Merge branch 'main' into rebranding-auth

Author: jkestering-modus

.github/workflows/build-ios.yml

@@ -0,0 +1,114 @@
+name: iOS Build and upload to testflight
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: macos-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: "frontend/package.json"
+
+      - name: Setup Xcode
+        uses: maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: '16.2'
+
+      - name: Install Bundler
+        run: gem install bundler
+
+      - name: Create .env file
+        working-directory: frontend
+        run: |
+            echo "VITE_BUILD_DATE=1970-01-01
+            VITE_BUILD_TIME=00:00:00
+            VITE_BUILD_TS=1970-01-01T00:00:00+0000
+            VITE_BUILD_COMMIT_SHA=test
+            VITE_BUILD_ENV_CODE=test
+            VITE_BUILD_WORKFLOW_RUNNER=test
+            VITE_BUILD_WORKFLOW_NAME=test
+            VITE_BUILD_WORKFLOW_RUN_NUMBER=1
+            VITE_BUILD_WORKFLOW_RUN_ATTEMPT=1
+            VITE_BASE_URL_API=https://jsonplaceholder.typicode.com
+            VITE_TOAST_AUTO_DISMISS_MILLIS=1500" > .env
+
+      - name: Install dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Build Ionic
+        working-directory: frontend
+        run: npm run build
+
+      - name: Prepare Capacitor for iOS
+        working-directory: frontend
+        run: |
+          npx cap sync ios
+          npx cap copy ios
+
+      - name: Install CocoaPods
+        working-directory: frontend/ios/App
+        run: pod install --verbose
+
+      - name: Install Fastlane
+        working-directory: frontend/ios/App
+        run: gem install fastlane
+
+      - name: Setup SSH for Fastlane Match Repo Access
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.IOS_SIGNING_SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan github.com >> ~/.ssh/known_hosts
+
+      - name: Decode App Store API Key
+        working-directory: frontend/ios/App
+        env:
+          IOS_API_KEY_JSON: ${{ secrets.IOS_API_KEY_JSON }}
+        run: echo "$IOS_API_KEY_JSON" > /tmp/api-key.json
+
+      - name: Set up Fastlane Match Password
+        run: echo "MATCH_PASSWORD=${{ secrets.FASTLANE_MATCH_PASSWORD }}" >> $GITHUB_ENV
+
+      - name: Build iOS App for Simulator
+        working-directory: frontend/ios/App
+        env:
+          NSUnbufferedIO: "YES"
+          FASTLANE_VERBOSE: "1"
+        run: |
+          bundle install
+          bundle exec fastlane ios build_for_simulator --verbose
+
+      - name: Upload App.app (iOS Simulator File)
+        uses: actions/upload-artifact@v4
+        with:
+          name: build_for_simulator
+          path: frontend/ios/App/build/simulator/App.xcarchive/Products/Applications/
+          retention-days: 7
+
+      - name: Build iOS App for testflight.
+        working-directory: frontend/ios/App
+        env:
+          NSUnbufferedIO: "YES"
+          FASTLANE_VERBOSE: "1"
+          FASTLANE_MATCH_PASSWORD: ${{ secrets.FASTLANE_MATCH_PASSWORD }}
+        run: |
+          bundle install
+          bundle exec fastlane ios build_and_send_to_testflight --verbose
+
+      - name: Upload App.ipa (iOS device installation)
+        uses: actions/upload-artifact@v4
+        with:
+          name: build_for_device
+          path: frontend/ios/App/build/device/App.ipa
+          retention-days: 7

.gitignore

@@ -17,7 +17,6 @@ node_modules
 *.ntvs*
 *.njsproj
 *.sln
-*.sw*
 
 # Use either yarn.lock or package-lock.json
 # Uncomment one of them to maintain a single lockfile

backend/src/app.module.ts

@@ -1,4 +1,4 @@
-import { Module, NestModule } from '@nestjs/common';
+import { Module, NestModule, MiddlewareConsumer } from '@nestjs/common';
 import { ConfigModule } from '@nestjs/config';
 import configuration from './config/configuration';
 import { AppController } from './app.controller';
@@ -9,6 +9,8 @@ import { PerplexityController } from './controllers/perplexity/perplexity.contro
 import { UserController } from './user/user.controller';
 import { ReportsModule } from './reports/reports.module';
 import { HealthController } from './health/health.controller';
+import { AuthMiddleware } from './auth/auth.middleware';
+
 @Module({
   imports: [
     ConfigModule.forRoot({
@@ -21,8 +23,7 @@ import { HealthController } from './health/health.controller';
   providers: [AppService, AwsSecretsService, PerplexityService],
 })
 export class AppModule implements NestModule {
-  configure() {
-    // Add your middleware configuration here if needed
-    // If you don't need middleware, you can leave this empty
+  configure(consumer: MiddlewareConsumer) {
+    consumer.apply(AuthMiddleware).forRoutes('*'); // Apply to all routes
   }
 }

backend/src/auth/auth.middleware.ts

@@ -0,0 +1,58 @@
+import { Injectable, NestMiddleware } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+import { ConfigService } from '@nestjs/config';
+import * as jwt from 'jsonwebtoken';
+
+// Extend the Express Request interface to include the user property
+export interface RequestWithUser extends Request {
+  user?: {
+    sub: string;
+    email?: string;
+    groups?: string[];
+    [key: string]: any;
+  } | null;
+}
+
+// Add this interface to define the token structure
+interface DecodedToken {
+  payload: {
+    sub: string;
+    username?: string;
+    email?: string;
+    [key: string]: any;
+  };
+  header: any;
+  signature: string;
+}
+
+@Injectable()
+export class AuthMiddleware implements NestMiddleware {
+  constructor(private configService: ConfigService) {}
+
+  use(req: RequestWithUser, res: Response, next: NextFunction) {
+    const authHeader = req.headers.authorization;
+    if (authHeader && authHeader.startsWith('Bearer ')) {
+      const token = authHeader.substring(7);
+      try {
+        // Verify the JWT token
+        const decodedToken = jwt.decode(token, { complete: true }) as DecodedToken;
+
+        // Access user info from the payload
+        req.user = {
+          sub: decodedToken?.payload.sub as string,
+          username: decodedToken?.payload.username as string,
+        };
+      } catch (error) {
+        // If token verification fails, set user to null
+        console.log('AuthMiddleware error');
+        console.log(error);
+        req.user = null;
+      }
+    } else {
+      // No token provided
+      req.user = null;
+    }
+
+    next();
+  }
+}

backend/src/iac/backend-stack.ts

@@ -445,12 +445,62 @@ export class BackendStack extends cdk.Stack {
 
     // Add CORS to all resources
     api.root.addCorsPreflight(corsOptions);
-    apiResource.addCorsPreflight(corsOptions);
-    reportsResource.addCorsPreflight(corsOptions);
-    latestResource.addCorsPreflight(corsOptions);
-    reportIdResource.addCorsPreflight(corsOptions);
-    reportStatusResource.addCorsPreflight(corsOptions);
-    docsResource.addCorsPreflight(corsOptions);
+    apiResource.addCorsPreflight({
+      ...corsOptions,
+      allowCredentials: false, // This is crucial - make sure OPTIONS requests don't require credentials
+    });
+    reportsResource.addCorsPreflight({
+      ...corsOptions,
+      allowCredentials: false,
+    });
+    latestResource.addCorsPreflight({
+      ...corsOptions,
+      allowCredentials: false,
+    });
+    reportIdResource.addCorsPreflight({
+      ...corsOptions,
+      allowCredentials: false,
+    });
+    reportStatusResource.addCorsPreflight({
+      ...corsOptions,
+      allowCredentials: false,
+    });
+    docsResource.addCorsPreflight({
+      ...corsOptions,
+      allowCredentials: false,
+    });
+
+    // Configure Gateway Responses to add CORS headers to error responses
+    const gatewayResponseTypes = [
+      apigateway.ResponseType.UNAUTHORIZED,
+      apigateway.ResponseType.ACCESS_DENIED,
+      apigateway.ResponseType.DEFAULT_4XX,
+      apigateway.ResponseType.DEFAULT_5XX,
+      apigateway.ResponseType.RESOURCE_NOT_FOUND,
+      apigateway.ResponseType.MISSING_AUTHENTICATION_TOKEN,
+      apigateway.ResponseType.INVALID_API_KEY,
+      apigateway.ResponseType.THROTTLED,
+      apigateway.ResponseType.INTEGRATION_FAILURE,
+      apigateway.ResponseType.INTEGRATION_TIMEOUT,
+    ];
+
+    gatewayResponseTypes.forEach(responseType => {
+      new apigateway.CfnGatewayResponse(
+        this,
+        `${appName}GatewayResponse-${responseType.responseType.toString()}-${props.environment}`,
+        {
+          restApiId: api.restApiId,
+          responseType: responseType.responseType.toString(),
+          responseParameters: {
+            'gatewayresponse.header.Access-Control-Allow-Origin': "'*'",
+            'gatewayresponse.header.Access-Control-Allow-Headers':
+              "'Content-Type,Authorization,X-Amz-Date,X-Api-Key'",
+            'gatewayresponse.header.Access-Control-Allow-Methods':
+              "'GET,POST,PUT,PATCH,DELETE,OPTIONS'",
+          },
+        },
+      );
+    });
 
     // Create API Gateway execution role with required permissions
     new iam.Role(this, `${appName}APIGatewayRole-${props.environment}`, {

backend/src/iac/update-api-policy.js

@@ -62,29 +62,36 @@ async function main() {
     const policy = {
       Version: '2012-10-17',
       Statement: [
-        // Allow authenticated Cognito users
         {
-          Effect: 'Allow',
-          Principal: '*',
-          Action: 'execute-api:Invoke',
-          Resource: `arn:aws:execute-api:${REGION}:*:${api.id}/*/*`,
-          Condition: {
-            StringEquals: {
-              'cognito-identity.amazonaws.com:aud': cognitoUserPoolId
+          "Version": "2012-10-17",
+          "Statement": [
+            // Allow OPTIONS requests
+            {
+              "Effect": "Allow",
+              "Principal": "*",
+              "Action": "execute-api:Invoke",
+              "Resource": "arn:aws:execute-api:us-east-1:*:xhvwo6wp66/*/OPTIONS/*"
+            },
+            {
+              // Allow all other requests - authentication will be handled by Cognito
+              "Effect": "Allow",
+              "Principal": "*",
+              "Action": "execute-api:Invoke",
+              "Resource": "arn:aws:execute-api:us-east-1:*:xhvwo6wp66/*/*"
+            },
+            {
+              // Deny non-HTTPS requests
+              "Effect": "Deny",
+              "Principal": "*",
+              "Action": "execute-api:Invoke",
+              "Resource": "arn:aws:execute-api:us-east-1:*:xhvwo6wp66/*/*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false"
+                }
+              }
             }
-          }
-        },
-        // Deny non-HTTPS requests
-        {
-          Effect: 'Deny',
-          Principal: '*',
-          Action: 'execute-api:Invoke',
-          Resource: `arn:aws:execute-api:${REGION}:*:${api.id}/*/*`,
-          Condition: {
-            Bool: {
-              'aws:SecureTransport': 'false'
-            }
-          }
+          ]
         }
       ]
     };

backend/src/main.ts

@@ -13,9 +13,10 @@ async function bootstrap() {
   // Enable CORS
   app.enableCors({
     origin: [
-      'http://localhost:5173', // Vite default dev server
+      'http://localhost:5173',
       'http://localhost:3000',
-      'http://localhost:4173', // Vite preview
+      'http://localhost:4173',
+      'https://localhost', // Add this for Capacitor
       ...(process.env.FRONTEND_URL ? [process.env.FRONTEND_URL] : []),
     ],
     methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS',