From 06d11fc1bb638b28d0e54d7ed34bc9bb8d815577 Mon Sep 17 00:00:00 2001
From: Courtney Myers
Date: Wed, 27 Nov 2024 15:51:03 -0500
Subject: [PATCH] Add checkUserData utility function to check if user is an admin or helpdesk user and if they have no BAP combo keys, and use it in the empty BAP combo keys conditional in BAP /submissions endpoint to return an empty array instead of a 401 Unauthorized response for admin or helpdesk users

---
 app/server/app/routes/bap.js | 17 +++++++++------
 app/server/app/utilities/user.js | 37 ++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 6 deletions(-)
 create mode 100644 app/server/app/utilities/user.js

diff --git a/app/server/app/routes/bap.js b/app/server/app/routes/bap.js
index 14873d70..3b336f07 100644
--- a/app/server/app/routes/bap.js
+++ b/app/server/app/routes/bap.js
@@ -6,6 +6,7 @@ const {
 getSamEntities,
 getBapFormSubmissionsStatuses,
 } = require("../utilities/bap");
+const { checkUserData } = require("../utilities/user");
 const log = require("../utilities/logger");
 
 const router = express.Router();
@@ -26,10 +27,9 @@ router.use(ensureAuthenticated);
 
 // --- get user's SAM.gov data from the BAP
 router.get("/sam", (req, res) => {
- const { mail, memberof } = req.user;
- const userRoles = memberof.split(",");
- const adminOrHelpdeskUser =
- userRoles.includes("csb_admin") || userRoles.includes("csb_helpdesk");
+ const { mail } = req.user;
+
+ const { adminOrHelpdeskUser } = checkUserData({ req });
 
 if (!mail) {
 const logMessage = `User with no email address attempted to fetch SAM.gov records.`;
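Review bot: The new `checkUserData({ req })` call in the `/sam` handler reads `req.bapComboKeys` inside the helper, but this route is registered without the `storeBapComboKeys` middleware that `/submissions` uses, so unless that middleware is applied earlier through `router.use`, `bapComboKeys` is undefined here and the helper's `noBapComboKeys` result carries no meaning for this route. Only `adminOrHelpdeskUser` is destructured today, so nothing breaks, but a comment on the call would stop a later maintainer from trusting the second field: `// only the role flag is meaningful here: /sam does not run storeBapComboKeys`. The `/sam` handler body continues past the end of this hunk.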
@@ -76,10 +76,15 @@ router.get("/sam", (req, res) => {
 
 // --- get user's form submissions statuses from the BAP
 router.get("/submissions", storeBapComboKeys, (req, res) => {
- const { bapComboKeys } = req;
 const { mail } = req.user;
 
- if (bapComboKeys.length === 0) {
+ const { adminOrHelpdeskUser, noBapComboKeys } = checkUserData({ req });
+
+ if (noBapComboKeys) {
+ if (adminOrHelpdeskUser) {
+ return res.json([]);
+ }
+
 const logMessage =
 `User with email '${mail}' attempted to fetch form submissions ` +
 `from the BAP without any SAM.gov combo keys.`;
diff --git a/app/server/app/utilities/user.js b/app/server/app/utilities/user.js
new file mode 100644
index 00000000..0b7b0ece
--- /dev/null
+++ b/app/server/app/utilities/user.js
@@ -0,0 +1,37 @@
+const express = require("express");
+
+/**
+ * @typedef {Object} User
+ * @property {string} mail
+ * @property {string} memberof
+ * @property {string} nameID
+ * @property {string} nameIDFormat
+ * @property {string} spNameQualifier
+ * @property {string} sessionIndex
+ * @property {number} iat
+ * @property {number} exp
+ */
+
+/**
+ * Determines if the user is an admin or helpdesk user and if they have any BAP
+ * combo keys.
+ *
+ * @param {Object} param
+ * @param {express.Request} param.req
+ */
+function checkUserData({ req }) {
+ /** @type {{ bapComboKeys: string[]; user: User }} */
+ const { bapComboKeys, user } = req;
+
+ const userRoles = user.memberof.split(",");
+ const adminOrHelpdeskUser =
+ userRoles.includes("csb_admin") || userRoles.includes("csb_helpdesk");
+
+ const noBapComboKeys = bapComboKeys?.length === 0;
+
+ return { adminOrHelpdeskUser, noBapComboKeys };
+}
+
+module.exports = {
+ checkUserData,
+};
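Review bot: The new `if (noBapComboKeys)` guard in `/submissions` only fires when `req.bapComboKeys` is an empty array, because `checkUserData` computes the flag as `bapComboKeys?.length === 0`; if `storeBapComboKeys` ever leaves `req.bapComboKeys` unset, or sets it to something that is not an array, the flag is `false`, the 401 path is skipped and the handler continues below the hunk with no combo keys at all, whereas the removed `bapComboKeys.length === 0` at least threw on undefined. An authorization-relevant check like this should fail closed when its input is missing; in user.js I would write `const noBapComboKeys = !Array.isArray(bapComboKeys) || bapComboKeys.length === 0;`. The same point applies to the user.js hunk that defines the line, and the `/submissions` handler continues past the end of this hunk.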
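Review bot: `const express = require("express");` at the top of user.js exists only so the JSDoc can name `express.Request`; the JSDoc import form `@param {import("express").Request} param.req` gives editors the same type without a runtime require in a pure utility module. Separately, `user.memberof.split(",")` throws a TypeError, and therefore a 500 from both routes, if the session user lacks `memberof`; whether the identity provider guarantees that attribute is not visible here, but `const userRoles = (user.memberof ?? "").split(",");` would make a missing attribute resolve to a non-admin user rather than a crash while keeping the exact-match role comparison unchanged.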