Allow registered users to see submissions

Author: jmgasper

src/shared/guards/tokenRoles.guard.spec.ts

@@ -0,0 +1,95 @@
+import 'reflect-metadata';
+
+import { ForbiddenException, type ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+
+import { TokenRolesGuard, ROLES_KEY } from './tokenRoles.guard';
+import { SCOPES_KEY } from '../decorators/scopes.decorator';
+import { UserRole } from '../enums/userRole.enum';
+
+describe('TokenRolesGuard', () => {
+  const reflector = new Reflector();
+  const guard = new TokenRolesGuard(reflector, {} as any);
+
+  function listSubmissions() {
+    return undefined;
+  }
+
+  const handler = listSubmissions;
+
+  beforeAll(() => {
+    Reflect.defineMetadata(
+      ROLES_KEY,
+      [UserRole.Copilot, UserRole.Admin, UserRole.Reviewer, UserRole.User],
+      handler,
+    );
+    Reflect.defineMetadata(SCOPES_KEY, ['read:submission'], handler);
+  });
+
+  type TestRequest = Record<string, unknown> & {
+    method: string;
+    query: Record<string, unknown>;
+    user: {
+      userId: string;
+      isMachine: boolean;
+      roles?: unknown[];
+      scopes?: unknown[];
+    };
+  };
+
+  const createExecutionContext = (request: TestRequest): ExecutionContext => {
+    class SubmissionController {}
+
+    return {
+      switchToHttp: () => ({
+        getRequest: () => request,
+      }),
+      getHandler: () => handler,
+      getClass: () => SubmissionController,
+      getType: () => 'http',
+      getArgs: () => [],
+      getArgByIndex: () => undefined,
+      switchToRpc: () => ({
+        getData: () => undefined,
+        getContext: () => undefined,
+      }),
+      switchToWs: () => ({
+        getClient: () => undefined,
+        getData: () => undefined,
+        getPattern: () => undefined,
+      }),
+    } as unknown as ExecutionContext;
+  };
+
+  it('allows authenticated users without explicit roles when requesting submissions by challengeId', () => {
+    const request = {
+      method: 'GET',
+      query: { challengeId: '12345' },
+      user: {
+        userId: '1001',
+        isMachine: false,
+        roles: [],
+      },
+    };
+
+    const context = createExecutionContext(request);
+
+    expect(guard.canActivate(context)).toBe(true);
+  });
+
+  it('denies access when challengeId is missing', () => {
+    const request = {
+      method: 'GET',
+      query: {},
+      user: {
+        userId: '1001',
+        isMachine: false,
+        roles: [],
+      },
+    };
+
+    const context = createExecutionContext(request);
+
+    expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
+  });
+});

src/shared/guards/tokenRoles.guard.ts

@@ -43,22 +43,35 @@ export class TokenRolesGuard implements CanActivate {
         throw new UnauthorizedException('Missing or invalid token!');
       }
 
-      // Check role-based access for regular users
-      if (Array.isArray(user.roles) && requiredRoles.length > 0) {
-        const normalizedUserRoles = user.roles
-          .map((role) => String(role).trim().toLowerCase())
-          .filter((role) => role.length > 0);
+      const normalizedRequiredRoles = requiredRoles.map((role) =>
+        String(role).trim().toLowerCase(),
+      );
 
-        const normalizedRequiredRoles = requiredRoles.map((role) =>
-          String(role).trim().toLowerCase(),
-        );
+      // Check role-based access for regular users
+      if (normalizedRequiredRoles.length > 0) {
+        const normalizedUserRoles = Array.isArray(user.roles)
+          ? user.roles
+              .map((role) => String(role).trim().toLowerCase())
+              .filter((role) => role.length > 0)
+          : [];
 
         const hasRole = normalizedRequiredRoles.some((role) =>
           normalizedUserRoles.includes(role),
         );
         if (hasRole) {
           return true;
         }
+
+        if (
+          this.allowSubmissionListByChallenge(
+            context,
+            request,
+            normalizedRequiredRoles,
+            user,
+          )
+        ) {
+          return true;
+        }
       }
 
       // Check scope-based access for M2M tokens
@@ -95,4 +108,54 @@ export class TokenRolesGuard implements CanActivate {
       throw new UnauthorizedException('Invalid token');
     }
   }
+
+  private allowSubmissionListByChallenge(
+    context: ExecutionContext,
+    request: any,
+    normalizedRequiredRoles: string[],
+    user: any,
+  ): boolean {
+    const generalUserRole = String(UserRole.User).trim().toLowerCase();
+
+    if (user?.isMachine || !user?.userId) {
+      return false;
+    }
+
+    if (!normalizedRequiredRoles.includes(generalUserRole)) {
+      return false;
+    }
+
+    const handler = context.getHandler?.();
+    const controllerClass = context.getClass?.();
+
+    const isSubmissionListHandler =
+      controllerClass?.name === 'SubmissionController' &&
+      handler?.name === 'listSubmissions';
+
+    if (!isSubmissionListHandler) {
+      return false;
+    }
+
+    const method = (request?.method || '').toUpperCase();
+    if (method !== 'GET') {
+      return false;
+    }
+
+    const challengeId = request?.query?.challengeId;
+    if (!this.hasNonEmptyQueryParam(challengeId)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  private hasNonEmptyQueryParam(value: unknown): boolean {
+    if (typeof value === 'string') {
+      return value.trim().length > 0;
+    }
+    if (Array.isArray(value)) {
+      return value.some((entry) => this.hasNonEmptyQueryParam(entry));
+    }
+    return false;
+  }
 }