BC-11531 Switch to service account auth flow. #6355
Pull request overview
This PR removes the dedicated SHD API module/endpoints and relocates “create support JWT” functionality into the Authentication/Login API flow, adding the necessary DTOs and updating unit + API tests accordingly. It also adjusts the authorization rules to allow authorization checks against User entities (not only UserDo).
Changes:
- Removed the entire `shd` module API (module/controller/UC/DTOs/mappers + API tests) and unregistered it from the server app module.
- Added `POST /login/support-jwt` to `LoginController`, backed by `LoginUc.getSupportLoginData(...)`, plus unit and API tests.
- Updated `UserRule` to support both `User` and `UserDo` as authorizable objects.
Reviewed changes
Copilot reviewed 16 out of 19 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| apps/server/src/modules/shd/shd.api.module.ts | Removed SHD API module registration (deleted). |
| apps/server/src/modules/shd/index.ts | SHD module barrel removed (deleted). |
| apps/server/src/modules/shd/api/shd.uc.ts | Removed SHD use-case for support JWT generation (deleted). |
| apps/server/src/modules/shd/api/shd.controller.ts | Removed SHD controller endpoint (deleted). |
| apps/server/src/modules/shd/api/mapper/login-response.mapper.ts | Removed SHD login response mapper (deleted). |
| apps/server/src/modules/shd/api/mapper/index.ts | Removed SHD mapper barrel (deleted). |
| apps/server/src/modules/shd/api/index.ts | Removed SHD API barrel exports (deleted). |
| apps/server/src/modules/shd/api/dto/login.response.ts | Removed SHD login response DTO (deleted). |
| apps/server/src/modules/shd/api/dto/index.ts | Removed SHD DTO barrel exports (deleted). |
| apps/server/src/modules/shd/api/api-tests/shd.api.spec.ts | Removed SHD API integration tests (deleted). |
| apps/server/src/modules/server/server.app.module.ts | Unregistered ShdApiModule from server module list. |
| apps/server/src/modules/authorization-rules/rules/user.rule.ts | Extended UserRule to handle User entities in addition to UserDo. |
| apps/server/src/modules/authentication/uc/login.uc.ts | Added getSupportLoginData(...) and authorization check for support JWT generation. |
| apps/server/src/modules/authentication/uc/login.uc.spec.ts | Added unit tests for getSupportLoginData(...). |
| apps/server/src/modules/authentication/controllers/login.controller.ts | Added POST support-jwt endpoint under login controller. |
| apps/server/src/modules/authentication/controllers/dto/target-user-id.params.ts | Added DTO for request body validation (IsMongoId). |
| apps/server/src/modules/authentication/controllers/dto/index.ts | Exported the new TargetUserIdParams DTO. |
| apps/server/src/modules/authentication/controllers/api-test/login.api.spec.ts | Added API tests covering /support-jwt scenarios. |
| apps/server/src/modules/authentication/authentication-api.module.ts | Imported AuthorizationModule to satisfy AuthorizationService dependency. |
Review comment on apps/server/src/modules/authentication/uc/login.uc.ts:

```typescript
public async getSupportLoginData(targetUserId: EntityId, supportUserId: EntityId): Promise<string> {
    // The target user should ideally be fetched via the user service, but that is not possible
    // because of a circular dependency, so we fetch it via the authorization service instead.
    const [supportUser, targetUser] = await Promise.all([
        this.authorizationService.getUserWithPermissions(supportUserId),
        this.authorizationService.getUserWithPermissions(targetUserId),
    ]);

    const authContext = AuthorizationContextBuilder.write([
        Permission.CREATE_SUPPORT_JWT,
        Permission.CAN_EXECUTE_INSTANCE_OPERATIONS,
    ]);
    this.authorizationService.checkPermission(supportUser, targetUser, authContext);
```
Not true.
Using authorization over instance for this case was a misimplementation. CAN_EXECUTE_INSTANCE_OPERATION is not connected to the context object instance.
The permission enables execution outside of the given context, in this case the user, but also enforces that user write access must exist.
Setting CAN_EXECUTE_INSTANCE_OPERATION inside of the UC too enforces that a normal user who can have write access to themselves can't create a support JWT, only a user with the additional permission.
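To make the point of the comment above concrete, here is an added TypeScript model of the permission check in `getSupportLoginData`; it is illustration written for this page, not the project's code, and `Permission.USER_EDIT`, `userRuleAllows` and `hasPermission` are simplified assumptions standing in for the server's real `UserRule` and `AuthorizationService`.

```typescript
enum Permission {
  CREATE_SUPPORT_JWT = "CREATE_SUPPORT_JWT",
  CAN_EXECUTE_INSTANCE_OPERATIONS = "CAN_EXECUTE_INSTANCE_OPERATIONS",
  USER_EDIT = "USER_EDIT", // assumed ordinary self-service permission
}

interface User {
  id: string;
  permissions: Set<Permission>;
}

type Action = "read" | "write";

interface AuthorizationContext {
  action: Action;
  requiredPermissions: Permission[];
}

// Assumed simplification of UserRule: a user may write their own record;
// writing another user's record needs the instance-operations permission.
function userRuleAllows(actor: User, target: User, action: Action): boolean {
  if (action === "read") return true;
  if (actor.id === target.id) return true;
  return actor.permissions.has(Permission.CAN_EXECUTE_INSTANCE_OPERATIONS);
}

// Assumed simplification of AuthorizationService.hasPermission: the actor must
// hold every permission named in the context AND the entity rule must grant the action.
function hasPermission(actor: User, target: User, ctx: AuthorizationContext): boolean {
  const holdsAll = ctx.requiredPermissions.every((p) => actor.permissions.has(p));
  return holdsAll && userRuleAllows(actor, target, ctx.action);
}

// Same context the PR builds: write access plus both support permissions.
function canCreateSupportJwt(actor: User, target: User): boolean {
  return hasPermission(actor, target, {
    action: "write",
    requiredPermissions: [Permission.CREATE_SUPPORT_JWT, Permission.CAN_EXECUTE_INSTANCE_OPERATIONS],
  });
}

// Constructed sample users.
const supportUser: User = {
  id: "support-1",
  permissions: new Set([Permission.CREATE_SUPPORT_JWT, Permission.CAN_EXECUTE_INSTANCE_OPERATIONS]),
};
const normalUser: User = { id: "user-1", permissions: new Set([Permission.USER_EDIT]) };
```

With this model a normal user keeps write access to their own record, yet `canCreateSupportJwt(normalUser, normalUser)` is denied because the context's required permissions are missing.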
Description
https://ticketsystem.dbildungscloud.de/browse/BC-11531
Links to Tickets or other pull requests
- BC-11531 Switch to service account auth flow. #6355
- BC-11531 Switch to new support jwt endpoint. superhero-dashboard#353
- BC-11531 Generate new server api. nuxt-client#4293
Changes
- Generate new api in vue client
- Switch URI in SHD
- Check dependencies authorization and authentication
Approval for review
- `generate-client:server` was executed in vue frontend and changes were tested and put in a PR with the same branch name.