3 changes: 2 additions & 1 deletion src/app-auth/dtos/create-app.dto.ts
Expand Up @@ -19,6 +19,7 @@ import {
SERVICE_TYPES,
APP_ENVIRONMENT,
} from 'src/supported-service/services/iServiceList';
import { IsUrlOrBase64Image } from 'src/utils/customDecorator/IsUrlOrBase64Image.decorator';

export class CreateAppDto {
@ApiProperty({
Expand Down Expand Up @@ -60,7 +61,7 @@ export class CreateAppDto {
})
@IsOptional()
@IsString()
@IsUrlEmpty()
@IsUrlOrBase64Image()
logoUrl?: string;
@ApiProperty({
description: 'services',
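Review bot: `@IsUrlOrBase64Image()` on `logoUrl` admits an inline image payload, but nothing in the hunk bounds its size, so a very long base64 string still satisfies `@IsString()` and reaches whatever stores the DTO unless the custom decorator itself enforces a limit (its implementation is outside this hunk, so this is inferred). Consider pairing it with `@MaxLength(...)` using a project-chosen bound, and a short comment above the field such as `// logoUrl: either a URL or a base64-encoded image; size and format limits are enforced by IsUrlOrBase64Image` once that is confirmed. The CreateAppDto class begins and ends outside the hunk.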
56 changes: 47 additions & 9 deletions src/app-auth/services/app-auth.service.ts
Expand Up @@ -34,7 +34,7 @@ import { WebPageConfigRepository } from 'src/webpage-config/repositories/webpage
import { InjectModel } from '@nestjs/mongoose';
import { CustomerOnboarding } from 'src/customer-onboarding/schemas/customer-onboarding.schema';
import { Model } from 'mongoose';
import { getAccessListForModule } from 'src/utils/utils';
import { evaluateAccessPolicy, getAccessListForModule } from 'src/utils/utils';
import { TokenModule } from 'src/config/access-matrix';
import { redisClient } from 'src/utils/redis.provider';
import {
Expand Down Expand Up @@ -68,7 +68,7 @@ export class AppAuthService {
@InjectModel(CustomerOnboarding.name)
private readonly onboardModel: Model<CustomerOnboarding>,
private readonly webpageConfigRepo: WebPageConfigRepository,
) { }
) {}

async createAnApp(
createAppDto: CreateAppDto,
Expand Down Expand Up @@ -752,10 +752,15 @@ export class AppAuthService {
switch (serviceType) {
case SERVICE_TYPES.SSI_API: {
grant_type = GRANT_TYPES.access_service_ssi;
accessList = getAccessListForModule(
const defaultAccessList = getAccessListForModule(
TokenModule.APP_AUTH,
SERVICE_TYPES.SSI_API,
);
accessList = evaluateAccessPolicy(
defaultAccessList,
SERVICE_TYPES.SSI_API,
[],
);
break;
}
case SERVICE_TYPES.CAVACH_API: {
Expand All @@ -769,18 +774,28 @@ export class AppAuthService {
]);
}
grant_type = grantType || GRANT_TYPES.access_service_kyc;
accessList = getAccessListForModule(
const defaultAccessList = getAccessListForModule(
TokenModule.APP_AUTH,
SERVICE_TYPES.CAVACH_API,
);
accessList = evaluateAccessPolicy(
defaultAccessList,
SERVICE_TYPES.CAVACH_API,
[],
);
break;
}
case SERVICE_TYPES.QUEST: {
grant_type = GRANT_TYPES.access_service_quest;
accessList = getAccessListForModule(
const defaultAccessList = getAccessListForModule(
TokenModule.APP_AUTH,
SERVICE_TYPES.QUEST,
);
accessList = evaluateAccessPolicy(
defaultAccessList,
SERVICE_TYPES.QUEST,
[],
);
break;
}
default: {
Expand Down Expand Up @@ -865,8 +880,13 @@ export class AppAuthService {
grantType: string,
appId: string,
user,
session?,
): Promise<{ access_token; expiresIn; tokenType }> {
const sessionId = `${appId}_${Context.idDashboard}`;
const context = Context.idDashboard;
let sessionId = `${appId}_${context}_${session.userId}`;
if (session && session.tenantId) {
sessionId = `${sessionId}_tenant`;
}
const savedSession = await redisClient.get(sessionId);
switch (grantType) {
case GRANT_TYPES.access_service_ssi:
Expand Down Expand Up @@ -924,10 +944,16 @@ export class AppAuthService {
'Invalid grant type for this service ' + appId,
]);
}
accessList = getAccessListForModule(
const defaultAccessList = getAccessListForModule(
TokenModule.DASHBOARD,
SERVICE_TYPES.SSI_API,
);
accessList = evaluateAccessPolicy(
defaultAccessList,
SERVICE_TYPES.SSI_API,
user.accessList,
context,
);
break;
}
case SERVICE_TYPES.CAVACH_API: {
Expand All @@ -939,10 +965,16 @@ export class AppAuthService {
'Invalid grant type for this service ' + appId,
]);
}
accessList = getAccessListForModule(
const defaultAccessList = getAccessListForModule(
TokenModule.DASHBOARD,
SERVICE_TYPES.CAVACH_API,
);
accessList = evaluateAccessPolicy(
defaultAccessList,
SERVICE_TYPES.CAVACH_API,
user.accessList,
context,
);
break;
}
case SERVICE_TYPES.QUEST: {
Expand All @@ -951,10 +983,16 @@ export class AppAuthService {
'Invalid grant type for this service ' + appId,
]);
}
accessList = getAccessListForModule(
const defaultAccessList = getAccessListForModule(
TokenModule.DASHBOARD,
SERVICE_TYPES.QUEST,
);
accessList = evaluateAccessPolicy(
defaultAccessList,
SERVICE_TYPES.QUEST,
user.accessList,
context,
);
break;
}
default: {
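Review bot: In grantPermission, `session.userId` is dereferenced on the `let sessionId = ...` line before the `if (session && session.tenantId)` guard, although `session?` is declared optional in the new signature; a caller that omits it gets a TypeError rather than a controlled rejection, and switching to `session?.userId` would instead build one shared `..._undefined` cache key for every session-less caller. Check the session up front, e.g. `if (!session?.userId) { /* reject, as the surrounding code does for an invalid grant type */ }`, and keep the template as is, or make the parameter required if no caller legitimately omits it. The three DASHBOARD cases now feed `user.accessList` into evaluateAccessPolicy; that is sound only if `user` is populated by the auth guard rather than the request body, which is worth confirming against the controller. grantPermission's body continues outside the hunk.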
8 changes: 7 additions & 1 deletion src/app-oauth/app-oauth.controller.ts
Expand Up @@ -134,9 +134,15 @@ export class AppOauthController {
@Req() request,
): Promise<{ access_token; expiresIn; tokenType }> {
const { user } = request;
const { session } = request;
//
Logger.log('reGenerateAppSecretKey() method: starts', 'AppOAuthController');

return this.appAuthService.grantPermission(grantType, serviceId, user);
return this.appAuthService.grantPermission(
grantType,
serviceId,
user,
session,
);
}
}
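Review bot: `const { session } = request;` sits directly under `const { user } = request;`; a single destructure `const { user, session } = request;` reads better and shows in one place which request fields this handler depends on. Whether `request.session` is populated for this route depends on middleware outside this hunk; if it can be absent, the service side must tolerate an undefined session rather than assume it. The enclosing method begins outside the hunk.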
31 changes: 27 additions & 4 deletions src/config/access-matrix.ts
Expand Up @@ -3,6 +3,8 @@ export enum TokenModule {
DASHBOARD = 'DASHBOARD',
VERIFIER = 'VERIFIER',
APP_AUTH = 'APP_AUTH',
SUPER_ADMIN = 'SUPER_ADMIN',
ID_SERVICE = 'ID_SERVICE',
}
export const KYC_ACCESS_MATRIX = {
[TokenModule.DASHBOARD]: [
Expand Down Expand Up @@ -38,12 +40,33 @@ export const KYC_ACCESS_MATRIX = {
SERVICES.CAVACH_API.ACCESS_TYPES.READ_WIDGET_CONFIG,
SERVICES.CAVACH_API.ACCESS_TYPES.READ_USER_CONSENT,
],
[TokenModule.SUPER_ADMIN]: [SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT],
};
export const SSI_ACCESS_MATRIX = {
// will modify its access later. Assigning ALL for the time being
[TokenModule.DASHBOARD]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
[TokenModule.VERIFIER]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
[TokenModule.APP_AUTH]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
[TokenModule.DASHBOARD]: [
SERVICES.SSI_API.ACCESS_TYPES.READ_DID,
SERVICES.SSI_API.ACCESS_TYPES.WRITE_DID,
SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT,
SERVICES.SSI_API.ACCESS_TYPES.READ_CREDIT,
SERVICES.SSI_API.ACCESS_TYPES.WRITE_SCHEMA,
SERVICES.SSI_API.ACCESS_TYPES.READ_SCHEMA,
SERVICES.SSI_API.ACCESS_TYPES.CHECK_LIVE_STATUS,
SERVICES.SSI_API.ACCESS_TYPES.READ_TX,
SERVICES.SSI_API.ACCESS_TYPES.READ_CREDENTIAL,
SERVICES.SSI_API.ACCESS_TYPES.VERIFY_CREDENTIAL,
SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDENTIAL,
SERVICES.SSI_API.ACCESS_TYPES.READ_USAGE,
SERVICES.SSI_API.ACCESS_TYPES.WRITE_PRESENTATION,
SERVICES.SSI_API.ACCESS_TYPES.VERIFY_PRESENTATION,
],
[TokenModule.VERIFIER]: [SERVICES.SSI_API.ACCESS_TYPES.READ_DID],
[TokenModule.APP_AUTH]: [],
[TokenModule.ID_SERVICE]: [
SERVICES.SSI_API.ACCESS_TYPES.READ_TX,
SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDENTIAL,
SERVICES.SSI_API.ACCESS_TYPES.VERIFY_PRESENTATION,
],
[TokenModule.SUPER_ADMIN]: [SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT],
};
export const QUEST_ACCESS_MATRIX = {
[TokenModule.DASHBOARD]: [],
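Review bot: `[TokenModule.APP_AUTH]: []` in SSI_ACCESS_MATRIX leaves app-auth SSI tokens with no default scopes; if evaluateAccessPolicy does not supply scopes of its own when both the default list and the caller's list are empty, app tokens for the SSI service will carry an empty access list (that helper is outside this hunk, so this is inferred). Either way the intent should be written down next to the entry, e.g. `// APP_AUTH: no default SSI scopes; effective access is decided per app in evaluateAccessPolicy`, adjusted to what the policy actually does. The comment `// will modify its access later. Assigning ALL for the time being` above the DASHBOARD entry no longer describes the explicit list that replaces ALL and should be dropped or rewritten. Narrowing DASHBOARD and VERIFIER from ALL to enumerated scopes is the right direction.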
2 changes: 1 addition & 1 deletion src/customer-onboarding/constants/enum.ts
Expand Up @@ -133,7 +133,7 @@ export enum OnboardingStep {
CREATE_DID = 'CREATE_DID',
REGISTER_DID = 'REGISTER_DID',
CREATE_KYC_SERVICE = 'CREATE_KYC_SERVICE',
GIVE_KYC_DASHBOARD_ACCESS = 'GIVE_KYC_DASHBOARD_ACCESS',
GIVE_DASHBOARD_ACCESS = 'GIVE_DASHBOARD_ACCESS',
CREDIT_KYC_SERVICE = 'CREDIT_KYC_SERVICE',
SETUP_KYC_WIDGET = 'SETUP_KYC_WIDGET',
CONFIGURE_KYC_VERIFIER_PAGE = 'CONFIGURE_KYC_VERIFIER_PAGE',