feat: implement GitHub identity provider

.env.example

@@ -23,6 +23,9 @@ DATABASE_RESET=false
 # Discord OAuth2 client ID and secret (required)
 DISCORD_CLIENT_ID=
 DISCORD_CLIENT_SECRET=
+# GitHub OAuth2 client ID and secret (required)
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
 # Enable GraphQL Playground
 GRAPHQL_PLAYGROUND=true
 # JWT Secret (generate a random string with `openssl rand -hex 32`)

api-schema.graphql

@@ -53,6 +53,7 @@ input AdminUpdateUserInput {
 
 type AppConfig {
   authDiscordEnabled: Boolean!
+  authGithubEnabled: Boolean!
   authPasswordEnabled: Boolean!
   authRegisterEnabled: Boolean!
   authSolanaEnabled: Boolean!

libs/api/auth/data-access/src/index.ts

@@ -5,6 +5,7 @@ export * from './lib/dto/login.input'
 export * from './lib/dto/register.input'
 export * from './lib/guards/api-anon-jwt-guard.service'
 export * from './lib/guards/api-auth-discord.guard'
+export * from './lib/guards/api-auth-github.guard'
 export * from './lib/guards/api-auth-graphql-admin-guard'
 export * from './lib/guards/api-auth-graphql-user-guard.service'
 export * from './lib/guards/api-auth-jwt-guard.service'

libs/api/auth/data-access/src/lib/api-auth-data-access.module.ts

@@ -7,6 +7,7 @@ import { ApiAuthDiscordGuard } from './guards/api-auth-discord.guard'
 import { ApiAuthGraphQLUserGuard } from './guards/api-auth-graphql-user-guard.service'
 import { ApiAuthJwtStrategy } from './strategies/api-auth-jwt.strategy'
 import { DiscordStrategy } from './strategies/discord.strategy'
+import { GithubStrategy } from './strategies/github.strategy'
 
 @Module({
   imports: [
@@ -18,7 +19,14 @@ import { DiscordStrategy } from './strategies/discord.strategy'
     }),
     PassportModule,
   ],
-  providers: [ApiAuthDiscordGuard, ApiAuthGraphQLUserGuard, ApiAuthJwtStrategy, ApiAuthService, DiscordStrategy],
+  providers: [
+    ApiAuthDiscordGuard,
+    ApiAuthGraphQLUserGuard,
+    ApiAuthJwtStrategy,
+    ApiAuthService,
+    DiscordStrategy,
+    GithubStrategy,
+  ],
   exports: [ApiAuthService],
 })
 export class ApiAuthDataAccessModule {}

libs/api/auth/data-access/src/lib/api-auth.service.ts

@@ -74,9 +74,60 @@ export class ApiAuthService {
     return this.findUsername(newUsername)
   }
 
+  async validateRequest({
+    req,
+    providerId,
+    provider,
+    profile,
+    accessToken,
+    refreshToken,
+  }: {
+    providerId: string
+    provider: IdentityProvider
+    accessToken: string
+    refreshToken: string
+    profile: Prisma.InputJsonValue
+    req: AuthRequest
+  }) {
+    const found = await this.findUserByIdentity({
+      provider,
+      providerId,
+    })
+
+    if (found && req.user?.id && found.ownerId !== req.user?.id) {
+      throw new Error(`This ${provider} account is already linked to another user.`)
+    }
+
+    if (found) {
+      await this.core.data.identity.update({
+        where: { id: found.id },
+        data: { accessToken, refreshToken, verified: true, profile },
+      })
+      return found.owner
+    }
+
+    const identity: Prisma.IdentityCreateWithoutOwnerInput = {
+      provider,
+      providerId,
+      accessToken,
+      refreshToken,
+      verified: true,
+      profile,
+    }
+
+    if (req.user?.id) {
+      return await this.updateUserWithIdentity(req.user.id, identity)
+    }
+
+    return await this.createUserWithIdentity(identity)
+  }
+
   async createUserWithIdentity(identity: Prisma.IdentityCreateWithoutOwnerInput) {
     const username = await this.findUsername((identity.profile as { username: string }).username ?? identity.providerId)
-    const admin = this.core.config.authDiscordAdminIds?.includes(identity.providerId)
+    const admin = this.core.config.isAdminId(identity.provider, identity.providerId)
+    this.logger.verbose(
+      `Creating user ${username} with identity ${identity.providerId} (${identity.provider}) (admin: ${admin})`,
+    )
 
     const user = await this.core.data.user.create({
       data: {
@@ -85,6 +136,7 @@ export class ApiAuthService {
         role: admin ? UserRole.Admin : UserRole.User,
         status: UserStatus.Active,
         username,
+        name: (identity.profile as { name?: string })?.name,
         identities: {
           create: {
             ...identity,

libs/api/auth/data-access/src/lib/guards/api-auth-github.guard.ts

@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common'
+import { AuthGuard } from '@nestjs/passport'
+
+@Injectable()
+export class ApiAuthGithubGuard extends AuthGuard('github') {}

libs/api/auth/data-access/src/lib/strategies/discord.strategy.ts

@@ -1,6 +1,6 @@
 import { Injectable } from '@nestjs/common'
 import { PassportStrategy } from '@nestjs/passport'
-import { IdentityProvider, Prisma } from '@prisma/client'
+import { IdentityProvider } from '@prisma/client'
 import { ApiCoreService } from '@pubkey-stack/api-core-data-access'
 
 import { Profile, Strategy } from 'passport-discord'
@@ -20,39 +20,14 @@ export class DiscordStrategy extends PassportStrategy(Strategy, 'discord') {
   }
 
   async validate(req: AuthRequest, accessToken: string, refreshToken: string, profile: Profile) {
-    const found = await this.service.findUserByIdentity({
-      provider: this.provider,
+    return this.service.validateRequest({
+      req,
       providerId: profile.id,
-    })
-
-    if (found && req.user?.id && found.ownerId !== req.user?.id) {
-      throw new Error('This Discord account is already linked to another user.')
-    }
-
-    const identityProfile = createDiscordProfile(profile)
-
-    if (found) {
-      await this.core.data.identity.update({
-        where: { id: found.id },
-        data: { accessToken, refreshToken, verified: true, profile: identityProfile },
-      })
-      return found.owner
-    }
-
-    const identity: Prisma.IdentityCreateWithoutOwnerInput = {
       provider: this.provider,
-      providerId: profile.id,
       accessToken,
       refreshToken,
-      verified: true,
-      profile: identityProfile,
-    }
-
-    if (req.user?.id) {
-      return await this.service.updateUserWithIdentity(req.user.id, identity)
-    }
-
-    return await this.service.createUserWithIdentity(identity)
+      profile: createDiscordProfile(profile),
+    })
   }
 }
 

libs/api/auth/data-access/src/lib/strategies/github.strategy.ts

@@ -0,0 +1,41 @@
+import { Injectable } from '@nestjs/common'
+import { PassportStrategy } from '@nestjs/passport'
+import { IdentityProvider } from '@prisma/client'
+import { ApiCoreService } from '@pubkey-stack/api-core-data-access'
+
+import { Profile, Strategy } from 'passport-github'
+import { ApiAuthService, AuthRequest } from '../api-auth.service'
+
+@Injectable()
+export class GithubStrategy extends PassportStrategy(Strategy, 'github') {
+  private readonly provider = IdentityProvider.GitHub
+  constructor(private core: ApiCoreService, private service: ApiAuthService) {
+    super({
+      clientID: process.env['GITHUB_CLIENT_ID'],
+      clientSecret: process.env['GITHUB_CLIENT_SECRET'],
+      callbackURL: core.config.webUrl + '/api/auth/github/callback',
+      scope: ['public_profile'],
+      passReqToCallback: true,
+    })
+  }
+
+  async validate(req: AuthRequest, accessToken: string, refreshToken: string, profile: Profile) {
+    return this.service.validateRequest({
+      req,
+      providerId: profile.id,
+      provider: this.provider,
+      accessToken,
+      refreshToken,
+      profile: createGithubProfile(profile),
+    })
+  }
+}
+
+function createGithubProfile(profile: Profile) {
+  return {
+    externalId: profile.id,
+    username: profile.username,
+    avatarUrl: profile.photos?.[0].value,
+    name: profile.displayName,
+  }
+}

libs/api/auth/feature/src/lib/api-auth.controller.ts

@@ -1,6 +1,12 @@
 import { Controller, Get, Req, Res, UseGuards } from '@nestjs/common'
 
-import { ApiAnonJwtGuard, ApiAuthDiscordGuard, ApiAuthService, AuthRequest } from '@pubkey-stack/api-auth-data-access'
+import {
+  ApiAnonJwtGuard,
+  ApiAuthDiscordGuard,
+  ApiAuthGithubGuard,
+  ApiAuthService,
+  AuthRequest,
+} from '@pubkey-stack/api-auth-data-access'
 import { Response } from 'express-serve-static-core'
 
 @Controller('auth')
@@ -20,6 +26,19 @@ export class ApiAuthController {
     res.redirect(this.service.core.config.webUrl + '/dashboard')
   }
 
+  @Get('github')
+  @UseGuards(ApiAuthGithubGuard)
+  githubAuthLogin() {
+    // This method triggers the GitHub OAuth2 flow
+  }
+
+  @Get('github/callback')
+  @UseGuards(ApiAnonJwtGuard, ApiAuthGithubGuard)
+  async githubAuthCallback(@Req() req: AuthRequest, @Res({ passthrough: true }) res: Response) {
+    await this.service.setUserCookie({ req, res, user: req.user })
+    res.redirect(this.service.core.config.webUrl + '/dashboard')
+  }
+
   @Get('me')
   @UseGuards(ApiAnonJwtGuard)
   async getMe(@Req() req: AuthRequest) {

libs/api/core/data-access/src/lib/api-core-config.service.ts

@@ -3,6 +3,7 @@ import { ConfigService } from '@nestjs/config'
 import { CookieOptions } from 'express-serve-static-core'
 import { ApiCoreConfig } from './config/configuration'
 import { AppConfig } from './entity/app-config.entity'
+import { IdentityProvider } from '@prisma/client'
 
 @Injectable()
 export class ApiCoreConfigService {
@@ -12,6 +13,7 @@ export class ApiCoreConfigService {
   get appConfig(): AppConfig {
     return {
       authDiscordEnabled: this.authDiscordEnabled,
+      authGithubEnabled: this.authGithubEnabled,
       authPasswordEnabled: this.authPasswordEnabled,
       authRegisterEnabled: this.authRegisterEnabled,
       authSolanaEnabled: this.authSolanaEnabled,
@@ -26,6 +28,14 @@ export class ApiCoreConfigService {
     return this.service.get<boolean>('authDiscordEnabled') ?? false
   }
 
+  get authGithubAdminIds() {
+    return this.service.get<string[]>('authGithubAdminIds')
+  }
+
+  get authGithubEnabled(): boolean {
+    return this.service.get<boolean>('authGithubEnabled') ?? false
+  }
+
   get authPasswordEnabled(): boolean {
     return this.service.get<boolean>('authPasswordEnabled') ?? false
   }
@@ -110,4 +120,17 @@ export class ApiCoreConfigService {
   get webUrl(): string {
     return this.service.get<string>('webUrl') as string
   }
+
+  isAdminId(provider: IdentityProvider, providerId: string) {
+    switch (provider) {
+      case IdentityProvider.Discord:
+        return this.authDiscordAdminIds?.includes(providerId) ?? false
+      case IdentityProvider.GitHub:
+        return this.authGithubAdminIds?.includes(providerId) ?? false
+      case IdentityProvider.Solana:
+        return this.authSolanaAdminIds?.includes(providerId) ?? false
+      default:
+        return false
+    }
+  }
 }

libs/api/core/data-access/src/lib/config/configuration.ts

@@ -22,6 +22,8 @@ export interface ApiCoreConfig {
   apiUrl: string
   authDiscordAdminIds: string[]
   authDiscordEnabled: boolean
+  authGithubAdminIds: string[]
+  authGithubEnabled: boolean
   authPasswordEnabled: boolean
   authRegisterEnabled: boolean
   authSolanaAdminIds: string[]
@@ -36,6 +38,8 @@ export interface ApiCoreConfig {
   databaseReset: boolean
   discordClientId: string
   discordClientSecret: string
+  githubClientId: string
+  githubClientSecret: string
   host: string
   port: number
   webUrl: string
@@ -46,6 +50,8 @@ export function configuration(): ApiCoreConfig {
     apiUrl: process.env['API_URL'] as string,
     authDiscordAdminIds: getFromEnvironment('AUTH_DISCORD_ADMIN_IDS'),
     authDiscordEnabled: process.env['AUTH_DISCORD_ENABLED'] === 'true',
+    authGithubAdminIds: getFromEnvironment('AUTH_GITHUB_ADMIN_IDS'),
+    authGithubEnabled: process.env['AUTH_GITHUB_ENABLED'] === 'true',
     authPasswordEnabled: process.env['AUTH_PASSWORD_ENABLED'] === 'true',
     authRegisterEnabled: process.env['AUTH_REGISTER_ENABLED'] === 'true',
     authSolanaAdminIds: getFromEnvironment('AUTH_SOLANA_ADMIN_IDS'),
@@ -60,6 +66,8 @@ export function configuration(): ApiCoreConfig {
     databaseReset: process.env['DATABASE_RESET'] === 'true',
     discordClientId: process.env['DISCORD_CLIENT_ID'] as string,
     discordClientSecret: process.env['DISCORD_CLIENT_SECRET'] as string,
+    githubClientId: process.env['GITHUB_CLIENT_ID'] as string,
+    githubClientSecret: process.env['GITHUB_CLIENT_SECRET'] as string,
     host: process.env['HOST'] as string,
     port: parseInt(process.env['PORT'] as string, 10) || 3000,
     webUrl: WEB_URL,

libs/api/core/data-access/src/lib/config/validation-schema.ts

@@ -4,6 +4,8 @@ export const validationSchema = Joi.object({
   API_URL: Joi.string().required().error(new Error(`API_URL is required.`)),
   AUTH_DISCORD_ADMIN_IDS: Joi.string(),
   AUTH_DISCORD_ENABLED: Joi.boolean().default(true),
+  AUTH_GITHUB_ADMIN_IDS: Joi.string(),
+  AUTH_GITHUB_ENABLED: Joi.boolean().default(true),
   AUTH_PASSWORD_ENABLED: Joi.boolean().default(true),
   AUTH_REGISTER_ENABLED: Joi.boolean().default(true),
   AUTH_SOLANA_ADMIN_IDS: Joi.string(),
@@ -16,6 +18,8 @@ export const validationSchema = Joi.object({
   DATABASE_URL: Joi.string(),
   DISCORD_CLIENT_ID: Joi.string().required(),
   DISCORD_CLIENT_SECRET: Joi.string().required(),
+  GITHUB_CLIENT_ID: Joi.string().required(),
+  GITHUB_CLIENT_SECRET: Joi.string().required(),
   GRAPHQL_PLAYGROUND: Joi.boolean().default(false),
   JWT_SECRET: Joi.string().required(),
   HOST: Joi.string().default('0.0.0.0'),

libs/api/core/data-access/src/lib/entity/app-config.entity.ts

@@ -5,6 +5,8 @@ export class AppConfig {
   @Field()
   authDiscordEnabled!: boolean
   @Field()
+  authGithubEnabled!: boolean
+  @Field()
   authPasswordEnabled!: boolean
   @Field()
   authRegisterEnabled!: boolean

libs/api/identity/data-access/src/lib/api-anon-identity.service.ts

@@ -11,7 +11,7 @@ import { VerifyIdentityChallengeInput } from './dto/verify-identity-challenge-in
 import { sha256 } from './helpers/sha256'
 import { ApiSolanaIdentityService } from './api-solana-identity.service'
 import { ApiAuthService } from '@pubkey-stack/api-auth-data-access'
-import { UserRole, UserStatus } from '@prisma/client'
+import { IdentityProvider, UserRole, UserStatus } from '@prisma/client'
 
 @Injectable()
 export class ApiAnonIdentityService {
@@ -36,7 +36,7 @@ export class ApiAnonIdentityService {
 
     // Generate a random challenge
     const challenge = sha256(`${Math.random()}-${ip}-${userAgent}-${provider}-${providerId}-${Math.random()}`)
-    const admin = this.core.config.authSolanaAdminIds?.includes(providerId)
+    const admin = this.core.config.isAdminId(IdentityProvider.Solana, providerId)
     // Store the challenge
     return this.core.data.identityChallenge.create({
       data: {