a super basic pass issuer

Author: devksingh4

.gitignore

@@ -141,3 +141,4 @@ __pycache__
 /playwright-report/
 /blob-report/
 /playwright/.cache/
+dist_devel/

Makefile

@@ -52,6 +52,7 @@ clean:
 build: src/ cloudformation/ docs/
 	yarn -D
 	VITE_BUILD_HASH=$(GIT_HASH) yarn build
+	cp -r src/api/resources/ dist/api/resources
 	sam build --template-file cloudformation/main.yml
 
 local:

cloudformation/main.yml

@@ -127,6 +127,10 @@ Resources:
         Minify: true
         OutExtension:
           - .js=.mjs
+        Loader:
+          - .png=file
+          - .pkpass=file
+          - .json=file
         Target: "es2022"
         Sourcemap: false
         EntryPoints:

generate_jwt.js

@@ -18,7 +18,7 @@ const payload = {
     groups: ["0"],
     idp: "https://login.microsoftonline.com",
     ipaddr: "192.168.1.1",
-    name: "John Doe",
+    name: "Singh, Dev",
     oid: "00000000-0000-0000-0000-000000000000",
     rh: "rh-value",
     scp: "user_impersonation",

src/api/esbuild.config.js

@@ -0,0 +1,34 @@
+import { build, context } from 'esbuild';
+import { readFileSync } from 'fs';
+import { resolve } from 'path';
+
+const isWatching = !!process.argv.includes('--watch')
+const nodePackage = JSON.parse(readFileSync(resolve(process.cwd(), 'package.json'), 'utf8'));
+
+const buildOptions = {
+  entryPoints: [resolve(process.cwd(), 'index.ts')],
+  outfile: resolve(process.cwd(), '../', '../', 'dist_devel', 'index.js'),
+  bundle: true,
+  platform: 'node',
+  format: 'esm',
+  external: [
+    Object.keys(nodePackage.dependencies ?? {}),
+    Object.keys(nodePackage.peerDependencies ?? {}),
+    Object.keys(nodePackage.devDependencies ?? {}),
+  ].flat(),
+  loader: {
+    '.png': 'file', // Add this line to specify a loader for .png files
+  },
+};
+
+if (isWatching) {
+  context(buildOptions).then(ctx => {
+    if (isWatching) {
+      ctx.watch();
+    } else {
+      ctx.rebuild();
+    }
+  });
+} else {
+  build(buildOptions)
+}

src/api/functions/discord.ts

@@ -12,7 +12,10 @@ import { type EventPostRequest } from "../routes/events.js";
 import moment from "moment-timezone";
 
 import { FastifyBaseLogger } from "fastify";
-import { DiscordEventError } from "../../common/errors/index.js";
+import {
+  DiscordEventError,
+  InternalServerError,
+} from "../../common/errors/index.js";
 import { getSecretValue } from "../plugins/auth.js";
 import { genericConfig } from "../../common/config.js";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
@@ -30,8 +33,15 @@ export const updateDiscord = async (
   isDelete: boolean = false,
   logger: FastifyBaseLogger,
 ): Promise<null | GuildScheduledEventCreateOptions> => {
-  const secretApiConfig =
-    (await getSecretValue(smClient, genericConfig.ConfigSecretName)) || {};
+  const secretApiConfig = await getSecretValue(
+    smClient,
+    genericConfig.ConfigSecretName,
+  );
+  if (!secretApiConfig) {
+    throw new InternalServerError({
+      message: "Could not find credentials for Discord.",
+    });
+  }
   const client = new Client({ intents: [GatewayIntentBits.Guilds] });
   let payload: GuildScheduledEventCreateOptions | null = null;
 

src/api/functions/entraId.ts

@@ -30,12 +30,12 @@ export async function getEntraIdToken(
   clientId: string,
   scopes: string[] = ["https://graph.microsoft.com/.default"],
 ) {
-  const secretApiConfig =
-    (await getSecretValue(
-      fastify.secretsManagerClient,
-      genericConfig.ConfigSecretName,
-    )) || {};
+  const secretApiConfig = await getSecretValue(
+    fastify.secretsManagerClient,
+    genericConfig.ConfigSecretName,
+  );
   if (
+    !secretApiConfig ||
     !secretApiConfig.entra_id_private_key ||
     !secretApiConfig.entra_id_thumbprint
   ) {

src/api/functions/mobileWallet.ts

@@ -0,0 +1,117 @@
+import { getSecretValue } from "../plugins/auth.js";
+import { genericConfig } from "../../common/config.js";
+import {
+  InternalServerError,
+  UnauthorizedError,
+} from "../../common/errors/index.js";
+import { FastifyInstance, FastifyRequest } from "fastify";
+// these make sure that esbuild includes the files
+import icon from "../resources/MembershipPass.pkpass/icon.png";
+import logo from "../resources/MembershipPass.pkpass/logo.png";
+import strip from "../resources/MembershipPass.pkpass/strip.png";
+import pass from "../resources/MembershipPass.pkpass/pass.js";
+import { PKPass } from "passkit-generator";
+import { promises as fs } from "fs";
+
+function trim(s: string) {
+  return (s || "").replace(/^\s+|\s+$/g, "");
+}
+
+function convertName(name: string): string {
+  if (!name.includes(",")) {
+    return name;
+  }
+  return `${trim(name.split(",")[1])} ${name.split(",")[0]}`;
+}
+
+export async function issueAppleWalletMembershipCard(
+  app: FastifyInstance,
+  request: FastifyRequest,
+  email: string,
+  name: string,
+) {
+  if (!email.endsWith("@illinois.edu")) {
+    throw new UnauthorizedError({
+      message:
+        "Cannot issue membership pass for emails not on the illinois.edu domain.",
+    });
+  }
+  const secretApiConfig = await getSecretValue(
+    app.secretsManagerClient,
+    genericConfig.ConfigSecretName,
+  );
+  if (!secretApiConfig) {
+    throw new InternalServerError({
+      message: "Could not retrieve signing data",
+    });
+  }
+  const signerCert = Buffer.from(
+    secretApiConfig.acm_passkit_signerCert_base64,
+    "base64",
+  ).toString("utf-8");
+  const signerKey = Buffer.from(
+    secretApiConfig.acm_passkit_signerKey_base64,
+    "base64",
+  ).toString("utf-8");
+  const wwdr = Buffer.from(
+    secretApiConfig.apple_signing_cert_base64,
+    "base64",
+  ).toString("utf-8");
+  pass["passTypeIdentifier"] = app.environmentConfig["PasskitIdentifier"];
+
+  const pkpass = new PKPass(
+    {
+      "icon.png": await fs.readFile(icon),
+      "logo.png": await fs.readFile(logo),
+      "strip.png": await fs.readFile(strip),
+      "pass.json": Buffer.from(JSON.stringify(pass)),
+    },
+    {
+      wwdr,
+      signerCert,
+      signerKey,
+    },
+    {
+      // logoText: app.runEnvironment === "dev" ? "INVALID Membership Pass" : "Membership Pass",
+      serialNumber: app.environmentConfig["PasskitSerialNumber"],
+    },
+  );
+  pkpass.setBarcodes({
+    altText: email.split("@")[0],
+    format: "PKBarcodeFormatPDF417",
+    message: app.runEnvironment === "dev" ? `INVALID${email}INVALID` : email,
+  });
+  const iat = new Date().toLocaleDateString("en-US", {
+    day: "2-digit",
+    month: "2-digit",
+    year: "numeric",
+  });
+  if (name && name !== "") {
+    pkpass.secondaryFields.push({
+      label: "Member Name",
+      key: "name",
+      value: convertName(name),
+    });
+  }
+  if (app.runEnvironment === "prod") {
+    pkpass.backFields.push({
+      label: "Verification URL",
+      key: "iss",
+      value: `https://membership.acm.illinois.edu/verify/${email.split("@")[0]}`,
+    });
+  } else {
+    pkpass.backFields.push({
+      label: "TESTING ONLY Pass",
+      key: "iss",
+      value: `Do not honor!`,
+    });
+  }
+  pkpass.backFields.push({ label: "Pass Created On", key: "iat", value: iat });
+  pkpass.backFields.push({ label: "Membership ID", key: "id", value: email });
+  const buffer = pkpass.getAsBuffer();
+  request.log.info(
+    { type: "audit", actor: email, target: email },
+    "Created membership verification pass",
+  );
+  return buffer;
+}

src/api/index.ts

@@ -21,6 +21,7 @@ import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
 import NodeCache from "node-cache";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import mobileWalletRoute from "./routes/mobileWallet.js";
 
 dotenv.config();
 
@@ -82,6 +83,7 @@ async function init() {
   app.nodeCache = new NodeCache({ checkperiod: 30 });
   app.dynamoClient = dynamoClient;
   app.secretsManagerClient = secretsManagerClient;
+  app.secretsManagerData = null;
   app.addHook("onRequest", (req, _, done) => {
     req.startTime = now();
     const hostname = req.hostname;
@@ -110,6 +112,7 @@ async function init() {
       api.register(organizationsPlugin, { prefix: "/organizations" });
       api.register(icalPlugin, { prefix: "/ical" });
       api.register(iamRoutes, { prefix: "/iam" });
+      api.register(mobileWalletRoute, { prefix: "/mobile" });
       api.register(ticketsPlugin, { prefix: "/tickets" });
       if (app.runEnvironment === "dev") {
         api.register(vendingPlugin, { prefix: "/vending" });

src/api/package.json

@@ -8,7 +8,7 @@
   "type": "module",
   "scripts": {
     "build": "tsc",
-    "dev": "cross-env LOG_LEVEL=debug tsx watch index.ts",
+    "dev": "cross-env LOG_LEVEL=debug node esbuild.config.js --watch & nodemon ../../dist/index.js",
     "typecheck": "tsc --noEmit",
     "lint": "eslint . --ext .ts --cache",
     "prettier": "prettier --check *.ts **/*.ts",
@@ -36,12 +36,14 @@
     "moment": "^2.30.1",
     "moment-timezone": "^0.5.45",
     "node-cache": "^5.1.2",
+    "passkit-generator": "^3.3.1",
     "pluralize": "^8.0.0",
     "zod": "^3.23.8",
     "zod-to-json-schema": "^3.23.2",
     "zod-validation-error": "^3.3.1"
   },
   "devDependencies": {
-    "@tsconfig/node22": "^22.0.0"
+    "@tsconfig/node22": "^22.0.0",
+    "nodemon": "^3.1.9"
   }
 }