Challenge Overview
Attention! This is a fast challenge! All phases are shorter than usual. Make sure you don’t miss any deadline.
Challenge Objectives
- Secure the provided API to only allow calling the endpoints using an M2M token.
Tech Stack
- Node.js
- ElasticSearch
- DynamoDB
- Informix
- Docker
Code Access
Repo: https://github.com/topcoder-platform/legacy-challenge-migration-script
Branch: develop
Detailed Requirements
As part of this simple challenge, you need to secure the following endpoints of the provided API:
- POST /challenge-migration/sync - only allow M2M tokens with the scopes all/write:challenges
- POST /challenge-migration - only allow M2M tokens with the scopes all/write:challenges
- PUT /challenge-migration - only allow M2M tokens with the scopes all/write:challenges
- DELETE /challenge-migration/:uuid - only allow M2M tokens with the scopes all/delete:challenges
Every other endpoint can remain public.
To keep things a bit more organized, you need to refactor the code to dynamically load routes from a routes.js file, similar to how other APIs do it (e.g. https://github.com/topcoder-platform/challenge-api/blob/develop/src/routes.js).
You need to use the jwtAuthenticator middleware from the tc-core-library-js (appirio-tech/tc-core-library-js.git#v2.6.4) library to validate and decode the token from the authorization header.
When calling a secured endpoint with an invalid/missing token or with a valid M2M token that does not have the required scopes, the API should throw the appropriate error response with the correct status code.
For example, with an invalid/missing token, it’s expected to get 401 Unauthorized while with a valid token that’s missing the required scopes, it’s expected to get 403 Forbidden (along with a descriptive error message).
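The following is an added illustration of the two requirements above (a routes.js-style table that is loaded dynamically, and the 401 versus 403 distinction); it is not code from the migration script repository or from tc-core-library-js. Express and the library's jwtAuthenticator are replaced by small stand-ins so the file runs offline, the shape of `req.authUser.scopes` is an assumption about what the real authenticator attaches to the request, "all/write:challenges" is read as "either all:challenges or write:challenges", and the controller names and the public GET route are hypothetical placeholders.

```javascript
// Added example: routes.js-style table plus the auth/scope chain that yields
// 401 (bad or missing token) and 403 (valid token, missing scope).
// Assumptions: the authenticator sets req.authUser = { scopes: [...] };
// controller/method names and the public GET route are hypothetical.

const SCOPES = { ALL: 'all:challenges', WRITE: 'write:challenges', DELETE: 'delete:challenges' }

// Route table: `auth: 'jwt'` marks a protected route, `scopes` lists the
// scopes any one of which satisfies it. Routes without `auth` stay public.
const routes = {
  '/challenge-migration/sync': {
    post: { controller: 'syncController', method: 'sync', auth: 'jwt', scopes: [SCOPES.ALL, SCOPES.WRITE] }
  },
  '/challenge-migration': {
    get: { controller: 'migrationController', method: 'getStatus' }, // hypothetical public route
    post: { controller: 'migrationController', method: 'migrate', auth: 'jwt', scopes: [SCOPES.ALL, SCOPES.WRITE] },
    put: { controller: 'migrationController', method: 'retry', auth: 'jwt', scopes: [SCOPES.ALL, SCOPES.WRITE] }
  },
  '/challenge-migration/:uuid': {
    delete: { controller: 'migrationController', method: 'remove', auth: 'jwt', scopes: [SCOPES.ALL, SCOPES.DELETE] }
  }
}

// Constructed token table standing in for JWT verification: only tokens listed
// here count as valid. The real middleware verifies signature and issuer instead.
const TOKENS = {
  'm2m-writer': { scopes: ['write:challenges'] },
  'm2m-reader': { scopes: ['read:challenges'] }
}

// Stand-in for jwtAuthenticator: 401 when no valid Bearer token is present.
function fakeJwtAuthenticator () {
  return (req, res, next) => {
    const [scheme, token] = (req.headers.authorization || '').split(' ')
    const user = scheme === 'Bearer' ? TOKENS[token] : undefined
    if (!user) return res.status(401).json({ message: 'No valid token provided.' })
    req.authUser = user
    next()
  }
}

// Scope check: runs after authentication, so a failure here is 403, not 401.
function checkScopes (required) {
  return (req, res, next) => {
    const granted = (req.authUser && req.authUser.scopes) || []
    if (!required.some(s => granted.includes(s))) {
      return res.status(403).json({ message: `Missing required scope: one of ${required.join(', ')}` })
    }
    next()
  }
}

// Build the handler chain for one route definition; the final handler stands
// in for the controller method and just reports which one would have run.
function buildHandlerChain (def) {
  const chain = []
  if (def.auth === 'jwt') {
    chain.push(fakeJwtAuthenticator())
    if (def.scopes) chain.push(checkScopes(def.scopes))
  }
  chain.push((req, res) => res.status(200).json({ controller: def.controller, method: def.method }))
  return chain
}

// Dynamic loader: registers every (path, verb) pair from the table on `app`.
function loadRoutes (table, app) {
  for (const [path, verbs] of Object.entries(table)) {
    for (const [verb, def] of Object.entries(verbs)) app[verb](path, ...buildHandlerChain(def))
  }
}

// Minimal in-memory stand-in for an Express app: exact-path matching only.
function createFakeApp () {
  const registered = []
  const app = {}
  for (const verb of ['get', 'post', 'put', 'delete']) {
    app[verb] = (path, ...handlers) => registered.push({ verb, path, handlers })
  }
  app.dispatch = (verb, path, headers = {}) => {
    const route = registered.find(r => r.verb === verb && r.path === path)
    if (!route) return { status: 404, body: { message: 'Not found' } }
    const req = { headers }
    let result
    const res = {
      status (code) { result = { status: code }; return this },
      json (body) { result.body = body; return this }
    }
    let i = 0
    const next = () => { const h = route.handlers[i++]; if (h) h(req, res, next) }
    next()
    return result
  }
  return app
}

const app = createFakeApp()
loadRoutes(routes, app)

// Helper used below and by the tests: call a route with an optional token.
function call (verb, path, token) {
  return app.dispatch(verb, path, token ? { authorization: `Bearer ${token}` } : {})
}

console.log(call('post', '/challenge-migration').status)                  // 401
console.log(call('post', '/challenge-migration', 'm2m-reader').status)    // 403
console.log(call('post', '/challenge-migration', 'm2m-writer').status)    // 200
```

Swapping in the real library means replacing `fakeJwtAuthenticator` with the configured jwtAuthenticator from tc-core-library-js and `createFakeApp` with the Express app; the ordering (authenticate first, then check scopes, then the controller) is what produces the 401/403 split the requirements ask for.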
What to submit
Submit a git patch for the latest commit in the develop branch. Make sure to mention the commit you used so we don’t face any issues while applying your patch file.