From f9768f7e088916b03b4fe4f45055c6563c27663d Mon Sep 17 00:00:00 2001
From: Tyler Myracle <tyler.myracle@gmail.com>
Date: Sun, 21 Jan 2024 15:36:29 -0600
Subject: [PATCH 1/2] fix dev tools and add admin role

---
 apps/client/pages/api/auth/[...nextauth].ts   | 22 +++++--
 apps/client/pages/register.tsx                | 28 ++++++++-
 apps/server/src/app/lib/ability.ts            |  8 +--
 apps/server/src/app/lib/endpoint.ts           |  6 +-
 apps/server/src/app/routes/admin.router.ts    |  5 +-
 .../src/app/routes/institutions.router.ts     |  4 +-
 .../src/accounts-list/AccountDevTools.tsx     | 23 +------
 .../accounts-manager/AccountTypeSelector.tsx  |  2 +-
 .../src/services/queue/in-memory-queue.ts     |  1 +
 libs/server/shared/src/utils/auth-utils.ts    | 60 -------------------
 libs/server/shared/src/utils/index.ts         |  1 -
 libs/shared/src/types/user-types.ts           |  4 --
 .../migration.sql                             |  5 ++
 prisma/schema.prisma                          |  7 +++
 14 files changed, 67 insertions(+), 109 deletions(-)
 delete mode 100644 libs/server/shared/src/utils/auth-utils.ts
 create mode 100644 prisma/migrations/20240121204146_add_auth_user_role/migration.sql

diff --git a/apps/client/pages/api/auth/[...nextauth].ts b/apps/client/pages/api/auth/[...nextauth].ts
index a641f0ac..40348a75 100644
--- a/apps/client/pages/api/auth/[...nextauth].ts
+++ b/apps/client/pages/api/auth/[...nextauth].ts
@@ -2,7 +2,8 @@ import NextAuth from 'next-auth'
 import type { SessionStrategy, NextAuthOptions } from 'next-auth'
 import CredentialsProvider from 'next-auth/providers/credentials'
 import { z } from 'zod'
-import { PrismaClient, type Prisma } from '@prisma/client'
+import { PrismaClient, AuthUserRole } from '@prisma/client'
+import type { Prisma } from '@prisma/client'
 import { PrismaAdapter } from '@auth/prisma-adapter'
 import type { SharedType } from '@maybe-finance/shared'
 import bcrypt from 'bcrypt'
@@ -36,6 +37,7 @@ async function validateCredentials(credentials: any): Promise<z.infer<typeof aut
         lastName: z.string().optional(),
         email: z.string().email({ message: 'Invalid email address.' }),
         password: z.string().min(6),
+        isAdmin: z.boolean().default(false),
     })
 
     const parsed = authSchema.safeParse(credentials)
@@ -51,13 +53,15 @@ async function createNewAuthUser(credentials: {
     lastName: string
     email: string
     password: string
+    isAdmin: boolean
 }): Promise<SharedType.AuthUser> {
-    const { firstName, lastName, email, password } = credentials
+    const { firstName, lastName, email, password, isAdmin } = credentials
 
     if (!firstName || !lastName) {
         throw new Error('Both first name and last name are required.')
     }
 
+    const isDevelopment = process.env.NODE_ENV === 'development'
     const hashedPassword = await bcrypt.hash(password, 10)
     return createAuthUser({
         firstName,
@@ -65,6 +69,7 @@ async function createNewAuthUser(credentials: {
         name: `${firstName} ${lastName}`,
         email,
         password: hashedPassword,
+        role: isAdmin && isDevelopment ? AuthUserRole.admin : AuthUserRole.user,
     })
 }
 
@@ -94,10 +99,15 @@ export const authOptions = {
                 lastName: { label: 'Last name', type: 'text', placeholder: 'Last name' },
                 email: { label: 'Email', type: 'email', placeholder: 'hello@maybe.co' },
                 password: { label: 'Password', type: 'password' },
+                isAdmin: { label: 'Admin', type: 'checkbox' },
             },
             async authorize(credentials) {
-                const { firstName, lastName, email, password } = await validateCredentials(
-                    credentials
+                // Take credentials and convert the isAdmin string to a boolean
+                const { firstName, lastName, email, password, isAdmin } = await validateCredentials(
+                    {
+                        ...credentials,
+                        isAdmin: Boolean(credentials?.isAdmin),
+                    }
                 )
 
                 const existingUser = await getAuthUserByEmail(email)
@@ -114,7 +124,7 @@ export const authOptions = {
                     throw new Error('Invalid credentials provided.')
                 }
 
-                return createNewAuthUser({ firstName, lastName, email, password })
+                return createNewAuthUser({ firstName, lastName, email, password, isAdmin })
             },
         }),
     ],
@@ -126,6 +136,7 @@ export const authOptions = {
                 token.firstName = authUser.firstName
                 token.lastName = authUser.lastName
                 token.name = authUser.name
+                token.role = authUser.role
             }
             return token
         },
@@ -136,6 +147,7 @@ export const authOptions = {
             session.firstName = token.firstName
             session.lastName = token.lastName
             session.name = token.name
+            session.role = token.role
             return session
         },
     },
diff --git a/apps/client/pages/register.tsx b/apps/client/pages/register.tsx
index 2552a3dd..6a0a64f5 100644
--- a/apps/client/pages/register.tsx
+++ b/apps/client/pages/register.tsx
@@ -1,5 +1,5 @@
 import { useState, type ReactElement } from 'react'
-import { Input, InputPassword, Button } from '@maybe-finance/design-system'
+import { Input, InputPassword, Button, Checkbox } from '@maybe-finance/design-system'
 import { FullPageLayout } from '@maybe-finance/client/features'
 import { signIn, useSession } from 'next-auth/react'
 import { useRouter } from 'next/router'
@@ -15,6 +15,7 @@ export default function RegisterPage() {
     const [isValid, setIsValid] = useState(false)
     const [errorMessage, setErrorMessage] = useState<string | null>(null)
     const [isLoading, setIsLoading] = useState(false)
+    const [isAdmin, setIsAdmin] = useState(false)
 
     const { data: session } = useSession()
     const router = useRouter()
@@ -38,6 +39,7 @@ export default function RegisterPage() {
             password,
             firstName,
             lastName,
+            isAdmin,
             redirect: false,
         })
 
@@ -108,6 +110,8 @@ export default function RegisterPage() {
                                 </div>
                             ) : null}
 
+                            <AuthDevTools isAdmin={isAdmin} setIsAdmin={setIsAdmin} />
+
                             <Button
                                 type="submit"
                                 disabled={!isValid}
@@ -135,6 +139,28 @@ export default function RegisterPage() {
     )
 }
 
+type AuthDevToolsProps = {
+    isAdmin: boolean
+    setIsAdmin: (isAdmin: boolean) => void
+}
+
+function AuthDevTools({ isAdmin, setIsAdmin }: AuthDevToolsProps) {
+    return process.env.NODE_ENV === 'development' ? (
+        <div className="my-2 p-2 border border-red-300 rounded-md">
+            <h6 className="flex text-red">
+                Dev Tools <i className="ri-tools-fill ml-1.5" />
+            </h6>
+            <p className="text-sm my-2">
+                This section will NOT show in production and is solely for making testing easier.
+            </p>
+
+            <div>
+                <Checkbox checked={isAdmin} onChange={setIsAdmin} label="Create Admin user?" />
+            </div>
+        </div>
+    ) : null
+}
+
 RegisterPage.getLayout = function getLayout(page: ReactElement) {
     return <FullPageLayout>{page}</FullPageLayout>
 }
diff --git a/apps/server/src/app/lib/ability.ts b/apps/server/src/app/lib/ability.ts
index 9a3cfed8..16b74065 100644
--- a/apps/server/src/app/lib/ability.ts
+++ b/apps/server/src/app/lib/ability.ts
@@ -2,7 +2,6 @@ import type { Subjects } from '@casl/prisma'
 import { PrismaAbility, accessibleBy } from '@casl/prisma'
 import type { AbilityClass } from '@casl/ability'
 import { AbilityBuilder, ForbiddenError } from '@casl/ability'
-import type { SharedType } from '@maybe-finance/shared'
 import type {
     User,
     Account,
@@ -18,6 +17,7 @@ import type {
     ProviderInstitution,
     Plan,
 } from '@prisma/client'
+import { AuthUserRole } from '@prisma/client'
 
 type CRUDActions = 'create' | 'read' | 'update' | 'delete'
 type AppActions = CRUDActions | 'manage'
@@ -41,13 +41,11 @@ type AppSubjects = PrismaSubjects | 'all'
 
 type AppAbility = PrismaAbility<[AppActions, AppSubjects]>
 
-export default function defineAbilityFor(
-    user: (Pick<User, 'id'> & { roles: SharedType.UserRole[] }) | null
-) {
+export default function defineAbilityFor(user: (Pick<User, 'id'> & { role: AuthUserRole }) | null) {
     const { can, build } = new AbilityBuilder(PrismaAbility as AbilityClass<AppAbility>)
 
     if (user) {
-        if (user.roles.includes('Admin')) {
+        if (user.role === AuthUserRole.admin) {
             can('manage', 'Account')
             can('manage', 'AccountConnection')
             can('manage', 'Valuation')
diff --git a/apps/server/src/app/lib/endpoint.ts b/apps/server/src/app/lib/endpoint.ts
index 7fba5f3c..91d0948c 100644
--- a/apps/server/src/app/lib/endpoint.ts
+++ b/apps/server/src/app/lib/endpoint.ts
@@ -301,15 +301,11 @@ async function getCurrentUser(jwt: NonNullable<Request['user']>) {
 
     return {
         ...user,
+        role: jwt.role,
         // TODO: Replace Auth0 concepts with next-auth
-        roles: [],
         primaryIdentity: {},
         userMetadata: {},
         appMetadata: {},
-        // roles: jwt[SharedType.Auth0CustomNamespace.Roles] ?? [],
-        // primaryIdentity: jwt[SharedType.Auth0CustomNamespace.PrimaryIdentity] ?? {},
-        // userMetadata: jwt[SharedType.Auth0CustomNamespace.UserMetadata] ?? {},
-        // appMetadata: jwt[SharedType.Auth0CustomNamespace.AppMetadata] ?? {},
     }
 }
 
diff --git a/apps/server/src/app/routes/admin.router.ts b/apps/server/src/app/routes/admin.router.ts
index dd17b6d9..4303e867 100644
--- a/apps/server/src/app/routes/admin.router.ts
+++ b/apps/server/src/app/routes/admin.router.ts
@@ -1,12 +1,9 @@
 import { Router } from 'express'
-import { auth, claimCheck } from 'express-openid-connect'
 import { createBullBoard } from '@bull-board/api'
 import { BullAdapter } from '@bull-board/api/bullAdapter'
 import { ExpressAdapter } from '@bull-board/express'
-import { AuthUtil, BullQueue } from '@maybe-finance/server/shared'
-import { SharedType } from '@maybe-finance/shared'
+import { BullQueue } from '@maybe-finance/server/shared'
 import { queueService } from '../lib/endpoint'
-import env from '../../env'
 import { validateAuthJwt } from '../middleware'
 
 const router = Router()
diff --git a/apps/server/src/app/routes/institutions.router.ts b/apps/server/src/app/routes/institutions.router.ts
index 19e2a937..dd94b499 100644
--- a/apps/server/src/app/routes/institutions.router.ts
+++ b/apps/server/src/app/routes/institutions.router.ts
@@ -27,10 +27,10 @@ router.post(
         resolve: async ({ ctx }) => {
             ctx.ability.throwUnlessCan('update', 'Institution')
 
-            // Sync all Plaid institutions
+            // Sync all Teller institutions
             await ctx.queueService
                 .getQueue('sync-institution')
-                .addBulk([{ name: 'sync-plaid-institutions', data: {} }])
+                .addBulk([{ name: 'sync-teller-institutions', data: {} }])
 
             return { success: true }
         },
diff --git a/libs/client/features/src/accounts-list/AccountDevTools.tsx b/libs/client/features/src/accounts-list/AccountDevTools.tsx
index 6dbf05a6..c417196d 100644
--- a/libs/client/features/src/accounts-list/AccountDevTools.tsx
+++ b/libs/client/features/src/accounts-list/AccountDevTools.tsx
@@ -1,23 +1,16 @@
 import Link from 'next/link'
-import {
-    useAccountConnectionApi,
-    useInstitutionApi,
-    usePlaidApi,
-    BrowserUtil,
-} from '@maybe-finance/client/shared'
+import { useAccountConnectionApi, useInstitutionApi } from '@maybe-finance/client/shared'
 
 export function AccountDevTools() {
-    const { useSandboxQuickAdd } = usePlaidApi()
     const { useDeleteAllConnections } = useAccountConnectionApi()
     const { useSyncInstitutions, useDeduplicateInstitutions } = useInstitutionApi()
 
-    const sandboxQuickAdd = useSandboxQuickAdd()
     const deleteAllConnections = useDeleteAllConnections()
     const syncInstitutions = useSyncInstitutions()
     const deduplicateInstitutions = useDeduplicateInstitutions()
 
     return process.env.NODE_ENV === 'development' ? (
-        <div className="relative mb-12 mx-2 sm:mx-0 p-4 bg-gray-700 rounded-md">
+        <div className="relative mb-12 mx-2 sm:mx-0 p-4 bg-gray-700 rounded-md z-10">
             <h6 className="flex text-red">
                 Dev Tools <i className="ri-tools-fill ml-1.5" />
             </h6>
@@ -27,12 +20,6 @@ export function AccountDevTools() {
             </p>
             <div className="flex items-center text-sm mt-4">
                 <p className="font-bold">Actions:</p>
-                <button
-                    className="underline text-red ml-4"
-                    onClick={() => sandboxQuickAdd.mutate()}
-                >
-                    Quick add item
-                </button>
                 <button
                     className="underline text-red ml-4"
                     onClick={() => deleteAllConnections.mutate()}
@@ -42,12 +29,6 @@ export function AccountDevTools() {
                 <Link href="http://localhost:3333/admin/bullmq" className="underline text-red ml-4">
                     BullMQ Dashboard
                 </Link>
-                <button
-                    className="underline text-red ml-4"
-                    onClick={() => BrowserUtil.copyToClipboard((window as any).JWT)}
-                >
-                    Copy JWT
-                </button>
                 <button
                     className="underline text-red ml-4"
                     onClick={() => syncInstitutions.mutate()}
diff --git a/libs/client/features/src/accounts-manager/AccountTypeSelector.tsx b/libs/client/features/src/accounts-manager/AccountTypeSelector.tsx
index a66b5c18..b4bd3bb9 100644
--- a/libs/client/features/src/accounts-manager/AccountTypeSelector.tsx
+++ b/libs/client/features/src/accounts-manager/AccountTypeSelector.tsx
@@ -57,7 +57,7 @@ export default function AccountTypeSelector({
                     type="text"
                     placeholder="Search for an institution"
                     fixedLeftOverride={<RiSearchLine className="w-5 h-5" />}
-                    inputClassName="pl-10"
+                    inputClassName="pl-11"
                     value={searchQuery}
                     onChange={(e) => setSearchQuery(e.target.value)}
                     ref={inputRef}
diff --git a/libs/server/shared/src/services/queue/in-memory-queue.ts b/libs/server/shared/src/services/queue/in-memory-queue.ts
index 034b5d76..eb45a6d0 100644
--- a/libs/server/shared/src/services/queue/in-memory-queue.ts
+++ b/libs/server/shared/src/services/queue/in-memory-queue.ts
@@ -70,6 +70,7 @@ export class InMemoryQueueFactory implements IQueueFactory {
     constructor(
         private readonly ignoreJobNames: string[] = [
             'sync-all-securities',
+            'sync-teller-institutions',
             'sync-plaid-institutions',
             'trial-reminders',
             'send-email',
diff --git a/libs/server/shared/src/utils/auth-utils.ts b/libs/server/shared/src/utils/auth-utils.ts
deleted file mode 100644
index 42c509c5..00000000
--- a/libs/server/shared/src/utils/auth-utils.ts
+++ /dev/null
@@ -1,60 +0,0 @@
-import jwks from 'jwks-rsa'
-import jwt from 'jsonwebtoken'
-import { SharedType } from '@maybe-finance/shared'
-
-export const verifyRoleClaims = (claims, role: SharedType.UserRole) => {
-    const customRoleClaim = claims[SharedType.Auth0CustomNamespace.Roles]
-
-    return customRoleClaim && Array.isArray(customRoleClaim) && customRoleClaim.includes(role)
-}
-
-export async function validateRS256JWT(
-    token: string,
-    domain: string,
-    audience: string
-): Promise<{
-    authId: string
-    userMetadata: SharedType.MaybeUserMetadata
-    appMetadata: SharedType.MaybeAppMetadata
-}> {
-    const jwksClient = jwks({
-        rateLimit: true,
-        jwksUri: `https://${domain}/.well-known/jwks.json`,
-    })
-
-    return new Promise((resolve, reject) => {
-        if (!token) reject('No token provided')
-
-        const parts = token.split(' ')
-
-        if (!parts || parts.length !== 2) reject('JWT must be in format: Bearer <token>')
-        if (parts[0] !== 'Bearer') reject('JWT must be in format: Bearer <token>')
-
-        const rawToken = parts[1]
-
-        jwt.verify(
-            rawToken,
-            (header, cb) => {
-                jwksClient
-                    .getSigningKey(header.kid)
-                    .then((key) => cb(null, key.getPublicKey()))
-                    .catch((err) => cb(err))
-            },
-            {
-                audience,
-                issuer: `https://${domain}/`,
-                algorithms: ['RS256'],
-            },
-            (err, payload) => {
-                if (err) return reject(err)
-                if (typeof payload !== 'object') return reject('payload not an object')
-
-                resolve({
-                    authId: payload.sub!,
-                    appMetadata: payload[SharedType.Auth0CustomNamespace.AppMetadata] ?? {},
-                    userMetadata: payload[SharedType.Auth0CustomNamespace.UserMetadata] ?? {},
-                })
-            }
-        )
-    })
-}
diff --git a/libs/server/shared/src/utils/index.ts b/libs/server/shared/src/utils/index.ts
index 62ccba24..97b70d16 100644
--- a/libs/server/shared/src/utils/index.ts
+++ b/libs/server/shared/src/utils/index.ts
@@ -1,4 +1,3 @@
-export * as AuthUtil from './auth-utils'
 export * as DbUtil from './db-utils'
 export * as PlaidUtil from './plaid-utils'
 export * as TellerUtil from './teller-utils'
diff --git a/libs/shared/src/types/user-types.ts b/libs/shared/src/types/user-types.ts
index ddea52a8..983ffaa2 100644
--- a/libs/shared/src/types/user-types.ts
+++ b/libs/shared/src/types/user-types.ts
@@ -170,9 +170,6 @@ export type MaybeUserMetadata = Partial<{
 // Maybe's "normalized" Auth0 `user.app_metadata` object
 export type MaybeAppMetadata = {}
 
-// The custom roles we have defined in Auth0
-export type UserRole = 'Admin' | 'CIUser'
-
 export type PrimaryAuth0Identity = Partial<{
     connection: string
     provider: string
@@ -183,7 +180,6 @@ export type PrimaryAuth0Identity = Partial<{
 export type MaybeCustomClaims = {
     [Auth0CustomNamespace.Email]?: string | null
     [Auth0CustomNamespace.Picture]?: string | null
-    [Auth0CustomNamespace.Roles]?: UserRole[]
     [Auth0CustomNamespace.UserMetadata]?: MaybeUserMetadata
     [Auth0CustomNamespace.AppMetadata]?: MaybeAppMetadata
     [Auth0CustomNamespace.PrimaryIdentity]?: PrimaryAuth0Identity
diff --git a/prisma/migrations/20240121204146_add_auth_user_role/migration.sql b/prisma/migrations/20240121204146_add_auth_user_role/migration.sql
new file mode 100644
index 00000000..d0573c70
--- /dev/null
+++ b/prisma/migrations/20240121204146_add_auth_user_role/migration.sql
@@ -0,0 +1,5 @@
+-- CreateEnum
+CREATE TYPE "AuthUserRole" AS ENUM ('user', 'admin', 'ci');
+
+-- AlterTable
+ALTER TABLE "auth_user" ADD COLUMN     "role" "AuthUserRole" NOT NULL DEFAULT 'user';
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index cccdd299..f7bac315 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -564,6 +564,12 @@ model AuthAccount {
   @@map("auth_account")
 }
 
+enum AuthUserRole {
+  user
+  admin
+  ci
+}
+
 model AuthUser {
   id            String        @id @default(cuid())
   name          String?
@@ -573,6 +579,7 @@ model AuthUser {
   emailVerified DateTime?     @map("email_verified")
   password      String?
   image         String?
+  role          AuthUserRole  @default(user)
   accounts      AuthAccount[]
   sessions      AuthSession[]
 

From e5659ed93e249357576b11413d704d37dc8d365c Mon Sep 17 00:00:00 2001
From: Tyler Myracle <tyler.myracle@gmail.com>
Date: Sun, 21 Jan 2024 15:42:23 -0600
Subject: [PATCH 2/2] clean up

---
 apps/client/pages/api/auth/[...nextauth].ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/client/pages/api/auth/[...nextauth].ts b/apps/client/pages/api/auth/[...nextauth].ts
index 40348a75..485d75cb 100644
--- a/apps/client/pages/api/auth/[...nextauth].ts
+++ b/apps/client/pages/api/auth/[...nextauth].ts
@@ -102,7 +102,6 @@ export const authOptions = {
                 isAdmin: { label: 'Admin', type: 'checkbox' },
             },
             async authorize(credentials) {
-                // Take credentials and convert the isAdmin string to a boolean
                 const { firstName, lastName, email, password, isAdmin } = await validateCredentials(
                     {
                         ...credentials,