Fixes for local issues seen with JWT validation, in case it starts to affect dev and prod

Author: jmgasper

src/shared/config/auth.config.ts

@@ -8,7 +8,7 @@ export const AuthConfig = {
   // JSON array string of allowed issuers
   validIssuers:
     process.env.VALID_ISSUERS ||
-    '["https://testsachin.topcoder-dev.com/","https://test-sachin-rs256.auth0.com/","https://api.topcoder.com","https://api.topcoder-dev.com","https://topcoder-dev.auth0.com/", "https://auth.topcoder-dev.com/"]',
+    '["https://testsachin.topcoder-dev.com/","https://test-sachin-rs256.auth0.com/","https://api.topcoder.com","https://api.topcoder-dev.com","https://topcoder-dev.auth0.com/","https://auth.topcoder-dev.com/","https://topcoder.auth0.com/","https://auth.topcoder.com/"]',
 
   // Legacy JWT configuration (kept for backward compatibility)
   jwt: {

src/shared/guards/tokenRoles.guard.ts

@@ -7,21 +7,30 @@ import {
   SetMetadata,
 } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
+import { Request } from 'express';
 import { JwtService } from '../modules/global/jwt.service';
 import { SCOPES_KEY } from '../decorators/scopes.decorator';
+import { LoggerService } from '../modules/global/logger.service';
 import { UserRole } from '../enums/userRole.enum';
 
 export const ROLES_KEY = 'roles';
 export const Roles = (...roles: UserRole[]) => SetMetadata(ROLES_KEY, roles);
 
 @Injectable()
 export class TokenRolesGuard implements CanActivate {
+  private readonly logger = LoggerService.forRoot(TokenRolesGuard.name);
+
   constructor(
     private reflector: Reflector,
     private jwtService: JwtService,
   ) {}
 
   canActivate(context: ExecutionContext): boolean {
+    const handler = context.getHandler?.();
+    const controllerClass = context.getClass?.();
+    const controllerName = controllerClass?.name || 'UnknownController';
+    const handlerName = handler?.name || 'UnknownHandler';
+
     // Get required roles and scopes from decorators
     const requiredRoles =
       this.reflector.get<UserRole[]>(ROLES_KEY, context.getHandler()) || [];
@@ -31,18 +40,49 @@ export class TokenRolesGuard implements CanActivate {
 
     // If no roles or scopes are required, allow access
     if (requiredRoles.length === 0 && requiredScopes.length === 0) {
+      this.logger.log({
+        message: 'No roles or scopes required, allowing request',
+        controllerName,
+        handlerName,
+      });
       return true;
     }
 
     const request = context.switchToHttp().getRequest<Request>();
+    const requestMeta = this.buildRequestLogMeta(
+      request,
+      controllerName,
+      handlerName,
+    );
+
+    this.logger.log({
+      message: 'Evaluating token roles guard',
+      ...requestMeta,
+      requiredRoles,
+      requiredScopes,
+    });
 
     try {
       const user = request['user'];
 
       if (!user && (requiredRoles.length || requiredScopes.length)) {
+        this.logger.warn({
+          message: 'Rejecting request due to missing user payload',
+          ...requestMeta,
+          hasUser: false,
+        });
         throw new UnauthorizedException('Missing or invalid token!');
       }
 
+      this.logger.log({
+        message: 'User payload extracted from request',
+        ...requestMeta,
+        userId: user?.userId,
+        isMachine: Boolean(user?.isMachine),
+        roles: user?.roles,
+        scopes: user?.scopes,
+      });
+
       const normalizedRequiredRoles = requiredRoles.map((role) =>
         String(role).trim().toLowerCase(),
       );
@@ -51,10 +91,22 @@ export class TokenRolesGuard implements CanActivate {
       if (normalizedRequiredRoles.length > 0) {
         const normalizedUserRoles = this.normalizeUserRoles(user.roles);
 
+        this.logger.log({
+          message: 'Checking role-based permissions',
+          ...requestMeta,
+          normalizedRequiredRoles,
+          normalizedUserRoles,
+        });
+
         const hasRole = normalizedRequiredRoles.some((role) =>
           normalizedUserRoles.includes(role),
         );
         if (hasRole) {
+          this.logger.log({
+            message: 'Access granted via role-based authorization',
+            ...requestMeta,
+            normalizedRequiredRoles,
+          });
           return true;
         }
 
@@ -66,6 +118,13 @@ export class TokenRolesGuard implements CanActivate {
             user,
           )
         ) {
+          this.logger.log({
+            message:
+              'Access granted via submission list challenge fallback rule',
+            ...requestMeta,
+            challengeId: request?.query?.challengeId,
+            userId: user?.userId,
+          });
           return true;
         }
       }
@@ -75,7 +134,20 @@ export class TokenRolesGuard implements CanActivate {
         const hasScope = requiredScopes.some((scope) =>
           user.scopes ? user.scopes.includes(scope) : false,
         );
+
+        this.logger.log({
+          message: 'Checking scope-based permissions',
+          ...requestMeta,
+          requiredScopes,
+          tokenScopes: user.scopes,
+          hasScope,
+        });
+
         if (hasScope) {
+          this.logger.log({
+            message: 'Access granted via scope-based authorization',
+            ...requestMeta,
+          });
           return true;
         }
       }
@@ -89,10 +161,22 @@ export class TokenRolesGuard implements CanActivate {
         requiredRoles.length > 0 &&
         requiredScopes.length === 0
       ) {
+        this.logger.warn({
+          message:
+            'M2M token detected without role permissions for role-only endpoint',
+          ...requestMeta,
+          tokenScopes: user.scopes,
+        });
         throw new ForbiddenException('M2M token not allowed for this endpoint');
       }
 
       // Access denied - neither roles nor scopes match
+      this.logger.warn({
+        message: 'Access denied due to insufficient permissions',
+        ...requestMeta,
+        requiredRoles,
+        requiredScopes,
+      });
       throw new ForbiddenException('Insufficient permissions');
     } catch (error) {
       if (
@@ -101,6 +185,15 @@ export class TokenRolesGuard implements CanActivate {
       ) {
         throw error;
       }
+      this.logger.error(
+        {
+          message: 'Unexpected error validating token roles',
+          ...requestMeta,
+          error:
+            error instanceof Error ? error.message : String(error ?? 'error'),
+        },
+        error instanceof Error ? error.stack : undefined,
+      );
       throw new UnauthorizedException('Invalid token');
     }
   }
@@ -192,4 +285,33 @@ export class TokenRolesGuard implements CanActivate {
 
     return Array.from(normalizedRoles);
   }
+
+  private buildRequestLogMeta(
+    request: any,
+    controllerName: string,
+    handlerName: string,
+  ) {
+    const headers = (request?.headers || {}) as Record<
+      string,
+      string | string[] | undefined
+    >;
+    const correlationIdCandidate =
+      headers['x-request-id'] ||
+      headers['x-correlation-id'] ||
+      headers['x-trace-id'];
+    const method =
+      typeof request?.method === 'string'
+        ? request.method.toUpperCase()
+        : undefined;
+
+    return {
+      controllerName,
+      handlerName,
+      method,
+      path: request?.originalUrl || request?.url || request?.path,
+      correlationId: Array.isArray(correlationIdCandidate)
+        ? correlationIdCandidate[0]
+        : correlationIdCandidate,
+    };
+  }
 }