feat: add debug routes for transaction database (#113)

naftis · web-flow · commit 1e6996932caf · 2025-12-02T14:50:20.000+02:00
* feat: debug routes for SQLite

* feat: restrict scopes who can debug the db

* refactor: remove the need to have a search to delete a record

this allows record only tokens to remove records

* Update packages/mosip-api/src/routes/debug-sqlite.ts

* use scopes from 1.9.0

* give actionId / eventId to debug
diff --git a/packages/mosip-api/src/database.ts b/packages/mosip-api/src/database.ts
@@ -62,4 +62,23 @@ export const getTransactionAndDiscard = (id: string) => {
   };
 };
 
+/**
+ * Retrieves all transactions from the database.
+ *
+ * @warning
+ * This function is intended for **debugging purposes only** as it exposes sensitive data.
+ */
+export const getAllTransactions = () => {
+  return database
+    .prepare(
+      "SELECT id, registration_number, token, created_at FROM transactions",
+    )
+    .all() as Array<{
+    id: string;
+    registration_number: string;
+    token: string;
+    created_at: string;
+  }>;
+};
+
 export const exit = () => database.close();
diff --git a/packages/mosip-api/src/index.ts b/packages/mosip-api/src/index.ts
@@ -19,6 +19,10 @@ import {
   CredentialIssuedSchema,
 } from "./routes/websub-credential-issued";
 import { initWebSub } from "./websub/subscribe";
+import {
+  deleteTransactionHandler,
+  getAllTransactionsHandler,
+} from "./routes/debug-sqlite";
 import { verifyHandler, VerifySchema } from "./routes/verify";
 
 const envToLogger = {
@@ -34,6 +38,9 @@ const envToLogger = {
 };
 
 const initRoutes = (app: FastifyInstance) => {
+  /*
+   * OpenCRVS birth / death registration and personal information verification
+   */
   app.withTypeProvider<ZodTypeProvider>().route({
     url: "/events/registration",
     method: "POST",
@@ -80,6 +87,21 @@ const initRoutes = (app: FastifyInstance) => {
       body: CredentialIssuedSchema,
     },
   });
+
+  /*
+   * SQLite debug route
+   */
+  app.withTypeProvider<ZodTypeProvider>().route({
+    method: "GET",
+    url: "/debug/transactions",
+    handler: getAllTransactionsHandler,
+  });
+
+  app.withTypeProvider<ZodTypeProvider>().route({
+    method: "DELETE",
+    url: "/debug/transactions/:id",
+    handler: deleteTransactionHandler,
+  });
 };
 
 let corePublicKey: string;
diff --git a/packages/mosip-api/src/routes/debug-sqlite.ts b/packages/mosip-api/src/routes/debug-sqlite.ts
@@ -0,0 +1,85 @@
+import { FastifyReply, FastifyRequest } from "fastify";
+import { getAllTransactions, getTransactionAndDiscard } from "../database";
+import { SCOPES } from "@opencrvs/toolkit/scopes";
+import { TokenPayload } from "./websub-credential-issued";
+import { decode } from "jsonwebtoken";
+
+interface AuthenticatedUser {
+  scope: string[];
+}
+
+/**
+ * Allow listing transactions for users that have the search scope.
+ *
+ * Rationale:
+ * - Users with this scope would be able to see record UUID's and registration numbers in the UI anyway.
+ */
+const isAllowedToSearch = (scope: string[]) => {
+  return (
+    scope.includes(SCOPES.SEARCH_BIRTH) && scope.includes(SCOPES.SEARCH_DEATH)
+  );
+};
+
+/**
+ * Allow deleting transactions for users that have `record.reject-registration` scope.
+ *
+ * Rationale:
+ * - This should be accompanied with a `client.event.actions.register.reject` call via Postman which requires this scope.
+ */
+const isAllowedToDelete = (scope: string[]) =>
+  scope.includes(SCOPES.RECORD_REJECT_REGISTRATION);
+
+export const getAllTransactionsHandler = async (
+  request: FastifyRequest,
+  reply: FastifyReply,
+) => {
+  const { scope } = request.user as AuthenticatedUser;
+
+  if (!isAllowedToSearch(scope)) {
+    return reply.status(403).send({
+      error: "You do not have permission to access this resource.",
+    });
+  }
+
+  const transactions = getAllTransactions();
+
+  return transactions.map(({ token, ...rest }) => {
+    const { eventId, actionId } = decode(token) as TokenPayload;
+
+    return {
+      eventId,
+      actionId,
+      ...rest,
+    };
+  });
+};
+
+export type DeleteTransactionRequest = FastifyRequest<{
+  Params: { id: string };
+}>;
+
+export const deleteTransactionHandler = async (
+  request: DeleteTransactionRequest,
+  reply: FastifyReply,
+) => {
+  const { scope } = request.user as AuthenticatedUser;
+
+  if (!isAllowedToDelete(scope)) {
+    return reply.status(403).send({
+      error: "You do not have permission to access this resource.",
+    });
+  }
+
+  const { id } = request.params;
+
+  try {
+    const transaction = getTransactionAndDiscard(id);
+
+    reply.status(200).send(transaction);
+  } catch (error) {
+    const message =
+      error instanceof Error ? error.message : "Unknown error occurred";
+
+    reply.status(404).send({ error: message });
+  }
+};
diff --git a/packages/mosip-api/src/routes/websub-credential-issued.ts b/packages/mosip-api/src/routes/websub-credential-issued.ts
@@ -28,7 +28,7 @@ export const CredentialIssuedSchema = z.object({
   }),
 });
 
-interface TokenPayload {
+export interface TokenPayload {
   eventId: string;
   actionId: string;
 }

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ export const CredentialIssuedSchema = z.object({`
`28`	`28`	`}),`
`29`	`29`	`});`
`30`	`30`
`31`		`-interface TokenPayload {`
	`31`	`+export interface TokenPayload {`
`32`	`32`	`eventId: string;`
`33`	`33`	`actionId: string;`
`34`	`34`	`}`