feat: implement update member API

whyphi · Jul 28, 2024 · fe45cfd · fe45cfd
1 parent a7d6416
commit fe45cfd
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/chalicelib/api/members.py b/chalicelib/api/members.py
@@ -13,6 +13,15 @@ def get_member(user_id):
     return member if member else {}
 
 
+@members_api.route("/member/{user_id}", methods=["PUT"], cors=True)
+@auth(members_api, roles=[Roles.MEMBER, Roles.ADMIN])
+def update_member(user_id):
+    data = members_api.current_request.json_body
+    return member_service.update(
+        user_id=user_id, data=data, headers=members_api.current_request.headers
+    )
+
+
 @members_api.route("/members", methods=["GET"], cors=True)
 @auth(members_api, roles=["admin", "member"])
 def get_all_members():

diff --git a/chalicelib/services/MemberService.py b/chalicelib/services/MemberService.py
@@ -1,8 +1,10 @@
 from chalicelib.modules.mongo import mongo_module
-from chalice import ConflictError, NotFoundError
+from chalice import ConflictError, NotFoundError, UnauthorizedError
 
-import json
 from bson import ObjectId
+import json
+import jwt
+import boto3
 
 
 class MemberService:
@@ -82,6 +84,33 @@ def get_all(self):
     def onboard(self, document_id=str, data=dict) -> bool:
         return mongo_module.update_document_by_id(self.collection, document_id, data)
 
+    def update(self, user_id: str, data: dict, headers: dict) -> bool:
+        ssm_client = boto3.client("ssm")
+        auth_header = headers.get("Authorization", None)
+
+        if not auth_header:
+            raise UnauthorizedError("Authorization header is missing.")
+
+        _, token = auth_header.split(" ", 1) if " " in auth_header else (None, None)
+
+        if not token:
+            raise UnauthorizedError("Token is missing.")
+
+        auth_secret = ssm_client.get_parameter(
+            Name="/Zap/AUTH_SECRET", WithDecryption=True
+        )["Parameter"]["Value"]
+        decoded = jwt.decode(token, auth_secret, algorithms=["HS256"])
+
+        if user_id != decoded["_id"]:
+            raise UnauthorizedError(
+                "User {user_id} is not authorized to update this user."
+            )
+
+        # NOTE: Performing an update on the path '_id' would modify the immutable field '_id'
+        data.pop("_id", None)
+
+        return mongo_module.update_document_by_id(self.collection, user_id, data)
+
     def update_roles(self, document_id=str, roles=list) -> bool:
         return mongo_module.update_document(
             self.collection,