Newspaper Archive auth endpoint - check supporter entitlement #1404

Merged
merged 5 commits into from
Oct 23, 2024

Conversation

andrewHEguardian
Contributor

@andrewHEguardian andrewHEguardian commented Oct 22, 2024

Current situation/background

We have an endpoint that authenticates a user, and sends them off to newspapers dot com. It doesn't check if they're actually entitled to go there.

What does this PR change?

This PR adds a check of the user's supporter entitlements - by sending a request to members data api's user-attributes/me endpoint.

Next steps/further info

I've left 3 todos:

  1. Update the list of entitlements MDAPI returns, currently none accurately reflect this benefit of Tier3
  2. Send the user somewhere if they aren't entitled (this is a nice to have)
  3. Refactor to parse the responses

return {};
}
};

export const customMembersDataApiHandler = proxyApiHandler(

Member

Could we use this function rather than having to export the authorization one?


Contributor Author

I had a go at this but it's quite hard to wrangle. Because it's a callback that doesn't return anything, we can give it our express Response object, but we don't actually want to hijack what we return to the user.

@andrewHEguardian andrewHEguardian requested a review from tjmw October 23, 2024 14:14

Member

@tjmw tjmw left a comment

I think this looks good. I left a couple of bits of minor feedback to take or leave, see what you think.

method: 'GET',
headers: {
...(await authorizationOrCookieHeader({ req, host })),
'Content-Type': 'application/json',

Member

Super minor point - but do we need to send a Content-Type header here? My understanding is that it's needed as a request header when sending a request with a particular content type in the body (which isn't the case here as it's a GET).


Contributor Author

I think you're right! It was copied from the other code that calls mdapi but doesn't seem necessary here. I've also copied the X_GU_ID_FORWARDED_SCOPE, which I'm assuming is important. I'll try testing without it...

return res.sendStatus(500);
}

const hasCorrectEntitlement = await checkSupporterEntitlement(req);

Member

I wonder if this should be wrapped in a try/catch in case any of the underlying operations error (for example if the request to mdapi fails)? I guess in that case we'd want to set hasCorrectEntitlement to false to be on the safe side.


Contributor Author

I've wrapped the whole thing in a try/catch; it seems more accurate than, e.g., telling a user they don't have a product when the mdapi call failed.
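The fail-closed entitlement check this thread converges on (the PR description's point that the endpoint authenticated users but never authorized the redirect, the todo to parse the mdapi response, the GET-without-Content-Type remark, and the try/catch around the mdapi call), as an added TypeScript example that is not the gateway's own code. It assumes an injectable fetch-like function so it runs offline, a response body shaped `{ entitlements: string[] }` (an assumption; the PR only says the responses still need parsing) and a placeholder entitlement name, since the PR notes that none of the entitlements MDAPI currently returns matches this benefit. The `user-attributes/me` path comes from the PR description; the host and auth header values are constructed.

```typescript
// Added example, not the gateway's code. Assumptions: an injected fetch-like
// function (offline), a `{ entitlements: string[] }` body, and a placeholder
// entitlement name; only the user-attributes/me path is from the PR.
type MdapiResponse = { ok: boolean; status: number; json: () => Promise<unknown> };
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string> },
) => Promise<MdapiResponse>;

// What the call produced: a response, or a thrown error. Separating this from
// the decision keeps the fail-closed rule testable without any I/O.
type MdapiOutcome =
  | { kind: 'response'; ok: boolean; body: unknown }
  | { kind: 'error'; reason: string };

// Placeholder: the PR says no existing MDAPI entitlement reflects this benefit yet.
const REQUIRED_ENTITLEMENT = 'newspaperArchive';

// Narrow an unknown JSON body to the list we rely on. Anything unexpected
// (non-object, missing field, non-array, non-string members) yields an empty list.
function parseEntitlements(body: unknown): string[] {
  if (typeof body !== 'object' || body === null) return [];
  const raw = (body as { entitlements?: unknown }).entitlements;
  if (!Array.isArray(raw)) return [];
  return raw.filter((e): e is string => typeof e === 'string');
}

// The decision: only a successful response that positively lists the required
// entitlement grants access. A thrown error or a non-2xx status denies, so an
// mdapi outage is never mistaken for "this user has no product".
function entitledFromOutcome(outcome: MdapiOutcome): boolean {
  if (outcome.kind === 'error') return false;
  if (!outcome.ok) return false;
  return parseEntitlements(outcome.body).includes(REQUIRED_ENTITLEMENT);
}

// The I/O wrapper: a GET carrying the caller's auth headers and no Content-Type
// (there is no request body). Every failure path collapses into an outcome.
async function checkSupporterEntitlement(
  fetcher: FetchLike,
  host: string,
  authHeaders: Record<string, string>,
): Promise<boolean> {
  let outcome: MdapiOutcome;
  try {
    const res = await fetcher(`https://${host}/user-attributes/me`, {
      method: 'GET',
      headers: { ...authHeaders },
    });
    outcome = { kind: 'response', ok: res.ok, body: await res.json() };
  } catch (e) {
    outcome = { kind: 'error', reason: e instanceof Error ? e.message : String(e) };
  }
  return entitledFromOutcome(outcome);
}

// Constructed stand-ins for mdapi so the example runs offline.
function fakeFetch(body: unknown, ok = true, status = 200): FetchLike {
  return async () => ({ ok, status, json: async () => body });
}
function failingFetch(): FetchLike {
  return async () => {
    throw new Error('mdapi unreachable');
  };
}

// Usage with constructed inputs: an unreachable mdapi denies, a listed
// entitlement grants, a 403 denies.
const constructedHost = 'members-data-api.example';
const constructedAuth = { Authorization: 'Bearer constructed-example-token' };
checkSupporterEntitlement(failingFetch(), constructedHost, constructedAuth).then((v) =>
  console.log('mdapi down ->', v),
);
checkSupporterEntitlement(
  fakeFetch({ entitlements: ['supporterPlus', REQUIRED_ENTITLEMENT] }),
  constructedHost,
  constructedAuth,
).then((v) => console.log('entitled ->', v));
checkSupporterEntitlement(fakeFetch({ error: 'forbidden' }, false, 403), constructedHost, constructedAuth).then(
  (v) => console.log('forbidden ->', v),
);
```

The split between `entitledFromOutcome` and `checkSupporterEntitlement` is the design choice worth keeping: the pure function encodes the "deny unless positively entitled" rule and can be unit-tested against every outcome, while the wrapper's only job is to turn network errors, bad JSON and non-2xx statuses into outcomes rather than into a thrown exception that the express handler would have to turn into a 500.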

@andrewHEguardian andrewHEguardian merged commit b516bc6 into main Oct 23, 2024
13 checks passed
@andrewHEguardian andrewHEguardian deleted the ahe/newspaper-archive-check-support branch October 23, 2024 15:26
@prout-bot
Collaborator

Seen on PROD (merged by @andrewHEguardian 10 minutes and 7 seconds ago) Please check your changes!
