Merge pull request 'Feature / Refactor to session based auth in backend' (#9) from feature/frontend-dashboard into main

Reviewed-on: #9

backend/package.json

@@ -35,19 +35,22 @@
     "argon2": "^0.40.1",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",
+    "cookie-parser": "^1.4.6",
     "passport": "^0.7.0",
     "passport-jwt": "^4.0.1",
     "pg": "^8.11.5",
     "reflect-metadata": "^0.2.0",
     "rxjs": "^7.8.1",
     "swagger-ui-express": "^5.0.0",
-    "typeorm": "^0.3.20"
+    "typeorm": "^0.3.20",
+    "uuid": "^9.0.1"
   },
   "devDependencies": {
     "@nestjs/cli": "^10.0.0",
     "@nestjs/schematics": "^10.0.0",
     "@nestjs/testing": "^10.0.0",
     "@types/argon2": "^0.15.0",
+    "@types/cookie-parser": "^1.4.7",
     "@types/express": "^4.17.17",
     "@types/jest": "^29.5.2",
     "@types/node": "^20.3.1",

backend/pnpm-lock.yaml

@@ -41,6 +41,9 @@ dependencies:
   class-validator:
     specifier: ^0.14.1
     version: 0.14.1
+  cookie-parser:
+    specifier: ^1.4.6
+    version: 1.4.6
   passport:
     specifier: ^0.7.0
     version: 0.7.0
@@ -62,6 +65,9 @@ dependencies:
   typeorm:
     specifier: ^0.3.20
     version: 0.3.20(pg@8.11.5)(ts-node@10.9.2)
+  uuid:
+    specifier: ^9.0.1
+    version: 9.0.1
 
 devDependencies:
   '@nestjs/cli':
@@ -76,6 +82,9 @@ devDependencies:
   '@types/argon2':
     specifier: ^0.15.0
     version: 0.15.0
+  '@types/cookie-parser':
+    specifier: ^1.4.7
+    version: 1.4.7
   '@types/express':
     specifier: ^4.17.17
     version: 4.17.21
@@ -1288,6 +1297,12 @@ packages:
       '@types/node': 20.12.4
     dev: true
 
+  /@types/cookie-parser@1.4.7:
+    resolution: {integrity: sha512-Fvuyi354Z+uayxzIGCwYTayFKocfV7TuDYZClCdIP9ckhvAu/ixDtCB6qx2TT0FKjPLf1f3P/J1rgf6lPs64mw==}
+    dependencies:
+      '@types/express': 4.17.21
+    dev: true
+
   /@types/cookiejar@2.1.5:
     resolution: {integrity: sha512-he+DHOWReW0nghN24E1WUqM0efK4kI9oTqDm6XmK8ZPe2djZ90BSNdGnIyCLzCPw7/pogPlGbzI2wHGGmi4O/Q==}
     dev: true
@@ -2237,9 +2252,22 @@ packages:
     resolution: {integrity: sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==}
     dev: true
 
+  /cookie-parser@1.4.6:
+    resolution: {integrity: sha512-z3IzaNjdwUC2olLIB5/ITd0/setiaFMLYiZJle7xg5Fe9KWAceil7xszYfHHBtDFYLSgJduS2Ty0P1uJdPDJeA==}
+    engines: {node: '>= 0.8.0'}
+    dependencies:
+      cookie: 0.4.1
+      cookie-signature: 1.0.6
+    dev: false
+
   /cookie-signature@1.0.6:
     resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==}
 
+  /cookie@0.4.1:
+    resolution: {integrity: sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA==}
+    engines: {node: '>= 0.6'}
+    dev: false
+
   /cookie@0.6.0:
     resolution: {integrity: sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==}
     engines: {node: '>= 0.6'}

backend/src/app.module.ts

@@ -3,7 +3,6 @@ import { ConfigModule } from '@nestjs/config';
 
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
-import { CorsMiddleware } from './middleware/cors-middleware/cors.middlware';
 import { CspMiddleware } from './middleware/csp-middleware/csp.middleware';
 import { HttpsRedirectMiddleware } from './middleware/https-middlware/https-redirect.middleware';
 import { SecurityHeadersMiddleware } from './middleware/security-middleware/security.middleware';
@@ -35,8 +34,8 @@ export class AppModule {
       .apply(
         CspMiddleware,
         SecurityHeadersMiddleware,
-        HttpsRedirectMiddleware,
+        HttpsRedirectMiddleware
-        CorsMiddleware
+        //CorsMiddleware
       )
       .forRoutes({ path: '*', method: RequestMethod.ALL });
   }

backend/src/entities/index.ts

@@ -1,3 +1,4 @@
 export * from './user-credentials.entity';
 export * from './user-data.entity';
 export * from './email-verification.entity';
+export * from './session.entity';

backend/src/entities/session.entity.ts

@@ -0,0 +1,38 @@
+import {
+  Entity,
+  PrimaryGeneratedColumn,
+  Column,
+  ManyToOne,
+  JoinColumn,
+  CreateDateColumn,
+  UpdateDateColumn,
+} from 'typeorm';
+
+import { UserCredentials } from './user-credentials.entity';
+
+@Entity()
+export class Session {
+  @PrimaryGeneratedColumn('uuid')
+  public id: string;
+
+  @Column()
+  public sessionId: string;
+
+  @Column({ type: 'timestamp' })
+  public expiresAt: Date;
+
+  @Column({})
+  public userAgent: string;
+
+  @ManyToOne(() => UserCredentials, (userCredentials) => userCredentials.id, {
+    nullable: false,
+  })
+  @JoinColumn({ name: 'userCredentialsId' })
+  public userCredentials: UserCredentials['id'];
+
+  @CreateDateColumn()
+  public createdAt: Date;
+
+  @UpdateDateColumn()
+  public updatedAt: Date;
+}

backend/src/entities/user-credentials.entity.ts

@@ -18,7 +18,7 @@ export class UserCredentials {
   public hash: string;
 
   @Column({ nullable: true })
-  public hashedRt?: string;
+  public refreshToken?: string;
 
   @CreateDateColumn()
   public createdAt: Date;

backend/src/main.ts

@@ -4,6 +4,7 @@ import { join } from 'path';
 import { INestApplication, ValidationPipe } from '@nestjs/common';
 import { NestFactory } from '@nestjs/core';
 import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger';
+import * as cookieParser from 'cookie-parser';
 
 import { AppModule } from './app.module';
 
@@ -30,6 +31,10 @@ async function setupSwagger(app: INestApplication): Promise<void> {
   );
 }
 
+async function setupCookieParser(app: INestApplication): Promise<void> {
+  app.use(cookieParser());
+}
+
 async function setupPrefix(app: INestApplication): Promise<void> {
   app.setGlobalPrefix('api');
 }
@@ -41,6 +46,7 @@ async function setupClassValidator(app: INestApplication): Promise<void> {
 async function bootstrap(): Promise<void> {
   const app = await NestFactory.create(AppModule);
 
+  await setupCookieParser(app);
   await setupSwagger(app);
   await setupPrefix(app);
   await setupClassValidator(app);

backend/src/modules/auth-module/auth.module.ts

@@ -1,15 +1,17 @@
 import { Module } from '@nestjs/common';
 import { JwtModule } from '@nestjs/jwt';
 import { TypeOrmModule } from '@nestjs/typeorm';
-import { UserCredentials } from 'src/entities';
+import { Session, UserCredentials } from 'src/entities';
 
 import { SendgridModule } from '../sendgrid-module/sendgrid.module';
 import { UserModule } from '../user-module/user.module';
 import { VerifyModule } from '../verify-module/verify.module';
 
 import { AuthController } from './controller/auth.controller';
+import { SessionRepository } from './repositories/session.repository';
 import { UserCredentialsRepository } from './repositories/user-credentials.repository';
 import { AuthService } from './services/auth.service';
+import { SessionService } from './services/session.service';
 import { TokenManagementService } from './services/token-management.service';
 import { AccessTokenStrategy, RefreshTokenStrategy } from './strategies';
 
@@ -19,12 +21,14 @@ import { AccessTokenStrategy, RefreshTokenStrategy } from './strategies';
     SendgridModule,
     VerifyModule,
     JwtModule.register({}),
-    TypeOrmModule.forFeature([UserCredentials]),
+    TypeOrmModule.forFeature([UserCredentials, Session]),
   ],
   providers: [
     AuthService,
+    SessionService,
     TokenManagementService,
     UserCredentialsRepository,
+    SessionRepository,
     AccessTokenStrategy,
     RefreshTokenStrategy,
   ],

backend/src/modules/auth-module/common/decorators/get-user.decorator.ts

@@ -1,14 +1,13 @@
-import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+//import { JwtPayloadWithRefreshToken } from 'src/modules/auth-module/models/types';
-import { JwtPayloadWithRefreshToken } from 'src/modules/auth-module/models/types';
 
-export const GetCurrentUser = createParamDecorator(
+// export const GetCurrentUser = createParamDecorator(
-  (
+//   (
-    data: keyof JwtPayloadWithRefreshToken | undefined,
+//     data: keyof JwtPayloadWithRefreshToken | undefined,
-    context: ExecutionContext
+//     context: ExecutionContext
-  ) => {
+//   ) => {
-    const request = context.switchToHttp().getRequest();
+//     const request = context.switchToHttp().getRequest();
 
-    if (!data) return request.user;
+//     if (!data) return request.user;
-    return request.user[data];
+//     return request.user[data];
-  }
+//   }
-);
+// );

backend/src/modules/auth-module/common/decorators/index.ts

@@ -1,2 +1,2 @@
 export * from './get-user-id.decorator';
-export * from './get-user.decorator';
+// export * from './get-user.decorator';

backend/src/modules/auth-module/controller/auth.controller.ts

@@ -4,14 +4,19 @@ import {
   Body,
   HttpCode,
   HttpStatus,
-  UseGuards,
+  Res,
+  Req,
 } from '@nestjs/common';
-import { ApiCreatedResponse, ApiHeader, ApiTags } from '@nestjs/swagger';
+import { ApiCreatedResponse, ApiTags } from '@nestjs/swagger';
+import { Response, Request } from 'express';
 import { Public } from 'src/shared/decorator';
 
-import { GetCurrentUser, GetCurrentUserId } from '../common/decorators';
+import { GetCurrentUserId } from '../common/decorators';
-import { RefreshTokenGuard } from '../common/guards';
+import {
-import { TokensDto, UserCredentialsDto } from '../models/dto';
+  AccessTokenDto,
+  LoginResponseDto,
+  UserCredentialsDto,
+} from '../models/dto';
 import { AuthService } from '../services/auth.service';
 
 @ApiTags('Authentication')
@@ -21,59 +26,50 @@ export class AuthController {
 
   @ApiCreatedResponse({
     description: 'User signed up successfully',
-    type: TokensDto,
+    type: LoginResponseDto,
   })
   @Public()
   @Post('signup')
   @HttpCode(HttpStatus.CREATED)
   public async signup(
     @Body() userCredentials: UserCredentialsDto
-  ): Promise<TokensDto> {
+  ): Promise<LoginResponseDto> {
     return this.authService.signup(userCredentials);
   }
 
   @ApiCreatedResponse({
     description: 'User signin successfully',
-    type: TokensDto,
+    type: LoginResponseDto,
   })
+  @HttpCode(HttpStatus.OK)
   @Public()
   @Post('signin')
-  @HttpCode(HttpStatus.OK)
   public async signin(
+    @Res({ passthrough: true }) response: Response,
+    @Req() request: Request,
     @Body() userCredentials: UserCredentialsDto
-  ): Promise<TokensDto> {
+  ): Promise<LoginResponseDto> {
-    return this.authService.signin(userCredentials);
+    return await this.authService.signin(userCredentials, response, request);
+  }
+
+  @ApiCreatedResponse({
+    description: 'User tokens refreshed successfully',
+    type: AccessTokenDto,
+  })
+  @HttpCode(HttpStatus.OK)
+  @Public()
+  @Post('refresh')
+  public async refreshToken(@Req() request: Request): Promise<AccessTokenDto> {
+    return await this.authService.refresh(request);
   }
 
   @ApiCreatedResponse({
     description: 'User signed out successfully',
     type: Boolean,
   })
-  @Post('logout')
   @HttpCode(HttpStatus.OK)
+  @Post('logout')
   public async logout(@GetCurrentUserId() userId: string): Promise<boolean> {
     return this.authService.logout(userId);
   }
-
-  @ApiHeader({
-    name: 'Authorization',
-    required: true,
-    schema: {
-      example: 'Bearer <refresh_token>',
-    },
-  })
-  @ApiCreatedResponse({
-    description: 'User tokens refreshed successfully',
-    type: TokensDto,
-  })
-  @Public()
-  @UseGuards(RefreshTokenGuard)
-  @Post('refresh')
-  @HttpCode(HttpStatus.OK)
-  public async refresh(
-    @GetCurrentUserId() userId: string,
-    @GetCurrentUser('refresh_token') refresh_token: string
-  ): Promise<TokensDto> {
-    return this.authService.refresh(userId, refresh_token);
-  }
 }

backend/src/modules/auth-module/models/dto/access-token.dto.ts

@@ -1,7 +1,7 @@
 import { ApiProperty } from '@nestjs/swagger';
 import { IsNotEmpty, IsString } from 'class-validator';
 
-export class TokensDto {
+export class AccessTokenDto {
   @ApiProperty({
     title: 'Access token',
     description: 'Access token',
@@ -10,13 +10,4 @@ export class TokensDto {
   @IsNotEmpty()
   @IsString()
   public access_token: string;
-
-  @ApiProperty({
-    title: 'Refresh token',
-    description: 'Refresh token',
-    example: 'eyJhbGci',
-  })
-  @IsNotEmpty()
-  @IsString()
-  public refresh_token: string;
 }

backend/src/modules/auth-module/models/dto/index.ts

@@ -1,2 +1,3 @@
 export * from './user-credentials.dto';
-export * from './tokens.dto';
+export * from './login-response.dto';
+export * from './access-token.dto';

backend/src/modules/auth-module/models/dto/login-response.dto.ts

@@ -0,0 +1,32 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
+
+export class LoginResponseDto {
+  @ApiProperty({
+    title: 'Access token',
+    description: 'Access token',
+    example: 'eyJhbGci',
+  })
+  @IsNotEmpty()
+  @IsString()
+  public access_token: string;
+
+  @ApiProperty({
+    title: 'Email',
+    description: 'User Email',
+    example: 'foo@bar.de',
+  })
+  @IsNotEmpty()
+  @IsString()
+  @IsEmail()
+  public email: string;
+
+  @ApiProperty({
+    title: 'User ID',
+    description: 'User ID',
+  })
+  @IsNotEmpty()
+  @IsString()
+  @IsEmail()
+  public userId: string;
+}

backend/src/modules/auth-module/models/types/index.ts

@@ -1,2 +1,4 @@
 export * from './jwt-payload.type';
-export * from './jwt-payload-with-refresh-token.type';
+// export * from './jwt-payload-with-refresh-token.type';
+export * from './token-payload.type';
+export * from './tokens.type';

backend/src/modules/auth-module/models/types/jwt-payload-with-refresh-token.type.ts

@@ -1,3 +1,3 @@
-import { JwtPayload } from './jwt-payload.type';
+// import { JwtPayload } from './jwt-payload.type';
 
-export type JwtPayloadWithRefreshToken = JwtPayload & { refresh_token: string };
+// export type JwtPayloadWithRefreshToken = JwtPayload & { refresh_token: string };

backend/src/modules/auth-module/models/types/token-payload.type.ts

@@ -0,0 +1,6 @@
+export type TokenPayload = {
+  sub: string;
+  email: string;
+  iat: number;
+  exp: number;
+};

backend/src/modules/auth-module/models/types/tokens.type.ts

@@ -0,0 +1,4 @@
+export type Tokens = {
+  access_token: string;
+  refresh_token: string;
+};

backend/src/modules/auth-module/repositories/session.repository.ts

@@ -0,0 +1,101 @@
+import { Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Response } from 'express';
+import { Session } from 'src/entities';
+import { LessThan, Repository } from 'typeorm';
+import { v4 as uuidv4 } from 'uuid';
+
+@Injectable()
+export class SessionRepository {
+  public constructor(
+    @InjectRepository(Session)
+    private sessionRepository: Repository<Session>
+  ) {}
+
+  public async createSession(
+    userId: string,
+    userAgent: string
+  ): Promise<Session> {
+    const sessionId = uuidv4();
+    const expirationDate = new Date();
+
+    expirationDate.setHours(expirationDate.getHours() + 1);
+    const session = this.sessionRepository.create({
+      userCredentials: userId,
+      sessionId,
+      expiresAt: expirationDate,
+      userAgent,
+    });
+
+    await this.sessionRepository.save(session);
+    return session;
+  }
+
+  public async findSessionBySessionId(sessionId: string): Promise<Session> {
+    return await this.sessionRepository.findOne({
+      where: { sessionId: sessionId },
+      relations: ['userCredentials'],
+    });
+  }
+
+  public attachSessionToResponse(response: Response, sessionId: string): void {
+    response.cookie('session_id', sessionId, {
+      httpOnly: true,
+      secure: true,
+      sameSite: 'strict',
+    });
+  }
+
+  public async validateSessionUserAgent(
+    sessionId: string,
+    currentUserAgent: string
+  ): Promise<boolean> {
+    const session = await this.sessionRepository.findOne({
+      where: { sessionId: sessionId },
+      select: ['userAgent'],
+    });
+
+    if (!session) {
+      return false;
+    }
+
+    return session.userAgent === currentUserAgent;
+  }
+
+  public async checkSessionLimit(userId: string): Promise<void> {
+    const userSessions = await this.sessionRepository
+      .createQueryBuilder('session')
+      .leftJoinAndSelect('session.userCredentials', 'userCredentials')
+      .where('userCredentials.id = :userId', { userId })
+      .orderBy('session.expiresAt', 'ASC')
+      .getMany();
+
+    if (userSessions.length >= 5) {
+      await this.sessionRepository.delete(userSessions[0].id);
+    }
+  }
+
+  public async invalidateAllSessionsForUser(userId: string): Promise<void> {
+    await this.sessionRepository.delete({ userCredentials: userId });
+  }
+
+  public async extendSessionExpiration(sessionId: string): Promise<void> {
+    const session = await this.sessionRepository.findOne({
+      where: { sessionId },
+    });
+
+    if (session) {
+      session.expiresAt = new Date(
+        session.expiresAt.setMinutes(session.expiresAt.getMinutes() + 30)
+      );
+      await this.sessionRepository.save(session);
+    }
+  }
+
+  // TODO Add cron job to clear expired sessions
+  public async clearExpiredSessions(): Promise<void> {
+    const now = new Date();
+
+    await this.sessionRepository.delete({ expiresAt: LessThan(now) });
+  }
+}

backend/src/modules/auth-module/repositories/user-credentials.repository.ts

@@ -31,11 +31,11 @@ export class UserCredentialsRepository {
     return this.repository.findOne({ where: { id: userId } });
   }
 
-  public async updateUserTokenHash(
+  public async updateUserRefreshToken(
     userId: string,
-    hashedRt: string | null
+    refreshToken: string | null
   ): Promise<number> {
-    const result = await this.repository.update(userId, { hashedRt });
+    const result = await this.repository.update(userId, { refreshToken });
 
     return result.affected ?? 0;
   }

backend/src/modules/auth-module/services/auth.service.ts

@@ -1,12 +1,20 @@
 import { ForbiddenException, Injectable } from '@nestjs/common';
+import { Response, Request } from 'express';
+import { Session } from 'src/entities';
 import { EncryptionService } from 'src/shared';
 
 import { PasswordConfirmationMailService } from '../../sendgrid-module/services/password-confirmation.mail.service';
 import { UserDataRepository } from '../../user-module/repositories/user-data.repository';
 import { EmailVerificationService } from '../../verify-module/services/email-verification.service';
-import { TokensDto, UserCredentialsDto } from '../models/dto';
+import {
+  AccessTokenDto,
+  LoginResponseDto,
+  UserCredentialsDto,
+} from '../models/dto';
+import { TokenPayload } from '../models/types';
 import { UserCredentialsRepository } from '../repositories/user-credentials.repository';
 
+import { SessionService } from './session.service';
 import { TokenManagementService } from './token-management.service';
 
 @Injectable()
@@ -16,10 +24,13 @@ export class AuthService {
     private readonly userDataRepository: UserDataRepository,
     private readonly tokenManagementService: TokenManagementService,
     private readonly passwordConfirmationMailService: PasswordConfirmationMailService,
-    private readonly emailVerificationService: EmailVerificationService
+    private readonly emailVerificationService: EmailVerificationService,
+    private readonly sessionService: SessionService
   ) {}
 
-  public async signup(userCredentials: UserCredentialsDto): Promise<TokensDto> {
+  public async signup(
+    userCredentials: UserCredentialsDto
+  ): Promise<LoginResponseDto> {
     const passwordHashed = await EncryptionService.hashData(
       userCredentials.password
     );
@@ -44,7 +55,11 @@ export class AuthService {
     return this.generateAndPersistTokens(user.id, user.email);
   }
 
-  public async signin(userCredentials: UserCredentialsDto): Promise<TokensDto> {
+  public async signin(
+    userCredentials: UserCredentialsDto,
+    response: Response,
+    request: Request
+  ): Promise<LoginResponseDto> {
     const user = await this.userCredentialsRepository.findUserByEmail(
       userCredentials.email
     );
@@ -62,56 +77,104 @@ export class AuthService {
       throw new ForbiddenException('Access Denied');
     }
 
-    return this.generateAndPersistTokens(user.id, user.email);
+    await this.sessionService.checkSessionLimit(user.id);
-  }
 
-  public async refresh(
+    const sesseionId = await this.sessionService.createSession(
-    userId: string,
+      user.id,
-    refreshToken: string
+      request.headers['user-agent']
-  ): Promise<TokensDto> {
-    const user = await this.userCredentialsRepository.findUserById(userId);
-
-    if (!user || !user.hashedRt) {
-      throw new ForbiddenException('Access Denied');
-    }
-
-    const refreshTokenMatch = await EncryptionService.compareHash(
-      refreshToken,
-      user.hashedRt
     );
 
-    if (!refreshTokenMatch) {
+    this.sessionService.attachSessionToResponse(response, sesseionId.sessionId);
-      throw new ForbiddenException('Access Denied');
-    }
 
-    return this.generateAndPersistTokens(user.id, user.email);
+    return this.generateAndPersistTokens(user.id, user.email, true);
   }
 
   public async logout(userId: string): Promise<boolean> {
-    const affected = await this.userCredentialsRepository.updateUserTokenHash(
+    const affected =
-      userId,
+      await this.userCredentialsRepository.updateUserRefreshToken(userId, null);
-      null
+
-    );
+    await this.sessionService.invalidateAllSessionsForUser(userId);
 
     return affected > 0;
   }
 
+  public async refresh(request: Request): Promise<AccessTokenDto> {
+    const sessionId = request.cookies['session_id'];
+
+    if (!sessionId) {
+      throw new ForbiddenException('Session ID missing');
+    }
+
+    const session: Session =
+      await this.sessionService.findSessionBySessionId(sessionId);
+
+    if (!session) {
+      throw new ForbiddenException('Invalid session');
+    }
+
+    const isUserAgentValid = await this.sessionService.validateSessionUserAgent(
+      sessionId,
+      request.headers['user-agent']
+    );
+
+    if (!isUserAgentValid) {
+      throw new ForbiddenException('Invalid session - User agent mismatch');
+    }
+
+    await this.sessionService.extendSessionExpiration(sessionId);
+
+    const decodedToken: TokenPayload = await this.validateRefreshToken(
+      session.userCredentials['id']
+    );
+
+    const newTokens = await this.generateAndPersistTokens(
+      decodedToken.sub,
+      decodedToken.email,
+      false
+    );
+
+    return { access_token: newTokens.access_token };
+  }
+
   private async generateAndPersistTokens(
     userId: string,
-    email: string
+    email: string,
-  ): Promise<TokensDto> {
+    updateRefreshToken: boolean = false
+  ): Promise<LoginResponseDto> {
     const tokens = await this.tokenManagementService.generateTokens(
       userId,
       email
     );
-    const hashedRefreshToken = await EncryptionService.hashData(
+
-      tokens.refresh_token
+    if (updateRefreshToken) {
+      await this.userCredentialsRepository.updateUserRefreshToken(
+        userId,
+        tokens.refresh_token
+      );
+    }
+
+    return { access_token: tokens.access_token, email: email, userId: userId };
+  }
+
+  private async validateRefreshToken(userId: string): Promise<TokenPayload> {
+    const user = await this.userCredentialsRepository.findUserById(userId);
+
+    if (!user || !user.refreshToken) {
+      throw new Error('No refresh token found');
+    }
+
+    const decodedToken = await this.tokenManagementService.verifyRefreshToken(
+      user.refreshToken
     );
 
-    await this.userCredentialsRepository.updateUserTokenHash(
+    if (decodedToken.exp < Date.now() / 1000) {
-      userId,
+      throw new Error('Token expired');
-      hashedRefreshToken
+    }
-    );
+
-    return tokens;
+    if (decodedToken.sub !== user.id) {
+      throw new Error('Token subject mismatch');
+    }
+
+    return decodedToken;
   }
 }

backend/src/modules/auth-module/services/session.service.ts

@@ -0,0 +1,55 @@
+import { Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Response } from 'express';
+import { Session } from 'src/entities';
+
+import { SessionRepository } from '../repositories/session.repository';
+
+@Injectable()
+export class SessionService {
+  public constructor(
+    @InjectRepository(Session)
+    private readonly sessionRepository: SessionRepository
+  ) {}
+
+  public async createSession(
+    userId: string,
+    userAgent: string
+  ): Promise<Session> {
+    return await this.sessionRepository.createSession(userId, userAgent);
+  }
+
+  public async validateSessionUserAgent(
+    sessionId: string,
+    currentUserAgent: string
+  ): Promise<boolean> {
+    return await this.sessionRepository.validateSessionUserAgent(
+      sessionId,
+      currentUserAgent
+    );
+  }
+
+  public async checkSessionLimit(userId: string): Promise<void> {
+    await this.sessionRepository.checkSessionLimit(userId);
+  }
+
+  public async invalidateAllSessionsForUser(userId: string): Promise<void> {
+    await this.sessionRepository.invalidateAllSessionsForUser(userId);
+  }
+
+  public async clearExpiredSessions(): Promise<void> {
+    await this.sessionRepository.clearExpiredSessions();
+  }
+
+  public async extendSessionExpiration(sessionId: string): Promise<void> {
+    await this.sessionRepository.extendSessionExpiration(sessionId);
+  }
+
+  public async findSessionBySessionId(sessionId: string): Promise<Session> {
+    return await this.sessionRepository.findSessionBySessionId(sessionId);
+  }
+
+  public attachSessionToResponse(response: Response, sessionId: string): void {
+    this.sessionRepository.attachSessionToResponse(response, sessionId);
+  }
+}

backend/src/modules/auth-module/services/token-management.service.ts

@@ -2,7 +2,7 @@ import { Injectable } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import { JwtService } from '@nestjs/jwt';
 
-import { TokensDto } from '../models/dto';
+import { TokenPayload, Tokens } from '../models/types';
 
 @Injectable()
 export class TokenManagementService {
@@ -25,16 +25,19 @@ export class TokenManagementService {
     this.JWT_SECRET_RT = this.configService.get<string>('JWT_SECRET_RT');
   }
 
-  public async generateTokens(
+  public async generateTokens(userId: string, email: string): Promise<Tokens> {
-    userId: string,
-    email: string
-  ): Promise<TokensDto> {
     const access_token: string = await this.createAccessToken(userId, email);
     const refresh_token: string = await this.createRefreshToken(userId, email);
 
     return { access_token, refresh_token };
   }
 
+  public async verifyRefreshToken(token: string): Promise<TokenPayload> {
+    return this.jwt.verifyAsync(token, {
+      secret: this.JWT_SECRET_RT,
+    });
+  }
+
   private async createAccessToken(
     userId: string,
     email: string

backend/src/modules/database-module/database-config.ts

@@ -1,6 +1,11 @@
 import { ConfigService } from '@nestjs/config';
 import { TypeOrmModuleOptions } from '@nestjs/typeorm';
-import { EmailVerification, UserCredentials, UserData } from 'src/entities';
+import {
+  EmailVerification,
+  UserCredentials,
+  UserData,
+  Session,
+} from 'src/entities';
 
 export const databaseConfigFactory = (
   configService: ConfigService
@@ -13,5 +18,5 @@ export const databaseConfigFactory = (
   database: configService.get('DB_NAME'),
   synchronize: true,
   logging: true,
-  entities: [UserCredentials, UserData, EmailVerification],
+  entities: [UserCredentials, UserData, EmailVerification, Session],
 });

frontend/src/app/app.component.ts

@@ -1,15 +1,33 @@
-import { Component, inject } from '@angular/core';
+import { Component, OnInit } from '@angular/core';
-import { RouterOutlet } from '@angular/router';
+import { RouterOutlet, Router } from '@angular/router';
 
 import { AuthService } from './shared/service';
 @Component({
   selector: 'app-root',
   standalone: true,
-  providers: [AuthService],
+  providers: [],
   imports: [RouterOutlet],
   templateUrl: './app.component.html',
   styleUrl: './app.component.scss',
 })
-export class AppComponent {
+export class AppComponent implements OnInit {
-  private readonly authService: AuthService = inject(AuthService);
+  public constructor(
+    private readonly authService: AuthService,
+    private readonly router: Router
+  ) {}
+
+  public ngOnInit(): void {
+    this.checkAuthentication();
+  }
+
+  private checkAuthentication(): void {
+    this.authService.isAuthenticated$.subscribe((isAuthenticated: boolean) => {
+      if (isAuthenticated) {
+        console.log('User is authenticated');
+        this.router.navigateByUrl('dashboard');
+      } else {
+        this.router.navigateByUrl('signup');
+      }
+    });
+  }
 }

frontend/src/app/app.routes.ts

@@ -1,7 +1,12 @@
 import { Routes } from '@angular/router';
 
-export const routes: Routes = [
+import { AuthGuard } from './shared/guard/auth.guard';
-  { path: '', pathMatch: 'full', redirectTo: '' },
+
+const publicRoutes: Routes = [
+  {
+    path: '',
+    loadComponent: () => import('./app.component').then((m) => m.AppComponent),
+  },
   {
     path: 'signup',
     loadComponent: () =>
@@ -17,3 +22,25 @@ export const routes: Routes = [
       ),
   },
 ];
+
+const protectedRoutes: Routes = [
+  {
+    path: 'dashboard',
+    loadComponent: () =>
+      import('./pages/dashboard-root/dashboard-root.component').then(
+        (m) => m.DashboardRootComponent
+      ),
+    canActivate: [AuthGuard],
+  },
+];
+
+export const routes: Routes = [
+  {
+    path: '',
+    children: [
+      ...publicRoutes,
+      ...protectedRoutes,
+      { path: '', redirectTo: '', pathMatch: 'full' },
+    ],
+  },
+];

frontend/src/app/pages/dashboard-root/dashboard-root.component.html

@@ -0,0 +1 @@
+<h1>Hello World</h1>

frontend/src/app/pages/dashboard-root/dashboard-root.component.ts

@@ -0,0 +1,14 @@
+import { ChangeDetectionStrategy, Component } from '@angular/core';
+
+@Component({
+  selector: 'app-dashboard-root',
+  standalone: true,
+  imports: [],
+  providers: [],
+  templateUrl: './dashboard-root.component.html',
+  styleUrl: './dashboard-root.component.scss',
+  changeDetection: ChangeDetectionStrategy.OnPush,
+})
+export class DashboardRootComponent {
+  public constructor() {}
+}

frontend/src/app/pages/register-root/register-root.component.ts

@@ -47,7 +47,7 @@ type AuthAction = 'register' | 'signup';
     PasswordModule,
     HttpClientModule,
   ],
-  providers: [AuthService],
+  providers: [],
   templateUrl: './register-root.component.html',
   styleUrl: './register-root.component.scss',
   changeDetection: ChangeDetectionStrategy.OnPush,

frontend/src/app/shared/guard/auth.guard.ts

@@ -0,0 +1,32 @@
+import { inject } from '@angular/core';
+import {
+  ActivatedRouteSnapshot,
+  CanActivateFn,
+  Router,
+  RouterStateSnapshot,
+  UrlTree,
+} from '@angular/router';
+
+import { Observable } from 'rxjs';
+
+import { AuthService } from '../service';
+
+export const AuthGuard: CanActivateFn = (
+  route: ActivatedRouteSnapshot,
+  state: RouterStateSnapshot
+):
+  | Observable<boolean | UrlTree>
+  | Promise<boolean | UrlTree>
+  | boolean
+  | UrlTree => {
+  const authService: AuthService = inject(AuthService);
+  const router: Router = inject(Router);
+
+  authService.isAuthenticated$.subscribe((isAuthenticated: boolean) => {
+    if (!isAuthenticated) {
+      router.navigateByUrl('signup');
+    }
+  });
+
+  return true;
+};

frontend/src/app/shared/interceptors/auth.interceptor.ts

@@ -1,51 +1,79 @@
 import {
-  HttpErrorResponse,
-  HttpEvent,
-  HttpHandlerFn,
   HttpInterceptorFn,
   HttpRequest,
+  HttpHandlerFn,
+  HttpEvent,
+  HttpErrorResponse,
 } from '@angular/common/http';
 import { inject } from '@angular/core';
+import { Router } from '@angular/router';
 
-import { Observable, catchError, switchMap, throwError } from 'rxjs';
+import { Observable, throwError } from 'rxjs';
+import { catchError, switchMap } from 'rxjs/operators';
 
 import { AuthService } from '../service';
-import { Tokens } from '../types';
 
 export const AuthInterceptor: HttpInterceptorFn = (
   request: HttpRequest<unknown>,
   next: HttpHandlerFn
 ): Observable<HttpEvent<unknown>> => {
-  const authService: AuthService = inject(AuthService);
+  const router = inject(Router);
-  const accessToken: string | null = authService.access_token;
+  const authService = inject(AuthService);
 
-  if (accessToken) {
+  const handleRequest = (
-    request = request.clone({
+    req: HttpRequest<unknown>
+  ): Observable<HttpEvent<unknown>> => {
+    const accessToken = authService.access_token;
+
+    if (accessToken) {
+      req = addAuthHeader(req, accessToken);
+    }
+    return next(req);
+  };
+
+  const addAuthHeader = (
+    req: HttpRequest<unknown>,
+    token: string
+  ): HttpRequest<unknown> => {
+    return req.clone({
       setHeaders: {
-        Authorization: `Bearer ${accessToken}`,
+        Authorization: `Bearer ${token}`,
       },
     });
-  }
+  };
-  return next(request).pipe(
-    catchError((error: HttpErrorResponse) => {
-      if (error.status === 401) {
-        return authService.refreshToken().pipe(
-          switchMap((tokens: Tokens) => {
-            request = request.clone({
-              setHeaders: {
-                Authorization: `Bearer ${tokens.access_token}`,
-              },
-            });
-            return next(request);
-          }),
-          catchError((refreshError) => {
-            authService.signout();
-            return throwError(() => new Error(refreshError));
-          })
-        );
-      }
 
-      return throwError(() => new Error());
+  const handle401Error = (
-    })
+    req: HttpRequest<unknown>
+  ): Observable<HttpEvent<unknown>> => {
+    console.log(authService.refresh_token);
+    if (!authService.refresh_token) {
+      router.navigateByUrl('signup');
+      return throwError(() => new Error('Authentication required'));
+    }
+
+    return authService.refreshToken().pipe(
+      switchMap((tokens) => {
+        req = addAuthHeader(req, tokens.access_token);
+        return next(req);
+      }),
+      catchError((refreshError) => {
+        router.navigateByUrl('signup');
+        return throwError(() => new Error(refreshError));
+      })
+    );
+  };
+
+  const handleError = (
+    error: HttpErrorResponse,
+    req: HttpRequest<unknown>
+  ): Observable<HttpEvent<unknown>> => {
+    if (error.status === 401) {
+      return handle401Error(req);
+    }
+    return throwError(() => new Error('Unhandled error'));
+  };
+
+  return handleRequest(request).pipe(
+    catchError((error) => handleError(error, request))
   );
 };

frontend/src/app/shared/service/auth.service.ts

@@ -1,4 +1,3 @@
-import { HttpClient } from '@angular/common/http';
 import { Injectable } from '@angular/core';
 
 import { BehaviorSubject, Observable, tap } from 'rxjs';
@@ -13,22 +12,28 @@ import { SessionStorageService } from './session-storage.service';
   providedIn: 'root',
 })
 export class AuthService {
+  public isAuthenticated$: BehaviorSubject<boolean> =
+    new BehaviorSubject<boolean>(false);
   private _access_token: string | null = null;
   private _refresh_token: string | null = null;
-  private _isAuthenticated$: BehaviorSubject<boolean> =
-    new BehaviorSubject<boolean>(false);
 
   public get access_token(): string | null {
     return this._access_token;
   }
 
+  public get refresh_token(): string | null {
+    return this._refresh_token;
+  }
+
   public constructor(
-    private readonly httpClient: HttpClient,
     private readonly localStorageService: LocalStorageService,
     private readonly sessionStorageService: SessionStorageService,
     private readonly authenticationApiService: AuthenticationApiService
   ) {
-    //this.autoLogin();
+    this._access_token =
+      this.localStorageService.getItem<string>('access_token');
+    this._refresh_token =
+      this.sessionStorageService.getItem<string>('refresh_token');
   }
 
   public signin(credentials: LoginCredentials): void {
@@ -66,31 +71,16 @@ export class AuthService {
           this._refresh_token = null;
           this.localStorageService.removeItem('access_token');
           this.sessionStorageService.removeItem('refresh_token');
-          this._isAuthenticated$.next(false);
+          this.isAuthenticated$.next(false);
         }
       });
   }
 
-  public autoLogin(): void {
-    const storedAccessToken: string | null =
-      this.localStorageService.getItem('access_token');
-    const storedRefreshToken: string | null =
-      this.sessionStorageService.getItem('refresh_token');
-
-    if (storedAccessToken && storedRefreshToken) {
-      this._refresh_token = storedRefreshToken;
-      this._isAuthenticated$.next(true);
-      //TODO Validate tokens with backend or decode JWT to check expiration
-    } else {
-      this.signout();
-    }
-  }
-
   private handleSuccess(tokens: Tokens): void {
     this._access_token = tokens.access_token;
     this._refresh_token = tokens.refresh_token;
     this.localStorageService.setItem('access_token', tokens.access_token);
     this.sessionStorageService.setItem('refresh_token', tokens.refresh_token);
-    this._isAuthenticated$.next(true);
+    this.isAuthenticated$.next(true);
   }
 }