diff --git a/src/app-auth/dtos/create-app.dto.ts b/src/app-auth/dtos/create-app.dto.ts index 92832536..27ddc99a 100644 --- a/src/app-auth/dtos/create-app.dto.ts +++ b/src/app-auth/dtos/create-app.dto.ts @@ -19,6 +19,7 @@ import { SERVICE_TYPES, APP_ENVIRONMENT, } from 'src/supported-service/services/iServiceList'; +import { IsUrlOrBase64Image } from 'src/utils/customDecorator/IsUrlOrBase64Image.decorator'; export class CreateAppDto { @ApiProperty({ @@ -60,7 +61,7 @@ export class CreateAppDto { }) @IsOptional() @IsString() - @IsUrlEmpty() + @IsUrlOrBase64Image() logoUrl?: string; @ApiProperty({ description: 'services', diff --git a/src/app-auth/services/app-auth.service.ts b/src/app-auth/services/app-auth.service.ts index 8910b737..3b1f0d8f 100644 --- a/src/app-auth/services/app-auth.service.ts +++ b/src/app-auth/services/app-auth.service.ts @@ -34,7 +34,7 @@ import { WebPageConfigRepository } from 'src/webpage-config/repositories/webpage import { InjectModel } from '@nestjs/mongoose'; import { CustomerOnboarding } from 'src/customer-onboarding/schemas/customer-onboarding.schema'; import { Model } from 'mongoose'; -import { getAccessListForModule } from 'src/utils/utils'; +import { evaluateAccessPolicy, getAccessListForModule } from 'src/utils/utils'; import { TokenModule } from 'src/config/access-matrix'; import { redisClient } from 'src/utils/redis.provider'; import { @@ -68,7 +68,7 @@ export class AppAuthService { @InjectModel(CustomerOnboarding.name) private readonly onboardModel: Model, private readonly webpageConfigRepo: WebPageConfigRepository, - ) { } + ) {} async createAnApp( createAppDto: CreateAppDto, 
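Review bot: Swapping `@IsUrlEmpty()` for `@IsUrlOrBase64Image()` on `logoUrl` lets a client submit an inline base64 image in a field that is otherwise only constrained by `@IsString()`, so the DTO no longer bounds this part of the request body the way a URL did. The decorator is defined outside this diff, so confirm it caps the decoded length and restricts the `data:` media type, or add `@MaxLength(MAX_LOGO_LENGTH)` (limit to be chosen) next to it so the bound is visible on the DTO. The remaining properties of CreateAppDto are outside the hunk.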
@@ -752,10 +752,15 @@ export class AppAuthService {
 switch (serviceType) {
 case SERVICE_TYPES.SSI_API: {
 grant_type = GRANT_TYPES.access_service_ssi;
- accessList = getAccessListForModule(
+ const defaultAccessList = getAccessListForModule(
 TokenModule.APP_AUTH,
 SERVICE_TYPES.SSI_API,
 );
+ accessList = evaluateAccessPolicy(
+ defaultAccessList,
+ SERVICE_TYPES.SSI_API,
+ [],
+ );
 break;
 }
 case SERVICE_TYPES.CAVACH_API: {
@@ -769,18 +774,28 @@ export class AppAuthService {
 ]);
 }
 grant_type = grantType || GRANT_TYPES.access_service_kyc;
- accessList = getAccessListForModule(
+ const defaultAccessList = getAccessListForModule(
 TokenModule.APP_AUTH,
 SERVICE_TYPES.CAVACH_API,
 );
+ accessList = evaluateAccessPolicy(
+ defaultAccessList,
+ SERVICE_TYPES.CAVACH_API,
+ [],
+ );
 break;
 }
 case SERVICE_TYPES.QUEST: {
 grant_type = GRANT_TYPES.access_service_quest;
- accessList = getAccessListForModule(
+ const defaultAccessList = getAccessListForModule(
 TokenModule.APP_AUTH,
 SERVICE_TYPES.QUEST,
 );
+ accessList = evaluateAccessPolicy(
+ defaultAccessList,
+ SERVICE_TYPES.QUEST,
+ [],
+ );
 break;
 }
 default: {
@@ -865,8 +880,13 @@ export class AppAuthService {
 grantType: string,
 appId: string,
 user,
+ session?,
 ): Promise<{ access_token; expiresIn; tokenType }> {
- const sessionId = `${appId}_${Context.idDashboard}`;
+ const context = Context.idDashboard;
+ let sessionId = `${appId}_${context}_${session.userId}`;
+ if (session && session.tenantId) {
+ sessionId = `${sessionId}_tenant`;
+ }
 const savedSession = await redisClient.get(sessionId);
 switch (grantType) {
 case GRANT_TYPES.access_service_ssi:
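Review bot: In the grantPermission hunk, `session?` is declared optional but the very next line reads `session.userId` unconditionally, while only the `_tenant` suffix is guarded by `session && session.tenantId`; a call without a session throws a TypeError before any grant check runs. Either make the parameter required and fail early — `if (!session?.userId) { throw new BadRequestException(['Session is required']); }` — or build the key with `session?.userId`. Separately, the suffix is the constant `_tenant` rather than the tenant id, so two tenants of the same user and app resolve to one cached session; if the suffix exists for tenant isolation, include the id itself (hedged, since what is cached under the key is outside this hunk). The rest of grantPermission is outside the hunk.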
@@ -924,10 +944,16 @@ export class AppAuthService { 'Invalid grant type for this service ' + appId, ]); } - accessList = getAccessListForModule( + const defaultAccessList = getAccessListForModule( TokenModule.DASHBOARD, SERVICE_TYPES.SSI_API, ); + accessList = evaluateAccessPolicy( + defaultAccessList, + SERVICE_TYPES.SSI_API, + user.accessList, + context, + ); break; } case SERVICE_TYPES.CAVACH_API: { @@ -939,10 +965,16 @@ export class AppAuthService { 'Invalid grant type for this service ' + appId, ]); } - accessList = getAccessListForModule( + const defaultAccessList = getAccessListForModule( TokenModule.DASHBOARD, SERVICE_TYPES.CAVACH_API, ); + accessList = evaluateAccessPolicy( + defaultAccessList, + SERVICE_TYPES.CAVACH_API, + user.accessList, + context, + ); break; } case SERVICE_TYPES.QUEST: { @@ -951,10 +983,16 @@ export class AppAuthService { 'Invalid grant type for this service ' + appId, ]); } - accessList = getAccessListForModule( + const defaultAccessList = getAccessListForModule( TokenModule.DASHBOARD, SERVICE_TYPES.QUEST, ); + accessList = evaluateAccessPolicy( + defaultAccessList, + SERVICE_TYPES.QUEST, + user.accessList, + context, + ); break; } default: { diff --git a/src/app-oauth/app-oauth.controller.ts b/src/app-oauth/app-oauth.controller.ts index 61ab0134..a96feb6e 100644 --- a/src/app-oauth/app-oauth.controller.ts +++ b/src/app-oauth/app-oauth.controller.ts @@ -134,9 +134,15 @@ export class AppOauthController { @Req() request, ): Promise<{ access_token; expiresIn; tokenType }> { const { user } = request; + const { session } = request; // Logger.log('reGenerateAppSecretKey() method: starts', 'AppOAuthController'); - return this.appAuthService.grantPermission(grantType, serviceId, user); + return this.appAuthService.grantPermission( + grantType, + serviceId, + user, + session, + ); } } diff --git a/src/config/access-matrix.ts b/src/config/access-matrix.ts index 2c1a76aa..84fb945d 100644 --- a/src/config/access-matrix.ts 
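Review bot: The three DASHBOARD cases now pass `user.accessList` taken from `request.user`; if that object is deserialized from the JWT rather than read from the user collection per request, access removed in the database keeps working until the token expires — worth confirming against the guard that populates it. The `defaultAccessList`/`evaluateAccessPolicy` pair is repeated verbatim in all three cases with only the `SERVICE_TYPES` constant changing; assigning a `serviceType` in each case and evaluating once after the `switch` would remove the duplication. The enclosing grantPermission method starts before these hunks.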
+++ b/src/config/access-matrix.ts
@@ -3,6 +3,8 @@ export enum TokenModule {
 DASHBOARD = 'DASHBOARD',
 VERIFIER = 'VERIFIER',
 APP_AUTH = 'APP_AUTH',
+ SUPER_ADMIN = 'SUPER_ADMIN',
+ ID_SERVICE = 'ID_SERVICE',
 }
 export const KYC_ACCESS_MATRIX = {
 [TokenModule.DASHBOARD]: [
@@ -38,12 +40,33 @@ export const KYC_ACCESS_MATRIX = {
 SERVICES.CAVACH_API.ACCESS_TYPES.READ_WIDGET_CONFIG,
 SERVICES.CAVACH_API.ACCESS_TYPES.READ_USER_CONSENT,
 ],
+ [TokenModule.SUPER_ADMIN]: [SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT],
 };
 export const SSI_ACCESS_MATRIX = {
- // will modify its access later. Assigning ALL for the time being
- [TokenModule.DASHBOARD]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
- [TokenModule.VERIFIER]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
- [TokenModule.APP_AUTH]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
+ [TokenModule.DASHBOARD]: [
+ SERVICES.SSI_API.ACCESS_TYPES.READ_DID,
+ SERVICES.SSI_API.ACCESS_TYPES.WRITE_DID,
+ SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT,
+ SERVICES.SSI_API.ACCESS_TYPES.READ_CREDIT,
+ SERVICES.SSI_API.ACCESS_TYPES.WRITE_SCHEMA,
+ SERVICES.SSI_API.ACCESS_TYPES.READ_SCHEMA,
+ SERVICES.SSI_API.ACCESS_TYPES.CHECK_LIVE_STATUS,
+ SERVICES.SSI_API.ACCESS_TYPES.READ_TX,
+ SERVICES.SSI_API.ACCESS_TYPES.READ_CREDENTIAL,
+ SERVICES.SSI_API.ACCESS_TYPES.VERIFY_CREDENTIAL,
+ SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDENTIAL,
+ SERVICES.SSI_API.ACCESS_TYPES.READ_USAGE,
+ SERVICES.SSI_API.ACCESS_TYPES.WRITE_PRESENTATION,
+ SERVICES.SSI_API.ACCESS_TYPES.VERIFY_PRESENTATION,
+ ],
+ [TokenModule.VERIFIER]: [SERVICES.SSI_API.ACCESS_TYPES.READ_DID],
+ [TokenModule.APP_AUTH]: [],
+ [TokenModule.ID_SERVICE]: [
+ SERVICES.SSI_API.ACCESS_TYPES.READ_TX,
+ SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDENTIAL,
+ SERVICES.SSI_API.ACCESS_TYPES.VERIFY_PRESENTATION,
+ ],
+ [TokenModule.SUPER_ADMIN]: [SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT],
 };
 export const QUEST_ACCESS_MATRIX = {
 [TokenModule.DASHBOARD]: [],
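Review bot: The new `KYC_ACCESS_MATRIX[TokenModule.SUPER_ADMIN]` row references `SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT` inside the CAVACH matrix; the string values coincide today, so the onboarding credit step works, but it should read `SERVICES.CAVACH_API.ACCESS_TYPES.WRITE_CREDIT` so the two enums can diverge safely. Also, `SSI_ACCESS_MATRIX[TokenModule.APP_AUTH]` goes from `ALL` to `[]`, and the APP_AUTH grant path calls `evaluateAccessPolicy(defaultAccessList, …, [])` without a context, which returns the list unchanged — so app-issued SSI tokens now carry an empty access list. If that is intended, a one-line comment on the row saying why would stop it being read as a regression.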
diff --git a/src/customer-onboarding/constants/enum.ts b/src/customer-onboarding/constants/enum.ts
index fe994f7f..76138284 100644
--- a/src/customer-onboarding/constants/enum.ts
+++ b/src/customer-onboarding/constants/enum.ts
@@ -133,7 +133,7 @@ export enum OnboardingStep {
 CREATE_DID = 'CREATE_DID',
 REGISTER_DID = 'REGISTER_DID',
 CREATE_KYC_SERVICE = 'CREATE_KYC_SERVICE',
- GIVE_KYC_DASHBOARD_ACCESS = 'GIVE_KYC_DASHBOARD_ACCESS',
+ GIVE_DASHBOARD_ACCESS = 'GIVE_DASHBOARD_ACCESS',
 CREDIT_KYC_SERVICE = 'CREDIT_KYC_SERVICE',
 SETUP_KYC_WIDGET = 'SETUP_KYC_WIDGET',
 CONFIGURE_KYC_VERIFIER_PAGE = 'CONFIGURE_KYC_VERIFIER_PAGE',
diff --git a/src/customer-onboarding/services/customer-onboarding.service.ts b/src/customer-onboarding/services/customer-onboarding.service.ts
index 84954ce6..184430ac 100644
--- a/src/customer-onboarding/services/customer-onboarding.service.ts
+++ b/src/customer-onboarding/services/customer-onboarding.service.ts
@@ -37,7 +37,11 @@ import {
 LogDetail,
 } from '../schemas/customer-onboarding.schema';
 import { AppRepository } from 'src/app-auth/repositories/app.repository';
-import { getAccessListForModule, sanitizeUrl } from 'src/utils/utils';
+import {
+ evaluateAccessPolicy,
+ getAccessListForModule,
+ sanitizeUrl,
+} from 'src/utils/utils';
 import { RoleRepository } from 'src/roles/repository/role.repository';
 import { ONBORDING_CONSTANT_DATA } from '../constants/en';
 import { WebpageConfigService } from 'src/webpage-config/services/webpage-config.service';
@@ -342,14 +346,12 @@ export class CustomerOnboardingService { `Customer onboarding detail not found for id: ${id}`, ]); } - // Initialize configuration const { companyName, domain, userId, companyLogo, customerEmail } = customerOnboardingData; const ssiBaseDomain = this.config.get('SSI_API_DOMAIN'); const cavachBaseDomain = this.config.get('CAVACH_API_DOMAIN'); const secret = this.config.get('JWT_SECRET'); - let ssiSubdomain = customerOnboardingData?.ssiSubdomain; let kycSubdomain = customerOnboardingData?.kycSubdomain; let ssiTenantUrl = this.getTenantUrl(ssiBaseDomain, ssiSubdomain); @@ -371,10 +373,43 @@ export class CustomerOnboardingService { throw new BadRequestException(['Customer onboarding is already done']); } let onboardingStatus; + let userDetail = await this.userRepository.findOne({ userId }); // Process each step for (const step of remainingSteps) { try { switch (step) { + case OnboardingStep.GIVE_DASHBOARD_ACCESS: { + Logger.log( + 'GIVE_DASHBOARD_ACCESS step started', + 'CustomerOnboardingService', + ); + userDetail = await this.userRepository.findOneUpdate( + { userId }, + { + $push: { + accessList: { + $each: [ + { + serviceType: SERVICE_TYPES.CAVACH_API, + access: SERVICES.CAVACH_API.ACCESS_TYPES.ALL, + expiryDate: null, + }, + { + serviceType: SERVICE_TYPES.SSI_API, + access: SERVICES.SSI_API.ACCESS_TYPES.ALL, + expiryDate: null, + }, + ], + }, + }, + }, + ); + Logger.debug( + 'GIVE_DASHBOARD_ACCESS step ends', + 'CustomerOnboardingService', + ); + break; + } case OnboardingStep.CREATE_TEAM_ROLE: { Logger.log( 'CREATE_TEAM_ROLE step started', @@ -454,7 +489,10 @@ export class CustomerOnboardingService { ssiTenantUrl, secret, ssiService?.whitelistedCors, - [SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT], + getAccessListForModule( + TokenModule.SUPER_ADMIN, + SERVICE_TYPES.SSI_API, + ), ); Logger.debug( 'CREDIT_SSI_SERVICE step ends', 
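Review bot: The new GIVE_DASHBOARD_ACCESS step pushes two `ALL` entries with `$push`/`$each` and no guard, whereas the removed GIVE_KYC_DASHBOARD_ACCESS step matched `$not: { $elemMatch: … }` first; if the step can run again for a user, duplicate entries accumulate. `$addToSet: { accessList: { $each: [ … ] } }` gives the idempotent behaviour the old guard provided. The return value of `findOneUpdate` is assigned to `userDetail` and consumed by later steps; if the repository returns the pre-update document, `userDetail.accessList` is still empty when those steps evaluate the policy — confirm it returns the updated document. The step loop continues outside the hunk.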
@@ -474,14 +512,21 @@ export class CustomerOnboardingService {
 });
 }
 const ssiServiceDetail = await redisClient.get(ssiRedisKey);
+ const defaultAccessList = getAccessListForModule(
+ TokenModule.DASHBOARD,
+ SERVICE_TYPES.SSI_API,
+ );
+ const accessList = evaluateAccessPolicy(
+ defaultAccessList,
+ SERVICE_TYPES.SSI_API,
+ userDetail.accessList,
+ Context.idDashboard,
+ );
 if (!ssiServiceDetail) {
 await this.appAuthService.storeDataInRedis(
 GRANT_TYPES.access_service_ssi,
 ssiService,
- getAccessListForModule(
- TokenModule.DASHBOARD,
- SERVICE_TYPES.SSI_API,
- ),
+ accessList,
 ssiRedisKey,
 );
 }
@@ -527,14 +572,21 @@ export class CustomerOnboardingService {
 'CustomerOnboardingService',
 );
 const ssiServiceDetail = await redisClient.get(ssiRedisKey);
+ const defaultAccessList = getAccessListForModule(
+ TokenModule.DASHBOARD,
+ SERVICE_TYPES.SSI_API,
+ );
+ const accessList = evaluateAccessPolicy(
+ defaultAccessList,
+ SERVICE_TYPES.SSI_API,
+ userDetail.accessList,
+ Context.idDashboard,
+ );
 if (!ssiServiceDetail) {
 await this.appAuthService.storeDataInRedis(
 GRANT_TYPES.access_service_ssi,
 ssiService,
- getAccessListForModule(
- TokenModule.DASHBOARD,
- SERVICE_TYPES.SSI_API,
- ),
+ accessList,
 ssiRedisKey,
 );
 }
@@ -640,41 +692,6 @@ export class CustomerOnboardingService {
 );
 break;
 }
-
- case OnboardingStep.GIVE_KYC_DASHBOARD_ACCESS: {
- Logger.log(
- 'GIVE_KYC_DASHBOARD_ACCESS step started',
- 'CustomerOnboardingService',
- );
- await this.userRepository.findOneUpdate(
- {
- userId,
- accessList: {
- $not: {
- $elemMatch: {
- serviceType: 'CAVACH_API',
- access: 'ALL',
- },
- },
- },
- },
- {
- $push: {
- accessList: {
- serviceType: 'CAVACH_API',
- access: 'ALL',
- expiryDate: null,
- },
- },
- },
- );
- Logger.debug(
- 'GIVE_KYC_DASHBOARD_ACCESS step ends',
- 'CustomerOnboardingService',
- );
- break;
- }
-
 case OnboardingStep.CREDIT_KYC_SERVICE: {
 Logger.log(
 'CREDIT_KYC_SERVICE step started',
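Review bot: `userDetail.accessList` is dereferenced in both SSI hunks here (and in the CAVACH_API hunk that follows) without a null check, although `userDetail` originates from `findOne({ userId })` and may be null; a guard before the step loop, `if (!userDetail) { throw new BadRequestException(['User not found for onboarding']); }`, would turn a TypeError into a clear error. The evaluated `accessList` is computed every time but only written when `ssiServiceDetail` is absent, so a cache entry created before GIVE_DASHBOARD_ACCESS ran keeps its old list until it expires — hedged, since the TTL is set elsewhere. The identical ten-line default/evaluate block appears three times in this file; a private helper taking the service type would keep them in step.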
@@ -693,7 +710,10 @@ export class CustomerOnboardingService {
 kycTenantUrl,
 secret,
 kycService?.whitelistedCors,
- [SERVICES.CAVACH_API.ACCESS_TYPES.WRITE_CREDIT],
+ getAccessListForModule(
+ TokenModule.SUPER_ADMIN,
+ SERVICE_TYPES.CAVACH_API,
+ ),
 );
 Logger.debug(
 'CREDIT_KYC_SERVICE step ends',
@@ -711,15 +731,22 @@ export class CustomerOnboardingService {
 appId: customerOnboardingData.kycServiceId,
 });
 }
+ const defaultAccessList = getAccessListForModule(
+ TokenModule.DASHBOARD,
+ SERVICE_TYPES.CAVACH_API,
+ );
+ const accessList = evaluateAccessPolicy(
+ defaultAccessList,
+ SERVICE_TYPES.CAVACH_API,
+ userDetail.accessList,
+ Context.idDashboard,
+ );
 const kycServiceDetail = await redisClient.get(kycRedisKey);
 if (!kycServiceDetail) {
 await this.appAuthService.storeDataInRedis(
 GRANT_TYPES.access_service_kyc,
 kycService,
- getAccessListForModule(
- TokenModule.DASHBOARD,
- SERVICE_TYPES.CAVACH_API,
- ),
+ accessList,
 kycRedisKey,
 );
 }
diff --git a/src/social-login/services/social-login.service.ts b/src/social-login/services/social-login.service.ts
index 1b523a2b..398bcfa1 100644
--- a/src/social-login/services/social-login.service.ts
+++ b/src/social-login/services/social-login.service.ts
@@ -74,18 +74,11 @@ export class SocialLoginService {
 });
 if (!user) {
 const userId = `${Date.now()}-${uuidv4()}`;
- const ssiAccessList = this.supportedServiceList.getDefaultServicesAccess(
- SERVICE_TYPES.SSI_API,
- );
- const kycAccessList = this.supportedServiceList.getDefaultServicesAccess(
- SERVICE_TYPES.CAVACH_API,
- );
 user = await this.userRepository.create({
 email,
 userId,
 name,
 profileIcon,
- accessList: [...ssiAccessList, ...kycAccessList],
 });
 }
 const updates: Partial = {};
diff --git a/src/supported-service/services/iServiceList.ts b/src/supported-service/services/iServiceList.ts
index 90d2d34a..dedb4cb9 100644
--- a/src/supported-service/services/iServiceList.ts
+++ b/src/supported-service/services/iServiceList.ts
@@ -54,18 +54,21 @@ export namespace SERVICES { export namespace SSI_API { export enum ACCESS_TYPES { ALL = 'ALL', - 'CREATE_DID' = 'CREATE_DID', - 'REGISTER_DID' = 'REGISTER_DID', - 'RESOLVE_DID' = 'RESOLVE_DID', - 'ISSUE_CREDENTIAL' = 'ISSUE_CREDENTIAL', - 'VERIFY_CREDENTIAL' = 'VERIFY_CREDENTIAL', - 'REGISTER_CREDENTIAL_STATUS' = 'REGISTER_CREDENTIAL_STATUS', - 'RESOLVE_CREDENTIAL_STATUS' = 'RESOLVE_CREDENTIAL_STATUS', - 'RESOLVE_SCHEMA' = 'RESOLVE_SCHEMA', - 'REGISTER_SCHEMA' = 'REGISTER_SCHEMA', - 'READ_USAGE' = 'READ_USAGE', - 'WRITE_CREDIT' = 'WRITE_CREDIT', - 'READ_CREDIT' = 'READ_CREDIT', + READ_DID = 'READ_DID', + WRITE_DID = 'WRITE_DID', + WRITE_CREDIT = 'WRITE_CREDIT', + VERIFY_DID_SIGNATURE = 'VERIFY_DID_SIGNATURE', + READ_CREDIT = 'READ_CREDIT', + WRITE_SCHEMA = 'WRITE_SCHEMA', + READ_SCHEMA = 'READ_SCHEMA', + CHECK_LIVE_STATUS = 'CHECK_LIVE_STATUS', + READ_TX = 'READ_TX', + READ_CREDENTIAL = 'READ_CREDENTIAL', + VERIFY_CREDENTIAL = 'VERIFY_CREDENTIAL', + WRITE_CREDENTIAL = 'WRITE_CREDENTIAL', + READ_USAGE = 'READ_USAGE', + WRITE_PRESENTATION = 'WRITE_PRESENTATION', + VERIFY_PRESENTATION = 'VERIFY_PRESENTATION', } } @@ -92,7 +95,7 @@ export namespace SERVICES { WRITE_CREDIT = 'WRITE_CREDIT', READ_CREDIT = 'READ_CREDIT', CHECK_LIVE_STATUS = 'CHECK_LIVE_STATUS', - WRITE_AUTH='WRITE_AUTH', + WRITE_AUTH = 'WRITE_AUTH', } } diff --git a/src/user/schema/user.schema.ts b/src/user/schema/user.schema.ts index b8af9553..2cfc27ed 100644 --- a/src/user/schema/user.schema.ts +++ b/src/user/schema/user.schema.ts @@ -38,9 +38,9 @@ export class User { name?: string; @Prop({ required: false }) profileIcon?: string; - @Prop({ required: false }) + @Prop({ required: false, default: [] }) @Optional() - accessList: Array; + accessList?: Array; @Prop({ default: [] }) authenticators?: Authenticator[]; @Prop({ diff --git a/src/utils/utils.ts b/src/utils/utils.ts index fccfe00c..1eb696bf 100644 --- a/src/utils/utils.ts +++ b/src/utils/utils.ts 
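Review bot: The SSI `ACCESS_TYPES` members are renamed rather than added (`CREATE_DID`, `ISSUE_CREDENTIAL`, `REGISTER_SCHEMA`, … become `WRITE_DID`, `WRITE_CREDENTIAL`, `WRITE_SCHEMA`, …), and the value strings are what ends up persisted in `User.accessList.access` and in cached token payloads. Stored entries using the old names will no longer intersect with `SSI_ACCESS_MATRIX` once `evaluateAccessPolicy` runs, so those users silently lose access; a data migration or a compatibility map from old to new names is needed unless no such rows exist. The social-login code that populated `accessList` at sign-up is removed in this same diff, so users created before it are the ones to check.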
@@ -15,6 +15,7 @@ import { } from '@nestjs/common'; import { Did } from 'hs-ssi-sdk'; import { + Context, SERVICE_TYPES, SERVICES, } from 'src/supported-service/services/iServiceList'; @@ -22,6 +23,7 @@ import { KYC_ACCESS_MATRIX, QUEST_ACCESS_MATRIX, SSI_ACCESS_MATRIX, + TokenModule, } from 'src/config/access-matrix'; export const existDir = (dirPath) => { @@ -179,7 +181,7 @@ export const REDIS_KEYS = { VERIFIER_PAGE_TOKEN: 'verifierPageToken:', }; export function getAccessListForModule( - module: 'DASHBOARD' | 'VERIFIER' | 'APP_AUTH', + module: TokenModule, serviceType: SERVICE_TYPES, ) { switch (serviceType) { @@ -191,3 +193,34 @@ export function getAccessListForModule( return QUEST_ACCESS_MATRIX[module] || []; } } +export const evaluateAccessPolicy = ( + defaultAccessList: string[], + serviceType: SERVICE_TYPES, + userAccessList?: { + serviceType: SERVICE_TYPES; + access: string; + expiryDate?: Date; + }[], + context?: string, +): string[] => { + if (!context) { + return defaultAccessList; + } + if (context === Context.idDashboard) { + // No user access info → Return NO access + if (!userAccessList?.length) { + return []; + } + const userServiceAccess = userAccessList + .filter((a) => a.serviceType === serviceType) + .map((a) => a.access); + + // User With ALL access + if (userServiceAccess.includes('ALL')) { + return defaultAccessList; + } + // Intersection rule + return defaultAccessList.filter((p) => userServiceAccess.includes(p)); + } + return defaultAccessList; +}; diff --git a/src/webpage-config/services/webpage-config.service.ts b/src/webpage-config/services/webpage-config.service.ts index 0e96683c..8e360b0b 100644 --- a/src/webpage-config/services/webpage-config.service.ts +++ b/src/webpage-config/services/webpage-config.service.ts 
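Review bot: `evaluateAccessPolicy` declares `expiryDate?: Date` on the user entries but never reads it, so an expired grant is treated exactly like a permanent one; the filter should drop expired entries, e.g. `const now = Date.now();` followed by `.filter((a) => a.serviceType === serviceType && (a.expiryDate == null || new Date(a.expiryDate).getTime() > now))`. The dashboard branch short-circuits on the literal `'ALL'`; using the `ACCESS_TYPES.ALL` members from iServiceList would tie it to the enums. Finally, the function returns the default list unchanged both when no context is given and for any context other than `Context.idDashboard`; a TSDoc line stating that only the dashboard context is filtered would help callers, since the APP_AUTH call sites pass `[]` and read as if they revoke access.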
@@ -23,8 +23,13 @@ import { urlSanitizer } from 'src/utils/sanitizeUrl.validator'; import { isValidObjectId, Types } from 'mongoose'; import { WEBPAGE_CONFIG_ERRORS } from '../constant/en'; import { redisClient } from 'src/utils/redis.provider'; +import { + evaluateAccessPolicy, + getAccessListForModule, + REDIS_KEYS, +} from 'src/utils/utils'; +import { TokenModule } from 'src/config/access-matrix'; import { EXPIRY_CONFIG } from 'src/utils/time-constant'; -import { getAccessListForModule, REDIS_KEYS } from 'src/utils/utils'; @Injectable() export class WebpageConfigService { @@ -271,24 +276,12 @@ export class WebpageConfigService { WEBPAGE_CONFIG_ERRORS.WEBPAGE_CONFIG_NOT_FOUND, ]); } - let kycServiceDetail; - const kycService = await redisClient.get(appId); - if (!kycService) { - kycServiceDetail = await this.appRepository.findOne({ appId }); - if (!kycServiceDetail) { - throw new BadRequestException([ - WEBPAGE_CONFIG_ERRORS.WEBPAGE_CONFIG_LINKED_APP_NOT_FOUND, - ]); - } - await this.appAuthService.storeDataInRedis( - GRANT_TYPES.access_service_kyc, - kycServiceDetail, - getAccessListForModule('VERIFIER', SERVICE_TYPES.CAVACH_API), - appId, - ); - } else { - kycServiceDetail = JSON.parse(kycService); - } + const kycServiceDetail = await this.getServiceAndCache( + appId, + SERVICE_TYPES.CAVACH_API, + GRANT_TYPES.access_service_kyc, + TokenModule.VERIFIER, + ); if ( !kycServiceDetail.dependentServices || kycServiceDetail.dependentServices.length === 0 
@@ -298,27 +291,12 @@ export class WebpageConfigService {
 ]);
 }
 const ssiServiceId = kycServiceDetail?.dependentServices?.[0];
- let ssiServiceDetail;
- const ssiService = await redisClient.get(ssiServiceId);
- if (!ssiService) {
- ssiServiceDetail = await this.appRepository.findOne({
- appId: ssiServiceId,
- });
- if (!ssiServiceDetail) {
- throw new BadRequestException([
- WEBPAGE_CONFIG_ERRORS.WEBPAGE_CONFIG_SSI_SERVICE_DOES_NOT_EXIST,
- ]);
- }
- await this.appAuthService.storeDataInRedis(
- GRANT_TYPES.access_service_ssi,
- ssiServiceDetail,
- getAccessListForModule('VERIFIER', SERVICE_TYPES.SSI_API),
- ssiServiceId,
- );
- } else {
- ssiServiceDetail = JSON.parse(ssiService);
- }
-
+ const ssiServiceDetail = await this.getServiceAndCache(
+ ssiServiceId,
+ SERVICE_TYPES.SSI_API,
+ GRANT_TYPES.access_service_ssi,
+ TokenModule.ID_SERVICE,
+ );
 // generate access tokens
 const [ssiAccessTokenDetail, kycAccessTokenDetail] = await Promise.all([
 this.appAuthService.getAccessToken(
@@ -358,4 +336,32 @@ export class WebpageConfigService {
 ...redisPayload,
 };
 }
+ public async getServiceAndCache(
+ appId: string,
+ serviceType: SERVICE_TYPES,
+ grantType: GRANT_TYPES,
+ tokenModule,
+ ) {
+ const cached = await redisClient.get(appId);
+ if (cached) return JSON.parse(cached);
+ const serviceDetail = await this.appRepository.findOne({ appId });
+ if (!serviceDetail) {
+ throw new BadRequestException([
+ WEBPAGE_CONFIG_ERRORS.WEBPAGE_CONFIG_LINKED_APP_NOT_FOUND,
+ ]);
+ }
+ const defaultAccessList = getAccessListForModule(tokenModule, serviceType);
+ const validateAccessList = evaluateAccessPolicy(
+ defaultAccessList,
+ serviceType,
+ [],
+ );
+ await this.appAuthService.storeDataInRedis(
+ grantType,
+ serviceDetail,
+ validateAccessList,
+ appId,
+ );
+ return serviceDetail;
+ }
 }
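Review bot: `tokenModule` in the new `getServiceAndCache` has no type annotation and is an implicit `any`, while the value flows straight into `getAccessListForModule`, whose parameter was just tightened to `TokenModule`; annotate it `tokenModule: TokenModule`. The SSI lookup previously failed with `WEBPAGE_CONFIG_SSI_SERVICE_DOES_NOT_EXIST` and now reports `WEBPAGE_CONFIG_LINKED_APP_NOT_FOUND` for both services, which loses the distinction in the error returned to the caller; an optional `notFoundError` parameter defaulting to the linked-app message would keep it. `evaluateAccessPolicy(defaultAccessList, serviceType, [])` with no context returns `defaultAccessList` as-is, so `validateAccessList` is just the matrix row — either pass a context or call `getAccessListForModule` directly so readers do not assume a user-level filter is applied.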