Only allow machine users to call the registration endpoint

packages/apps/api-authorizer/src/authorization.ts

@@ -1,4 +1,4 @@
-import { Jwt } from 'jsonwebtoken';
+import { Jwt, JwtPayload } from 'jsonwebtoken';
 import { auth0IdToPublic } from '@weco/auth0-client';
 
 type HttpVerb =
@@ -12,7 +12,9 @@ type HttpVerb =
   | 'CONNECT';
 
 type AccessControlRule = (
-  jwt: Jwt,
+  jwt: Jwt & {
+    payload: (JwtPayload & { gty?: string }) | string
+  },
   parameters?: Record<string, string | undefined>
 ) => boolean;
 
@@ -37,6 +39,40 @@ export const hasScopes = (...requiredScopes: string[]): AccessControlRule => (
   return tokenScopes.some((tokenScope) => requiredScopes.includes(tokenScope));
 };
 
+export const isMachineUser: AccessControlRule = (jwt, parameters) => {
+  if (typeof jwt.payload === 'string') {
+    return false;
+  }
+
+  // This is relying on two implementation details of the Auth0
+  // client credentials flow:
+  //
+  //    - An access token from the client-credentials flow will have the
+  //      field "gty": "client-credentials"
+  //    - The subject field will be of the form "client ID@clients",
+  //      e.g. "sub": "123@clients"
+  //
+  // This is belt-and-braces checking; we already trust the JWT.  We want
+  // to make sure tokens aren't being used in unexpected places, because
+  // machine-to-machine clients can modify *all* users, whereas users can
+  // only modify themselves.
+  //
+  // If this breaks in future and we want a more robust way of checking
+  // for machine users, we should use a custom claim.
+  //
+  // We already have code for adding custom claims; we'd need to add this
+  // to an action tied to the client credentials flow.
+  //
+  // See
+  // https://github.com/wellcomecollection/identity/blob/585882471c43b45b7578fab926fa384ca4e691dd/packages/apps/auth0-actions/src/add_custom_claims.ts
+  // https://community.auth0.com/t/sub-claim-format-for-m2m-tokens/39451/5
+  // https://wellcome.slack.com/archives/CUA669WHH/p1656055161485399
+  const isClientCredentials = jwt.payload.gty === 'client-credentials';
+  const isClientSubject = (jwt.payload.sub || '').endsWith('@clients');
+
+  return isClientCredentials && isClientSubject;
+}
+
 export const isSelf: AccessControlRule = (jwt, parameters) => {
   if (typeof jwt.payload === 'string') {
     return false;

packages/apps/api-authorizer/src/handler.ts

@@ -8,6 +8,7 @@ import { authorizerResult, policyDocument, send401 } from './api-gateway';
 import {
   allOf,
   hasScopes,
+  isMachineUser,
   isSelf,
   resourceAuthorizationValidator,
 } from './authorization';
@@ -41,7 +42,7 @@ const validateRequest = resourceAuthorizationValidator({
     GET: allOf(isSelf, hasScopes('read:requests')),
   },
   '/users/{userId}/registration': {
-    PUT: allOf(isSelf, hasScopes('update:user')),
+    PUT: isMachineUser,
   },
 });