save uin on membership checkout and handle firstname/lastname transparently

devksingh4 · devksingh4 · commit 5b5bc7aeec85 · 2025-08-02T20:40:08.000-04:00
diff --git a/src/api/functions/stripe.ts b/src/api/functions/stripe.ts
@@ -18,6 +18,7 @@ export type StripeCheckoutSessionCreateParams = {
   stripeApiKey: string;
   items: { price: string; quantity: number }[];
   initiator: string;
+  metadata?: Record<string, string>;
   allowPromotionCodes: boolean;
   customFields?: Stripe.Checkout.SessionCreateParams.CustomField[];
 };
@@ -77,6 +78,7 @@ export const createCheckoutSession = async ({
   initiator,
   allowPromotionCodes,
   customFields,
+  metadata,
 }: StripeCheckoutSessionCreateParams): Promise<string> => {
   const stripe = new Stripe(stripeApiKey);
   const payload: Stripe.Checkout.SessionCreateParams = {
@@ -90,6 +92,7 @@ export const createCheckoutSession = async ({
     mode: "payment",
     customer_email: customerEmail,
     metadata: {
+      ...(metadata || {}),
       initiator,
     },
     allow_promotion_codes: allowPromotionCodes,
diff --git a/src/api/functions/uin.ts b/src/api/functions/uin.ts
@@ -1,3 +1,5 @@
+import { DynamoDBClient, PutItemCommand } from "@aws-sdk/client-dynamodb";
+import { marshall } from "@aws-sdk/util-dynamodb";
 import { hash } from "argon2";
 import { genericConfig } from "common/config.js";
 import {
@@ -134,3 +136,26 @@ export async function getHashedUserUin({
     });
   }
 }
+
+type SaveHashedUserUin = GetUserUinInputs & {
+  dynamoClient: DynamoDBClient;
+  netId: string;
+};
+
+export async function saveHashedUserUin({
+  uiucAccessToken,
+  pepper,
+  dynamoClient,
+  netId,
+}: SaveHashedUserUin) {
+  const uinHash = await getHashedUserUin({ uiucAccessToken, pepper });
+  await dynamoClient.send(
+    new PutItemCommand({
+      TableName: genericConfig.UinHashTable,
+      Item: marshall({
+        uinHash,
+        netId,
+      }),
+    }),
+  );
+}
diff --git a/src/api/index.ts b/src/api/index.ts
@@ -61,6 +61,7 @@ import eventsPlugin from "./routes/events.js";
 import mobileWalletV2Route from "./routes/v2/mobileWallet.js";
 import membershipV2Plugin from "./routes/v2/membership.js";
 import { docsHtml, securitySchemes } from "./docs.js";
+import syncIdentityPlugin from "./routes/syncIdentity.js";
 /** END ROUTES */
 
 export const instanceId = randomUUID();
@@ -356,6 +357,7 @@ Otherwise, email [infra@acm.illinois.edu](mailto:infra@acm.illinois.edu) for sup
   );
   await app.register(
     async (api, _options) => {
+      api.register(syncIdentityPlugin, { prefix: "/syncIdentity" });
       api.register(protectedRoute, { prefix: "/protected" });
       api.register(eventsPlugin, { prefix: "/events" });
       api.register(organizationsPlugin, { prefix: "/organizations" });
diff --git a/src/api/routes/membership.ts b/src/api/routes/membership.ts
@@ -413,12 +413,8 @@ const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
             event.data.object.metadata.initiator === "purchase-membership"
           ) {
             const customerEmail = event.data.object.customer_email;
-            const firstName = event.data.object.custom_fields.filter(
-              (x) => x.key === "firstName",
-            )[0].text?.value;
-            const lastName = event.data.object.custom_fields.filter(
-              (x) => x.key === "lastName",
-            )[0].text?.value;
+            const firstName = event.data.object.metadata.givenName;
+            const lastName = event.data.object.metadata.surname;
             if (!customerEmail) {
               request.log.info("No customer email found.");
               return reply
diff --git a/src/api/routes/syncIdentity.ts b/src/api/routes/syncIdentity.ts
@@ -0,0 +1,142 @@
+import {
+  checkPaidMembershipFromTable,
+  checkPaidMembershipFromRedis,
+} from "api/functions/membership.js";
+import { FastifyPluginAsync } from "fastify";
+import { ValidationError } from "common/errors/index.js";
+import rateLimiter from "api/plugins/rateLimiter.js";
+import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
+import * as z from "zod/v4";
+import { notAuthenticatedError, withTags } from "api/components/index.js";
+import { verifyUiucAccessToken, saveHashedUserUin } from "api/functions/uin.js";
+import { getRoleCredentials } from "api/functions/sts.js";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { genericConfig, roleArns } from "common/config.js";
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import {
+  getEntraIdToken,
+  patchUserProfile,
+  resolveEmailToOid,
+} from "api/functions/entraId.js";
+
+const syncIdentityPlugin: FastifyPluginAsync = async (fastify, _options) => {
+  const getAuthorizedClients = async () => {
+    if (roleArns.Entra) {
+      fastify.log.info(
+        `Attempting to assume Entra role ${roleArns.Entra} to get the Entra token...`,
+      );
+      const credentials = await getRoleCredentials(roleArns.Entra);
+      const clients = {
+        smClient: new SecretsManagerClient({
+          region: genericConfig.AwsRegion,
+          credentials,
+        }),
+        dynamoClient: new DynamoDBClient({
+          region: genericConfig.AwsRegion,
+          credentials,
+        }),
+        redisClient: fastify.redisClient,
+      };
+      fastify.log.info(
+        `Assumed Entra role ${roleArns.Entra} to get the Entra token.`,
+      );
+      return clients;
+    }
+    fastify.log.debug(
+      "Did not assume Entra role as no env variable was present",
+    );
+    return {
+      smClient: fastify.secretsManagerClient,
+      dynamoClient: fastify.dynamoClient,
+      redisClient: fastify.redisClient,
+    };
+  };
+  const limitedRoutes: FastifyPluginAsync = async (fastify) => {
+    await fastify.register(rateLimiter, {
+      limit: 5,
+      duration: 30,
+      rateLimitIdentifier: "syncIdentityPlugin",
+    });
+    fastify.withTypeProvider<FastifyZodOpenApiTypeProvider>().post(
+      "/",
+      {
+        schema: withTags(["Generic"], {
+          headers: z.object({
+            "x-uiuc-token": z.jwt().min(1).meta({
+              description:
+                "An access token for the user in the UIUC Entra ID tenant.",
+            }),
+          }),
+          summary:
+            "Sync the Illinois NetID account with the ACM @ UIUC account.",
+          response: {
+            201: {
+              description: "The user has been synced.",
+              content: {
+                "application/json": {
+                  schema: z.null(),
+                },
+              },
+            },
+            403: notAuthenticatedError,
+          },
+        }),
+      },
+      async (request, reply) => {
+        const accessToken = request.headers["x-uiuc-token"];
+        const verifiedData = await verifyUiucAccessToken({
+          accessToken,
+          logger: request.log,
+        });
+        const { userPrincipalName: upn, givenName, surname } = verifiedData;
+        const netId = upn.replace("@illinois.edu", "");
+        if (netId.includes("@")) {
+          request.log.error(
+            `Found UPN ${upn} which cannot be turned into NetID via simple replacement.`,
+          );
+          throw new ValidationError({
+            message: "ID token could not be parsed.",
+          });
+        }
+        await saveHashedUserUin({
+          uiucAccessToken: accessToken,
+          pepper: fastify.secretConfig.UIN_HASHING_SECRET_PEPPER,
+          dynamoClient: fastify.dynamoClient,
+          netId,
+        });
+        let isPaidMember = await checkPaidMembershipFromRedis(
+          netId,
+          fastify.redisClient,
+          request.log,
+        );
+        if (isPaidMember === null) {
+          isPaidMember = await checkPaidMembershipFromTable(
+            netId,
+            fastify.dynamoClient,
+          );
+        }
+        if (isPaidMember) {
+          const username = `${netId}@illinois.edu`;
+          request.log.info("User is paid member, syncing profile!");
+          const entraIdToken = await getEntraIdToken({
+            clients: await getAuthorizedClients(),
+            clientId: fastify.environmentConfig.AadValidClientId,
+            secretName: genericConfig.EntraSecretName,
+            logger: request.log,
+          });
+          const oid = await resolveEmailToOid(entraIdToken, username);
+          await patchUserProfile(entraIdToken, username, oid, {
+            displayName: `${givenName} ${surname}`,
+            givenName,
+            surname,
+            mail: username,
+          });
+        }
+        return reply.status(201).send();
+      },
+    );
+  };
+  fastify.register(limitedRoutes);
+};
+
+export default syncIdentityPlugin;
diff --git a/src/api/routes/v2/membership.ts b/src/api/routes/v2/membership.ts
@@ -9,15 +9,7 @@ import { createCheckoutSession } from "api/functions/stripe.js";
 import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
 import * as z from "zod/v4";
 import { notAuthenticatedError, withTags } from "api/components/index.js";
-import { verifyUiucAccessToken, getHashedUserUin } from "api/functions/uin.js";
-
-function splitOnce(s: string, on: string) {
-  const [first, ...rest] = s.split(on);
-  return [first, rest.length > 0 ? rest.join(on) : null];
-}
-function trim(s: string) {
-  return (s || "").replace(/^\s+|\s+$/g, "");
-}
+import { verifyUiucAccessToken, saveHashedUserUin } from "api/functions/uin.js";
 
 const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
   const limitedRoutes: FastifyPluginAsync = async (fastify) => {
@@ -70,6 +62,13 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
             message: "ID token could not be parsed.",
           });
         }
+        request.log.debug("Saving user hashed UIN!");
+        const saveHashPromise = saveHashedUserUin({
+          uiucAccessToken: accessToken,
+          pepper: fastify.secretConfig.UIN_HASHING_SECRET_PEPPER,
+          dynamoClient: fastify.dynamoClient,
+          netId,
+        });
         let isPaidMember = await checkPaidMembershipFromRedis(
           netId,
           fastify.redisClient,
@@ -81,12 +80,13 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
             fastify.dynamoClient,
           );
         }
+        await saveHashPromise;
+        request.log.debug("Saved user hashed UIN!");
         if (isPaidMember) {
           throw new ValidationError({
             message: `${upn} is already a paid member.`,
           });
         }
-
         return reply.status(200).send(
           await createCheckoutSession({
             successUrl: "https://acm.illinois.edu/paid",
@@ -99,30 +99,10 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
                 quantity: 1,
               },
             ],
-            customFields: [
-              {
-                key: "firstName",
-                label: {
-                  type: "custom",
-                  custom: "Member First Name",
-                },
-                type: "text",
-                text: {
-                  default_value: givenName,
-                },
-              },
-              {
-                key: "lastName",
-                label: {
-                  type: "custom",
-                  custom: "Member Last Name",
-                },
-                type: "text",
-                text: {
-                  default_value: surname,
-                },
-              },
-            ],
+            metadata: {
+              givenName,
+              surname,
+            },
             initiator: "purchase-membership",
             allowPromotionCodes: true,
           }),
