[$100] Support M2M tokens

[maxceem]

We need to allow calling TaaS API using M2M tokens.

• We can follow Challenge API as an example for implementation https://github.com/topcoder-platform/challenge-api/blob/develop/app-routes.js

• We should be able to configs scopes per route like this https://github.com/topcoder-platform/challenge-api/blob/develop/src/routes.js#L20

• Support and config scopes per entity:

  • For teams: read:taas-teams
  • For jobs: read:taas-jobs, create:taas-jobs, delete:taas-jobs, update:taas-jobs, all:taas-jobs
  • For job candidates: read:taas-jobCandidates, create:taas-jobCandidates, delete:taas-jobCandidates, update:taas-jobCandidates, all:taas-jobCandidates
  • For resource bookings: read:taas-resourceBookings, create:taas-resourceBookings, delete:taas-resourceBookings, update:taas-resourceBookings, all:taas-resourceBookings

[maxceem]

@imcaizheng you may pick it up if you are interested.

[imcaizheng]

@maxceem
PR created #43

There is a minor issue, when GET /taas-teams/:id with m2m token, it would fail with the following message:

[2020-12-04T13:17:33.868Z] TeamService getTeam ERROR : cannot GET /v5/projects/111 (403)

Beside that, other endpoints work well with m2m access. Will look into that issue later.

[maxceem]

Thanks, @imcaizheng.

I think project service returns an error because it requires M2M token to have proper scopes all:projects or read:projects. And for other Project API endpoints, you may check required scopes here https://htmlpreview.github.io/?https://github.com/topcoder-platform/tc-project-service/blob/develop/docs/permissions.html.

[imcaizheng]

@maxceem
I tried to capture the token generated from helper.getM2Mtoken() https://github.com/topcoder-platform/taas-apis/blob/feature/integration-test-fix/src/common/helper.js#L206
but I cannot find read:projects or all:projects inside the payload of the token. Here is the payload:

{
  "iss": "https://topcoder-dev.auth0.com/",
  "sub": "LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5@clients",
  "aud": "https://u-bahn.topcoder.com",
  "iat": 1607058602,
  "exp": 1607145002,
  "azp": "LEyCiuOrHc7UAFoY0EAAhMulWSX7SrQ5",
  "scope": "read:user all:user create:user update:user delete:user all:achievement create:achievement update:achievement read:achievement delete:achievement read:achievementsProvider all:achievementsProvider update:achievementsProvider delete:achievementsProvider read:attribute all:attribute update:attribute delete:attribute read:attributeGroup all:attributeGroup create:attributeGroup update:attributeGroup delete:attributeGroup read:externalProfile all:externalProfile create:externalProfile delete:externalProfile read:organization all:organization create:organization delete:organization read:role all:role create:role update:role delete:role read:skill all:skill create:skill update:skill delete:skill read:skillsProvider all:skillsProvider create:skillsProvider update:skillsProvider delete:skillsProvider read:userAttribute all:userAttribute create:userAttribute update:userAttribute delete:userAttribute read:usersRole all:usersRole create:usersRole update:usersRole delete:usersRole read:usersSkill all:usersSkill create:usersSkill update:usersSkill delete:usersSkill read:group all:group update:group create:group delete:group update:externalProfile update:organization create:achievementsProvider create:upload update:upload all:upload create:template read:upload read:template all:template update:template delete:upload delete:template create:attribute",
  "gty": "client-credentials"
}

Do you have any idea how to configure AUTH0 related parameters to get tokens that can access /v5/projects?

[maxceem]

Thanks for the details @imcaizheng. I would check If we have any good way of testing it.

To configure AUTH0 token we would need to ask the Topcoder infrastructure team, so this may take some time.

[maxceem]

Contest https://www.topcoder.com/challenges/30156200 has been created for this ticket.

This is an automated message for maxceem via Topcoder X

[maxceem]

Contest https://www.topcoder.com/challenges/30156200 has been updated - it has been assigned to aaron2017.

This is an automated message for maxceem via Topcoder X

[maxceem]

@imcaizheng could you, please, let me know what secret did you use to sign the tokens in Postman file?

[maxceem]

Works great for me locally.
Would merge it as soon as merge conflicts are resulted.

Issue with getting the team by id should be resolved when we add scope read:projects to the Auth0 config which we use in TaaS API on DEV so this method https://github.com/topcoder-platform/taas-apis/blob/feature/integration-test-fix/src/common/helper.js#L198-L200 returns a token which is allowed to call Projects API GET /projects/:id for any project.

[maxceem]

@nkumar-topcoder I've resolved conflicts and merged to DEV for testing.

[imcaizheng]

@maxceem I guess you already found out the secret is mysecret. It can be found at config/default.js, assigned to the AUTH_SECRET parameter.

[maxceem]

It has been tested e2e, and Connect App (using Projects API) creates Jobs in TaaS API using M2M token and it works great.

Thanks, @imcaizheng.

[maxceem]

Payment task has been updated: https://software.topcoder.com/review/actions/ViewProjectDetails?pid=30156200

This is an automated message for maxceem via Topcoder X