IAM panel to invite entra ID tenant users

Author: devksingh4

.eslintrc

@@ -1,8 +1,10 @@
 {
-  "extends": ["plugin:prettier/recommended", "plugin:@typescript-eslint/recommended"],
+  "extends": [
+    "plugin:prettier/recommended",
+    "plugin:@typescript-eslint/recommended"
+  ],
   "plugins": ["import"],
   "rules": {
-    // turn on errors for missing imports
     "import/no-unresolved": "error",
     "import/extensions": [
       "error",
@@ -13,26 +15,32 @@
         "ts": "never",
         "tsx": "never"
       }
-   ],
-   "no-unused-vars": "off",
-   "max-classes-per-file": "off",
-   "func-names": "off",
-   "@typescript-eslint/no-unused-vars": [
-     "warn", // or "error"
-     {
-       "argsIgnorePattern": "^_",
-       "varsIgnorePattern": "^_",
-       "caughtErrorsIgnorePattern": "^_"
-     }
-   ]
+    ],
+    "no-unused-vars": "off",
+    "max-classes-per-file": "off",
+    "func-names": "off",
+    "@typescript-eslint/no-unused-vars": [
+      "warn",
+      {
+        "argsIgnorePattern": "^_",
+        "varsIgnorePattern": "^_",
+        "caughtErrorsIgnorePattern": "^_"
+      }
+    ],
+    "@typescript-eslint/no-explicit-any": "warn",
+    "@typescript-eslint/explicit-module-boundary-types": "off"
   },
   "settings": {
     "import/parsers": {
       "@typescript-eslint/parser": [".ts", ".tsx", ".js", ".jsx"]
     },
     "import/resolver": {
       "typescript": {
-        "alwaysTryTypes": true
+        "alwaysTryTypes": true,
+        "project": [
+          "src/api/tsconfig.json", // Path to tsconfig.json in src/api
+          "src/ui/tsconfig.json"   // Path to tsconfig.json in src/ui
+        ]
       }
     }
   },
@@ -44,7 +52,7 @@
       }
     },
     {
-      "files": ["src/ui/*", "src/ui/**/*"], // Or *.test.js
+      "files": ["src/ui/*", "src/ui/**/*"],
       "rules": {
         "@typescript-eslint/no-explicit-any": "off",
         "@typescript-eslint/no-unused-vars": "off"

src/api/routes/iam.ts

@@ -1,6 +1,5 @@
 import { FastifyPluginAsync } from "fastify";
 import { AppRoles } from "../../common/roles.js";
-import { z } from "zod";
 import { zodToJsonSchema } from "zod-to-json-schema";
 import { addToTenant, getEntraIdToken } from "../functions/entraId.js";
 import {
@@ -18,33 +17,13 @@ import {
 } from "@aws-sdk/client-dynamodb";
 import { genericConfig } from "../../common/config.js";
 import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
-
-const invitePostRequestSchema = z.object({
-  emails: z.array(z.string()),
-});
-export type InviteUserPostRequest = z.infer<typeof invitePostRequestSchema>;
-
-const groupMappingCreatePostSchema = z.object({
-  roles: z
-    .array(z.nativeEnum(AppRoles))
-    .min(1)
-    .refine((items) => new Set(items).size === items.length, {
-      message: "All roles must be unique, no duplicate values allowed",
-    }),
-});
-
-export type GroupMappingCreatePostRequest = z.infer<
-  typeof groupMappingCreatePostSchema
->;
-
-const invitePostResponseSchema = zodToJsonSchema(
-  z.object({
-    success: z.array(z.object({ email: z.string() })).optional(),
-    failure: z
-      .array(z.object({ email: z.string(), message: z.string() }))
-      .optional(),
-  }),
-);
+import {
+  InviteUserPostRequest,
+  invitePostRequestSchema,
+  GroupMappingCreatePostRequest,
+  groupMappingCreatePostSchema,
+  invitePostResponseSchema,
+} from "../../common/types/iam.js";
 
 const dynamoClient = new DynamoDBClient({
   region: genericConfig.AwsRegion,
@@ -155,13 +134,13 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
     "/inviteUsers",
     {
       schema: {
-        response: { 200: invitePostResponseSchema },
+        response: { 200: zodToJsonSchema(invitePostResponseSchema) },
       },
       preValidation: async (request, reply) => {
         await fastify.zodValidateBody(request, reply, invitePostRequestSchema);
       },
       onRequest: async (request, reply) => {
-        await fastify.authorize(request, reply, [AppRoles.SSO_INVITE_USER]);
+        await fastify.authorize(request, reply, [AppRoles.IAM_INVITE_ONLY]);
       },
     },
     async (request, reply) => {
@@ -194,11 +173,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
           }
         }
       }
-      let statusCode = 201;
-      if (response.success.length === 0) {
-        statusCode = 500;
-      }
-      reply.status(statusCode).send(response);
+      reply.status(202).send(response);
     },
   );
 };

src/api/tsconfig.json

@@ -1,11 +1,20 @@
 {
   "extends": "@tsconfig/node20/tsconfig.json",
   "compilerOptions": {
-      "module": "Node16",
-      "outDir": "../../dist",
+    "module": "Node16",
+    "rootDir": "../",
+    "outDir": "../../dist",
+    "baseUrl": "../",
   },
   "ts-node": {
     "esm": true
   },
-  "include": ["./*"],
+  "include": [
+    "../api/**/*.ts",
+    "../common/**/*.ts"
+  ],
+  "exclude": [
+    "../../node_modules",
+    "../../dist"
+  ]
 }

src/common/config.ts

@@ -80,7 +80,7 @@ const environmentConfig: EnvironmentConfigType = {
       "ff49e948-4587-416b-8224-65147540d5fc": allAppRoles, // Officers
       "ad81254b-4eeb-4c96-8191-3acdce9194b1": [
         AppRoles.EVENTS_MANAGER,
-        AppRoles.SSO_INVITE_USER,
+        AppRoles.IAM_INVITE_ONLY,
       ], // Exec
     },
     UserRoleMapping: {

src/common/errors/index.ts

@@ -141,7 +141,7 @@ export class EntraInvitationError extends BaseError<"EntraInvitationError"> {
       name: "EntraInvitationError",
       id: 108,
       message: message || "Could not invite user to Entra ID.",
-      httpStatusCode: 500,
+      httpStatusCode: 400,
     });
     this.email = email;
   }

src/common/roles.ts

@@ -3,10 +3,10 @@ export const runEnvironments = ["dev", "prod"] as const;
 export type RunEnvironment = (typeof runEnvironments)[number];
 export enum AppRoles {
   EVENTS_MANAGER = "manage:events",
-  SSO_INVITE_USER = "invite:sso",
   TICKETS_SCANNER = "scan:tickets",
   TICKETS_MANAGER = "manage:tickets",
   IAM_ADMIN = "admin:iam",
+  IAM_INVITE_ONLY = "invite:iam",
 }
 export const allAppRoles = Object.values(AppRoles).filter(
   (value) => typeof value === "string",

src/common/types/iam.ts

@@ -0,0 +1,30 @@
+import { AppRoles } from "../roles.js";
+import { z } from "zod";
+
+export const invitePostRequestSchema = z.object({
+  emails: z.array(z.string()),
+});
+
+export type InviteUserPostRequest = z.infer<typeof invitePostRequestSchema>;
+
+export const groupMappingCreatePostSchema = z.object({
+  roles: z
+    .array(z.nativeEnum(AppRoles))
+    .min(1)
+    .refine((items) => new Set(items).size === items.length, {
+      message: "All roles must be unique, no duplicate values allowed",
+    }),
+});
+
+export type GroupMappingCreatePostRequest = z.infer<
+  typeof groupMappingCreatePostSchema
+>;
+
+export const invitePostResponseSchema = z.object({
+  success: z.array(z.object({ email: z.string() })).optional(),
+  failure: z
+    .array(z.object({ email: z.string(), message: z.string() }))
+    .optional(),
+});
+
+export type InvitePostResponse = z.infer<typeof invitePostResponseSchema>;

src/ui/Router.tsx

@@ -16,6 +16,7 @@ import { ViewEventsPage } from './pages/events/ViewEvents.page';
 import { ScanTicketsPage } from './pages/tickets/ScanTickets.page';
 import { SelectTicketsPage } from './pages/tickets/SelectEventId.page';
 import { ViewTicketsPage } from './pages/tickets/ViewTickets.page';
+import { ManageIamPage } from './pages/iam/ManageIam.page';
 
 // Component to handle redirects to login with return path
 const LoginRedirect: React.FC = () => {
@@ -110,6 +111,10 @@ const authenticatedRouter = createBrowserRouter([
     path: '/tickets',
     element: <SelectTicketsPage />,
   },
+  {
+    path: '/iam',
+    element: <ManageIamPage />,
+  },
   {
     path: '/tickets/manage/:eventId',
     element: <ViewTicketsPage />,

src/ui/components/AppShell/index.tsx

@@ -15,6 +15,7 @@ import {
   IconFileDollar,
   IconPizza,
   IconTicket,
+  IconLock,
 } from '@tabler/icons-react';
 import { ReactNode } from 'react';
 import { useNavigate } from 'react-router-dom';
@@ -44,6 +45,12 @@ export const navItems = [
     icon: IconTicket,
     description: null,
   },
+  {
+    link: '/iam',
+    name: 'IAM',
+    icon: IconLock,
+    description: null,
+  },
 ];
 
 export const extLinks = [

src/ui/components/AuthGuard/index.tsx

@@ -5,6 +5,7 @@ import { AcmAppShell } from '@ui/components/AppShell';
 import FullScreenLoader from '@ui/components/AuthContext/LoadingScreen';
 import { getRunEnvironmentConfig, ValidService } from '@ui/config';
 import { useApi } from '@ui/util/api';
+import { AppRoles } from '@common/roles';
 
 export const CACHE_KEY_PREFIX = 'auth_response_cache_';
 const CACHE_DURATION = 2 * 60 * 60 * 1000; // 2 hours in milliseconds
@@ -16,7 +17,7 @@ type CacheData = {
 
 export type ResourceDefinition = {
   service: ValidService;
-  validRoles: string[];
+  validRoles: AppRoles[];
 };
 
 const getAuthCacheKey = (service: ValidService, route: string) =>