Use canActivate for tools

vas3a · vas3a · commit 5f404f0b03be · 2025-07-03T23:13:22.000+03:00
diff --git a/src/core/auth/auth.constants.ts b/src/core/auth/auth.constants.ts
@@ -1,4 +1,5 @@
 export enum Role {
+  Admin = 'administrator',
   User = 'Topcoder User',
 }
 
diff --git a/src/core/auth/guards/auth.guard.ts b/src/core/auth/guards/auth.guard.ts
@@ -1,17 +1,10 @@
-import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
-import { Reflector } from '@nestjs/core';
-import { Logger } from 'src/shared/global';
+import { Request } from 'express';
+import { decode } from './guards.utils';
 
-@Injectable()
-export class AuthGuard implements CanActivate {
-  private readonly logger = new Logger(AuthGuard.name);
-
-  constructor(private reflector: Reflector) {}
-
-  canActivate(context: ExecutionContext): boolean {
-    this.logger.log('AuthGuard canActivate called...');
-    // Check if the route is marked as public...
-
-    return true;
+export const authGuard = async (req: Request) => {
+  if (!(await decode(req.headers.authorization ?? ''))) {
+    return false;
   }
-}
+
+  return true;
+};
diff --git a/src/core/auth/guards/guards.utils.ts b/src/core/auth/guards/guards.utils.ts
@@ -0,0 +1,27 @@
+import * as jwt from 'jsonwebtoken';
+// import { UnauthorizedException } from '@nestjs/common';
+import { Logger } from 'src/shared/global';
+import { getSigningKey } from '../jwt';
+
+const logger = new Logger('guards.utils()');
+
+export const decode = async (authHeader: string) => {
+  const [type, idToken] = authHeader?.split(' ') ?? [];
+
+  if (type !== 'Bearer' || !idToken) {
+    return false;
+    // throw new UnauthorizedException('Missing Authorization header!');
+  }
+
+  let decoded: jwt.JwtPayload | string;
+  try {
+    const signingKey = await getSigningKey(idToken);
+    decoded = jwt.verify(idToken, signingKey);
+  } catch (error) {
+    logger.error('Error verifying JWT', error);
+    return false;
+    // throw new UnauthorizedException('Invalid or expired JWT!');
+  }
+
+  return decoded;
+};
diff --git a/src/core/auth/guards/index.ts b/src/core/auth/guards/index.ts
@@ -1 +1,3 @@
 export * from './auth.guard';
+export * from './m2m-scope.guard';
+export * from './role.guard';
diff --git a/src/core/auth/guards/m2m-scope.guard.ts b/src/core/auth/guards/m2m-scope.guard.ts
@@ -0,0 +1,19 @@
+import { Request } from 'express';
+import { decode } from './guards.utils';
+import { JwtPayload } from 'jsonwebtoken';
+import { M2mScope } from '../auth.constants';
+
+export const checkM2MScope =
+  (...requiredM2mScopes: M2mScope[]) =>
+  async (req: Request) => {
+    const decodedAuth = await decode(req.headers.authorization ?? '');
+
+    const authorizedScopes = ((decodedAuth as JwtPayload).scope ?? '').split(
+      ' ',
+    );
+    if (!requiredM2mScopes.some((scope) => authorizedScopes.includes(scope))) {
+      return false;
+    }
+
+    return true;
+  };
diff --git a/src/core/auth/guards/role.guard.ts b/src/core/auth/guards/role.guard.ts
@@ -0,0 +1,23 @@
+import { Request } from 'express';
+import { decode } from './guards.utils';
+import { Role } from '../auth.constants';
+
+export const checkHasUserRole =
+  (...requiredUserRoles: Role[]) =>
+  async (req: Request) => {
+    const decodedAuth = await decode(req.headers.authorization ?? '');
+
+    const decodedUserRoles = Object.keys(decodedAuth).reduce((roles, key) => {
+      if (key.match(/claims\/roles$/gi)) {
+        return decodedAuth[key] as string[];
+      }
+
+      return roles;
+    }, []);
+
+    if (!requiredUserRoles.some((role) => decodedUserRoles.includes(role))) {
+      return false;
+    }
+
+    return true;
+  };
diff --git a/src/mcp/tools/challenges/queryChallenges.tool.ts b/src/mcp/tools/challenges/queryChallenges.tool.ts
@@ -1,11 +1,16 @@
-import { Injectable, Inject, UseGuards } from '@nestjs/common';
+import { Injectable, Inject } from '@nestjs/common';
 import { Tool } from '@tc/mcp-nest';
 import { REQUEST } from '@nestjs/core';
 import { QUERY_CHALLENGES_TOOL_PARAMETERS } from './queryChallenges.parameters';
 import { TopcoderChallengesService } from 'src/shared/topcoder/challenges.service';
 import { Logger } from 'src/shared/global';
 import { QUERY_CHALLENGES_TOOL_OUTPUT_SCHEMA } from './queryChallenges.output';
-import { AuthGuard } from 'src/core/auth/guards';
+import {
+  authGuard,
+  checkHasUserRole,
+  checkM2MScope,
+} from 'src/core/auth/guards';
+import { M2mScope, Role } from 'src/core/auth/auth.constants';
 
 @Injectable()
 export class QueryChallengesTool {
@@ -16,19 +21,7 @@ export class QueryChallengesTool {
     @Inject(REQUEST) private readonly request: any,
   ) {}
 
-  @Tool({
-    name: 'query-tc-challenges',
-    description:
-      'Returns a list of public Topcoder challenges based on the query parameters.',
-    parameters: QUERY_CHALLENGES_TOOL_PARAMETERS,
-    outputSchema: QUERY_CHALLENGES_TOOL_OUTPUT_SCHEMA,
-    annotations: {
-      title: 'Query Public Topcoder Challenges',
-      readOnlyHint: true,
-    },
-  })
-  @UseGuards(AuthGuard)
-  async queryChallenges(params) {
+  private async _queryChallenges(params) {
     // Validate the input parameters
     const validatedParams = QUERY_CHALLENGES_TOOL_PARAMETERS.safeParse(params);
     if (!validatedParams.success) {
@@ -127,4 +120,67 @@ export class QueryChallengesTool {
       };
     }
   }
+
+  @Tool({
+    name: 'query-tc-challenges-private',
+    description:
+      'Returns a list of public Topcoder challenges based on the query parameters.',
+    parameters: QUERY_CHALLENGES_TOOL_PARAMETERS,
+    outputSchema: QUERY_CHALLENGES_TOOL_OUTPUT_SCHEMA,
+    annotations: {
+      title: 'Query Public Topcoder Challenges',
+      readOnlyHint: true,
+    },
+    canActivate: authGuard,
+  })
+  async queryChallengesPrivate(params) {
+    return this._queryChallenges(params);
+  }
+
+  @Tool({
+    name: 'query-tc-challenges-protected',
+    description:
+      'Returns a list of public Topcoder challenges based on the query parameters.',
+    parameters: QUERY_CHALLENGES_TOOL_PARAMETERS,
+    outputSchema: QUERY_CHALLENGES_TOOL_OUTPUT_SCHEMA,
+    annotations: {
+      title: 'Query Public Topcoder Challenges',
+      readOnlyHint: true,
+    },
+    canActivate: checkHasUserRole(Role.Admin),
+  })
+  async queryChallengesProtected(params) {
+    return this._queryChallenges(params);
+  }
+
+  @Tool({
+    name: 'query-tc-challenges-m2m',
+    description:
+      'Returns a list of public Topcoder challenges based on the query parameters.',
+    parameters: QUERY_CHALLENGES_TOOL_PARAMETERS,
+    outputSchema: QUERY_CHALLENGES_TOOL_OUTPUT_SCHEMA,
+    annotations: {
+      title: 'Query Public Topcoder Challenges',
+      readOnlyHint: true,
+    },
+    canActivate: checkM2MScope(M2mScope.QueryPublicChallenges),
+  })
+  async queryChallengesM2m(params) {
+    return this._queryChallenges(params);
+  }
+
+  @Tool({
+    name: 'query-tc-challenges-public',
+    description:
+      'Returns a list of public Topcoder challenges based on the query parameters.',
+    parameters: QUERY_CHALLENGES_TOOL_PARAMETERS,
+    outputSchema: QUERY_CHALLENGES_TOOL_OUTPUT_SCHEMA,
+    annotations: {
+      title: 'Query Public Topcoder Challenges',
+      readOnlyHint: true,
+    },
+  })
+  async queryChallengesPublic(params) {
+    return this._queryChallenges(params);
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`export enum Role {`
	`2`	`+ Admin = 'administrator',`
`2`	`3`	`User = 'Topcoder User',`
`3`	`4`	`}`
`4`	`5`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,3 @@`
`1`	`1`	`export * from './auth.guard';`
	`2`	`+export * from './m2m-scope.guard';`
	`3`	`+export * from './role.guard';`