chore(auth): allow profile scope on App Store registration route

Because: * The VPN team needs to migrate existing Apple IAP users to SubPlat. * They only have the 'profile' scope in this context. This commit: * Allows the 'profile:subscriptions' scope, which is a subset of the 'profile' scope, in the App Store registration route. Notes: * This is a temporary change that should be reverted once the migrations are completed successfully (see FXA-5848). Closes #FXA-5833
mozilla · Aug 31, 2022 · c2c4ea0 · c2c4ea0
1 parent 2ade9a5
commit c2c4ea0
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 6 deletions.
diff --git a/packages/fxa-auth-server/lib/routes/subscriptions/apple.ts b/packages/fxa-auth-server/lib/routes/subscriptions/apple.ts
@@ -2,9 +2,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 import { ServerRoute } from '@hapi/hapi';
-import isA from 'joi';
 import { DecodedNotificationPayload } from 'app-store-server-api';
 import { OAUTH_SCOPE_SUBSCRIPTIONS_IAP } from 'fxa-shared/oauth/constants';
+import ScopeSet from 'fxa-shared/oauth/scopes';
+import isA from 'joi';
 import { Container } from 'typedi';
 
 import SUBSCRIPTIONS_DOCS from '../../../docs/swagger/subscriptions-api';
@@ -14,7 +15,6 @@ import { AppleIAP } from '../../payments/iap/apple-app-store/apple-iap';
 import { PurchaseUpdateError } from '../../payments/iap/apple-app-store/types/errors';
 import { IAPConfig } from '../../payments/iap/iap-config';
 import { AuthLogger, AuthRequest } from '../../types';
-import { handleAuthScoped } from './utils';
 
 export class AppleIapHandler {
   private log: AuthLogger;
@@ -86,9 +86,18 @@ export class AppleIapHandler {
    */
   public async registerOriginalTransactionId(request: AuthRequest) {
     this.log.begin('appleIap.registerOriginalTransactionId', request);
-    const { uid } = handleAuthScoped(request.auth, [
+    const { auth } = request;
+    const scopes = [
       OAUTH_SCOPE_SUBSCRIPTIONS_IAP,
-    ]);
+      // FIXME: Remove this scope and use `handleAuthScoped` instead of below logic
+      // once VPN migration is complete (FXA-5848).
+      'profile:subscriptions',
+    ];
+    const scope = ScopeSet.fromArray(auth.credentials.scope);
+    if (!scopes.some((requiredScope) => scope.contains(requiredScope))) {
+      throw error.invalidScopes();
+    }
+    const { user: uid } = auth.credentials;
 
     const { appName } = request.params;
     const { originalTransactionId } = request.payload as any;
@@ -102,7 +111,7 @@ export class AppleIapHandler {
       purchase = await this.appStore.purchaseManager.registerToUserAccount(
         bundleId,
         originalTransactionId,
-        uid
+        uid as string
       );
     } catch (err) {
       switch (err.name) {
@@ -120,7 +129,7 @@ export class AppleIapHandler {
           );
       }
     }
-    await this.capabilityService.iapUpdate(uid, purchase);
+    await this.capabilityService.iapUpdate(uid as string, purchase);
     return { transactionIdValid: true };
   }
 }

diff --git a/packages/fxa-auth-server/test/local/routes/subscriptions/apple.js b/packages/fxa-auth-server/test/local/routes/subscriptions/apple.js
@@ -84,6 +84,15 @@ describe('AppleIapHandler', () => {
       assert.deepEqual(result, { transactionIdValid: true });
     });
 
+    it('accepts a "profile" scope for auth', async () => {
+      request.auth.credentials.scope = ['profile'];
+      appleIap.purchaseManager = {
+        registerToUserAccount: sinon.fake.resolves({}),
+      };
+      iapConfig.getBundleId = sinon.fake.resolves('testPackage');
+      await appleIapHandler.registerOriginalTransactionId(request);
+    });
+
     it('throws on invalid package', async () => {
       appleIap.purchaseManager = {
         registerToUserAccount: sinon.fake.resolves({}),