From 8d4d063322e9ef7c8d610daa1637525f7e312d53 Mon Sep 17 00:00:00 2001
From: Matt Waldron
Date: Thu, 21 Mar 2024 10:31:34 +0000
Subject: [PATCH] force system user by env var
---
 src/services/user.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/services/user.ts b/src/services/user.ts
index e7c08c79..c5e1446c 100644
--- a/src/services/user.ts
+++ b/src/services/user.ts
@@ -12,7 +12,25 @@ export const getUserDetails = (jwt: string): UserDetails => {
 msOid: decodedToken.oid,
 email: decodedToken.email ?? decodedToken.preferred_username ?? decodedToken.upn,
 };
+ if (!userDetails?.username || !userDetails.msOid) {
+ // Data remediation requirements...
+ // If we have an authenticated token, but it is not running in the context of a user
+ // then it will be a client_credentials grant_type e.g. the data remediation app.
+ // In this scenario, this is a valid path, but the request is not running in the context of a user,
+ // so we don't have a username or email available in the token.
+ // To accommodate this, we can set an environment variable that allows for the username and email
+ // to be set to SYSTEM_USER.
+
+ // TODO: Can we replace this with custom claims in the Entra app registration. This way we can define
+ // 'client' (data remediation app) contact details for use here.
+ // TODO: The token dependency here should be refactored into the authorizer context object.
+ if (process.env.ENABLE_SYSTEM_USER_IMPERSONATION ?? false) {
+ userDetails.username = 'SYSTEM_USER';
+ userDetails.email = 'SYSTEM_USER';
+ return userDetails;
+ }
+ throw new Error(ERRORS.MISSING_USER_DETAILS);
 }
 return userDetails;