feat!: country configurable user scopes & roles

packages/auth/package.json

@@ -7,7 +7,7 @@
   "scripts": {
     "start": "cross-env NODE_ENV=development NODE_OPTIONS=--dns-result-order=ipv4first nodemon --exec ts-node -r tsconfig-paths/register src/index.ts",
     "start:prod": "TS_NODE_BASEURL=./build/dist/src node -r tsconfig-paths/register build/dist/src/index.js",
-    "test": "jest --coverage --silent --noStackTrace && yarn test:compilation",
+    "test": "yarn test:compilation && jest --coverage --silent --noStackTrace",
     "test:watch": "jest --watch",
     "open:cov": "yarn test && opener coverage/index.html",
     "lint": "eslint -c .eslintrc.js --fix ./src",
@@ -84,7 +84,8 @@
       "<rootDir>"
     ],
     "moduleNameMapper": {
-      "@auth/(.*)": "<rootDir>/src/$1"
+      "@auth/(.*)": "<rootDir>/src/$1",
+      "@opencrvs/commons/(.*)": "@opencrvs/commons/build/dist/$1"
     },
     "testRegex": "(/__tests__/.*|(\\.|/)(test|spec))\\.tsx?$",
     "setupFiles": [

packages/auth/src/features/authenticate/handler.test.ts

@@ -11,6 +11,7 @@
 import * as fetchAny from 'jest-fetch-mock'
 import { createServerWithEnvironment } from '@auth/tests/util'
 import { createServer } from '@auth/server'
+import { DEFAULT_ROLES_DEFINITION } from '@opencrvs/commons/authentication'
 
 const fetch = fetchAny as fetchAny.FetchMock
 describe('authenticate handler receives a request', () => {
@@ -54,7 +55,7 @@ describe('authenticate handler receives a request', () => {
     it('returns 403', async () => {
       fetch.mockResponse(
         JSON.stringify({
-          userId: '1',
+          id: '1',
           status: 'deactivated',
           scope: ['admin']
         })
@@ -78,14 +79,18 @@ describe('authenticate handler receives a request', () => {
 
       jest.spyOn(reloadedCodeService, 'generateNonce').mockReturnValue('12345')
 
-      fetch.mockResponse(
+      fetch.mockResponseOnce(
         JSON.stringify({
-          userId: '1',
+          id: '1',
           status: 'active',
-          scope: ['admin'],
+          role: 'NATIONAL_SYSTEM_ADMIN',
           mobile: `+345345343`
         })
       )
+
+      fetch.mockResponse(JSON.stringify(DEFAULT_ROLES_DEFINITION), {
+        status: 200
+      })
       const spy = jest.spyOn(reloadedCodeService, 'sendVerificationCode')
 
       await server.server.inject({
@@ -109,14 +114,20 @@ describe('authenticate handler receives a request', () => {
 
       jest.spyOn(reloadedCodeService, 'generateNonce').mockReturnValue('12345')
 
-      fetch.mockResponse(
+      fetch.mockResponseOnce(
         JSON.stringify({
-          userId: '1',
+          id: '1',
           status: 'pending',
-          scope: ['admin'],
+          role: 'NATIONAL_SYSTEM_ADMIN',
+          systemRole: 'NATIONAL_SYSTEM_ADMIN',
           mobile: `+345345343`
         })
       )
+
+      fetch.mockResponse(JSON.stringify(DEFAULT_ROLES_DEFINITION), {
+        status: 200
+      })
+
       const spy = jest.spyOn(reloadedCodeService, 'sendVerificationCode')
 
       await server.server.inject({

packages/auth/src/features/authenticate/handler.ts

@@ -8,21 +8,23 @@
  *
  * Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
  */
-import * as Hapi from '@hapi/hapi'
-import * as Joi from 'joi'
+import { JWT_ISSUER, WEB_USER_JWT_AUDIENCES } from '@auth/constants'
 import {
+  IAuthentication,
   authenticate,
-  storeUserInformation,
   createToken,
   generateAndSendVerificationCode,
-  IAuthentication
+  storeUserInformation
 } from '@auth/features/authenticate/service'
 import {
   NotificationEvent,
   generateNonce
 } from '@auth/features/verifyCode/service'
-import { unauthorized, forbidden } from '@hapi/boom'
-import { WEB_USER_JWT_AUDIENCES, JWT_ISSUER } from '@auth/constants'
+import { forbidden, unauthorized } from '@hapi/boom'
+import * as Hapi from '@hapi/hapi'
+import { CoreUserRole } from '@opencrvs/commons/authentication'
+import * as Joi from 'joi'
+import { getUserRoleScopeMapping } from '@auth/features/scopes/service'
 
 interface IAuthPayload {
   username: string
@@ -34,6 +36,7 @@ interface IAuthResponse {
   mobile?: string
   email?: string
   status: string
+  systemRole: CoreUserRole
   token?: string
 }
 
@@ -43,6 +46,7 @@ export default async function authenticateHandler(
 ): Promise<IAuthResponse> {
   const payload = request.payload as IAuthPayload
   let result: IAuthentication
+
   const { username, password } = payload
   try {
     result = await authenticate(username.trim(), password)
@@ -58,15 +62,28 @@ export default async function authenticateHandler(
     mobile: result.mobile,
     email: result.email,
     status: result.status,
+    systemRole: result.systemRole,
     nonce
   }
 
   const isPendingUser = response.status && response.status === 'pending'
 
+  const roleScopeMappings = await getUserRoleScopeMapping()
+
+  let scopes = []
+
+  const role = result.role as keyof typeof roleScopeMappings
+
+  if (roleScopeMappings[role]) {
+    scopes = roleScopeMappings[role]
+  } else {
+    scopes = roleScopeMappings[response.systemRole]
+  }
+
   if (isPendingUser) {
     response.token = await createToken(
       result.userId,
-      result.scope,
+      scopes,
       WEB_USER_JWT_AUDIENCES,
       JWT_ISSUER
     )
@@ -75,7 +92,7 @@ export default async function authenticateHandler(
       nonce,
       result.name,
       result.userId,
-      result.scope,
+      scopes,
       result.mobile,
       result.email
     )
@@ -84,13 +101,14 @@ export default async function authenticateHandler(
 
     await generateAndSendVerificationCode(
       nonce,
-      result.scope,
+      scopes,
       notificationEvent,
       result.name,
       result.mobile,
       result.email
     )
   }
+
   return response
 }
 
@@ -104,5 +122,7 @@ export const responseSchema = Joi.object({
   mobile: Joi.string().optional(),
   email: Joi.string().optional(),
   status: Joi.string(),
+  role: Joi.string(),
+  systemRole: Joi.string(),
   token: Joi.string().optional()
 })

packages/auth/src/features/authenticate/service.ts

@@ -32,9 +32,12 @@ import {
   storeVerificationCode
 } from '@auth/features/verifyCode/service'
 import { logger } from '@opencrvs/commons'
+import { CoreUserRole } from '@opencrvs/commons/authentication'
 import { unauthorized } from '@hapi/boom'
-import { chainW, tryCatch } from 'fp-ts/Either'
-import { pipe } from 'fp-ts/function'
+
+import * as F from 'fp-ts'
+const { chainW, tryCatch } = F.either
+const { pipe } = F.function
 
 const cert = readFileSync(CERT_PRIVATE_KEY_PATH)
 const publicCert = readFileSync(CERT_PUBLIC_KEY_PATH)
@@ -55,8 +58,9 @@ export interface IAuthentication {
   mobile?: string
   userId: string
   status: string
-  scope: string[]
   email?: string
+  systemRole: CoreUserRole
+  role: string
 }
 
 export interface ISystemAuthentication {
@@ -86,11 +90,14 @@ export async function authenticate(
   if (res.status !== 200) {
     throw Error(res.statusText)
   }
+
   const body = await res.json()
+
   return {
     name: body.name,
     userId: body.id,
-    scope: body.scope,
+    role: body.role,
+    systemRole: body.systemRole,
     status: body.status,
     mobile: body.mobile,
     email: body.email
@@ -128,9 +135,6 @@ export async function createToken(
   issuer: string,
   temporary?: boolean
 ): Promise<string> {
-  if (typeof userId === undefined) {
-    throw new Error('Invalid userId found for token creation')
-  }
   return sign({ scope }, cert, {
     subject: userId,
     algorithm: 'RS256',
@@ -174,12 +178,7 @@ export async function generateAndSendVerificationCode(
   email?: string
 ) {
   const isDemoUser = scope.indexOf('demo') > -1 || QA_ENV
-  logger.info(
-    `isDemoUser,
-      ${JSON.stringify({
-        isDemoUser: isDemoUser
-      })}`
-  )
+  logger.info(`Is demo user: ${isDemoUser}. Scopes: ${scope.join(', ')}`)
   let verificationCode
   if (isDemoUser) {
     verificationCode = '000000'

packages/auth/src/features/authenticateSuperUser/handler.ts

@@ -17,6 +17,8 @@ import {
 } from '@auth/features/authenticate/service'
 import { unauthorized } from '@hapi/boom'
 import { WEB_USER_JWT_AUDIENCES, JWT_ISSUER } from '@auth/constants'
+import { DEFAULT_CORE_ROLE_SCOPES } from '@opencrvs/commons/authentication'
+import { logger } from '@opencrvs/commons'
 
 interface IAuthPayload {
   username: string
@@ -36,9 +38,16 @@ export default async function authenticateSuperUserHandler(
     throw unauthorized()
   }
 
+  if (result.status === 'deactivated') {
+    logger.info('Login attempt with a deactivated super user account detected')
+    throw unauthorized()
+  }
+
+  const scope = DEFAULT_CORE_ROLE_SCOPES.SUPER_ADMIN
+
   const token = await createToken(
     result.userId,
-    result.scope,
+    scope,
     WEB_USER_JWT_AUDIENCES,
     JWT_ISSUER
   )

packages/auth/src/features/refresh/handler.test.ts

@@ -9,25 +9,36 @@
  * Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
  */
 import { createServerWithEnvironment } from '@auth/tests/util'
+import { DEFAULT_ROLES_DEFINITION } from '@opencrvs/commons/authentication'
+import * as fetchAny from 'jest-fetch-mock'
+const fetch = fetchAny as fetchAny.FetchMock
 
 describe('authenticate handler receives a request', () => {
   let server: any
 
   beforeEach(async () => {
-    server = await createServerWithEnvironment({ NODE_ENV: 'production' })
+    server = await createServerWithEnvironment({
+      NODE_ENV: 'production'
+    })
   })
 
   describe('refresh expiring token', () => {
-    it('verifies a token and generates a new token', async () => {
+    it.only('verifies a token and generates a new token', async () => {
+      fetch.mockResponseOnce(JSON.stringify(DEFAULT_ROLES_DEFINITION), {
+        status: 200
+      })
       // eslint-disable-next-line @typescript-eslint/no-var-requires
       const codeService = require('../verifyCode/service')
 
       // eslint-disable-next-line @typescript-eslint/no-var-requires
       const authService = require('../authenticate/service')
       const codeSpy = jest.spyOn(codeService, 'sendVerificationCode')
+      fetch.mockResponseOnce(JSON.stringify(DEFAULT_ROLES_DEFINITION), {
+        status: 200
+      })
       jest.spyOn(authService, 'authenticate').mockReturnValue({
         userId: '1',
-        scope: ['admin'],
+        role: 'NATIONAL_SYSTEM_ADMIN',
         mobile: '+345345343'
       })
 
@@ -63,7 +74,7 @@ describe('authenticate handler receives a request', () => {
 
       const [, payload] = refreshResponse.result.token.split('.')
       const body = JSON.parse(Buffer.from(payload, 'base64').toString())
-      expect(body.scope).toEqual(['admin'])
+      expect(body.scope).toEqual(['sysadmin', 'natlsysadmin'])
       expect(body.sub).toBe('1')
     })
     it('refreshError returns a 401 to the client if the token is bad', async () => {
@@ -73,7 +84,7 @@ describe('authenticate handler receives a request', () => {
       const authService = require('../authenticate/service')
       const codeSpy = jest.spyOn(codeService, 'sendVerificationCode')
       jest.spyOn(authService, 'authenticate').mockReturnValue({
-        userId: '1',
+        id: '1',
         scope: ['admin'],
         username: '+345345343'
       })

packages/auth/src/features/resend/handler.test.ts

@@ -50,7 +50,7 @@ describe('resend handler receives a request', () => {
       // eslint-disable-next-line
       const authService = require('../authenticate/service')
       jest.spyOn(authService, 'getStoredUserInformation').mockReturnValue({
-        userId: '1',
+        id: '1',
         scope: ['admin'],
         mobile: '+345345343'
       })

packages/auth/src/features/retrievalSteps/verifyNumber/handler.test.ts

@@ -25,7 +25,7 @@ describe('verifyNumber handler receives a request', () => {
     jest.spyOn(codeService, 'generateNonce').mockReturnValue('12345')
     fetch.mockResponse(
       JSON.stringify({
-        userId: '1',
+        id: '1',
         username: 'fake_user_name',
         status: 'active',
         scope: ['demo'],

packages/auth/src/features/retrievalSteps/verifyUser/handler.test.ts

@@ -49,7 +49,7 @@ describe('verifyUser handler receives a request', () => {
       jest.spyOn(codeService, 'generateNonce').mockReturnValue('12345')
       fetch.mockResponse(
         JSON.stringify({
-          userId: '1',
+          id: '1',
           username: 'fake_user_name',
           status: 'active',
           scope: ['demo'],
@@ -75,7 +75,7 @@ describe('verifyUser handler receives a request', () => {
 
       fetch.mockResponse(
         JSON.stringify({
-          userId: '1',
+          id: '1',
           username: 'fake_user_name',
           status: 'active',
           scope: ['admin'],