modify endpoint names; add listing group membership route

Author: devksingh4

src/api/functions/entraId.ts

@@ -233,3 +233,60 @@ export async function modifyGroup(
     });
   }
 }
+
+/**
+ * Lists all members of an Entra ID group.
+ * @param token - Entra ID token authorized to take this action.
+ * @param group - The group ID to fetch members for.
+ * @throws {EntraGroupError} If the group action fails.
+ * @returns {Promise<Array<{ name: string; email: string }>>} List of members with name and email.
+ */
+export async function listGroupMembers(
+  token: string,
+  group: string,
+): Promise<Array<{ name: string; email: string }>> {
+  try {
+    const url = `https://graph.microsoft.com/v1.0/groups/${group}/members`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+    });
+
+    if (!response.ok) {
+      const errorData = (await response.json()) as {
+        error?: { message?: string };
+      };
+      throw new EntraGroupError({
+        message: errorData?.error?.message ?? response.statusText,
+        group,
+      });
+    }
+
+    const data = (await response.json()) as {
+      value: Array<{
+        displayName?: string;
+        mail?: string;
+      }>;
+    };
+
+    // Map the response to the desired format
+    const members = data.value.map((member) => ({
+      name: member.displayName ?? "",
+      email: member.mail ?? "",
+    }));
+
+    return members;
+  } catch (error) {
+    if (error instanceof EntraGroupError) {
+      throw error;
+    }
+
+    throw new EntraGroupError({
+      message: error instanceof Error ? error.message : String(error),
+      group,
+    });
+  }
+}

src/api/routes/iam.ts

@@ -4,6 +4,7 @@ import { zodToJsonSchema } from "zod-to-json-schema";
 import {
   addToTenant,
   getEntraIdToken,
+  listGroupMembers,
   modifyGroup,
 } from "../functions/entraId.js";
 import {
@@ -188,7 +189,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
     Body: GroupModificationPatchRequest;
     Querystring: { groupId: string };
   }>(
-    "/groupMembership/:groupId",
+    "/groups/:groupId",
     {
       schema: {
         querystring: {
@@ -222,7 +223,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         throw new EntraGroupError({
           code: 403,
           message:
-            "This group is protected and may not be modified by this service. You must log into Entra ID directly to modify this group.",
+            "This group is protected and cannot be modified by this service. You must log into Entra ID directly to modify this group.",
           group: groupId,
         });
       }
@@ -282,6 +283,47 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
       reply.status(202).send(response);
     },
   );
+  fastify.get<{
+    Querystring: { groupId: string };
+  }>(
+    "/groups/:groupId",
+    {
+      schema: {
+        querystring: {
+          type: "object",
+          properties: {
+            groupId: {
+              type: "string",
+            },
+          },
+        },
+      },
+      onRequest: async (request, reply) => {
+        await fastify.authorize(request, reply, [AppRoles.IAM_ADMIN]);
+      },
+    },
+    async (request, reply) => {
+      const groupId = (request.params as Record<string, string>).groupId;
+      if (!groupId || groupId === "") {
+        throw new NotFoundError({
+          endpointName: request.url,
+        });
+      }
+      if (genericConfig.ProtectedEntraIDGroups.includes(groupId)) {
+        throw new EntraGroupError({
+          code: 403,
+          message:
+            "This group is protected and cannot be read by this service. You must log into Entra ID directly to read this group.",
+          group: groupId,
+        });
+      }
+      const entraIdToken = await getEntraIdToken(
+        fastify.environmentConfig.AadValidClientId,
+      );
+      const response = await listGroupMembers(entraIdToken, groupId);
+      reply.status(200).send(response);
+    },
+  );
 };
 
 export default iamRoutes;