fix: look up admin email from DynamoDB instead of unreliable event claims (#30)

Author: kiro-agent[bot]

backend/lib/api-stack.ts

@@ -395,6 +395,7 @@ export class APIStack extends cdk.Stack {
         NAMESPACE: namespace,
         TRAININGS_TABLE_NAME: trainingsTable.tableName,
         VOCABULARY_LISTS_TABLE_NAME: vocabularyListsTable.tableName,
+        USERS_TABLE_NAME: usersTable.tableName,
       },
     };
 
@@ -536,6 +537,7 @@ export class APIStack extends cdk.Stack {
     });
 
     trainingsTable.grantReadWriteData(getTrainingStatisticsFunction);
+    usersTable.grantReadData(getTrainingStatisticsFunction);
 
     const getTrainingStatisticsDataSource = api.addLambdaDataSource(
       'GetTrainingStatisticsDataSource',
@@ -555,6 +557,7 @@ export class APIStack extends cdk.Stack {
     });
 
     trainingsTable.grantReadWriteData(getTrainingDayStatisticsFunction);
+    usersTable.grantReadData(getTrainingDayStatisticsFunction);
 
     const getTrainingDayStatisticsDataSource = api.addLambdaDataSource(
       'GetTrainingDayStatisticsDataSource',
@@ -574,6 +577,7 @@ export class APIStack extends cdk.Stack {
     });
 
     trainingsTable.grantReadWriteData(getTrainingOverviewStatisticsFunction);
+    usersTable.grantReadData(getTrainingOverviewStatisticsFunction);
 
     const getTrainingOverviewStatisticsDataSource = api.addLambdaDataSource(
       'GetTrainingOverviewStatisticsDataSource',

backend/src/gql-lambda-functions/Query.getTrainingDayStatistics.ts

@@ -1,4 +1,5 @@
 import { TrainingService } from '../services/training-service';
+import { UserRepository } from '../repositories/user-repository';
 
 const ADMIN_EMAILS = ['johannes.koch@gmail.com', 'lockhead+joe1@lockhead.info'];
 
@@ -15,15 +16,11 @@ interface Event {
   };
   identity: {
     sub: string;
-    claims?: {
-      email?: string;
-    };
   };
 }
 
 export const handler = async (event: Event) => {
   const callerUserId = event.identity?.sub;
-  const callerEmail = event.identity?.claims?.email;
   const { date, userId: targetUserId } = event.arguments;
 
   if (!callerUserId) {
@@ -36,6 +33,9 @@ export const handler = async (event: Event) => {
 
   let effectiveUserId = callerUserId;
   if (targetUserId) {
+    const userRepo = UserRepository.getInstance();
+    const callerUser = await userRepo.getById(callerUserId);
+    const callerEmail = callerUser?.email;
     if (!callerEmail || !ADMIN_EMAILS.includes(callerEmail)) {
       return {
         success: false,

backend/src/gql-lambda-functions/Query.getTrainingOverviewStatistics.ts

@@ -1,4 +1,5 @@
 import { TrainingService } from '../services/training-service';
+import { UserRepository } from '../repositories/user-repository';
 
 const ADMIN_EMAILS = ['johannes.koch@gmail.com', 'lockhead+joe1@lockhead.info'];
 
@@ -16,15 +17,11 @@ interface Event {
   };
   identity: {
     sub: string;
-    claims?: {
-      email?: string;
-    };
   };
 }
 
 export const handler = async (event: Event) => {
   const callerUserId = event.identity?.sub;
-  const callerEmail = event.identity?.claims?.email;
   const { fromDate, toDate, userId: targetUserId } = event.arguments;
 
   if (!callerUserId) {
@@ -37,6 +34,9 @@ export const handler = async (event: Event) => {
 
   let effectiveUserId = callerUserId;
   if (targetUserId) {
+    const userRepo = UserRepository.getInstance();
+    const callerUser = await userRepo.getById(callerUserId);
+    const callerEmail = callerUser?.email;
     if (!callerEmail || !ADMIN_EMAILS.includes(callerEmail)) {
       return {
         success: false,

backend/src/gql-lambda-functions/Query.getTrainingStatistics.ts

@@ -1,4 +1,5 @@
 import { TrainingService } from '../services/training-service';
+import { UserRepository } from '../repositories/user-repository';
 
 const ADMIN_EMAILS = ['johannes.koch@gmail.com', 'lockhead+joe1@lockhead.info'];
 
@@ -15,15 +16,11 @@ interface Event {
   };
   identity: {
     sub: string;
-    claims?: {
-      email?: string;
-    };
   };
 }
 
 export const handler = async (event: Event) => {
   const callerUserId = event.identity?.sub;
-  const callerEmail = event.identity?.claims?.email;
   const { trainingId, userId: targetUserId } = event.arguments;
 
   if (!callerUserId) {
@@ -37,6 +34,9 @@ export const handler = async (event: Event) => {
   // If a targetUserId is provided, only admins may use it
   let effectiveUserId = callerUserId;
   if (targetUserId) {
+    const userRepo = UserRepository.getInstance();
+    const callerUser = await userRepo.getById(callerUserId);
+    const callerEmail = callerUser?.email;
     if (!callerEmail || !ADMIN_EMAILS.includes(callerEmail)) {
       return {
         success: false,

backend/test/admin-authorization.test.ts

@@ -0,0 +1,244 @@
+import { describe, test, expect, beforeEach } from 'vitest';
+import { mockClient } from 'aws-sdk-client-mock';
+import { DynamoDBDocumentClient, GetCommand, QueryCommand } from '@aws-sdk/lib-dynamodb';
+import { handler as getTrainingStatisticsHandler } from '../src/gql-lambda-functions/Query.getTrainingStatistics';
+import { handler as getTrainingOverviewStatisticsHandler } from '../src/gql-lambda-functions/Query.getTrainingOverviewStatistics';
+import { handler as getTrainingDayStatisticsHandler } from '../src/gql-lambda-functions/Query.getTrainingDayStatistics';
+
+const ddbMock = mockClient(DynamoDBDocumentClient);
+
+const USERS_TABLE = 'train-with-joe-users-sandbox';
+const TRAININGS_TABLE = 'train-with-joe-trainings-sandbox';
+
+const ADMIN_EMAIL = 'johannes.koch@gmail.com';
+const NON_ADMIN_EMAIL = 'regular-user@example.com';
+
+const makeUser = (id: string, email: string) => ({
+  id,
+  email,
+  createdAt: '2024-01-01T00:00:00.000Z',
+  updatedAt: '2024-01-01T00:00:00.000Z',
+});
+
+describe('Admin Authorization', () => {
+  beforeEach(() => {
+    ddbMock.reset();
+  });
+
+  describe('Query.getTrainingStatistics', () => {
+    test('should return authentication error when no identity.sub', async () => {
+      const result = await getTrainingStatisticsHandler({
+        arguments: { trainingId: 'training-1' },
+        identity: { sub: '' },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe('Authentication required');
+    });
+
+    test('should deny non-admin user from viewing other user statistics', async () => {
+      const callerId = 'caller-123';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return { Item: makeUser(callerId, NON_ADMIN_EMAIL) };
+        }
+        return {};
+      });
+
+      const result = await getTrainingStatisticsHandler({
+        arguments: { trainingId: 'training-1', userId: 'other-user-456' },
+        identity: { sub: callerId },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe("Not authorized to view other users' statistics");
+    });
+
+    test('should deny when caller user not found in DynamoDB', async () => {
+      const callerId = 'non-existent-user';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return {};
+        }
+        return {};
+      });
+
+      const result = await getTrainingStatisticsHandler({
+        arguments: { trainingId: 'training-1', userId: 'other-user-456' },
+        identity: { sub: callerId },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe("Not authorized to view other users' statistics");
+    });
+
+    test('should allow admin user to view other user statistics', async () => {
+      const callerId = 'admin-123';
+      const targetUserId = 'target-456';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return { Item: makeUser(callerId, ADMIN_EMAIL) };
+        }
+        if (input.TableName === TRAININGS_TABLE) {
+          return {};
+        }
+        return {};
+      });
+
+      ddbMock.on(QueryCommand).resolves({ Items: [] });
+
+      const result = await getTrainingStatisticsHandler({
+        arguments: { trainingId: 'training-1', userId: targetUserId },
+        identity: { sub: callerId },
+      } as any);
+
+      // Should not return the authorization error
+      expect(result.error).not.toBe("Not authorized to view other users' statistics");
+    });
+  });
+
+  describe('Query.getTrainingOverviewStatistics', () => {
+    test('should return authentication error when no identity.sub', async () => {
+      const result = await getTrainingOverviewStatisticsHandler({
+        arguments: { fromDate: '2024-01-01', toDate: '2024-01-31' },
+        identity: { sub: '' },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe('Authentication required');
+    });
+
+    test('should deny non-admin user from viewing other user statistics', async () => {
+      const callerId = 'caller-123';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return { Item: makeUser(callerId, NON_ADMIN_EMAIL) };
+        }
+        return {};
+      });
+
+      const result = await getTrainingOverviewStatisticsHandler({
+        arguments: { fromDate: '2024-01-01', toDate: '2024-01-31', userId: 'other-user-456' },
+        identity: { sub: callerId },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe("Not authorized to view other users' statistics");
+    });
+
+    test('should deny when caller user not found in DynamoDB', async () => {
+      const callerId = 'non-existent-user';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return {};
+        }
+        return {};
+      });
+
+      const result = await getTrainingOverviewStatisticsHandler({
+        arguments: { fromDate: '2024-01-01', toDate: '2024-01-31', userId: 'other-user-456' },
+        identity: { sub: callerId },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe("Not authorized to view other users' statistics");
+    });
+
+    test('should allow admin user to view other user statistics', async () => {
+      const callerId = 'admin-123';
+      const targetUserId = 'target-456';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return { Item: makeUser(callerId, ADMIN_EMAIL) };
+        }
+        return {};
+      });
+
+      ddbMock.on(QueryCommand).resolves({ Items: [] });
+
+      const result = await getTrainingOverviewStatisticsHandler({
+        arguments: { fromDate: '2024-01-01', toDate: '2024-01-31', userId: targetUserId },
+        identity: { sub: callerId },
+      } as any);
+
+      expect(result.error).not.toBe("Not authorized to view other users' statistics");
+    });
+  });
+
+  describe('Query.getTrainingDayStatistics', () => {
+    test('should return authentication error when no identity.sub', async () => {
+      const result = await getTrainingDayStatisticsHandler({
+        arguments: { date: '2024-01-15' },
+        identity: { sub: '' },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe('Authentication required');
+    });
+
+    test('should deny non-admin user from viewing other user statistics', async () => {
+      const callerId = 'caller-123';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return { Item: makeUser(callerId, NON_ADMIN_EMAIL) };
+        }
+        return {};
+      });
+
+      const result = await getTrainingDayStatisticsHandler({
+        arguments: { date: '2024-01-15', userId: 'other-user-456' },
+        identity: { sub: callerId },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe("Not authorized to view other users' statistics");
+    });
+
+    test('should deny when caller user not found in DynamoDB', async () => {
+      const callerId = 'non-existent-user';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return {};
+        }
+        return {};
+      });
+
+      const result = await getTrainingDayStatisticsHandler({
+        arguments: { date: '2024-01-15', userId: 'other-user-456' },
+        identity: { sub: callerId },
+      } as any);
+
+      expect(result.success).toBe(false);
+      expect(result.error).toBe("Not authorized to view other users' statistics");
+    });
+
+    test('should allow admin user to view other user statistics', async () => {
+      const callerId = 'admin-123';
+      const targetUserId = 'target-456';
+
+      ddbMock.on(GetCommand).callsFake((input) => {
+        if (input.TableName === USERS_TABLE) {
+          return { Item: makeUser(callerId, ADMIN_EMAIL) };
+        }
+        return {};
+      });
+
+      ddbMock.on(QueryCommand).resolves({ Items: [] });
+
+      const result = await getTrainingDayStatisticsHandler({
+        arguments: { date: '2024-01-15', userId: targetUserId },
+        identity: { sub: callerId },
+      } as any);
+
+      expect(result.error).not.toBe("Not authorized to view other users' statistics");
+    });
+  });
+});