Feature/allow user to rotate Security Token (#5016)

* Allow user to rotate Security Token * Update changelog
3 weeks ago · c437bc2534
10 changed files with 204 additions and 41 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## Unreleased

+### Added
+
+- Added support for generating a new _Security Token_ via the user’s account access panel
+
 ### Changed

 - Renamed `Account` to `account` in the `Order` database schema
@ -6114,7 +6118,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Changed the navigation to always show the portfolio page
 - Migrated the data type of currencies from `enum` to `string` in the database
 - Supported unlimited currencies (instead of `CHF`, `EUR`, `GBP` and `USD`)
- Respected the accounts' currencies in the exchange rate service
+- Respected the accounts’ currencies in the exchange rate service

 ### Fixed

--- a/apps/api/src/app/user/update-own-access-token.dto.ts
+++ b/apps/api/src/app/user/update-own-access-token.dto.ts
@ -0,0 +1,6 @@
+import { IsString } from 'class-validator';
+
+export class UpdateOwnAccessTokenDto {
+  @IsString()
+  accessToken: string;
+}
--- a/apps/api/src/app/user/user.controller.ts
+++ b/apps/api/src/app/user/user.controller.ts
@ -33,6 +33,7 @@ import { merge, size } from 'lodash';

 import { DeleteOwnUserDto } from './delete-own-user.dto';
 import { UserItem } from './interfaces/user-item.interface';
+import { UpdateOwnAccessTokenDto } from './update-own-access-token.dto';
 import { UpdateUserSettingDto } from './update-user-setting.dto';
 import { UserService } from './user.service';

@ -53,24 +54,12 @@ export class UserController {
  public async deleteOwnUser(
    @Body() data: DeleteOwnUserDto
  ): Promise<UserModel> {
-    const hashedAccessToken = this.userService.createAccessToken({
-      password: data.accessToken,
-      salt: this.configurationService.get('ACCESS_TOKEN_SALT')
-    });
-
-    const [user] = await this.userService.users({
-      where: { accessToken: hashedAccessToken, id: this.request.user.id }
-    });
-
-    if (!user) {
-      throw new HttpException(
-        getReasonPhrase(StatusCodes.FORBIDDEN),
-        StatusCodes.FORBIDDEN
-      );
-    }
+    const user = await this.validateAccessToken(
+      data.accessToken,
+      this.request.user.id
+    );

    return this.userService.deleteUser({
-      accessToken: hashedAccessToken,
      id: user.id
    });
  }
@ -94,20 +83,24 @@ export class UserController {
  @HasPermission(permissions.accessAdminControl)
  @Post(':id/access-token')
  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
-  public async generateAccessToken(
+  public async updateUserAccessToken(
    @Param('id') id: string
  ): Promise<AccessTokenResponse> {
-    const { accessToken, hashedAccessToken } =
-      this.userService.generateAccessToken({
-        userId: id
-      });
+    return this.rotateUserAccessToken(id);
+  }

-    await this.prismaService.user.update({
-      data: { accessToken: hashedAccessToken },
-      where: { id }
-    });
+  @HasPermission(permissions.updateOwnAccessToken)
+  @Post('access-token')
+  @UseGuards(AuthGuard('jwt'), HasPermissionGuard)
+  public async updateOwnAccessToken(
+    @Body() data: UpdateOwnAccessTokenDto
+  ): Promise<AccessTokenResponse> {
+    const user = await this.validateAccessToken(
+      data.accessToken,
+      this.request.user.id
+    );

-    return { accessToken };
+    return this.rotateUserAccessToken(user.id);
  }

  @Get()
@ -189,4 +182,43 @@ export class UserController {
      userId: this.request.user.id
    });
  }
+
+  private async rotateUserAccessToken(
+    userId: string
+  ): Promise<AccessTokenResponse> {
+    const { accessToken, hashedAccessToken } =
+      this.userService.generateAccessToken({
+        userId
+      });
+
+    await this.prismaService.user.update({
+      data: { accessToken: hashedAccessToken },
+      where: { id: userId }
+    });
+
+    return { accessToken };
+  }
+
+  private async validateAccessToken(
+    accessToken: string,
+    userId: string
+  ): Promise<UserModel> {
+    const hashedAccessToken = this.userService.createAccessToken({
+      password: accessToken,
+      salt: this.configurationService.get('ACCESS_TOKEN_SALT')
+    });
+
+    const [user] = await this.userService.users({
+      where: { accessToken: hashedAccessToken, id: userId }
+    });
+
+    if (!user) {
+      throw new HttpException(
+        getReasonPhrase(StatusCodes.FORBIDDEN),
+        StatusCodes.FORBIDDEN
+      );
+    }
+
+    return user;
+  }
 }
--- a/apps/api/src/app/user/user.service.ts
+++ b/apps/api/src/app/user/user.service.ts
@ -354,6 +354,11 @@ export class UserService {

    let currentPermissions = getPermissions(user.role);

+    if (user.provider === 'ANONYMOUS') {
+      currentPermissions.push(permissions.deleteOwnUser);
+      currentPermissions.push(permissions.updateOwnAccessToken);
+    }
+
    if (!(user.Settings.settings as UserSettings).isExperimentalFeatures) {
      // currentPermissions = without(
      //   currentPermissions,
--- a/apps/client/src/app/components/admin-users/admin-users.component.ts
+++ b/apps/client/src/app/components/admin-users/admin-users.component.ts
@ -147,7 +147,7 @@ export class AdminUsersComponent implements OnDestroy, OnInit {
    this.notificationService.confirm({
      confirmFn: () => {
        this.dataService
-          .generateAccessToken(aUserId)
+          .updateUserAccessToken(aUserId)
          .pipe(takeUntil(this.unsubscribeSubject))
          .subscribe(({ accessToken }) => {
            this.notificationService.alert({
--- a/apps/client/src/app/components/user-account-access/user-account-access.component.ts
+++ b/apps/client/src/app/components/user-account-access/user-account-access.component.ts
@ -1,5 +1,8 @@
 import { CreateAccessDto } from '@ghostfolio/api/app/access/create-access.dto';
+import { ConfirmationDialogType } from '@ghostfolio/client/core/notification/confirmation-dialog/confirmation-dialog.type';
+import { NotificationService } from '@ghostfolio/client/core/notification/notification.service';
 import { DataService } from '@ghostfolio/client/services/data.service';
+import { TokenStorageService } from '@ghostfolio/client/services/token-storage.service';
 import { UserService } from '@ghostfolio/client/services/user/user.service';
 import { Access, User } from '@ghostfolio/common/interfaces';
 import { hasPermission, permissions } from '@ghostfolio/common/permissions';
@ -11,11 +14,12 @@ import {
  OnDestroy,
  OnInit
 } from '@angular/core';
+import { FormBuilder, Validators } from '@angular/forms';
 import { MatDialog } from '@angular/material/dialog';
 import { ActivatedRoute, Router } from '@angular/router';
 import { DeviceDetectorService } from 'ngx-device-detector';
-import { Subject } from 'rxjs';
-import { takeUntil } from 'rxjs/operators';
+import { EMPTY, Subject } from 'rxjs';
+import { catchError, takeUntil } from 'rxjs/operators';

 import { CreateOrUpdateAccessDialog } from './create-or-update-access-dialog/create-or-update-access-dialog.component';

@ -33,6 +37,11 @@ export class UserAccountAccessComponent implements OnDestroy, OnInit {
  public deviceType: string;
  public hasPermissionToCreateAccess: boolean;
  public hasPermissionToDeleteAccess: boolean;
+  public hasPermissionToUpdateOwnAccessToken: boolean;
+  public isAccessTokenHidden = true;
+  public updateOwnAccessTokenForm = this.formBuilder.group({
+    accessToken: ['', Validators.required]
+  });
  public user: User;

  private unsubscribeSubject = new Subject<void>();
@ -42,8 +51,11 @@ export class UserAccountAccessComponent implements OnDestroy, OnInit {
    private dataService: DataService,
    private deviceService: DeviceDetectorService,
    private dialog: MatDialog,
+    private formBuilder: FormBuilder,
+    private notificationService: NotificationService,
    private route: ActivatedRoute,
    private router: Router,
+    private tokenStorageService: TokenStorageService,
    private userService: UserService
  ) {
    const { globalPermissions } = this.dataService.fetchInfo();
@ -69,6 +81,11 @@ export class UserAccountAccessComponent implements OnDestroy, OnInit {
            permissions.deleteAccess
          );

+          this.hasPermissionToUpdateOwnAccessToken = hasPermission(
+            this.user.permissions,
+            permissions.updateOwnAccessToken
+          );
+
          this.changeDetectorRef.markForCheck();
        }
      });
@ -99,6 +116,41 @@ export class UserAccountAccessComponent implements OnDestroy, OnInit {
      });
  }

+  public onGenerateAccessToken() {
+    this.notificationService.confirm({
+      confirmFn: () => {
+        this.dataService
+          .updateOwnAccessToken({
+            accessToken: this.updateOwnAccessTokenForm.get('accessToken').value
+          })
+          .pipe(
+            catchError(() => {
+              this.notificationService.alert({
+                title: $localize`Oops! Incorrect Security Token.`
+              });
+
+              return EMPTY;
+            }),
+            takeUntil(this.unsubscribeSubject)
+          )
+          .subscribe(({ accessToken }) => {
+            this.notificationService.alert({
+              discardFn: () => {
+                this.tokenStorageService.signOut();
+                this.userService.remove();
+
+                document.location.href = `/${document.documentElement.lang}`;
+              },
+              message: accessToken,
+              title: $localize`Security token`
+            });
+          });
+      },
+      confirmType: ConfirmationDialogType.Warn,
+      title: $localize`Do you really want to generate a new security token?`
+    });
+  }
+
  public ngOnDestroy() {
    this.unsubscribeSubject.next();
    this.unsubscribeSubject.complete();
--- a/apps/client/src/app/components/user-account-access/user-account-access.html
+++ b/apps/client/src/app/components/user-account-access/user-account-access.html
@ -1,3 +1,53 @@
+@if (hasPermissionToUpdateOwnAccessToken) {
+  <div class="container">
+    <h1 class="h3 mb-3 text-center" i18n>Security Token</h1>
+    <form
+      class="w-100"
+      [formGroup]="updateOwnAccessTokenForm"
+      (ngSubmit)="onGenerateAccessToken()"
+    >
+      <div class="align-items-center d-flex justify-content-center mb-5">
+        <mat-form-field
+          appearance="outline"
+          class="without-hint w-50"
+          [hideRequiredMarker]="true"
+        >
+          <mat-label i18n>Security Token</mat-label>
+          <input
+            formControlName="accessToken"
+            matInput
+            [type]="isAccessTokenHidden ? 'password' : 'text'"
+          />
+          <button
+            mat-button
+            matSuffix
+            type="button"
+            (click)="isAccessTokenHidden = !isAccessTokenHidden"
+          >
+            <ion-icon
+              [name]="isAccessTokenHidden ? 'eye-outline' : 'eye-off-outline'"
+            />
+          </button>
+        </mat-form-field>
+        <div class="pl-2">
+          <button
+            color="warn"
+            mat-flat-button
+            type="submit"
+            [disabled]="
+              !(
+                updateOwnAccessTokenForm.dirty && updateOwnAccessTokenForm.valid
+              )
+            "
+          >
+            <span i18n>Generate</span>
+          </button>
+        </div>
+      </div>
+    </form>
+  </div>
+}
+
 <div class="container">
  @if (accessesGet.length > 0) {
    <h1 class="h3 mb-3 text-center" i18n>Received Access</h1>
--- a/apps/client/src/app/components/user-account-access/user-account-access.module.ts
+++ b/apps/client/src/app/components/user-account-access/user-account-access.module.ts
@ -2,9 +2,12 @@ import { GfPortfolioAccessTableModule } from '@ghostfolio/client/components/acce
 import { GfPremiumIndicatorComponent } from '@ghostfolio/ui/premium-indicator';

 import { CommonModule } from '@angular/common';
-import { NgModule } from '@angular/core';
+import { CUSTOM_ELEMENTS_SCHEMA, NgModule } from '@angular/core';
+import { ReactiveFormsModule } from '@angular/forms';
 import { MatButtonModule } from '@angular/material/button';
 import { MatDialogModule } from '@angular/material/dialog';
+import { MatFormFieldModule } from '@angular/material/form-field';
+import { MatInputModule } from '@angular/material/input';
 import { RouterModule } from '@angular/router';

 import { GfCreateOrUpdateAccessDialogModule } from './create-or-update-access-dialog/create-or-update-access-dialog.module';
@ -20,7 +23,11 @@ import { UserAccountAccessComponent } from './user-account-access.component';
    GfPremiumIndicatorComponent,
    MatButtonModule,
    MatDialogModule,
+    MatFormFieldModule,
+    MatInputModule,
+    ReactiveFormsModule,
    RouterModule
-  ]
+  ],
+  schemas: [CUSTOM_ELEMENTS_SCHEMA]
 })
 export class GfUserAccountAccessModule {}
--- a/apps/client/src/app/services/data.service.ts
+++ b/apps/client/src/app/services/data.service.ts
@ -16,6 +16,7 @@ import { UpdateOrderDto } from '@ghostfolio/api/app/order/update-order.dto';
 import { SymbolItem } from '@ghostfolio/api/app/symbol/interfaces/symbol-item.interface';
 import { DeleteOwnUserDto } from '@ghostfolio/api/app/user/delete-own-user.dto';
 import { UserItem } from '@ghostfolio/api/app/user/interfaces/user-item.interface';
+import { UpdateOwnAccessTokenDto } from '@ghostfolio/api/app/user/update-own-access-token.dto';
 import { UpdateUserSettingDto } from '@ghostfolio/api/app/user/update-user-setting.dto';
 import { IDataProviderHistoricalResponse } from '@ghostfolio/api/services/interfaces/interfaces';
 import { PropertyDto } from '@ghostfolio/api/services/property/property.dto';
@ -703,13 +704,6 @@ export class DataService {
    return this.http.get<WatchlistResponse>('/api/v1/watchlist');
  }

-  public generateAccessToken(aUserId: string) {
-    return this.http.post<AccessTokenResponse>(
-      `/api/v1/user/${aUserId}/access-token`,
-      {}
-    );
-  }
-
  public loginAnonymous(accessToken: string) {
    return this.http.post<OAuthResponse>('/api/v1/auth/anonymous', {
      accessToken
@ -818,6 +812,20 @@ export class DataService {
    });
  }

+  public updateOwnAccessToken(aAccessToken: UpdateOwnAccessTokenDto) {
+    return this.http.post<AccessTokenResponse>(
+      '/api/v1/user/access-token',
+      aAccessToken
+    );
+  }
+
+  public updateUserAccessToken(aUserId: string) {
+    return this.http.post<AccessTokenResponse>(
+      `/api/v1/user/${aUserId}/access-token`,
+      {}
+    );
+  }
+
  public updateInfo() {
    this.http.get<InfoItem>('/api/v1/info').subscribe((info) => {
      const utmSource = window.localStorage.getItem('utm_source') as
--- a/libs/common/src/lib/permissions.ts
+++ b/libs/common/src/lib/permissions.ts
@ -52,6 +52,7 @@ export const permissions = {
  updateMarketData: 'updateMarketData',
  updateMarketDataOfOwnAssetProfile: 'updateMarketDataOfOwnAssetProfile',
  updateOrder: 'updateOrder',
+  updateOwnAccessToken: 'updateOwnAccessToken',
  updatePlatform: 'updatePlatform',
  updateTag: 'updateTag',
  updateUserSettings: 'updateUserSettings',
@ -81,7 +82,6 @@ export function getPermissions(aRole: Role): string[] {
        permissions.deleteAccount,
        permissions.deleteAuthDevice,
        permissions.deleteOrder,
-        permissions.deleteOwnUser,
        permissions.deletePlatform,
        permissions.deleteTag,
        permissions.deleteUser,
@ -127,7 +127,6 @@ export function getPermissions(aRole: Role): string[] {
        permissions.deleteAccountBalance,
        permissions.deleteAuthDevice,
        permissions.deleteOrder,
-        permissions.deleteOwnUser,
        permissions.deleteWatchlistItem,
        permissions.readAiPrompt,
        permissions.readMarketDataOfOwnAssetProfile,