Multiple Authors Access

.firebaserc

@@ -1,5 +1,8 @@
 {
   "projects": {
-    "default": "cioos-metadata-form"
-  }
-}
+    "default": "cioos-metadata-form",
+    "dev": "cioos-metadata-form-dev"
+  },
+  "targets": {},
+  "etags": {}
+}

.github/workflows/firebase-hosting-pull-request.yml

@@ -26,7 +26,7 @@ jobs:
           firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_CIOOS_METADATA_FORM }}'
           expires: 30d
           entryPoint: '.'
-          projectId: cioos-metadata-form
+          projectId: cioos-metadata-form-dev
         env:
           FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
           GMAIL_USER: ${{ secrets.GMAIL_USER }}

firebase-functions/.firebaserc

@@ -1,6 +1,7 @@
 {
   "projects": {
-    "default": "cioos-metadata-form"
+    "default": "cioos-metadata-form",
+    "dev": "cioos-metadata-form-dev"
   },
   "targets": {
     "cioos-metadata-form": {
@@ -12,6 +13,16 @@
           "cioos-metadata-form-dev"
         ]
       }
+    },
+    "development": {
+      "database": {
+        "prod": [
+          "cioos-metadata-form"
+        ],
+        "dev": [
+          "cioos-metadata-form-dev"
+        ]
+      }
     }
   },
   "etags": {}

firebase-functions/database.rules.json

@@ -5,7 +5,7 @@
     // This design requires careful structuring of rules (and data) to ensure appropriate access control 
     // throughout the database hierarchy.
     "$region": {
-      // Allow read access to any authenticated user.
+        // Allow read access to any authenticated user.
       ".read": "auth.uid != null",
       "shares": {
         "$userid": {
@@ -17,48 +17,52 @@
       "users": {
         "$userid": {
           // Allow write access if the authenticated user is the user specified by $userid or if the authenticated user's email is listed as a reviewer in the admin permissions for the region.
-          ".write": "(auth.uid == $userid) || root.child('admin').child($region).child('permissions').child('reviewers').val().contains(auth.email)",
+          ".write": "(auth.uid == $userid) || root.child('admin').child($region).child('permissions').child('reviewers').val().contains(auth.email)",    
           "records": {
             "$recordid": {
-              // Allow read access if the authenticated users's uid is listed in the 'shared with' list for the record
-              ".read": "root.child($region).child('users').child($userid).child('records').child($recordid).child('sharedWith').child(auth.uid).exists()",
-              // Allow write access if the authenticated users's uid is listed in the 'shared with' list for the record
-              ".write": "root.child($region).child('users').child($userid).child('records').child($recordid).child('sharedWith').child(auth.uid).exists()",
+              // Allow read access if the authenticated users's uid exists in the 'shared with' object for the record
+            ".read": "root.child($region).child('users').child($userid).child('records').child($recordid).child('sharedWith').child(auth.uid).exists()",
+            // Allow write access if the authenticated users's uid exists in the 'shared with' object for the record
+          ".write": "root.child($region).child('users').child($userid).child('records').child($recordid).child('sharedWith').child(auth.uid).exists()",
             }
-          },
+          }
         }
       }
     },
     "admin": { // Section of the database dedicated to admin configurations.
       "$regionAdmin": {
         // Allow read access if the authenticated user's email is listed as a reviewer in the permissions for the region.
-        ".read": "root.child('admin').child($regionAdmin).child('permissions').child('reviewers').val().contains(auth.email) || root.child('admin').child($regionAdmin).child('permissions').child('admins').val().contains(auth.email)",
-        "projects": {
-          // Allow write access to projects if the authenticated user's email is listed as a reviewer in the permissions for the region.
-          ".write": "root.child('admin').child($regionAdmin).child('permissions').child('reviewers').val().contains(auth.email)",
-          // Allow read access to any authenticated user.
-          ".read": "auth.uid != null"
-        },
-        "permissions": {
-          // Allow read access to any authenticated user.
-          ".read": "auth.uid != null",
-          "admins": {
-            // Allow write access for admins if the authenticated user's email is listed as an admin in the permissions for the region.
-            ".write": "root.child('admin').child($regionAdmin).child('permissions').child('admins').val().contains(auth.email)",
+            ".read": "root.child('admin').child($regionAdmin).child('permissions').child('reviewers').val().contains(auth.email)",
+          "projects": {
+              // Allow write access to projects if the authenticated user's email is listed as a reviewer in the permissions for the region.
+              ".write": "root.child('admin').child($regionAdmin).child('permissions').child('reviewers').val().contains(auth.email)",
+              // Allow read access to any authenticated user.
+              ".read": "auth.uid != null"
+              },
+          "permissions": {
             // Allow read access to any authenticated user.
-            ".read": "auth.uid != null"
+            ".read": "auth.uid != null",
+              "admins": {
+              // Allow write access for admins if the authenticated user's email is listed as an admin in the permissions for the region.
+              ".write": "root.child('admin').child($regionAdmin).child('permissions').child('admins').val().contains(auth.email)",
+              // Allow read access to any authenticated user.
+              ".read": "auth.uid != null",
+              },
+              "reviewers": {
+              // Allow write access for reviewers if the authenticated user's email is listed as an admin in the permissions for the region.
+              ".write": "root.child('admin').child($regionAdmin).child('permissions').child('admins').val().contains(auth.email)",
+              // Allow read access to any authenticated user.
+              ".read": "auth.uid != null",
+              },
+              "dataciteCredentials": {
+                // Allow write access to DataCite credentials if the authenticated user's email is listed as an admin in the permissions for the region.
+                ".write": "root.child('admin').child($regionAdmin).child('permissions').child('admins').val().contains(auth.email)",
+            }
           },
-          "reviewers": {
-            // Allow write access for reviewers if the authenticated user's email is listed as an admin in the permissions for the region.
+          "dataciteCredentials": {
+            // Allow write access to DataCite credentials if the authenticated user's email is listed as an admin in the permissions for the region.
             ".write": "root.child('admin').child($regionAdmin).child('permissions').child('admins').val().contains(auth.email)",
-            // Allow read access to any authenticated user.
-            ".read": "auth.uid != null"
           }
-        },
-        "dataciteCredentials": {
-          // Allow write access to DataCite credentials if the authenticated user's email is listed as an admin in the permissions for the region.
-          ".write": "root.child('admin').child($regionAdmin).child('permissions').child('admins').val().contains(auth.email)",
-        }
       }
     }
   }

firebase-functions/functions/datacite.js

@@ -1,11 +1,21 @@
+const admin = require("firebase-admin");
+
 const baseUrl = "https://api.datacite.org/dois/";
 const functions = require("firebase-functions");
-const { defineString } = require('firebase-functions/params');
 const axios = require("axios");
 
 exports.createDraftDoi = functions.https.onCall(async (data) => {
 
-  const { record, authHash } = data;
+  const { record, region } = data;
+
+  let authHash
+
+  try {
+    authHash = (await admin.database().ref('admin').child(region).child("dataciteCredentials").child("dataciteHash").once("value")).val();
+  } catch (error) {
+      console.error(`Error fetching Datacite Auth Hash for region ${region}:`, error);
+      return null;
+  } 
 
   functions.logger.log(authHash);
 
@@ -51,15 +61,21 @@ exports.createDraftDoi = functions.https.onCall(async (data) => {
   }
 });
 
-exports.updateDraftDoi = functions.https.onCall(async (data) => {
-
-  const dataciteCred = process.env.DATACITE_AUTH_HASH || dataciteAuthHash.value()
+exports.updateDraftDoi = functions.https.onCall(async (dataObj) => {
+  const { doi, region, data } = dataObj;
+  let authHash
+  try {
+    authHash = (await admin.database().ref('admin').child(region).child("dataciteCredentials").child("dataciteHash").once("value")).val();
+  } catch (error) {
+    console.error(`Error fetching Datacite Auth Hash for region ${region}:`, error);
+      return null;
+  } 
 
   try {
-    const url = `${baseUrl}${data.doi}/`;
-    const response = await axios.put(url, data.data, {
+    const url = `${baseUrl}${doi}/`;
+    const response = await axios.put(url, data, {
       headers: {
-        'Authorization': `Basic ${data.dataciteAuthHash}`,
+        'Authorization': `Basic ${authHash}`,
         'Content-Type': "application/json",
       },
     });
@@ -102,11 +118,20 @@ exports.updateDraftDoi = functions.https.onCall(async (data) => {
 
 exports.deleteDraftDoi = functions.https.onCall(async (data) => {
 
-  const { doi, dataciteAuthHash } = data;
+  const { doi, region } = data;
+  let authHash
+
+  try {
+    authHash = (await admin.database().ref('admin').child(region).child("dataciteCredentials").child("dataciteHash").once("value")).val();
+  } catch (error) {
+      console.error(`Error fetching Datacite Auth Hash for region ${region}:`, error);
+      return null;
+  } 
+
   try {
     const url = `${baseUrl}${doi}/`;
     const response = await axios.delete(url, {
-    headers: { 'Authorization': `Basic ${dataciteAuthHash}` },
+    headers: { 'Authorization': `Basic ${authHash}` },
   });
   return response.status;
   } catch (err) {
@@ -142,14 +167,31 @@ exports.deleteDraftDoi = functions.https.onCall(async (data) => {
 
 exports.getDoiStatus = functions.https.onCall(async (data) => {
 
-  const dataciteCred = process.env.DATACITE_AUTH_HASH || dataciteAuthHash.value()
+  let prefix;
+  let authHash
+
+  functions.logger.log(data);
+
+  try {
+    prefix = (await admin.database().ref('admin').child(data.region).child("dataciteCredentials").child("prefix").once("value")).val();
+  } catch (error) {
+      console.error(`Error fetching Datacite Prefix for region ${data.region}:`, error);
+      return null;
+  }
+
+  try {
+    authHash = (await admin.database().ref('admin').child(data.region).child("dataciteCredentials").child("dataciteHash").once("value")).val();
+  } catch (error) {
+      console.error(`Error fetching Datacite Auth Hash for region ${data.region}:`, error);
+      return null;
+  } 
 
   try {
     const url = `${baseUrl}${data.doi}/`;
     // TODO: limit response to just the state field. elasticsearch query syntax?
     const response = await axios.get(url, {
       headers: {
-        'Authorization': `Basic ${data.authHash}`
+        'Authorization': `Basic ${authHash}`
       },
     });
     return response.data.data.attributes.state;
@@ -163,7 +205,7 @@ exports.getDoiStatus = functions.https.onCall(async (data) => {
     }
     // if the error is a 404, throw a HttpsError with the code 'not-found'
     if (err.response && err.response.status === 404) {
-      if (data.doi.startsWith(`${data.prefix}/`)) {
+      if (data.doi.startsWith(`${prefix}/`)) {
         return 'not found'
       }
       return 'unknown'
@@ -184,3 +226,29 @@ exports.getDoiStatus = functions.https.onCall(async (data) => {
   }
 
 });
+
+exports.getCredentialsStored = functions.https.onCall(async (data) => {
+  try {
+    const credentialsRef = admin.database().ref('admin').child(data).child("dataciteCredentials");
+    const authHashSnapshot = await credentialsRef.child("dataciteHash").once("value");
+    const prefixSnapshot = await credentialsRef.child("prefix").once("value");
+
+    const authHash = authHashSnapshot.val();
+    const prefix = prefixSnapshot.val();
+
+    // Check for non-null and non-empty
+    return authHash && authHash !== "" && prefix && prefix !== "";
+  } catch (error) {
+    console.error("Error checking Datacite credentials:", error);
+    return false;
+  }
+});
+
+exports.getDatacitePrefix = functions.https.onCall(async (region) => {
+  try {
+    const prefix = (await admin.database().ref('admin').child(region).child("dataciteCredentials").child("prefix").once("value")).val();
+    return prefix;
+  } catch (error) {
+    throw new Error(`Error fetching Datacite Prefix for region ${region}: ${error}`);
+  }
+});

firebase-functions/functions/index.js

@@ -1,7 +1,7 @@
 const admin = require("firebase-admin");
 const { translate } = require("./translate");
 const { checkURLActive } = require("./serverUtils");
-const { createDraftDoi, updateDraftDoi, deleteDraftDoi, getDoiStatus } = require("./datacite");
+const { createDraftDoi, updateDraftDoi, deleteDraftDoi, getDoiStatus, getCredentialsStored, getDatacitePrefix } = require("./datacite");
 const { notifyReviewer, notifyUser } = require("./notify");
 const {
   updatesRecordCreate,
@@ -26,3 +26,5 @@ exports.deleteDraftDoi = deleteDraftDoi;
 exports.updateDraftDoi = updateDraftDoi;
 exports.getDoiStatus = getDoiStatus;
 exports.checkURLActive = checkURLActive;
+exports.getCredentialsStored = getCredentialsStored;
+exports.getDatacitePrefix = getDatacitePrefix;