feat: email address privacy (#971)

src/api/accounts/GetAccount.ts

@@ -13,6 +13,7 @@ export const GetAccountSchema: ValidateParams = {
 export const GetAccount = (accountController: AccountController) => async (ctx: any, next: any): Promise<any> => {
   const logger = ctx.logger(__dirname)
   const { issuer } = ctx.params
+  const { user } = ctx.state
 
   logger.info({ issuer }, 'GetAccount')
 
@@ -21,6 +22,19 @@ export const GetAccount = (accountController: AccountController) => async (ctx:
   if (!response)
     throw new AccountNotFound()
 
-  const { id, email, createdAt, name, bio, ethereumAddress, poeAddress, poeAddressVerified } = response
-  ctx.body = { id, email, createdAt, name, bio, ethereumAddress, poeAddress, poeAddressVerified }
+  const { id, email, emailPublic, createdAt, name, bio, ethereumAddress, poeAddress, poeAddressVerified } = response
+
+  const isAccountOwner = user && user.issuer === issuer
+  const alwaysPublicFields = { id, createdAt, name, bio, ethereumAddress, poeAddressVerified }
+  const alwaysPrivateFields = { poeAddress }
+
+  ctx.body = {
+    ...alwaysPublicFields,
+    ...(isAccountOwner ? {
+      ...alwaysPrivateFields,
+      email,
+    } : {
+      ...(emailPublic && { email }),
+    }),
+  }
 }

src/api/accounts/PatchAccount.test.ts

@@ -8,6 +8,7 @@ import { isPoeAddressVerified } from './PatchAccount'
 const account: Account = {
   issuer: '',
   email: '',
+  emailPublic: false,
   password: '',
   verified: true,
   privateKey: '',

src/api/accounts/PatchAccount.ts

@@ -12,6 +12,7 @@ export const PatchAccountSchema: ValidateParams = {
   }),
   body: () => ({
     email: Joi.string().optional(),
+    emailPublic: Joi.boolean().optional(),
     name: Joi.string().allow('').optional(),
     bio: Joi.string().allow('').optional(),
     ethereumAddress: Joi.string().allow('').optional(),

src/api/routes.ts

@@ -3,6 +3,7 @@ import * as KoaRouter from 'koa-router'
 import { AccountController } from '../controllers/AccountController'
 import { ArchiveController } from '../controllers/ArchiveController'
 
+import { Authentication } from '../middlewares/authentication'
 import { Authorization } from '../middlewares/authorization'
 import { isLoggedIn } from '../middlewares/isLoggedIn'
 import { monitor } from '../middlewares/monitor'
@@ -48,7 +49,8 @@ export const routes = (accountController: AccountController, archiveController:
   testPoetUrl: string,
 ) => {
   const router = new KoaRouter()
-  const authorization = Authorization(accountController)
+  const authentication = Authentication(accountController)
+  const authorization = Authorization()
 
   router.use([Path.WORKS, Path.WORKS_WORKID], (ctx: any, next: any) => {
     ctx.set('Access-Control-Allow-Methods', 'POST,GET')
@@ -72,6 +74,7 @@ export const routes = (accountController: AccountController, archiveController:
       Path.TOKENS,
       Path.TOKENS_TOKENID,
     ],
+    authentication,
     authorization,
   )
 
@@ -95,6 +98,7 @@ export const routes = (accountController: AccountController, archiveController:
   router.get(
     Path.ACCOUNTS_ID,
     validate(GetAccountSchema),
+    authentication,
     GetAccount(accountController),
   )
   router.patch(

src/controllers/AccountController.ts

@@ -137,6 +137,7 @@ export const AccountController = ({
     const account: Account = {
       id,
       email,
+      emailPublic: false,
       password: hashedPassword,
       privateKey: encryptedPrivateKey,
       publicKey,

src/middlewares/authorization.test.ts → src/middlewares/authentication.test.ts

@@ -1,5 +1,5 @@
 import { describe } from 'riteway'
-import { extractToken } from './authorization'
+import { extractToken } from './authentication'
 
 describe('extractToken()', async (assert: any) => {
   {

src/middlewares/authentication.ts

@@ -0,0 +1,16 @@
+import { AccountController } from '../controllers/AccountController'
+
+export const extractToken = (ctx: any): string => (ctx.header.token ? ctx.header.token : ctx.params.token) || ''
+
+export const Authentication = (accountController: AccountController) => async (ctx: any, next: any) => {
+  const token = extractToken(ctx)
+
+  if (token) {
+    const { account, tokenData } = await accountController.authorizeRequest(token)
+
+    ctx.state.tokenData = tokenData
+    ctx.state.user = account
+  }
+
+  return next()
+}

src/middlewares/authorization.ts

@@ -1,22 +1,13 @@
-import { AccountController } from '../controllers/AccountController'
-
-export const extractToken = (ctx: any): string => (ctx.header.token ? ctx.header.token : ctx.params.token) || ''
-
-export const Authorization = (accountController: AccountController) => async (ctx: any, next: any) => {
+export const Authorization = () => async (ctx: any, next: any) => {
   // TODO: add configuration to ctx in app.ts so middlewares have access.
   // This is needed until we can figure out how to restart vault between
   // individual tests.
   // Currently a hack used to prevent errors in integration tests.
   if (process.env.SKIP_VAULT === 'true') return (ctx.status = 404)
 
-  const token = extractToken(ctx)
-
-  const { account, tokenData } = await accountController.authorizeRequest(token)
-
-  if (!account) return (ctx.status = 404)
+  const { user } = ctx.state
 
-  ctx.state.tokenData = tokenData
-  ctx.state.user = account
+  if (!user) return (ctx.status = 404)
 
   return next()
 }

src/models/Account.ts

@@ -1,6 +1,7 @@
 export interface Account {
   readonly id?: string
   readonly email: string
+  readonly emailPublic: boolean
   readonly password: string
   readonly verified: boolean
   readonly privateKey: string

tests/unit/index.ts

@@ -8,7 +8,7 @@ import '../../src/helpers/ethereum.test'
 import '../../src/helpers/token.test'
 import '../../src/helpers/uuid.test'
 import '../../src/loadConfiguration.test'
-import '../../src/middlewares/authorization.test'
+import '../../src/middlewares/authentication.test'
 import '../../src/middlewares/isLoggedIn.test'
 import '../../src/middlewares/monitor.test'
 import '../../src/middlewares/requireApiToken.test'