Closed evereq closed 4 years ago
Report for the current state of the issue @evereq: I fixed the Google and Facebook authentication so that only users that already have an account can sign in. Now if you have an account you can sign in, and if not the application will redirect you to the "Registration" page.
Video after Google auth fix: https://www.screencast.com/t/r9gs2Cg6bWu For Facebook, I did not create a video because my Facebook account did not return any emails (for some unknown reason, settings or something).
Also, front-end authorization is implemented with auth guards, but I'll need info about which roles have access to which routes, i.e. Admin can access everything, the employee can access only income, expense, etc.
For the sake of the video, I removed the admin role requirement on the Dashboard page and put the ADMIN requirement on almost all menu routes, because when I sign in with a normal account Gauzy redirects me to the Login page. Video: https://www.screencast.com/t/IoHKX4s732Xn
This authorization has to be replicated on the backend API as well, because now only the front-end routes are guarded.
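The "only already-registered users may sign in via Google/Facebook" rule discussed in this comment, written out as an added example in plain TypeScript (not Gauzy's own code). It assumes a constructed in-memory users table in place of the DB, a simplified OAuth profile shape, and hypothetical names (`socialSignIn`, `findUserByEmail`); the `emailVerified` check is an added caveat for providers that report it.

```typescript
// Added example (not Gauzy's own code): decision logic for "social sign-in only for
// users who already exist". The users table, profile shape and names are constructed.

interface UserRecord {
  id: number;
  email: string;
  fullName: string;
}

// Subset of what an OAuth provider profile typically carries.
interface OAuthProfile {
  provider: 'google' | 'facebook';
  email?: string;          // may be absent (the Facebook case described in the thread)
  emailVerified?: boolean; // reported by some providers; undefined means "not reported"
  displayName?: string;
}

type SocialSignInResult =
  | { kind: 'signed-in'; user: UserRecord }
  | { kind: 'register'; prefill: { email: string; fullName: string } }
  | { kind: 'rejected'; reason: string };

// Constructed sample users table standing in for the users table in the DB.
const USERS: UserRecord[] = [
  { id: 1, email: 'admin@ever.co', fullName: 'Admin User' },
  { id: 2, email: 'Data.Entry@ever.co', fullName: 'Data Entry' },
];

// Compare emails case-insensitively so "ADMIN@ever.co" still matches the stored record.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

function findUserByEmail(email: string): UserRecord | undefined {
  const wanted = normalizeEmail(email);
  return USERS.find((u) => normalizeEmail(u.email) === wanted);
}

// Returns the signed-in user when the provider email matches an existing record,
// a prefilled registration request when it does not, and a rejection when the
// provider gave us nothing we can safely match on.
function socialSignIn(profile: OAuthProfile): SocialSignInResult {
  if (!profile.email) {
    return { kind: 'rejected', reason: `${profile.provider} returned no email` };
  }
  if (profile.emailVerified === false) {
    // An unverified address must never be used to link to an existing account.
    return { kind: 'rejected', reason: 'provider email is not verified' };
  }
  const user = findUserByEmail(profile.email);
  if (user) {
    return { kind: 'signed-in', user };
  }
  // Unknown email: do not create an account silently, send the user to registration
  // with the details the provider did give us (the improvement mentioned in the thread).
  return {
    kind: 'register',
    prefill: { email: normalizeEmail(profile.email), fullName: profile.displayName ?? '' },
  };
}
```

Keeping the lookup keyed on the normalized email, and rejecting profiles without an email, is what turns "only existing users can sign in" into a rule the API enforces rather than one the login page merely assumes.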
@Dreemsuncho in the first video, when you try to log in with an email which is not registered in the DB yet, it shows the "registration" page, but the fields are empty (e.g. email / full name). However, in the response from Google (or FB) you should be getting such details and you can fill them in the registration form, etc.
However, no need to do that improvement for now; we will need to decide more about the Registration flow, because it's not a business-to-customer (B2C) site. On B2C, after a user signs in with Google, normally you don't need to ask him/her anything at all during the registration phase, because all details are just loaded from the Google provider. In our case, I think we will need to show that form as you did, but as I said some details will be loaded from Google, but some users may need to enter/select data in the additional fields.
So, for now, let's continue with other flows/guards and we will get back to registration later.
I've implemented backend role authorization with route guards, i.e. the functionality itself is done and we can use Roles and Guards on every controller/method we want, but for now I put the 'Admin' requirement on the organization and employee controllers so that I can test and capture a video. https://www.screencast.com/t/uom7KTkHye.
The functionality for authorization is done, but it remains to be decided which controllers or routes are for admins/employees/data-entry, and this is still not clear to me; or rather, I would have to research every front-end component and decide, but there it is also not clear which roles are allowed for which pages/functionalities, so I'll leave it this way for now.
The branch is ready for merge because it's in sync with master, but some "License Compliance" does not allow me to merge the pull request. https://github.com/ever-co/gauzy/pull/252
Instead, only users who are already registered (meaning a record exists in the users table) should be able to log in via Google (e.g. we may need to check if the email we get from Google is the same as the email of the user in the DB, and only in such a case "match" the Google user with the existing user). So if a user with admin@ever.co already existed in the DB, then a Google user with the same email should be able to sign in using Google. If the Google email is different (e.g. someone@ever.co), he should NOT be able to log in!
We need to verify how Roles / Authorization work. Meaning if a user is in the "Admin" role, she/he should have access everywhere. If the user only has "Data Entry", she/he should only be able to add records for Income / Expenses, but not see the Dashboard and not be able to manage employees/organizations details (except recurring expenses), etc.
We need to verify non-authenticated users' access: they should only be able to access http://localhost:4200/#/auth/login, http://localhost:4200/#/auth/register, http://localhost:4200/#/auth/request-password in the browser, and only the relevant APIs used on such pages, not any other API endpoints!
Check https://docs.nestjs.com/guards, https://docs.nestjs.com/techniques/authentication, https://github.com/mdoury/nestjs-auth-starter-kit, https://github.com/neoteric-eu/nestjs-auth, etc
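The role rules listed in this issue (Admin everywhere, Data Entry only Income / Expenses plus recurring expenses, unauthenticated users only the three auth pages) and the backend route guards from the comment above, as one added example in plain TypeScript. This is not Gauzy's code: it is a single access-policy function that a NestJS `CanActivate` guard on the API, and an Angular route guard on the client, could both delegate to, so the two sides cannot disagree. Role names, route paths and the policy table are constructed from the thread's description and are hypothetical.

```typescript
// Added example, not Gauzy's own code: a pure-TypeScript access policy that a NestJS
// CanActivate guard (API) or an Angular route guard (client) could call. Role names,
// route paths and the policy table are constructed from the issue text.

type Role = 'ADMIN' | 'EMPLOYEE' | 'DATA_ENTRY';

interface Principal {
  email: string;
  roles: Role[];
}

// Pages/endpoints that must stay reachable without authentication.
const PUBLIC_ROUTES = new Set<string>([
  '/auth/login',
  '/auth/register',
  '/auth/request-password',
]);

// Which non-admin roles may reach which route prefix. ADMIN is handled in canAccess and
// is therefore never listed here; an empty list means "admin only".
const ROLE_POLICY: Record<string, Role[]> = {
  '/income': ['DATA_ENTRY', 'EMPLOYEE'],
  '/expenses': ['DATA_ENTRY', 'EMPLOYEE'],
  '/dashboard': [],
  '/employees': [],
  '/organizations': [],
  // The one organization sub-resource Data Entry may manage (the "except recurring
  // expenses" case): longest-prefix matching makes this entry win over '/organizations'.
  '/organizations/recurring-expenses': ['DATA_ENTRY'],
};

// Resolve a request path to its most specific policy entry, or undefined if none matches.
function matchPolicy(path: string): Role[] | undefined {
  const candidates = Object.keys(ROLE_POLICY)
    .filter((prefix) => path === prefix || path.startsWith(prefix + '/'))
    .sort((a, b) => b.length - a.length);
  return candidates.length > 0 ? ROLE_POLICY[candidates[0]] : undefined;
}

// The single decision both the front-end and the API guard should share.
function canAccess(principal: Principal | null, path: string): boolean {
  if (PUBLIC_ROUTES.has(path)) {
    return true;                 // login/register/request-password are open to everyone
  }
  if (principal === null) {
    return false;                // every other route needs an authenticated user
  }
  if (principal.roles.includes('ADMIN')) {
    return true;                 // Admin has access everywhere
  }
  const allowed = matchPolicy(path);
  if (allowed === undefined) {
    return false;                // deny by default: an unlisted route is not implicitly open
  }
  return principal.roles.some((role) => allowed.includes(role));
}
```

The deny-by-default branch is the part worth keeping when this is wired into real guards: a controller that nobody remembered to annotate should fail closed, not fall open, and the same table driving both the Angular guard and the NestJS guard removes the gap noted above where only the front-end routes were protected.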