feat(server): setup api for selfhost deployment (#7569)

packages/backend/server/src/core/auth/service.ts

@@ -5,14 +5,7 @@ import { PrismaClient } from '@prisma/client';
 import type { CookieOptions, Request, Response } from 'express';
 import { assign, omit } from 'lodash-es';
 
-import {
-  Config,
-  CryptoHelper,
-  EmailAlreadyUsed,
-  MailService,
-  WrongSignInCredentials,
-  WrongSignInMethod,
-} from '../../fundamentals';
+import { Config, EmailAlreadyUsed, MailService } from '../../fundamentals';
 import { FeatureManagementService } from '../features/management';
 import { QuotaService } from '../quota/service';
 import { QuotaType } from '../quota/types';
@@ -74,20 +67,19 @@ export class AuthService implements OnApplicationBootstrap {
     private readonly mailer: MailService,
     private readonly feature: FeatureManagementService,
     private readonly quota: QuotaService,
-    private readonly user: UserService,
-    private readonly crypto: CryptoHelper
+    private readonly user: UserService
   ) {}
 
   async onApplicationBootstrap() {
     if (this.config.node.dev) {
       try {
-        const [email, name, pwd] = ['dev@affine.pro', 'Dev User', 'dev'];
+        const [email, name, password] = ['dev@affine.pro', 'Dev User', 'dev'];
         let devUser = await this.user.findUserByEmail(email);
         if (!devUser) {
           devUser = await this.user.createUser({
             email,
             name,
-            password: await this.crypto.encryptPassword(pwd),
+            password,
           });
         }
         await this.quota.switchUserQuota(devUser.id, QuotaType.ProPlanV1);
@@ -114,36 +106,17 @@ export class AuthService implements OnApplicationBootstrap {
       throw new EmailAlreadyUsed();
     }
 
-    const hashedPassword = await this.crypto.encryptPassword(password);
-
     return this.user
       .createUser({
         name,
         email,
-        password: hashedPassword,
+        password,
       })
       .then(sessionUser);
   }
 
   async signIn(email: string, password: string) {
-    const user = await this.user.findUserWithHashedPasswordByEmail(email);
-
-    if (!user) {
-      throw new WrongSignInCredentials();
-    }
-
-    if (!user.password) {
-      throw new WrongSignInMethod();
-    }
-
-    const passwordMatches = await this.crypto.verifyPassword(
-      password,
-      user.password
-    );
-
-    if (!passwordMatches) {
-      throw new WrongSignInCredentials();
-    }
+    const user = await this.user.signIn(email, password);
 
     return sessionUser(user);
   }
@@ -382,8 +355,7 @@ export class AuthService implements OnApplicationBootstrap {
     id: string,
     newPassword: string
   ): Promise<Omit<User, 'password'>> {
-    const hashedPassword = await this.crypto.encryptPassword(newPassword);
-    return this.user.updateUser(id, { password: hashedPassword });
+    return this.user.updateUser(id, { password: newPassword });
   }
 
   async changeEmail(

packages/backend/server/src/core/config/resolver.ts

@@ -9,7 +9,7 @@ import {
   ResolveField,
   Resolver,
 } from '@nestjs/graphql';
-import { RuntimeConfig, RuntimeConfigType } from '@prisma/client';
+import { PrismaClient, RuntimeConfig, RuntimeConfigType } from '@prisma/client';
 import { GraphQLJSON, GraphQLJSONObject } from 'graphql-scalars';
 
 import { Config, DeploymentType, URLHelper } from '../../fundamentals';
@@ -115,7 +115,8 @@ export class ServerFlagsType implements ServerFlags {
 export class ServerConfigResolver {
   constructor(
     private readonly config: Config,
-    private readonly url: URLHelper
+    private readonly url: URLHelper,
+    private readonly db: PrismaClient
   ) {}
 
   @Public()
@@ -165,6 +166,13 @@ export class ServerConfigResolver {
       return flags;
     }, {} as ServerFlagsType);
   }
+
+  @ResolveField(() => Boolean, {
+    description: 'whether server has been initialized',
+  })
+  async initialized() {
+    return (await this.db.user.count()) > 0;
+  }
 }
 
 @Resolver(() => ServerRuntimeConfigType)

packages/backend/server/src/core/features/management.ts

@@ -1,6 +1,6 @@
 import { Injectable, Logger } from '@nestjs/common';
 
-import { Config } from '../../fundamentals';
+import { Config, type EventPayload, OnEvent } from '../../fundamentals';
 import { UserService } from '../user/service';
 import { FeatureService } from './service';
 import { FeatureType } from './types';
@@ -167,4 +167,9 @@ export class FeatureManagementService {
   async listFeatureWorkspaces(feature: FeatureType) {
     return this.feature.listFeatureWorkspaces(feature);
   }
+
+  @OnEvent('user.admin.created')
+  async onAdminUserCreated({ id }: EventPayload<'user.admin.created'>) {
+    await this.addAdmin(id);
+  }
 }

packages/backend/server/src/core/features/resolver.ts

@@ -47,7 +47,8 @@ export class FeatureManagementResolver {
     if (user) {
       return this.feature.addEarlyAccess(user.id, type);
     } else {
-      const user = await this.users.createAnonymousUser(email, {
+      const user = await this.users.createUser({
+        email,
         registered: false,
       });
       return this.feature.addEarlyAccess(user.id, type);

packages/backend/server/src/core/setup/controller.ts

@@ -0,0 +1,66 @@
+import { Body, Controller, Post, Req, Res } from '@nestjs/common';
+import { PrismaClient } from '@prisma/client';
+import type { Request, Response } from 'express';
+
+import {
+  ActionForbidden,
+  EventEmitter,
+  InternalServerError,
+  MutexService,
+  PasswordRequired,
+} from '../../fundamentals';
+import { AuthService, Public } from '../auth';
+import { UserService } from '../user/service';
+
+interface CreateUserInput {
+  email: string;
+  password: string;
+}
+
+@Controller('/api/setup')
+export class CustomSetupController {
+  constructor(
+    private readonly db: PrismaClient,
+    private readonly user: UserService,
+    private readonly auth: AuthService,
+    private readonly event: EventEmitter,
+    private readonly mutex: MutexService
+  ) {}
+
+  @Public()
+  @Post('/create-admin-user')
+  async createAdmin(
+    @Req() req: Request,
+    @Res() res: Response,
+    @Body() input: CreateUserInput
+  ) {
+    if (!input.password) {
+      throw new PasswordRequired();
+    }
+
+    await using lock = await this.mutex.lock('createFirstAdmin');
+
+    if (!lock) {
+      throw new InternalServerError();
+    }
+
+    if ((await this.db.user.count()) > 0) {
+      throw new ActionForbidden('First user already created');
+    }
+
+    const user = await this.user.createUser({
+      email: input.email,
+      password: input.password,
+      registered: true,
+    });
+
+    try {
+      await this.event.emitAsync('user.admin.created', user);
+      await this.auth.setCookie(req, res, user);
+      res.send({ id: user.id, email: user.email, name: user.name });
+    } catch (e) {
+      await this.user.deleteUser(user.id);
+      throw e;
+    }
+  }
+}

packages/backend/server/src/core/setup/index.ts

@@ -0,0 +1,11 @@
+import { Module } from '@nestjs/common';
+
+import { AuthModule } from '../auth';
+import { UserModule } from '../user';
+import { CustomSetupController } from './controller';
+
+@Module({
+  imports: [AuthModule, UserModule],
+  controllers: [CustomSetupController],
+})
+export class CustomSetupModule {}

packages/backend/server/src/core/user/resolver.ts

@@ -12,13 +12,7 @@ import { PrismaClient } from '@prisma/client';
 import GraphQLUpload from 'graphql-upload/GraphQLUpload.mjs';
 import { isNil, omitBy } from 'lodash-es';
 
-import {
-  Config,
-  CryptoHelper,
-  type FileUpload,
-  Throttle,
-  UserNotFound,
-} from '../../fundamentals';
+import { type FileUpload, Throttle, UserNotFound } from '../../fundamentals';
 import { CurrentUser } from '../auth/current-user';
 import { Public } from '../auth/guard';
 import { sessionUser } from '../auth/service';
@@ -177,9 +171,7 @@ class CreateUserInput {
 export class UserManagementResolver {
   constructor(
     private readonly db: PrismaClient,
-    private readonly user: UserService,
-    private readonly crypto: CryptoHelper,
-    private readonly config: Config
+    private readonly user: UserService
   ) {}
 
   @Query(() => [UserType], {
@@ -222,22 +214,9 @@ export class UserManagementResolver {
   async createUser(
     @Args({ name: 'input', type: () => CreateUserInput }) input: CreateUserInput
   ) {
-    validators.assertValidEmail(input.email);
-    if (input.password) {
-      const config = await this.config.runtime.fetchAll({
-        'auth/password.max': true,
-        'auth/password.min': true,
-      });
-      validators.assertValidPassword(input.password, {
-        max: config['auth/password.max'],
-        min: config['auth/password.min'],
-      });
-    }
-
-    const { id } = await this.user.createAnonymousUser(input.email, {
-      password: input.password
-        ? await this.crypto.encryptPassword(input.password)
-        : undefined,
+    const { id } = await this.user.createUser({
+      email: input.email,
+      password: input.password,
       registered: true,
     });
 

packages/backend/server/src/core/user/service.ts

@@ -3,12 +3,16 @@ import { Prisma, PrismaClient } from '@prisma/client';
 
 import {
   Config,
+  CryptoHelper,
   EmailAlreadyUsed,
   EventEmitter,
   type EventPayload,
   OnEvent,
+  WrongSignInCredentials,
+  WrongSignInMethod,
 } from '../../fundamentals';
 import { Quota_FreePlanV1_1 } from '../quota/schema';
+import { validators } from '../utils/validators';
 
 @Injectable()
 export class UserService {
@@ -26,6 +30,7 @@ export class UserService {
 
   constructor(
     private readonly config: Config,
+    private readonly crypto: CryptoHelper,
     private readonly prisma: PrismaClient,
     private readonly emitter: EventEmitter
   ) {}
@@ -35,7 +40,7 @@ export class UserService {
       name: 'Unnamed',
       features: {
         create: {
-          reason: 'created by invite sign up',
+          reason: 'sign up',
           activated: true,
           feature: {
             connect: {
@@ -47,7 +52,33 @@ export class UserService {
     };
   }
 
-  async createUser(data: Prisma.UserCreateInput) {
+  async createUser(
+    data: Omit<Prisma.UserCreateInput, 'name'> & { name?: string }
+  ) {
+    validators.assertValidEmail(data.email);
+    const user = await this.findUserByEmail(data.email);
+
+    if (user) {
+      throw new EmailAlreadyUsed();
+    }
+
+    if (data.password) {
+      const config = await this.config.runtime.fetchAll({
+        'auth/password.max': true,
+        'auth/password.min': true,
+      });
+      validators.assertValidPassword(data.password, {
+        max: config['auth/password.max'],
+        min: config['auth/password.min'],
+      });
+
+      data.password = await this.crypto.encryptPassword(data.password);
+    }
+
+    if (!data.name) {
+      data.name = data.email.split('@')[0];
+    }
+
     return this.prisma.user.create({
       select: this.defaultUserSelect,
       data: {
@@ -57,23 +88,6 @@ export class UserService {
     });
   }
 
-  async createAnonymousUser(
-    email: string,
-    data?: Partial<Prisma.UserCreateInput>
-  ) {
-    const user = await this.findUserByEmail(email);
-
-    if (user) {
-      throw new EmailAlreadyUsed();
-    }
-
-    return this.createUser({
-      email,
-      name: email.split('@')[0],
-      ...data,
-    });
-  }
-
   async findUserById(id: string) {
     return this.prisma.user
       .findUnique({
@@ -86,6 +100,7 @@ export class UserService {
   }
 
   async findUserByEmail(email: string) {
+    validators.assertValidEmail(email);
     return this.prisma.user.findFirst({
       where: {
         email: {
@@ -101,6 +116,7 @@ export class UserService {
    * supposed to be used only for `Credential SignIn`
    */
   async findUserWithHashedPasswordByEmail(email: string) {
+    validators.assertValidEmail(email);
     return this.prisma.user.findFirst({
       where: {
         email: {
@@ -111,15 +127,27 @@ export class UserService {
     });
   }
 
-  async findOrCreateUser(
-    email: string,
-    data?: Partial<Prisma.UserCreateInput>
-  ) {
-    const user = await this.findUserByEmail(email);
-    if (user) {
-      return user;
+  async signIn(email: string, password: string) {
+    const user = await this.findUserWithHashedPasswordByEmail(email);
+
+    if (!user) {
+      throw new WrongSignInCredentials();
     }
-    return this.createAnonymousUser(email, data);
+
+    if (!user.password) {
+      throw new WrongSignInMethod();
+    }
+
+    const passwordMatches = await this.crypto.verifyPassword(
+      password,
+      user.password
+    );
+
+    if (!passwordMatches) {
+      throw new WrongSignInCredentials();
+    }
+
+    return user;
   }
 
   async fulfillUser(
@@ -160,9 +188,23 @@ export class UserService {
 
   async updateUser(
     id: string,
-    data: Prisma.UserUpdateInput,
+    data: Omit<Prisma.UserUpdateInput, 'password'> & {
+      password?: string | null;
+    },
     select: Prisma.UserSelect = this.defaultUserSelect
   ) {
+    if (data.password) {
+      const config = await this.config.runtime.fetchAll({
+        'auth/password.max': true,
+        'auth/password.min': true,
+      });
+      validators.assertValidPassword(data.password, {
+        max: config['auth/password.max'],
+        min: config['auth/password.min'],
+      });
+
+      data.password = await this.crypto.encryptPassword(data.password);
+    }
     const user = await this.prisma.user.update({ where: { id }, data, select });
 
     this.emitter.emit('user.updated', user);

packages/backend/server/src/core/user/types.ts

@@ -7,6 +7,7 @@ import {
 } from '@nestjs/graphql';
 import type { User } from '@prisma/client';
 
+import type { Payload } from '../../fundamentals/event/def';
 import { CurrentUser } from '../auth/current-user';
 
 @ObjectType()
@@ -81,3 +82,11 @@ export class UpdateUserInput implements Partial<User> {
   @Field({ description: 'User name', nullable: true })
   name?: string;
 }
+
+declare module '../../fundamentals/event/def' {
+  interface UserEvents {
+    admin: {
+      created: Payload<{ id: string }>;
+    };
+  }
+}

packages/backend/server/src/core/workspaces/resolvers/workspace.ts

@@ -342,7 +342,8 @@ export class WorkspaceResolver {
         // only invite if the user is not already in the workspace
         if (originRecord) return originRecord.id;
       } else {
-        target = await this.users.createAnonymousUser(email, {
+        target = await this.users.createUser({
+          email,
           registered: false,
         });
       }