fix(adapter): use proper app authority name

dhis2 · KaiVandivier · Oct 14, 2022 · Oct 14, 2022 · Oct 14, 2022 · Oct 17, 2022
commit b03b8584489b3bbbe887917f63f6fedc9b15d47f
diff --git a/adapter/src/components/AuthBoundary.js b/adapter/src/components/AuthBoundary.js
@@ -7,9 +7,13 @@ import PropTypes from 'prop-types'
 import React, { useState } from 'react'
 import { LoadingMask } from './LoadingMask'
 
-// TODO: Remove useVerifyLatestUser
-// TODO: add actual appName to config; rename existing to appTitle (& refactor)
-// - will also need to change app-runtime and headerbar-ui APIs
+// TODO: Remove useVerifyLatestUser.js (and in app wrapper)
+
+const LATEST_USER_KEY = 'dhis2.latestUser'
+const IS_PRODUCTION_ENV = process.env.NODE_ENV === 'production'
+
+const APP_MANAGER_AUTHORITY = 'M_dhis-web-maintenance-appmanager'
+const REQUIRED_APP_AUTHORITY = process.env.REACT_APP_DHIS2_APP_AUTH_NAME
 
 const USER_QUERY = {
  user: {
@@ -18,21 +22,6 @@ const USER_QUERY = {
  },
 }
 
-const LATEST_USER_KEY = 'dhis2.latestUser'
-
-const getRequiredAppAuthority = (appName) => {
- // TODO: this only works for installed, non-core apps. Need other logic for those (dhis-web-app-name)
- // Maybe add this logic to CLI add this to config, instead of needing more env vars here
- // Need 'coreApp', 'name', 'title' (rename current appName to appTitle)
- return (
- 'M_' +
- appName
- .trim()
- .replaceAll(/[^a-zA-Z0-9\s]/g, '')
- .replaceAll(/\s/g, '_')
- )
-}
-
 async function clearCachesIfUserChanged({ currentUserId, pwaEnabled }) {
  const latestUserId = localStorage.getItem(LATEST_USER_KEY)
  if (currentUserId !== latestUserId) {
@@ -46,6 +35,20 @@ async function clearCachesIfUserChanged({ currentUserId, pwaEnabled }) {
  }
 }
 
+const isAppAvailable = (authorities) => {
+ // Skip check on dev
+ // TODO: should we check on dev environments too?
+ if (!IS_PRODUCTION_ENV) {
+ return true
+ }
+ // Check for three possible authorities
+ return authorities.some((authority) =>
+ ['ALL', APP_MANAGER_AUTHORITY, REQUIRED_APP_AUTHORITY].includes(
+ authority
+ )
+ )
+}
+
 /**
  * This hook is used to clear sensitive caches if a user other than the one
  * that cached that data logs in
@@ -56,8 +59,6 @@ export function AuthBoundary({ children }) {
  const [finished, setFinished] = useState(false)
  const { loading, error, data } = useDataQuery(USER_QUERY, {
  onComplete: async ({ user }) => {
- console.log({ authorities: user.authorities })
-
  await clearCachesIfUserChanged({
  currentUserId: user.id,
  pwaEnabled,
@@ -74,21 +75,13 @@ export function AuthBoundary({ children }) {
  throw new Error('Failed to fetch user ID: ' + error)
  }
 
- if (data) {
- const userHasAllAuthority = data.user.authorities.includes('ALL')
-
- const requiredAppAuthority = getRequiredAppAuthority(appName)
- console.log({ requiredAppAuthority })
-
- const userHasRequiredAppAuthority =
- data.user.authorities.includes(requiredAppAuthority)
- if (!userHasAllAuthority && !userHasRequiredAppAuthority) {
- // TODO: better UI element than error boundary?
- throw new Error('Forbidden: not authorized to view this app')
- }
+ if (isAppAvailable(data.user.authorities)) {
+ return children
+ } else {
+ throw new Error(
+ `Forbidden: you don't have access to the ${appName} app`
+ )
  }
-
- return children
 }
 AuthBoundary.propTypes = {
  children: PropTypes.node,

diff --git a/cli/src/lib/formatAppAuthName.js b/cli/src/lib/formatAppAuthName.js
@@ -0,0 +1,30 @@
+const APP_AUTH_PREFIX = 'M_'
+const DHIS_WEB = 'dhis-web-'
+
+/**
+ * Returns the string that identifies the 'App view permission'
+ * required to view the app
+ *
+ * Ex: coreApp && name = 'data-visualizer': authName = 'M_dhis-web-data-visualizer'
+ * Ex: name = 'pwa-example': authName = 'M_pwaexample'
+ * Ex: name = 'BNA Action Tracker': authName = 'M_BNA_Action_Tracker'
+ */
+const formatAppAuthName = (config) => {
+ if (config.coreApp) {
+ // TODO: Verify this formatting - are there any transformations,
+ // or do we trust that it's lower-case and hyphenated?
+ return APP_AUTH_PREFIX + DHIS_WEB + config.name
+ }
+
+ // This formatting is drawn from https://github.com/dhis2/dhis2-core/blob/master/dhis-2/dhis-api/src/main/java/org/hisp/dhis/appmanager/App.java#L494-L499
+ // (replaceAll is only introduced in Node 15)
+ return (
+ APP_AUTH_PREFIX +
+ config.name
+ .trim()
+ .replace(/[^a-zA-Z0-9\s]/g, '')
+ .replace(/\s/g, '_')
+ )
+}
+
+module.exports = formatAppAuthName
diff --git a/cli/src/lib/formatAppAuthName.test.js b/cli/src/lib/formatAppAuthName.test.js
@@ -0,0 +1,26 @@
+const formatAppAuthName = require('./formatAppAuthName.js')
+
+describe('core app handling', () => {
+ it('should handle core apps', () => {
+ const config = { coreApp: true, name: 'data-visualizer' }
+ const formattedAuthName = formatAppAuthName(config)
+
+ expect(formattedAuthName).toBe('M_dhis-web-data-visualizer')
+ })
+})
+
+describe('non-core app handling', () => {
+ it('should handle app names with hyphens', () => {
+ const config = { name: 'hyphenated-string-example' }
+ const formattedAuthName = formatAppAuthName(config)
+
+ expect(formattedAuthName).toBe('M_hyphenatedstringexample')
+ })
+
+ it('should handle app names with capitals and spaces', () => {
+ const config = { name: 'Multi Word App Name' }
+ const formattedAuthName = formatAppAuthName(config)
+
+ expect(formattedAuthName).toBe('M_Multi_Word_App_Name')
+ })
+})
diff --git a/cli/src/lib/shell/index.js b/cli/src/lib/shell/index.js
@@ -1,4 +1,5 @@
 const { exec } = require('@dhis2/cli-helpers-engine')
+const formatAppAuthName = require('../formatAppAuthName')
 const { getPWAEnvVars } = require('../pwa')
 const bootstrap = require('./bootstrap')
 const getEnv = require('./env')
@@ -7,6 +8,7 @@ module.exports = ({ config, paths }) => {
  const baseEnvVars = {
  name: config.title,
  version: config.version,
+ auth_name: formatAppAuthName(config),
  }
 
  return {