Merge pull request #427 from demilade18-git/feat/issue-279-295-301-316-cors-oracle-blockchain-bridge-animations

feat: implement CORS middleware, Oracle role, and BlockchainService score bridge

Author: phertyameen

middleware/src/auth/rbac.middleware.ts

@@ -4,15 +4,19 @@ import { Request, Response, NextFunction } from 'express';
 export enum UserRole {
   USER = 'USER',
   MODERATOR = 'MODERATOR',
+  /** Trusted score submitter — can call blockchain score endpoints (Issue #295). */
+  ORACLE = 'ORACLE',
   ADMIN = 'ADMIN',
 }
 
 /**
- * ADMIN inherits all MODERATOR and USER permissions.
- * MODERATOR inherits all USER permissions.
+ * ADMIN inherits all permissions.
+ * ORACLE can submit trusted scores (USER-level API access + score submission).
+ * MODERATOR inherits USER permissions.
  */
 const ROLE_HIERARCHY: Record<UserRole, UserRole[]> = {
-  [UserRole.ADMIN]: [UserRole.ADMIN, UserRole.MODERATOR, UserRole.USER],
+  [UserRole.ADMIN]: [UserRole.ADMIN, UserRole.ORACLE, UserRole.MODERATOR, UserRole.USER],
+  [UserRole.ORACLE]: [UserRole.ORACLE, UserRole.USER],
   [UserRole.MODERATOR]: [UserRole.MODERATOR, UserRole.USER],
   [UserRole.USER]: [UserRole.USER],
 };

middleware/src/blockchain/blockchain.module.ts

@@ -6,6 +6,7 @@ import { RegisterPlayerProvider } from './providers/register-player.provider';
 import { SubmitPuzzleProvider } from './providers/submit-puzzle.provider';
 import { SyncXpMilestoneProvider } from './providers/sync-xp-milestone.provider';
 import { SyncStreakProvider } from './providers/sync-streak.provider';
+import { ScoreSubmissionBridge } from './score-submission.bridge';
 
 /**
  * BlockchainModule — Issue #307
@@ -37,7 +38,8 @@ import { SyncStreakProvider } from './providers/sync-streak.provider';
     SubmitPuzzleProvider,
     SyncXpMilestoneProvider,
     SyncStreakProvider,
+    ScoreSubmissionBridge,
   ],
-  exports: [BlockchainService],
+  exports: [BlockchainService, ScoreSubmissionBridge],
 })
 export class BlockchainModule {}

middleware/src/blockchain/index.ts

@@ -11,3 +11,6 @@ export * from './providers/sync-streak.provider';
 
 // Issue #308 — Wallet linking provider and its interfaces
 export * from './link-wallet.provider';
+
+// Issue #301 — Score submission bridge (Oracle/Admin → Stellar contract)
+export * from './score-submission.bridge';

middleware/src/blockchain/score-submission.bridge.ts

@@ -0,0 +1,59 @@
+import { Injectable, Logger, ForbiddenException } from '@nestjs/common';
+import { UserRole } from '../auth/rbac.middleware';
+import { BlockchainService } from './blockchain.service';
+
+export interface TrustedScorePayload {
+  stellarWallet: string;
+  puzzleId: string;
+  categoryId: string;
+  /** Normalized 0–100 score */
+  score: number;
+  submittedBy: string;
+  submitterRole: UserRole;
+}
+
+export interface TrustedScoreResult {
+  success: boolean;
+  stellarWallet: string;
+  puzzleId: string;
+}
+
+/**
+ * ScoreSubmissionBridge — Issue #301
+ *
+ * Bridges the backend score verification layer and the Stellar smart contract.
+ * Only ORACLE or ADMIN roles may submit trusted scores on-chain.
+ *
+ * Usage:
+ *   await this.scoreSubmissionBridge.submitTrustedScore({
+ *     stellarWallet, puzzleId, categoryId, score,
+ *     submittedBy: req.user.sub,
+ *     submitterRole: req.user.userRole,
+ *   });
+ */
+@Injectable()
+export class ScoreSubmissionBridge {
+  private readonly logger = new Logger(ScoreSubmissionBridge.name);
+
+  constructor(private readonly blockchainService: BlockchainService) {}
+
+  async submitTrustedScore(payload: TrustedScorePayload): Promise<TrustedScoreResult> {
+    const { stellarWallet, puzzleId, categoryId, score, submittedBy, submitterRole } = payload;
+
+    if (submitterRole !== UserRole.ORACLE && submitterRole !== UserRole.ADMIN) {
+      throw new ForbiddenException('Only ORACLE or ADMIN roles may submit trusted scores.');
+    }
+
+    if (score < 0 || score > 100) {
+      throw new Error(`Score must be 0–100, received ${score}`);
+    }
+
+    this.logger.log(
+      `Trusted score: ${submittedBy} (${submitterRole}) → wallet=${stellarWallet} puzzle=${puzzleId} score=${score}`,
+    );
+
+    await this.blockchainService.submitPuzzleOnChain(stellarWallet, puzzleId, categoryId, score);
+
+    return { success: true, stellarWallet, puzzleId };
+  }
+}

middleware/src/security/cors.middleware.ts

@@ -0,0 +1,68 @@
+import { Injectable, NestMiddleware } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+
+export interface CorsOptions {
+  origins?: string | string[];
+  methods?: string[];
+  allowedHeaders?: string[];
+  exposedHeaders?: string[];
+  credentials?: boolean;
+  maxAge?: number;
+}
+
+const DEFAULTS: Required<CorsOptions> = {
+  origins: '*',
+  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+  allowedHeaders: ['Content-Type', 'Authorization', 'X-Correlation-ID', 'X-Idempotency-Key'],
+  exposedHeaders: ['X-Correlation-ID'],
+  credentials: false,
+  maxAge: 86400,
+};
+
+@Injectable()
+export class CorsMiddleware implements NestMiddleware {
+  private readonly opts: Required<CorsOptions>;
+
+  constructor(options: CorsOptions = {}) {
+    this.opts = { ...DEFAULTS, ...options };
+  }
+
+  use(req: Request, res: Response, next: NextFunction): void {
+    const { origins, methods, allowedHeaders, exposedHeaders, credentials, maxAge } = this.opts;
+    const reqOrigin = req.headers.origin;
+
+    if (Array.isArray(origins)) {
+      if (reqOrigin && origins.includes(reqOrigin)) {
+        res.setHeader('Access-Control-Allow-Origin', reqOrigin);
+        res.setHeader('Vary', 'Origin');
+      }
+    } else {
+      res.setHeader('Access-Control-Allow-Origin', origins);
+    }
+
+    res.setHeader('Access-Control-Allow-Methods', methods.join(', '));
+    res.setHeader('Access-Control-Allow-Headers', allowedHeaders.join(', '));
+
+    if (exposedHeaders.length) {
+      res.setHeader('Access-Control-Expose-Headers', exposedHeaders.join(', '));
+    }
+
+    if (credentials) {
+      res.setHeader('Access-Control-Allow-Credentials', 'true');
+    }
+
+    if (req.method === 'OPTIONS') {
+      res.setHeader('Access-Control-Max-Age', String(maxAge));
+      res.status(204).end();
+      return;
+    }
+
+    next();
+  }
+}
+
+/** Factory for use with NestJS consumer.apply() */
+export function corsMiddleware(options?: CorsOptions) {
+  const mw = new CorsMiddleware(options);
+  return (req: Request, res: Response, next: NextFunction) => mw.use(req, res, next);
+}

middleware/src/security/index.ts

@@ -1,3 +1,3 @@
-// Placeholder: security middleware exports will live here.
-
-export const __securityPlaceholder = true;
+export * from './cors.middleware';
+export * from './security-headers.middleware';
+export * from './security-headers.config';