Ensure scanners can only see active items

Author: devksingh4

src/config.ts

@@ -56,6 +56,7 @@ const environmentConfig: EnvironmentConfigType = {
       "f8dfc4cf-456b-4da3-9053-f7fdeda5d5d6": allAppRoles, // Infra Leads
       "0": allAppRoles, // Dummy Group for development only
       "1": [], // Dummy Group for development only
+      "scanner-only": [AppRoles.TICKETS_SCANNER],
     },
     UserRoleMapping: {
       "[email protected]": [AppRoles.TICKETS_SCANNER],

src/routes/tickets.ts

@@ -126,21 +126,32 @@ const ticketsPlugin: FastifyPluginAsync = async (fastify, _options) => {
       },
     },
     async (request, reply) => {
+      let isTicketingManager = true;
+      try {
+        await fastify.authorize(request, reply, [AppRoles.TICKETS_MANAGER]);
+      } catch {
+        isTicketingManager = false;
+      }
+
       const merchCommand = new ScanCommand({
         TableName: genericConfig.MerchStoreMetadataTableName,
         ProjectionExpression:
           "item_id, item_name, item_sales_active_utc, item_price",
       });
-      const isTicketingManager = await fastify.authorize(request, reply, [
-        AppRoles.TICKETS_MANAGER,
-      ]);
+
       const merchItems: ItemMetadata[] = [];
       const response = await dynamoClient.send(merchCommand);
+      const now = new Date();
+
       if (response.Items) {
         for (const item of response.Items.map((x) => unmarshall(x))) {
-          if (!isTicketingManager && item.item_sales_active_utc === -1) {
-            continue;
+          // Skip inactive items for non-managers
+          if (!isTicketingManager) {
+            if (item.item_sales_active_utc === -1) continue;
+            const itemDate = new Date(parseInt(item.item_sales_active_utc, 10));
+            if (itemDate > now) continue;
           }
+
           const memberPrice = parseInt(item.item_price?.paid, 10) || 0;
           const nonMemberPrice = parseInt(item.item_price?.others, 10) || 0;
           merchItems.push({
@@ -157,18 +168,27 @@ const ticketsPlugin: FastifyPluginAsync = async (fastify, _options) => {
           });
         }
       }
+
       const ticketCommand = new ScanCommand({
         TableName: genericConfig.TicketMetadataTableName,
         ProjectionExpression:
           "event_id, event_name, event_sales_active_utc, event_capacity, tickets_sold, eventCost",
       });
+
       const ticketItems: TicketItemMetadata[] = [];
       const ticketResponse = await dynamoClient.send(ticketCommand);
+
       if (ticketResponse.Items) {
         for (const item of ticketResponse.Items.map((x) => unmarshall(x))) {
-          if (!isTicketingManager && item.event_sales_active_utc === -1) {
-            continue;
+          // Skip inactive items for non-managers
+          if (!isTicketingManager) {
+            if (item.event_sales_active_utc === -1) continue;
+            const itemDate = new Date(
+              parseInt(item.event_sales_active_utc, 10),
+            );
+            if (itemDate > now) continue;
           }
+
           const memberPrice = parseInt(item.eventCost?.paid, 10) || 0;
           const nonMemberPrice = parseInt(item.eventCost?.others, 10) || 0;
           ticketItems.push({
@@ -187,6 +207,7 @@ const ticketsPlugin: FastifyPluginAsync = async (fastify, _options) => {
           });
         }
       }
+
       reply.send({ merch: merchItems, tickets: ticketItems });
     },
   );

tests/unit/auth.test.ts

@@ -19,19 +19,23 @@ const ddbMock = mockClient(SecretsManagerClient);
 const app = await init();
 const jwt_secret = secretObject["jwt_key"];
 export function createJwt(date?: Date, group?: string) {
-  let modifiedPayload = jwtPayload;
+  let modifiedPayload = {
+    ...jwtPayload,
+    groups: [...jwtPayload.groups],
+  };
   if (date) {
     const nowMs = Math.floor(date.valueOf() / 1000);
     const laterMs = nowMs + 3600 * 24;
     modifiedPayload = {
-      ...jwtPayload,
+      ...modifiedPayload,
       iat: nowMs,
       nbf: nowMs,
       exp: laterMs,
     };
   }
+
   if (group) {
-    modifiedPayload["groups"][0] = group;
+    modifiedPayload.groups[0] = group;
   }
   return jwt.sign(modifiedPayload, jwt_secret, { algorithm: "HS256" });
 }

tests/unit/data/mockTIcketsMerchMetadata.testdata.ts

@@ -66,7 +66,7 @@ const merchMetadata = [
   },
   {
     item_id: {
-      S: "2024_fa_barcrawl",
+      S: "2024_fa_barcrawl_2",
     },
     item_email_desc: {
       S: "Shirts will be availiable for pickup one week before the event. Check your email near then for more details. Make sure to join the ACM Discord for updates!",
@@ -88,7 +88,7 @@ const merchMetadata = [
       },
     },
     item_sales_active_utc: {
-      N: "0",
+      N: "-1",
     },
     member_price: {
       S: "price_1QFSCiDiGOXU9RuSNJ90SblG",

tests/unit/tickets.test.ts

@@ -59,9 +59,9 @@ describe("Test getting ticketing + merch metadata", async () => {
           priceDollars: { member: 22, nonMember: 26 },
         },
         {
-          itemId: "2024_fa_barcrawl",
+          itemId: "2024_fa_barcrawl_2",
           itemName: "ACM Bar Crawl: Fall 2024 (Nov 14)",
-          itemSalesActive: "1970-01-01T00:00:00.000Z",
+          itemSalesActive: false,
           priceDollars: { member: 15, nonMember: 18 },
         },
       ],
@@ -84,7 +84,36 @@ describe("Test getting ticketing + merch metadata", async () => {
         },
       ],
     });
-    expect(responseDataJson.tickets).toHaveLength(2);
+  });
+  test("Ensure scanners can only see active items", async () => {
+    ddbMock
+      .on(ScanCommand)
+      .resolvesOnce({
+        Items: merchMetadata as Record<string, AttributeValue>[],
+      })
+      .resolvesOnce({
+        Items: ticketsMetadata as Record<string, AttributeValue>[],
+      })
+      .rejects();
+    const testJwt = createJwt(undefined, "scanner-only");
+    await app.ready();
+    const response = await supertest(app.server)
+      .get("/api/v1/tickets")
+      .set("authorization", `Bearer ${testJwt}`);
+    const responseDataJson = response.body;
+    console.log(responseDataJson);
+    expect(response.statusCode).toEqual(200);
+    expect(responseDataJson).toEqual({
+      merch: [
+        {
+          itemId: "2024_spr_tshirt",
+          itemName: "ACM T-Shirt: Spring 2024 Series",
+          itemSalesActive: "1970-01-01T00:00:00.000Z",
+          priceDollars: { member: 22, nonMember: 26 },
+        },
+      ],
+      tickets: [],
+    });
   });
 });