route emails you the pass instead

Author: devksingh4

cloudformation/iam.yml

@@ -10,6 +10,9 @@ Parameters:
   LambdaFunctionName:
     Type: String
     AllowedPattern: ^[a-zA-Z0-9]+[a-zA-Z0-9-]+[a-zA-Z0-9]+$
+  SesEmailDomain:
+    Type: String
+
 Resources:
   ApiLambdaIAMRole:
     Type: AWS::IAM::Role
@@ -24,6 +27,21 @@ Resources:
             Service:
             - lambda.amazonaws.com
       Policies:
+      - PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Action:
+            - ses:SendEmail
+            - ses:SendRawEmail
+            Effect: Allow
+            Resource: "*"
+            Condition:
+              StringEquals:
+                ses:FromAddress: !Sub "membership@${SesEmailDomain}"
+              ForAllValues:StringLike:
+                ses:Recipients:
+                  - "*@illinois.edu"
+        PolicyName: ses-membership
       - PolicyDocument:
           Version: '2012-10-17'
           Statement:
@@ -85,4 +103,4 @@ Outputs:
     Value:
       Fn::GetAtt:
       - ApiLambdaIAMRole
-      - Arn
+      - Arn

cloudformation/main.yml

@@ -40,12 +40,14 @@ Mappings:
       HostedZoneId: Z04502822NVIA85WM2SML
       ApiDomainName: "aws.qa.acmuiuc.org"
       LinkryApiDomainName: "aws.qa.acmuiuc.org"
+      SesDomain: "aws.qa.acmuiuc.org"
       LinkryApiCertificateArn: arn:aws:acm:us-east-1:427040638965:certificate/63ccdf0b-d2b5-44f0-b589-eceffb935c23
     prod:
       ApiCertificateArn: arn:aws:acm:us-east-1:298118738376:certificate/6142a0e2-d62f-478e-bf15-5bdb616fe705
       HostedZoneId: Z05246633460N5MEB9DBF
       ApiDomainName: "aws.acmuiuc.org"
       LinkryApiDomainName: "acm.illinois.edu"
+      SesDomain: "acm.illinois.edu"
       LinkryApiCertificateArn: arn:aws:acm:us-east-1:298118738376:certificate/aeb93d9e-b0b7-4272-9c12-24ca5058c77e
   EnvironmentToCidr:
     dev:
@@ -71,6 +73,7 @@ Resources:
       Parameters:
         RunEnvironment: !Ref RunEnvironment
         LambdaFunctionName: !Sub ${ApplicationPrefix}-lambda
+        SesEmailDomain: !FindInMap [General, !Ref RunEnvironment, SesDomain]
 
   AppLogGroups:
     Type: AWS::Serverless::Application

src/api/functions/entraId.ts

@@ -7,6 +7,7 @@ import {
 } from "../../common/config.js";
 import {
   BaseError,
+  EntraFetchError,
   EntraGroupError,
   EntraInvitationError,
   InternalServerError,
@@ -19,6 +20,7 @@ import {
   EntraInvitationResponse,
 } from "../../common/types/iam.js";
 import { FastifyInstance } from "fastify";
+import { UserProfileDataBase } from "common/types/msGraphApi.js";
 
 function validateGroupId(groupId: string): boolean {
   const groupIdPattern = /^[a-zA-Z0-9-]+$/; // Adjust the pattern as needed
@@ -351,3 +353,47 @@ export async function listGroupMembers(
     });
   }
 }
+
+/**
+ * Retrieves the profile of a user from Entra ID.
+ * @param token - Entra ID token authorized to perform this action.
+ * @param userId - The user ID to fetch the profile for.
+ * @throws {EntraUserError} If fetching the user profile fails.
+ * @returns {Promise<UserProfileDataBase>} The user's profile information.
+ */
+export async function getUserProfile(
+  token: string,
+  email: string,
+): Promise<UserProfileDataBase> {
+  const userId = await resolveEmailToOid(token, email);
+  try {
+    const url = `https://graph.microsoft.com/v1.0/users/${userId}?$select=userPrincipalName,givenName,surname,displayName,otherMails,mail`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+    });
+
+    if (!response.ok) {
+      const errorData = (await response.json()) as {
+        error?: { message?: string };
+      };
+      throw new EntraFetchError({
+        message: errorData?.error?.message ?? response.statusText,
+        email,
+      });
+    }
+    return (await response.json()) as UserProfileDataBase;
+  } catch (error) {
+    if (error instanceof EntraFetchError) {
+      throw error;
+    }
+
+    throw new EntraFetchError({
+      message: error instanceof Error ? error.message : String(error),
+      email,
+    });
+  }
+}

src/api/functions/mobileWallet.ts

@@ -28,7 +28,7 @@ export async function issueAppleWalletMembershipCard(
   app: FastifyInstance,
   request: FastifyRequest,
   email: string,
-  name: string,
+  name?: string,
 ) {
   if (!email.endsWith("@illinois.edu")) {
     throw new UnauthorizedError({

src/api/functions/ses.ts

@@ -0,0 +1,130 @@
+import { SendRawEmailCommand } from "@aws-sdk/client-ses";
+import { encode } from "base64-arraybuffer";
+
+/**
+ * Generates a SendRawEmailCommand for SES to send an email with an attached membership pass.
+ *
+ * @param recipientEmail - The email address of the recipient.
+ * * @param recipientEmail - The email address of the sender with a verified identity in SES.
+ * @param attachmentBuffer - The membership pass in ArrayBufferLike format.
+ * @returns The command to send the email via SES.
+ */
+export function generateMembershipEmailCommand(
+  recipientEmail: string,
+  senderEmail: string,
+  attachmentBuffer: ArrayBufferLike,
+): SendRawEmailCommand {
+  const encodedAttachment = encode(attachmentBuffer);
+  const boundary = "----BoundaryForEmail";
+
+  const emailTemplate = `
+<!doctype html>
+<html>
+    <head>
+        <title>Your ACM @ UIUC Membership</title>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1">
+        <base target="_blank">
+        <style>
+            body {
+                background-color: #F0F1F3;
+                font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, sans-serif;
+                font-size: 15px;
+                line-height: 26px;
+                margin: 0;
+                color: #444;
+            }
+            .wrap {
+                background-color: #fff;
+                padding: 30px;
+                max-width: 525px;
+                margin: 0 auto;
+                border-radius: 5px;
+            }
+            .button {
+                background: #0055d4;
+                border-radius: 3px;
+                text-decoration: none !important;
+                color: #fff !important;
+                font-weight: bold;
+                padding: 10px 30px;
+                display: inline-block;
+            }
+            .button:hover {
+                background: #111;
+            }
+            .footer {
+                text-align: center;
+                font-size: 12px;
+                color: #888;
+            }
+            img {
+                max-width: 100%;
+                height: auto;
+            }
+            a {
+                color: #0055d4;
+            }
+            a:hover {
+                color: #111;
+            }
+            @media screen and (max-width: 600px) {
+                .wrap {
+                    max-width: auto;
+                }
+            }
+        </style>
+    </head>
+<body>
+    <div class="gutter" style="padding: 30px;">&nbsp;</div>
+    <img src="https://acm-brand-images.s3.amazonaws.com/banner-blue.png" style="height: 100px; width: 210px; align-self: center;"/>
+    <br />
+    <div class="wrap">
+        <h2 style="text-align: center;">Welcome</h2>
+        <p>
+            Thank you for becoming a member of ACM @ UIUC! Attached is your membership pass.
+            You can add it to your Apple or Google Wallet for easy access.
+        </p>
+        <p>
+            If you have any questions, feel free to contact us at
+            <a href="mailto:[email protected]">[email protected]</a>.
+        </p>
+        <div style="text-align: center; margin-top: 20px;">
+            <a href="https://acm.illinois.edu" class="button">Visit ACM @ UIUC</a>
+        </div>
+    </div>
+    <div class="footer">
+        <p>
+            <a href="https://acm.illinois.edu">ACM @ UIUC Homepage</a>
+            <a href="mailto:[email protected]">Email ACM @ UIUC</a>
+        </p>
+    </div>
+</body>
+</html>
+  `;
+
+  const rawEmail = `
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="${boundary}"
+From: ACM @ UIUC <${senderEmail}>
+To: ${recipientEmail}
+Subject: Your ACM @ UIUC Membership
+
+--${boundary}
+Content-Type: text/html; charset="UTF-8"
+
+${emailTemplate}
+
+--${boundary}
+Content-Type: application/vnd.apple.pkpass
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="membership.pkpass"
+
+${encodedAttachment}
+--${boundary}--`.trim();
+  return new SendRawEmailCommand({
+    RawMessage: {
+      Data: new TextEncoder().encode(rawEmail),
+    },
+  });
+}

src/api/index.ts

@@ -22,6 +22,7 @@ import NodeCache from "node-cache";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 import mobileWalletRoute from "./routes/mobileWallet.js";
+import { SESClient } from "@aws-sdk/client-ses";
 
 dotenv.config();
 
@@ -36,6 +37,10 @@ async function init() {
     region: genericConfig.AwsRegion,
   });
 
+  const sesClient = new SESClient({
+    region: genericConfig.AwsRegion,
+  });
+
   const app: FastifyInstance = fastify({
     logger: {
       level: process.env.LOG_LEVEL || "info",
@@ -84,6 +89,7 @@ async function init() {
   app.dynamoClient = dynamoClient;
   app.secretsManagerClient = secretsManagerClient;
   app.secretsManagerData = null;
+  app.sesClient = sesClient;
   app.addHook("onRequest", (req, _, done) => {
     req.startTime = now();
     const hostname = req.hostname;
@@ -112,7 +118,7 @@ async function init() {
       api.register(organizationsPlugin, { prefix: "/organizations" });
       api.register(icalPlugin, { prefix: "/ical" });
       api.register(iamRoutes, { prefix: "/iam" });
-      api.register(mobileWalletRoute, { prefix: "/mobile" });
+      api.register(mobileWalletRoute, { prefix: "/mobileWallet" });
       api.register(ticketsPlugin, { prefix: "/tickets" });
       if (app.runEnvironment === "dev") {
         api.register(vendingPlugin, { prefix: "/vending" });

src/api/package.json

@@ -8,7 +8,7 @@
   "type": "module",
   "scripts": {
     "build": "tsc",
-    "dev": "cross-env LOG_LEVEL=debug node esbuild.config.js --watch & nodemon ../../dist/index.js",
+    "dev": "cross-env LOG_LEVEL=debug concurrently --names 'esbuild,server' 'node esbuild.config.js --watch' 'cd ../../dist_devel && nodemon index.js'",
     "typecheck": "tsc --noEmit",
     "lint": "eslint . --ext .ts --cache",
     "prettier": "prettier --check *.ts **/*.ts",
@@ -17,6 +17,7 @@
   "dependencies": {
     "@aws-sdk/client-dynamodb": "^3.624.0",
     "@aws-sdk/client-secrets-manager": "^3.624.0",
+    "@aws-sdk/client-ses": "^3.734.0",
     "@aws-sdk/client-sts": "^3.726.0",
     "@aws-sdk/util-dynamodb": "^3.624.0",
     "@azure/msal-node": "^2.16.1",
@@ -25,6 +26,7 @@
     "@fastify/caching": "^9.0.1",
     "@fastify/cors": "^10.0.1",
     "@touch4it/ical-timezones": "^1.9.0",
+    "base64-arraybuffer": "^1.0.2",
     "discord.js": "^14.15.3",
     "dotenv": "^16.4.5",
     "esbuild": "^0.24.2",
@@ -44,6 +46,7 @@
   },
   "devDependencies": {
     "@tsconfig/node22": "^22.0.0",
+    "@types/base64-arraybuffer": "^0.2.4",
     "nodemon": "^3.1.9"
   }
-}
+}

src/api/plugins/auth.ts

@@ -15,7 +15,6 @@ import {
 } from "../../common/errors/index.js";
 import { genericConfig, SecretConfig } from "../../common/config.js";
 import { getGroupRoles, getUserRoles } from "../functions/authorization.js";
-import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 
 function intersection<T>(setA: Set<T>, setB: Set<T>): Set<T> {
   const _intersection = new Set<T>();