basing security check on crawler and not event on refreshScheduleRequest endpoint, because event might not exist on first crawl

fcamblor · fcamblor · commit e157578f4086 · 2024-04-25T21:41:51.000+02:00
diff --git a/cloud/functions/src/functions/http/api/events-routes.ts b/cloud/functions/src/functions/http/api/events-routes.ts
@@ -3,6 +3,7 @@ import * as z from "zod";
 import {ISO_DATETIME_PARSER} from "../../../utils/zod-parsers";
 import {Routes} from "./routes";
 import {
+  ensureHasCrawlerFamilyOrEventOrganizerToken,
   ensureHasEventStatsValidToken,
   ensureHasFamilyOrEventOrganizerToken,
   ensureHasRoomStatsContributorValidToken,
@@ -58,7 +59,7 @@ export function declareEventHttpRoutes(app: Express) {
         eventId: z.string().min(3),
       })
     }),
-    ensureHasFamilyOrEventOrganizerToken(),
+    ensureHasCrawlerFamilyOrEventOrganizerToken(),
     async (res, path, query, body) =>
       (await import("../event/crawlEvent")).requestEventScheduleRefresh(res, path, query));
   Routes.get(app, '/events/:eventId/talkEditors',
diff --git a/cloud/functions/src/functions/http/api/route-access.ts b/cloud/functions/src/functions/http/api/route-access.ts
@@ -6,6 +6,11 @@ import {
 } from "../../firestore/services/publicTokens-utils";
 import {match, P} from "ts-pattern";
 import {PublicToken} from "../../../../../../shared/public-tokens";
+import {getCrawlersMatching} from "../../firestore/services/crawlers-utils";
+import {FieldPath} from "firebase-admin/firestore";
+import {ConferenceDescriptor} from "../../../../../../shared/conference-descriptor.firestore";
+import {FIREBASE_CRAWLER_DESCRIPTOR_PARSER} from "../../../crawlers/crawler-parsers";
+import {z} from "zod";
 
 
 export function publicEndpoint() {
@@ -21,27 +26,28 @@ export function ensureHasSuperAdminToken() {
   }
 }
 
-function ensureEventBasedTokenPredicateIsValid<T extends PublicToken>(publicTokenResolver: (token: string) => Promise<T>) {
+function ensureEventBasedTokenPredicateIsValid<
+  T extends PublicToken,
+  E extends { eventFamily: string, eventName: string }
+>(
+  entityResolver: (eventId: string) => Promise<E>,
+  publicTokenResolver: (token: string) => Promise<T>
+) {
   return async (pathParams: { eventId: string }, queryParams: { token: string }) => {
     const token = queryParams.token;
 
-    const eventDescriptor = await getEventDescriptor(pathParams.eventId);
-
-    if(!eventDescriptor) {
-      throw new Error(`No event found with id ${pathParams.eventId}`)
-    }
-
+    const entity = await entityResolver(pathParams.eventId);
     const matchingPublicToken = await publicTokenResolver(token);
 
     const validationErrorMessage = match(matchingPublicToken as PublicToken)
       .with({ eventFamilies: P.array(P.string) }, ({ eventFamilies: tokenEventFamilies }) => {
-        if(!eventDescriptor.eventFamily || !tokenEventFamilies.includes(eventDescriptor.eventFamily)) {
-          return `Provided event family-based token doesn't match with event ${eventDescriptor.id} family: [${eventDescriptor.eventFamily}]`;
+        if(!entity.eventFamily || !tokenEventFamilies.includes(entity.eventFamily)) {
+          return `Provided event family-based token doesn't match with event ${pathParams.eventId} family: [${entity.eventFamily}]`;
         }
         return undefined;
       }).with({ eventNames: P.array(P.string) }, ({ eventNames: tokenEventNames }) => {
-        if(!eventDescriptor.eventName || !tokenEventNames.includes(eventDescriptor.eventName)) {
-          return `Provided event-based token doesn't match with event ${eventDescriptor.id} name: [${eventDescriptor.eventName}]`
+        if(!entity.eventName || !tokenEventNames.includes(entity.eventName)) {
+          return `Provided event-based token doesn't match with event ${pathParams.eventId} name: [${entity.eventName}]`
         }
         return undefined;
       }).exhaustive();
@@ -50,18 +56,43 @@ function ensureEventBasedTokenPredicateIsValid<T extends PublicToken>(publicToke
       throw new Error(validationErrorMessage);
     }
 
-    return eventDescriptor;
+    return entity;
+  }
+}
+
+async function resolveEventById(eventId: string): Promise<ConferenceDescriptor> {
+  const eventDescriptor = await getEventDescriptor(eventId);
+
+  if(!eventDescriptor) {
+    throw new Error(`No event found with id ${eventId}`)
+  }
+
+  return eventDescriptor;
+}
+
+async function resolveCrawlerById(eventId: string): Promise<z.infer<typeof FIREBASE_CRAWLER_DESCRIPTOR_PARSER> & {id: string}> {
+
+  const crawlerDescriptors = await getCrawlersMatching(crawlerColl => crawlerColl.where(FieldPath.documentId(), "==", eventId))
+
+  if(!crawlerDescriptors.length) {
+    throw new Error(`No crawler found with id ${eventId}`)
   }
+
+  return crawlerDescriptors[0];
 }
 
 export function ensureHasFamilyOrEventOrganizerToken() {
-  return ensureEventBasedTokenPredicateIsValid((token) => getFamilyOrEventOrganizerToken(token))
+  return ensureEventBasedTokenPredicateIsValid(resolveEventById, (token) => getFamilyOrEventOrganizerToken(token))
+}
+
+export function ensureHasCrawlerFamilyOrEventOrganizerToken() {
+  return ensureEventBasedTokenPredicateIsValid(resolveCrawlerById, (token) => getFamilyOrEventOrganizerToken(token))
 }
 
 export function ensureHasEventStatsValidToken() {
-  return ensureEventBasedTokenPredicateIsValid((token) => getEventStatsValidToken(token))
+  return ensureEventBasedTokenPredicateIsValid(resolveEventById, (token) => getEventStatsValidToken(token))
 }
 
 export function ensureHasRoomStatsContributorValidToken() {
-  return ensureEventBasedTokenPredicateIsValid((token) => getRoomStatsContributorValidToken(token))
+  return ensureEventBasedTokenPredicateIsValid(resolveEventById, (token) => getRoomStatsContributorValidToken(token))
 }
