feat(api): Add OAuth redirection and polished authentication

[rajdip-b]

User description

Description

• Added redirect after oauth login/signup.
• Added AuthProvider enum to distinguish the kind of authentication the user made while signing up.
• Added checks to ensure that cross provider authentications are blocked.

---

PR Type

enhancement, bug_fix

---

Description

• Enhanced OAuth handling in the authentication controller, including redirection and cookie setting.
• Updated authentication service to support multiple OAuth providers and prevent cross provider authentication.
• Added AuthProvider to user creation processes and updated relevant methods across services.
• Updated environment configurations and Prisma schema to support new OAuth functionalities.

---

Changes walkthrough 📝

	Relevant files
Enhancement	auth.controller.ts Enhance OAuth handling and refactor authentication methods apps/api/src/auth/controller/auth.controller.ts Implemented OAuth redirection and cookie setting in OAuth callback methods. Refactored OTP validation to use a new setCookie method. Added AuthProvider to OAuth login handling. Added sendRedirect method to handle user redirection after OAuth authentication. +44/-12  auth.service.ts Update authentication service to support multiple OAuth providers apps/api/src/auth/service/auth.service.ts Added AuthProvider parameter to handleOAuthLogin and createUserIfNotExists methods. Implemented user authentication provider check to prevent cross provider authentication. +19/-4    create-user.ts Update user creation to include authentication provider    apps/api/src/common/create-user.ts Modified createUser function to accept AuthProvider and include it in user creation. +4/-3      user.service.ts Refactor user service to specify authentication provider on creation apps/api/src/user/service/user.service.ts Updated user creation to specify AuthProvider.EMAIL_OTP as the authentication method. +5/-2      migration.sql Database migration to add authentication provider to users apps/api/src/prisma/migrations/20240512141423_add_auth_provider/migration.sql Added AuthProvider enum and updated the User table to include an authProvider column. +5/-0      schema.prisma Update Prisma schema to include AuthProvider enum                apps/api/src/prisma/schema.prisma Added AuthProvider enum to the Prisma schema. Included authProvider in the User model. +8/-0
Tests	user.e2e.spec.ts Update user service tests to handle new AuthProvider field apps/api/src/user/user.e2e.spec.ts Updated tests to include AuthProvider.EMAIL_OTP in expected user properties. +2/-1
Configuration changes	.env.example Update environment configuration for OAuth redirection      .env.example Updated environment variables for platform URL and OAuth redirection path. +3/-2

---

💡 PR-Agent usage:
Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions

[codiumai-pr-agent-free]

PR Description updated to latest commit (d2a956e)

[codiumai-pr-agent-free]

PR Review 🔍

(Review updated until commit 879da25)

⏱️ Estimated effort to review [1-5]	4, because the PR involves multiple files and complex changes related to authentication, OAuth providers, and environment configurations. It requires a thorough understanding of authentication flows and potential security implications.
🧪 Relevant tests	No
⚡ Possible issues	Possible Bug: The createUserIfNotExists method in auth.service.ts throws an exception if the user's authentication provider does not match the one stored in the database. This could prevent users from logging in if they initially signed up with one provider and later try to log in with another, even if it's allowed by the business logic.
	Security Concern: The sendRedirect method in auth.controller.ts appends user data directly into the URL query parameters, which might expose sensitive user information. This could be mitigated by using more secure methods of transmitting data.
🔒 Security concerns	Sensitive information exposure: The sendRedirect method in auth.controller.ts potentially exposes user data by appending it to the URL. This method should be reviewed to ensure that sensitive information is not leaked.

Code feedback:

---

relevant file	apps/api/src/auth/controller/auth.controller.ts
suggestion	Consider implementing a more secure method to handle user data during redirection. Instead of appending user data directly to the URL, use server-side sessions or encrypted tokens to pass sensitive information securely. [important]
relevant line	`${platformOAuthRedirectUrl}?data=${encodeURIComponent(

---

relevant file	apps/api/src/auth/service/auth.service.ts
suggestion	Modify the createUserIfNotExists method to allow users to log in with different OAuth providers if the business logic permits. This could involve updating the user's authProvider in the database if it changes, rather than throwing an exception. [important]
relevant line	if (user.authProvider !== authProvider) {

---

[codiumai-pr-agent-free]

PR Code Suggestions ✨

Category	Suggestion	Score
Security	Modify user data transmission to enhance security The redirect URL construction in sendRedirect method exposes sensitive user information as URL parameters. Consider using POST requests or secure cookies to pass sensitive data securely. apps/api/src/auth/controller/auth.controller.ts [276-277] response .status(302) - .redirect( - `${platformOAuthRedirectUrl}?email=${user.email}&name=${user.name}&profilePictureUrl=${user.profilePictureUrl}&isActive=${user.isActive}&isAdmin=${user.isAdmin}&isOnboardingFinished=${user.isOnboardingFinished}` - ) + .redirect(platformOAuthRedirectUrl) +// Consider setting sensitive user details in a secure, HttpOnly cookie or via secure POST request. Suggestion importance[1-10]: 9 Why: The suggestion to avoid passing sensitive user information via URL parameters is highly relevant for security. Using secure methods like POST requests or secure cookies is a best practice to protect user data during transmission.	9
Possible issue	Validate environment variables before use to prevent runtime errors It is recommended to validate the environment variables PLATFORM_FRONTEND_URL and PLATFORM_OAUTH_REDIRECT_PATH before constructing platformOAuthRedirectUrl. This will prevent runtime errors in cases where the environment variables are not set, ensuring that the application fails gracefully or logs a meaningful error. apps/api/src/auth/controller/auth.controller.ts [32] +if (!platformFrontendUrl || !platformOAuthRedirectPath) { + throw new Error('Environment variables for PLATFORM_FRONTEND_URL and PLATFORM_OAUTH_REDIRECT_PATH must be set.'); +} const platformOAuthRedirectUrl = `${platformFrontendUrl}${platformOAuthRedirectPath}` Suggestion importance[1-10]: 8 Why: Validating environment variables is crucial to prevent runtime errors, especially when constructing URLs that are critical for OAuth redirections. This suggestion addresses a significant potential issue that could affect application stability.	8
	Add error handling for cookie setting to enhance robustness The setCookie method should handle potential exceptions that might occur when setting the cookie, such as invalid token formats or security settings that block cookies. Using a try-catch block can help manage these exceptions gracefully. apps/api/src/auth/controller/auth.controller.ts [266-269] -response.cookie('token', `Bearer ${token}`, { - domain: process.env.DOMAIN ?? 'localhost', - expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 7) // 7 days, -}) +try { + response.cookie('token', `Bearer ${token}`, { + domain: process.env.DOMAIN ?? 'localhost', + expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 7) // 7 days, + }) +} catch (error) { + console.error('Failed to set cookie', error); + throw new Error('Failed to set authentication cookie.'); +} Suggestion importance[1-10]: 7 Why: Adding error handling for cookie operations is important for robustness, especially given the security implications and potential browser restrictions on cookies. This suggestion correctly identifies a possible improvement in error management.	7
Possible bug	Check for array content before accessing to prevent runtime errors Consider adding a check for the existence of emails and photos arrays in the OAuth callback methods to ensure that these properties contain elements before accessing them. This prevents potential runtime errors from accessing properties of undefined. apps/api/src/auth/controller/auth.controller.ts [151-152] +if (!emails.length || !photos.length) { + throw new Error('Emails or photos information is missing from the OAuth provider data.'); +} const email = emails[0].value const profilePictureUrl = photos[0].value Suggestion importance[1-10]: 8 Why: Ensuring that arrays like emails and photos are not empty before accessing them is crucial to prevent runtime errors. This suggestion correctly addresses a common source of bugs in handling OAuth provider data.	8

[codecov]

Codecov Report

Attention: Patch coverage is 95.23810% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 91.62%. Comparing base (7bb3d21) to head (aaf9f19).
Report is 59 commits behind head on develop.

Files	Patch %	Lines
apps/api/src/auth/service/auth.service.ts	75.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##           develop     #212       +/-   ##
============================================
+ Coverage    62.20%   91.62%   +29.41%     
============================================
  Files           76      107       +31     
  Lines         1503     2435      +932     
  Branches       260      455      +195     
============================================
+ Hits           935     2231     +1296     
+ Misses         568      204      -364     

Flag	Coverage Δ
api-e2e-tests	91.62% <95.23%> (+29.41%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[rajdip-b]

/review

[codiumai-pr-agent-free]

Persistent review updated to latest commit 879da25

[rajdip-b]

/improve

[rajdip-b]

/ask regenerate suggestions

[codiumai-pr-agent-free]

Ask❓

regenerate suggestions

Answer:

The PR introduces several enhancements and new functionalities related to OAuth handling in an API, including redirection after OAuth login/signup, setting cookies, and enforcing authentication provider consistency. Here are the detailed responses to the changes:

1. OAuth Redirection and Cookie Setting:

   • The PR adds a new environment variable PLATFORM_OAUTH_REDIRECT_URL constructed from PLATFORM_FRONTEND_URL and PLATFORM_OAUTH_REDIRECT_PATH. This URL is used to redirect users after successful OAuth authentication.
   • A new method setCookie is introduced in the AuthController. This method sets a cookie with the user's token, which is then used for subsequent authenticated requests. This centralizes the cookie setting logic, which was previously repeated in multiple places.
   • The sendRedirect method is also added to handle the redirection of the user to the specified OAuth redirection URL along with user data appended as a query parameter. This ensures that after OAuth authentication, the user is redirected back to the application frontend with their data.

2. Handling Multiple OAuth Providers:

   • The PR integrates an AuthProvider enum to manage different types of OAuth providers (Google, GitHub, GitLab, and EMAIL_OTP). This enum is used across the service to ensure that the OAuth provider is consistently handled.
   • In the AuthService, the handleOAuthLogin method is updated to accept an AuthProvider parameter, which is then passed to the createUserIfNotExists method to ensure that the user is created with the correct provider.
   • The createUserIfNotExists method now throws an UnauthorizedException if there is an attempt to authenticate a user with a different provider than the one they originally used. This is a crucial security feature to prevent account takeover through provider switching.

3. Database and Schema Changes:

   • A new SQL migration adds the AuthProvider enum to the database schema and updates the User table to include an authProvider column. This is necessary to store the provider used during the user's initial authentication.
   • The Prisma schema file is updated accordingly to reflect this new column and enum.

4. Test and Configuration Updates:

   • The .env.example file is updated with new environment variables reflecting the local development URLs for frontend redirection.
   • End-to-end tests are updated to include the AuthProvider.EMAIL_OTP when creating a user, ensuring that tests reflect the new authentication flow.

Overall, the PR is well-structured and addresses the enhancement of OAuth functionalities robustly. It ensures better security by enforcing provider consistency and improves user experience by handling redirection and cookie management efficiently. The use of environment variables for configuration and centralizing repeated logic into single methods are good practices that enhance code maintainability and readability.

[codiumai-pr-agent-free]

PR Code Suggestions ✨

Category	Suggestion	Score
Best practice	Validate critical environment variables at the start of the application It's recommended to validate the environment variables PLATFORM_FRONTEND_URL and PLATFORM_OAUTH_REDIRECT_PATH at the start of your application to ensure they are set. This prevents runtime errors in the production environment where these variables might be missing. apps/api/src/auth/controller/auth.controller.ts [30-32] -const platformFrontendUrl = process.env.PLATFORM_FRONTEND_URL -const platformOAuthRedirectPath = process.env.PLATFORM_OAUTH_REDIRECT_PATH -const platformOAuthRedirectUrl = `${platformFrontendUrl}${platformOAuthRedirectPath}` +if (!process.env.PLATFORM_FRONTEND_URL || !process.env.PLATFORM_OAUTH_REDIRECT_PATH) { + throw new Error('Required environment variables PLATFORM_FRONTEND_URL or PLATFORM_OAUTH_REDIRECT_PATH are not set.'); +} +const platformFrontendUrl = process.env.PLATFORM_FRONTEND_URL; +const platformOAuthRedirectPath = process.env.PLATFORM_OAUTH_REDIRECT_PATH; +const platformOAuthRedirectUrl = `${platformFrontendUrl}${platformOAuthRedirectPath}`; Suggestion importance[1-10]: 8 Why: This suggestion correctly identifies a potential runtime error due to missing environment variables and proposes a robust solution to validate them early in the application lifecycle, which is crucial for preventing failures in production environments.	8
Possible bug	Add checks for empty arrays to prevent accessing undefined properties Consider handling the case where emails or photos arrays might be empty to prevent runtime errors. This can be done by adding checks before accessing their values. apps/api/src/auth/controller/auth.controller.ts [151-152] -const email = emails[0].value -const profilePictureUrl = photos[0].value +const email = emails.length > 0 ? emails[0].value : null; +const profilePictureUrl = photos.length > 0 ? photos[0].value : null; +if (!email || !profilePictureUrl) { + throw new Error('Email or profile picture URL is missing from the OAuth provider data.'); +} Suggestion importance[1-10]: 7 Why: The suggestion addresses a common source of runtime errors by adding checks for empty arrays before accessing their values. This is a good practice to prevent errors when the expected data structure is not present.	7
Maintainability	Refactor repeated OAuth login logic into a single method Refactor the repeated OAuth login handling logic into a single method to reduce code duplication and improve maintainability. apps/api/src/auth/controller/auth.controller.ts [154-161] -const data = await this.authService.handleOAuthLogin(email, name, profilePictureUrl, AuthProvider.GITHUB); -const user = this.setCookie(req.res, data); -this.sendRedirect(req.res, user); +handleOAuthProcess(req, AuthProvider.GITHUB); Suggestion importance[1-10]: 7 Why: The suggestion to refactor repeated OAuth login handling into a single method is valid and would improve code maintainability and reduce duplication. This is a beneficial change for long-term code management.	7
Enhancement	Handle mismatch of authentication providers more gracefully Instead of directly throwing an error when the authentication provider does not match, consider logging this event or handling it more gracefully to improve user experience. apps/api/src/auth/controller/auth.controller.ts [178-182] if (user.authProvider !== authProvider) { - throw new UnauthorizedException( - 'The user has signed up with a different authentication provider.' - ); + // Log the mismatch of authentication provider + console.warn(`User attempted to log in with ${authProvider} but was registered with ${user.authProvider}.`); + // Redirect to a generic error page or provide a message + response.redirect('/error?message=AuthProviderMismatch'); } Suggestion importance[1-10]: 6 Why: This suggestion improves the user experience by handling authentication provider mismatches more gracefully. It proposes logging and redirecting instead of throwing an error, which enhances the application's robustness and user feedback.	6

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[rajdip-b]

/improve

[codiumai-pr-agent-free]

PR Code Suggestions ✨

Category	Suggestion	Score
Possible bug	Correct the URL assignments in OAuth redirect functions to match their intended success and failure outcomes Correct the logic in sendOAuthFailureRedirect and sendOAuthSuccessRedirect to ensure that the URLs and query parameters are correctly assigned. Currently, the success and failure functions are incorrectly swapped. apps/api/src/common/redirect.ts [14-27] -.redirect(`${platformOAuthSuccessRedirectUrl}?reason=${reason}`) -.redirect(`${platformOAuthFailureRedirectUrl}?data=${encodeURIComponent(JSON.stringify(user))}`) +.redirect(`${platformOAuthFailureRedirectUrl}?reason=${reason}`) +.redirect(`${platformOAuthSuccessRedirectUrl}?data=${encodeURIComponent(JSON.stringify(user))}`) Suggestion importance[1-10]: 10 Why: This suggestion correctly identifies a critical bug where the success and failure redirect URLs are swapped. Fixing this is crucial as it directly affects the application's flow and user experience.	10
Maintainability	Refactor repeated email validation checks into a single method to improve code maintainability Refactor the repeated logic for checking if the email list is empty in OAuth callback methods into a private method within the class to reduce code duplication and improve maintainability. apps/api/src/auth/controller/auth.controller.ts [153-157] -if (!emails.length) { - throw new UnprocessableEntityException( - 'Email information is missing from the OAuth provider data.' - ) -} +this.validateEmails(emails); Suggestion importance[1-10]: 8 Why: Refactoring repeated email validation logic into a single method is a good practice to reduce code duplication and improve maintainability. This suggestion correctly identifies the repeated code and offers a practical improvement.	8
Enhancement	Use a custom exception for missing email information in OAuth callbacks for clearer error handling Instead of throwing an UnprocessableEntityException directly in the OAuth callback methods when the email is missing, consider using a more specific custom exception that provides clearer information about the error and possibly suggests corrective actions. apps/api/src/auth/controller/auth.controller.ts [154-156] -throw new UnprocessableEntityException( - 'Email information is missing from the OAuth provider data.' +throw new MissingEmailException( + 'Email information is missing from the OAuth provider data. Please ensure that your OAuth provider is configured to share email addresses.' ) Suggestion importance[1-10]: 7 Why: The suggestion to use a more specific custom exception for missing email information in OAuth callbacks is valid and improves error clarity, which enhances maintainability and debuggability.	7
Performance	Check the authProvider before user creation to optimize database operations Optimize the createUserIfNotExists method by checking the authProvider before attempting to create a new user, which can prevent unnecessary database operations if the user exists but with a different auth provider. apps/api/src/auth/service/auth.service.ts [161-174] let user = await this.findUserByEmail(email) -if (!user) { +if (!user || user.authProvider !== authProvider) { user = await createUser({ email, name, profilePictureUrl, authProvider }, this.prisma) } Suggestion importance[1-10]: 6 Why: The suggestion to optimize the createUserIfNotExists method by checking the authProvider is valid and can prevent unnecessary database operations. However, the existing code already includes a check after user creation, which somewhat reduces the impact of this suggestion.	6

[rajdip-b]

🎉 This PR is included in version 1.3.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀