allow m2m users to access the APIs

README.md

@@ -28,6 +28,9 @@ The following parameters can be set in config files or in env variables:
 - `AUTH0_CLIENT_SECRET`: Auth0 client secret, used to get TC M2M token
 - `AUTH0_PROXY_SERVER_URL`: Proxy Auth0 URL, used to get TC M2M token
 
+- `m2m.M2M_AUDIT_USER_ID`: default value is `00000000-0000-0000-0000-000000000000`
+- `m2m.M2M_AUDIT_HANDLE`: default value is `TopcoderService`
+
 - `DATABASE_URL`: PostgreSQL database url.
 - `DB_SCHEMA_NAME`: string - PostgreSQL database target schema
 - `PROJECT_API_URL`: the project service url

app-constants.js

@@ -6,6 +6,30 @@ const UserRoles = {
   BookingManager: 'bookingmanager'
 }
 
+const Scopes = {
+  // job
+  READ_JOB: 'read:taas-jobs',
+  CREATE_JOB: 'create:taas-jobs',
+  UPDATE_JOB: 'update:taas-jobs',
+  DELETE_JOB: 'delete:taas-jobs',
+  ALL_JOB: 'all:taas-jobs',
+  // job candidate
+  READ_JOB_CANDIDATE: 'read:taas-jobCandidates',
+  CREATE_JOB_CANDIDATE: 'create:taas-jobCandidates',
+  UPDATE_JOB_CANDIDATE: 'update:taas-jobCandidates',
+  DELETE_JOB_CANDIDATE: 'delete:taas-jobCandidates',
+  ALL_JOB_CANDIDATE: 'all:taas-jobCandidates',
+  // resource booking
+  READ_RESOURCE_BOOKING: 'read:taas-resourceBookings',
+  CREATE_RESOURCE_BOOKING: 'create:taas-resourceBookings',
+  UPDATE_RESOURCE_BOOKING: 'update:taas-resourceBookings',
+  DELETE_RESOURCE_BOOKING: 'delete:taas-resourceBookings',
+  ALL_RESOURCE_BOOKING: 'all:taas-resourceBookings',
+  // taas-team
+  READ_TAAS_TEAM: 'read:taas-teams'
+}
+
 module.exports = {
-  UserRoles
+  UserRoles,
+  Scopes
 }

app-routes.js

@@ -6,6 +6,7 @@ const _ = require('lodash')
 const config = require('config')
 const HttpStatus = require('http-status-codes')
 const helper = require('./src/common/helper')
+const errors = require('./src/common/errors')
 const routes = require('./src/routes')
 const constants = require('./app-constants')
 const authenticator = require('tc-core-library-js').middleware.jwtAuthenticator
@@ -37,11 +38,22 @@ module.exports = (app) => {
         })
 
         actions.push((req, res, next) => {
-          req.authUser.jwtToken = req.headers.authorization
-          if (_.includes(req.authUser.roles, constants.UserRoles.BookingManager)) {
-            req.authUser.isBookingManager = true
+          if (req.authUser.isMachine) {
+            // M2M
+            if (!req.authUser.scopes || !helper.checkIfExists(def.scopes, req.authUser.scopes)) {
+              next(new errors.ForbiddenError('You are not allowed to perform this action!'))
+            } else {
+              req.authUser.userId = config.m2m.M2M_AUDIT_USER_ID
+              req.authUser.handle = config.m2m.M2M_AUDIT_HANDLE
+              next()
+            }
+          } else {
+            req.authUser.jwtToken = req.headers.authorization
+            if (_.includes(req.authUser.roles, constants.UserRoles.BookingManager)) {
+              req.authUser.isBookingManager = true
+            }
+            next()
           }
-          next()
         })
       }
 

config/default.js

@@ -14,6 +14,11 @@ module.exports = {
   AUTH0_CLIENT_SECRET: process.env.AUTH0_CLIENT_SECRET,
   AUTH0_PROXY_SERVER_URL: process.env.AUTH0_PROXY_SERVER_URL,
 
+  m2m: {
+    M2M_AUDIT_USER_ID: process.env.M2M_AUDIT_USER_ID || '00000000-0000-0000-0000-000000000000',
+    M2M_AUDIT_HANDLE: process.env.M2M_AUDIT_HANDLE || 'TopcoderService'
+  },
+
   TC_API: process.env.TC_API || 'https://api.topcoder-dev.com/v5',
   ORG_ID: process.env.ORG_ID || '36ed815b-3da1-49f1-a043-aaed0a4e81ad',