update super user to check from request token instead of database

Author: eiman-eltigani-ttd

src/api/middleware/participantsMiddleware.ts

@@ -16,13 +16,12 @@ export const verifyAndEnrichParticipant = async (
 ) => {
   const { participantId } = participantIdSchema.parse(req.params);
   const traceId = getTraceId(req);
-  const userEmail = req.auth?.payload?.email as string;
 
   const participant = await Participant.query()
     .findById(participantId)
     .withGraphFetched('[types, primaryContact]');
 
-  if (!participant || !(await canUserAccessParticipant(userEmail, participantId, traceId))) {
+  if (!participant || !(await canUserAccessParticipant(req, participantId, traceId))) {
     return res.status(403).json({
       message: 'You do not have access to this participant.',
       errorHash: traceId,

src/api/middleware/userRoleMiddleware.ts

@@ -1,11 +1,18 @@
-import { Handler } from 'express';
+import { Handler, Request } from 'express';
 
 import { UserRoleId } from '../entities/UserRole';
 import { UserToParticipantRole } from '../entities/UserToParticipantRole';
 import { ParticipantRequest } from '../services/participantsService';
 import { findUserByEmail } from '../services/usersService';
 
+// Helper to check if email is a UID2 internal email
+export const isUid2InternalEmail = (email: string) => email.toLowerCase().includes('@unifiedid.com');
+
 export const isUid2Support = async (userEmail: string) => {
+  // @unifiedid.com users automatically have UID2 Support access
+  if (isUid2InternalEmail(userEmail)) {
+    return true;
+  }
   const user = await findUserByEmail(userEmail);
   const userWithUid2SupportRole = await UserToParticipantRole.query()
     .where('userId', user!.id)
@@ -24,17 +31,13 @@ export const isUid2SupportCheck: Handler = async (req: ParticipantRequest, res,
   next();
 };
 
-export const isSuperUser = async (userEmail: string) => {
-  const user = await findUserByEmail(userEmail);
-  const userWithSuperUserRole = await UserToParticipantRole.query()
-    .where('userId', user!.id)
-    .andWhere('userRoleId', UserRoleId.SuperUser)
-    .first();
-  return !!userWithSuperUserRole;
+export const isSuperUser = (req: Request) => {
+  const userEmail = req.auth?.payload?.email as string;
+  return isUid2InternalEmail(userEmail);
 };
 
 export const isSuperUserCheck: Handler = async (req: ParticipantRequest, res, next) => {
-  if (!(await isSuperUser(req.auth?.payload?.email as string))) {
+  if (!isSuperUser(req)) {
     return res.status(403).json({
       message: 'Unauthorized. You do not have the necessary permissions.',
       errorHash: req.headers.traceId,
@@ -46,6 +49,10 @@ export const isSuperUserCheck: Handler = async (req: ParticipantRequest, res, ne
 export const isAdminOrUid2SupportCheck: Handler = async (req: ParticipantRequest, res, next) => {
   const { participant } = req;
   const userEmail = req.auth?.payload.email as string;
+  // SuperUsers have admin-level access
+  if (isSuperUser(req)) {
+    return next();
+  }
   const user = await findUserByEmail(userEmail);
   const userParticipant = user?.participants?.find((item) => item.id === participant?.id);
   const userIsAdminOrUid2Support =

src/api/middleware/usersMiddleware.ts

@@ -1,14 +1,14 @@
-import { NextFunction, Response } from 'express';
+import { NextFunction, Request, Response } from 'express';
 import { z } from 'zod';
 
 import { User, UserJobFunction } from '../entities/User';
 import { getLoggers, getTraceId, TraceId } from '../helpers/loggingHelpers';
-import { UserParticipantRequest } from '../services/participantsService';
+import { getAllParticipants, UserParticipantRequest } from '../services/participantsService';
 import { findUserByEmail, UserRequest } from '../services/usersService';
-import { isSuperUser, isUid2Support } from './userRoleMiddleware';
+import { isSuperUser, isUid2InternalEmail, isUid2Support } from './userRoleMiddleware';
 
-// Helper to check if email is a UID2 internal email
-const isUid2InternalEmail = (email: string) => email.toLowerCase().endsWith('@unifiedid.com');
+// Extended user type with support role flags
+type UserWithSupportRoles = User & { isUid2Support: boolean; isSuperUser: boolean };
 
 // Create a new @unifiedid.com user in the portal database from Keycloak token data
 const createUid2InternalUser = async (
@@ -49,14 +49,16 @@ export const isUserBelongsToParticipant = async (
 };
 
 export const canUserAccessParticipant = async (
-  requestingUserEmail: string,
+  req: Request,
   participantId: number,
   traceId: TraceId
 ) => {
-  return (
-    (await isUid2Support(requestingUserEmail)) ||
-    (await isUserBelongsToParticipant(requestingUserEmail, participantId, traceId))
-  );
+  const requestingUserEmail = req.auth?.payload?.email as string;
+  // SuperUsers and UID2Support have access to all participants
+  if (isSuperUser(req) || (await isUid2Support(requestingUserEmail))) {
+    return true;
+  }
+  return isUserBelongsToParticipant(requestingUserEmail, participantId, traceId);
 };
 
 export const enrichCurrentUser = async (req: UserRequest, res: Response, next: NextFunction) => {
@@ -77,18 +79,19 @@ export const enrichCurrentUser = async (req: UserRequest, res: Response, next: N
   if (user.locked) {
     return res.status(403).send([{ message: 'Unauthorized.' }]);
   }
-  req.user = user;
-  return next();
-};
 
-export const enrichUserWithSupportRoles = async (user: User) => {
-  const userIsUid2Support = await isUid2Support(user.email);
-  const userIsSuperUser = await isSuperUser(user.email);
-  return {
-    ...user,
-    isUid2Support: userIsUid2Support,
-    isSuperUser: userIsSuperUser,
-  };
+  // Enrich user with support roles and participants
+  const enrichedUser = user as UserWithSupportRoles;
+  enrichedUser.isUid2Support = await isUid2Support(userEmail);
+  enrichedUser.isSuperUser = isSuperUser(req);
+
+  // SuperUsers and UID2Support get all participants
+  if (enrichedUser.isSuperUser || enrichedUser.isUid2Support) {
+    enrichedUser.participants = await getAllParticipants();
+  }
+
+  req.user = enrichedUser;
+  return next();
 };
 
 const userIdSchema = z.object({
@@ -122,9 +125,8 @@ export const verifyAndEnrichUser = async (
     return res.status(404).send([{ message: 'The user cannot be found.' }]);
   }
 
-  const requestingUserEmail = req.auth?.payload?.email as string;
   const canRequestingUserAccessParticipant = await canUserAccessParticipant(
-    requestingUserEmail,
+    req,
     participant!.id,
     traceId
   );

src/api/services/userService.ts

@@ -8,15 +8,14 @@ import { UserToParticipantRole } from '../entities/UserToParticipantRole';
 import { getTraceId } from '../helpers/loggingHelpers';
 import { mapClientTypeToParticipantType } from '../helpers/siteConvertingHelpers';
 import { getKcAdminClient } from '../keycloakAdminClient';
-import { enrichUserWithSupportRoles } from '../middleware/usersMiddleware';
 import { getSite } from './adminServiceClient';
 import { getApiRoles } from './apiKeyService';
 import {
   constructAuditTrailObject,
   performAsyncOperationWithAuditTrail,
 } from './auditTrailService';
 import { removeApiParticipantMemberRole, updateUserProfile } from './kcUsersService';
-import { getAllParticipants, UserParticipantRequest } from './participantsService';
+import { UserParticipantRequest } from './participantsService';
 import { findUserByEmail, UserRequest } from './usersService';
 
 const updateUserSchema = z.object({
@@ -32,17 +31,12 @@ export const UpdateUserRoleIdSchema = z.object({
 export const KeycloakRequestSchema = z.object({ email: z.string() });
 
 export const getCurrentUser = async (req: UserRequest) => {
-  const userEmail = req.auth?.payload?.email as string;
-  const user = await findUserByEmail(userEmail);
-  const userWithSupportRoles = await enrichUserWithSupportRoles(user!);
-  if (userWithSupportRoles.isUid2Support) {
-    const allParticipants = await getAllParticipants();
-    userWithSupportRoles.participants = allParticipants;
-  }
-  userWithSupportRoles.participants = userWithSupportRoles?.participants?.sort((a, b) =>
-    a.name.localeCompare(b.name)
-  );
-  return userWithSupportRoles;
+  // req.user is already enriched by enrichCurrentUser middleware with:
+  // - isUid2Support, isSuperUser flags
+  // - all participants (for @unifiedid.com and UID2Support users)
+  const user = req.user!;
+  user.participants = user.participants?.sort((a, b) => a.name.localeCompare(b.name));
+  return user;
 };
 
 export const getDefaultParticipant = async (req: UserRequest) => {