Restrict User Info endpoints to specific roles (#382)

Also cleanup role definitions for meta-roles.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Security**
* Enhanced authorization requirements for user lookup functionality, now
requiring specific access roles.

* **Refactor**
* Restructured role management system to support improved permission
control and maintainability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: devksingh4

src/api/routes/user.ts

@@ -17,6 +17,7 @@ import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
 import { QueryCommand } from "@aws-sdk/client-dynamodb";
 import { genericConfig } from "common/config.js";
 import { unmarshall } from "@aws-sdk/util-dynamodb";
+import { AppRoles } from "common/roles.js";
 
 const userRoute: FastifyPluginAsync = async (fastify, _options) => {
   await fastify.register(rateLimiter, {
@@ -29,7 +30,11 @@ const userRoute: FastifyPluginAsync = async (fastify, _options) => {
     "/findUserByUin",
     {
       schema: withRoles(
-        [],
+        [
+          AppRoles.VIEW_USER_INFO,
+          AppRoles.TICKETS_MANAGER,
+          AppRoles.TICKETS_SCANNER,
+        ],
         withTags(["Generic"], {
           summary: "Find a user by UIN.",
           body: searchUserByUinRequest,

src/common/roles.ts

@@ -3,7 +3,9 @@ import { AllOrganizationNameList } from "@acm-uiuc/js-shared";
 /* eslint-disable import/prefer-default-export */
 export const runEnvironments = ["dev", "prod"] as const;
 export type RunEnvironment = (typeof runEnvironments)[number];
-export enum AppRoles {
+export const META_ROLE_PREFIX = "__metaRole:"
+
+export enum BaseRoles {
   EVENTS_MANAGER = "manage:events",
   TICKETS_SCANNER = "scan:tickets",
   TICKETS_MANAGER = "manage:tickets",
@@ -21,19 +23,25 @@ export enum AppRoles {
   VIEW_EXTERNAL_MEMBERSHIP_LIST = "view:externalMembershipList",
   MANAGE_EXTERNAL_MEMBERSHIP_LIST = "manage:externalMembershipList",
   ALL_ORG_MANAGER = "manage:orgDefinitions",
-  AT_LEAST_ONE_ORG_MANAGER = "manage:someOrg" // THIS IS A FAKE ROLE - DO NOT ASSIGN IT MANUALLY - only used for permissioning
+  VIEW_USER_INFO = "view:userInfo",
+}
+
+export enum MetaRoles {
+  AT_LEAST_ONE_ORG_MANAGER = `${META_ROLE_PREFIX}manage:someOrg`,
 }
-export const PSUEDO_ROLES = [AppRoles.AT_LEAST_ONE_ORG_MANAGER]
+
+export const AppRoles = { ...BaseRoles, ...MetaRoles } as const;
+export type AppRoles = BaseRoles | MetaRoles;
 export const orgRoles = ["LEAD", "MEMBER"] as const;
 export type OrgRole = typeof orgRoles[number];
 export type OrgRoleDefinition = {
   org: typeof AllOrganizationNameList[number],
   role: OrgRole
 }
 
-export const allAppRoles = Object.values(AppRoles).filter(
+export const allAppRoles = Object.values(BaseRoles).filter(
   (value) => typeof value === "string",
-).filter(value => !PSUEDO_ROLES.includes(value)); // don't assign psuedo roles by default
+);
 
 export const AppRoleHumanMapper: Record<AppRoles, string> = {
   [AppRoles.EVENTS_MANAGER]: "Events Manager",
@@ -54,4 +62,5 @@ export const AppRoleHumanMapper: Record<AppRoles, string> = {
   [AppRoles.MANAGE_EXTERNAL_MEMBERSHIP_LIST]: "External Membership List Manager",
   [AppRoles.ALL_ORG_MANAGER]: "Organization Definition Manager",
   [AppRoles.AT_LEAST_ONE_ORG_MANAGER]: "Manager of at least one org",
+  [AppRoles.VIEW_USER_INFO]: "User Information Viewer"
 }