feat: Support GET on resource registration API

Author: joachimvh

packages/uma/config/routes/resources.json

@@ -15,14 +15,14 @@
     {
       "@id": "urn:uma:default:ResourceRegistrationRoute",
       "@type": "HttpHandlerRoute",
-      "methods": [ "POST" ],
+      "methods": [ "GET", "POST" ],
       "handler": { "@id": "urn:uma:default:ResourceRegistrationHandler" },
       "path": "/uma/resources/"
     },
     {
       "@id": "urn:uma:default:ResourceRegistrationOpsRoute",
       "@type": "HttpHandlerRoute",
-      "methods": [ "PUT", "DELETE" ],
+      "methods": [ "GET", "PUT", "DELETE" ],
       "handler": { "@id": "urn:uma:default:ResourceRegistrationHandler" },
       "path": "/uma/resources/{id}"
     }

packages/uma/src/routes/ResourceRegistration.ts

@@ -61,13 +61,32 @@ export class ResourceRegistrationRequestHandler extends HttpHandler {
     const { owner } = await this.validator.handleSafe({ request });
 
     switch (request.method) {
+      case 'GET': return this.handleGet(request, owner);
       case 'POST': return this.handlePost(request, owner);
       case 'PUT': return this.handlePut(request, owner);
       case 'DELETE': return this.handleDelete(request, owner);
       default: throw new MethodNotAllowedHttpError([ request.method ]);
     }
   }
 
+  protected async handleGet(request: HttpHandlerRequest, owner: string): Promise<HttpHandlerResponse> {
+    const id = request.parameters?.id;
+    if (id) {
+      const registration = await this.registrationStore.get(id);
+      if (!registration) {
+        throw new NotFoundHttpError();
+      }
+      if (registration.owner !== owner) {
+        throw new ForbiddenHttpError()
+      }
+      return { status: 200, body: registration.description };
+    }
+
+    // No ID so return the list of all owned resources
+    const identifiers = await this.ownershipStore.get(owner) ?? [];
+    return { status: 200, body: identifiers };
+  }
+
   protected async handlePost(request: HttpHandlerRequest, owner: string): Promise<HttpHandlerResponse> {
     const { body } = request;
 

packages/uma/test/unit/routes/ResourceRegistration.test.ts

@@ -23,6 +23,7 @@ vi.mock('node:crypto', () => ({
 
 describe('ResourceRegistration', (): void => {
   const owner = 'owner';
+  const resource = 'http://example.com/resource';
   let input: HttpHandlerContext<ResourceDescription>;
   let policyStore: Store;
 
@@ -61,7 +62,7 @@ describe('ResourceRegistration', (): void => {
     } satisfies Partial<KeyValueStorage<string, ResourceDescription>> as any;
 
     ownershipStore = {
-      get: vi.fn().mockResolvedValue([]),
+      get: vi.fn().mockResolvedValue([ resource ]),
       set: vi.fn(),
       delete: vi.fn(),
     } satisfies Partial<KeyValueStorage<string, string[]>> as any;
@@ -80,9 +81,38 @@ describe('ResourceRegistration', (): void => {
   });
 
   it('throws an error if the method is not allowed.', async(): Promise<void> => {
+    input.request.method = 'PATCH';
     await expect(handler.handle(input)).rejects.toThrow(MethodNotAllowedHttpError);
   });
 
+  describe('with GET requests', (): void => {
+    it('can return a list of owned resource identifiers.', async(): Promise<void> => {
+      await expect(handler.handle(input)).resolves.toEqual({ status: 200, body: [ resource ] });
+      expect(ownershipStore.get).toHaveBeenCalledExactlyOnceWith(owner);
+    });
+
+    it('can return the details of a single resource.', async(): Promise<void> => {
+      input.request.parameters = { id: resource };
+      await expect(handler.handle(input)).resolves
+        .toEqual({ status: 200, body: input.request.body });
+      expect(registrationStore.get).toHaveBeenCalledExactlyOnceWith(resource);
+    });
+
+    it('returns a 404 for unknown resource identifiers.', async(): Promise<void> => {
+      input.request.parameters = { id: resource };
+      registrationStore.get.mockResolvedValueOnce(undefined);
+      await expect(handler.handle(input)).rejects.toThrow(NotFoundHttpError);
+      expect(registrationStore.get).toHaveBeenCalledExactlyOnceWith(resource);
+    });
+
+    it('returns a 403 if the user is not the actual owner.', async(): Promise<void> => {
+      input.request.parameters = { id: resource };
+      registrationStore.get.mockResolvedValueOnce({ owner: 'someone else' } as any);
+      await expect(handler.handle(input)).rejects.toThrow(ForbiddenHttpError);
+      expect(registrationStore.get).toHaveBeenCalledExactlyOnceWith(resource);
+    });
+  });
+
   describe('with POST requests', (): void => {
     beforeEach(async(): Promise<void> => {
       input.request.method = 'POST';

test/integration/Aggregation.test.ts

@@ -273,7 +273,7 @@ describe('An aggregation setup', (): void => {
     // Update registration with derivation ID
     const description: ResourceDescription = {
       name: `http://localhost:${aggregatorPort}/resource`,
-      resource_scopes: [ 'read' ],
+      resource_scopes: [ 'http://www.w3.org/ns/odrl/2/read' ],
       derived_from: [{
         issuer: srcConfig.issuer,
         derivation_resource_id: derivationId,
@@ -292,6 +292,28 @@ describe('An aggregation setup', (): void => {
     expect(response.status).toBe(200);
   });
 
+  it('can read the resource registration on the AS.', async(): Promise<void> => {
+    let response = await fetch(aggConfig.resource_registration_endpoint, {
+      headers: { authorization: pat }
+    });
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual([aggregatedResourceId]);
+
+    const url = joinUrl(aggConfig.resource_registration_endpoint, encodeURIComponent(aggregatedResourceId));
+    response = await fetch(url, {
+      headers: { authorization: pat  },
+    });
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({
+      name: `http://localhost:${aggregatorPort}/resource`,
+      resource_scopes: [ 'http://www.w3.org/ns/odrl/2/read' ],
+      derived_from: [{
+        issuer: srcConfig.issuer,
+        derivation_resource_id: derivationId,
+      }],
+    });
+  });
+
   it('a client cannot read an aggregated resource without the necessary tokens.', async(): Promise<void> => {
     // We don't have an actual aggregator server so simulating the request
     const body = [{