chore: minor type, name, and structural edits

Author: natalierobbins

server/src/middleware/auth.ts

@@ -3,7 +3,7 @@ import { NextFunction, Response } from 'express';
 import User from '@/models/users';
 import { AuthenticatedRequest } from '@/types/auth';
 import { verifyAuthToken } from '@/utils/authTokenHandler';
-import authorizeUser from '@/utils/roleBasedAccess';
+import defineAbilitiesForUser from '@/utils/roleBasedAccess';
 
 // Middleware for verifying token signature and storing token info in response
 // If this call passes to the next handler, it means the user is atleast a volunteer
@@ -33,8 +33,6 @@ export async function auth(
 
 		// Add the decoded token to the request object
 		req.user = {
-			// REVIEW: Why do we need "id" here? Where are we using it?
-			id: decodedAuthToken.id ?? decodedAuthToken.employeeId,
 			employeeId: decodedAuthToken.employeeId,
 			role: decodedAuthToken.role,
 			firstName: decodedAuthToken.firstName
@@ -65,7 +63,7 @@ export async function auth(
 		}
 
 		// Add role authorization to the request
-		req.authorization = authorizeUser(req, user.id, user.permissions);
+		req.authorization = defineAbilitiesForUser(req, user.id, user.permissions);
 
 		next();
 	} catch (err: any) {

server/src/models/users.ts

@@ -1,23 +1,7 @@
 import mongoose, { Model, Schema } from 'mongoose';
 
-import { IPermission, IUser } from '@/types/models';
-import {
-	ACTION_ENUM,
-	RESOURCE_ENUM,
-	SCOPE_ENUM
-} from '@/utils/roleBasedAccess';
-
-// Permission schema definition
-// This schema defines the structure of the permission data assigned to a user for a single operation.
-// It includes fields for action, resource, and scope.
-// These permissions are used in addition to the default permissions for each role
-// REVIEW: Why is this Schema? Maybe an interface would work just fine.
-// REVIEW: Update property names to match CASL terminology? Action, subject, field, conditions?
-const permissionSchema = new Schema<IPermission>({
-	action: { type: String, enum: ACTION_ENUM, required: true },
-	resource: { type: String, enum: RESOURCE_ENUM, required: true },
-	scope: { type: String, enum: SCOPE_ENUM, required: true }
-});
+import { IUser } from '@/types/models';
+import { ACTION_ENUM, SUBJECT_ENUM, CONDITION_ENUM } from '@/utils/roleDefinitions';
 
 // User schema definition
 // This schema defines the structure of the user data in the MongoDB database.
@@ -46,7 +30,11 @@ const userSchema = new Schema<IUser>(
 			default: 'Pending'
 		},
 		permissions: {
-			type: [permissionSchema],
+			type: [{
+				action: { type: String, enum: ACTION_ENUM, required: true },
+				subject: { type: String, enum: SUBJECT_ENUM, required: true },
+				condition: { type: String, enum: CONDITION_ENUM, required: true }
+			}],
 			default: []
 		}
 	},

server/src/routes/auth.ts

@@ -12,7 +12,7 @@ import {
 	SignupRequest
 } from '@/types/auth';
 import { generateAuthToken } from '@/utils/authTokenHandler';
-import { ACTIONS } from '@/utils/roleBasedAccess';
+import { ACTIONS, SUBJECTS } from '@/utils/roleDefinitions';
 
 const router = express.Router();
 
@@ -193,7 +193,7 @@ router.get(
 		}
 		try {
 			const users = await User.find(
-				accessibleBy(req.authorization).ofType('User'),
+				accessibleBy(req.authorization).ofType(SUBJECTS.USER),
 				'firstName lastName role approvalStatus'
 			);
 			res.json(users);
@@ -208,15 +208,12 @@ router.get(
 
 router.put(
 	'/users/:id/approve',
-	auth, // REVIEW: Why auth and not [auth]. What's the difference?
+	[auth],
 	async (req: AuthenticatedRequest, res: Response): Promise<void> => {
-		// REVIEW: Should we replace 'User' with the const RESOURCES.USER?
-		// REVIEW: What is 'approvalStatus' here?
 		if (
 			!req.authorization?.can(
 				ACTIONS.CUSTOM.APPROVE,
-				subject('User', { _id: req.params.id }),
-				'approvalStatus'
+				subject(SUBJECTS.USER, { _id: req.params.id }),
 			)
 		) {
 			res.sendStatus(403);
@@ -252,7 +249,7 @@ router.post(
 	'/preapprove',
 	auth,
 	async (req: AuthenticatedRequest, res: Response): Promise<void> => {
-		if (!req.authorization?.can(ACTIONS.CUSTOM.PREAPPROVE, 'User')) {
+		if (!req.authorization?.can(ACTIONS.CUSTOM.PREAPPROVE, SUBJECTS.USER)) {
 			res.sendStatus(403);
 			return;
 		}
@@ -291,7 +288,7 @@ router.get(
 		if (
 			!req.authorization?.can(
 				ACTIONS.CASL.READ,
-				subject('User', { employeeId: req.params.employeeId })
+				subject(SUBJECTS.USER, { employeeId: req.params.employeeId })
 			)
 		) {
 			res.sendStatus(403);
@@ -325,7 +322,7 @@ router.put(
 		if (
 			!req.authorization?.can(
 				ACTIONS.CASL.UPDATE,
-				subject('User', { employeeId: req.params.employeeId })
+				subject(SUBJECTS.USER, { employeeId: req.params.employeeId })
 			)
 		) {
 			res.sendStatus(403);
@@ -366,7 +363,7 @@ router.get(
 		if (
 			!req.authorization?.can(
 				ACTIONS.CASL.READ,
-				subject('User', { _id: req.params.id })
+				subject(SUBJECTS.USER, { _id: req.params.id })
 			)
 		) {
 			res.sendStatus(403);
@@ -398,7 +395,7 @@ router.put(
 		if (
 			!req.authorization?.can(
 				ACTIONS.CASL.UPDATE,
-				subject('User', { _id: req.params.id })
+				subject(SUBJECTS.USER, { _id: req.params.id })
 			)
 		) {
 			res.sendStatus(403);

server/src/types/auth.ts

@@ -1,20 +1,17 @@
-import { MongoAbility } from '@casl/ability';
+import { Ability } from '@/utils/roleDefinitions';
 import { Request } from 'express';
 import { JwtPayload } from 'jsonwebtoken';
 
 export interface AuthenticatedRequest extends Request {
 	user?: {
-		id: string;
 		employeeId: string;
 		role: string;
 		firstName: string;
 	};
-	// REVIEW: Do we need <any> here?
-	authorization?: MongoAbility<any>;
+	authorization?: Ability;
 }
 
 export interface JWTPayload extends JwtPayload {
-	id: string;
 	employeeId: string;
 	role: string;
 }