Context
We need to lock down the reviewer routes based on user role, e.g. reviewer, super-reviewer.
Changes proposed in this pull request
We wrap our reviewer functions in a roleChecker function which extracts the user's claims from the request context and returns 401 responses if the roles don't match. We also add the base COGNITO_USER_POOL authorizer around the reviewer routes so that only users within the user pool can access the routes.
Guidance to review
Get user tokens for different roles and try hitting the results/next endpoint. NOTE: if running offline the Cognito authorizer doesn't run. This means no claims are passed in to the event, so our role checker is not applied. This should be tested against the dev API.
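As an added example (not the PR's own code), a roleChecker wrapper of the kind described, written for a Node.js Lambda behind API Gateway. It assumes roles arrive in the cognito:groups claim that a COGNITO_USER_POOLS authorizer places in event.requestContext.authorizer.claims, and it treats missing claims (the offline case noted above) as a denial rather than a pass-through.

```javascript
// Added example, not the PR's code. Assumptions: Node.js Lambda behind API Gateway,
// roles carried in the "cognito:groups" claim, which API Gateway passes as a
// comma-separated string; the route handler names below are hypothetical.

// Pull the role list out of the authorizer claims. Returns [] when no claims
// are present so that a missing authorizer (e.g. serverless-offline) fails
// closed instead of silently skipping the check.
function extractRoles(event) {
  const rc = event && event.requestContext;
  const claims = rc && rc.authorizer && rc.authorizer.claims;
  if (!claims || typeof claims['cognito:groups'] !== 'string') return [];
  return claims['cognito:groups'].split(',').map((r) => r.trim()).filter(Boolean);
}

// True only when the caller holds at least one of the allowed roles.
function hasRequiredRole(event, allowedRoles) {
  const allowed = new Set(allowedRoles);
  return extractRoles(event).some((r) => allowed.has(r));
}

// Wrap a handler so it only runs for callers with an allowed role.
// The PR returns 401 on a role mismatch; the same status is used here.
function roleChecker(allowedRoles, handler) {
  return async (event, context) => {
    if (!hasRequiredRole(event, allowedRoles)) {
      return { statusCode: 401, body: JSON.stringify({ message: 'Unauthorized' }) };
    }
    return handler(event, context);
  };
}

// Hypothetical reviewer handler for the results/next route.
async function nextResult() {
  return { statusCode: 200, body: JSON.stringify({ next: 'result-1' }) };
}

const nextResultHandler = roleChecker(['reviewer', 'super-reviewer'], nextResult);

// Constructed events mimicking what API Gateway injects after the authorizer runs.
function eventWithGroups(groups) {
  return { requestContext: { authorizer: { claims: { 'cognito:groups': groups } } } };
}
// Constructed event for the offline case: no authorizer ran, so no claims.
const offlineEvent = { requestContext: {} };
```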
Link to Jira task
https://bluesquirrel.atlassian.net/browse/LDAT-253