
feat(ids-admin): Enable delegation settings for normal users #15181

Merged
merged 4 commits into from
Jun 19, 2024

Conversation

saevarma
Member

@saevarma saevarma commented Jun 11, 2024

What

  • Enable delegation settings for normal users on both applications and permissions
  • Enable access control settings on permission
  • Update description on access control section in permissions.
  • Reorder access control vs delegation sections in permissions.

Why

We are now onboarding more organisations and we want them to be able to configure their own delegation settings.

Screenshots / Gifs

N/A

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • Formatting passes locally with my changes
  • I have rebased against main before asking for a review

Summary by CodeRabbit

  • New Features

    • Added new fields for consent, offline access, and PKCE requirement in client settings.
  • Improvements

    • Enhanced descriptions for access control and user scope permissions for better clarity.
  • Bug Fixes

    • Removed unnecessary super admin checks and conditions, simplifying the UI and logic for delegation settings and permission editing.
  • Tests

    • Updated test cases to reflect changes in client and scope fields, ensuring accurate coverage.

…ields on permissions.

Remove isSuperAdmin check in delegation section in application.
Remove unused variable.
@saevarma saevarma requested review from a team as code owners June 11, 2024 12:20
Contributor

coderabbitai bot commented Jun 11, 2024

Walkthrough

The recent changes primarily focus on refining the authorization and delegation functionalities within the authentication API and admin portals. Key modifications include the removal of unnecessary delegation types and API scope fields, updates to consent and access control features, and adjustments to the UI elements and test cases to reflect these changes. The goal is to streamline the authorization process and enhance the clarity and manageability of permissions and client configurations.

Changes

File Path Change Summary
libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts Removed delegation types and API scope fields; added fields for consent, offline access, and PKCE requirement.
libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts Removed imports related to AuthDelegationProvider, AuthDelegationType, and DelegationTypeModel.
libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts Redefined superUserScopeFields as an empty array with added comments.
libs/portals/admin/ids-admin/src/lib/messages.ts Updated default messages for isAccessControlledDescription and grantToAuthenticatedUserDescription for better clarity.
libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx Removed isSuperAdmin condition while retaining isMachineApplication condition for component rendering.
libs/portals/admin/ids-admin/src/screens/Client/components/Delegation.tsx Removed usage of isSuperAdmin to disable UI elements related to delegation settings.
libs/portals/admin/ids-admin/src/screens/Permission/EditPermission.tsx Removed useSuperAdmin hook and reordered component rendering within EditPermission component.
apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts Removed promptDelegations and requireApiScopes fields; added allowedAcr field within typeSpecificDefaults object.
apps/services/auth/admin-api/src/app/v2/scopes/test/me-scopes.spec.ts Removed test case related to updating a scope when the user is not a super user and the input contains super user fields.

@saevarma saevarma added the automerge Merge this PR as soon as all checks pass label Jun 11, 2024

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Outside diff range and nitpick comments (3)
libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts (3)

Line range hint 28-41: Remove invalid decorator usage.

The @InjectModel decorators are incorrectly placed on class properties, which is not valid in TypeScript. Decorators can only be used on class declarations, class expressions, class methods, or method parameters. To fix this, you should move these decorators inside the constructor and use them on the constructor parameters.

- @InjectModel(ApiScope)
- private readonly apiScope: typeof ApiScope,
- @InjectModel(ApiScopeUserClaim)
- private readonly apiScopeUserClaim: typeof ApiScopeUserClaim,
- @InjectModel(ApiScopeDelegationType)
- private readonly apiScopeDelegationType: typeof ApiScopeDelegationType,
+ constructor(
+   @InjectModel(ApiScope) private readonly apiScope: typeof ApiScope,
+   @InjectModel(ApiScopeUserClaim) private readonly apiScopeUserClaim: typeof ApiScopeUserClaim,
+   @InjectModel(ApiScopeDelegationType) private readonly apiScopeDelegationType: typeof ApiScopeDelegationType,
+   private readonly adminTranslationService: AdminTranslationService,
+   private readonly translationService: TranslationService,
+   private sequelize: Sequelize,
+ ) {}
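Review bot: The `-` lines at the top of this hunk already use parameter-property syntax (`private readonly apiScope: typeof ApiScope,`), which is only legal inside a constructor parameter list, so the decorators are almost certainly already on constructor parameters and the Biome "Decorators are not valid here" error is a parser setting rather than a code defect; the tool's own hint says to enable `unsafeParameterDecoratorsEnabled`. Fix the linter configuration instead of rewriting the constructor, and confirm that `ApiScopeDelegationType` is still imported after this PR's import cleanup, since the suggested constructor keeps injecting it.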

Line range hint 44-63: Consider optimizing the sorting of API scopes.

Currently, the API scopes are sorted in the application layer after retrieval from the database. This could potentially lead to performance issues if the number of scopes is large. Consider modifying the SQL query to include an ORDER BY clause, which would perform the sorting at the database level, likely improving performance.

- const apiScopes = await this.apiScope.findAll({
-   where: {
-     domainName: tenantId,
-     enabled: true,
-   },
-   include: [
-     { model: ApiScopeDelegationType, as: 'supportedDelegationTypes' },
-   ],
- })
+ const apiScopes = await this.apiScope.findAll({
+   where: {
+     domainName: tenantId,
+     enabled: true,
+   },
+   order: [['name', 'ASC']],
+   include: [
+     { model: ApiScopeDelegationType, as: 'supportedDelegationTypes' },
+   ],
+ })
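Review bot: Adding `order: [['name', 'ASC']]` only helps if the application-layer sort the comment refers to is removed in the same change; the hunk does not touch it, so as written the scopes would be sorted twice. When editing this query, keep the `where` block (`domainName: tenantId`, `enabled: true`) exactly as it is: the tenant filter is what confines the listing to the caller's own tenant, and a reordering of the options object is an easy place to drop a condition by accident.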
Tools
Biome

[error] 41-41: Decorators are not valid here. (parse)

Decorators are only valid on class declarations, class expressions, and class methods.
You can enable parameter decorators by setting the unsafeParameterDecoratorsEnabled option to true in your configuration file.


Line range hint 109-150: Enhance error messages for better debugging and user feedback.

The error messages in the createScope method could be more descriptive to aid in debugging and provide better feedback to the user. Consider including more context in the messages, such as the invalid input values.

- throw new BadRequestException(`Invalid scope name: "${input.name}"`)
+ throw new BadRequestException(`Invalid scope name provided: "${input.name}". Scope names must start with the tenant ID prefix.`)

- throw new BadRequestException(`Scope name "${input.name}" already exists`)
+ throw new BadRequestException(`The scope name "${input.name}" is already in use. Please choose a different name.`)

- throw new BadRequestException(translatedValuesErrorMsg)
+ throw new BadRequestException(`${translatedValuesErrorMsg}. Please ensure both displayName and description are provided and correctly formatted.`)
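Review bot: The first `+` line states a rule ("Scope names must start with the tenant ID prefix") that is not visible in this hunk; only put it in the message if the validation that throws here actually enforces that rule, otherwise the message misleads the caller. `input.name` is caller-controlled and is interpolated into every message, so make sure the admin UI renders these error strings as text rather than HTML. The third `+` line appends to `translatedValuesErrorMsg`, whose content is built elsewhere; check that the combined message does not end up with a doubled period.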
Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between d92ca8d and 2078ba3.

Files selected for processing (7)
  • libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts (1 hunks)
  • libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts (2 hunks)
  • libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts (1 hunks)
  • libs/portals/admin/ids-admin/src/lib/messages.ts (1 hunks)
  • libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx (1 hunks)
  • libs/portals/admin/ids-admin/src/screens/Client/components/Delegation.tsx (4 hunks)
  • libs/portals/admin/ids-admin/src/screens/Permission/EditPermission.tsx (2 hunks)
Files skipped from review due to trivial changes (2)
  • libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts
  • libs/portals/admin/ids-admin/src/lib/messages.ts
Additional context used
Path-based instructions (5)
libs/portals/admin/ids-admin/src/screens/Permission/EditPermission.tsx (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
libs/portals/admin/ids-admin/src/screens/Client/components/Delegation.tsx (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
Biome
libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts

[error] 37-37: Decorators are not valid here. (parse)

Decorators are only valid on class declarations, class expressions, and class methods.
You can enable parameter decorators by setting the unsafeParameterDecoratorsEnabled option to true in your configuration file.


[error] 39-39: Decorators are not valid here. (parse)

Decorators are only valid on class declarations, class expressions, and class methods.
You can enable parameter decorators by setting the unsafeParameterDecoratorsEnabled option to true in your configuration file.


[error] 41-41: Decorators are not valid here. (parse)

Decorators are only valid on class declarations, class expressions, and class methods.
You can enable parameter decorators by setting the unsafeParameterDecoratorsEnabled option to true in your configuration file.

Additional comments not posted (4)
libs/portals/admin/ids-admin/src/screens/Permission/EditPermission.tsx (1)

22-23: Reordering of components looks good.

Please verify the user interface to ensure that the reordering provides a better user experience as intended.

libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts (1)

Line range hint 1-100: Addition of new properties for delegation and API scopes is well-documented.

Please ensure that these new properties are correctly handled in the backend logic.

libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx (1)

129-129: Conditional rendering of the Delegation component based on the application type is implemented correctly.

Please verify that the conditional rendering functions as expected in different scenarios.

libs/portals/admin/ids-admin/src/screens/Client/components/Delegation.tsx (1)

Line range hint 1-100: Removal of the isSuperAdmin check to democratize access to delegation settings is aligned with the PR objectives.

Please conduct thorough testing to ensure that this change does not introduce any security or business logic issues.


codecov bot commented Jun 11, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.99%. Comparing base (2e6d9ae) to head (d509034).

Current head d509034 differs from pull request most recent head da34fdf

Please upload reports for the commit da34fdf to get more accurate results.

Additional details and impacted files


@@            Coverage Diff             @@
##             main   #15181      +/-   ##
==========================================
- Coverage   37.15%   36.99%   -0.17%     
==========================================
  Files        6475     6418      -57     
  Lines      131847   130936     -911     
  Branches    37691    37490     -201     
==========================================
- Hits        48987    48435     -552     
+ Misses      82860    82501     -359     
Flag Coverage Δ
api 3.44% <ø> (-0.05%) ⬇️
api-domains-auth-admin 54.29% <ø> (ø)
application-system-api 41.97% <ø> (-0.14%) ⬇️
application-template-api-modules 24.25% <ø> (+0.03%) ⬆️
auth-api-lib 9.60% <0.00%> (-4.78%) ⬇️
services-auth-personal-representative 48.70% <100.00%> (+0.15%) ⬆️
services-auth-personal-representative-public 44.48% <100.00%> (+0.02%) ⬆️
services-auth-public-api 50.07% <100.00%> (-0.43%) ⬇️
services-user-notification 47.61% <ø> (-0.60%) ⬇️
services-user-profile 62.20% <ø> (-0.04%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
...rc/lib/clients/admin/dto/admin-patch-client.dto.ts 100.00% <ø> (ø)
...lib/src/lib/resources/admin/admin-scope.service.ts 89.47% <100.00%> (-0.14%) ⬇️
...c/lib/resources/admin/dto/admin-patch-scope.dto.ts 100.00% <100.00%> (ø)

... and 198 files with indirect coverage changes



Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data

datadog-island-is bot commented Jun 11, 2024

Datadog Report

All test runs 3a3ae35 🔗

14 Total Test Services: 0 Failed, 14 Passed
🔻 Test Sessions change in coverage: 4 decreased, 24 no change

Test Services
This report shows up to 10 services
Service Name Failed Known Flaky New Flaky Passed Skipped Total Time Code Coverage Change Test Service View
api 0 0 0 4 0 4.21s 1 no change Link
api-domains-auth-admin 0 0 0 18 0 16.79s 1 no change Link
application-system-api 0 0 0 111 2 2m 57.38s 1 no change Link
application-template-api-modules 0 0 0 109 0 1m 40.96s 1 no change Link
auth-api-lib 0 0 0 19 0 51.04s 1 decreased (-0.02%) Link
portals-admin-ids-admin 0 0 0 2 0 8.86s 1 no change Link
services-auth-admin-api 0 0 0 105 0 3m 28.2s 1 decreased (-0.03%) Link
services-auth-delegation-api 0 0 0 254 0 3m 31.15s 1 no change Link
services-auth-ids-api 0 0 0 215 0 1m 30s 1 no change Link
services-auth-personal-representative 0 0 0 59 0 1m 23.88s 1 decreased (-0.04%) Link

🔻 Code Coverage Decreases vs Default Branch (4)

  • services-auth-personal-representative-public - jest 46.89% (-0.08%) - Details
  • services-auth-personal-representative - jest 51.04% (-0.04%) - Details
  • services-auth-admin-api - jest 51.88% (-0.03%) - Details
  • auth-api-lib - jest 15.93% (-0.02%) - Details


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 2078ba3 and d509034.

Files selected for processing (2)
  • apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts (1 hunks)
  • apps/services/auth/admin-api/src/app/v2/scopes/test/me-scopes.spec.ts (1 hunks)
Files skipped from review due to trivial changes (1)
  • apps/services/auth/admin-api/src/app/v2/scopes/test/me-scopes.spec.ts
Additional context used
Path-based instructions (1)
apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts (2)

Pattern apps/services/**/*: "Confirm that the code adheres to the following:

  • NestJS architecture, including modules, services, and controllers.
  • Dependency injection patterns and service encapsulation.
  • Integration and unit testing coverage and practices."

Pattern apps/**/*: "Confirm that the code adheres to the following:

  • NextJS best practices, including file structure, API routes, and static generation methods.
  • Efficient state management and server-side rendering techniques.
  • Optimal use of TypeScript for component and utility type safety."
Additional comments not posted (4)
apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts (4)

372-372: The test case for creating a client with default values for 'super admin fields' as a normal user is well-implemented.

This test case effectively checks the system's behavior when a normal user tries to create a client with fields typically reserved for super admins. The assertions are correctly checking the expected outcomes.


372-372: The test case for a super user creating a client with correct non-default values is well-implemented.

This test case effectively checks the system's behavior when a super user creates a client with non-default values. The assertions are correctly checking the expected outcomes, ensuring that the system behaves as expected for super users.


372-372: The test case for creating a client with correct delegation types for a super user is well-implemented.

This test case effectively checks the system's behavior when a super user creates a client with specific delegation types. The assertions correctly verify the supported delegation types in the response, ensuring that the system behaves as expected for super users.


372-372: The test case for updating supported delegation types is well-implemented.

This test case effectively checks the system's behavior when supported delegation types are updated. The assertions correctly verify the supported delegation types and related boolean fields in the response, ensuring that the system behaves as expected.
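The test cases described above exercise two different behaviours for "super admin fields": on create, a normal user's values for such fields are replaced with defaults, while on update a normal user supplying one of them is rejected (the removed scope test covered that path; it became moot once the scope list was emptied). The following is an added example, not code from the island.is repository, that shows the server-side shape of that check in TypeScript. The field names `allowedAcr` and `requirePkce` appear on this page but their classification as super-user-only here is an assumption, and `Actor`, `PatchClientInput`, `ForbiddenFieldsError` and the default values are constructed for the example.

```typescript
// Added example (not the project's own code): field-level authorization for a
// PATCH-style client DTO. All names and defaults below are hypothetical.

type Actor = { subject: string; isSuperUser: boolean }

// Fields only a super user may set. For scopes the PR shrinks the equivalent
// list to an empty array; a non-empty list is kept here to show the check.
// Classifying these two fields as super-user-only is an assumption.
const SUPER_USER_FIELDS = ['allowedAcr', 'requirePkce'] as const
type SuperUserField = (typeof SUPER_USER_FIELDS)[number]

export interface PatchClientInput {
  displayName?: string
  supportsProcuringHolders?: boolean // a delegation setting normal users may now edit
  allowedAcr?: string[]
  requirePkce?: boolean
}

// Constructed defaults a normal user gets regardless of what they sent on create.
const DEFAULTS: Required<Pick<PatchClientInput, SuperUserField>> = {
  allowedAcr: ['example-loa-high'],
  requirePkce: true,
}

export class ForbiddenFieldsError extends Error {
  constructor(readonly fields: string[]) {
    super(`Fields require super user: ${fields.join(', ')}`)
  }
}

/** Names of the super-user-only fields actually present in the input. */
export function privilegedFieldsIn(input: PatchClientInput): SuperUserField[] {
  return SUPER_USER_FIELDS.filter((f) => input[f] !== undefined)
}

/** Update path: a normal user who sends any privileged field is rejected outright. */
export function authorizeUpdate(actor: Actor, input: PatchClientInput): PatchClientInput {
  const privileged = privilegedFieldsIn(input)
  if (!actor.isSuperUser && privileged.length > 0) {
    throw new ForbiddenFieldsError(privileged)
  }
  return input
}

/**
 * Create path: privileged fields from a normal user are dropped and replaced
 * with defaults instead of rejected, so the rest of the request still succeeds.
 * A super user's explicit values win over the defaults.
 */
export function applyCreateDefaults(actor: Actor, input: PatchClientInput): PatchClientInput {
  if (actor.isSuperUser) {
    return { ...DEFAULTS, ...input }
  }
  const sanitized: PatchClientInput = { ...input }
  for (const f of SUPER_USER_FIELDS) {
    delete sanitized[f] // silently discard, mirroring the create test above
  }
  return { ...DEFAULTS, ...sanitized }
}
```

The important property is that both decisions are made from `actor` on the server, never from anything the client sends; removing a UI-side `isSuperAdmin` guard, as this PR does for delegation settings, is only safe when the remaining privileged fields are still enforced this way in the service layer.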


@Herdismaria Herdismaria left a comment


💯

@kodiakhq kodiakhq bot merged commit 745bcf1 into main Jun 19, 2024
41 checks passed
@kodiakhq kodiakhq bot deleted the ap-ids-admin-text-fixes branch June 19, 2024 22:01