10 | 10 | - [**Prerequisites**](#prerequisites) |
11 | 11 | - [**Setting up Environment**](#setting-up-environment) |
12 | 12 | - [**Deploying Locally**](#deploying-locally) |
13 | | - - [**Verifying through Postman Collections**](#verifying-through-postman-collections) |
14 | | - - [**Environment Configuration**](#environment-configuration) |
| 13 | +- [**Verifying through Postman Collections**](#verifying-through-postman-collections) |
| 14 | +- [**Environment Configuration**](#environment-configuration) |
| 15 | + - [**Downstream Usage**](#downstream-usage) |
| 16 | + - [**Auth0 Integration**](#auth0-integration) |
15 | 17 |
16 | 18 | **Prerequisites** |
17 | 19 | --------------- |
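Review bot: the new TOC entries nest "Downstream Usage" and "Auth0 Integration" one level under "Environment Configuration" (the two `+ - [**…**]` lines), but the sections added later in this patch use the same setext-style heading (`**Downstream Usage**` followed by a dash underline) as "Environment Configuration" itself, so they are sibling headings, not children. Either dedent the two entries to the same level as the other top-level items, or, if the nesting is intended, say so; otherwise readers will look for them inside the environment table. The dedent of the existing "Verifying through Postman Collections" and "Environment Configuration" entries (the `- - ` to `- ` change) looks correct for the same reason.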
@@ -125,3 +127,56 @@ The following table summarizes the environment variables used by the application |
125 | 127 | | `LOG_LEVEL` | Logging level (e.g., `debug`, `info`, `warn`, `error`) | `info` | |
126 | 128 | | `JWT_SECRET` | Secret key for signing/verifying internal JWTs (e.g., 2FA, one-time tokens). | `just-a-random-string` (example) | |
127 | 129 | | `LEGACY_BLOWFISH_KEY` | Base64 encoded Blowfish key for legacy password encryption/decryption. | `dGhpc2lzRGVmYXVmZlZhbHVl` (example) | |
| 130 | + |
| 131 | + |
| 132 | +**Downstream Usage** |
| 133 | +-------------------- |
| 134 | + |
| 135 | +- This service is consumed by multiple Topcoder apps, as well as Auth0. Below is a quick map of where and how it’s called to help with debugging and local development. |
| 136 | + |
| 137 | +**platform-ui** |
| 138 | + |
| 139 | +- Local dev proxy forwards Identity routes to this service: |
| 140 | + - See `platform-ui/src/config/environments/local.env.ts` (proxies for `/v6/users`, `/v6/roles`, `/v6/user-roles`, `/v6/identityproviders`). |
| 141 | +- Admin users and roles management use the following endpoints: |
| 142 | + - Search/list users: `GET /v6/users?fields=...&filter=...&limit=...` — `platform-ui/src/apps/admin/src/lib/services/user.service.ts`. |
| 143 | + - Get user by id: `GET /v6/users/{id}` — `platform-ui/src/apps/admin/src/lib/services/user.service.ts`. |
| 144 | + - Update email: `PATCH /v6/users/{id}/email` — `platform-ui/src/apps/admin/src/lib/services/user.service.ts`. |
| 145 | + - Update status: `PATCH /v6/users/{id}/status?comment=...` — `platform-ui/src/apps/admin/src/lib/services/user.service.ts`. |
| 146 | + - Fetch achievements: `GET /v6/users/{id}/achievements` — `platform-ui/src/apps/admin/src/lib/services/user.service.ts`. |
| 147 | + - Manage SSO user logins: `GET/POST/PUT/DELETE /v6/users/{id}/SSOUserLogin(s)` — `platform-ui/src/apps/admin/src/lib/services/user.service.ts`. |
| 148 | + - Fetch identity providers (SSO): `GET /v6/identityproviders/sso-providers` — `platform-ui/src/apps/admin/src/lib/services/identity-provider.service.ts`. |
| 149 | + - Roles catalog and assignments: |
| 150 | + - List roles: `GET /v6/roles` — `platform-ui/src/apps/admin/src/lib/services/roles.service.ts`. |
| 151 | + - Subject roles: `GET /v6/roles?filter=subjectID={userId}` — `platform-ui/src/apps/admin/src/lib/services/roles.service.ts`. |
| 152 | + - Assign role: `PATCH /v6/user-roles/{userId}` — `platform-ui/src/apps/admin/src/lib/services/roles.service.ts`. |
| 153 | + - Remove role: `DELETE /v6/user-roles/{userId}/{roleId}` — `platform-ui/src/apps/admin/src/lib/services/roles.service.ts`. |
| 154 | + - Manage role members: `GET /v6/roles/{roleId}/subjects[?page&perPage&userId&userHandle&email]` — `platform-ui/src/apps/admin/src/lib/services/roles.service.ts`. |
| 155 | +- User password changes from the profile context use: `PATCH /v6/users/{id}` (credential payload) — `platform-ui/src/libs/core/lib/auth/user-functions/user-xhr.store.ts` and `platform-ui/src/libs/core/lib/auth/user-functions/user-endpoint.config.ts`. |
| 156 | + |
| 157 | +**community-app** |
| 158 | + |
| 159 | +- Community App does not call Identity API endpoints directly. It authenticates via the Accounts app/Auth0 and consumes roles embedded in the JWT to gate features. |
| 160 | + - Token acquisition and decoding: `community-app/src/client/index.jsx`. |
| 161 | + - Various parts of the app read roles from the decoded token (e.g., reviewer checks): `community-app/src/shared/containers/ReviewOpportunityDetails.jsx`. |
| 162 | + |
| 163 | +**work-manager** |
| 164 | + |
| 165 | +- Work Manager does not call Identity API endpoints directly. It relies on JWT roles to authorize actions (admin/manager/copilot/read-only checks). |
| 166 | + - Role checks based on decoded token claims: `work-manager/src/util/tc.js`. |
| 167 | + - Token wiring and axios auth header: `work-manager/src/services/axiosWithAuth.js`. |
| 168 | + |
| 169 | +Swagger: when running locally, the Identity API docs are available at `http://localhost:3000/v6/users/api-docs`. |
| 170 | + |
| 171 | + |
| 172 | +**Auth0 Integration** |
| 173 | +--------------------- |
| 174 | + |
| 175 | +- Auth0 uses Identity API for critical authentication flows via Actions |
| 176 | + - Validate username/email + password during login: `POST /v6/users/login` (form data). |
| 177 | + - Fetch user profile and roles to embed into tokens: `POST /v6/users/roles` (form data). |
| 178 | + - Registration flow: create users via `POST /v6/users`, then activate with `PUT /v6/users/activate`; resend activation via `POST /v6/users/resendActivationEmail`. |
| 179 | + |
| 180 | +Notes: |
| 181 | +- Endpoints above are intentionally callable by Auth0 without a bearer token and are documented in the code (`identity-api-v6/src/api/user/user.controller.ts`). These endpoints are restricted to only Auth0 IP addresses |
| 182 | +- Roles added to JWTs are then consumed by apps like Work Manager and Community App to gate features, as well as all services, to validate user access to specific functionality. |
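Review bot: the sentence "These endpoints are restricted to only Auth0 IP addresses" (line 181 of the new text) is the one statement in this section a reviewer or operator has to be able to verify, and the documentation does not say where that allowlist lives. The environment table this hunk extends (lines 127 to 129: `LOG_LEVEL`, `JWT_SECRET`, `LEGACY_BLOWFISH_KEY`) has no variable for allowed source addresses, so please add the configuration key or point to the file that enforces the check, and state whether the source address is taken from the socket or from a forwarded header set by the load balancer, since the restriction only holds when the trusted-proxy setup is also correct. The sentence is also missing its terminal period, as is "via Actions" on line 175. Smaller documentation points: `GET/POST/PUT/DELETE /v6/users/{id}/SSOUserLogin(s)` on line 147 should list the exact paths rather than the `(s)` shorthand, because a reader cannot tell which verbs go with the singular and plural forms; and the "platform-ui" sections would be easier to scan if the repeated `platform-ui/src/apps/admin/src/lib/services/user.service.ts` reference were stated once above the list it applies to.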