opencrvs · Nil20 · Nov 7, 2024 · Nov 5, 2024
diff --git a/packages/user-mgnt/src/config/routes.ts b/packages/user-mgnt/src/config/routes.ts
@@ -96,18 +96,7 @@ import changeEmailHandler, {
 } from '@user-mgnt/features/changeEmail/handler'
 import { getAllSystemsHandler } from '@user-mgnt/features/getAllSystems/handler'
 import * as mongoose from 'mongoose'
-
-const enum RouteScope {
-  DECLARE = 'declare',
-  REGISTER = 'register',
-  CERTIFY = 'certify',
-  PERFORMANCE = 'performance',
-  SYSADMIN = 'sysadmin',
-  NATLSYSADMIN = 'natlsysadmin',
-  VALIDATE = 'validate',
-  RECORDSEARCH = 'recordsearch',
-  VERIFY = 'verify'
-}
+import { SCOPES } from '@opencrvs/commons/authentication'
 
 export const getRoutes = () => {
   return [
@@ -215,12 +204,14 @@ export const getRoutes = () => {
         description: 'Changes password for logged-in user',
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -240,12 +231,14 @@ export const getRoutes = () => {
         description: 'Changes password for logged-in user',
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -265,12 +258,14 @@ export const getRoutes = () => {
         description: 'Changes email for logged-in user',
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -290,12 +285,14 @@ export const getRoutes = () => {
         description: 'Changes avatar for logged-in user',
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -315,12 +312,14 @@ export const getRoutes = () => {
         description: 'Retrieves a user mobile number',
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -338,12 +337,14 @@ export const getRoutes = () => {
       options: {
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -361,16 +362,16 @@ export const getRoutes = () => {
         description: 'Retrieves a user',
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE,
-            RouteScope.VERIFY,
-            RouteScope.RECORDSEARCH,
-            // @TODO: Refer to an enum / constant
-            'record.confirm-registration'
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL,
+            SCOPES.RECORD_REGISTRATION_VERIFY_CERTIFIED_COPIES,
+            SCOPES.RECORDSEARCH
           ]
         },
         validate: {
@@ -386,7 +387,7 @@ export const getRoutes = () => {
         tags: ['api'],
         description: 'Creates a new user',
         auth: {
-          scope: [RouteScope.SYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         }
       }
     },
@@ -398,7 +399,7 @@ export const getRoutes = () => {
         tags: ['api'],
         description: 'Updates an existing user',
         auth: {
-          scope: [RouteScope.SYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         }
       }
     },
@@ -411,12 +412,14 @@ export const getRoutes = () => {
         description: 'Activate an existing pending user',
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -449,7 +452,7 @@ export const getRoutes = () => {
       handler: userAuditHandler,
       options: {
         auth: {
-          scope: [RouteScope.SYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: userAuditSchema
@@ -464,12 +467,14 @@ export const getRoutes = () => {
       options: {
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -485,12 +490,14 @@ export const getRoutes = () => {
       options: {
         auth: {
           scope: [
-            RouteScope.DECLARE,
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.RECORD_DECLARE_BIRTH,
+            SCOPES.RECORD_DECLARE_DEATH,
+            SCOPES.RECORD_DECLARE_MARRIAGE,
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -505,7 +512,7 @@ export const getRoutes = () => {
       handler: resendInviteHandler,
       options: {
         auth: {
-          scope: [RouteScope.SYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: resendInviteRequestSchema
@@ -520,7 +527,7 @@ export const getRoutes = () => {
       handler: usernameReminderHandler,
       options: {
         auth: {
-          scope: [RouteScope.SYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: usernameReminderRequestSchema
@@ -535,7 +542,7 @@ export const getRoutes = () => {
       handler: resetPasswordInviteHandler,
       options: {
         auth: {
-          scope: [RouteScope.SYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: resetPasswordRequestSchema
@@ -552,7 +559,7 @@ export const getRoutes = () => {
         tags: ['api'],
         description: 'Creates a new system client',
         auth: {
-          scope: [RouteScope.NATLSYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: reqRegisterSystemSchema
@@ -570,7 +577,7 @@ export const getRoutes = () => {
         tags: ['api'],
         description: 'Update system permissions',
         auth: {
-          scope: [RouteScope.SYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: reqUpdateSystemSchema
@@ -585,7 +592,7 @@ export const getRoutes = () => {
         tags: ['api'],
         description: 'Deactivates a new system client',
         auth: {
-          scope: [RouteScope.NATLSYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: clientIdSchema
@@ -603,7 +610,7 @@ export const getRoutes = () => {
         tags: ['api'],
         description: 'Reactivates a new system client',
         auth: {
-          scope: [RouteScope.NATLSYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: clientIdSchema
@@ -666,11 +673,11 @@ export const getRoutes = () => {
         description: 'Gets count of users group by office ids',
         auth: {
           scope: [
-            RouteScope.REGISTER,
-            RouteScope.CERTIFY,
-            RouteScope.PERFORMANCE,
-            RouteScope.SYSADMIN,
-            RouteScope.VALIDATE
+            SCOPES.REGISTER,
+            SCOPES.CERTIFY,
+            SCOPES.PERFORMANCE_READ,
+            SCOPES.CONFIG_UPDATE_ALL,
+            SCOPES.RECORD_SUBMIT_FOR_APPROVAL
           ]
         },
         validate: {
@@ -689,7 +696,7 @@ export const getRoutes = () => {
         description: 'Refresh client secret ',
         notes: 'Refresh client secret',
         auth: {
-          scope: [RouteScope.NATLSYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: systemSecretRequestSchema
@@ -708,7 +715,7 @@ export const getRoutes = () => {
         description: 'Delete system ',
         notes: 'This is responsible for system deletion',
         auth: {
-          scope: [RouteScope.NATLSYSADMIN]
+          scope: [SCOPES.CONFIG_UPDATE_ALL]
         },
         validate: {
           payload: clientIdSchema

diff --git a/packages/user-mgnt/src/features/updateUser/handler.ts b/packages/user-mgnt/src/features/updateUser/handler.ts
@@ -11,6 +11,7 @@
 import * as Hapi from '@hapi/hapi'
 import { logger } from '@opencrvs/commons'
 import { Practitioner } from '@opencrvs/commons/types'
+import { SCOPES } from '@opencrvs/commons/authentication'
 import { postUserActionToMetrics } from '@user-mgnt/features/changePhone/handler'
 import {
   createFhirPractitioner,
@@ -70,7 +71,7 @@ export default async function updateUser(
   existingUser.role = user.role
 
   if (existingUser.primaryOfficeId !== user.primaryOfficeId) {
-    if (request.auth.credentials?.scope?.includes('natlsysadmin')) {
+    if (request.auth.credentials?.scope?.includes(SCOPES.CONFIG_UPDATE_ALL)) {
       existingUser.primaryOfficeId = user.primaryOfficeId
     } else {
       throw new Error('Location can be changed only by National System Admin')