Contract final

.env

@@ -0,0 +1,4 @@
+AUTH0_DOMAIN=lesleychard.auth0.com
+AUTH0_CLIENT_ID=bnyMiWB15Rz5CwsxTNnrN9v5ftHcdabj
+AUTH0_MGMT_CLIENT_ID=mxNP8B5JnQ4v049Vt2mR80z9rvov5yfj
+AUTH0_CLAIMS_NAMESPACE=https://lesleychard

.github/workflows/deploy.yml

@@ -0,0 +1,52 @@
+name: Deploy to Google Cloud Run
+on:
+  release:
+    types: [published]
+jobs:
+  build:
+    environment: "GC Run"
+    name: Build image
+    runs-on: ubuntu-latest
+    env:
+      HASH: $(git rev-parse --short "$GITHUB_SHA")
+      BRANCH: ${GITHUB_REF##*/}
+      SERVICE_NAME: ${{ secrets.SERVICE_NAME }}
+      PROJECT_ID: ${{ secrets.PROJECT_ID }}
+      AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }}
+      AUTH0_MGMT_CLIENT_SECRET: ${{ secrets.AUTH0_MGMT_CLIENT_SECRET }}
+      AUTH0_DOMAIN: ${{ secrets.AUTH0_DOMAIN }}
+      AUTH0_CLIENT_ID: ${{ secrets.AUTH0_CLIENT_ID }}
+      AUTH0_MGMT_CLIENT_ID: ${{ secrets.AUTH0_MGMT_CLIENT_ID }}
+      AUTH0_CLAIMS_NAMESPACE: ${{ secrets.AUTH0_CLAIMS_NAMESPACE }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      # Setup gcloud CLI
+      - uses: google-github-actions/github-actions/setup-gcloud@master
+        with:
+          service_account_key: ${{ secrets.GCR_DEVOPS_SERVICE_ACCOUNT_KEY }}
+          project_id: ${{ secrets.PROJECT_ID }}
+          export_default_credentials: true
+      - run: |
+          ls -la
+      # Build docker image
+      - name: Build Docker Image
+        run: |-
+          docker build -t northamerica-northeast1-docker.pkg.dev/ranlab-mvp-295423/ranlab-api-mvp/ranlab-api-mvp:latest .
+      # Configure docker to use the gcloud command-line tool as a credential helper
+      - run: |
+          gcloud auth configure-docker -q northamerica-northeast1-docker.pkg.dev
+      # Push image to Google Container Registry
+      - name: Push Image to GCR
+        run: |-
+          docker push northamerica-northeast1-docker.pkg.dev/ranlab-mvp-295423/ranlab-api-mvp/ranlab-api-mvp:latest
+      - name: Deploy Container
+        run: |-
+          gcloud run \
+            deploy ranlab-api-mvp \
+            --quiet \
+            --platform=managed \
+            --region=northamerica-northeast1 \
+            --allow-unauthenticated \
+            --image northamerica-northeast1-docker.pkg.dev/ranlab-mvp-295423/ranlab-api-mvp/ranlab-api-mvp:latest \
+            --set-env-vars AUTH0_MGMT_CLIENT_SECRET=$AUTH0_MGMT_CLIENT_SECRET,AUTH0_CLIENT_SECRET=$AUTH0_CLIENT_SECRET,AUTH0_DOMAIN=$AUTH0_DOMAIN,AUTH0_CLIENT_ID=$AUTH0_CLIENT_ID,AUTH0_MGMT_CLIENT_ID=$AUTH0_MGMT_CLIENT_ID,AUTH0_CLAIMS_NAMESPACE=$AUTH0_CLAIMS_NAMESPACE

.gitignore

@@ -1,5 +1,6 @@
 yarn-error.log
 
+.idea/
 node_modules/
 
 *.tsbuildinfo

Dockerfile

@@ -0,0 +1,20 @@
+FROM node:15
+
+# Create and change to the app directory.
+WORKDIR /usr/src/app
+
+# Copy application dependency manifests to the container image.
+# A wildcard is used to ensure both package.json AND package-lock.json are copied.
+# Copying this separately prevents re-running npm install on every code change.
+COPY package*.json ./
+
+# Install production dependencies.
+RUN yarn install --only=production
+
+# Copy local code to the container image.
+COPY . .
+
+RUN yarn build
+
+# Run the web service on container startup.
+CMD [ "yarn", "start" ]

babel.config.js

@@ -0,0 +1,6 @@
+module.exports = {
+  presets: [
+    ['@babel/preset-env', {targets: {node: 'current'}}],
+    +    '@babel/preset-typescript',
+  ],
+};

deploy.sh

@@ -0,0 +1,10 @@
+# Prerequisite Setup Steps:
+#  gcloud artifacts repositories create ranlab-api-mvp --repository-format docker --location northamerica-northeast1 # create the artifact repo
+#  gcloud auth configure-docker northamerica-northeast1-docker.pkg.dev
+
+docker build -t ranlab-mvp-api:latest .
+docker tag ranlab-mvp-api:latest northamerica-northeast1-docker.pkg.dev/ranlab-mvp-295423/ranlab-api-mvp/ranlab-api-mvp:latest
+gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io
+docker push northamerica-northeast1-docker.pkg.dev/ranlab-mvp-295423/ranlab-api-mvp/ranlab-api-mvp:latest
+gcloud run --platform=managed --region=northamerica-northeast1  deploy ranlab-api-mvp --image northamerica-northeast1-docker.pkg.dev/ranlab-mvp-295423/ranlab-api-mvp/ranlab-api-mvp:latest
+

dev/test

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -u
+set -o pipefail
+
+readonly all_files=$( find src -type f -name '*.test.js' )
+
+for f in ${1:-$all_files}
+do
+  output=$(node "$f")
+  status="$?"
+  if [[ "$status" -eq 0 ]]
+  then
+    printf '%s' "${output}"
+  else
+    printf '%s\n' "${output}"
+    exit "$status"
+  fi
+done

jest.config.js

@@ -0,0 +1,5 @@
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  testPathIgnorePatterns: ["/node_modules/","/build/"]
+};

jsdoc.json

@@ -0,0 +1,15 @@
+{
+  "opts": {
+    "template": "node_modules/better-docs"
+  },
+  "tags": {
+    "allowUnknownTags": ["optional", "category"]
+  },
+  "plugins": [
+    "node_modules/better-docs/typescript",
+    "node_modules/better-docs/category"
+  ],
+  "source": {
+    "includePattern": ".+\\.(jsx|js|ts|tsx)$"
+  }
+}

package.json

@@ -1,13 +1,14 @@
 {
   "name": "@ranlab/api",
-  "version": "0.0.0",
+  "version": "0.1.0",
   "license": "UNLICENSED",
   "private": true,
   "description": "API for the RAnLab app",
-  "main": "src/index.js",
+  "main": "build/src/index.js",
   "scripts": {
     "build": "tsc --project .",
-    "test": ":",
+    "test": "dev/test",
+    "jest": "jest",
     "start": "node ."
   },
   "repository": {
@@ -22,10 +23,28 @@
     "node": ">=12"
   },
   "dependencies": {
-    "fastify": "^3.5.1"
+    "@auth0/auth0-spa-js": "^1.13.6",
+    "@google-cloud/firestore": "^4.9.9",
+    "@types/node-fetch": "^2.5.8",
+    "body-parser": "^1.19.0",
+    "fastify": "^3.5.1",
+    "fastify-auth0-verify": "^0.4.2",
+    "fastify-authz-jwks": "^1.1.11",
+    "fastify-cors": "^5.1.0",
+    "fastify-jwt": "^2.1.3",
+    "fastify-sensible": "^3.1.0",
+    "fastify-swagger": "^4.0.1",
+    "jsonwebtoken": "^8.5.1",
+    "jwks-rsa": "^1.12.0",
+    "jwt-decode": "^3.1.2",
+    "node-fetch": "^2.6.1"
   },
   "devDependencies": {
+    "@types/jest": "^26.0.15",
     "@types/node": "^12.12.67",
+    "baretest": "^2.0.0",
+    "jest": "^26.6.3",
+    "ts-jest": "^26.4.4",
     "typescript": "^4.0.3"
   }
 }

src/auth0.ts

@@ -0,0 +1,165 @@
+import { FastifyRequest} from "fastify";
+import fetch from "node-fetch";
+
+let moduleAdminToken: string;
+
+async function getAdminToken(refresh : boolean) {
+  if(refresh || !moduleAdminToken) {
+    let mgmtDomain = process.env.AUTH0_DOMAIN;
+
+    let refreshResponse = await fetch(`https://${process.env.AUTH0_DOMAIN}/oauth/token`, {
+      "method": "post",
+      "headers": {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        "grant_type": "client_credentials",
+        "client_id": process.env.AUTH0_MGMT_CLIENT_ID,
+        "client_secret": process.env.AUTH0_MGMT_CLIENT_SECRET,
+        "audience": `https://${mgmtDomain}/api/v2/`,
+        "scope": "read:users update:users read:users_app_metadata update:users_app_metadata"
+      })
+    });
+    let refreshJson = await refreshResponse.json();
+    moduleAdminToken = refreshJson.access_token
+  }
+  return moduleAdminToken;
+}
+
+export interface Auth0UserInfo {
+  user_id: string, // Should be URL encoded since it may contain characters that do not work well in a URL.
+  username?: string,
+  email?: string
+  email_verified?: boolean,
+  phone_number?: string
+  phone_verified?: boolean,
+  created_at?: string,
+  updated_at?: string,
+  identities?: [
+    {
+      connection?: string,
+      user_id: string,
+      provider: string,
+      isSocial?: boolean
+    }
+  ],
+  app_metadata?: any,
+  user_metadata?: any,
+  picture?: string,
+  name?: string,
+  nickname?: string,
+  multifactor?: string[],
+  last_ip?: string,
+  last_login?: string,
+  logins_count?: number,
+  blocked?: boolean,
+  given_name?: string,
+  family_name?: string
+}
+
+export interface UserInfoPatch {
+  blocked?: boolean,
+  email_verified?: boolean,
+  email?: string,
+  phone_number?: string,
+  phone_verified?: boolean,
+  user_metadata?: any,
+  app_metadata?: any,
+  given_name?: string,
+  family_name?: string,
+  name?: string,
+  nickname?: string,
+  picture?: string,
+  verify_email?: boolean,
+  verify_phone_number?: boolean,
+  password?: string,
+  connection?: string,
+  client_id?: string,
+  username?: string
+}
+
+async function getUserRole(userId: string) : Promise<{role:string}> {
+  let app_metadata = (await getUserById(userId)).app_metadata;
+  return {role: app_metadata.role};
+}
+
+/*
+  Get user by ID: https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id
+  Get all users: https://auth0.com/docs/api/management/v2#!/Users/get_users
+  Update a user: https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id
+ */
+
+export async function getUserById(userId: string) : Promise<Auth0UserInfo> {
+  userId = userId.startsWith("auth0|") ? userId : `auth0|${userId}`;
+  return callManagementApi<Auth0UserInfo>(`/users/${userId}`);
+}
+
+export async function getAllUsers(per_page? : number, page?: number) {
+  let querystring = "";
+  if(!!per_page || !!page) {
+    querystring = "?";
+    let perPageClause = !per_page ? "" : `per_page=${per_page}`
+    let pageClause = !page ? "" : `page=${page}`;
+    querystring = `?${perPageClause}&${pageClause}`;
+  }
+  return callManagementApi<Auth0UserInfo[]>(`/users${querystring}`);
+}
+
+export async function updateUser(userId: string, userInfoPatch: UserInfoPatch) {
+  userId = userId.startsWith("auth0|") ? userId : `auth0|${userId}`;
+  return callManagementApi<Auth0UserInfo>(`/users/${userId}`, "PATCH", JSON.stringify(userInfoPatch));
+}
+
+async function callManagementApi<T>(path: string, method = "GET", body = "", refresh = false) : Promise<T> {
+  let mgmtDomain = process.env.AUTH0_DOMAIN;
+  let adminToken = await getAdminToken(refresh);
+  let url = encodeURI(`https://${mgmtDomain}/api/v2${path}`);
+  let options : any = {
+    method,
+    "headers": {
+      "Authorization": `Bearer ${adminToken}`
+    }
+  };
+  if(!!body) {
+    options.headers["Content-Type"] = "application/json";
+    options.body = body;
+  }
+  let metaResponse = await fetch(url, options);
+  if(metaResponse.status === 200) {
+    let json = await metaResponse.json()
+    return json;
+  } else if (!refresh && metaResponse.status === 401) {
+    return await callManagementApi<T>(path, method, body,true);
+  } else {
+    throw new Error(JSON.stringify(metaResponse));
+  }
+}
+
+
+export async function getUserInfo(authHeader: string) {
+  try {
+    let userResponse = await fetch(`https://${process.env.AUTH0_DOMAIN}/userinfo`, {
+      "method": "GET",
+      "headers": {"Authorization": authHeader}
+    });
+    let payload: any = await userResponse.json();
+    let userId : string = !payload.sub ? "" : payload.sub;
+    return {userId};
+  } catch (e) {
+    throw e;
+  }
+}
+
+export type Auth0JwtVerifier = (request: FastifyRequest) => Promise<{userAppId: string, admin: boolean, role: string}>;
+export async function verifyJwt(request: FastifyRequest) {
+  let authHeader = !request.headers.authorization ? "" : request.headers.authorization
+  if(!authHeader) {
+    return {userAppId: "", admin: false, role: ""};
+  } else {
+    let {userId} = await getUserInfo(authHeader);
+    let {role} = await getUserRole(userId);
+    let admin: boolean = role === "admin"
+    let userAppId = userId.indexOf("|") > 0 ? userId.split("|")[1] : userId;
+    return {userAppId, admin, role};
+  }
+}

src/cors.ts

@@ -0,0 +1,10 @@
+import {FastifyInstance} from "fastify";
+import fastifyCors from "fastify-cors";
+
+export function registerCorsHandler(server: FastifyInstance) {
+  server.register(fastifyCors, {
+    origin: [/^https?:\/\/localhost/, /^https?:\/\/ranlab-app-phzez.ondigitalocean.app/],
+    credentials: true,
+    strictPreflight: true
+  });
+}

src/database/firestore.ts

@@ -0,0 +1,3 @@
+import {Firestore} from "@google-cloud/firestore";
+
+export const productionFirestore = new Firestore();