feat: Refactor GitHub Actions workflow for Docker image build and transfer, add token validation endpoint in AuthController

Author: letnull19A

.github/workflows/deploy.yml

@@ -11,27 +11,28 @@ env:
   IMAGE_NAME: ${{ secrets.DOCKER_IMAGE_NAME || 'atom-dbro-backend' }}
 
 jobs:
-  build:
-    name: Build and Export Docker Image
+  build-and-transfer:
+    name: Build and Transfer Docker Image
     runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
+      - name: Verify Docker access
+        run: |
+          echo "=== Verifying Docker access ==="
+          docker ps 2>&1 | head -3 || {
+            echo "❌ ERROR: Cannot access Docker daemon"
+            exit 1
+          }
+          echo "✅ Docker access verified"
       - name: Build Docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile
-          push: false
-          load: true
-          tags: ${{ env.IMAGE_NAME }}:latest
-          no-cache: true
-
+        run: |
+          echo "📦 Building Docker image: ${{ env.IMAGE_NAME }}:latest"
+          docker build --no-cache -t ${{ env.IMAGE_NAME }}:latest -f ./Dockerfile .
+          echo "✅ Docker image built successfully"
       - name: Verify image was built
         run: |
           if ! docker images | grep -q "${{ env.IMAGE_NAME }}.*latest"; then
@@ -40,7 +41,6 @@ jobs:
           fi
           echo "✅ Docker image built successfully: ${{ env.IMAGE_NAME }}:latest"
           docker images | grep "${{ env.IMAGE_NAME }}"
-
       - name: Export Docker image to tar.gz
         run: |
           echo "📦 Exporting Docker image to tar.gz..."
@@ -58,27 +58,6 @@ jobs:
           fi
           
           echo "✅ Docker image exported successfully"
-
-      - name: Upload Docker image artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: docker-image
-          path: image.tar.gz
-          retention-days: 1
-
-  transfer:
-    name: Transfer Image to Server
-    needs: build
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
-    
-    steps:
-      - name: Download Docker image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: docker-image
-          path: ./
-
       - name: Set up SSH
         uses: webfactory/ssh-agent@v0.9.0
         with:
@@ -89,6 +68,8 @@ jobs:
           SSH_PORT="${DEPLOY_SSH_PORT:-22}"
           ssh -o StrictHostKeyChecking=no -p "$SSH_PORT" ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} \
             "echo 'SSH connection successful' && hostname"
+        env:
+          DEPLOY_SSH_PORT: ${{ secrets.DEPLOY_SSH_PORT || '22' }}
 
       - name: Transfer Docker image to server
         run: |
@@ -108,9 +89,17 @@ jobs:
         env:
           DEPLOY_SSH_PORT: ${{ secrets.DEPLOY_SSH_PORT || '22' }}
 
+      - name: Cleanup
+        if: always()
+        run: |
+          echo "🧹 Cleaning up temporary files and Docker resources..."
+          rm -f image.tar.gz
+          docker rmi ${{ env.IMAGE_NAME }}:latest 2>/dev/null || true
+          docker builder prune -f || true
+          echo "✅ Cleanup completed"
   deploy:
     name: Deploy Application
-    needs: transfer
+    needs: build-and-transfer
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/main'
 
@@ -332,4 +321,4 @@ jobs:
           CONTAINER_NAME: ${{ secrets.DEPLOY_CONTAINER_NAME || 'atom-dbro-app' }}
           SERVICE_NAME: ${{ secrets.DEPLOY_SERVICE_NAME || 'app' }}
           IMAGE_NAME: ${{ env.IMAGE_NAME }}
-          COMPOSE_PROJECT_NAME: ${{ secrets.DEPLOY_COMPOSE_PROJECT_NAME || '' }}
+          COMPOSE_PROJECT_NAME: ${{ secrets.DEPLOY_COMPOSE_PROJECT_NAME || '' }}

src/auth/auth.controller.ts

@@ -1,12 +1,14 @@
-import { Controller, Post, Body, HttpCode, UseGuards, UseInterceptors } from '@nestjs/common';
-import { ApiTags, ApiOperation, ApiResponse, ApiBody } from '@nestjs/swagger';
+import { Controller, Post, Body, HttpCode, UseGuards, UseInterceptors, Version } from '@nestjs/common';
+import { ApiTags, ApiOperation, ApiResponse, ApiBody, ApiBearerAuth } from '@nestjs/swagger';
 import { AuthService } from './auth.service';
 import { LoginDto, loginSchema, LoginDtoClass } from './dto/login.dto';
 import { RefreshTokenDto, refreshTokenSchema, RefreshTokenDtoClass } from './dto/refresh-token.dto';
 import { ZodValidation } from '../common/decorators/zod-validation.decorator';
 import { Public } from './decorators/public.decorator';
 import { RefreshTokenGuard } from './guards/refresh-token.guard';
 import { LoginLoggingInterceptor } from './interceptors/login-logging.interceptor';
+import { JwtAuthGuard } from './guards/jwt-auth.guard';
+import { ValidateTokenGuard } from './guards/validate-token.guard';
 
 @ApiTags('Авторизация')
 @Controller('auth')
@@ -34,5 +36,18 @@ export class AuthController {
   refresh(@Body() refreshTokenDto: RefreshTokenDto) {
     return this.authService.refresh(refreshTokenDto);
   }
+
+  @Post('validate')
+  @Version('1')
+  @UseGuards(ValidateTokenGuard)
+  @HttpCode(200)
+  @ApiBearerAuth()
+  @ApiOperation({ summary: 'Валидация токена' })
+  @ApiResponse({ status: 200, description: 'Токен валиден' })
+  @ApiResponse({ status: 401, description: 'Токен не валиден' })
+  @ApiResponse({ status: 400, description: 'Доступ разрешен только администраторам' })
+  validate() {
+    return { message: 'Токен валиден' };
+  }
 }
 

src/auth/auth.service.ts

@@ -1,4 +1,4 @@
-import { Injectable, UnauthorizedException, ConflictException, Logger } from '@nestjs/common';
+import { Injectable, UnauthorizedException, ConflictException, Logger, BadRequestException } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import { ConfigService } from '@nestjs/config';
 import * as bcrypt from 'bcrypt';
@@ -48,7 +48,7 @@ export class AuthService {
 
       // Проверяем, что пользователь имеет роль ADMIN
       if (user.role !== 'ADMIN') {
-        throw new UnauthorizedException('Доступ разрешен только администраторам');
+        throw new BadRequestException('Доступ разрешен только администраторам');
       }
 
       const payload = { email: user.email, sub: user.id };
@@ -89,7 +89,7 @@ export class AuthService {
 
       // Проверяем, что пользователь имеет роль ADMIN
       if (user.role !== 'ADMIN') {
-        throw new UnauthorizedException('Доступ разрешен только администраторам');
+        throw new BadRequestException('Доступ разрешен только администраторам');
       }
 
       const newPayload = { email: user.email, sub: user.id };

src/auth/guards/jwt-auth.guard.ts

@@ -1,4 +1,4 @@
-import { ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
+import { ExecutionContext, Injectable, UnauthorizedException, BadRequestException } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
 import { AuthGuard } from '@nestjs/passport';
 import { IS_PUBLIC_KEY } from '../decorators/public.decorator';
@@ -53,6 +53,11 @@ export class JwtAuthGuard extends AuthGuard('jwt') {
       throw new UnauthorizedException(message);
     }
 
+    // Проверяем, что пользователь имеет роль ADMIN
+    if (user.role !== 'ADMIN') {
+      throw new BadRequestException('Доступ разрешен только администраторам');
+    }
+    
     return user;
   }
 }

src/auth/guards/validate-token.guard.ts

@@ -0,0 +1,26 @@
+import { ExecutionContext, Injectable, UnauthorizedException, BadRequestException } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+
+@Injectable()
+export class ValidateTokenGuard extends AuthGuard('jwt') {
+  handleRequest(err: any, user: any, info: any, context: ExecutionContext) {
+    // Если есть ошибка или пользователь отсутствует
+    if (err || !user) {
+      // Если ошибка уже является HttpException, пробрасываем её, но с нашим сообщением
+      if (err && (err.statusCode || err instanceof UnauthorizedException)) {
+        throw new UnauthorizedException('Токен не валиден');
+      }
+      
+      // Для всех остальных случаев невалидного токена
+      throw new UnauthorizedException('Токен не валиден');
+    }
+    
+    // Проверяем, что пользователь имеет роль ADMIN
+    if (user.role !== 'ADMIN') {
+      throw new BadRequestException('Доступ разрешен только администраторам');
+    }
+    
+    return user;
+  }
+}
+

src/auth/strategies/jwt.strategy.ts

@@ -2,13 +2,13 @@ import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
 import { ExtractJwt, Strategy } from 'passport-jwt';
 import { ConfigService } from '@nestjs/config';
-import { UserService } from '../../user/user.service';
+import { UserRepository } from '../../user/user.repository';
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy) {
   constructor(
     private configService: ConfigService,
-    private userService: UserService,
+    private userRepository: UserRepository,
   ) {
     super({
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
@@ -19,11 +19,11 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
   }
 
   async validate(payload: any) {
-    const user = await this.userService.findOne(payload.sub);
+    const user = await this.userRepository.findById(payload.sub);
     if (!user) {
       throw new UnauthorizedException();
     }
-    return { userId: user.id, email: user.email };
+    return { userId: user.id, email: user.email, role: user.role };
   }
 }