Merge pull request #96 from topcoder-platform/develop

restrict access based on the blockIP property of the jwt

Author: ThomasKranitsas

app-routes.js

@@ -45,16 +45,14 @@ module.exports = (app) => {
           }
         })
 
-        if (def.forbiddenCountries) {
-          actions.push(async (req, res, next) => {
-            if (req.authUser.isMachine) {
-              next()
+        if (def.blockByIp) {
+          actions.push((req, res, next) => {
+            req.authUser.blockIP = _.find(req.authUser, (value, key) => {
+              return (key.indexOf('blockIP') !== -1)
+            })
+            if (req.authUser.blockIP) {
+              throw new errors.ForbiddenError('Access denied')
             } else {
-              req.authUser.userId = String(req.authUser.userId)
-              const user = await helper.getMemberById(req.authUser.userId)
-              if (!user || _.intersection([user.homeCountryCode, user.competitionCountryCode], def.forbiddenCountries).length > 0) {
-                throw new errors.ForbiddenError('Access denied')
-              }
               next()
             }
           })

config/default.js

@@ -68,25 +68,5 @@ module.exports = {
   RESOURCE_ROLE_CREATE_TOPIC: process.env.RESOURCE_ROLE_CREATE_TOPIC || 'challenge.action.resource.role.create',
   RESOURCE_ROLE_UPDATE_TOPIC: process.env.RESOURCE_ROLE_UPDATE_TOPIC || 'challenge.action.resource.role.update',
 
-  AUTOMATED_TESTING_NAME_PREFIX: process.env.AUTOMATED_TESTING_NAME_PREFIX || 'POSTMANE2E-',
-
-  FORBIDDEN_COUNTRIES: [
-    'Iran',
-    'North Korea',
-    'Cuba',
-    'Sudan',
-    'Syria',
-    'Belarus',
-    'Russia',
-    'Russian Federation'
-  ],
-  FORBIDDEN_COUNTRIES_ALPHA_3: [
-    'IRN',
-    'PRK',
-    'CUB',
-    'SDN', 'SSD', // (south sudan)
-    'SYR',
-    'BLR',
-    'RUS'
-  ]
+  AUTOMATED_TESTING_NAME_PREFIX: process.env.AUTOMATED_TESTING_NAME_PREFIX || 'POSTMANE2E-'
 }

src/common/helper.js

@@ -162,8 +162,13 @@ async function getMemberInfoById (id) {
  * @returns {Promise<void>}
  */
 async function getMemberById (id) {
-  const res = await getRequest(`${config.MEMBER_API_URL}?userId=${id}`)
-  return _.get(res, 'data[0]')
+  try {
+    const res = await getRequest(`${config.MEMBER_API_URL}`, { userId: id })
+    return _.get(res, 'body[0]')
+  } catch (e) {
+    logger.debug(e.message)
+    logger.debug(e)
+  }
 }
 
 /**

src/routes.js

@@ -4,9 +4,7 @@
 
 const constants = require('../app-constants')
 const {
-  SCOPES: { READ, CREATE, DELETE, UPDATE, ALL },
-  FORBIDDEN_COUNTRIES,
-  FORBIDDEN_COUNTRIES_ALPHA_3
+  SCOPES: { READ, CREATE, DELETE, UPDATE, ALL }
 } = require('config')
 
 module.exports = {
@@ -25,7 +23,7 @@ module.exports = {
       auth: 'jwt',
       access: [constants.UserRoles.Admin, constants.UserRoles.Copilot, constants.UserRoles.Manager, constants.UserRoles.User],
       scopes: [CREATE, ALL],
-      forbiddenCountries: [...FORBIDDEN_COUNTRIES, ...FORBIDDEN_COUNTRIES_ALPHA_3]
+      blockByIp: true
     },
     delete: {
       controller: 'ResourceController',