refactor(server): auth delete device (#4720)

* refactor(server): auth delete device

* fix: person e2e

server/src/domain/auth/auth.service.spec.ts

@@ -1,9 +1,11 @@
 import { UserEntity } from '@app/infra/entities';
 import { BadRequestException, UnauthorizedException } from '@nestjs/common';
 import {
+  IAccessRepositoryMock,
   authStub,
   keyStub,
   loginResponseStub,
+  newAccessRepositoryMock,
   newCryptoRepositoryMock,
   newKeyRepositoryMock,
   newLibraryRepositoryMock,
@@ -52,6 +54,7 @@ const fixtures = {
 
 describe('AuthService', () => {
   let sut: AuthService;
+  let accessMock: jest.Mocked<IAccessRepositoryMock>;
   let cryptoMock: jest.Mocked<ICryptoRepository>;
   let userMock: jest.Mocked<IUserRepository>;
   let libraryMock: jest.Mocked<ILibraryRepository>;
@@ -84,6 +87,7 @@ describe('AuthService', () => {
       }),
     } as any);
 
+    accessMock = newAccessRepositoryMock();
     cryptoMock = newCryptoRepositoryMock();
     userMock = newUserRepositoryMock();
     libraryMock = newLibraryRepositoryMock();
@@ -92,7 +96,7 @@ describe('AuthService', () => {
     shareMock = newSharedLinkRepositoryMock();
     keyMock = newKeyRepositoryMock();
 
-    sut = new AuthService(cryptoMock, configMock, userMock, userTokenMock, libraryMock, shareMock, keyMock);
+    sut = new AuthService(accessMock, cryptoMock, configMock, libraryMock, userMock, userTokenMock, shareMock, keyMock);
   });
 
   it('should be defined', () => {
@@ -218,7 +222,7 @@ describe('AuthService', () => {
         redirectUri: '/auth/login?autoLaunch=0',
       });
 
-      expect(userTokenMock.delete).toHaveBeenCalledWith('123', 'token123');
+      expect(userTokenMock.delete).toHaveBeenCalledWith('token123');
     });
 
     it('should return the default redirect if auth type is OAUTH but oauth is not enabled', async () => {
@@ -384,16 +388,19 @@ describe('AuthService', () => {
       await sut.logoutDevices(authStub.user1);
 
       expect(userTokenMock.getAll).toHaveBeenCalledWith(authStub.user1.id);
-      expect(userTokenMock.delete).toHaveBeenCalledWith(authStub.user1.id, 'not_active');
-      expect(userTokenMock.delete).not.toHaveBeenCalledWith(authStub.user1.id, 'token-id');
+      expect(userTokenMock.delete).toHaveBeenCalledWith('not_active');
+      expect(userTokenMock.delete).not.toHaveBeenCalledWith('token-id');
     });
   });
 
   describe('logoutDevice', () => {
     it('should logout the device', async () => {
+      accessMock.authDevice.hasOwnerAccess.mockResolvedValue(true);
+
       await sut.logoutDevice(authStub.user1, 'token-1');
 
-      expect(userTokenMock.delete).toHaveBeenCalledWith(authStub.user1.id, 'token-1');
+      expect(accessMock.authDevice.hasOwnerAccess).toHaveBeenCalledWith(authStub.user1.id, 'token-1');
+      expect(userTokenMock.delete).toHaveBeenCalledWith('token-1');
     });
   });
 

server/src/domain/auth/auth.service.ts

@@ -11,7 +11,9 @@ import cookieParser from 'cookie';
 import { IncomingHttpHeaders } from 'http';
 import { DateTime } from 'luxon';
 import { ClientMetadata, Issuer, UserinfoResponse, custom, generators } from 'openid-client';
+import { AccessCore, Permission } from '../access';
 import {
+  IAccessRepository,
   ICryptoRepository,
   IKeyRepository,
   ILibraryRepository,
@@ -61,19 +63,22 @@ interface OAuthProfile extends UserinfoResponse {
 
 @Injectable()
 export class AuthService {
-  private userCore: UserCore;
+  private access: AccessCore;
   private configCore: SystemConfigCore;
   private logger = new Logger(AuthService.name);
+  private userCore: UserCore;
 
   constructor(
+    @Inject(IAccessRepository) accessRepository: IAccessRepository,
     @Inject(ICryptoRepository) private cryptoRepository: ICryptoRepository,
     @Inject(ISystemConfigRepository) configRepository: ISystemConfigRepository,
+    @Inject(ILibraryRepository) libraryRepository: ILibraryRepository,
     @Inject(IUserRepository) userRepository: IUserRepository,
     @Inject(IUserTokenRepository) private userTokenRepository: IUserTokenRepository,
-    @Inject(ILibraryRepository) libraryRepository: ILibraryRepository,
     @Inject(ISharedLinkRepository) private sharedLinkRepository: ISharedLinkRepository,
     @Inject(IKeyRepository) private keyRepository: IKeyRepository,
   ) {
+    this.access = AccessCore.create(accessRepository);
     this.configCore = SystemConfigCore.create(configRepository);
     this.userCore = UserCore.create(cryptoRepository, libraryRepository, userRepository);
 
@@ -104,7 +109,7 @@ export class AuthService {
 
   async logout(authUser: AuthUserDto, authType: AuthType): Promise<LogoutResponseDto> {
     if (authUser.accessTokenId) {
-      await this.userTokenRepository.delete(authUser.id, authUser.accessTokenId);
+      await this.userTokenRepository.delete(authUser.accessTokenId);
     }
 
     return {
@@ -175,8 +180,9 @@ export class AuthService {
     return userTokens.map((userToken) => mapUserToken(userToken, authUser.accessTokenId));
   }
 
-  async logoutDevice(authUser: AuthUserDto, deviceId: string): Promise<void> {
-    await this.userTokenRepository.delete(authUser.id, deviceId);
+  async logoutDevice(authUser: AuthUserDto, id: string): Promise<void> {
+    await this.access.requirePermission(authUser, Permission.AUTH_DEVICE_DELETE, id);
+    await this.userTokenRepository.delete(id);
   }
 
   async logoutDevices(authUser: AuthUserDto): Promise<void> {
@@ -185,7 +191,7 @@ export class AuthService {
       if (device.id === authUser.accessTokenId) {
         continue;
       }
-      await this.userTokenRepository.delete(authUser.id, device.id);
+      await this.userTokenRepository.delete(device.id);
     }
   }