restrict non-idir user search

TimCsaky · TimCsaky · commit c8f44f825ec5 · 2025-05-27T17:12:41.000-07:00
diff --git a/app/src/components/utils.js b/app/src/components/utils.js
@@ -72,6 +72,11 @@ const utils = {
     return key || '/'; // set empty key to '/' to match convention in COMS db
   },
 
+  hasOnlyPermittedKeys(obj, permittedKeys) {
+    const objKeys = Object.keys(obj);
+    return objKeys.every(key => permittedKeys.includes(key));
+  },
+
   /**
    * @function getBucket
    * Acquire core S3 bucket credential information from database or configuration
@@ -161,6 +166,8 @@ const utils = {
    * @function getCurrentIdentity
    * Attempts to acquire current identity value.
    * Always takes first non-default value available. Yields `defaultValue` otherwise.
+   * looks for one of the specified claims (eg idir_user_guid,bceid_user_guid or github_id)
+   * if not found, returns 'sub' claim
    * @param {object} currentUser The express request currentUser object
    * @param {string} [defaultValue=undefined] An optional default return value
    * @returns {string} The current user identifier if applicable, or `defaultValue`
diff --git a/app/src/middleware/authorization.js b/app/src/middleware/authorization.js
@@ -6,7 +6,10 @@ const {
   getAppAuthMode,
   getCurrentIdentity,
   getConfigBoolean,
-  mixedQueryToArray, stripDelimit } = require('../components/utils');
+  hasOnlyPermittedKeys,
+  mixedQueryToArray,
+  stripDelimit
+} = require('../components/utils');
 const { NIL: SYSTEM_USER } = require('uuid');
 const {
   bucketPermissionService,
@@ -207,6 +210,29 @@ const hasPermission = (permission) => {
   };
 };
 
+/**
+ * if non-IDIR user, require userId, email or identityId query parameter
+ * route validationrequires a valid email
+ */
+const restrictNonIdirUserSearch = async (req, _res, next) => {
+  try {
+    if (req.currentUser.authType === AuthType.BEARER &&
+      req.currentUser.tokenPayload.identity_provider !== 'idir' &&
+      !hasOnlyPermittedKeys(req.query, ['email', 'userId', 'identityId'])
+    ) {
+      throw new Error('User lacks permission to complete this actionnn');
+    }
+  }
+  catch (err) {
+    log.verbose(err.message, { function: 'restrictNonIdirUserSearch' });
+    return next(new Problem(403, {
+      detail: err.message,
+      instance: req.originalUrl
+    }));
+  }
+  next();
+};
+
 module.exports = {
-  _checkPermission, checkAppMode, checkS3BasicAccess, currentObject, hasPermission
+  _checkPermission, checkAppMode, checkS3BasicAccess, currentObject, hasPermission, restrictNonIdirUserSearch
 };
diff --git a/app/src/routes/v1/user.js b/app/src/routes/v1/user.js
@@ -2,7 +2,7 @@ const router = require('express').Router();
 
 const { userValidator } = require('../../validators');
 const { userController } = require('../../controllers');
-const { checkAppMode, checkS3BasicAccess } = require('../../middleware/authorization');
+const { checkAppMode, checkS3BasicAccess, restrictNonIdirUserSearch } = require('../../middleware/authorization');
 const { requireSomeAuth } = require('../../middleware/featureToggle');
 
 router.use(checkAppMode);
@@ -15,7 +15,9 @@ router.get('/',
    * checkS3BasicAccess will add a bucketId query param which triggers a 422 from the userValidator
    */
   checkS3BasicAccess,
-  userValidator.searchUsers, (req, res, next) => {
+  userValidator.searchUsers,
+  restrictNonIdirUserSearch,
+  (req, res, next) => {
     userController.searchUsers(req, res, next);
   });
 
diff --git a/app/src/services/user.js b/app/src/services/user.js
@@ -153,9 +153,6 @@ const service = {
    * @returns {Promise<object>} The result of running the login operation
    */
   login: async (token) => {
-
-    console.log('a', token);
-
     const newUser = service._tokenToUser(token);
     // wrap with db transaction
     return await utils.trxWrapper(async (trx) => {
