feat(ids-api): Filter out accessControlled scopes

[GunnlaugurG]

...

Attach a link to issue if relevant

What

Specify what you're trying to achieve

Why

Specify why you need to achieve this

Screenshots / Gifs

Attach Screenshots / Gifs to help reviewers understand the scope of the pull request

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• New Features

  • Enhanced filtering logic for API scopes, ensuring only valid, non-access controlled scopes are processed based on delegation types.
  • Introduced a new method for filtering API scopes based on custom scope rules.

• Bug Fixes

  • Resolved issues with scope validation that may have allowed inappropriate scopes to be included.

[coderabbitai]

Walkthrough

The changes involve updating the DelegationConfig.ts file to replace the DelegationType with AuthDelegationType, impacting the validation logic in customScopeRuleSchema. Additionally, a new method filterByCustomScopeRule is introduced in the DelegationsIncomingCustomService class to filter API scopes based on custom scope rules. The overall filtering logic for available scopes has been refined to improve the handling of delegation types.

Changes

File	Change Summary
libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts	Replaced DelegationType with AuthDelegationType in customScopeRuleSchema affecting scope configurations.
libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts	Added filterByCustomScopeRule method; updated filtering logic in findAllAvailableGeneralMandate and findAllAvailableIncoming methods.

Possibly related PRs

• feat(auth-api-lib): add support for delegation types to api-scopes #14887: This PR adds support for delegation types to API scopes, which is directly related to the changes in DelegationConfig.ts where AuthDelegationType is introduced.
• feat(auth-admin): General mandate delegation type #16005: This PR introduces a new delegation type called "GeneralMandate," which aligns with the updates in the main PR that reference AuthDelegationType in the context of delegation types.
• feat(ids-admin): Delegation-Delegation-Type #16068: This PR adds a new field for delegation_delegation_type to support General Mandate delegations, which is relevant to the changes made in the main PR regarding delegation types.
• feat(delegation-api): Add GeneralMandate delegations to accessControl #16170: This PR enhances the DelegationsOutgoingService to include AuthDelegationType.GeneralMandate, which is directly related to the updates in the main PR that involve the use of AuthDelegationType.

Suggested labels

automerge

Suggested reviewers

• saevarma

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts (1)

190-195: LGTM! Consider enhancing readability with a separate variable.

The changes effectively filter out access-controlled scopes, aligning with the PR objective. The implementation maintains type safety and doesn't affect tree-shaking or reusability.

To improve readability, consider extracting the filter condition into a separate variable:

const isAllowedScope = (s: ApiScopeInfo) =>
  !s.isAccessControlled &&
  s.supportedDelegationTypes?.some(
    (dt) => dt.delegationType === AuthDelegationType.GeneralMandate
  );

const customApiScopes = clientAllowedApiScopes.filter(isAllowedScope);

This separation of concerns makes the code more self-documenting and easier to maintain.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 4cb5e52 and 34f14ee.

📒 Files selected for processing (1)

• libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.70%. Comparing base (6841e69) to head (fb8fbee).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #16175      +/-   ##
==========================================
+ Coverage   36.69%   36.70%   +0.01%     
==========================================
  Files        6778     6776       -2     
  Lines      139671   139571     -100     
  Branches    39719    39695      -24     
==========================================
- Hits        51247    51236      -11     
+ Misses      88424    88335      -89     

Flag	Coverage Δ
api	3.39% <ø> (ø)
api-domains-auth-admin	48.77% <ø> (ø)
application-system-api	41.63% <ø> (ø)
application-template-api-modules	23.71% <ø> (-0.02%)	⬇️
services-auth-admin-api	51.94% <29.41%> (-0.03%)	⬇️
services-auth-delegation-api	57.90% <29.41%> (-0.04%)	⬇️
services-auth-ids-api	51.82% <35.29%> (-0.05%)	⬇️
services-auth-personal-representative	45.46% <29.41%> (-0.07%)	⬇️
services-auth-personal-representative-public	41.54% <23.52%> (-0.03%)	⬇️
services-auth-public-api	49.33% <100.00%> (+0.07%)	⬆️
services-user-notification	47.13% <ø> (ø)
services-user-profile	62.21% <ø> (-0.10%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...th-api-lib/src/lib/delegations/DelegationConfig.ts	100.00% <100.00%> (ø)
...delegations/delegations-incoming-custom.service.ts	92.65% <100.00%> (+0.53%)	⬆️

... and 14 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6841e69...fb8fbee. Read the comment docs.

[datadog-island-is]

Datadog Report

All test runs daaf68a 🔗

✅ 13 Total Test Services: 0 Failed, 13 Passed
🔻 Test Sessions change in coverage: 2 decreased, 1 increased (+0.03%), 22 no change

Test Services

This report shows up to 10 services

Service Name	Failed	Known Flaky	New Flaky	Passed	Skipped	Total Time	Code Coverage Change	Test Service View
api	0	0	0	4	0	3.15s	1 no change	Link
api-domains-auth-admin	0	0	0	18	0	13.32s	1 no change	Link
application-system-api	0	0	0	111	2	3m 25.43s	1 no change	Link
application-template-api-modules	0	0	0	109	0	1m 51.05s	1 no change	Link
auth-api-lib	0	0	0	20	0	34.34s	1 no change	Link
services-auth-admin-api	0	0	0	125	0	3m 12.76s	1 no change	Link
services-auth-delegation-api	0	0	0	256	0	3m 2.42s	1 no change	Link
services-auth-ids-api	0	0	0	152	0	1m 0.68s	1 no change	Link
services-auth-personal-representative	0	0	0	59	0	1m 24.86s	1 decreased (-0.02%)	Link
services-auth-personal-representative-public	0	0	0	10	0	26.97s	1 no change	Link

🔻 Code Coverage Decreases vs Default Branch (2)

• services-user-profile - jest 52.71% (-0.04%) - Details
• services-auth-personal-representative - jest 44.01% (-0.02%) - Details

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts (1)

208-214: LGTM: Enhanced filtering logic in findAllAvailableGeneralMandate

The updated filtering logic in the findAllAvailableGeneralMandate method aligns well with the PR objective of filtering out access-controlled scopes. The implementation looks correct and effectively uses the newly added filterByCustomScopeRule method.

Consider the performance impact of the multiple filtering conditions, especially for large datasets. If performance becomes an issue, you might want to explore optimizing this filtering process.

If performance becomes a concern, consider refactoring the filtering logic into a separate method for better readability and potential optimization:

private filterCustomApiScopes(scopes: ApiScopeInfo[]): ApiScopeInfo[] {
  return scopes.filter(
    (s) =>
      !s.isAccessControlled &&
      this.filterByCustomScopeRule(s) &&
      s.supportedDelegationTypes?.some(
        (dt) => dt.delegationType === AuthDelegationType.GeneralMandate,
      ),
  );
}

Then use it in the findAllAvailableGeneralMandate method:

const customApiScopes = this.filterCustomApiScopes(clientAllowedApiScopes);

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 34f14ee and eff3ef5.

📒 Files selected for processing (2)

• libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts (3 hunks)
• libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts (4 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

• Reusability of components and hooks across different NextJS apps.
• TypeScript usage for defining props and exporting types.
• Effective tree-shaking and bundling practices."

🔇 Additional comments (10)

libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts (7)

5-5: Excellent use of shared types!

The import of AuthDelegationType from a shared types module aligns well with our coding guidelines. This change promotes reusability across different NextJS apps and supports effective tree-shaking and bundling practices.

---

24-24: Consistent type usage maintained

The refinement check has been correctly updated to use AuthDelegationType. This change maintains type safety and is consistent with the import modification. It's a good example of proper TypeScript usage for defining props and types.

---

45-45: Consistent enumeration usage in configuration

The onlyForDelegationType fields have been correctly updated to use AuthDelegationType.ProcurationHolder. This change maintains consistency with the import and schema modifications, ensuring type safety throughout the configuration.

Also applies to: 49-49

---

54-55: Correct enumeration usage with multiple delegation types

The onlyForDelegationType field for ApiScope.samradsgatt has been properly updated to use AuthDelegationType.ProcurationHolder and AuthDelegationType.Custom. This change maintains consistency with previous modifications while preserving the inclusion of multiple delegation types.

---

61-62: Consistent enumeration updates across multiple scopes

The onlyForDelegationType fields for both ApiScope.financeSalary and ApiScope.company have been correctly updated to use AuthDelegationType.ProcurationHolder and AuthDelegationType.Custom. These changes maintain consistency across multiple scope configurations while preserving the inclusion of multiple delegation types.

Also applies to: 68-69

---

Line range hint 1-105: Overall assessment: Excellent adherence to coding guidelines

The changes in this file consistently update the delegation type from DelegationType to AuthDelegationType across all relevant configurations. These modifications:

1. Maintain type safety throughout the file.
2. Promote reusability by using shared types from a common module.
3. Support effective tree-shaking and bundling practices.
4. Properly utilize TypeScript for defining props and exporting types.

The overall structure and purpose of the configuration remain unchanged, ensuring that the existing functionality is preserved while improving type consistency.

---

76-77: Consistent updates for custom scopes and migration note

The onlyForDelegationType fields for custom scopes (including '@akureyri.is/service-portal', '@island.is/applications/orkusjodur', and '@skagafjordur.is/ibuagatt') have been correctly updated to use AuthDelegationType.ProcurationHolder and AuthDelegationType.Custom. These changes maintain consistency across all scope configurations.

Note: There's a TODO comment regarding a scope migration for '@island.is/applications/orkusjodur'. Please ensure this is addressed in future updates.

To verify the TODO comment and its relevance, run the following script:

Also applies to: 85-86, 93-94

✅ Verification successful

Action Required: Update Verification Scripts Due to Unrecognized File Type

The initial verification scripts encountered issues with the rg command not recognizing the typescript file type. Please run the updated scripts below to ensure accurate verification:

---

Action Required: Update Verification Scripts with Correct File Extensions

Please run the updated verification scripts below to ensure accurate search results:

---

Verification Successful: TODO Comment and Branch Confirmed

The TODO comment regarding the scope migration for @island.is/applications/orkusjodur has been located in DelegationConfig.ts, and the branch auth-api/custom-delegation-scope-rule exists in the repository. Additionally, related mentions in libs/auth/scopes/src/lib/api.scope.ts have been identified, ensuring comprehensive coverage of the migration effort.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for the presence of the TODO comment and related branch

# Test 1: Search for the TODO comment
echo "Searching for TODO comment:"
rg --type typescript "Todo: add this to the scope migration of the branch" libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts

# Test 2: Check if the mentioned branch exists
echo "Checking for the existence of the auth-api/custom-delegation-scope-rule branch:"
git ls-remote --exit-code --heads origin auth-api/custom-delegation-scope-rule

# Test 3: Search for any mentions of '@island.is/applications/orkusjodur' in other files
echo "Searching for mentions of '@island.is/applications/orkusjodur' in other files:"
rg --type typescript "@island.is/applications/orkusjodur" --glob '!libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts'

Length of output: 908

---

Script:

#!/bin/bash
# Description: Check for the presence of the TODO comment and related branch

# Test 1: Search for the TODO comment
echo "Searching for TODO comment:"
rg "Todo: add this to the scope migration of the branch" libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts

# Test 2: Check if the mentioned branch exists
echo "Checking for the existence of the auth-api/custom-delegation-scope-rule branch:"
git ls-remote --exit-code --heads origin auth-api/custom-delegation-scope-rule

# Test 3: Search for any mentions of '@island.is/applications/orkusjodur' in other files
echo "Searching for mentions of '@island.is/applications/orkusjodur' in other files:"
rg "@island.is/applications/orkusjodur" --glob '!libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts' -t ts -t tsx

Length of output: 906

---

Script:

#!/bin/bash
# Description: Check for the presence of the TODO comment and related branch

# Test 1: Search for the TODO comment
echo "Searching for TODO comment:"
rg "Todo: add this to the scope migration of the branch" libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts

# Test 2: Check if the mentioned branch exists
echo "Checking for the existence of the auth-api/custom-delegation-scope-rule branch:"
git ls-remote --exit-code --heads origin auth-api/custom-delegation-scope-rule

# Test 3: Search for any mentions of '@island.is/applications/orkusjodur' in other files
echo "Searching for mentions of '@island.is/applications/orkusjodur' in other files:"
rg "@island.is/applications/orkusjodur" --glob '*.ts' --glob '*.tsx' --glob '!libs/auth-api-lib/src/lib/delegations/DelegationConfig.ts'

Length of output: 986

libs/auth-api-lib/src/lib/delegations/delegations-incoming-custom.service.ts (3)

3-3: LGTM: Import of ConfigType enhances type safety

The addition of the ConfigType import from @nestjs/config is a good practice. It suggests that configuration types are being used, which enhances type safety and improves the overall robustness of the code.

---

61-62: LGTM: DelegationConfig injection enhances configurability

The addition of the DelegationConfig injection in the constructor is a good practice. It allows for better configurability of the service and follows NestJS dependency injection patterns. This change will likely improve the flexibility and maintainability of the code.

---

189-201: LGTM: New filterByCustomScopeRule method enhances scope filtering

The new filterByCustomScopeRule method is a good addition that aligns with the PR objective of filtering out access-controlled scopes. The implementation looks correct and follows TypeScript best practices.

However, please verify if the default behavior (returning true when no custom scope rule is found) is intentional and aligns with the expected filtering logic.

[saevarma]

🚀