Code-4-Community
diff --git a/‎.github/dependabot.yml‎
Lines changed: 31 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎DEPENDABOT.md‎
Lines changed: 48 additions & 0 deletions b/‎DEPENDABOT.md‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎apps/backend/src/auth/auth.controller.ts‎
Lines changed: 73 additions & 3 deletions b/‎apps/backend/src/auth/auth.controller.ts‎
Lines changed: 73 additions & 3 deletions
diff --git a/‎apps/backend/src/auth/auth.service.ts‎
Lines changed: 80 additions & 27 deletions b/‎apps/backend/src/auth/auth.service.ts‎
Lines changed: 80 additions & 27 deletions
diff --git a/‎apps/backend/src/auth/aws-exports.ts‎
Lines changed: 3 additions & 3 deletions b/‎apps/backend/src/auth/aws-exports.ts‎
Lines changed: 3 additions & 3 deletions
@@ -0,0 +1,31 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - "aaronashby"
+      - "thaninbew"
+    open-pull-requests-limit: 3
+
+  # Enable version updates for Docker
+  - package-ecosystem: "docker"
+    directory: "/apps/backend"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - "aaronashby"
+      - "thaninbew"
+    open-pull-requests-limit: 3
+
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - "aaronashby"
+      - "thaninbew"
+    open-pull-requests-limit: 3
@@ -0,0 +1,48 @@
+# Dependabot Workflow
+
+## Overview
+
+Dependabot is a GitHub-native tool that automatically opens pull requests to keep dependencies up to date. Its configuration settings are located in `.github/dependabot.yml`, and runs weekly.
+
+## What Dependabot Updates
+
+- **Node.js dependencies**: Dependencies declared in `package.json` and the lockfile `yarn.lock`
+- **Docker dependencies**: Updates base image tags referenced by Dockerfiles (e.g. the one in `apps/backend`)
+- **GitHub Actions**: Updates action versions used in workflows in `.github/workflows`
+
+## Schedule and Ownership
+
+Dependabot creates PRs on a **weekly** basis, and automatically assigns the PRs to `aaronashby` and `thaninbew`
+
+## How to Review Dependabot PRs
+
+- Skim the PR title, release notes, and commits
+- Check the diff
+  - Dependency updates often change `package.json` + `yarn.lock` (or only `yarn.lock`).
+  - Docker updates typically change a `FROM …` line.
+  - Actions updates usually change `uses: …@vX` pins in workflows.
+
+## Merging Guidelines (suggested)
+
+- **Patch/minor updates**: usually safe to merge once CI passes.
+- **Major updates**: prefer a quick manual smoke test and a scan for breaking changes.
+- **Lockfile-only updates**: merge if CI passes (these happen due to dependency resolution changes).
+
+## Common Tweaks (edit `.github/dependabot.yml`)
+
+- **Add a separate Docker entry for root compose files**
+  - Dependabot currently only scans Docker in `/apps/backend`. If you want it to update `docker-compose.dev.yml` at the repo root, add another docker update with `directory: "/"`.
+- **Limit PR volume**
+  - Add `open-pull-requests-limit: <number>` to an update block.
+- **Ignore versions**
+  - Use `ignore:` to skip major versions or specific packages temporarily.
+- **Group updates**
+  - Use `groups:` to bundle related packages (e.g., React, NestJS, Nx) into fewer PRs.
+
+## Troubleshooting
+- **CI fails after a bump**
+  - Check the package’s changelog/release notes and revert/ignore if needed.
+  - If it’s a tooling bump (Nx/Vite/ESLint/TypeScript), failures often come from peer dependency changes or config deprecations.
+- **Dependabot isn’t opening PRs**
+  - Confirm `.github/dependabot.yml` is on the default branch and syntactically valid.
+  - Check the repo’s Dependabot alerts/PRs in GitHub for run history and errors.
@@ -1,4 +1,17 @@
-import { BadRequestException, Body, Controller, Post } from '@nestjs/common';
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  ForbiddenException,
+  Get,
+  Post,
+  Req,
+  UseGuards,
+  UseInterceptors,
+} from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { CurrentUserInterceptor } from '../interceptors/current-user.interceptor';
+import { Status } from '../users/types';
 
 import { SignInDto } from './dtos/sign-in.dto';
 import { SignUpDto } from './dtos/sign-up.dto';
@@ -21,12 +34,63 @@ export class AuthController {
     private usersService: UsersService,
   ) {}
 
+  @Get('/me')
+  @UseGuards(AuthGuard('jwt'))
+  @UseInterceptors(CurrentUserInterceptor)
+  async me(@Req() req: any) {
+    return req.user;
+  }
+
+  @Post('/admin-verify')
+  @UseGuards(AuthGuard('jwt'))
+  @UseInterceptors(CurrentUserInterceptor)
+  async adminVerify(
+    @Req() req: any,
+    @Body() body: { email: string },
+  ): Promise<void> {
+    if (req.user.status !== Status.ADMIN) {
+      throw new ForbiddenException('Only admins can verify users');
+    }
+    try {
+      await this.authService.adminConfirmUser(body.email);
+    } catch (e) {
+      console.error('Admin verify error:', e);
+      throw new BadRequestException(e.message);
+    }
+  }
+
+  @Get('/users')
+  @UseGuards(AuthGuard('jwt'))
+  @UseInterceptors(CurrentUserInterceptor)
+  async listUsers(@Req() req: any) {
+    try {
+      const cognitoUsers = await this.authService.listAllUsers();
+      // Combine with DB users
+      const results = await Promise.all(
+        cognitoUsers.map(async (cu) => {
+          const email = cu.Attributes.find((a) => a.Name === 'email')?.Value;
+          const dbUsers = email ? await this.usersService.find(email) : [];
+          return {
+            username: cu.Username,
+            status: cu.UserStatus, // UNCONFIRMED, CONFIRMED, etc.
+            email,
+            dbUser: dbUsers[0] || null,
+          };
+        }),
+      );
+      return results;
+    } catch (e) {
+      throw new BadRequestException(e.message);
+    }
+  }
+
   @Post('/signup')
   async createUser(@Body() signUpDto: SignUpDto): Promise<User> {
     // By default, creates a standard user
     try {
       await this.authService.signup(signUpDto);
     } catch (e) {
+      console.error('Signup error:', e);
       throw new BadRequestException(e.message);
     }
 
@@ -45,13 +109,18 @@ export class AuthController {
     try {
       this.authService.verifyUser(body.email, body.verificationCode);
     } catch (e) {
+      console.error('Verify error:', e);
       throw new BadRequestException(e.message);
     }
   }
 
   @Post('/signin')
-  signin(@Body() signInDto: SignInDto): Promise<SignInResponseDto> {
-    return this.authService.signin(signInDto);
+  async signin(@Body() signInDto: SignInDto): Promise<SignInResponseDto> {
+    try {
+      return await this.authService.signin(signInDto);
+    } catch (e) {
+      throw new BadRequestException(e.message);
+    }
   }
 
   @Post('/refresh')
@@ -76,6 +145,7 @@ export class AuthController {
     try {
       await this.authService.deleteUser(user.email);
     } catch (e) {
+      console.error('Delete error:', e);
       throw new BadRequestException(e.message);
     }
 
 
@@ -1,5 +1,6 @@
 import { Injectable } from '@nestjs/common';
 import {
+  AdminConfirmSignUpCommand,
   AdminDeleteUserCommand,
   AdminInitiateAuthCommand,
   AttributeType,
@@ -41,7 +42,10 @@ export class AuthService {
   // Hash key is the Cognito client secret, message is username + client ID
   // Username value depends on the command
   // (see https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash)
-  calculateHash(username: string): string {
+  calculateHash(username: string): string | undefined {
+    if (!this.clientSecret) {
+      return undefined;
+    }
     const hmac = createHmac('sha256', this.clientSecret);
     hmac.update(username + CognitoAuthConfig.clientId);
     return hmac.digest('base64');
@@ -55,14 +59,32 @@ export class AuthService {
 
     // TODO need error handling
     const { Users } = await this.providerClient.send(listUsersCommand);
-    return Users[0].Attributes;
+    return Users?.[0]?.Attributes || [];
+  }
+
+  async listAllUsers() {
+    const listUsersCommand = new ListUsersCommand({
+      UserPoolId: CognitoAuthConfig.userPoolId,
+    });
+
+    const { Users } = await this.providerClient.send(listUsersCommand);
+    return Users || [];
+  }
+
+  async adminConfirmUser(email: string): Promise<void> {
+    const confirmCommand = new AdminConfirmSignUpCommand({
+      UserPoolId: CognitoAuthConfig.userPoolId,
+      Username: email,
+    });
+
+    await this.providerClient.send(confirmCommand);
   }
 
   async signup(
     { firstName, lastName, email, password }: SignUpDto,
     status: Status = Status.STANDARD,
   ): Promise<boolean> {
-    // Needs error handling
+    console.log(`Attempting signup for: ${email} with status: ${status}`);
     const signUpCommand = new SignUpCommand({
       ClientId: CognitoAuthConfig.clientId,
       SecretHash: this.calculateHash(email),
@@ -73,17 +95,21 @@ export class AuthService {
           Name: 'name',
           Value: `${firstName} ${lastName}`,
         },
-        // Optional: add a custom Cognito attribute called "role" that also stores the user's status/role
-        // If you choose to do so, you'll have to first add this custom attribute in your user pool
-        {
-          Name: 'custom:role',
-          Value: status,
-        },
+        // Commented out as it might cause InvalidParameterException if not in User Pool
+        // {
+        //   Name: 'custom:role',
+        //   Value: status,
+        // },
       ],
     });
 
-    const response = await this.providerClient.send(signUpCommand);
-    return response.UserConfirmed;
+    try {
+      const response = await this.providerClient.send(signUpCommand);
+      return response.UserConfirmed;
+    } catch (err) {
+      console.error('Cognito signup error:', err);
+      throw err;
+    }
   }
 
   async verifyUser(email: string, verificationCode: string): Promise<void> {
@@ -98,39 +124,66 @@ export class AuthService {
   }
 
   async signin({ email, password }: SignInDto): Promise<SignInResponseDto> {
+    const authParameters: Record<string, string> = {
+      USERNAME: email,
+      PASSWORD: password,
+    };
+
+    const secretHash = this.calculateHash(email);
+    if (secretHash) {
+      authParameters.SECRET_HASH = secretHash;
+    }
+
     const signInCommand = new AdminInitiateAuthCommand({
       AuthFlow: 'ADMIN_USER_PASSWORD_AUTH',
       ClientId: CognitoAuthConfig.clientId,
       UserPoolId: CognitoAuthConfig.userPoolId,
-      AuthParameters: {
-        USERNAME: email,
-        PASSWORD: password,
-        SECRET_HASH: this.calculateHash(email),
-      },
+      AuthParameters: authParameters,
     });
 
-    const response = await this.providerClient.send(signInCommand);
-
-    return {
-      accessToken: response.AuthenticationResult.AccessToken,
-      refreshToken: response.AuthenticationResult.RefreshToken,
-      idToken: response.AuthenticationResult.IdToken,
-    };
+    try {
+      const response = await this.providerClient.send(signInCommand);
+
+      return {
+        accessToken: response.AuthenticationResult.AccessToken,
+        refreshToken: response.AuthenticationResult.RefreshToken,
+        idToken: response.AuthenticationResult.IdToken,
+      };
+    } catch (err: unknown) {
+      if (
+        err &&
+        typeof err === 'object' &&
+        'name' in err &&
+        err.name === 'UserNotConfirmedException'
+      ) {
+        throw new Error(
+          'Your account is not confirmed yet. Please ask an admin to confirm your registration.',
+        );
+      }
+      console.error('Signin error:', err);
+      throw err;
+    }
   }
 
   // Refresh token hash uses a user's sub (unique ID), not their username (typically their email)
   async refreshToken({
     refreshToken,
     userSub,
   }: RefreshTokenDto): Promise<SignInResponseDto> {
+    const authParameters: Record<string, string> = {
+      REFRESH_TOKEN: refreshToken,
+    };
+
+    const secretHash = this.calculateHash(userSub);
+    if (secretHash) {
+      authParameters.SECRET_HASH = secretHash;
+    }
+
     const refreshCommand = new AdminInitiateAuthCommand({
       AuthFlow: 'REFRESH_TOKEN_AUTH',
       ClientId: CognitoAuthConfig.clientId,
       UserPoolId: CognitoAuthConfig.userPoolId,
-      AuthParameters: {
-        REFRESH_TOKEN: refreshToken,
-        SECRET_HASH: this.calculateHash(userSub),
-      },
+      AuthParameters: authParameters,
     });
 
     const response = await this.providerClient.send(refreshCommand);
 
@@ -1,7 +1,7 @@
 const CognitoAuthConfig = {
-  userPoolId: 'USER POOL ID HERE',
-  clientId: 'CLIENT ID HERE',
-  region: 'us-east-2',
+  userPoolId: process.env.COGNITO_USER_POOL_ID,
+  clientId: process.env.COGNITO_CLIENT_ID,
+  region: process.env.COGNITO_REGION || 'us-east-2',
 };
 
 export default CognitoAuthConfig;