Work on security

[boiboi796]

##What I did
I installed JWT and upgraded the security of each endpoint of the expense tracker

[Copilot]

Pull request overview

This PR implements JWT-based authentication and authorization for the expense tracker application. It introduces a complete auth system with user management, password hashing, JWT token generation, and role-based access control to secure transaction and user endpoints.

Changes:

• Added authentication module with JWT strategy, guards, and login endpoint
• Created users module with user registration, CRUD operations, and password hashing
• Enhanced transaction endpoints with ownership validation and admin-only access controls
• Updated database schema to make user fields required (name, email, passwordHash)

Reviewed changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 26 comments.

Show a summary per file

File	Description
package.json	Added authentication dependencies (bcrypt, passport, jsonwebtoken, @nestjs/passport)
src/auth/auth.module.ts	Created authentication module with JWT strategy and passport integration
src/auth/auth.service.ts	Implemented login logic with password verification and JWT token generation
src/auth/auth.controller.ts	Added login and profile endpoints
src/auth/guards/jwt-auth/jwt-auth.guard.ts	Created JWT authentication guard for protecting endpoints
src/auth/strategies/jwt.strategy/jwt.strategy.ts	Implemented JWT validation strategy using passport-jwt
src/auth/dto/login.dto.ts	Created DTO for login requests with email and password validation
src/users/users.module.ts	Created users module with service, repository, and controller
src/users/users.service.ts	Implemented user creation with password hashing and admin check
src/users/users.controller.ts	Added user CRUD endpoints with admin-only access control
src/users/users.repository.ts	Created repository for user database operations
src/users/dto/users-dto.ts	Created DTO for user creation with validation
src/transactions/transactions.service.ts	Added ownership validation to prevent users from accessing others' transactions
src/transactions/transactions.controller.ts	Protected all endpoints with JWT auth and added admin checks for list endpoint
src/transactions/dto/create-transaction.dto.ts	Removed unused Length import
src/db/schema.ts	Made user fields required and improved formatting
src/config/env.ts	Added JWT_SECRET configuration
src/app.module.ts	Imported AuthModule

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The auth implementation uses the low-level jsonwebtoken library directly instead of leveraging NestJS's @nestjs/jwt module. This bypasses NestJS's built-in JWT integration and makes the code less maintainable. Replace the manual jwt.sign call with JwtService from @nestjs/jwt, and add JwtModule to the AuthModule imports with proper configuration.

[Copilot]

The passwordHash field in the DTO is poorly named and misleading. At this point in the request lifecycle, it contains the plain-text password from the user, not a hashed password. Rename this field to 'password' to accurately reflect its content. The hashing happens later in the service layer.

Suggested change

	passwordHash: string;
	password: string;

[Copilot]

The admin authorization logic is duplicated across multiple controller methods in both UsersController and TransactionsController. This code duplication makes the codebase harder to maintain and increases the risk of inconsistent authorization checks. Create a reusable RolesGuard or AdminGuard that can be applied via a decorator (e.g., @roles('ADMIN')) to eliminate this duplication.

[Copilot]

The findById method returns user records including the passwordHash field. Password hashes should never be exposed in API responses. Filter out the passwordHash field from these query results using .select() with explicit field selection, or map the results to exclude the sensitive field.

Suggested change

	return this.dbClient.select()
	.from(users)
	.where(eq(users.id, id));
	const result = await this.dbClient.select()
	.from(users)
	.where(eq(users.id, id));
	return result.map(({ passwordHash, ...userWithoutPassword }) => userWithoutPassword);

[Copilot]

Type casting req as 'any' bypasses TypeScript's type safety and is repeated throughout the controller. Define a proper type or interface that extends Express.Request with a user property, and use it consistently to eliminate these unsafe type casts.

[Copilot]

The authentication and authorization logic in the controller lacks comprehensive test coverage. The test file only contains a basic 'should be defined' test. Add unit tests for the JWT guard integration, admin authorization checks, and user ownership validation across all endpoints.

[Copilot]

The authentication logic including login, password verification, and JWT token generation lacks comprehensive test coverage. The test file only contains a basic 'should be defined' test. Add unit tests for the login method covering successful authentication, invalid email, invalid password, and JWT token generation scenarios.

[Copilot]

The user creation endpoint does not check if a user with the provided email already exists before attempting to create a new user. This will result in a database constraint violation error when duplicate emails are provided, which may expose internal database details. Add a check in the service to verify email uniqueness and return a clear error message (e.g., 'User with this email already exists') before attempting the database insert.

[Copilot]

Type casting req as 'any' bypasses TypeScript's type safety. Define a proper type or interface that extends Express.Request with a user property, and use it consistently throughout the controller to eliminate these unsafe type casts.

[Copilot]

Unused import Query.

Suggested change

	import { Controller, Get, Param, Body, Post, ParseIntPipe, Query, ForbiddenException, UseGuards, Request } from '@nestjs/common';
	import { Controller, Get, Param, Body, Post, ParseIntPipe, ForbiddenException, UseGuards, Request } from '@nestjs/common';

[a-k-o-r-e-d-e]

@boiboi796 Just study rate limiting but you don't have to implement it rn

[a-k-o-r-e-d-e]

Use one hour for now, we can implement refresh tokens in a different PR

[a-k-o-r-e-d-e]

See the comment about creating an interface

[a-k-o-r-e-d-e]

Create a RolesGuard

[a-k-o-r-e-d-e]

Could bypass this check by just fetching from the db by transactionId and userId.

create a repo func for that. If it returns a transaction, then the transaction muct belong to the user

[a-k-o-r-e-d-e]

RolesGuard

[a-k-o-r-e-d-e]

Create a response dto or User dto

[a-k-o-r-e-d-e]

Check if the user exists first, do not depend on the db returning an error as the error might not be user friendly

[a-k-o-r-e-d-e]

findOneById should not return an array, but rather the first item in an array or null.

refactor the repo function to do this.

You can use a util function such as

export const returnFirst = (rows: T[]): T | null => rows[0] ?? null;

wrap this around the response of the repo such as

static async findOneById(whereClause: SQL | undefined, tx: Transaction): Promise<IDojo | null> {
const dojo = returnFirst(await tx.select().from(dojos).where(eq(dojos.id, id)).limit(1).execute());

return dojo || null;

}

[a-k-o-r-e-d-e]

findOneById should not return an array, but rather the first item in an array or null.

refactor the repo function to do this.

You can use a util function such as

export const returnFirst = (rows: T[]): T | null => rows[0] ?? null;

wrap this around the response of the repo such as

static async findOneById(whereClause: SQL | undefined, tx: Transaction): Promise<IDojo | null> {
const dojo = returnFirst(await tx.select().from(dojos).where(eq(dojos.id, id)).limit(1).execute());

return dojo || null;

}