Skip to content

[PROD] - Trolley LIve #83

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Oct 21, 2025
Merged

[PROD] - Trolley LIve #83

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
5f8a511
debug m2m
vas3a Sep 30, 2025
6ea8815
debug logs
vas3a Sep 30, 2025
8527d44
remove debug logs, add m2m error handling/logging
vas3a Sep 30, 2025
9ab6a6d
Allow for admins to create payments, used in system-admin app
jmgasper Oct 7, 2025
6e03959
Build fix
jmgasper Oct 7, 2025
3b08a9a
fix roles check
vas3a Oct 16, 2025
e1f7806
Merge pull request #85 from topcoder-platform/fix-roles
vas3a Oct 16, 2025
72321ad
do not validate m2m token in roles guard
vas3a Oct 16, 2025
f8ceace
update logic for roles guard
vas3a Oct 16, 2025
abba554
Merge pull request #86 from topcoder-platform/fix-roles
vas3a Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions src/api/winnings/winnings.controller.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@ import {
ApiBearerAuth,
} from '@nestjs/swagger';

import { M2mScope } from 'src/core/auth/auth.constants';
import { M2M, AllowedM2mScope, User } from 'src/core/auth/decorators';
import { M2mScope, Role } from 'src/core/auth/auth.constants';
import { AllowedM2mScope, User, Roles, M2M } from 'src/core/auth/decorators';
import { ResponseDto, ResponseStatusType } from 'src/dto/api-response.dto';
import { UserInfo } from 'src/dto/user.type';
import {
Expand All @@ -29,8 +29,8 @@ export class WinningsController {
) {}

@Post()
@M2M()
@AllowedM2mScope(M2mScope.CreatePayments)
@Roles(Role.PaymentAdmin, Role.PaymentEditor)
@ApiOperation({
summary: 'Create winning with payments.',
description: 'User must have "create:payments" scope to access.',
Expand Down
41 changes: 31 additions & 10 deletions src/core/auth/guards/auth.guard.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ export class AuthGuard implements CanActivate {
if (isPublic) return true;

const req = context.switchToHttp().getRequest();
const isM2M = this.reflector.getAllAndOverride<boolean>(IS_M2M_KEY, [
const routeM2MOnly = this.reflector.getAllAndOverride<boolean>(IS_M2M_KEY, [
context.getHandler(),
context.getClass(),
]);
Expand All @@ -36,24 +36,45 @@ export class AuthGuard implements CanActivate {
};
}

// Regular authentication - check that we have user's email and have verified the id token
if (!isM2M) {
const tokenIsM2M = Boolean(req.m2mTokenScope);

// If route explicitly requires M2M, enforce M2M + scope
if (routeM2MOnly) {
if (!req.idTokenVerified || !tokenIsM2M) {
throw new UnauthorizedException();
}

const allowedM2mScopes = this.reflector.getAllAndOverride<M2mScope[]>(
SCOPES_KEY,
[context.getHandler(), context.getClass()],
);
const reqScopes = String(req.m2mTokenScope || '').split(' ');
return reqScopes.some((s) => allowedM2mScopes.includes(s as M2mScope));
}

// Hybrid (default) route behavior: allow either
// - Verified user JWT (email present), OR
// - Verified M2M token but only if scope matches when scopes are declared on the route

// User JWT branch
if (!tokenIsM2M) {
return Boolean(req.email && req.idTokenVerified);
}

// M2M authentication - check scopes
if (!req.idTokenVerified || !req.m2mTokenScope)
// M2M branch on non-M2M-only route: require declared scopes, otherwise deny
if (!req.idTokenVerified) {
throw new UnauthorizedException();
}

const allowedM2mScopes = this.reflector.getAllAndOverride<M2mScope[]>(
SCOPES_KEY,
[context.getHandler(), context.getClass()],
);

const reqScopes = req.m2mTokenScope.split(' ');
if (reqScopes.some((reqScope) => allowedM2mScopes.includes(reqScope))) {
return true;
if (!allowedM2mScopes || allowedM2mScopes.length === 0) {
// No scopes declared for this route, do not allow M2M by default
return false;
}
return false;
const reqScopes = String(req.m2mTokenScope || '').split(' ');
return reqScopes.some((s) => allowedM2mScopes.includes(s as M2mScope));
}
}
7 changes: 6 additions & 1 deletion src/core/auth/guards/roles.guard.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,12 @@ export class RolesGuard implements CanActivate {
}

const request = context.switchToHttp().getRequest();
const { auth0User } = request;
const tokenIsM2M = Boolean(request.m2mTokenScope);
if (tokenIsM2M) {
return Boolean(request.idTokenVerified);
}

const { auth0User = {} } = request;
const userRoles = Object.keys(auth0User).reduce((roles, key) => {
if (key.match(/claims\/roles$/gi)) {
return auth0User[key] as string[];
Expand Down
18 changes: 18 additions & 0 deletions src/shared/topcoder/topcoder-m2m.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,24 @@ export class TopcoderM2MService {
}),
});

if (!response.ok) {
let jsonError: any;
try {
jsonError = await response.json();
} catch {
jsonError = null;
}

this.logger.error(
'Failed to fetch M2M token',
tokenURL,
response.status,
response.statusText,
jsonError,
);
return undefined;
}

const jsonResponse = await response.json();
const m2mToken = jsonResponse.access_token as string;

Expand Down