#3881 - Validate user account for all routes (#3985)

# Validate user account for all routes

## New global guard and decorator

- [x] New guard `RequiresUserAccountGuard` has been introduced globally
to ensure that routes are authorized with the user token which belongs
to valid SIMS user. There are exceptional routes like public routes and
routes used that setup the user itself are skipped from this validation.
- [x] New decorator `@RequiresUserAccount()` is introduced to get the
metadata context for the guard.

## Student page container

- [x] Student page container updated to NOT render restriction and SIN
banners for pages which does not require a valid student account.

## E2E Tests

- [x] The existing method to mock the student info from token
`mockUserLoginInfo()` does not have a way to restore the mock, if the
mock needs to be restored for other tests in same suite.
Hence refactored the code to use `jest.spyOn()` to mock the userService
method implementation and also created a reset mock method to reset the
mock as required in the test suite.

Here is an example.
**Mock applied**


![image](https://github.com/user-attachments/assets/9f0277d8-27c9-4c1a-98d0-8fd5fc5583a8)

**Mock Reset**

![image](https://github.com/user-attachments/assets/0e9115b3-d456-43eb-aace-d282d68d5297)

- [x] Created new Auth E2E tests


![image](https://github.com/user-attachments/assets/b3e48542-c314-4ee7-81e3-6807a6ea32f6)


## Volar extension

- [x] Updated the workspace file with deprecated vue extension by
replacing with recommended extension.

![image](https://github.com/user-attachments/assets/1ee3de6f-b315-4d87-acd2-32f58dce0891)

Author: dheepak-aot

sims.code-workspace

@@ -27,7 +27,7 @@
   ],
   "extensions": {
     "recommendations": [
-      "vue.vscode-typescript-vue-plugin",
+      "Vue.volar",
       "dbaeumer.vscode-eslint",
       "esbenp.prettier-vscode",
       "streetsidesoftware.code-spell-checker",

sources/packages/backend/apps/api/src/auth/_tests_/e2e/auth.e2e-spec.ts

@@ -19,9 +19,14 @@ import { AuthTestController } from "../../../testHelpers/controllers/auth-test/a
 import { DiscoveryModule } from "@golevelup/nestjs-discovery";
 import { DataSource } from "typeorm";
 import { JwtService } from "@nestjs/jwt";
-import { INVALID_BETA_USER } from "../../../constants";
-import { BEARER_AUTH_TYPE } from "../../../testHelpers";
+import { INVALID_BETA_USER, MISSING_USER_ACCOUNT } from "../../../constants";
+import {
+  BEARER_AUTH_TYPE,
+  mockUserLoginInfo,
+  resetMockUserLoginInfo,
+} from "../../../testHelpers";
 import * as dayjs from "dayjs";
+import { Student, User } from "@sims/sims-db";
 
 describe("Authentication (e2e)", () => {
   // Nest application to be shared for all e2e tests
@@ -38,6 +43,7 @@ describe("Authentication (e2e)", () => {
   let configService: ConfigService;
   let db: E2EDataSources;
   let studentDecodedToken: any;
+  let moduleFixture: TestingModule;
 
   beforeAll(async () => {
     await KeycloakConfig.load();
@@ -57,7 +63,7 @@ describe("Authentication (e2e)", () => {
     );
     aestAccessToken = aestToken.access_token;
 
-    const moduleFixture: TestingModule = await Test.createTestingModule({
+    moduleFixture = await Test.createTestingModule({
       imports: [AppModule, createZeebeModuleMock(), DiscoveryModule],
       // AuthTestController is used only for e2e tests and could be
       // changed as needed to implement more test scenarios.
@@ -80,6 +86,8 @@ describe("Authentication (e2e)", () => {
     jest
       .spyOn(configService, "allowBetaUsersOnly", "get")
       .mockReturnValue(false);
+    // Reset mock user login info.
+    await resetMockUserLoginInfo(moduleFixture);
   });
 
   it("Load publicKey from Keycloak", async () => {
@@ -254,6 +262,40 @@ describe("Authentication (e2e)", () => {
           expect(resp.body.email).toBeTruthy();
         });
     });
+
+    it(
+      "Should return a HttpStatus FORBIDDEN(403) when there is no user account associated to the user token " +
+        "to a default route that requires a user account.",
+      async () => {
+        await mockUserLoginInfo(moduleFixture, {
+          id: null,
+          user: { id: null, isActive: null } as User,
+        } as Student);
+        return request(app.getHttpServer())
+          .get("/auth-test/default-requires-user-route")
+          .auth(studentAccessToken, { type: "bearer" })
+          .expect(HttpStatus.FORBIDDEN)
+          .expect({
+            message: "No user account has been associated to the user token.",
+            errorType: MISSING_USER_ACCOUNT,
+          });
+      },
+    );
+
+    it(
+      "Should return a HttpStatus OK(200) when there is no user account associated to the user token " +
+        "to a route that does not requires a user account.",
+      async () => {
+        await mockUserLoginInfo(moduleFixture, {
+          id: null,
+          user: { id: null, isActive: null } as User,
+        } as Student);
+        return request(app.getHttpServer())
+          .get("/auth-test/user-not-required-route")
+          .auth(studentAccessToken, { type: "bearer" })
+          .expect(HttpStatus.OK);
+      },
+    );
   });
 
   afterAll(async () => {

sources/packages/backend/apps/api/src/auth/auth.module.ts

@@ -24,6 +24,7 @@ import {
   RequiresStudentAccountGuard,
   InstitutionBCPublicGuard,
   InstitutionStudentDataAccessGuard,
+  RequiresUserAccountGuard,
 } from "./guards";
 import { RolesGuard } from "./guards/roles.guard";
 import { ConfigModule } from "@sims/utilities/config";
@@ -99,6 +100,10 @@ const jwtModule = JwtModule.register({
       provide: APP_GUARD,
       useClass: InstitutionStudentDataAccessGuard,
     },
+    {
+      provide: APP_GUARD,
+      useClass: RequiresUserAccountGuard,
+    },
   ],
   exports: [jwtModule, KeycloakService],
 })

sources/packages/backend/apps/api/src/auth/decorators/common.decorator.ts

@@ -0,0 +1,5 @@
+import { Reflector } from "@nestjs/core";
+/**
+ * Specifies when a user account must be already created in order to access a route.
+ */
+export const RequiresUserAccount = Reflector.createDecorator<boolean>();

sources/packages/backend/apps/api/src/auth/decorators/index.ts

@@ -10,3 +10,4 @@ export * from "./allow-inactive-user.decorator";
 export * from "./groups.decorator";
 export * from "./student/check-sin-status.decorator";
 export * from "./student/requires-student-account.decorator";
+export * from "./common.decorator";

sources/packages/backend/apps/api/src/auth/guards/groups.guard.ts

@@ -1,7 +1,14 @@
-import { Injectable, CanActivate, ExecutionContext } from "@nestjs/common";
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+} from "@nestjs/common";
 import { Reflector } from "@nestjs/core";
 import { GROUPS_KEY } from "../decorators";
 import { AuthorizedParties, UserGroups, IUserToken } from "..";
+import { MISSING_GROUP_ACCESS } from "../../constants";
+import { ApiProcessError } from "../../types";
 
 /**
  * Allow the authorization based on groups making use
@@ -34,8 +41,20 @@ export class GroupsGuard implements CanActivate {
     // Check if the user has any of the groups required to have access to the resource.
     // UserGroups 'aest/user/x' and 'aest/user' are valid, as they start with 'aest/user'
     // we are here looking for matches, not the exact string.
-    return requiredGroups.some((group: string) =>
+    const hasGroupAccess = requiredGroups.some((group: string) =>
       userToken.groups?.some((userGroup) => userGroup.startsWith(group)),
     );
+
+    // Throw custom error to be handled by the consumer.
+    if (!hasGroupAccess) {
+      throw new ForbiddenException(
+        new ApiProcessError(
+          "Required group permission is missing for the user.",
+          MISSING_GROUP_ACCESS,
+        ),
+      );
+    }
+
+    return true;
   }
 }

sources/packages/backend/apps/api/src/auth/guards/index.ts

@@ -8,3 +8,4 @@ export * from "./active-user.guard";
 export * from "./groups.guard";
 export * from "./student/sin-validation.guard";
 export * from "./student/requires-student-account.guard";
+export * from "./requires-user-account.guard";

sources/packages/backend/apps/api/src/auth/guards/requires-user-account.guard.ts

@@ -0,0 +1,55 @@
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+} from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+import { IS_PUBLIC_KEY, RequiresUserAccount } from "../decorators";
+import { IUserToken } from "apps/api/src/auth/userToken.interface";
+import { MISSING_USER_ACCOUNT } from "../../constants";
+import { ApiProcessError } from "../../types";
+
+/**
+ * Validates that a user account must be already created in order to access a route.
+ * Public routes and routes that do not require a user account are skipped.
+ */
+@Injectable()
+export class RequiresUserAccountGuard implements CanActivate {
+  constructor(private readonly reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    // Check if the route is public.
+    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    // If the route is public, no validation is required.
+    if (isPublic) {
+      return true;
+    }
+
+    const requiresUserAccount = this.reflector.getAllAndOverride(
+      RequiresUserAccount,
+      [context.getHandler(), context.getClass()],
+    );
+
+    if (requiresUserAccount === false) {
+      return true;
+    }
+
+    const { user } = context.switchToHttp().getRequest();
+    const userToken = user as IUserToken;
+
+    if (!userToken?.userId) {
+      throw new ForbiddenException(
+        new ApiProcessError(
+          "No user account has been associated to the user token.",
+          MISSING_USER_ACCOUNT,
+        ),
+      );
+    }
+
+    return true;
+  }
+}

sources/packages/backend/apps/api/src/constants/error-code.constants.ts

@@ -2,6 +2,9 @@ export const OFFERING_START_DATE_ERROR = "OFFERING_START_DATE_ERROR";
 export const INVALID_STUDY_DATES = "INVALID_STUDY_DATES";
 export const OFFERING_INTENSITY_MISMATCH = "OFFERING_INTENSITY_MISMATCH";
 export const MISSING_STUDENT_ACCOUNT = "MISSING_STUDENT_ACCOUNT";
+export const MISSING_USER_ACCOUNT = "MISSING_USER_ACCOUNT";
+export const MISSING_GROUP_ACCESS = "MISSING_GROUP_ACCESS";
+export const MISSING_USER_INFO = "MISSING_USER_INFO";
 export const INVALID_APPLICATION_NUMBER = "INVALID_APPLICATION_NUMBER";
 /**
  * An application can have only one pending appeal at a time.

sources/packages/backend/apps/api/src/route-controllers/assessment/_tests_/e2e/assessment.students.controller.getAssessmentAwardDetails.e2e-spec.ts

@@ -42,7 +42,7 @@ describe("AssessmentStudentsController(e2e)-getAssessmentAwardDetails", () => {
     db = createE2EDataSources(dataSource);
     // Shared student to be used for tests that would not need further student customization.
     sharedStudent = await saveFakeStudent(db.dataSource);
-    mockUserLoginInfo(module, sharedStudent);
+    await mockUserLoginInfo(module, sharedStudent);
     // Valid MSFAA Number that will be part of the expected returned values.
     sharedMSFAANumber = await db.msfaaNumber.save(
       createFakeMSFAANumber(

sources/packages/backend/apps/api/src/route-controllers/audit/audit.controller.ts

@@ -1,7 +1,11 @@
 import { Controller, Post, Req, Body } from "@nestjs/common";
 import { ApiTags } from "@nestjs/swagger";
 import { AuthorizedParties, IUserToken } from "../../auth";
-import { AllowAuthorizedParty, UserToken } from "../../auth/decorators";
+import {
+  AllowAuthorizedParty,
+  RequiresUserAccount,
+  UserToken,
+} from "../../auth/decorators";
 import BaseController from "../BaseController";
 import { AuditService } from "../../services";
 import { Request } from "express";
@@ -13,6 +17,7 @@ import { AuditAPIInDTO } from "./models/audit.dto";
   AuthorizedParties.supportingUsers,
   AuthorizedParties.aest,
 )
+@RequiresUserAccount(false)
 @Controller("audit")
 @ApiTags("audit")
 export class AuditController extends BaseController {

sources/packages/backend/apps/api/src/route-controllers/dynamic-form/dynamic-form.controller.ts

@@ -1,7 +1,10 @@
 import { Controller, Get, Param } from "@nestjs/common";
 import BaseController from "../BaseController";
 import { FormService } from "../../services";
-import { AllowAuthorizedParty } from "../../auth/decorators";
+import {
+  AllowAuthorizedParty,
+  RequiresUserAccount,
+} from "../../auth/decorators";
 import { AuthorizedParties } from "../../auth/authorized-parties.enum";
 import { ApiTags } from "@nestjs/swagger";
 import { FormNameParamAPIInDTO } from "./models/form.dto";
@@ -12,6 +15,7 @@ import { FormNameParamAPIInDTO } from "./models/form.dto";
   AuthorizedParties.supportingUsers,
   AuthorizedParties.aest,
 )
+@RequiresUserAccount(false)
 @Controller("dynamic-form")
 @ApiTags("dynamic-form")
 export class DynamicFormController extends BaseController {

sources/packages/backend/apps/api/src/route-controllers/institution-user/institution-user.institutions.controller.ts

@@ -14,6 +14,7 @@ import {
   AllowAuthorizedParty,
   AllowInactiveUser,
   IsInstitutionAdmin,
+  RequiresUserAccount,
   UserToken,
 } from "../../auth/decorators";
 import { InstitutionService, UserService, BCeIDService } from "../../services";
@@ -197,6 +198,7 @@ export class InstitutionUserInstitutionsController extends BaseController {
    * @returns information to support the institution login process and
    * the decisions that need happen to complete the process.
    */
+  @RequiresUserAccount(false)
   @AllowInactiveUser()
   @Get("status")
   async getInstitutionUserStatus(

sources/packages/backend/apps/api/src/route-controllers/institution/institution.institutions.controller.ts

@@ -11,6 +11,7 @@ import { AuthorizedParties } from "../../auth/authorized-parties.enum";
 import {
   AllowAuthorizedParty,
   IsInstitutionAdmin,
+  RequiresUserAccount,
   UserToken,
 } from "../../auth/decorators";
 import { InstitutionService, UserService } from "../../services";
@@ -58,6 +59,7 @@ export class InstitutionInstitutionsController extends BaseController {
   @ApiUnprocessableEntityResponse({
     description: "Institution user already exist",
   })
+  @RequiresUserAccount(false)
   @Post()
   async createInstitutionWithAssociatedUser(
     @Body() payload: CreateInstitutionAPIInDTO,
@@ -139,6 +141,7 @@ export class InstitutionInstitutionsController extends BaseController {
    * list (key/value pair) schema.
    * @returns institutions types in an option list (key/value pair) schema.
    */
+  @RequiresUserAccount(false)
   @Get("type/options-list")
   async getInstitutionTypeOptions(): Promise<OptionItemAPIOutDTO[]> {
     return this.institutionControllerService.getInstitutionTypeOptions();

sources/packages/backend/apps/api/src/route-controllers/student-account-applications/student-account-application.students.controller.ts

@@ -17,6 +17,7 @@ import { AuthorizedParties } from "../../auth/authorized-parties.enum";
 import {
   AllowAuthorizedParty,
   RequiresStudentAccount,
+  RequiresUserAccount,
   UserToken,
 } from "../../auth/decorators";
 import BaseController from "../BaseController";
@@ -66,6 +67,7 @@ export class StudentAccountApplicationStudentsController extends BaseController
       "There is already a student account application in progress or the user is already present.",
   })
   @Post()
+  @RequiresUserAccount(false)
   @RequiresStudentAccount(false)
   async create(
     @UserToken() userToken: IUserToken,
@@ -110,6 +112,7 @@ export class StudentAccountApplicationStudentsController extends BaseController
    * @returns true if there is a pending student account application
    * to be assessed by the Ministry, otherwise, false.
    */
+  @RequiresUserAccount(false)
   @RequiresStudentAccount(false)
   @Get("has-pending-account-application")
   async hasPendingAccountApplication(

sources/packages/backend/apps/api/src/route-controllers/student/student.students.controller.ts

@@ -27,6 +27,7 @@ import { AuthorizedParties } from "../../auth/authorized-parties.enum";
 import {
   AllowAuthorizedParty,
   RequiresStudentAccount,
+  RequiresUserAccount,
   UserToken,
 } from "../../auth/decorators";
 import {
@@ -108,6 +109,7 @@ export class StudentStudentsController extends BaseController {
   @ApiForbiddenResponse({
     description: "User is not allowed to create a student account.",
   })
+  @RequiresUserAccount(false)
   @RequiresStudentAccount(false)
   async create(
     @UserToken() studentUserToken: StudentUserToken,

sources/packages/backend/apps/api/src/route-controllers/supporting-user/supporting-user.supporting-users.controller.ts

@@ -45,6 +45,7 @@ import {
 } from "@nestjs/swagger";
 import BaseController from "../BaseController";
 import { WorkflowClientService } from "@sims/services";
+import { RequiresUserAccount } from "../../auth/decorators";
 
 @AllowAuthorizedParty(AuthorizedParties.supportingUsers)
 @Controller("supporting-user")
@@ -70,6 +71,7 @@ export class SupportingUserSupportingUsersController extends BaseController {
    * Application.
    * @returns application details.
    */
+  @RequiresUserAccount(false)
   @Post(":supportingUserType/application")
   @HttpCode(HttpStatus.OK)
   @ApiUnprocessableEntityResponse({
@@ -130,6 +132,7 @@ export class SupportingUserSupportingUsersController extends BaseController {
    * the supporting data (e.g. parent/partner).
    * @param payload data used for validation and to execute the update.
    */
+  @RequiresUserAccount(false)
   @Patch(":supportingUserType")
   @ApiUnprocessableEntityResponse({
     description: