@optimizely-opal/opal-tool-ocp-sdk 0.0.0-OCP-1487.4 → 0.0.0-OCP-1487.6

package/src/auth/AuthUtils.ts

@@ -3,64 +3,115 @@ import { getTokenVerifier } from './TokenVerifier';
 import { OptiIdAuthData } from '../types/Models';
 
 /**
- * Common authentication utilities for all function types
+ * Validate the OptiID access token
+ *
+ * @param accessToken - The access token to validate
+ * @returns true if the token is valid
  */
-export class AuthUtils {
-
-  /**
-   * Validate the OptiID access token
-   *
-   * @param accessToken - The access token to validate
-   * @returns true if the token is valid
-   */
-  public static async validateAccessToken(accessToken: string | undefined): Promise<boolean> {
-    try {
-      if (!accessToken) {
-        return false;
-      }
-      const tokenVerifier = await getTokenVerifier();
-      return await tokenVerifier.verify(accessToken);
-    } catch (error) {
-      logger.error('OptiID token validation failed:', error);
+async function validateAccessToken(accessToken: string | undefined): Promise<boolean> {
+  try {
+    if (!accessToken) {
       return false;
     }
+    const tokenVerifier = await getTokenVerifier();
+    return await tokenVerifier.verify(accessToken);
+  } catch (error) {
+    logger.error('OptiID token validation failed:', error);
+    return false;
   }
+}
 
-  /**
-   * Extract and validate basic OptiID authentication data from request
-   *
-   * @param request - The incoming request
-   * @returns object with authData and accessToken, or null if invalid
-   */
-  public static extractAuthData(request: any): { authData: OptiIdAuthData; accessToken: string } | null {
-    const authData = request?.bodyJSON?.auth as OptiIdAuthData;
-    const accessToken = authData?.credentials?.access_token;
-    if (!accessToken || authData?.provider?.toLowerCase() !== 'optiid') {
-      logger.error('OptiID token is required but not provided');
-      return null;
-    }
+/**
+ * Extract and validate basic OptiID authentication data from request
+ *
+ * @param request - The incoming request
+ * @returns object with authData and accessToken, or null if invalid
+ */
+function extractAuthData(request: any): { authData: OptiIdAuthData; accessToken: string } | null {
+  const authData = request?.bodyJSON?.auth as OptiIdAuthData;
+  const accessToken = authData?.credentials?.access_token;
+  if (!accessToken || authData?.provider?.toLowerCase() !== 'optiid') {
+    logger.error('OptiID token is required but not provided');
+    return null;
+  }
+
+  return { authData, accessToken };
+}
+
+/**
+ * Validate organization ID matches the app context
+ *
+ * @param customerId - The customer ID from the auth data
+ * @returns true if the organization ID is valid
+ */
+function validateOrganizationId(customerId: string | undefined): boolean {
+  if (!customerId) {
+    logger.error('Organisation ID is required but not provided');
+    return false;
+  }
 
-    return { authData, accessToken };
+  const appOrganisationId = getAppContext()?.account?.organizationId;
+  if (customerId !== appOrganisationId) {
+    logger.error(`Invalid organisation ID: expected ${appOrganisationId}, received ${customerId}`);
+    return false;
   }
 
-  /**
-   * Validate organization ID matches the app context
-   *
-   * @param customerId - The customer ID from the auth data
-   * @returns true if the organization ID is valid
-   */
-  public static validateOrganizationId(customerId: string | undefined): boolean {
-    if (!customerId) {
-      logger.error('Organisation ID is required but not provided');
-      return false;
-    }
+  return true;
+}
 
-    const appOrganisationId = getAppContext()?.account?.organizationId;
-    if (customerId !== appOrganisationId) {
-      logger.error(`Invalid organisation ID: expected ${appOrganisationId}, received ${customerId}`);
-      return false;
-    }
+/**
+ * Check if a request should skip authentication (discovery/ready endpoints)
+ *
+ * @param request - The incoming request
+ * @returns true if auth should be skipped
+ */
+function shouldSkipAuth(request: any): boolean {
+  return request.path === '/discovery' || request.path === '/ready';
+}
 
+/**
+ * Core authentication flow - extracts auth data and validates token
+ *
+ * @param request - The incoming request
+ * @param validateOrg - Whether to validate organization ID
+ * @returns true if authentication succeeds
+ */
+async function authenticateRequest(request: any, validateOrg: boolean = false): Promise<boolean> {
+  if (shouldSkipAuth(request)) {
     return true;
   }
+
+  const authInfo = extractAuthData(request);
+  if (!authInfo) {
+    return false;
+  }
+
+  const { authData, accessToken } = authInfo;
+
+  // Validate organization ID if required
+  if (validateOrg && !validateOrganizationId(authData.credentials?.customer_id)) {
+    return false;
+  }
+
+  return await validateAccessToken(accessToken);
+}
+
+/**
+ * Authorize a request for regular functions (with organization validation)
+ *
+ * @param request - The incoming request
+ * @returns true if authentication and authorization succeed
+ */
+export async function authorizeRegularRequest(request: any): Promise<boolean> {
+  return await authenticateRequest(request, true);
+}
+
+/**
+ * Authorize a request for global functions (without organization validation)
+ *
+ * @param request - The incoming request
+ * @returns true if authentication succeeds
+ */
+export async function authorizeGlobalRequest(request: any): Promise<boolean> {
+  return await authenticateRequest(request, false);
 }

package/src/decorator/Decorator.test.ts

@@ -36,7 +36,8 @@ describe('Decorators', () => {
         expect.any(Function),
         [],
         '/test-tool',
-        []
+        [],
+        false
       );
 
       // Ensure TestClass is considered "used" by TypeScript
@@ -78,7 +79,8 @@ describe('Decorators', () => {
           })
         ]),
         '/tool-with-params',
-        []
+        [],
+        false
       );
 
       // Ensure TestClass is considered "used" by TypeScript
@@ -119,7 +121,8 @@ describe('Decorators', () => {
             scopeBundle: 'calendar',
             required: true
           })
-        ])
+        ]),
+        false
       );
 
       // Ensure TestClass is considered "used" by TypeScript
@@ -200,7 +203,8 @@ describe('Decorators', () => {
             scopeBundle: 'drive',
             required: false
           })
-        ])
+        ]),
+        false
       );
 
       // Ensure TestClass is considered "used" by TypeScript
@@ -228,7 +232,8 @@ describe('Decorators', () => {
         expect.any(Function),
         [],
         '/empty-params',
-        []
+        [],
+        false
       );
 
       expect(TestClass).toBeDefined();
@@ -256,7 +261,8 @@ describe('Decorators', () => {
         expect.any(Function),
         [],
         '/no-auth',
-        []
+        [],
+        false
       );
 
       expect(TestClass).toBeDefined();
@@ -323,7 +329,8 @@ describe('Decorators', () => {
           expect.objectContaining({ name: 'dictParam', type: ParameterType.Dictionary })
         ]),
         '/multi-type',
-        []
+        [],
+        false
       );
     });
   });
@@ -442,7 +449,8 @@ describe('Decorators', () => {
           })
         ]),
         '/mixed-tool',
-        []
+        [],
+        false
       );
 
       expect(toolsService.registerInteraction).toHaveBeenCalledWith(
@@ -489,7 +497,8 @@ describe('Decorators', () => {
             scopeBundle: 'calendar',
             required: true // Should default to true
           })
-        ])
+        ]),
+        false
       );
     });
 
@@ -515,7 +524,8 @@ describe('Decorators', () => {
         expect.any(Function),
         [], // Should be empty array when parameters is undefined
         '/undefined-arrays',
-        [] // Should be empty array when authRequirements is undefined
+        [], // Should be empty array when authRequirements is undefined
+        false
       );
     });
   });
@@ -645,5 +655,37 @@ describe('Decorators', () => {
       expect(TestClass).toBeDefined();
     });
   });
+
+  describe('global tool registration', () => {
+    it('should register a global tool with isGlobal: true', () => {
+      const config = {
+        name: 'globalTool',
+        description: 'A global tool',
+        parameters: [],
+        endpoint: '/global-tool',
+        authRequirements: [],
+        isGlobal: true
+      };
+
+      class GlobalTestClass {
+        @tool(config)
+        public async testTool(): Promise<{ result: string }> {
+          return { result: 'global-tool-result' };
+        }
+      }
+
+      expect(toolsService.registerTool).toHaveBeenCalledWith(
+        'globalTool',
+        'A global tool',
+        expect.any(Function),
+        [],
+        '/global-tool',
+        [],
+        true
+      );
+
+      expect(GlobalTestClass).toBeDefined();
+    });
+  });
 });
 

package/src/decorator/Decorator.ts

@@ -10,6 +10,7 @@ export interface ToolConfig {
   parameters: ParameterConfig[];
   authRequirements?: AuthRequirementConfig[];
   endpoint: string;
+  isGlobal?: boolean;
 }
 
 /**
@@ -76,7 +77,8 @@ export function tool(config: ToolConfig) {
       boundHandler,
       parameters,
       config.endpoint,
-      authRequirements
+      authRequirements,
+      config.isGlobal || false
     );
   };
 }

package/src/function/GlobalToolFunction.ts

@@ -1,5 +1,5 @@
 import { GlobalFunction, Response, amendLogContext } from '@zaiusinc/app-sdk';
-import { AuthUtils } from '../auth/AuthUtils';
+import { authorizeGlobalRequest } from '../auth/AuthUtils';
 import { toolsService } from '../service/Service';
 
 /**
@@ -41,21 +41,9 @@ export abstract class GlobalToolFunction extends GlobalFunction {
   /**
    * Authenticate the incoming request by validating only the OptiID token
    *
-   * @param request - The incoming request
    * @returns true if authentication succeeds
    */
   private async authorizeRequest(): Promise<boolean> {
-    if (this.request.path === '/discovery' || this.request.path === '/ready') {
-      return true;
-    }
-
-    const authInfo = AuthUtils.extractAuthData(this.request);
-    if (!authInfo) {
-      return false;
-    }
-
-    const { accessToken } = authInfo;
-
-    return await AuthUtils.validateAccessToken(accessToken);
+    return await authorizeGlobalRequest(this.request);
   }
 }

package/src/function/ToolFunction.ts

@@ -1,5 +1,5 @@
 import { Function, Response, amendLogContext } from '@zaiusinc/app-sdk';
-import { AuthUtils } from '../auth/AuthUtils';
+import { authorizeRegularRequest } from '../auth/AuthUtils';
 import { toolsService } from '../service/Service';
 
 /**
@@ -40,25 +40,9 @@ export abstract class ToolFunction extends Function {
   /**
    * Authenticate the incoming request by validating the OptiID token and organization ID
    *
-   * @param request - The incoming request
    * @returns true if authentication succeeds
    */
   private async authorizeRequest(): Promise<boolean> {
-    if (this.request.path === '/discovery' || this.request.path === '/ready') {
-      return true;
-    }
-
-    const authInfo = AuthUtils.extractAuthData(this.request);
-    if (!authInfo) {
-      return false;
-    }
-
-    const { authData, accessToken } = authInfo;
-
-    if (!AuthUtils.validateOrganizationId(authData.credentials?.customer_id)) {
-      return false;
-    }
-
-    return await AuthUtils.validateAccessToken(accessToken);
+    return await authorizeRegularRequest(this.request);
   }
 }

package/src/service/Service.ts

@@ -160,8 +160,10 @@ export class ToolsService {
     this.interactions.set(endpoint, func);
   }
 
-  public async processRequest(req: App.Request,
-                              functionContext: ToolFunction | GlobalToolFunction): Promise<App.Response> {
+  public async processRequest(
+    req: App.Request,
+    functionContext: ToolFunction | GlobalToolFunction
+  ): Promise<App.Response> {
     if (req.path === '/discovery') {
       return this.handleDiscovery(functionContext);
     } else {