Feat: Github auth flow in API

package.json

@@ -3,6 +3,9 @@
   "version": "3.4.27",
   "description": "",
   "type": "module",
+  "exports": {
+    ".": "./src/index.ts"
+  },
   "engines": {
     "node": ">=22.0.0"
   },
@@ -23,19 +26,26 @@
   "author": "Christian Landgren, William Ryder, Samuel Plumppu mfl",
   "license": "MIT License",
   "dependencies": {
+    "@asteasolutions/zod-to-openapi": "^7.3.0",
     "@bull-board/api": "^6.5.3",
     "@bull-board/express": "^6.5.3",
     "@prisma/client": "^5.22.0",
+    "@types/axios": "^0.9.36",
     "@types/node": "^22.10.0",
+    "axios": "^1.7.9",
     "bullmq": "^5.28.0",
     "chromadb": "^1.9.4",
     "compromise": "^14.13.0",
     "cors": "^2.8.5",
     "discord.js": "^14.16.3",
     "dotenv": "^16.4.5",
     "express": "^5.0.1",
+    "express-session": "^1.18.1",
     "jest": "^29.7.0",
+    "jsonwebtoken": "^9.0.2",
     "openai": "^4.73.1",
+    "passport": "^0.7.0",
+    "passport-github2": "^0.1.12",
     "pdf2pic": "^3.1.3",
     "pino-http": "^10.3.0",
     "prisma-zod-generator": "^0.8.13",
@@ -45,16 +55,22 @@
     "zod": "^3.23.8"
   },
   "devDependencies": {
+    "@scalar/express-api-reference": "^0.2.75",
     "@types/cors": "^2.8.17",
     "@types/express": "^5.0.0",
+    "@types/express-session": "^1.17.10",
     "@types/node": "^22.8.4",
+    "@types/passport": "^1.0.17",
     "concurrently": "^9.1.0",
     "deepl-node": "^1.15.0",
     "exceljs": "^4.4.0",
     "jest": "^29.7.0",
     "pino-pretty": "^13.0.0",
     "prisma": "^5.22.0",
     "supertest": "^7.0.0",
+    "swagger-jsdoc": "^6.2.8",
+    "swagger-ui-express": "^5.0.1",
+    "ts-jest": "^29.2.5",
     "typescript": "^5.7.2"
   },
   "overrides": {

prisma/migrations/20250108132019_add_github_token_to_user/migration.sql

@@ -0,0 +1,3 @@
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN     "githubId" TEXT,
+ADD COLUMN     "githubToken" TEXT;

prisma/schema.prisma

@@ -357,12 +357,12 @@ model Metadata {
 }
 
 model User {
-  id    Int    @id @default(autoincrement())
-  email String @unique
-  name  String
+  id         Int    @id @default(autoincrement())
+  email      String @unique
+  name       String
+  githubId   String?
+  githubToken String?
 
-  // TODO: connect with github ID
-  // TODO: store github profile image - or get it via API
   updated  Metadata[] @relation("metadata_user_id")
   verified Metadata[] @relation("metadata_verified_by")
 }

src/api.ts

@@ -1,8 +1,12 @@
 import express from 'express'
 import pino from 'pino-http'
-import readCompanies from './routes/readCompanies'
-import updateCompanies from './routes/updateCompanies'
+import swaggerJsdoc from 'swagger-jsdoc'
+import { apiReference } from '@scalar/express-api-reference'
+import readCompanies from './routes/companies/company.read'
+import updateCompanies from './routes/companies/company.update'
 import { errorHandler } from './routes/middlewares'
+import { swaggerOptions } from './swagger'
+import auth from './routes/auth'
 
 const apiRouter = express.Router()
 const pinoConfig = process.stdin.isTTY && {
@@ -12,9 +16,31 @@ const pinoConfig = process.stdin.isTTY && {
   level: 'info',
 }
 apiRouter.use(pino(pinoConfig || undefined))
+
+// API Routes
+// Generate OpenAPI spec
+const openApiSpec = swaggerJsdoc(swaggerOptions)
+
+apiRouter.use('/auth', auth)
+
+// API Routes
 apiRouter.use('/companies', readCompanies)
 apiRouter.use('/companies', updateCompanies)
 
+// API Documentation
+apiRouter.get('/openapi.json', (req, res) => {
+  res.json(openApiSpec)
+})
+
+apiRouter.use(
+  '/',
+  apiReference({
+    spec: {
+      url: '/api/openapi.json',
+    },
+  })
+)
+
 // TODO: Why does this error handler not capture errors thrown in readCompanies?
 apiRouter.use(errorHandler)
 

src/config/api.ts

@@ -15,13 +15,35 @@ const envSchema = z.object({
     ),
   API_BASE_URL: z.string().default('http://localhost:3000/api'),
   PORT: z.coerce.number().default(3000),
+  CACHE_MAX_AGE: z.coerce.number().default(3000),
 })
 
 const env = envSchema.parse(process.env)
 
+export type HttpMethod = 'GET' | 'POST' | 'PATCH' | 'PUT' | 'DELETE'
 const ONE_DAY = 1000 * 60 * 60 * 24
 
 export default {
+  cacheMaxAge: env.CACHE_MAX_AGE,
+
+  authorizedUsers: {
+    garbo: '[email protected]',
+    alex: '[email protected]',
+  } as const,
+
+  developmentOrigins: ['http://localhost:4321'],
+  productionOrigins: [
+    'https://beta.klimatkollen.se',
+    'https://klimatkollen.se',
+  ],
+
+  httpMethods: {
+    get: 'GET',
+    post: 'POST',
+    patch: 'PATCH',
+    put: 'PUT',
+    delete: 'DELETE',
+  } as const,
   tokens: env.API_TOKENS,
   frontendURL: env.FRONTEND_URL,
   baseURL: env.API_BASE_URL,

src/config/auth.ts

@@ -0,0 +1,31 @@
+import 'dotenv/config'
+import { z } from 'zod'
+
+const envSchema = z.object({
+  GITHUB_CLIENT_ID: z.string(),
+  GITHUB_CLIENT_SECRET: z.string(),
+  GITHUB_CALLBACK_URL: z
+    .string()
+    .default('http://localhost:3000/api/auth/github/callback'),
+  GITHUB_ORG_NAME: z.string().default('Klimatbyran'),
+  JWT_SECRET: z.string().default('your-secret-key'),
+  SESSION_SECRET: z.string().default('session-secret'),
+})
+
+const env = envSchema.parse(process.env)
+
+export default {
+  github: {
+    clientID: env.GITHUB_CLIENT_ID,
+    clientSecret: env.GITHUB_CLIENT_SECRET,
+    callbackURL: env.GITHUB_CALLBACK_URL,
+    organization: env.GITHUB_ORG_NAME,
+  },
+  jwt: {
+    secret: env.JWT_SECRET,
+    expiresIn: '24h',
+  },
+  session: {
+    secret: env.SESSION_SECRET,
+  },
+}

src/index.ts

@@ -1,8 +1,12 @@
 import express from 'express'
 import { parseArgs } from 'node:util'
+import session from 'express-session'
+import passport from 'passport'
 
 import api from './api'
 import apiConfig from './config/api'
+import authConfig from './config/auth'
+import './lib/auth' // Initialize passport
 
 const { values } = parseArgs({
   options: {
@@ -18,9 +22,22 @@ const START_BOARD = !values['api-only']
 const port = apiConfig.port
 const app = express()
 
+app.use(session({
+  secret: authConfig.session.secret,
+  resave: false,
+  saveUninitialized: false
+}))
+
+app.use(passport.initialize())
+app.use(passport.session())
+
 app.get('/favicon.ico', express.static('public/favicon.png'))
 app.use('/api', api)
 
+app.get('/', (req, res) => {
+  res.redirect('/api')
+})
+
 if (START_BOARD) {
   const queue = (await import('./queue')).default
   app.use('/admin/queues', queue)

src/lib/auth.ts

@@ -0,0 +1,130 @@
+import passport from 'passport'
+import { Strategy as GitHubStrategy } from 'passport-github2'
+import jwt from 'jsonwebtoken'
+import { prisma } from './prisma'
+import authConfig from '../config/auth'
+import { Request, Response, NextFunction } from 'express'
+import { GarboAPIError } from './garbo-api-error'
+import axios from 'axios'
+import { User } from '@prisma/client'
+
+passport.use(
+  new GitHubStrategy(
+    authConfig.github,
+    async (accessToken, refreshToken, profile, done) => {
+      try {
+        const user = await prisma.user.upsert({
+          where: { email: profile.emails![0].value },
+          update: {
+            name: profile.displayName,
+            githubId: profile.id,
+            githubToken: accessToken,
+          },
+          create: {
+            email: profile.emails![0].value,
+            name: profile.displayName,
+            githubId: profile.id,
+            githubToken: accessToken,
+          },
+        })
+        return done(null, user)
+      } catch (error) {
+        return done(error)
+      }
+    }
+  )
+)
+
+passport.serializeUser((user: any, done) => {
+  done(null, user.id)
+})
+
+passport.deserializeUser(async (id: number, done) => {
+  try {
+    const user = await prisma.user.findUnique({ where: { id } })
+    done(null, user)
+  } catch (error) {
+    done(error)
+  }
+})
+
+export const generateToken = (user: any) => {
+  return jwt.sign(
+    {
+      id: user.id,
+      email: user.email,
+      githubId: user.githubId,
+      githubToken: user.githubToken,
+    },
+    authConfig.jwt.secret,
+    {
+      expiresIn: authConfig.jwt.expiresIn,
+    }
+  )
+}
+
+export const authenticateJWT = (
+  req: Request,
+  res: Response,
+  next: NextFunction
+) => {
+  const authHeader = req.headers.authorization
+
+  if (!authHeader) {
+    throw new GarboAPIError('No authorization header', { statusCode: 401 })
+  }
+
+  const token = authHeader.split(' ')[1]
+
+  try {
+    const user = jwt.verify(token, authConfig.jwt.secret)
+    res.locals.user = user
+    next()
+  } catch (error) {
+    throw new GarboAPIError('Invalid token', { statusCode: 401 })
+  }
+}
+
+export const checkOrgMembership = async (
+  req: Request,
+  res: Response,
+  next: NextFunction
+) => {
+  const user = res.locals.user as User
+
+  if (!user) {
+    throw new GarboAPIError('User not authenticated', { statusCode: 401 })
+  }
+
+  try {
+    const response = await axios.get(
+      `https://api.github.com/orgs/${authConfig.github.organization}/members/${user.githubId}`,
+      {
+        headers: {
+          Accept: 'application/vnd.github.v3+json',
+          Authorization: `Bearer ${user.githubToken}`,
+        },
+      }
+    )
+
+    if (response.status === 204) {
+      next()
+    } else {
+      throw new GarboAPIError(
+        'User is not a member of the required organization',
+        { statusCode: 403 }
+      )
+    }
+  } catch (error) {
+    if (error.response?.status === 404) {
+      throw new GarboAPIError(
+        'User is not a member of the required organization',
+        { statusCode: 403 }
+      )
+    }
+    throw new GarboAPIError('Failed to verify organization membership', {
+      statusCode: 500,
+      original: error,
+    })
+  }
+}