Add auth guard for M2M / admin token for topcoder reports

Author: jmgasper

src/app-constants.ts

@@ -4,6 +4,7 @@ export const Scopes = {
   TopgearChallenge: "reports:topgear-challenge",
   TopgearCancelledChallenge: "reports:topgear-cancelled-challenge",
   AllReports: "reports:all",
+  TopcoderReports: "reports:topcoder",
   TopgearChallengeTechnology: "reports:topgear-challenge-technology",
   TopgearChallengeStatsByUser: "reports:topgear-challenge-stats-by-user",
   TopgearChallengeRegistrantDetails:
@@ -18,3 +19,7 @@ export const Scopes = {
     SubmissionLinks: "reports:challenge-submission-links",
   },
 };
+
+export const UserRoles = {
+  Admin: "Administrator",
+};

src/auth/guards/topcoder-reports.guard.ts

@@ -0,0 +1,59 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+  UnauthorizedException,
+} from "@nestjs/common";
+
+import { Scopes, UserRoles } from "../../app-constants";
+
+@Injectable()
+export class TopcoderReportsGuard implements CanActivate {
+  private static readonly adminRoles = new Set(
+    Object.values(UserRoles).map((role) => role.toLowerCase()),
+  );
+
+  canActivate(context: ExecutionContext): boolean {
+    const request = context.switchToHttp().getRequest();
+    const authUser = request.authUser;
+
+    if (!authUser) {
+      throw new UnauthorizedException("You are not authenticated.");
+    }
+
+    if (authUser.isMachine) {
+      const scopes: string[] = authUser.scopes ?? [];
+      if (this.hasRequiredScope(scopes)) {
+        return true;
+      }
+
+      throw new ForbiddenException(
+        "You do not have the required permissions to access this resource.",
+      );
+    }
+
+    const roles: string[] = authUser.roles ?? [];
+    if (this.isAdmin(roles)) {
+      return true;
+    }
+
+    throw new ForbiddenException(
+      "You do not have the required permissions to access this resource.",
+    );
+  }
+
+  private hasRequiredScope(scopes: string[]): boolean {
+    const normalizedScopes = scopes.map((scope) => scope?.toLowerCase());
+    return (
+      normalizedScopes.includes(Scopes.TopcoderReports.toLowerCase()) ||
+      normalizedScopes.includes(Scopes.AllReports.toLowerCase())
+    );
+  }
+
+  private isAdmin(roles: string[]): boolean {
+    return roles.some((role) =>
+      TopcoderReportsGuard.adminRoles.has(role?.toLowerCase()),
+    );
+  }
+}

src/reports/topcoder/topcoder-reports.controller.ts

@@ -1,10 +1,13 @@
-import { Controller, Get, Query, Res } from "@nestjs/common";
-import { ApiOperation, ApiTags } from "@nestjs/swagger";
+import { Controller, Get, Query, Res, UseGuards } from "@nestjs/common";
+import { ApiBearerAuth, ApiOperation, ApiTags } from "@nestjs/swagger";
 import { Response } from "express";
 import { TopcoderReportsService } from "./topcoder-reports.service";
 import { RegistrantCountriesQueryDto } from "./dto/registrant-countries.dto";
+import { TopcoderReportsGuard } from "../../auth/guards/topcoder-reports.guard";
 
 @ApiTags("Topcoder Reports")
+@ApiBearerAuth()
+@UseGuards(TopcoderReportsGuard)
 @Controller("/topcoder")
 export class TopcoderReportsController {
   constructor(private readonly reports: TopcoderReportsService) {}

src/reports/topcoder/topcoder-reports.module.ts

@@ -1,10 +1,11 @@
 import { Module } from "@nestjs/common";
-import { TopcoderReportsController } from "./topcoder-reports.controller";
 import { TopcoderReportsService } from "./topcoder-reports.service";
 import { SqlLoaderService } from "../../common/sql-loader.service";
+import { TopcoderReportsController } from "./topcoder-reports.controller";
+import { TopcoderReportsGuard } from "../../auth/guards/topcoder-reports.guard";
 
 @Module({
   controllers: [TopcoderReportsController],
-  providers: [TopcoderReportsService, SqlLoaderService],
+  providers: [TopcoderReportsService, SqlLoaderService, TopcoderReportsGuard],
 })
 export class TopcoderReportsModule {}