functionality

Author: devksingh4

src/api/functions/entraId.ts

@@ -7,6 +7,7 @@ import {
 } from "../../common/config.js";
 import {
   BaseError,
+  EntraFetchError,
   EntraGroupError,
   EntraInvitationError,
   InternalServerError,
@@ -19,6 +20,7 @@ import {
   EntraInvitationResponse,
 } from "../../common/types/iam.js";
 import { FastifyInstance } from "fastify";
+import { UserProfileDataBase } from "common/types/msGraphApi.js";
 
 function validateGroupId(groupId: string): boolean {
   const groupIdPattern = /^[a-zA-Z0-9-]+$/; // Adjust the pattern as needed
@@ -351,3 +353,47 @@ export async function listGroupMembers(
     });
   }
 }
+
+/**
+ * Retrieves the profile of a user from Entra ID.
+ * @param token - Entra ID token authorized to perform this action.
+ * @param userId - The user ID to fetch the profile for.
+ * @throws {EntraUserError} If fetching the user profile fails.
+ * @returns {Promise<UserProfileDataBase>} The user's profile information.
+ */
+export async function getUserProfile(
+  token: string,
+  email: string,
+): Promise<UserProfileDataBase> {
+  const userId = await resolveEmailToOid(token, email);
+  try {
+    const url = `https://graph.microsoft.com/v1.0/users/${userId}?$select=userPrincipalName,givenName,surname,displayName,otherMails,mail`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+    });
+
+    if (!response.ok) {
+      const errorData = (await response.json()) as {
+        error?: { message?: string };
+      };
+      throw new EntraFetchError({
+        message: errorData?.error?.message ?? response.statusText,
+        email,
+      });
+    }
+    return (await response.json()) as UserProfileDataBase;
+  } catch (error) {
+    if (error instanceof EntraFetchError) {
+      throw error;
+    }
+
+    throw new EntraFetchError({
+      message: error instanceof Error ? error.message : String(error),
+      email,
+    });
+  }
+}

src/api/functions/membership.ts

@@ -0,0 +1,18 @@
+import { FastifyBaseLogger, FastifyInstance } from "fastify";
+
+export async function checkPaidMembership(
+  endpoint: string,
+  log: FastifyBaseLogger,
+  netId: string,
+) {
+  const membershipApiPayload = (await (
+    await fetch(`${endpoint}?netId=${netId}`)
+  ).json()) as { netId: string; isPaidMember: boolean };
+  log.trace(`Got Membership API Payload for ${netId}: ${membershipApiPayload}`);
+  try {
+    return membershipApiPayload["isPaidMember"];
+  } catch (e: any) {
+    log.error(`Failed to get response from membership API: ${e.toString()}`);
+    throw e;
+  }
+}

src/api/functions/mobileWallet.ts

@@ -0,0 +1,117 @@
+import { getSecretValue } from "../plugins/auth.js";
+import { genericConfig, SecretConfig } from "../../common/config.js";
+import {
+  InternalServerError,
+  UnauthorizedError,
+} from "../../common/errors/index.js";
+import { FastifyInstance, FastifyRequest } from "fastify";
+// these make sure that esbuild includes the files
+import icon from "../resources/MembershipPass.pkpass/icon.png";
+import logo from "../resources/MembershipPass.pkpass/logo.png";
+import strip from "../resources/MembershipPass.pkpass/strip.png";
+import pass from "../resources/MembershipPass.pkpass/pass.js";
+import { PKPass } from "passkit-generator";
+import { promises as fs } from "fs";
+
+function trim(s: string) {
+  return (s || "").replace(/^\s+|\s+$/g, "");
+}
+
+function convertName(name: string): string {
+  if (!name.includes(",")) {
+    return name;
+  }
+  return `${trim(name.split(",")[1])} ${name.split(",")[0]}`;
+}
+
+export async function issueAppleWalletMembershipCard(
+  app: FastifyInstance,
+  request: FastifyRequest,
+  email: string,
+  name?: string,
+) {
+  if (!email.endsWith("@illinois.edu")) {
+    throw new UnauthorizedError({
+      message:
+        "Cannot issue membership pass for emails not on the illinois.edu domain.",
+    });
+  }
+  const secretApiConfig = (await getSecretValue(
+    app.secretsManagerClient,
+    genericConfig.ConfigSecretName,
+  )) as SecretConfig;
+  if (!secretApiConfig) {
+    throw new InternalServerError({
+      message: "Could not retrieve signing data",
+    });
+  }
+  const signerCert = Buffer.from(
+    secretApiConfig.acm_passkit_signerCert_base64,
+    "base64",
+  ).toString("utf-8");
+  const signerKey = Buffer.from(
+    secretApiConfig.acm_passkit_signerKey_base64,
+    "base64",
+  ).toString("utf-8");
+  const wwdr = Buffer.from(
+    secretApiConfig.apple_signing_cert_base64,
+    "base64",
+  ).toString("utf-8");
+  pass["passTypeIdentifier"] = app.environmentConfig["PasskitIdentifier"];
+
+  const pkpass = new PKPass(
+    {
+      "icon.png": await fs.readFile(icon),
+      "logo.png": await fs.readFile(logo),
+      "strip.png": await fs.readFile(strip),
+      "pass.json": Buffer.from(JSON.stringify(pass)),
+    },
+    {
+      wwdr,
+      signerCert,
+      signerKey,
+    },
+    {
+      // logoText: app.runEnvironment === "dev" ? "INVALID Membership Pass" : "Membership Pass",
+      serialNumber: app.environmentConfig["PasskitSerialNumber"],
+    },
+  );
+  pkpass.setBarcodes({
+    altText: email.split("@")[0],
+    format: "PKBarcodeFormatPDF417",
+    message: app.runEnvironment === "dev" ? `INVALID${email}INVALID` : email,
+  });
+  const iat = new Date().toLocaleDateString("en-US", {
+    day: "2-digit",
+    month: "2-digit",
+    year: "numeric",
+  });
+  if (name && name !== "") {
+    pkpass.secondaryFields.push({
+      label: "Member Name",
+      key: "name",
+      value: convertName(name),
+    });
+  }
+  if (app.runEnvironment === "prod") {
+    pkpass.backFields.push({
+      label: "Verification URL",
+      key: "iss",
+      value: `https://membership.acm.illinois.edu/verify/${email.split("@")[0]}`,
+    });
+  } else {
+    pkpass.backFields.push({
+      label: "TESTING ONLY Pass",
+      key: "iss",
+      value: `Do not honor!`,
+    });
+  }
+  pkpass.backFields.push({ label: "Pass Created On", key: "iat", value: iat });
+  pkpass.backFields.push({ label: "Membership ID", key: "id", value: email });
+  const buffer = pkpass.getAsBuffer();
+  request.log.info(
+    { type: "audit", actor: email, target: email },
+    "Created membership verification pass",
+  );
+  return buffer;
+}

src/api/functions/ses.ts

@@ -0,0 +1,130 @@
+import { SendRawEmailCommand } from "@aws-sdk/client-ses";
+import { encode } from "base64-arraybuffer";
+
+/**
+ * Generates a SendRawEmailCommand for SES to send an email with an attached membership pass.
+ *
+ * @param recipientEmail - The email address of the recipient.
+ * * @param recipientEmail - The email address of the sender with a verified identity in SES.
+ * @param attachmentBuffer - The membership pass in ArrayBufferLike format.
+ * @returns The command to send the email via SES.
+ */
+export function generateMembershipEmailCommand(
+  recipientEmail: string,
+  senderEmail: string,
+  attachmentBuffer: ArrayBufferLike,
+): SendRawEmailCommand {
+  const encodedAttachment = encode(attachmentBuffer);
+  const boundary = "----BoundaryForEmail";
+
+  const emailTemplate = `
+<!doctype html>
+<html>
+    <head>
+        <title>Your ACM @ UIUC Membership</title>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1">
+        <base target="_blank">
+        <style>
+            body {
+                background-color: #F0F1F3;
+                font-family: 'Helvetica Neue', 'Segoe UI', Helvetica, sans-serif;
+                font-size: 15px;
+                line-height: 26px;
+                margin: 0;
+                color: #444;
+            }
+            .wrap {
+                background-color: #fff;
+                padding: 30px;
+                max-width: 525px;
+                margin: 0 auto;
+                border-radius: 5px;
+            }
+            .button {
+                background: #0055d4;
+                border-radius: 3px;
+                text-decoration: none !important;
+                color: #fff !important;
+                font-weight: bold;
+                padding: 10px 30px;
+                display: inline-block;
+            }
+            .button:hover {
+                background: #111;
+            }
+            .footer {
+                text-align: center;
+                font-size: 12px;
+                color: #888;
+            }
+            img {
+                max-width: 100%;
+                height: auto;
+            }
+            a {
+                color: #0055d4;
+            }
+            a:hover {
+                color: #111;
+            }
+            @media screen and (max-width: 600px) {
+                .wrap {
+                    max-width: auto;
+                }
+            }
+        </style>
+    </head>
+<body>
+    <div class="gutter" style="padding: 30px;">&nbsp;</div>
+    <img src="https://acm-brand-images.s3.amazonaws.com/banner-blue.png" style="height: 100px; width: 210px; align-self: center;"/>
+    <br />
+    <div class="wrap">
+        <h2 style="text-align: center;">Welcome</h2>
+        <p>
+            Thank you for becoming a member of ACM @ UIUC! Attached is your membership pass.
+            You can add it to your Apple or Google Wallet for easy access.
+        </p>
+        <p>
+            If you have any questions, feel free to contact us at
+            <a href="mailto:[email protected]">[email protected]</a>.
+        </p>
+        <div style="text-align: center; margin-top: 20px;">
+            <a href="https://acm.illinois.edu" class="button">Visit ACM @ UIUC</a>
+        </div>
+    </div>
+    <div class="footer">
+        <p>
+            <a href="https://acm.illinois.edu">ACM @ UIUC Homepage</a>
+            <a href="mailto:[email protected]">Email ACM @ UIUC</a>
+        </p>
+    </div>
+</body>
+</html>
+  `;
+
+  const rawEmail = `
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="${boundary}"
+From: ACM @ UIUC <${senderEmail}>
+To: ${recipientEmail}
+Subject: Your ACM @ UIUC Membership
+
+--${boundary}
+Content-Type: text/html; charset="UTF-8"
+
+${emailTemplate}
+
+--${boundary}
+Content-Type: application/vnd.apple.pkpass
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="membership.pkpass"
+
+${encodedAttachment}
+--${boundary}--`.trim();
+  return new SendRawEmailCommand({
+    RawMessage: {
+      Data: new TextEncoder().encode(rawEmail),
+    },
+  });
+}

src/api/index.ts

@@ -21,6 +21,7 @@ import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
 import NodeCache from "node-cache";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { SESClient } from "@aws-sdk/client-ses";
 
 dotenv.config();
 
@@ -35,6 +36,10 @@ async function init() {
     region: genericConfig.AwsRegion,
   });
 
+  const sesClient = new SESClient({
+    region: genericConfig.AwsRegion,
+  });
+
   const app: FastifyInstance = fastify({
     logger: {
       level: process.env.LOG_LEVEL || "info",
@@ -82,6 +87,7 @@ async function init() {
   app.nodeCache = new NodeCache({ checkperiod: 30 });
   app.dynamoClient = dynamoClient;
   app.secretsManagerClient = secretsManagerClient;
+  app.sesClient = sesClient;
   app.addHook("onRequest", (req, _, done) => {
     req.startTime = now();
     const hostname = req.hostname;

src/api/package.json

@@ -17,6 +17,7 @@
   "dependencies": {
     "@aws-sdk/client-dynamodb": "^3.624.0",
     "@aws-sdk/client-secrets-manager": "^3.624.0",
+    "@aws-sdk/client-ses": "^3.734.0",
     "@aws-sdk/client-sts": "^3.726.0",
     "@aws-sdk/util-dynamodb": "^3.624.0",
     "@azure/msal-node": "^2.16.1",
@@ -25,6 +26,7 @@
     "@fastify/caching": "^9.0.1",
     "@fastify/cors": "^10.0.1",
     "@touch4it/ical-timezones": "^1.9.0",
+    "base64-arraybuffer": "^1.0.2",
     "discord.js": "^14.15.3",
     "dotenv": "^16.4.5",
     "esbuild": "^0.24.2",
@@ -36,6 +38,7 @@
     "moment": "^2.30.1",
     "moment-timezone": "^0.5.45",
     "node-cache": "^5.1.2",
+    "passkit-generator": "^3.3.1",
     "pluralize": "^8.0.0",
     "zod": "^3.23.8",
     "zod-to-json-schema": "^3.23.2",
@@ -44,4 +47,4 @@
   "devDependencies": {
     "@tsconfig/node22": "^22.0.0"
   }
-}
+}