allow passing null to service scope, do not check domains on secretKey auth

Author: jnsdls

packages/service-utils/src/core/api.ts

@@ -16,14 +16,17 @@ export type PolicyResult = {
 
 export type CoreServiceConfig = {
   apiUrl: string;
-  serviceScope: ServiceName;
+  // if EXPLICTLY set to null, service will not be checked for authorization
+  // this is meant for services that are not possible to be turned off by users, such as "social" and "analytics"
+  serviceScope: ServiceName | null;
   serviceApiKey: string;
   serviceAction?: string;
   useWalletAuth?: boolean;
   includeUsage?: boolean;
 };
 
 export type TeamAndProjectResponse = {
+  authMethod: "secretKey" | "publishableKey" | "jwt" | "teamId";
   team: TeamResponse;
   project?: ProjectResponse | null;
 };
@@ -42,11 +45,11 @@ export type TeamResponse = {
   name: string;
   slug: string;
   image: string | null;
-  billingPlan: string;
+  billingPlan: "free" | "starter" | "growth" | "pro";
   createdAt: Date;
   updatedAt: Date | null;
   billingEmail: string | null;
-  billingStatus: string | null;
+  billingStatus: "noPayment" | "validPayment" | "invalidPayment" | null;
   growthTrialEligible: boolean | null;
   enabledScopes: ServiceName[];
 };

packages/service-utils/src/core/authorize/client.ts

@@ -12,18 +12,25 @@ export function authorizeClient(
   teamAndProjectResponse: TeamAndProjectResponse,
 ): AuthorizationResult {
   const { origin, bundleId } = authOptions;
-  const { team, project } = teamAndProjectResponse;
+  const { team, project, authMethod } = teamAndProjectResponse;
 
   const authResult: AuthorizationResult = {
     authorized: true,
     team,
     project,
+    authMethod,
   };
 
+  // if there's no project, we'll return the authResult (JWT or teamId auth)
   if (!project) {
     return authResult;
   }
 
+  if (authMethod === "secretKey") {
+    // if the auth was done using secreKey, we do not want to enforce domains or bundleIds
+    return authResult;
+  }
+
   // check for public restrictions
   if (project.domains.includes("*")) {
     return authResult;

packages/service-utils/src/core/authorize/index.ts

@@ -148,5 +148,6 @@ export async function authorize(
     authorized: true,
     team: teamAndProjectResponse.team,
     project: teamAndProjectResponse.project,
+    authMethod: clientAuth.authMethod,
   };
 }

packages/service-utils/src/core/authorize/service.ts

@@ -5,7 +5,16 @@ export function authorizeService(
   teamAndProjectResponse: TeamAndProjectResponse,
   serviceConfig: CoreServiceConfig,
 ): AuthorizationResult {
-  const { team, project } = teamAndProjectResponse;
+  const { team, project, authMethod } = teamAndProjectResponse;
+
+  if (serviceConfig.serviceScope === null) {
+    // if explicitly set to null, we do not want to check for service level authorization
+    return {
+      authorized: true,
+      team,
+      authMethod,
+    };
+  }
 
   if (!team.enabledScopes.includes(serviceConfig.serviceScope)) {
     return {
@@ -21,6 +30,7 @@ export function authorizeService(
     return {
       authorized: true,
       team,
+      authMethod,
     };
   }
 
@@ -57,5 +67,6 @@ export function authorizeService(
     authorized: true,
     team,
     project,
+    authMethod,
   };
 }

packages/service-utils/src/mocks.ts

@@ -43,14 +43,15 @@ export const validTeamResponse: TeamResponse = {
   updatedAt: new Date("2024-06-01"),
   billingPlan: "free",
   billingEmail: "test@example.com",
-  billingStatus: "noCustomer",
+  billingStatus: "noPayment",
   growthTrialEligible: false,
   enabledScopes: ["storage", "rpc", "bundler"],
 };
 
 export const validTeamAndProjectResponse: TeamAndProjectResponse = {
   team: validTeamResponse,
   project: validProjectResponse,
+  authMethod: "publishableKey",
 };
 
 export const validServiceConfig: CoreServiceConfig = {