Get UIUC access tokens so we can hash UINs

Author: devksingh4

src/api/functions/uin.ts

@@ -0,0 +1,136 @@
+import { hash } from "argon2";
+import { genericConfig } from "common/config.js";
+import {
+  BaseError,
+  EntraFetchError,
+  InternalServerError,
+  UnauthenticatedError,
+  ValidationError,
+} from "common/errors/index.js";
+import { type FastifyBaseLogger } from "fastify";
+
+export type HashUinInputs = {
+  pepper: string;
+  uin: string;
+};
+
+export type GetUserUinInputs = {
+  uiucAccessToken: string;
+  pepper: string;
+};
+
+export const verifyUiucAccessToken = async ({
+  accessToken,
+  logger,
+}: {
+  accessToken: string | string[] | undefined;
+  logger: FastifyBaseLogger;
+}) => {
+  if (!accessToken) {
+    throw new UnauthenticatedError({
+      message: "Access token not found.",
+    });
+  }
+  if (Array.isArray(accessToken)) {
+    throw new ValidationError({
+      message: "Multiple tokens cannot be specified!",
+    });
+  }
+  const url =
+    "https://graph.microsoft.com/v1.0/me?$select=userPrincipalName,givenName,surname,mail";
+
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+      },
+    });
+
+    if (response.status === 401) {
+      const errorText = await response.text();
+      logger.warn(`Microsoft Graph API unauthenticated response: ${errorText}`);
+      throw new UnauthenticatedError({
+        message: "Invalid or expired access token.",
+      });
+    }
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      logger.error(
+        `Microsoft Graph API error: ${response.status} - ${errorText}`,
+      );
+      throw new InternalServerError({
+        message: "Failed to contact Microsoft Graph API.",
+      });
+    }
+
+    const data = (await response.json()) as {
+      userPrincipalName: string;
+      givenName: string;
+      surname: string;
+      mail: string;
+    };
+    logger.info("Access token successfully verified with Microsoft Graph API.");
+    return data;
+  } catch (error) {
+    if (error instanceof BaseError) {
+      throw error;
+    } else {
+      logger.error(error);
+      throw new InternalServerError({
+        message:
+          "An unexpected error occurred during access token verification.",
+      });
+    }
+  }
+};
+
+export async function getUinHash({
+  pepper,
+  uin,
+}: HashUinInputs): Promise<string> {
+  return hash(uin, { salt: Buffer.from(pepper) });
+}
+
+export async function getHashedUserUin({
+  uiucAccessToken,
+  pepper,
+}: GetUserUinInputs): Promise<string> {
+  const url = `https://graph.microsoft.com/v1.0/me?$select=${genericConfig.UinExtendedAttributeName}`;
+  try {
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${uiucAccessToken}`,
+        "Content-Type": "application/json",
+      },
+    });
+
+    if (!response.ok) {
+      throw new EntraFetchError({
+        message: "Failed to get user's UIN.",
+        email: "",
+      });
+    }
+
+    const data = (await response.json()) as {
+      [genericConfig.UinExtendedAttributeName]: string;
+    };
+
+    return await getUinHash({
+      pepper,
+      uin: data[genericConfig.UinExtendedAttributeName],
+    });
+  } catch (error) {
+    if (error instanceof EntraFetchError) {
+      throw error;
+    }
+
+    throw new EntraFetchError({
+      message: "Failed to fetch user UIN.",
+      email: "",
+    });
+  }
+}

src/api/routes/v2/membership.ts

@@ -9,7 +9,7 @@ import { createCheckoutSession } from "api/functions/stripe.js";
 import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
 import * as z from "zod/v4";
 import { notAuthenticatedError, withTags } from "api/components/index.js";
-import { verifyUiucIdToken } from "./mobileWallet.js";
+import { verifyUiucAccessToken, getHashedUserUin } from "api/functions/uin.js";
 
 function splitOnce(s: string, on: string) {
   const [first, ...rest] = s.split(on);
@@ -55,13 +55,12 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
         }),
       },
       async (request, reply) => {
-        const idToken = request.headers["x-uiuc-token"];
-        const verifiedData = await verifyUiucIdToken({
-          idToken,
-          redisClient: fastify.redisClient,
+        const accessToken = request.headers["x-uiuc-token"];
+        const verifiedData = await verifyUiucAccessToken({
+          accessToken,
           logger: request.log,
         });
-        const { preferred_username: upn, email, name } = verifiedData;
+        const { userPrincipalName: upn, givenName, surname } = verifiedData;
         const netId = upn.replace("@illinois.edu", "");
         if (netId.includes("@")) {
           request.log.error(
@@ -87,15 +86,6 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
             message: `${upn} is already a paid member.`,
           });
         }
-        let firstName: string = "";
-        let lastName: string = "";
-        if (!name.includes(",")) {
-          const splitted = splitOnce(name, " ");
-          firstName = splitted[0] || "";
-          lastName = splitted[1] || "";
-        }
-        firstName = trim(name.split(",")[1]);
-        lastName = name.split(",")[0];
 
         return reply.status(200).send(
           await createCheckoutSession({
@@ -118,7 +108,7 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
                 },
                 type: "text",
                 text: {
-                  default_value: firstName,
+                  default_value: givenName,
                 },
               },
               {
@@ -129,7 +119,7 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
                 },
                 type: "text",
                 text: {
-                  default_value: lastName,
+                  default_value: surname,
                 },
               },
             ],

src/api/routes/v2/mobileWallet.ts

@@ -11,88 +11,9 @@ import {
 import rateLimiter from "api/plugins/rateLimiter.js";
 import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
 import { notAuthenticatedError, withTags } from "api/components/index.js";
-import jwt, { Algorithm } from "jsonwebtoken";
-import { getJwksKey } from "api/plugins/auth.js";
 import { issueAppleWalletMembershipCard } from "api/functions/mobileWallet.js";
-import { Redis } from "api/types.js";
 import { Readable } from "stream";
-
-const UIUC_TENANT_ID = "44467e6f-462c-4ea2-823f-7800de5434e3";
-const COULD_NOT_PARSE_MESSAGE = "ID token could not be parsed.";
-
-export const verifyUiucIdToken = async ({
-  idToken,
-  redisClient,
-  logger,
-}: {
-  idToken: string | string[] | undefined;
-  redisClient: Redis;
-  logger: FastifyBaseLogger;
-}) => {
-  if (!idToken) {
-    throw new UnauthenticatedError({
-      message: "ID token not found.",
-    });
-  }
-  if (Array.isArray(idToken)) {
-    throw new ValidationError({
-      message: "Multiple tokens cannot be specified!",
-    });
-  }
-  const decoded = jwt.decode(idToken, { complete: true });
-  if (!decoded) {
-    throw new UnauthenticatedError({
-      message: COULD_NOT_PARSE_MESSAGE,
-    });
-  }
-  const header = decoded?.header;
-  if (!header.kid) {
-    throw new UnauthenticatedError({
-      message: COULD_NOT_PARSE_MESSAGE,
-    });
-  }
-  const signingKey = await getJwksKey({
-    redisClient,
-    kid: header.kid,
-    logger,
-  });
-  const verifyOptions: jwt.VerifyOptions = {
-    algorithms: ["RS256" as Algorithm],
-    issuer: `https://login.microsoftonline.com/${UIUC_TENANT_ID}/v2.0`,
-  };
-  let verifiedData;
-  try {
-    verifiedData = jwt.verify(idToken, signingKey, verifyOptions) as {
-      preferred_username?: string;
-      email?: string;
-      name?: string;
-    };
-  } catch (e) {
-    if (e instanceof Error && e.name === "TokenExpiredError") {
-      throw new UnauthenticatedError({
-        message: "Access token has expired.",
-      });
-    }
-    if (e instanceof Error && e.name === "JsonWebTokenError") {
-      logger.error(e);
-      throw new UnauthenticatedError({
-        message: COULD_NOT_PARSE_MESSAGE,
-      });
-    }
-    throw e;
-  }
-  const { preferred_username: upn, email, name } = verifiedData;
-  if (!upn || !email || !name) {
-    throw new UnauthenticatedError({
-      message: COULD_NOT_PARSE_MESSAGE,
-    });
-  }
-  return verifiedData as {
-    preferred_username: string;
-    email: string;
-    name: string;
-  };
-};
+import { verifyUiucAccessToken } from "api/functions/uin.js";
 
 const mobileWalletV2Route: FastifyPluginAsync = async (fastify, _options) => {
   fastify.register(rateLimiter, {
@@ -127,13 +48,12 @@ const mobileWalletV2Route: FastifyPluginAsync = async (fastify, _options) => {
       }),
     },
     async (request, reply) => {
-      const idToken = request.headers["x-uiuc-token"];
-      const verifiedData = await verifyUiucIdToken({
-        idToken,
-        redisClient: fastify.redisClient,
+      const accessToken = request.headers["x-uiuc-token"];
+      const verifiedData = await verifyUiucAccessToken({
+        accessToken,
         logger: request.log,
       });
-      const { preferred_username: upn, name } = verifiedData;
+      const { userPrincipalName: upn, givenName, surname } = verifiedData;
       const netId = upn.replace("@illinois.edu", "");
       if (netId.includes("@")) {
         request.log.error(
@@ -168,7 +88,7 @@ const mobileWalletV2Route: FastifyPluginAsync = async (fastify, _options) => {
         upn,
         upn,
         request.log,
-        name,
+        `${givenName} ${surname}`,
       );
       const myStream = new Readable({
         read() {

src/common/config.ts

@@ -54,6 +54,8 @@ export type GenericConfigType = {
   ApiKeyTable: string;
   ConfigSecretName: string;
   TestingCredentialsSecret: string;
+  UinHashingSecret: string;
+  UinExtendedAttributeName: string;
 };
 
 type EnvironmentConfigType = {
@@ -92,6 +94,8 @@ const genericConfig: GenericConfigType = {
   ApiKeyTable: "infra-core-api-keys",
   ConfigSecretName: "infra-core-api-config",
   TestingCredentialsSecret: "infra-core-api-testing-credentials",
+  UinHashingSecret: "infra-core-api-uin-pepper",
+  UinExtendedAttributeName: "extension_a70c2e1556954056a6a8edfb1f42f556_uiucEduUIN"
 } as const;
 
 const environmentConfig: EnvironmentConfigType = {
@@ -104,7 +108,7 @@ const environmentConfig: EnvironmentConfigType = {
       /^https:\/\/(?:.*\.)?acmuiuc\.pages\.dev$/,
       /http:\/\/localhost:\d+$/,
     ],
-    ConfigurationSecretIds: [genericConfig.TestingCredentialsSecret, genericConfig.ConfigSecretName],
+    ConfigurationSecretIds: [genericConfig.TestingCredentialsSecret, genericConfig.ConfigSecretName, genericConfig.UinHashingSecret],
     AadValidClientId: "39c28870-94e4-47ee-b4fb-affe0bf96c9f",
     LinkryBaseUrl: "https://core.aws.qa.acmuiuc.org",
     PasskitIdentifier: "pass.org.acmuiuc.qa.membership",
@@ -124,7 +128,7 @@ const environmentConfig: EnvironmentConfigType = {
   prod: {
     UserFacingUrl: "https://core.acm.illinois.edu",
     AzureRoleMapping: { AutonomousWriters: [AppRoles.EVENTS_MANAGER] },
-    ConfigurationSecretIds: [genericConfig.ConfigSecretName],
+    ConfigurationSecretIds: [genericConfig.ConfigSecretName, genericConfig.UinHashingSecret],
     ValidCorsOrigins: [
       /^https:\/\/(?:.*\.)?acmuiuc-academic-web\.pages\.dev$/,
       /^https:\/\/(?:.*\.)?acmuiuc\.pages\.dev$/,
@@ -160,6 +164,7 @@ export type SecretConfig = {
   stripe_links_endpoint_secret: string;
   redis_url: string;
   encryption_key: string;
+  UIN_HASHING_SECRET_PEPPER: string;
 };
 
 export type SecretTesting = {

tests/unit/secret.testdata.ts

@@ -21,6 +21,9 @@ const testSecretObject = {
 const secretJson = JSON.stringify(secretObject);
 
 const testSecretJson = JSON.stringify(testSecretObject);
+const uinSecretJson = JSON.stringify({
+  UIN_HASHING_SECRET_PEPPER: "dc1f1a24-fce5-480b-a342-e7bd34d8f8c5",
+});
 
 const jwtPayload = {
   aud: "custom_jwt",
@@ -81,4 +84,5 @@ export {
   testSecretObject,
   jwtPayload,
   jwtPayloadNoGroups,
+  uinSecretJson,
 };