Search Members allow no token support

topcoder-platform · Jul 21, 2020 · 5d559d8 · 5d559d8
1 parent f747dc5
commit 5d559d8
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 15 deletions.
diff --git a/app-routes.js b/app-routes.js
@@ -40,28 +40,38 @@ module.exports = (app) => {
       if (def.auth) {
         // add Authenticator/Authorization check if route has auth
         actions.push((req, res, next) => {
-          authenticator(_.pick(config, ['AUTH_SECRET', 'VALID_ISSUERS']))(req, res, next)
+          // When authorization token is not provided and allow no token is enabled then bypass
+          if(!_.get(req, 'headers.authorization') && def.allowNoToken) {
+            next()
+          } else {
+            authenticator(_.pick(config, ['AUTH_SECRET', 'VALID_ISSUERS']))(req, res, next)
+          }
         })
 
         actions.push((req, res, next) => {
-          if (req.authUser.isMachine) {
-            // M2M
-            if (!req.authUser.scopes || (def.scopes && !helper.checkIfExists(def.scopes, req.authUser.scopes))) {
-              next(new errors.ForbiddenError('You are not allowed to perform this action!'))
-            } else {
-              next()
-            }
+          // When authorization token is not provided and allow no token is enabled then bypass
+          if(!_.get(req, 'headers.authorization') && def.allowNoToken) {
+            next()
           } else {
-            req.authUser.userId = String(req.authUser.userId)
-            // User roles authorization
-            if (req.authUser.roles) {
-              if (def.access && !helper.checkIfExists(def.access, req.authUser.roles)) {
+            if (req.authUser.isMachine) {
+              // M2M
+              if (!req.authUser.scopes || (def.scopes && !helper.checkIfExists(def.scopes, req.authUser.scopes))) {
                 next(new errors.ForbiddenError('You are not allowed to perform this action!'))
               } else {
                 next()
               }
             } else {
-              next(new errors.ForbiddenError('You are not authorized to perform this action'))
+              req.authUser.userId = String(req.authUser.userId)
+              // User roles authorization
+              if (req.authUser.roles) {
+                if (def.access && !helper.checkIfExists(def.access, req.authUser.roles)) {
+                  next(new errors.ForbiddenError('You are not allowed to perform this action!'))
+                } else {
+                  next()
+                }
+              } else {
+                next(new errors.ForbiddenError('You are not authorized to perform this action'))
+              }
             }
           }
         })

diff --git a/src/routes.js b/src/routes.js
@@ -2,7 +2,7 @@
  * Contains all routes
  */
 
-const constants = require('../app-constants')
+// const constants = require('../app-constants')
 const { SCOPES: {
   MEMBERS
 } } = require('config')
@@ -119,6 +119,8 @@ module.exports = {
     get: {
       controller: 'SearchController',
       method: 'searchMembers',
+      auth: 'jwt',
+      allowNoToken: true,
       scopes: [MEMBERS.READ, MEMBERS.ALL]
     }
   }

diff --git a/src/services/SearchService.js b/src/services/SearchService.js
@@ -31,7 +31,6 @@ async function searchMembers (currentUser, query) {
   if (!currentUser || (!currentUser.isMachine && !helper.hasAdminRole(currentUser))) {
     fields = _.without(fields, ...config.SEARCH_SECURE_FIELDS)
   }
-
   // construct ES query
   const esQuery = {
     index: config.get('ES.ES_INDEX'),