
- Add authentication module with Google OAuth 2.0 and JWT strategies - Create secure user management with email hashing (SHA-256) - Implement rate limiting (10 requests/minute) for auth endpoints - Add CSRF protection and security middleware - Create user registration with Basic plan (50 quota default) - Add JWT-based session management with secure cookies - Implement protected routes with authentication guards - Add comprehensive API documentation with Swagger - Configure environment variables for OAuth and security - Add user profile management and quota tracking Resolves authentication requirements §18-20: - §18: Google OAuth 2.0 with email scope only - §19: Auto-create User record on first OAuth callback - §20: Store only Google UID, display name, and email hash 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
56 lines
No EOL
1.6 KiB
TypeScript
56 lines
No EOL
1.6 KiB
TypeScript
import { Injectable, UnauthorizedException } from '@nestjs/common';
|
|
import { ConfigService } from '@nestjs/config';
|
|
import { PassportStrategy } from '@nestjs/passport';
|
|
import { Strategy, ExtractJwt } from 'passport-jwt';
|
|
import { AuthService } from './auth.service';
|
|
|
|
export interface JwtPayload {
|
|
sub: string; // User ID
|
|
email: string;
|
|
iat: number; // Issued at
|
|
exp: number; // Expires at
|
|
iss: string; // Issuer
|
|
aud: string; // Audience
|
|
}
|
|
|
|
@Injectable()
|
|
export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
|
|
constructor(
|
|
private readonly configService: ConfigService,
|
|
private readonly authService: AuthService,
|
|
) {
|
|
super({
|
|
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
|
|
ignoreExpiration: false,
|
|
secretOrKey: configService.get<string>('JWT_SECRET'),
|
|
issuer: 'seo-image-renamer',
|
|
audience: 'seo-image-renamer-users',
|
|
});
|
|
}
|
|
|
|
async validate(payload: JwtPayload) {
|
|
try {
|
|
// Verify the user still exists and is active
|
|
const user = await this.authService.validateUserById(payload.sub);
|
|
|
|
if (!user) {
|
|
throw new UnauthorizedException('User not found');
|
|
}
|
|
|
|
if (!user.isActive) {
|
|
throw new UnauthorizedException('User account is inactive');
|
|
}
|
|
|
|
// Return user object that will be attached to request
|
|
return {
|
|
id: user.id,
|
|
email: user.email,
|
|
plan: user.plan,
|
|
quotaRemaining: user.quotaRemaining,
|
|
isActive: user.isActive,
|
|
};
|
|
} catch (error) {
|
|
throw new UnauthorizedException('Invalid token');
|
|
}
|
|
}
|
|
} |