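--- a/src/app-auth/dtos/create-app.dto.ts
+++ b/src/app-auth/dtos/create-app.dto.ts
@@ -19,6 +19,7 @@ import {
 SERVICE_TYPES,
 APP_ENVIRONMENT,
 } from 'src/supported-service/services/iServiceList';
+import { IsUrlOrBase64Image } from 'src/utils/customDecorator/IsUrlOrBase64Image.decorator';
 
 export class CreateAppDto {
 @ApiProperty({
@@ -60,7 +61,7 @@ export class CreateAppDto {
 })
 @IsOptional()
 @IsString()
-@IsUrlEmpty()
+@IsUrlOrBase64Image()
 logoUrl?: string;
 @ApiProperty({
 description: 'services',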
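Review bot: `logoUrl` now accepts an inline base64 image as well as a URL, but nothing on the field bounds its length, so a request body can carry an arbitrarily large data URL through validation and into storage (`@IsString()` does not cap size). Unless `IsUrlOrBase64Image` enforces a size limit and restricts the data-URL media type to images internally (its implementation is not in this diff), add a `@MaxLength(<limit>)` alongside it and keep the media-type check in the decorator. `CreateAppDto` continues past the hunk.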
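--- a/src/app-auth/services/app-auth.service.ts
+++ b/src/app-auth/services/app-auth.service.ts
@@ -34,7 +34,7 @@ import { WebPageConfigRepository } from 'src/webpage-config/repositories/webpage
 import { InjectModel } from '@nestjs/mongoose';
 import { CustomerOnboarding } from 'src/customer-onboarding/schemas/customer-onboarding.schema';
 import { Model } from 'mongoose';
-import { getAccessListForModule } from 'src/utils/utils';
+import { evaluateAccessPolicy, getAccessListForModule } from 'src/utils/utils';
 import { TokenModule } from 'src/config/access-matrix';
 import { redisClient } from 'src/utils/redis.provider';
 import { TIME } from 'src/utils/time-constant';
@@ -64,7 +64,7 @@ export class AppAuthService {
 @InjectModel(CustomerOnboarding.name)
 private readonly onboardModel: Model<CustomerOnboarding>,
 private readonly webpageConfigRepo: WebPageConfigRepository,
-) { }
+) {}
 
 async createAnApp(
 createAppDto: CreateAppDto,
@@ -749,10 +749,15 @@ export class AppAuthService {
 switch (serviceType) {
 case SERVICE_TYPES.SSI_API: {
 grant_type = GRANT_TYPES.access_service_ssi;
-accessList = getAccessListForModule(
+const defaultAccessList = getAccessListForModule(
 TokenModule.APP_AUTH,
 SERVICE_TYPES.SSI_API,
 );
+accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.SSI_API,
+[],
+);
 break;
 }
 case SERVICE_TYPES.CAVACH_API: {
@@ -766,18 +771,29 @@ export class AppAuthService {
 ]);
 }
 grant_type = grantType || GRANT_TYPES.access_service_kyc;
-accessList = getAccessListForModule(
+const defaultAccessList = getAccessListForModule(
 TokenModule.APP_AUTH,
 SERVICE_TYPES.CAVACH_API,
 );
+accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.CAVACH_API,
+[],
+
+);
 break;
 }
 case SERVICE_TYPES.QUEST: {
 grant_type = GRANT_TYPES.access_service_quest;
-accessList = getAccessListForModule(
+const defaultAccessList = getAccessListForModule(
 TokenModule.APP_AUTH,
 SERVICE_TYPES.QUEST,
 );
+accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.QUEST,
+[],
+);
 break;
 }
 default: {
@@ -853,9 +869,13 @@ export class AppAuthService {
 grantType: string,
 appId: string,
 user,
+session?,
 ): Promise<{ access_token; expiresIn; tokenType }> {
 const context = Context.idDashboard;
-const sessionId = `${appId}_${context}`;
+let sessionId = `${appId}_${context}_${session.userId}`;
+if (session && session.tenantId) {
+sessionId = `${sessionId}_tenant`;
+}
 const savedSession = await redisClient.get(sessionId);
 switch (grantType) {
 case GRANT_TYPES.access_service_ssi:
@@ -909,10 +929,16 @@ export class AppAuthService {
 'Invalid grant type for this service ' + appId,
 ]);
 }
-accessList = getAccessListForModule(
+const defaultAccessList = getAccessListForModule(
 TokenModule.DASHBOARD,
 SERVICE_TYPES.SSI_API,
 );
+accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.SSI_API,
+user.accessList,
+context,
+);
 break;
 }
 case SERVICE_TYPES.CAVACH_API: {
@@ -924,10 +950,16 @@ export class AppAuthService {
 'Invalid grant type for this service ' + appId,
 ]);
 }
-accessList = getAccessListForModule(
+const defaultAccessList = getAccessListForModule(
 TokenModule.DASHBOARD,
 SERVICE_TYPES.CAVACH_API,
 );
+accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.CAVACH_API,
+user.accessList,
+context,
+);
 break;
 }
 case SERVICE_TYPES.QUEST: {
@@ -936,10 +968,16 @@ export class AppAuthService {
 'Invalid grant type for this service ' + appId,
 ]);
 }
-accessList = getAccessListForModule(
+const defaultAccessList = getAccessListForModule(
 TokenModule.DASHBOARD,
 SERVICE_TYPES.QUEST,
 );
+accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.QUEST,
+user.accessList,
+context,
+);
 break;
 }
 default: {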
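Review bot: `session` is declared optional (`session?`) yet `session.userId` is dereferenced unconditionally when `sessionId` is built, one line before the `session && session.tenantId` guard, so a caller that omits it now gets a TypeError where the old code worked; since this method issues tokens and caches per-user access in redis, reject a missing session explicitly instead, e.g. `if (!session?.userId) { throw new <the exception type this method already uses for invalid grants>(['Missing session']); }`, and type the parameter. The `_tenant` suffix records only that a tenant exists, not which one, so sessions of the same `userId` under different tenants share one cache key — if per-tenant access can differ, include `session.tenantId` in the key. In the `APP_AUTH` branches `evaluateAccessPolicy` is called with `[]` and no context, which returns `defaultAccessList` unchanged, so those three calls are no-ops today; if that is intended as a hook it is fine, but the stray blank line inside the `CAVACH_API` argument list should go. `grantPermission`'s signature starts before its hunk and its body continues past it.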
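--- a/src/app-oauth/app-oauth.controller.ts
+++ b/src/app-oauth/app-oauth.controller.ts
@@ -134,9 +134,15 @@ export class AppOauthController {
 @Req() request,
 ): Promise<{ access_token; expiresIn; tokenType }> {
 const { user } = request;
+const { session } = request;
 //
 Logger.log('reGenerateAppSecretKey() method: starts', 'AppOAuthController');
 
-return this.appAuthService.grantPermission(grantType, serviceId, user);
+return this.appAuthService.grantPermission(
+grantType,
+serviceId,
+user,
+session,
+);
 }
 }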
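Review bot: `session` is forwarded from `request.session` without any check, and the service it feeds reads `session.userId` unconditionally, so this route silently depends on whichever guard or middleware populates `request.session` (not visible here); worth confirming that guard is applied to this handler rather than relying on it by convention. The two destructurings can be one line, `const { user, session } = request;`. The method's decorators and signature begin before the hunk.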
Expand Up @@ -104,6 +104,7 @@ export class CustomerOnboardingController {
processCustomerOnboarding(
@Param('id') id: string,
@Body() customerOnboardingProcessDto: CustomerOnboardingProcessDto,
@Req() req,
) {
return this.customerOnboardingService.processCustomerOnboarding(
id,
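Review bot: `@Req() req` is added to `processCustomerOnboarding` without a type, which only compiles with `noImplicitAny` off, and it is not used in the visible part of the method — the service call continues past the hunk, so it may be consumed there. If it is only needed for the caller's identity, prefer typing it (`@Req() req: Request`) or injecting the one field that is needed; if it is unused, drop it.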
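--- a/src/customer-onboarding/services/customer-onboarding.service.ts
+++ b/src/customer-onboarding/services/customer-onboarding.service.ts
@@ -37,7 +37,11 @@ import {
 LogDetail,
 } from '../schemas/customer-onboarding.schema';
 import { AppRepository } from 'src/app-auth/repositories/app.repository';
-import { getAccessListForModule, sanitizeUrl } from 'src/utils/utils';
+import {
+evaluateAccessPolicy,
+getAccessListForModule,
+sanitizeUrl,
+} from 'src/utils/utils';
 import { RoleRepository } from 'src/roles/repository/role.repository';
 import { ONBORDING_CONSTANT_DATA } from '../constants/en';
 import { WebpageConfigService } from 'src/webpage-config/services/webpage-config.service';
@@ -369,6 +373,7 @@ export class CustomerOnboardingService {
 throw new BadRequestException(['Customer onboarding is already done']);
 }
 let onboardingStatus;
+const userDetail = await this.userRepository.findOne({ userId });
 // Process each step
 for (const step of remainingSteps) {
 try {
@@ -472,14 +477,21 @@ export class CustomerOnboardingService {
 });
 }
 const ssiServiceDetail = await redisClient.get(ssiRedisKey);
+const defaultAccessList = getAccessListForModule(
+TokenModule.DASHBOARD,
+SERVICE_TYPES.SSI_API,
+);
+const accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.SSI_API,
+userDetail.accessList,
+Context.idDashboard,
+);
 if (!ssiServiceDetail) {
 await this.appAuthService.storeDataInRedis(
 GRANT_TYPES.access_service_ssi,
 ssiService,
-getAccessListForModule(
-TokenModule.DASHBOARD,
-SERVICE_TYPES.SSI_API,
-),
+accessList,
 ssiRedisKey,
 );
 }
@@ -524,14 +536,21 @@ export class CustomerOnboardingService {
 'CustomerOnboardingService',
 );
 const ssiServiceDetail = await redisClient.get(ssiRedisKey);
+const defaultAccessList = getAccessListForModule(
+TokenModule.DASHBOARD,
+SERVICE_TYPES.SSI_API,
+);
+const accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.SSI_API,
+userDetail.accessList,
+Context.idDashboard,
+);
 if (!ssiServiceDetail) {
 await this.appAuthService.storeDataInRedis(
 GRANT_TYPES.access_service_ssi,
 ssiService,
-getAccessListForModule(
-TokenModule.DASHBOARD,
-SERVICE_TYPES.SSI_API,
-),
+accessList,
 ssiRedisKey,
 );
 }
@@ -707,15 +726,22 @@ export class CustomerOnboardingService {
 appId: customerOnboardingData.kycServiceId,
 });
 }
+const defaultAccessList = getAccessListForModule(
+TokenModule.DASHBOARD,
+SERVICE_TYPES.CAVACH_API,
+);
+const accessList = evaluateAccessPolicy(
+defaultAccessList,
+SERVICE_TYPES.CAVACH_API,
+userDetail.accessList,
+Context.idDashboard,
+);
 const kycServiceDetail = await redisClient.get(kycRedisKey);
 if (!kycServiceDetail) {
 await this.appAuthService.storeDataInRedis(
 GRANT_TYPES.access_service_kyc,
 kycService,
-getAccessListForModule(
-TokenModule.DASHBOARD,
-SERVICE_TYPES.CAVACH_API,
-),
+accessList,
 kycRedisKey,
 );
 }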
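Review bot: `userDetail` from `this.userRepository.findOne({ userId })` is dereferenced as `userDetail.accessList` in three later blocks (presumably the same method, whose body runs past these hunks) with no null check, so a missing user record surfaces as a TypeError inside the step loop instead of a clear error. Add a guard right after the lookup, e.g. `if (!userDetail) { throw new BadRequestException(['User not found']); }`, matching the exception style used just above it. The identical `getAccessListForModule` + `evaluateAccessPolicy` pair is pasted three times and would read better as one private helper taking the service type; note too that the computed `accessList` is only consumed when the redis key is absent, so the lookup could move inside that branch. `processCustomerOnboarding` starts before the first hunk and continues past the last.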
36 changes: 36 additions & 0 deletions src/utils/utils.ts
Expand Up @@ -15,6 +15,7 @@ import {
} from '@nestjs/common';
import { Did } from 'hs-ssi-sdk';
import {
Context,
SERVICE_TYPES,
SERVICES,
} from 'src/supported-service/services/iServiceList';
Expand Down Expand Up @@ -191,3 +192,38 @@ export function getAccessListForModule(
return QUEST_ACCESS_MATRIX[module] || [];
}
}
export const evaluateAccessPolicy = (
defaultAccessList: string[],
serviceType: SERVICE_TYPES,
userAccessList?: {
serviceType: SERVICE_TYPES;
access: string;
expiryDate?: Date;
}[],
context?: string,
): string[] => {
if (!context) {
return defaultAccessList;
}
// will remove it once access lsit in fixed in ssi service
if (serviceType !== SERVICE_TYPES.CAVACH_API) {



Do we need to remove this now?




Yes, it is removed in the latest branch.

return defaultAccessList;
}
if (context === Context.idDashboard) {
// No user access info β†’ Return NO access
if (!userAccessList?.length) {
return [];
}
const userServiceAccess = userAccessList
.filter((a) => a.serviceType === serviceType)
.map((a) => a.access);

// User With ALL access
if (userServiceAccess.includes('ALL')) {
return defaultAccessList;
}
// Intersection rule
return defaultAccessList.filter((p) => userServiceAccess.includes(p));
}
return defaultAccessList;
};
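Review bot: `expiryDate` is declared on each `userAccessList` entry but never consulted, so an expired grant still contributes to `userServiceAccess` and still satisfies the `'ALL'` check; the filter should drop expired entries, e.g. `.filter((a) => a.serviceType === serviceType && (a.expiryDate == null || a.expiryDate > new Date()))` (this assumes `expiryDate` arrives as a `Date` as typed — if persistence hands back a string, convert it first). The closing `return defaultAccessList` also means any context other than `Context.idDashboard` receives the full default list, which is fail-open; returning `[]` for an unrecognised context is the safer default unless other contexts are deliberately unrestricted, in which case a comment saying so belongs there. The `'ALL'` literal deserves a named constant, and the comment on the `!userAccessList?.length` branch carries a mojibake arrow (`β†’`) while the one above it reads "lsit in fixed" for "list is fixed".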