Restrict access based on country

ThomasKranitsas · ThomasKranitsas · commit e0b40e58b40d · 2022-04-05T19:23:29.000+03:00
diff --git a/app-routes.js b/app-routes.js
@@ -45,6 +45,21 @@ module.exports = (app) => {
           }
         })
 
+        if (def.forbiddenCountries) {
+          actions.push(async (req, res, next) => {
+            if (req.authUser.isMachine) {
+              next()
+            } else {
+              req.authUser.userId = String(req.authUser.userId)
+              const user = await helper.getMemberById(req.authUser.userId)
+              if (!user || _.intersection([user.homeCountryCode, user.competitionCountryCode], def.forbiddenCountries).length > 0) {
+                throw new errors.ForbiddenError('Access denied')
+              }
+              next()
+            }
+          })
+        }
+
         if (!def.allowAnonymous) {
           actions.push((req, res, next) => {
             if (req.authUser.isMachine) {
diff --git a/config/default.js b/config/default.js
@@ -68,5 +68,25 @@ module.exports = {
   RESOURCE_ROLE_CREATE_TOPIC: process.env.RESOURCE_ROLE_CREATE_TOPIC || 'challenge.action.resource.role.create',
   RESOURCE_ROLE_UPDATE_TOPIC: process.env.RESOURCE_ROLE_UPDATE_TOPIC || 'challenge.action.resource.role.update',
 
-  AUTOMATED_TESTING_NAME_PREFIX: process.env.AUTOMATED_TESTING_NAME_PREFIX || 'POSTMANE2E-'
+  AUTOMATED_TESTING_NAME_PREFIX: process.env.AUTOMATED_TESTING_NAME_PREFIX || 'POSTMANE2E-',
+
+  FORBIDDEN_COUNTRIES: [
+    'Iran',
+    'North Korea',
+    'Cuba',
+    'Sudan',
+    'Syria',
+    'Belarus',
+    'Russia',
+    'Russian Federation'
+  ],
+  FORBIDDEN_COUNTRIES_ALPHA_3: [
+    'IRN',
+    'PRK',
+    'CUB',
+    'SDN', 'SSD', // (south sudan)
+    'SYR',
+    'BLR',
+    'RUS'
+  ]
 }
diff --git a/src/common/helper.js b/src/common/helper.js
@@ -156,6 +156,16 @@ async function getMemberInfoById (id) {
   return memberInfo
 }
 
+/**
+ * Get Member by memberId from the API
+ * @param {String} id The user ID
+ * @returns {Promise<void>}
+ */
+async function getMemberById (id) {
+  const res = await getRequest(`${config.MEMBER_API_URL}?userId=${id}`)
+  return _.get(res, 'data[0]')
+}
+
 /**
  * Get Data by model id
  * @param {String} handle The member handle
@@ -483,5 +493,6 @@ module.exports = {
   getAllPages,
   getESClient,
   checkAgreedTerms,
-  postRequest
+  postRequest,
+  getMemberById
 }
diff --git a/src/routes.js b/src/routes.js
@@ -3,7 +3,11 @@
  */
 
 const constants = require('../app-constants')
-const { SCOPES: { READ, CREATE, DELETE, UPDATE, ALL } } = require('config')
+const {
+  SCOPES: { READ, CREATE, DELETE, UPDATE, ALL },
+  FORBIDDEN_COUNTRIES,
+  FORBIDDEN_COUNTRIES_ALPHA_3
+} = require('config')
 
 module.exports = {
   '/resources': {
@@ -20,7 +24,8 @@ module.exports = {
       method: 'createResource',
       auth: 'jwt',
       access: [constants.UserRoles.Admin, constants.UserRoles.Copilot, constants.UserRoles.Manager, constants.UserRoles.User],
-      scopes: [CREATE, ALL]
+      scopes: [CREATE, ALL],
+      forbiddenCountries: [...FORBIDDEN_COUNTRIES, ...FORBIDDEN_COUNTRIES_ALPHA_3]
     },
     delete: {
       controller: 'ResourceController',
