Writing session cookies (#15)

* wip

Co-authored-by: DamianUduevbo <[email protected]>

* post merge

* lin:ws

* remove sessions from select

* reorder

* clean up some tests

* mock

* fixes

* add cookies to tests

* add mockClear between tests

* woo

* fix

* cookies tests

* one more test

* middleware tests

* ensure seed is working

* remove todo

* clean up test

* userWithSesion -> userWithSession

---------

Co-authored-by: DamianUduevbo <[email protected]>
Co-authored-by: DamianUduevbo <[email protected]>

apps/db/package.json

@@ -12,6 +12,8 @@
     "down": "docker-compose -f compose.yml down",
     "clean": "rm -rf .turbo node_modules",
     "format": " prisma format && prettier --check . --ignore-path ../../.gitignore",
+    "lint": "eslint",
+    "typecheck": "tsc --noEmit --emitDeclarationOnly false",
     "push": "prisma db push",
     "studio": "prisma studio",
     "generate": "prisma generate",
@@ -26,6 +28,7 @@
     "@prisma/client": "5.19.1"
   },
   "devDependencies": {
+    "@good-dog/auth": "workspace:*",
     "@good-dog/eslint": "workspace:*",
     "@good-dog/prettier": "workspace:*",
     "@good-dog/typescript": "workspace:*",

apps/db/prisma/migrations/20241025232323_name_required/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "User" ALTER COLUMN "name" SET NOT NULL;

apps/db/prisma/schema.prisma

@@ -15,17 +15,17 @@ datasource db {
 }
 
 model User {
-  id        String       @id @default(uuid())
-  email     String    @unique
-  name      String?
-  password  String
-  sessions  Session[]
-  createdAt DateTime  @default(now())
-  updatedAt DateTime  @updatedAt
+  id             String    @id @default(uuid())
+  email          String    @unique
+  name           String
+  hashedPassword String    @map("password")
+  sessions       Session[]
+  createdAt      DateTime  @default(now())
+  updatedAt      DateTime  @updatedAt
 }
 
 model Session {
-  id        String      @id @default(uuid())
+  id        String   @id @default(uuid())
   user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
   userId    String
   createdAt DateTime @default(now())

apps/db/prisma/seed.ts

@@ -1,89 +1,119 @@
 import { PrismaClient } from "@prisma/client";
 
+import { hashPassword } from "@good-dog/auth/password";
+
 const prisma = new PrismaClient();
 async function main() {
-  const alice = await prisma.user.upsert({
+  // Alice has a session that expires in the future
+  await prisma.user.upsert({
     where: { email: "[email protected]" },
-    update: {},
+    update: {
+      sessions: {
+        update: {
+          where: { id: "23" },
+          data: {
+            expiresAt: new Date(
+              new Date().setFullYear(new Date().getFullYear() + 10),
+            ),
+          },
+        },
+      },
+    },
     create: {
       id: "7",
       email: "[email protected]",
       name: "Alice",
-      password: "alicePasswod",
-    },
-  });
-  const aliceSession = await prisma.session.upsert({
-    where: { id: "23" },
-    update: {
-      expiresAt: new Date(
-        new Date().setFullYear(new Date().getFullYear() + 10),
-      ),
-    },
-    create: {
-      userId: alice.id,
-      id: "23",
-      expiresAt: new Date(
-        new Date().setFullYear(new Date().getFullYear() + 10),
-      ),
+      hashedPassword: await hashPassword("alicePassword"),
+      sessions: {
+        create: {
+          id: "23",
+          expiresAt: new Date(
+            new Date().setFullYear(new Date().getFullYear() + 10),
+          ),
+        },
+      },
     },
   });
 
-  const bob = await prisma.user.upsert({
+  // Bob has a session that expired in the past and another that expires in the future
+  await prisma.user.upsert({
     where: { email: "[email protected]" },
-    update: {},
+    update: {
+      sessions: {
+        updateMany: [
+          {
+            where: { id: "12" },
+            data: {
+              expiresAt: new Date(
+                new Date().setFullYear(new Date().getFullYear() - 1),
+              ),
+            },
+          },
+          {
+            where: { id: "45" },
+            data: {
+              expiresAt: new Date(
+                new Date().setFullYear(new Date().getFullYear() + 10),
+              ),
+            },
+          },
+        ],
+      },
+    },
     create: {
       id: "9",
       email: "[email protected]",
       name: "Bob Jones",
-      password: "bobPassword",
-    },
-  });
-  const bobSession1 = await prisma.session.upsert({
-    where: { id: "12" },
-    update: {
-      expiresAt: new Date(new Date().setFullYear(new Date().getFullYear() - 1)),
-    },
-    create: {
-      userId: bob.id,
-      id: "12",
-      expiresAt: new Date(new Date().setFullYear(new Date().getFullYear() - 1)),
-    },
-  });
-  const bobSession2 = await prisma.session.upsert({
-    where: { id: "45" },
-    update: {
-      expiresAt: new Date(
-        new Date().setFullYear(new Date().getFullYear() + 10),
-      ),
-    },
-    create: {
-      userId: bob.id,
-      id: "45",
-      expiresAt: new Date(
-        new Date().setFullYear(new Date().getFullYear() + 10),
-      ),
+      hashedPassword: await hashPassword("bobPassword"),
+      sessions: {
+        createMany: {
+          data: [
+            {
+              id: "12",
+              expiresAt: new Date(
+                new Date().setFullYear(new Date().getFullYear() - 1),
+              ),
+            },
+            {
+              id: "45",
+              expiresAt: new Date(
+                new Date().setFullYear(new Date().getFullYear() + 10),
+              ),
+            },
+          ],
+        },
+      },
     },
   });
 
-  const eve = await prisma.user.upsert({
+  // Eve has a session that expired in the past
+  await prisma.user.upsert({
     where: { email: "[email protected]" },
-    update: {},
+    update: {
+      sessions: {
+        update: {
+          where: { id: "78" },
+          data: {
+            expiresAt: new Date(
+              new Date().setFullYear(new Date().getFullYear() - 1),
+            ),
+          },
+        },
+      },
+    },
     create: {
       id: "56",
       email: "[email protected]",
       name: "Eve Smith",
-      password: "evePassword",
-    },
-  });
-  const eveSession = await prisma.session.upsert({
-    where: { id: "78" },
-    update: {
-      expiresAt: new Date(new Date().setFullYear(new Date().getFullYear() - 1)),
-    },
-    create: {
-      userId: eve.id,
-      id: "78",
-      expiresAt: new Date(new Date().setFullYear(new Date().getFullYear() - 1)),
+      hashedPassword: await hashPassword("evePassword"),
+      sessions: {
+        create: {
+          id: "78",
+          expiresAt: new Date(
+            new Date().setFullYear(new Date().getFullYear() - 1),
+          ),
+        },
+      },
     },
   });
 }

apps/db/tsconfig.json

@@ -3,6 +3,6 @@
   "compilerOptions": {
     "tsBuildInfoFile": "node_modules/.cache/tsbuildinfo.json"
   },
-  "include": ["*.ts", "src"],
+  "include": ["*.ts", "src", "prisma/seed.ts"],
   "exclude": ["node_modules"]
 }

apps/web/package.json

@@ -14,7 +14,7 @@
   "dependencies": {
     "@good-dog/tailwind": "workspace:*",
     "@t3-oss/env-nextjs": "^0.10.1",
-    "next": "^14.2.12",
+    "next": "14.2.12",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "server-only": "^0.0.1",

packages/auth/package.json

@@ -4,7 +4,8 @@
   "version": "0.1.0",
   "type": "module",
   "exports": {
-    ".": "./src/index.ts"
+    "./password": "./src/password.ts",
+    "./cookies": "./src/cookies.ts"
   },
   "license": "MIT",
   "scripts": {
@@ -24,6 +25,7 @@
   },
   "prettier": "@good-dog/prettier",
   "dependencies": {
-    "bcryptjs": "^2.4.3"
+    "bcryptjs": "^2.4.3",
+    "next": "14.2.12"
   }
 }

packages/auth/src/cookies.ts

@@ -0,0 +1,21 @@
+import { cookies } from "next/headers";
+
+export const SESSION_COOKIE_NAME = "sessionId";
+
+export const getSessionCookie = () => {
+  return cookies().get(SESSION_COOKIE_NAME);
+};
+
+export const setSessionCookie = (sessionId: string, expires: Date) => {
+  cookies().set(SESSION_COOKIE_NAME, sessionId, {
+    httpOnly: true,
+    secure: true,
+    sameSite: "lax",
+    path: "/",
+    expires,
+  });
+};
+
+export const deleteSessionCookie = () => {
+  cookies().delete(SESSION_COOKIE_NAME);
+};

packages/trpc/README.md

@@ -110,15 +110,15 @@ To add a new procedure, follow these steps:
 
 ### Unit Testing
 
-You can write unit tests for your tRPC procedures using the `_trpcCaller` export. Here is an example test for the `hello` procedure:
+You can write unit tests for your tRPC procedures using the `$trpcCaller` export. Here is an example test for the `hello` procedure:
 
 ```ts
 import { expect, test } from "bun:test";
 
-import { _trpcCaller } from "@good-dog/trpc/server";
+import { $trpcCaller } from "@good-dog/trpc/server";
 
 test("hello world", async () => {
-  const result = await _trpcCaller.hello({ text: "world" });
+  const result = await $trpcCaller.hello({ text: "world" });
   expect(result.greeting).toEqual("hello world");
 });
 ```

packages/trpc/package.json

@@ -31,7 +31,6 @@
     "@trpc/client": "11.0.0-rc.544",
     "@trpc/react-query": "11.0.0-rc.544",
     "@trpc/server": "11.0.0-rc.544",
-    "next": "^14.2.12",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "server-only": "^0.0.1",

packages/trpc/src/internal/init.ts

@@ -1,8 +1,9 @@
 import React from "react";
-import { cookies } from "next/headers";
 import { initTRPC, TRPCError } from "@trpc/server";
 import SuperJSON from "superjson";
+import { ZodError } from "zod";
 
+import { getSessionCookie } from "@good-dog/auth/cookies";
 import { prisma } from "@good-dog/db";
 
 export const createTRPCContext = React.cache(() => {
@@ -23,6 +24,23 @@ const t = initTRPC.context<ReturnType<typeof createTRPCContext>>().create({
    * @see https://trpc.io/docs/server/data-transformers
    */
   transformer: SuperJSON,
+  errorFormatter: ({ shape, error }) => ({
+    ...shape,
+    data: {
+      ...shape.data,
+      zodError:
+        error.code === "BAD_REQUEST" && error.cause instanceof ZodError
+          ? error.cause.flatten()
+          : null,
+      prismaError:
+        process.env.VERCEL_ENV !== "production" &&
+        error.code === "INTERNAL_SERVER_ERROR" &&
+        error.cause &&
+        "clientVersion" in error.cause
+          ? error.cause
+          : null,
+    },
+  }),
 });
 
 // Base router and procedure helpers
@@ -33,7 +51,7 @@ export const createCallerFactory = t.createCallerFactory;
 export const baseProcedureBuilder = t.procedure;
 export const authenticatedProcedureBuilder = baseProcedureBuilder.use(
   async ({ ctx, next }) => {
-    const sessionId = cookies().get("sessionId");
+    const sessionId = getSessionCookie();
 
     if (!sessionId?.value) {
       throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -65,8 +83,33 @@ export const authenticatedProcedureBuilder = baseProcedureBuilder.use(
     return next({
       ctx: {
         ...ctx,
-        user: sessionOrNull.user,
+        session: sessionOrNull,
       },
     });
   },
 );
+
+// This middleware is used to prevent authenticated users from accessing a resource
+export const notAuthenticatedProcedureBuilder = baseProcedureBuilder.use(
+  async ({ ctx, next }) => {
+    const sessionId = getSessionCookie();
+
+    if (!sessionId?.value) {
+      return next({ ctx });
+    }
+
+    const sessionOrNull = await ctx.prisma.session.findUnique({
+      where: {
+        id: sessionId.value,
+      },
+    });
+
+    if (sessionOrNull && sessionOrNull.expiresAt > new Date()) {
+      throw new TRPCError({ code: "FORBIDDEN" });
+    }
+
+    return next({
+      ctx,
+    });
+  },
+);