backend: Allow mocking the user based on custom header

UniversityOfHelsinkiCS · Mar 20, 2024 · c43425f · c43425f
1 parent fe25d8c
commit c43425f
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/backend/src/controllers/LoginController.js b/backend/src/controllers/LoginController.js
@@ -40,7 +40,9 @@ export const login = async (req, res) => {
         try {
             const { shibbolethId, studentNumber, firstname, lastname, email } =
                 parseShibbolethInformationFromHeaders(req.headers)
-            await register(shibbolethId, studentNumber, firstname, lastname, email)
+            if (!req.isMockUser) {
+                await register(shibbolethId, studentNumber, firstname, lastname, email)
+            }
             const token = await generateToken(shibbolethId)
             res.status(200).json({ token })
         } catch (err) {

diff --git a/backend/src/middleware/auth.js b/backend/src/middleware/auth.js
@@ -6,6 +6,9 @@ const config = require('../util/config')
 
 const isShibboUser = (userId, uidHeader) => userId === uidHeader
 
+const hasAtLeastOneRole = (userRoles, allowedRoleNames) =>
+    userRoles.filter(item => allowedRoleNames.includes(item.role.name)).length > 0
+
 /**
  * Authentication middleware that is called before any requests.
  *
@@ -14,11 +17,26 @@ export const checkAuth = async (req, res, next) => {
     const token = req.headers['x-access-token']
     const { uid } = req.headers
     if (token) {
-        jwt.verify(token, config.TOKEN_SECRET, (err, decoded) => {
+        jwt.verify(token, config.TOKEN_SECRET, async (err, decoded) => {
             if (err) {
                 res.status(403).json(err)
             } else if (isShibboUser(decoded.userId, uid)) {
                 req.decodedToken = decoded
+
+                if (req.headers['x-mock-user-id']) {
+                    // only allow admins to mock other users
+                    const user = await personService.getLoggedPerson(req)
+                    const userRoles = await roleService.getUsersRoles(user)
+                    const isAdmin = hasAtLeastOneRole(userRoles, ['admin'])
+
+                    if (isAdmin || process.env.NODE === 'development') {
+                        req.headers.uid = req.headers['x-mock-user-id']
+                        req.isMockUser = true
+                        // if x-mock-user-id is set, we need to mock userId also in the token
+                        req.decodedToken.userId = req.headers['x-mock-user-id']
+                    }
+                }
+
                 next()
             } else {
                 res.status(403).json({ error: 'User shibboleth id and token id did not match' })
@@ -55,12 +73,12 @@ export const checkCanSubmitThesis = async (req, res, next) => {
     await checkRoles(staffRoles, req, res, next)
 }
 
-const checkRoles = async (allowedRoles, req, res, next) => {
+const checkRoles = async (allowedRoleNames, req, res, next) => {
     console.log("Checking roles")
     const user = await personService.getLoggedPerson(req)
     const userRoles = await roleService.getUsersRoles(user)
     try {
-        if (userRoles.filter(item => allowedRoles.includes(item.role.name)).length > 0) {
+        if (hasAtLeastOneRole(userRoles, allowedRoleNames)) {
             console.log("Roles were ok")
             next()
         } else {