New authorization scheme for project creation endpoint

[vikasrohit]

To support a new use case, where we need to create projects for inactive users, we need to implement a new auth scheme in project service and use that only for project creation endpoint to allow the creation of projects by inactive users as well.

Details:

1. We will look for Authorization header
2. Technically it would still be using Bearer auth scheme but its value would not be a jwt token this time, rather it would be a simple string with following pattern like userId_<userId> i.e. useId_ as prefix to the actual userId.
3. if we find the bearer token starting with userId_, we should not use the jwt auth middle ware from tc-core-library-js to validate the token and rather use custom logic.
4. if the passed userId is inactive (we can query that using admin access to the identity api), we should authorize the user and if userId is active, we need to throw 403 with appropriate message.

[ngoctay]

@vikasrohit

1. Only for project creation endpoint, right?
2. "we can query that using admin access to the identity api", can you provide more details on on how to access the identity API?

[gondzo]

@vikasrohit does identity api support m2m tokens? do we have a clientId/secret that we could use?

@ngoctay I think identity service endpoint is v4_api/users. Is this correct @vikasrohit ?

[vikasrohit]

@ngoctay this should be the helper function you should be using to get user's status.

[vikasrohit]

@gondzo I think m2m are now supported by identity, however, if our current api is not using m2m to get system user token, we can still go with the existing method of clientId and secret.

[ngoctay]

@vikasrohit
Thanks for the helper function.

Is there any dev identity API endpoint so that I can set the env?

[vikasrohit]

Yes, there is. It should be https://api.topcoder-dev.com/v3, however, it won't work on your local because you won't have client id and secret. You can test this on local by mocking the endpoint while unit testing.

[ngoctay]

Do you have any Swagger or Postman for the Identity API?
I don't know any about the request/response.

[vikasrohit]

@ngoctay this should help.

getStub.withArgs(`${config.get('identityServiceEndpoint')}users`, getUsersOpts).resolves({
  data: { result: { status: 200, content: [{ id: 1, ..., active: false }] } },
});

[ngoctay]

@vikasrohit
Just curious.
Anybody can easily guess a userId and invoke POST /projects with Bearer userId_<userId>.
That is not quite secured.

[vikasrohit]

Yep, that is true. Right now we are evaluating other options as well however we want to have a backup plan in place. Also, reason of allowing only inactive users in this new scheme, is to reduce this spam. Further, we are also thinking of domain whitelisting to allow its invocation.

Can you please add a domain whitelist through cors for this particular endpoint or auth scheme?

We are also working on getting some unique code generated in the flow this endpoint is going to be used so that we can validate that code before allowing the user into the system.

[ngoctay]

Please check the above commit.
Note that we have a new config whitelistedOriginsForUserIdAuth which stores the JSON string array of the whitelisted origins (similar to validIssuers)