add membership checking to core

Author: devksingh4

src/api/functions/entraId.ts

@@ -447,3 +447,60 @@ export async function patchUserProfile(
     });
   }
 }
+
+/**
+ * Checks if a user is a member of an Entra ID group.
+ * @param token - Entra ID token authorized to take this action.
+ * @param email - The email address of the user to check.
+ * @param group - The group ID to check membership in.
+ * @throws {EntraGroupError} If the membership check fails.
+ * @returns {Promise<boolean>} True if the user is a member of the group, false otherwise.
+ */
+export async function isUserInGroup(
+  token: string,
+  email: string,
+  group: string,
+): Promise<boolean> {
+  email = email.toLowerCase().replace(/\s/g, "");
+  if (!email.endsWith("@illinois.edu")) {
+    throw new EntraGroupError({
+      group,
+      message: "User's domain must be illinois.edu to check group membership.",
+    });
+  }
+  try {
+    const oid = await resolveEmailToOid(token, email);
+    const url = `https://graph.microsoft.com/v1.0/groups/${group}/members/${oid}`;
+
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+    });
+
+    if (response.ok) {
+      return true; // User is in the group
+    } else if (response.status === 404) {
+      return false; // User is not in the group
+    }
+
+    const errorData = (await response.json()) as {
+      error?: { message?: string };
+    };
+    throw new EntraGroupError({
+      message: errorData?.error?.message ?? response.statusText,
+      group,
+    });
+  } catch (error) {
+    if (error instanceof EntraGroupError) {
+      throw error;
+    }
+    const message = error instanceof Error ? error.message : String(error);
+    throw new EntraGroupError({
+      message,
+      group,
+    });
+  }
+}

src/api/functions/membership.ts

@@ -1,4 +1,12 @@
+import {
+  DynamoDBClient,
+  PutItemCommand,
+  QueryCommand,
+} from "@aws-sdk/client-dynamodb";
+import { marshall } from "@aws-sdk/util-dynamodb";
+import { genericConfig } from "common/config.js";
 import { FastifyBaseLogger } from "fastify";
+import { isUserInGroup } from "./entraId.js";
 
 export async function checkPaidMembership(
   endpoint: string,
@@ -22,3 +30,51 @@ export async function checkPaidMembership(
     throw e;
   }
 }
+
+export async function checkPaidMembershipFromTable(
+  netId: string,
+  dynamoClient: DynamoDBClient,
+): Promise<boolean> {
+  const { Items } = await dynamoClient.send(
+    new QueryCommand({
+      TableName: genericConfig.MembershipTableName,
+      KeyConditionExpression: "#pk = :pk",
+      ExpressionAttributeNames: {
+        "#pk": "email",
+      },
+      ExpressionAttributeValues: marshall({
+        ":pk": `${netId}@illinois.edu`,
+      }),
+    }),
+  );
+  if (!Items || Items.length == 0) {
+    return false;
+  }
+  return true;
+}
+
+export async function checkPaidMembershipFromEntra(
+  netId: string,
+  entraToken: string,
+  paidMemberGroup: string,
+): Promise<boolean> {
+  return isUserInGroup(entraToken, `${netId}@illinois.edu`, paidMemberGroup);
+}
+
+export async function setPaidMembershipInTable(
+  netId: string,
+  dynamoClient: DynamoDBClient,
+): Promise<void> {
+  const obj = {
+    email: `${netId}@illinois.edu`,
+    inserted_at: new Date().toISOString(),
+    inserted_by: "membership-api-queried",
+  };
+
+  await dynamoClient.send(
+    new PutItemCommand({
+      TableName: genericConfig.MembershipTableName,
+      Item: marshall(obj),
+    }),
+  );
+}

src/api/routes/membership.ts

@@ -1,7 +1,12 @@
+import {
+  checkPaidMembershipFromEntra,
+  checkPaidMembershipFromTable,
+  setPaidMembershipInTable,
+} from "api/functions/membership.js";
 import { validateNetId } from "api/functions/validation.js";
-import { NotImplementedError } from "common/errors/index.js";
 import { FastifyPluginAsync } from "fastify";
-import { ValidationError } from "zod-validation-error";
+import { ValidationError } from "common/errors/index.js";
+import { getEntraIdToken } from "api/functions/entraId.js";
 
 const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
   fastify.get<{
@@ -24,9 +29,44 @@ const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
     async (request, reply) => {
       const netId = (request.params as Record<string, string>).netId;
       if (!validateNetId(netId)) {
-        throw new ValidationError(`${netId} is not a valid Illinois NetID!`);
+        throw new ValidationError({
+          message: `${netId} is not a valid Illinois NetID!`,
+        });
       }
-      throw new NotImplementedError({});
+      const isDynamoMember = await checkPaidMembershipFromTable(
+        netId,
+        fastify.dynamoClient,
+      );
+      // check Dynamo cache first
+      if (isDynamoMember) {
+        return reply
+          .header("X-ACM-Data-Source", "dynamo")
+          .send({ netId, isPaidMember: true });
+      }
+      // check AAD
+      const entraIdToken = await getEntraIdToken(
+        {
+          smClient: fastify.secretsManagerClient,
+          dynamoClient: fastify.dynamoClient,
+        },
+        fastify.environmentConfig.AadValidClientId,
+      );
+      const paidMemberGroup = fastify.environmentConfig.PaidMemberGroupId;
+      const isAadMember = await checkPaidMembershipFromEntra(
+        netId,
+        entraIdToken,
+        paidMemberGroup,
+      );
+      if (isAadMember) {
+        reply
+          .header("X-ACM-Data-Source", "aad")
+          .send({ netId, isPaidMember: true });
+        await setPaidMembershipInTable(netId, fastify.dynamoClient);
+        return;
+      }
+      return reply
+        .header("X-ACM-Data-Source", "aad")
+        .send({ netId, isPaidMember: false });
     },
   );
 };

src/api/routes/mobileWallet.ts

@@ -54,9 +54,8 @@ const mobileWalletRoute: FastifyPluginAsync = async (fastify, _options) => {
         });
       }
       const isPaidMember = await checkPaidMembership(
-        fastify.environmentConfig.MembershipApiEndpoint,
-        request.log,
         request.query.email.replace("@illinois.edu", ""),
+        fastify.dynamoClient,
       );
       if (!isPaidMember) {
         throw new UnauthenticatedError({

src/common/config.ts

@@ -31,6 +31,7 @@ export type GenericConfigType = {
   MerchStorePurchasesTableName: string;
   TicketPurchasesTableName: string;
   TicketMetadataTableName: string;
+  MembershipTableName: string;
   MerchStoreMetadataTableName: string;
   IAMTablePrefix: string;
   ProtectedEntraIDGroups: string[]; // these groups are too privileged to be modified via this portal and must be modified directly in Entra ID.
@@ -63,6 +64,7 @@ const genericConfig: GenericConfigType = {
   TicketMetadataTableName: "infra-events-ticketing-metadata",
   IAMTablePrefix: "infra-core-api-iam",
   ProtectedEntraIDGroups: [infraChairsGroupId, officersGroupId],
+  MembershipTableName: "infra-core-api-membership-provisioning",
 } as const;
 
 const environmentConfig: EnvironmentConfigType = {

src/common/errors/index.ts

@@ -215,7 +215,6 @@ export class EntraFetchError extends BaseError<"EntraFetchError"> {
   }
 }
 
-
 export class EntraPatchError extends BaseError<"EntraPatchError"> {
   email: string;
   constructor({ message, email }: { message?: string; email: string }) {