Make endpoints superadmin only

Author: Timothy-Gonzalez

src/services/auth/auth-models.ts

@@ -1,6 +1,12 @@
 import { z } from "zod";
 
-export const Role = z.enum(["USER", "STAFF", "ADMIN", "CORPORATE"]);
+export const Role = z.enum([
+    "USER",
+    "STAFF",
+    "ADMIN",
+    "CORPORATE",
+    "SUPER_ADMIN",
+]);
 export type Role = z.infer<typeof Role>;
 
 export enum Platform {

src/services/auth/auth-router.ts

@@ -35,34 +35,38 @@ const oauthClients = {
 
 authRouter.use("/sponsor", authSponsorRouter);
 
-// Remove role from userId (admin only endpoint)
-authRouter.delete("/", RoleChecker([Role.Enum.ADMIN]), async (req, res) => {
-    // Validate request body using Zod schema
-    const { userId, role } = AuthRoleChangeRequest.parse(req.body);
+// Remove role from userId (super admin only endpoint)
+authRouter.delete(
+    "/",
+    RoleChecker([Role.Enum.SUPER_ADMIN]),
+    async (req, res) => {
+        // Validate request body using Zod schema
+        const { userId, role } = AuthRoleChangeRequest.parse(req.body);
 
-    const { data } = await SupabaseDB.AUTH_INFO.select("userId")
-        .eq("userId", userId)
-        .maybeSingle()
-        .throwOnError();
+        const { data } = await SupabaseDB.AUTH_INFO.select("userId")
+            .eq("userId", userId)
+            .maybeSingle()
+            .throwOnError();
 
-    if (!data) {
-        return res.status(StatusCodes.NOT_FOUND).json({
-            error: "UserNotFound",
-        });
-    }
+        if (!data) {
+            return res.status(StatusCodes.NOT_FOUND).json({
+                error: "UserNotFound",
+            });
+        }
 
-    const { data: deleted } = await SupabaseDB.AUTH_ROLES.delete()
-        .eq("userId", userId)
-        .eq("role", role)
-        .select()
-        .single()
-        .throwOnError();
+        const { data: deleted } = await SupabaseDB.AUTH_ROLES.delete()
+            .eq("userId", userId)
+            .eq("role", role)
+            .select()
+            .single()
+            .throwOnError();
 
-    return res.status(StatusCodes.OK).json(deleted);
-});
+        return res.status(StatusCodes.OK).json(deleted);
+    }
+);
 
-// Add role to userId (admin only endpoint)
-authRouter.put("/", RoleChecker([Role.Enum.ADMIN]), async (req, res) => {
+// Add role to userId (super admin only endpoint)
+authRouter.put("/", RoleChecker([Role.Enum.SUPER_ADMIN]), async (req, res) => {
     const { userId, role } = AuthRoleChangeRequest.parse(req.body);
 
     const { data } = await SupabaseDB.AUTH_INFO.select("userId")

src/services/notifications/notifications-router.test.ts

@@ -22,8 +22,6 @@ jest.mock("../../firebase", () => ({
     }),
 }));
 
-jest.setTimeout(100000);
-
 function makeTestAttendee(overrides = {}) {
     return {
         userId: TESTER.userId,
@@ -97,6 +95,10 @@ async function insertTestUser(overrides: InsertTestAttendeeOverrides = {}) {
     ]).throwOnError();
 }
 
+beforeEach(() => {
+    mockSend.mockReset();
+});
+
 describe("/notifications", () => {
     describe("POST /notifications/register", () => {
         it("should create a notification entry and subscribe to the allUsers topic", async () => {
@@ -141,8 +143,11 @@ describe("/notifications", () => {
     });
 
     describe("POST /notifications/topics/:topicName", () => {
-        it("should send a notification as an admin", async () => {
-            await post("/notifications/topics/event_123", Role.enum.ADMIN)
+        it("should send a notification as an super admin", async () => {
+            const res = await post(
+                "/notifications/topics/event_123",
+                Role.enum.SUPER_ADMIN
+            )
                 .send({ title: "Admin Test", body: "Admin Message" })
                 .expect(StatusCodes.OK);
 
@@ -154,6 +159,23 @@ describe("/notifications", () => {
                     body: "Admin Message",
                 },
             });
+
+            expect(res.body).toMatchObject({
+                status: "success",
+            });
+        });
+        it("fails if the user is not a super admin", async () => {
+            const res = await post(
+                "/notifications/topics/event_123",
+                Role.enum.ADMIN
+            )
+                .send({ title: "Admin Test", body: "Admin Message" })
+                .expect(StatusCodes.FORBIDDEN);
+
+            // Verify Firebase mock was not called
+            expect(mockSend).not.toHaveBeenCalled();
+
+            expect(res.body).toHaveProperty("error", "Forbidden");
         });
     });
 

src/services/notifications/notifications-router.ts

@@ -38,13 +38,13 @@ notificationsRouter.post(
     }
 );
 
-// Admins can send notifications to a specific topic
+// Super admins can send notifications to a specific topic
 // parameter: the topicName that the admin is sending to
 // ^ Can get this from dropdown (will have a route to get all topics)
 // Request body: title, body. (title and body of the notification)
 notificationsRouter.post(
     "/topics/:topicName",
-    RoleChecker([Role.enum.ADMIN]), // for now thinking that only admins get to use this
+    RoleChecker([Role.enum.SUPER_ADMIN]),
     async (req, res) => {
         sendToTopicSchema.parse(req.body); // make sure it fits the validator
 

src/services/subscription/subscription-router.test.ts

@@ -1,5 +1,10 @@
 import { describe, expect, it } from "@jest/globals";
-import { post, getAsAdmin, postAsAdmin } from "../../../testing/testingTools";
+import {
+    post,
+    getAsAdmin,
+    postAsAdmin,
+    postAsSuperAdmin,
+} from "../../../testing/testingTools";
 import { StatusCodes } from "http-status-codes";
 import { SupabaseDB } from "../../database";
 import { IncomingSubscription } from "./subscription-schema";
@@ -188,21 +193,21 @@ describe("GET /subscription/", () => {
 });
 
 describe("POST /subscription/send-email", () => {
-    it("should send an email to all subscribers of a list", async () => {
-        const mailingList = "test_list";
-        const subscribers = ["email1@test.com", "email2@test.com"];
+    const mailingList = "test_list";
+    const subscribers = ["email1@test.com", "email2@test.com"];
+    const emailPayload = {
+        mailingList: mailingList,
+        subject: "Test Subject",
+        htmlBody: "<p>Hello World</p>",
+    };
+    beforeEach(async () => {
         await SupabaseDB.SUBSCRIPTIONS.insert({
             mailingList,
             subscriptions: subscribers,
         });
-
-        const emailPayload = {
-            mailingList: mailingList,
-            subject: "Test Subject",
-            htmlBody: "<p>Hello World</p>",
-        };
-
-        await postAsAdmin("/subscription/send-email")
+    });
+    it("should send an email to all subscribers of a list", async () => {
+        const res = await postAsSuperAdmin("/subscription/send-email")
             .send(emailPayload)
             .expect(StatusCodes.OK);
 
@@ -222,18 +227,30 @@ describe("POST /subscription/send-email", () => {
 
         // Verify that the send method was actually invoked
         expect(mockSESV2Send).toHaveBeenCalledTimes(1);
+
+        expect(res.body).toEqual({
+            status: "success",
+        });
+    });
+    it("fails for a non-super admin", async () => {
+        const res = await postAsAdmin("/subscription/send-email")
+            .send(emailPayload)
+            .expect(StatusCodes.FORBIDDEN);
+
+        expect(SendEmailCommand).not.toHaveBeenCalled();
+        expect(mockSESV2Send).not.toHaveBeenCalled();
+        expect(res.body).toMatchObject({ error: "Forbidden" });
     });
 });
 
 describe("POST /subscription/send-email/single", () => {
+    const emailPayload = {
+        email: "ritam@test.com",
+        subject: "Single Email Test",
+        htmlBody: "<p>Single Email Body</p>",
+    };
     it("should send an email to a single specified email address", async () => {
-        const emailPayload = {
-            email: "ritam@test.com",
-            subject: "Single Email Test",
-            htmlBody: "<p>Single Email Body</p>",
-        };
-
-        await postAsAdmin("/subscription/send-email/single")
+        const res = await postAsSuperAdmin("/subscription/send-email/single")
             .send(emailPayload)
             .expect(StatusCodes.OK);
 
@@ -252,5 +269,22 @@ describe("POST /subscription/send-email/single", () => {
 
         // Verify that the send method was actually invoked
         expect(mockSESV2Send).toHaveBeenCalledTimes(1);
+
+        expect(res.body).toEqual({
+            status: "success",
+        });
+    });
+
+    it("fails for non super admin", async () => {
+        const res = await postAsAdmin("/subscription/send-email/single")
+            .send(emailPayload)
+            .expect(StatusCodes.FORBIDDEN);
+
+        expect(SendEmailCommand).not.toHaveBeenCalled();
+
+        // Verify that the send method was actually invoked
+        expect(mockSESV2Send).not.toHaveBeenCalled();
+
+        expect(res.body).toMatchObject({ error: "Forbidden" });
     });
 });

src/services/subscription/subscription-router.ts

@@ -76,7 +76,7 @@ subscriptionRouter.get(
 // API body: {String} mailingList The list to send the email to, {String} subject The subject line of the email, {String} htmlBody The HTML content of the email.
 subscriptionRouter.post(
     "/send-email",
-    RoleChecker([Role.Enum.ADMIN]),
+    RoleChecker([Role.Enum.SUPER_ADMIN]),
     async (req, res) => {
         const { mailingList, subject, htmlBody } = req.body;
         const { data: list } = await SupabaseDB.SUBSCRIPTIONS.select(
@@ -113,7 +113,7 @@ subscriptionRouter.post(
 // API body: {String} email (the singular email to send to), {String} subject : The subject line of the email, {String} htmlBody : The HTML content of the email.
 subscriptionRouter.post(
     "/send-email/single",
-    RoleChecker([Role.Enum.ADMIN]),
+    RoleChecker([Role.Enum.SUPER_ADMIN]),
     async (req, res) => {
         const { email, subject, htmlBody } = req.body;
 

testing/testingTools.ts

@@ -55,6 +55,10 @@ export function getAsAdmin(url: string): request.Test {
     return get(url, Role.enum.ADMIN);
 }
 
+export function getAsSuperAdmin(url: string): request.Test {
+    return get(url, Role.enum.SUPER_ADMIN);
+}
+
 export function getAsCorporate(url: string): request.Test {
     return get(url, Role.enum.CORPORATE);
 }
@@ -86,6 +90,10 @@ export function postAsAdmin(url: string): request.Test {
     return post(url, Role.enum.ADMIN);
 }
 
+export function postAsSuperAdmin(url: string): request.Test {
+    return post(url, Role.enum.SUPER_ADMIN);
+}
+
 export function postAsCorporate(url: string): request.Test {
     return post(url, Role.enum.CORPORATE);
 }
@@ -106,6 +114,10 @@ export function putAsAdmin(url: string): request.Test {
     return put(url, Role.enum.ADMIN);
 }
 
+export function putAsSuperAdmin(url: string): request.Test {
+    return put(url, Role.enum.SUPER_ADMIN);
+}
+
 export function putAsCorporate(url: string): request.Test {
     return put(url, Role.enum.CORPORATE);
 }
@@ -126,6 +138,10 @@ export function patchAsAdmin(url: string): request.Test {
     return patch(url, Role.enum.ADMIN);
 }
 
+export function patchAsSuperAdmin(url: string): request.Test {
+    return patch(url, Role.enum.SUPER_ADMIN);
+}
+
 export function patchAsCorporate(url: string): request.Test {
     return patch(url, Role.enum.CORPORATE);
 }
@@ -146,6 +162,10 @@ export function delAsAdmin(url: string): request.Test {
     return del(url, Role.enum.ADMIN);
 }
 
+export function delAsSuperAdmin(url: string): request.Test {
+    return del(url, Role.enum.SUPER_ADMIN);
+}
+
 export function delAsCorporate(url: string): request.Test {
     return del(url, Role.enum.CORPORATE);
 }