fix(api): improve user model usage (#3076)

## Context

Extracted from #3072

- Clarify our use of user's session
`req.user` is painful because session can be out of date, and it's hard
to add/remove fields from session. It's easier to always use
`res.locals[user] that's always fresh.

- Pass UUID, will be used later
- Fix regex for integration tests

packages/server/lib/controllers/v1/meta/getMeta.ts

@@ -10,11 +10,7 @@ export const getMeta = asyncWrapper<GetMeta>(async (req, res) => {
         return;
     }
 
-    const sessionUser = req.user;
-    if (!sessionUser) {
-        res.status(400).send({ error: { code: 'user_not_found' } });
-        return;
-    }
+    const sessionUser = res.locals['user'];
 
     const environments = await environmentService.getEnvironmentsByAccountId(sessionUser.account_id);
     const onboarding = await getOnboarding(sessionUser.id);

packages/server/lib/controllers/v1/team/getTeam.integration.test.ts

@@ -57,7 +57,8 @@ describe(`GET ${route}`, () => {
                         accountId: account.id,
                         email: user.email,
                         id: user.id,
-                        name: user.name
+                        name: user.name,
+                        uuid: user.uuid
                     }
                 ]
             }

packages/server/lib/controllers/v1/user/getUser.ts

@@ -11,6 +11,6 @@ export const getUser = asyncWrapper<GetUser, never>((req, res) => {
     }
 
     res.status(200).send({
-        data: userToAPI(req.user!)
+        data: userToAPI(res.locals['user'])
     });
 });

packages/server/lib/controllers/v1/user/patchUser.ts

@@ -1,6 +1,6 @@
 import { asyncWrapper } from '../../../utils/asyncWrapper.js';
 import { requireEmptyQuery, zodErrorToHTTP } from '@nangohq/utils';
-import type { PatchUser } from '@nangohq/types';
+import type { DBUser, PatchUser } from '@nangohq/types';
 import { userService } from '@nangohq/shared';
 import { z } from 'zod';
 import { userToAPI } from '../../../formatters/user.js';
@@ -26,7 +26,7 @@ export const patchUser = asyncWrapper<PatchUser, never>(async (req, res) => {
         return;
     }
 
-    const user = req.user!;
+    const user = res.locals['user'] as DBUser; // type is slightly wrong because we are not in an endpoint with an ?env=
     const body: PatchUser['Body'] = val.data;
 
     const updated = await userService.update({ id: user.id, ...body });

packages/server/lib/express.d.ts

@@ -1,5 +1,9 @@
 declare global {
     namespace Express {
+        /**
+         * You should avoid using this type (req.user)
+         * It's serialized in session, which means we can't easily add / remove fields
+         */
         interface User {
             id: number;
             email: string;

packages/server/lib/formatters/user.ts

@@ -1,10 +1,11 @@
 import type { ApiUser, DBUser } from '@nangohq/types';
 
-export function userToAPI(user: Pick<DBUser, 'id' | 'account_id' | 'email' | 'name'>): ApiUser {
+export function userToAPI(user: Pick<DBUser, 'id' | 'account_id' | 'email' | 'name' | 'uuid'>): ApiUser {
     return {
         id: user.id,
         accountId: user.account_id,
         email: user.email,
-        name: user.name
+        name: user.name,
+        uuid: user.uuid
     };
 }

packages/server/lib/middleware/access.middleware.ts

@@ -405,7 +405,7 @@ async function fillLocalsFromSession(req: Request, res: Response<any, RequestLoc
             return;
         }
 
-        res.locals['user'] = req.user!;
+        res.locals['user'] = user;
 
         if (ignoreEnvPaths.includes(req.route.path)) {
             next();

packages/server/lib/utils/express.ts

@@ -23,7 +23,7 @@ import type { DBEnvironment, DBTeam, ConnectSession, DBUser, EndUser } from '@na
 
 export interface RequestLocals {
     authType?: 'secretKey' | 'publicKey' | 'basic' | 'adminKey' | 'none' | 'session' | 'connectSession';
-    user?: Pick<DBUser, 'id' | 'email' | 'name'>;
+    user?: DBUser;
     account?: DBTeam;
     environment?: DBEnvironment;
     connectSession?: ConnectSession;

packages/server/lib/utils/utils.ts

@@ -10,6 +10,7 @@ import { OrchestratorClient } from '@nangohq/nango-orchestrator';
 
 const logger = getLogger('Server.Utils');
 
+/** @deprecated TODO delete this */
 export async function getUserFromSession(req: Request<any>): Promise<Result<DBUser, NangoError>> {
     const sessionUser = req.user;
     if (!sessionUser) {

packages/types/lib/user/api.ts

@@ -22,4 +22,5 @@ export interface ApiUser {
     accountId: number;
     email: string;
     name: string;
+    uuid: string;
 }

tests/setupFiles.ts

@@ -1,7 +1,7 @@
 import { expect } from 'vitest';
 
-const dateRegex = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{1,6}Z$/;
-const dateRegexWithTZ = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{1,6}\+\d{2}:\d{2}$/;
+const dateRegex = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(.\d{1,6})?Z$/;
+const dateRegexWithTZ = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(.\d{1,6})?\+\d{2}:\d{2}$/;
 const uuidRegex = /^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i;
 const sha256Regex = /^[a-f0-9]{64}$/;