feat: only allow user with email whiteslited to access benchmark pages

src/env.d.ts

@@ -8,6 +8,7 @@ declare namespace App {
       username?: string;
       email?: string | null;
       roles?: string[];
+      emailDomain?: string | null;
     };
   }
 }

src/middleware.ts

@@ -4,7 +4,7 @@ import { config as authConfig } from "../auth.config";
 import { isFeatureEnabled } from "./lib/featureflag";
 import aclMapping from "./acl-mapping.json";
 
-const protectedPaths = ["/api/admin/services/benchmarks.json", "/dashboard"];
+const protectedPaths = ["/api/admin/services/", "/dashboard"];
 
 /**
  * Check if the request is for an API endpoint
@@ -52,14 +52,16 @@ export const onRequest = defineMiddleware(async (context, next) => {
       const session = await getSession(context.request, authConfig);
 
       if (session?.user) {
+        const emailDomain = `@${session.user.email?.split("@").pop()}`;
+
         context.locals.user = {
           name: session.user.name,
           username: session.user.username,
           email: session.user.email,
           roles: session.user.roles || [],
+          emailDomain, 
         };
 
-        const emailDomain = `@${context.locals.user.email?.split("@").pop()}`;
         if (context.locals.user.roles?.includes("administrator") || aclMapping.acl.admin.includes(emailDomain)) {
           return next();
         }

src/pages/api/admin/services/[id]/benchmarks.json.ts

@@ -5,6 +5,7 @@ import {
   PARQUET_MONTH_COVERAGE,
   getUrlsFromRequest,
 } from "@/lib/parquet-datasource";
+import aclMapping from "@/acl-mapping.json";
 
 /**
  * @openapi
@@ -92,7 +93,7 @@ import {
  *       - Benchmark
  *       - Scenario
  */
-export const GET: APIRoute = async ({ params, request }) => {
+export const GET: APIRoute = async ({ params, request, locals }) => {
   const scenario = params.id;
 
   if (!scenario) {
@@ -102,6 +103,14 @@ export const GET: APIRoute = async ({ params, request }) => {
     );
   }
 
+  // @ts-expect-error
+  if (!aclMapping.records[scenario]?.includes(locals.user?.emailDomain)) {
+    return new Response(
+      JSON.stringify({ message: "Scenario not found." }),
+      { status: 404, headers: { "Content-Type": "application/json" } },
+    );
+  }
+
   try {
     const urlResponse = await getUrlsFromRequest(request);
     if (urlResponse instanceof Response) {

src/pages/api/admin/services/benchmarks.json.ts

@@ -5,6 +5,7 @@ import {
   PARQUET_MONTH_COVERAGE,
   getUrlsFromRequest,
 } from "@/lib/parquet-datasource";
+import aclMapping from "@/acl-mapping.json";
 
 /**
  * @openapi
@@ -71,7 +72,7 @@ import {
  *       - Admin
  *       - Benchmark
  */
-export const GET: APIRoute = async ({ request }) => {
+export const GET: APIRoute = async ({ request, locals }) => {
   try {
     const urlResponse = await getUrlsFromRequest(request);
     if (urlResponse instanceof Response) {
@@ -102,7 +103,11 @@ export const GET: APIRoute = async ({ request }) => {
       ORDER BY "scenario_id";
     `;
 
-    const data = (await executeQuery(query)) as BenchmarkSummary[];
+    let data = (await executeQuery(query)) as BenchmarkSummary[];
+    data = data.filter((benchmark) => {
+      // @ts-expect-error
+      return aclMapping.records[benchmark.scenario_id]?.includes(locals.user?.emailDomain)
+    });
 
     return Response.json(data);
   } catch (error) {