chore(5692): revise usr login credentials validity check

Kolezhanchik · Kolezhanchik · commit d722cda3d1f4 · 2025-06-06T17:21:10.000-07:00
diff --git a/app/app/api/private-cloud/products/[licencePlate]/usage-metrics/route.ts b/app/app/api/private-cloud/products/[licencePlate]/usage-metrics/route.ts
@@ -5,7 +5,7 @@ import createApiHandler from '@/core/api-handler';
 import { OkResponse, UnauthorizedResponse } from '@/core/responses';
 import { Cluster, ResourceRequestsEnv } from '@/prisma/client';
 import { models } from '@/services/db';
-import { getPodMetrics } from '@/services/k8s/metrics';
+import { getUsageMetrics } from '@/services/k8s/metrics';
 import { getPathParamSchema } from '../schema';
 
 const queryParamSchema = z.object({
@@ -33,7 +33,7 @@ export const GET = apiHandler(async ({ queryParams, pathParams, session }) => {
     cluster = 'KLAB';
   }
 
-  const metrics = await getPodMetrics(
+  const metrics = await getUsageMetrics(
     licencePlate,
     environmentLongNames[environment] as keyof ResourceRequestsEnv,
     cluster,
diff --git a/app/app/api/token-check/route.ts b/app/app/api/token-check/route.ts
@@ -9,25 +9,25 @@ import { validateAllServiceAccountTokens } from './validations/service-account-t
 
 export const POST = createApiHandler({})(async () => {
   const [
-    metricsTokens,
     keycloakServiceAccountCredentials,
     keycloakUserLoginCredentials,
+    metricsTokens,
     serviceAccountTokens,
     chesCredentials,
     msGraphCredentials,
   ] = await Promise.all([
-    validateAllMetricsReaderTokens(),
     validateKeycloakServiceAccount(),
     validateKeycloakUserLogin(),
+    validateAllMetricsReaderTokens(),
     validateAllServiceAccountTokens(),
     validateChesCredentials(),
     validateMsGraphCredentials(),
   ]);
 
   return NextResponse.json({
-    metricsTokens,
     keycloakServiceAccountCredentials,
     keycloakUserLoginCredentials,
+    metricsTokens,
     serviceAccountTokens,
     chesCredentials,
     msGraphCredentials,
diff --git a/app/app/api/token-check/validations/helpers.ts b/app/app/api/token-check/validations/helpers.ts
@@ -1,4 +1,6 @@
+import KcAdminClient from '@keycloak/keycloak-admin-client';
 import { AuthorizationV1Api } from '@kubernetes/client-node';
+import { KEYCLOAK_ADMIN_CLIENT_ID, KEYCLOAK_ADMIN_CLIENT_SECRET } from '@/config';
 import { Cluster } from '@/prisma/client';
 import { configureKubeConfig } from '@/services/k8s/helpers';
 
@@ -45,3 +47,27 @@ export async function validateClientCredentials({ tokenUrl, clientId, clientSecr
   const token = await getClientCredentialsToken(tokenUrl, params);
   return Boolean(token);
 }
+
+export async function validateKeycloakUserClientId(clientId: string) {
+  try {
+    const authUrl = `${process.env.AUTH_SERVER_URL}/realms/${process.env.AUTH_RELM}/protocol/openid-connect/auth`;
+
+    const params = new URLSearchParams({
+      client_id: clientId,
+      response_type: 'code',
+      scope: 'openid profile email',
+      redirect_uri: 'https://registry.developer.gov.bc.ca/',
+      state: 'test',
+      nonce: 'test',
+    });
+
+    const res = await fetch(`${authUrl}?${params.toString()}`, {
+      method: 'GET',
+      redirect: 'manual',
+    });
+
+    return res.status === 200 || res.status === 302;
+  } catch {
+    return false;
+  }
+}
diff --git a/app/app/api/token-check/validations/keycloak-service-account-credentials.ts b/app/app/api/token-check/validations/keycloak-service-account-credentials.ts
@@ -1,9 +1,11 @@
-import { AUTH_SERVER_URL, AUTH_RELM, KEYCLOAK_ADMIN_CLIENT_ID, KEYCLOAK_ADMIN_CLIENT_SECRET } from '@/config';
+import { KEYCLOAK_ADMIN_CLIENT_ID, KEYCLOAK_ADMIN_CLIENT_SECRET } from '@/config';
 import { validateClientCredentials } from './helpers';
 
 export async function validateKeycloakServiceAccount() {
+  const tokenUrl = `${process.env.AUTH_SERVER_URL}/realms/${process.env.AUTH_RELM}/protocol/openid-connect/token`;
+
   return await validateClientCredentials({
-    tokenUrl: `${AUTH_SERVER_URL}/realms/${AUTH_RELM}/protocol/openid-connect/token`,
+    tokenUrl: tokenUrl,
     clientId: KEYCLOAK_ADMIN_CLIENT_ID,
     clientSecret: KEYCLOAK_ADMIN_CLIENT_SECRET,
   });
diff --git a/app/app/api/token-check/validations/keycloak-user-login-credentials.ts b/app/app/api/token-check/validations/keycloak-user-login-credentials.ts
@@ -1,12 +1,6 @@
-import { AUTH_RESOURCE, AUTH_SECRET } from '@/config';
-import { validateClientCredentials } from './helpers';
+import { AUTH_RESOURCE } from '@/config';
+import { validateKeycloakUserClientId } from './helpers';
 
 export async function validateKeycloakUserLogin() {
-  const tokenUrl = `${process.env.AUTH_SERVER_URL}/realms/${process.env.AUTH_RELM}/protocol/openid-connect/token`;
-
-  return await validateClientCredentials({
-    tokenUrl,
-    clientId: AUTH_RESOURCE,
-    clientSecret: AUTH_SECRET,
-  });
+  return await validateKeycloakUserClientId(AUTH_RESOURCE);
 }
diff --git a/app/services/k8s/metrics/usage-metrics.ts b/app/services/k8s/metrics/usage-metrics.ts
@@ -21,7 +21,7 @@ async function getLastTwoWeeksAvgUsage(cluster: Cluster, namespace: string, podN
 
     // Match memory usage for the same container
     const memoryUsageItem = usageMemory.find((memItem) => memItem.metric.container === containerName);
-    const memoryUsage = memoryUsageItem && memoryUsageItem.value ? parseFloat(memoryUsageItem.value[1]) : 0;
+    const memoryUsage = memoryUsageItem?.value ? parseFloat(memoryUsageItem.value[1]) : 0;
 
     return {
       containerName,
