@optimizely-opal/opal-tool-ocp-sdk 0.0.0-OCP-1487.5 → 0.0.0-OCP-1487.7

package/src/auth/AuthUtils.ts

@@ -3,64 +3,115 @@ import { getTokenVerifier } from './TokenVerifier';
 import { OptiIdAuthData } from '../types/Models';
 
 /**
- * Common authentication utilities for all function types
+ * Validate the OptiID access token
+ *
+ * @param accessToken - The access token to validate
+ * @returns true if the token is valid
  */
-export class AuthUtils {
-
-  /**
-   * Validate the OptiID access token
-   *
-   * @param accessToken - The access token to validate
-   * @returns true if the token is valid
-   */
-  public static async validateAccessToken(accessToken: string | undefined): Promise<boolean> {
-    try {
-      if (!accessToken) {
-        return false;
-      }
-      const tokenVerifier = await getTokenVerifier();
-      return await tokenVerifier.verify(accessToken);
-    } catch (error) {
-      logger.error('OptiID token validation failed:', error);
+async function validateAccessToken(accessToken: string | undefined): Promise<boolean> {
+  try {
+    if (!accessToken) {
       return false;
     }
+    const tokenVerifier = await getTokenVerifier();
+    return await tokenVerifier.verify(accessToken);
+  } catch (error) {
+    logger.error('OptiID token validation failed:', error);
+    return false;
   }
+}
 
-  /**
-   * Extract and validate basic OptiID authentication data from request
-   *
-   * @param request - The incoming request
-   * @returns object with authData and accessToken, or null if invalid
-   */
-  public static extractAuthData(request: any): { authData: OptiIdAuthData; accessToken: string } | null {
-    const authData = request?.bodyJSON?.auth as OptiIdAuthData;
-    const accessToken = authData?.credentials?.access_token;
-    if (!accessToken || authData?.provider?.toLowerCase() !== 'optiid') {
-      logger.error('OptiID token is required but not provided');
-      return null;
-    }
+/**
+ * Extract and validate basic OptiID authentication data from request
+ *
+ * @param request - The incoming request
+ * @returns object with authData and accessToken, or null if invalid
+ */
+function extractAuthData(request: any): { authData: OptiIdAuthData; accessToken: string } | null {
+  const authData = request?.bodyJSON?.auth as OptiIdAuthData;
+  const accessToken = authData?.credentials?.access_token;
+  if (!accessToken || authData?.provider?.toLowerCase() !== 'optiid') {
+    logger.error('OptiID token is required but not provided');
+    return null;
+  }
+
+  return { authData, accessToken };
+}
+
+/**
+ * Validate organization ID matches the app context
+ *
+ * @param customerId - The customer ID from the auth data
+ * @returns true if the organization ID is valid
+ */
+function validateOrganizationId(customerId: string | undefined): boolean {
+  if (!customerId) {
+    logger.error('Organisation ID is required but not provided');
+    return false;
+  }
 
-    return { authData, accessToken };
+  const appOrganisationId = getAppContext()?.account?.organizationId;
+  if (customerId !== appOrganisationId) {
+    logger.error(`Invalid organisation ID: expected ${appOrganisationId}, received ${customerId}`);
+    return false;
   }
 
-  /**
-   * Validate organization ID matches the app context
-   *
-   * @param customerId - The customer ID from the auth data
-   * @returns true if the organization ID is valid
-   */
-  public static validateOrganizationId(customerId: string | undefined): boolean {
-    if (!customerId) {
-      logger.error('Organisation ID is required but not provided');
-      return false;
-    }
+  return true;
+}
 
-    const appOrganisationId = getAppContext()?.account?.organizationId;
-    if (customerId !== appOrganisationId) {
-      logger.error(`Invalid organisation ID: expected ${appOrganisationId}, received ${customerId}`);
-      return false;
-    }
+/**
+ * Check if a request should skip authentication (discovery/ready endpoints)
+ *
+ * @param request - The incoming request
+ * @returns true if auth should be skipped
+ */
+function shouldSkipAuth(request: any): boolean {
+  return request.path === '/discovery' || request.path === '/ready';
+}
 
+/**
+ * Core authentication flow - extracts auth data and validates token
+ *
+ * @param request - The incoming request
+ * @param validateOrg - Whether to validate organization ID
+ * @returns true if authentication succeeds
+ */
+async function authenticateRequest(request: any, validateOrg: boolean = false): Promise<boolean> {
+  if (shouldSkipAuth(request)) {
     return true;
   }
+
+  const authInfo = extractAuthData(request);
+  if (!authInfo) {
+    return false;
+  }
+
+  const { authData, accessToken } = authInfo;
+
+  // Validate organization ID if required
+  if (validateOrg && !validateOrganizationId(authData.credentials?.customer_id)) {
+    return false;
+  }
+
+  return await validateAccessToken(accessToken);
+}
+
+/**
+ * Authenticate a request for regular functions (with organization validation)
+ *
+ * @param request - The incoming request
+ * @returns true if authentication and authorization succeed
+ */
+export async function authenticateRegularRequest(request: any): Promise<boolean> {
+  return await authenticateRequest(request, true);
+}
+
+/**
+ * Authenticate a request for global functions (without organization validation)
+ *
+ * @param request - The incoming request
+ * @returns true if authentication succeeds
+ */
+export async function authenticateGlobalRequest(request: any): Promise<boolean> {
+  return await authenticateRequest(request, false);
 }

package/src/function/GlobalToolFunction.ts

@@ -1,5 +1,5 @@
 import { GlobalFunction, Response, amendLogContext } from '@zaiusinc/app-sdk';
-import { AuthUtils } from '../auth/AuthUtils';
+import { authenticateGlobalRequest } from '../auth/AuthUtils';
 import { toolsService } from '../service/Service';
 
 /**
@@ -41,21 +41,9 @@ export abstract class GlobalToolFunction extends GlobalFunction {
   /**
    * Authenticate the incoming request by validating only the OptiID token
    *
-   * @param request - The incoming request
    * @returns true if authentication succeeds
    */
   private async authorizeRequest(): Promise<boolean> {
-    if (this.request.path === '/discovery' || this.request.path === '/ready') {
-      return true;
-    }
-
-    const authInfo = AuthUtils.extractAuthData(this.request);
-    if (!authInfo) {
-      return false;
-    }
-
-    const { accessToken } = authInfo;
-
-    return await AuthUtils.validateAccessToken(accessToken);
+    return await authenticateGlobalRequest(this.request);
   }
 }

package/src/function/ToolFunction.ts

@@ -1,5 +1,5 @@
 import { Function, Response, amendLogContext } from '@zaiusinc/app-sdk';
-import { AuthUtils } from '../auth/AuthUtils';
+import { authenticateRegularRequest } from '../auth/AuthUtils';
 import { toolsService } from '../service/Service';
 
 /**
@@ -40,25 +40,9 @@ export abstract class ToolFunction extends Function {
   /**
    * Authenticate the incoming request by validating the OptiID token and organization ID
    *
-   * @param request - The incoming request
    * @returns true if authentication succeeds
    */
   private async authorizeRequest(): Promise<boolean> {
-    if (this.request.path === '/discovery' || this.request.path === '/ready') {
-      return true;
-    }
-
-    const authInfo = AuthUtils.extractAuthData(this.request);
-    if (!authInfo) {
-      return false;
-    }
-
-    const { authData, accessToken } = authInfo;
-
-    if (!AuthUtils.validateOrganizationId(authData.credentials?.customer_id)) {
-      return false;
-    }
-
-    return await AuthUtils.validateAccessToken(accessToken);
+    return await authenticateRegularRequest(this.request);
   }
 }