feature: GET /users/user-id/USER_ID — getUserByUserId migrated to v7

constantine2nd · constantine2nd · commit b5f45ca79f25 · 2026-04-10T13:23:25.000+02:00
diff --git a/obp-api/src/main/scala/code/api/v7_0_0/Http4s700.scala b/obp-api/src/main/scala/code/api/v7_0_0/Http4s700.scala
@@ -28,9 +28,13 @@ import com.openbankproject.commons.model.{AccountId, BankId, BankIdAccountId, Co
 import com.github.dwickern.macros.NameOf.nameOf
 import com.openbankproject.commons.ExecutionContext.Implicits.global
 import com.openbankproject.commons.util.{ApiVersion, ApiVersionStatus, ScannedApiVersion}
+import code.loginattempts.LoginAttempt
+import code.metrics.MappedMetric
+import code.users.UserAgreementProvider
 import net.liftweb.common.Full
 import net.liftweb.json.JsonAST.prettyRender
 import net.liftweb.json.{Extraction, Formats}
+import net.liftweb.mapper.{By, Descending, MaxRows, OrderBy}
 import org.http4s._
 import org.http4s.dsl.io._
 
@@ -666,6 +670,68 @@ object Http4s700 {
       http4sPartialFunction = Some(getUsers)
     )
 
+    // Route: GET /obp/v7.0.0/users/user-id/USER_ID
+    val getUserByUserId: HttpRoutes[IO] = HttpRoutes.of[IO] {
+      case req @ GET -> `prefixPath` / "users" / "user-id" / userId =>
+        EndpointHelpers.withUser(req) { (_, cc) =>
+          for {
+            user <- UserVend.users.vend.getUserByUserIdFuture(userId).map(
+              x => unboxFullOrFail(x, cc.callContext, s"$UserNotFoundByUserId Current USER_ID($userId)", 404)
+            )
+            entitlements <- NewStyle.function.getEntitlementsByUserId(user.userId, cc.callContext)
+            agreements <- Future {
+              val acceptMarketingInfo = UserAgreementProvider.userAgreementProvider.vend.getLastUserAgreement(user.userId, "accept_marketing_info")
+              val termsAndConditions = UserAgreementProvider.userAgreementProvider.vend.getLastUserAgreement(user.userId, "terms_and_conditions")
+              val privacyConditions = UserAgreementProvider.userAgreementProvider.vend.getLastUserAgreement(user.userId, "privacy_conditions")
+              val agreementList = acceptMarketingInfo.toList ::: termsAndConditions.toList ::: privacyConditions.toList
+              if (agreementList.isEmpty) None else Some(agreementList)
+            }
+            isLocked = LoginAttempt.userIsLocked(user.provider, user.name)
+            authUser = code.model.dataAccess.AuthUser.find(
+              By(code.model.dataAccess.AuthUser.user, user.userPrimaryKey.value)
+            )
+            userMetrics <- Future {
+              MappedMetric.findAll(
+                By(MappedMetric.userId, userId),
+                OrderBy(MappedMetric.date, Descending),
+                MaxRows(5)
+              )
+            }
+            lastActivityDate = userMetrics.headOption.map(_.getDate())
+            recentOperationIds = userMetrics.map(_.getImplementedByPartialFunction()).distinct.take(5)
+          } yield JSONFactory600.createUserInfoJsonV600(
+            user,
+            authUser.map(_.firstName.get).getOrElse(""),
+            authUser.map(_.lastName.get).getOrElse(""),
+            entitlements,
+            agreements,
+            isLocked,
+            lastActivityDate,
+            recentOperationIds
+          )
+        }
+    }
+
+    resourceDocs += ResourceDoc(
+      null,
+      implementedInApiVersion,
+      nameOf(getUserByUserId),
+      "GET",
+      "/users/user-id/USER_ID",
+      "Get User by USER_ID",
+      """Get user by USER_ID.
+        |
+        |Authentication is required.
+        |
+        |CanGetAnyUser entitlement is required.""",
+      EmptyBody,
+      userInfoJsonV600,
+      List($AuthenticatedUserIsRequired, UserHasMissingRoles, UserNotFoundByUserId, UnknownError),
+      apiTagUser :: Nil,
+      Some(List(canGetAnyUser)),
+      http4sPartialFunction = Some(getUserByUserId)
+    )
+
     // Route: GET /obp/v7.0.0/banks/BANK_ID/customers
     val getCustomersAtOneBank: HttpRoutes[IO] = HttpRoutes.of[IO] {
       case req @ GET -> `prefixPath` / "banks" / bankIdStr / "customers" =>
diff --git a/obp-api/src/test/scala/code/api/v7_0_0/Http4s700RoutesTest.scala b/obp-api/src/test/scala/code/api/v7_0_0/Http4s700RoutesTest.scala
@@ -5,7 +5,7 @@ import code.api.Constant.SYSTEM_OWNER_VIEW_ID
 import code.api.ResponseHeader
 import code.api.util.APIUtil
 import code.api.util.ApiRole.{canCreateEntitlementAtAnyBank, canDeleteEntitlementAtAnyBank, canGetAnyUser, canGetCardsForBank, canGetCustomersAtOneBank, canReadResourceDoc}
-import code.api.util.ErrorMessages.{AuthenticatedUserIsRequired, BankNotFound, UserHasMissingRoles}
+import code.api.util.ErrorMessages.{AuthenticatedUserIsRequired, BankNotFound, UserHasMissingRoles, UserNotFoundByUserId}
 import code.customer.CustomerX
 import code.entitlement.Entitlement
 import code.metadata.counterparties.Counterparties
@@ -1419,6 +1419,90 @@ class Http4s700RoutesTest extends ServerSetupWithTestData {
     }
   }
 
+  // ─── getUserByUserId ──────────────────────────────────────────────────────────
+
+  feature("Http4s700 getUserByUserId endpoint") {
+
+    scenario("Reject unauthenticated access to /users/user-id/USER_ID", Http4s700RoutesTag) {
+      Given("GET /obp/v7.0.0/users/user-id/USER_ID with no auth headers")
+      val (statusCode, json, _) = makeHttpRequest(s"/obp/v7.0.0/users/user-id/${resourceUser1.userId}")
+
+      Then("Response is 401 with AuthenticatedUserIsRequired message")
+      statusCode shouldBe 401
+      json match {
+        case JObject(fields) =>
+          toFieldMap(fields).get("message") match {
+            case Some(JString(msg)) => msg should include(AuthenticatedUserIsRequired)
+            case _ => fail("Expected message field")
+          }
+        case _ => fail("Expected JSON object")
+      }
+    }
+
+    scenario("Return 403 when authenticated but missing canGetAnyUser role", Http4s700RoutesTag) {
+      Given("GET /obp/v7.0.0/users/user-id/USER_ID with DirectLogin header but no role")
+      val headers = Map("DirectLogin" -> s"token=${token1.value}")
+      val (statusCode, json, _) = makeHttpRequest(s"/obp/v7.0.0/users/user-id/${resourceUser1.userId}", headers)
+
+      Then("Response is 403 with UserHasMissingRoles")
+      statusCode shouldBe 403
+      json match {
+        case JObject(fields) =>
+          toFieldMap(fields).get("message") match {
+            case Some(JString(msg)) =>
+              msg should include(UserHasMissingRoles)
+              msg should include(canGetAnyUser.toString)
+            case _ => fail("Expected message field")
+          }
+        case _ => fail("Expected JSON object")
+      }
+    }
+
+    scenario("Return 200 with user fields when authenticated with canGetAnyUser role", Http4s700RoutesTag) {
+      Given("canGetAnyUser role granted to resourceUser1")
+      addEntitlement("", resourceUser1.userId, canGetAnyUser.toString)
+
+      When(s"GET /obp/v7.0.0/users/user-id/${resourceUser1.userId} with DirectLogin header")
+      val headers = Map("DirectLogin" -> s"token=${token1.value}")
+      val (statusCode, json, _) = makeHttpRequest(s"/obp/v7.0.0/users/user-id/${resourceUser1.userId}", headers)
+
+      Then("Response is 200 with user_id, username, email fields")
+      statusCode shouldBe 200
+      json match {
+        case JObject(fields) =>
+          val m = toFieldMap(fields)
+          m.get("user_id") match {
+            case Some(JString(id)) => id shouldBe resourceUser1.userId
+            case _ => fail("Expected user_id field")
+          }
+          m.keys should contain("username")
+          m.keys should contain("email")
+          m.keys should contain("entitlements")
+        case _ => fail("Expected JSON object for getUserByUserId")
+      }
+    }
+
+    scenario("Return 404 when USER_ID does not exist", Http4s700RoutesTag) {
+      Given("canGetAnyUser role granted to resourceUser1")
+      addEntitlement("", resourceUser1.userId, canGetAnyUser.toString)
+
+      When("GET /obp/v7.0.0/users/user-id/non-existing-user-id with DirectLogin header")
+      val headers = Map("DirectLogin" -> s"token=${token1.value}")
+      val (statusCode, json, _) = makeHttpRequest("/obp/v7.0.0/users/user-id/non-existing-user-id-xyz", headers)
+
+      Then("Response is 404 with UserNotFoundByUserId message")
+      statusCode shouldBe 404
+      json match {
+        case JObject(fields) =>
+          toFieldMap(fields).get("message") match {
+            case Some(JString(msg)) => msg should include(UserNotFoundByUserId)
+            case _ => fail("Expected message field")
+          }
+        case _ => fail("Expected JSON object")
+      }
+    }
+  }
+
   // ─── getCustomersAtOneBank ────────────────────────────────────────────────────
 
   feature("Http4s700 getCustomersAtOneBank endpoint") {
