allow passing null to service scope, do not check domains on secretKey auth (#5728)

jnsdls · jnsdls · commit a0770238d45f · 2024-12-13T06:12:14.000Z
fixes: DASH-621  --- ## PR-Codex overview This PR focuses on enhancing the authorization process by introducing an `authMethod` property and allowing `null` service scopes, while modifying billing statuses and service configuration types. ### Detailed summary - Added `authMethod` to `teamAndProjectResponse`. - Allowed passing `null` to `serviceScope` in `CoreServiceConfig`. - Changed `billingStatus` from `"noCustomer"` to `"noPayment"`. - Updated `TeamAndProjectResponse` to include `authMethod` type. - Adjusted authorization logic for `secretKey` and null service scopes. > ✨ Ask PR-Codex anything about this PR by commenting with `/codex {your question}`
diff --git a/.changeset/chatty-llamas-drum.md b/.changeset/chatty-llamas-drum.md
@@ -0,0 +1,5 @@
+---
+"@thirdweb-dev/service-utils": patch
+---
+
+allow passing `null` to service scope, do not validate domains/bundleids when using secretKey auth method
diff --git a/packages/service-utils/src/core/api.ts b/packages/service-utils/src/core/api.ts
@@ -16,14 +16,17 @@ export type PolicyResult = {
 
 export type CoreServiceConfig = {
   apiUrl: string;
-  serviceScope: ServiceName;
+  // if EXPLICITLY set to null, service will not be checked for authorization
+  // this is meant for services that are not possible to be turned off by users, such as "social" and "analytics"
+  serviceScope: ServiceName | null;
   serviceApiKey: string;
   serviceAction?: string;
   useWalletAuth?: boolean;
   includeUsage?: boolean;
 };
 
 export type TeamAndProjectResponse = {
+  authMethod: "secretKey" | "publishableKey" | "jwt" | "teamId";
   team: TeamResponse;
   project?: ProjectResponse | null;
 };
@@ -42,11 +45,11 @@ export type TeamResponse = {
   name: string;
   slug: string;
   image: string | null;
-  billingPlan: string;
+  billingPlan: "free" | "starter" | "growth" | "pro";
   createdAt: Date;
   updatedAt: Date | null;
   billingEmail: string | null;
-  billingStatus: string | null;
+  billingStatus: "noPayment" | "validPayment" | "invalidPayment" | null;
   growthTrialEligible: boolean | null;
   enabledScopes: ServiceName[];
 };
diff --git a/packages/service-utils/src/core/authorize/client.ts b/packages/service-utils/src/core/authorize/client.ts
@@ -12,18 +12,25 @@ export function authorizeClient(
   teamAndProjectResponse: TeamAndProjectResponse,
 ): AuthorizationResult {
   const { origin, bundleId } = authOptions;
-  const { team, project } = teamAndProjectResponse;
+  const { team, project, authMethod } = teamAndProjectResponse;
 
   const authResult: AuthorizationResult = {
     authorized: true,
     team,
     project,
+    authMethod,
   };
 
+  // if there's no project, we'll return the authResult (JWT or teamId auth)
   if (!project) {
     return authResult;
   }
 
+  if (authMethod === "secretKey") {
+    // if the auth was done using secretKey, we do not want to enforce domains or bundleIds
+    return authResult;
+  }
+
   // check for public restrictions
   if (project.domains.includes("*")) {
     return authResult;
diff --git a/packages/service-utils/src/core/authorize/index.ts b/packages/service-utils/src/core/authorize/index.ts
@@ -148,5 +148,6 @@ export async function authorize(
     authorized: true,
     team: teamAndProjectResponse.team,
     project: teamAndProjectResponse.project,
+    authMethod: clientAuth.authMethod,
   };
 }
diff --git a/packages/service-utils/src/core/authorize/service.ts b/packages/service-utils/src/core/authorize/service.ts
@@ -5,7 +5,16 @@ export function authorizeService(
   teamAndProjectResponse: TeamAndProjectResponse,
   serviceConfig: CoreServiceConfig,
 ): AuthorizationResult {
-  const { team, project } = teamAndProjectResponse;
+  const { team, project, authMethod } = teamAndProjectResponse;
+
+  if (serviceConfig.serviceScope === null) {
+    // if explicitly set to null, we do not want to check for service level authorization
+    return {
+      authorized: true,
+      team,
+      authMethod,
+    };
+  }
 
   if (!team.enabledScopes.includes(serviceConfig.serviceScope)) {
     return {
@@ -21,6 +30,7 @@ export function authorizeService(
     return {
       authorized: true,
       team,
+      authMethod,
     };
   }
 
@@ -57,5 +67,6 @@ export function authorizeService(
     authorized: true,
     team,
     project,
+    authMethod,
   };
 }
diff --git a/packages/service-utils/src/mocks.ts b/packages/service-utils/src/mocks.ts
@@ -43,14 +43,15 @@ export const validTeamResponse: TeamResponse = {
   updatedAt: new Date("2024-06-01"),
   billingPlan: "free",
   billingEmail: "test@example.com",
-  billingStatus: "noCustomer",
+  billingStatus: "noPayment",
   growthTrialEligible: false,
   enabledScopes: ["storage", "rpc", "bundler"],
 };
 
 export const validTeamAndProjectResponse: TeamAndProjectResponse = {
   team: validTeamResponse,
   project: validProjectResponse,
+  authMethod: "publishableKey",
 };
 
 export const validServiceConfig: CoreServiceConfig = {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@thirdweb-dev/service-utils": patch
 +---
++
 +allow passing `null` to service scope, do not validate domains/bundleids when using secretKey auth method
Original file line number	Diff line number	Diff line change
`@@ -148,5 +148,6 @@ export async function authorize(`
`148`	`148`	`authorized: true,`
`149`	`149`	`team: teamAndProjectResponse.team,`
`150`	`150`	`project: teamAndProjectResponse.project,`
	`151`	`+ authMethod: clientAuth.authMethod,`
`151`	`152`	`};`
`152`	`153`	`}`