Implement basic RBAC

Forbid front end navigation and API access if at least one role isn't present

app/src/components/constants.ts

@@ -14,13 +14,21 @@ export const DEFAULTCORS = Object.freeze({
   origin: true
 });
 
-/** Current user authentication type */
+/** Current user authentication types */
 export const IdentityProvider = Object.freeze({
   IDIR: 'idir',
   BCEID: 'bceidbasic',
   BCEIDBUSINESS: 'bceidbusiness'
 });
 
+/** Current user access role types */
+export const AccessRoles = Object.freeze({
+  PCNS_ADMIN: 'PCNS_ADMIN',
+  PCNS_DEVELOPER: 'PCNS_DEVELOPER',
+  PCNS_NAVIGATOR: 'PCNS_NAVIGATOR',
+  PCNS_OTHER: 'PCNS_OTHER'
+});
+
 /** CHEFS form statuses */
 export const APPLICATION_STATUS_LIST = Object.freeze({
   NEW: 'New',

app/src/middleware/authorization.ts

@@ -0,0 +1,32 @@
+// @ts-expect-error api-problem lacks a defined interface; code still works fine
+import Problem from 'api-problem';
+
+import { AccessRoles } from '../components/constants';
+
+import type { NextFunction, Request, Response } from '../interfaces/IExpress';
+
+/**
+ * @function hasAccess
+ * Check if the currentUser has at least one assigned role
+ * @param {Request} req Express request object
+ * @param {Response} res Express response object
+ * @param {NextFunction} next The next callback function
+ * @returns {function} Express middleware function
+ * @throws The error encountered upon failure
+ */
+export const hasAccess = async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    // TODO: Can we expand tokenPayload to include client_roles?
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const roles = (req.currentUser?.tokenPayload as any)?.client_roles;
+    if (!roles || !Object.values(AccessRoles).some((r) => roles.includes(r))) {
+      throw new Error('Invalid role authorization');
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  } catch (err: any) {
+    return next(new Problem(403, { detail: err.message, instance: req.originalUrl }));
+  }
+
+  // Continue middleware
+  next();
+};

app/src/routes/v1/index.ts

@@ -1,4 +1,5 @@
 import { currentUser } from '../../middleware/authentication';
+import { hasAccess } from '../../middleware/authorization';
 import express from 'express';
 import chefs from './chefs';
 import document from './document';
@@ -7,6 +8,7 @@ import user from './user';
 
 const router = express.Router();
 router.use(currentUser);
+router.use(hasAccess);
 
 // Base v1 Responder
 router.get('/', (_req, res) => {

frontend/src/router/index.ts

@@ -116,6 +116,11 @@ export default function getRouter() {
       if (!user || user.expired) {
         router.replace({ name: RouteNames.LOGIN });
       }
+
+      // Forbid if user does not have at least one assigned role
+      if (user && (!user?.profile?.client_roles || (user?.profile?.client_roles as []).length === 0)) {
+        router.replace({ name: RouteNames.FORBIDDEN });
+      }
     }
   });
 

frontend/src/utils/constants.ts

@@ -1,4 +1,5 @@
 import {
+  ACCESS_ROLES,
   APPLICATION_STATUS_LIST,
   INTAKE_STATUS_LIST,
   PERMIT_STATUS,
@@ -51,6 +52,16 @@ export const ToastTimeout = Object.freeze({
   WARNING: 5000
 });
 
+/**
+ * Route names
+ */
+export const AccessRoles = Object.freeze({
+  PCNS_ADMIN: ACCESS_ROLES.PCNS_ADMIN,
+  PCNS_DEVELOPER: ACCESS_ROLES.PCNS_DEVELOPER,
+  PCNS_NAVIGATOR: ACCESS_ROLES.PCNS_NAVIGATOR,
+  PCNS_OTHER: ACCESS_ROLES.PCNS_OTHER
+});
+
 /**
  * CHEFS form constants
  */

frontend/src/utils/enums.ts

@@ -1,11 +1,23 @@
 // Enums that represent general app-wide values
 
-// Which way to display a button that can appear in multiple modes
+/**
+ *  Which way to display a button that can appear in multiple modes
+ */
 export const enum BUTTON_MODE {
   BUTTON = 'BUTTON',
   ICON = 'ICON'
 }
 
+/**
+ * Current user access role types
+ */
+export const ACCESS_ROLES = Object.freeze({
+  PCNS_ADMIN: 'PCNS_ADMIN',
+  PCNS_DEVELOPER: 'PCNS_DEVELOPER',
+  PCNS_NAVIGATOR: 'PCNS_NAVIGATOR',
+  PCNS_OTHER: 'PCNS_OTHER'
+});
+
 /**
  * CHEFS form statuses
  */