allow passing null to service scope, do not check domains on `secre…

…tKey` auth (#5728)

fixes: DASH-621

<!-- start pr-codex -->

---

## PR-Codex overview
This PR focuses on enhancing the authorization process by introducing an `authMethod` property and allowing `null` service scopes, while modifying billing statuses and service configuration types.

### Detailed summary
- Added `authMethod` to `teamAndProjectResponse`.
- Allowed passing `null` to `serviceScope` in `CoreServiceConfig`.
- Changed `billingStatus` from `"noCustomer"` to `"noPayment"`.
- Updated `TeamAndProjectResponse` to include `authMethod` type.
- Adjusted authorization logic for `secretKey` and null service scopes.

> ✨ Ask PR-Codex anything about this PR by commenting with `/codex {your question}`

<!-- end pr-codex -->

.changeset/chatty-llamas-drum.md

@@ -0,0 +1,5 @@
+---
+"@thirdweb-dev/service-utils": patch
+---
+
+allow passing `null` to service scope, do not validate domains/bundleids when using secretKey auth method

packages/service-utils/src/core/api.ts

@@ -16,14 +16,17 @@ export type PolicyResult = {
 
 export type CoreServiceConfig = {
   apiUrl: string;
-  serviceScope: ServiceName;
+  // if EXPLICITLY set to null, service will not be checked for authorization
+  // this is meant for services that are not possible to be turned off by users, such as "social" and "analytics"
+  serviceScope: ServiceName | null;
   serviceApiKey: string;
   serviceAction?: string;
   useWalletAuth?: boolean;
   includeUsage?: boolean;
 };
 
 export type TeamAndProjectResponse = {
+  authMethod: "secretKey" | "publishableKey" | "jwt" | "teamId";
   team: TeamResponse;
   project?: ProjectResponse | null;
 };
@@ -42,11 +45,11 @@ export type TeamResponse = {
   name: string;
   slug: string;
   image: string | null;
-  billingPlan: string;
+  billingPlan: "free" | "starter" | "growth" | "pro";
   createdAt: Date;
   updatedAt: Date | null;
   billingEmail: string | null;
-  billingStatus: string | null;
+  billingStatus: "noPayment" | "validPayment" | "invalidPayment" | null;
   growthTrialEligible: boolean | null;
   enabledScopes: ServiceName[];
 };

packages/service-utils/src/core/authorize/client.ts

@@ -12,18 +12,25 @@ export function authorizeClient(
   teamAndProjectResponse: TeamAndProjectResponse,
 ): AuthorizationResult {
   const { origin, bundleId } = authOptions;
-  const { team, project } = teamAndProjectResponse;
+  const { team, project, authMethod } = teamAndProjectResponse;
 
   const authResult: AuthorizationResult = {
     authorized: true,
     team,
     project,
+    authMethod,
   };
 
+  // if there's no project, we'll return the authResult (JWT or teamId auth)
   if (!project) {
     return authResult;
   }
 
+  if (authMethod === "secretKey") {
+    // if the auth was done using secretKey, we do not want to enforce domains or bundleIds
+    return authResult;
+  }
+
   // check for public restrictions
   if (project.domains.includes("*")) {
     return authResult;

packages/service-utils/src/core/authorize/index.ts

@@ -148,5 +148,6 @@ export async function authorize(
     authorized: true,
     team: teamAndProjectResponse.team,
     project: teamAndProjectResponse.project,
+    authMethod: clientAuth.authMethod,
   };
 }

packages/service-utils/src/core/authorize/service.ts

@@ -5,7 +5,16 @@ export function authorizeService(
   teamAndProjectResponse: TeamAndProjectResponse,
   serviceConfig: CoreServiceConfig,
 ): AuthorizationResult {
-  const { team, project } = teamAndProjectResponse;
+  const { team, project, authMethod } = teamAndProjectResponse;
+
+  if (serviceConfig.serviceScope === null) {
+    // if explicitly set to null, we do not want to check for service level authorization
+    return {
+      authorized: true,
+      team,
+      authMethod,
+    };
+  }
 
   if (!team.enabledScopes.includes(serviceConfig.serviceScope)) {
     return {
@@ -21,6 +30,7 @@ export function authorizeService(
     return {
       authorized: true,
       team,
+      authMethod,
     };
   }
 
@@ -57,5 +67,6 @@ export function authorizeService(
     authorized: true,
     team,
     project,
+    authMethod,
   };
 }

packages/service-utils/src/mocks.ts

@@ -43,14 +43,15 @@ export const validTeamResponse: TeamResponse = {
   updatedAt: new Date("2024-06-01"),
   billingPlan: "free",
   billingEmail: "test@example.com",
-  billingStatus: "noCustomer",
+  billingStatus: "noPayment",
   growthTrialEligible: false,
   enabledScopes: ["storage", "rpc", "bundler"],
 };
 
 export const validTeamAndProjectResponse: TeamAndProjectResponse = {
   team: validTeamResponse,
   project: validProjectResponse,
+  authMethod: "publishableKey",
 };
 
 export const validServiceConfig: CoreServiceConfig = {