fix: oauth intergration and refactor process flow

Author: soorq

libs/bootstrap/src/setups/swagger.ts

@@ -50,7 +50,7 @@ export async function setupSwagger(app: NestFastifyApplication, options: Swagger
         extraModels: [GlobalErrorResponse.Output],
     });
 
-    const customCss = await getCustomCSS();
+    const customCss = await getCustomCSS().catch(() => '');
 
     SwaggerModule.setup(path, app, cleanupOpenApiDoc(document), {
         jsonDocumentUrl: `${path}/s/json`,

src/auth/application/auth.facade.ts

@@ -1,6 +1,7 @@
 import { Injectable } from '@nestjs/common';
 
 import {
+    ExchangeDto,
     OAuthResponse,
     PasswordResetConfirmDto,
     ResendCodeDto,
@@ -25,6 +26,7 @@ import {
     GetConnectedProvidersQuery,
     GetEnabledProvidersQuery,
     ResendCodeUseCase,
+    ExchangeUseCase,
 } from './use-cases';
 
 import type { DeviceMetadata } from '../infrastructure/utils';
@@ -46,6 +48,7 @@ export class AuthFacade {
         private readonly getConnectedProvidersQuery: GetConnectedProvidersQuery,
         private readonly confirmResetPasswordUseCase: ConfirmResetPasswordUseCase,
         private readonly resendCodeUseCase: ResendCodeUseCase,
+        private readonly exchangeTokenUC: ExchangeUseCase,
     ) {}
 
     public async signIn(dto: SignInDto, device: DeviceMetadata) {
@@ -84,6 +87,10 @@ export class AuthFacade {
         return this.confirmResetPasswordUseCase.execute(dto);
     }
 
+    public async exchangeToken(dto: ExchangeDto, device: DeviceMetadata) {
+        return this.exchangeTokenUC.execute(dto, device);
+    }
+
     public async authenticateOAuth(dto: OAuthResponse, device: DeviceMetadata, state?: string) {
         return this.authenticateOAuthUseCase.execute(dto, device, state);
     }

src/auth/application/controller/oauth/controller.ts

@@ -1,10 +1,22 @@
 import { getDeviceMeta } from '@core/auth/infrastructure/utils';
-import { Delete, Get, Param, Post, Query, Req, Res, UseGuards } from '@nestjs/common';
+import {
+    Body,
+    Delete,
+    Get,
+    HttpCode,
+    Param,
+    Post,
+    Query,
+    Req,
+    Res,
+    UseGuards,
+} from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { ApiBaseController, GetUserId, SkipContract } from '@shared/decorators';
 import { BearerAuthGuard, OAuthGuard } from '@shared/guards';
 
 import { AuthFacade } from '../../auth.facade';
+import { ExchangeDto, type TOAuthResponse } from '../../dtos';
 
 import {
     DisconnectOAuthProviderSwagger,
@@ -13,12 +25,12 @@ import {
     GetOAuthProvidersSwagger,
     OAuthCallbackSwagger,
     OAuthLoginSwagger,
+    ExchangeSwagger,
 } from './swagger';
 
-import type { TOAuthResponse } from '../../dtos';
 import type { FastifyReply, FastifyRequest } from 'fastify';
 
-@ApiBaseController('auth/oauth', 'OAuth')
+@ApiBaseController('oauth', 'OAuth')
 export class OAuthController {
     private readonly isProduction: boolean = false;
     private readonly domain?: string | null = null;
@@ -66,14 +78,30 @@ export class OAuthController {
 
         const baseUrl = `https://dev.${this.domain}`;
 
-        if (result.isSign && result.refresh) {
-            this.setRefreshCookie(res, result.refresh, result.expiresAt);
+        if (result.isSign) {
             res.redirect(`${baseUrl}/oauth?${result.query.toString()}`, 302);
         } else {
             res.redirect(`${baseUrl}/user/profile?${result.query.toString()}`, 302);
         }
     }
 
+    @Post('exchange')
+    @ExchangeSwagger()
+    @HttpCode(200)
+    async exchange(
+        @Body() dto: ExchangeDto,
+        @Res({ passthrough: true }) res: FastifyReply,
+        @Req() req: FastifyRequest,
+    ) {
+        const meta = getDeviceMeta(req);
+
+        const { expiresAt, refresh, ...result } = await this.facade.exchangeToken(dto, meta);
+
+        this.setRefreshCookie(res, refresh, expiresAt);
+
+        return result;
+    }
+
     @Get('providers')
     @GetOAuthProvidersSwagger()
     async getEnabledProviders() {

src/auth/application/controller/oauth/swagger.ts

@@ -1,6 +1,6 @@
 import { OAuthProvider } from '@core/auth/infrastructure/constants';
 import { applyDecorators, SetMetadata } from '@nestjs/common';
-import { ApiOperation, ApiParam, ApiResponse } from '@nestjs/swagger';
+import { ApiBody, ApiOperation, ApiParam, ApiResponse } from '@nestjs/swagger';
 import { ActionResponse } from '@shared/dtos';
 import {
     ApiBadRequest,
@@ -11,7 +11,13 @@ import {
 } from '@shared/error';
 import { ZOD_RESPONSE_TOKEN } from '@shared/interceptors';
 
-import { ConnectedProviders, ConnectProviderResponse, ProvidersResponse } from '../../dtos';
+import {
+    ConnectedProviders,
+    ConnectProviderResponse,
+    ExchangeDto,
+    ExchangeResponse,
+    ProvidersResponse,
+} from '../../dtos';
 
 export const OAuthLoginSwagger = () =>
     applyDecorators(
@@ -151,3 +157,23 @@ export const GetConnectedProvidersSwagger = () =>
 
         SetMetadata(ZOD_RESPONSE_TOKEN, ConnectedProviders),
     );
+export const ExchangeSwagger = () =>
+    applyDecorators(
+        ApiOperation({
+            summary: 'Обменять одноразовый токен на сессию',
+            description:
+                'Обменивает одноразовый exchange-токен, полученный после OAuth авторизации, на полноценную сессию с access и refresh токенами. Устанавливает refresh токен в httpOnly cookie.',
+        }),
+        ApiBody({
+            type: ExchangeDto.Output,
+        }),
+        ApiResponse({
+            status: 200,
+            description: 'Токен успешно обменян. Возвращает access токен и данные пользователя.',
+            type: ExchangeResponse.Output,
+        }),
+        ApiBadRequest('Неверный запрос. Токен отсутствует, истёк или имеет неверный формат.'),
+        ApiUnauthorized(),
+        ApiValidationError(),
+        SetMetadata(ZOD_RESPONSE_TOKEN, ExchangeResponse),
+    );

src/auth/application/dtos/oauth.dto.ts

@@ -57,3 +57,43 @@ export const ConnectProviderSchema = z.object({
 });
 
 export class ConnectProviderResponse extends createZodDto(ConnectProviderSchema) {}
+
+export const ExchangeSchema = z.object({
+    token: z
+        .string()
+        .min(32, 'Token must be at least 32 characters')
+        .max(128, 'Token must not exceed 128 characters')
+        .regex(/^[a-f0-9]+$/, 'Token must be hexadecimal string'),
+});
+
+export class ExchangeDto extends createZodDto(ExchangeSchema) {}
+
+export interface IOAuthExchangeData {
+    userId: string;
+    isNewUser: boolean;
+    email: string;
+    provider: 'google' | 'yandex' | 'github' | 'vkontakte';
+    ip: string;
+}
+
+export const ExchangeResponseSchema = z.object({
+    success: z.boolean().describe('Успешность операции'),
+    message: z
+        .string()
+        .min(1, 'message не может быть пустым')
+        .max(255, 'message не длиннее 255 символов')
+        .describe('Сообщение для тоста'),
+    access: z
+        .string()
+        .min(10, 'access токен слишком короткий')
+        .max(500, 'access токен слишком длинный')
+        .describe('JWT access токен'),
+    isNewUser: z.boolean().describe('Новый пользователь?'),
+    provider: z
+        .enum(['google', 'yandex', 'github', 'vkontakte'], {
+            message: 'provider должен быть: google, yandex, github или vkontakte',
+        })
+        .describe('OAuth провайдер'),
+});
+
+export class ExchangeResponse extends createZodDto(ExchangeResponseSchema) {}

src/auth/application/use-cases/index.ts

@@ -3,6 +3,7 @@ import { AuthenticateOAuthUseCase } from './oauth/authenticate-oauth.use-case';
 import { ConnectOAuthProviderUseCase } from './oauth/connect-oauth-provider.use-case';
 import { ConnectProviderUseCase } from './oauth/connect-provider.use-case';
 import { DisconnectProviderUseCase } from './oauth/disconnect-provider.use-case';
+import { ExchangeUseCase } from './oauth/exchange.use-case';
 import { GetConnectedProvidersQuery } from './oauth/get-connected-providers.query';
 import { GetEnabledProvidersQuery } from './oauth/get-enabled-providers.query';
 import { OAuthOrchestratorUseCase } from './oauth/oauth-orchestrator.use-case';
@@ -37,24 +38,26 @@ export const AuthUseCases = [
     SignOutUseCase,
     SignUpUseCase,
     ResendCodeUseCase,
+    ExchangeUseCase,
 ];
 
-export { ConfirmResetPasswordUseCase } from './confirm-reset-password.use-case';
-export { VerifyResetPasswordUseCase } from './verify-reset-password.use-case';
-export { GetConnectedProvidersQuery } from './oauth/get-connected-providers.query';
-export { DisconnectProviderUseCase } from './oauth/disconnect-provider.use-case';
-export { AuthenticateOAuthUseCase } from './oauth/authenticate-oauth.use-case';
-export { ConnectProviderUseCase } from './oauth/connect-provider.use-case';
-export { RefreshTokensUseCase } from './refresh-tokens.use-case';
-export { ResetPasswordUseCase } from './reset-password.use-case';
-export { SignUpVerifyUseCase } from './sign-up-verify.use-case';
-export { GetEnabledProvidersQuery } from './oauth/get-enabled-providers.query';
+export * from './confirm-reset-password.use-case';
+export * from './verify-reset-password.use-case';
+export * from './oauth/get-connected-providers.query';
+export * from './oauth/disconnect-provider.use-case';
+export * from './oauth/authenticate-oauth.use-case';
+export * from './oauth/connect-provider.use-case';
+export * from './refresh-tokens.use-case';
+export * from './reset-password.use-case';
+export * from './sign-up-verify.use-case';
+export * from './oauth/get-enabled-providers.query';
+export * from './oauth/exchange.use-case';
 
-export { OAuthOrchestratorUseCase } from './oauth/oauth-orchestrator.use-case';
-export { ProcessOAuthLoginUseCase } from './oauth/process-oauth-login.use-case';
-export { ProcessOAuthRegistrationUseCase } from './oauth/process-oauth-registration.use-case';
-export { ConnectOAuthProviderUseCase } from './oauth/connect-oauth-provider.use-case';
-export { SignInUseCase } from './sign-in.use-case';
-export { SignOutUseCase } from './sign-out.use-case';
-export { SignUpUseCase } from './sign-up.use-case';
-export { ResendCodeUseCase } from './resend-code.use-case';
+export * from './oauth/oauth-orchestrator.use-case';
+export * from './oauth/process-oauth-login.use-case';
+export * from './oauth/process-oauth-registration.use-case';
+export * from './oauth/connect-oauth-provider.use-case';
+export * from './sign-in.use-case';
+export * from './sign-out.use-case';
+export * from './sign-up.use-case';
+export * from './resend-code.use-case';

src/auth/application/use-cases/oauth/authenticate-oauth.use-case.ts

@@ -1,7 +1,10 @@
-import { ISessionRepository } from '@core/auth/domain/repository';
-import { TokenService } from '@core/auth/infrastructure/security';
+import crypto from 'node:crypto';
+
 import { Inject, Injectable } from '@nestjs/common';
-import { createId } from '@paralleldrive/cuid2';
+import { CACHE_SERVICE } from '@shared/adapters/cache/constants';
+import { ICacheService } from '@shared/adapters/cache/ports';
+
+import { EXCHANGE_TOKEN_NAME, EXCHANGE_TOKEN_TTL } from '../../../infrastructure/constants';
 
 import { OAuthOrchestratorUseCase } from './oauth-orchestrator.use-case';
 
@@ -11,10 +14,9 @@ import type { DeviceMetadata } from '@core/auth/infrastructure/utils';
 @Injectable()
 export class AuthenticateOAuthUseCase {
     constructor(
+        @Inject(CACHE_SERVICE)
+        private readonly cacheService: ICacheService,
         private readonly orchestrator: OAuthOrchestratorUseCase,
-        @Inject('ISessionRepository')
-        private readonly sessionRepo: ISessionRepository,
-        private readonly tokenService: TokenService,
     ) {}
 
     async execute(dto: OAuthResponse, meta: DeviceMetadata, state?: string) {
@@ -33,28 +35,26 @@ export class AuthenticateOAuthUseCase {
                 expiresAt: null,
             };
         }
+        const token = crypto.randomBytes(32).toString('hex');
 
-        const sessionId = createId();
-        const { access, expiresAt, refresh } = await this.tokenService.generateTokens(
-            user,
-            sessionId,
-        );
-
-        await this.sessionRepo.create({
-            id: sessionId,
-            ...meta,
-            expiresAt: expiresAt.toISOString(),
+        const data = {
             userId: user.id,
-        });
+            isNewUser,
+            email: user.email,
+            provider: dto.provider,
+            ip: meta.ip,
+        };
+
+        await this.cacheService.setOne(
+            EXCHANGE_TOKEN_NAME(token),
+            JSON.stringify(data),
+            EXCHANGE_TOKEN_TTL,
+        );
 
         const query = new URLSearchParams({
-            success: 'true',
-            message: isNewUser ? 'Регистрация успешна' : 'Вход успешен',
-            access,
-            provider: dto.provider,
-            isNewUser: String(isNewUser),
+            token,
         });
 
-        return { query, refresh, expiresAt, isSign: true };
+        return { query, isSign: true };
     }
 }