
fix: update user activation route with proper scopes (#8117)
* fix: update user activation route with proper scopes

* fix: update user activation route with proper scopes

* fix: add test for activating a user when the caller is not the token owner
Nil20 authored Dec 2, 2024
1 parent c0a9976 commit 5ace925
Showing 3 changed files with 59 additions and 5 deletions.
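--- a/packages/gateway/src/features/user/root-resolvers.test.ts
+++ b/packages/gateway/src/features/user/root-resolvers.test.ts
@@ -658,6 +658,19 @@ describe('User root resolvers', () => {
 })
 })
 describe('activateUser mutation', () => {
+const regsiterToken = jwt.sign(
+{ scope: ['SCOPES.REGISTER'] },
+readFileSync('./test/cert.key'),
+{
+subject: 'ba7022f0ff4822',
+algorithm: 'RS256',
+issuer: 'opencrvs:auth-service',
+audience: 'opencrvs:gateway-user'
+}
+)
+const newUserHeaders = {
+Authorization: `Bearer ${regsiterToken}`
+}
 it('activates the pending user', async () => {
 fetch.mockResponses(
 [
@@ -677,7 +690,7 @@ describe('User root resolvers', () => {
 securityQNAs: [{ questionKey: 'HOME_TOWN', answer: 'test' }]
 },
 {
-headers: undefined
+headers: newUserHeaders
 }
 )
 
@@ -699,13 +712,51 @@ describe('User root resolvers', () => {
 securityQNAs: [{ questionKey: 'HOME_TOWN', answer: 'test' }]
 },
 {
-headers: undefined
+headers: newUserHeaders
 }
 )
 ).rejects.toThrowError(
 "Something went wrong on user-mgnt service. Couldn't activate given user"
 )
 })
+it('fails to activate user if user is not token owner', async () => {
+const regsiterToken = jwt.sign(
+{ scope: ['SCOPES.REGISTER'] },
+readFileSync('./test/cert.key'),
+{
+subject: 'abcdefgh',
+algorithm: 'RS256',
+issuer: 'opencrvs:auth-service',
+audience: 'opencrvs:gateway-user'
+}
+)
+const newUserHeaders = {
+Authorization: `Bearer ${regsiterToken}`
+}
+fetch.mockResponses(
+[
+JSON.stringify({
+userId: 'abcdefgh'
+}),
+{ status: 201 }
+],
+[JSON.stringify({})]
+)
+
+return expect(
+resolvers.Mutation!.activateUser(
+{},
+{
+userId: 'ba7022f0ff4822',
+password: 'test',
+securityQNAs: [{ questionKey: 'HOME_TOWN', answer: 'test' }]
+},
+{
+headers: newUserHeaders
+}
+)
+).rejects.toThrowError('User can not be activated')
+})
 })
 
 describe('changePassword mutation', () => {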
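Review bot: The new test `fails to activate user if user is not token owner` sets up `fetch.mockResponses(...)` that can never be consumed, because the resolver's owner/scope guard throws before any fetch happens, so the mock setup is dead code and the test does not prove that user-mgnt was not contacted; dropping the mock and asserting `expect(fetch).not.toHaveBeenCalled()` after the rejection would make the negative path explicit. The guard's second branch, a non-owner whose token carries `SCOPES.USER_UPDATE`, has no test at all, so a regression that drops the `hasScope` check would go unnoticed. The scope literal `'SCOPES.REGISTER'` looks like a quoted constant path rather than a scope value; if `hasScope` compares against the values of the `SCOPES` object, this token carries no real scope and the test only exercises the token-owner branch by accident, so verify and use the constant. The identifier `regsiterToken` is misspelled in both places; `registerToken` would read correctly.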
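--- a/packages/gateway/src/features/user/root-resolvers.ts
+++ b/packages/gateway/src/features/user/root-resolvers.ts
@@ -347,6 +347,12 @@ export const resolvers: GQLResolver = {
 { userId, password, securityQNAs },
 { headers: authHeader }
 ) {
+if (
+!isTokenOwner(authHeader, userId) &&
+!hasScope(authHeader, SCOPES.USER_UPDATE)
+)
+throw new Error('User can not be activated')
+
 const res = await fetch(`${USER_MANAGEMENT_URL}activateUser`, {
 method: 'POST',
 body: JSON.stringify({ userId, password, securityQNAs }),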
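Review bot: This guard becomes the only authorization check on user activation, because the third file in this commit (`packages/user-mgnt/src/config/routes.ts`) removes the `auth.scope` block from user-mgnt's `activateUser` route, so any client that can reach user-mgnt directly can activate any pending user; that is acceptable only if user-mgnt is reachable solely through the gateway, and the code should say so. I would add above the `if`: `// Sole authorization point: user-mgnt's activateUser route no longer requires a scope, so only the token owner or a holder of USER_UPDATE may activate this user.` The multi-line `if (...)` followed by a brace-less `throw` is easy to misread when another statement is added; wrapping the throw in `{ }` keeps the guard unambiguous. The enclosing `activateUser` resolver continues outside the hunk.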
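--- a/packages/user-mgnt/src/config/routes.ts
+++ b/packages/user-mgnt/src/config/routes.ts
@@ -335,9 +335,6 @@ export const getRoutes = () => {
 options: {
 tags: ['api'],
 description: 'Activate an existing pending user',
-auth: {
-scope: [SCOPES.USER_UPDATE]
-},
 validate: {
 payload: activateUserRequestSchema
 }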
