move membership pass creation into SQS queue

Author: devksingh4

package.json

@@ -11,7 +11,7 @@
   "scripts": {
     "build": "yarn workspaces run build && yarn lockfile-manage",
     "dev": "concurrently --names 'api,ui' 'yarn workspace infra-core-api run dev' 'yarn workspace infra-core-ui run dev'",
-    "lockfile-manage": "synp --with-workspace --source-file yarn.lock && cp package-lock.json dist/lambda/ && cp src/api/package.lambda.json dist/lambda/package.json && rm package-lock.json",
+    "lockfile-manage": "synp --with-workspace --source-file yarn.lock && cp package-lock.json dist/lambda/ && cp package-lock.json dist/sqsConsumer/ && cp src/api/package.lambda.json dist/lambda/package.json && cp src/api/package.lambda.json dist/sqsConsumer/package.json && rm package-lock.json",
     "prettier": "yarn workspaces run prettier && prettier --check tests/**/*.ts",
     "prettier:write": "yarn workspaces run prettier:write && prettier --write tests/**/*.ts",
     "lint": "yarn workspaces run lint",
@@ -81,4 +81,4 @@
   "resolutions": {
     "pdfjs-dist": "^4.8.69"
   }
-}
+}

src/api/functions/entraId.ts

@@ -21,22 +21,22 @@ import {
 } from "../../common/types/iam.js";
 import { FastifyInstance } from "fastify";
 import { UserProfileDataBase } from "common/types/msGraphApi.js";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 
 function validateGroupId(groupId: string): boolean {
   const groupIdPattern = /^[a-zA-Z0-9-]+$/; // Adjust the pattern as needed
   return groupIdPattern.test(groupId);
 }
 
 export async function getEntraIdToken(
-  fastify: FastifyInstance,
+  clients: { smClient: SecretsManagerClient; dynamoClient: DynamoDBClient },
   clientId: string,
   scopes: string[] = ["https://graph.microsoft.com/.default"],
 ) {
   const secretApiConfig =
-    (await getSecretValue(
-      fastify.secretsManagerClient,
-      genericConfig.ConfigSecretName,
-    )) || {};
+    (await getSecretValue(clients.smClient, genericConfig.ConfigSecretName)) ||
+    {};
   if (
     !secretApiConfig.entra_id_private_key ||
     !secretApiConfig.entra_id_thumbprint
@@ -50,7 +50,7 @@ export async function getEntraIdToken(
     "base64",
   ).toString("utf8");
   const cachedToken = await getItemFromCache(
-    fastify.dynamoClient,
+    clients.dynamoClient,
     "entra_id_access_token",
   );
   if (cachedToken) {
@@ -80,7 +80,7 @@ export async function getEntraIdToken(
     date.setTime(date.getTime() - 30000);
     if (result?.accessToken) {
       await insertItemIntoCache(
-        fastify.dynamoClient,
+        clients.dynamoClient,
         "entra_id_access_token",
         { token: result?.accessToken },
         date,

src/api/functions/mobileWallet.ts

@@ -1,5 +1,10 @@
 import { getSecretValue } from "../plugins/auth.js";
-import { genericConfig, SecretConfig } from "../../common/config.js";
+import {
+  ConfigType,
+  genericConfig,
+  GenericConfigType,
+  SecretConfig,
+} from "../../common/config.js";
 import {
   InternalServerError,
   UnauthorizedError,
@@ -12,6 +17,9 @@ import strip from "../resources/MembershipPass.pkpass/strip.png";
 import pass from "../resources/MembershipPass.pkpass/pass.js";
 import { PKPass } from "passkit-generator";
 import { promises as fs } from "fs";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { RunEnvironment } from "common/roles.js";
+import pino from "pino";
 
 function trim(s: string) {
   return (s || "").replace(/^\s+|\s+$/g, "");
@@ -25,9 +33,11 @@ function convertName(name: string): string {
 }
 
 export async function issueAppleWalletMembershipCard(
-  app: FastifyInstance,
-  request: FastifyRequest,
+  clients: { smClient: SecretsManagerClient },
+  environmentConfig: ConfigType,
+  runEnvironment: RunEnvironment,
   email: string,
+  logger: pino.Logger,
   name?: string,
 ) {
   if (!email.endsWith("@illinois.edu")) {
@@ -37,7 +47,7 @@ export async function issueAppleWalletMembershipCard(
     });
   }
   const secretApiConfig = (await getSecretValue(
-    app.secretsManagerClient,
+    clients.smClient,
     genericConfig.ConfigSecretName,
   )) as SecretConfig;
   if (!secretApiConfig) {
@@ -57,7 +67,7 @@ export async function issueAppleWalletMembershipCard(
     secretApiConfig.apple_signing_cert_base64,
     "base64",
   ).toString("utf-8");
-  pass["passTypeIdentifier"] = app.environmentConfig["PasskitIdentifier"];
+  pass["passTypeIdentifier"] = environmentConfig["PasskitIdentifier"];
 
   const pkpass = new PKPass(
     {
@@ -73,13 +83,13 @@ export async function issueAppleWalletMembershipCard(
     },
     {
       // logoText: app.runEnvironment === "dev" ? "INVALID Membership Pass" : "Membership Pass",
-      serialNumber: app.environmentConfig["PasskitSerialNumber"],
+      serialNumber: environmentConfig["PasskitSerialNumber"],
     },
   );
   pkpass.setBarcodes({
     altText: email.split("@")[0],
     format: "PKBarcodeFormatPDF417",
-    message: app.runEnvironment === "dev" ? `INVALID${email}INVALID` : email,
+    message: runEnvironment === "dev" ? `INVALID${email}INVALID` : email,
   });
   const iat = new Date().toLocaleDateString("en-US", {
     day: "2-digit",
@@ -93,7 +103,7 @@ export async function issueAppleWalletMembershipCard(
       value: convertName(name),
     });
   }
-  if (app.runEnvironment === "prod") {
+  if (runEnvironment === "prod") {
     pkpass.backFields.push({
       label: "Verification URL",
       key: "iss",
@@ -109,7 +119,7 @@ export async function issueAppleWalletMembershipCard(
   pkpass.backFields.push({ label: "Pass Created On", key: "iat", value: iat });
   pkpass.backFields.push({ label: "Membership ID", key: "id", value: email });
   const buffer = pkpass.getAsBuffer();
-  request.log.info(
+  logger.info(
     { type: "audit", actor: email, target: email },
     "Created membership verification pass",
   );

src/api/routes/iam.ts

@@ -160,7 +160,10 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
     async (request, reply) => {
       const emails = request.body.emails;
       const entraIdToken = await getEntraIdToken(
-        fastify,
+        {
+          smClient: fastify.secretsManagerClient,
+          dynamoClient: fastify.dynamoClient,
+        },
         fastify.environmentConfig.AadValidClientId,
       );
       if (!entraIdToken) {
@@ -247,7 +250,10 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         });
       }
       const entraIdToken = await getEntraIdToken(
-        fastify,
+        {
+          smClient: fastify.secretsManagerClient,
+          dynamoClient: fastify.dynamoClient,
+        },
         fastify.environmentConfig.AadValidClientId,
       );
       const addResults = await Promise.allSettled(
@@ -371,7 +377,10 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         });
       }
       const entraIdToken = await getEntraIdToken(
-        fastify,
+        {
+          smClient: fastify.secretsManagerClient,
+          dynamoClient: fastify.dynamoClient,
+        },
         fastify.environmentConfig.AadValidClientId,
       );
       const response = await listGroupMembers(entraIdToken, groupId);

src/api/routes/mobileWallet.ts

@@ -1,21 +1,28 @@
 import { FastifyPluginAsync } from "fastify";
-import { issueAppleWalletMembershipCard } from "../functions/mobileWallet.js";
 import {
-  EntraFetchError,
+  InternalServerError,
   UnauthenticatedError,
-  UnauthorizedError,
   ValidationError,
 } from "../../common/errors/index.js";
-import { generateMembershipEmailCommand } from "../functions/ses.js";
 import { z } from "zod";
-import { getEntraIdToken, getUserProfile } from "../functions/entraId.js";
 import { checkPaidMembership } from "../functions/membership.js";
+import { AvailableSQSFunctions, SQSPayload } from "common/types/sqsMessage.js";
+import { SendMessageCommand, SQSClient } from "@aws-sdk/client-sqs";
+import { genericConfig } from "common/config.js";
+import { zodToJsonSchema } from "zod-to-json-schema";
+
+const queuedResponseJsonSchema = zodToJsonSchema(
+  z.object({
+    queueId: z.string().uuid(),
+  }),
+);
 
 const mobileWalletRoute: FastifyPluginAsync = async (fastify, _options) => {
   fastify.post<{ Querystring: { email: string } }>(
     "/membership",
     {
       schema: {
+        response: { 202: queuedResponseJsonSchema },
         querystring: {
           type: "object",
           properties: {
@@ -53,37 +60,36 @@ const mobileWalletRoute: FastifyPluginAsync = async (fastify, _options) => {
           message: `${request.query.email} is not a paid member.`,
         });
       }
-      const entraIdToken = await getEntraIdToken(
-        fastify,
-        fastify.environmentConfig.AadValidClientId,
-      );
-
-      const userProfile = await getUserProfile(
-        entraIdToken,
-        request.query.email,
-      );
-
-      const item = await issueAppleWalletMembershipCard(
-        fastify,
-        request,
-        request.query.email,
-        userProfile.displayName,
-      );
-      const emailCommand = generateMembershipEmailCommand(
-        request.query.email,
-        `membership@${fastify.environmentConfig.EmailDomain}`,
-        item,
+      const sqsPayload: SQSPayload<AvailableSQSFunctions.EmailMembershipPass> =
+        {
+          function: AvailableSQSFunctions.EmailMembershipPass,
+          metadata: {
+            initiator: "public",
+            reqId: request.id,
+          },
+          payload: {
+            email: request.query.email,
+          },
+        };
+      if (!fastify.sqsClient) {
+        fastify.sqsClient = new SQSClient({
+          region: genericConfig.AwsRegion,
+        });
+      }
+      const result = await fastify.sqsClient.send(
+        new SendMessageCommand({
+          QueueUrl: fastify.environmentConfig.SqsQueueUrl,
+          MessageBody: JSON.stringify(sqsPayload),
+        }),
       );
-      if (
-        fastify.runEnvironment === "dev" &&
-        request.query.email === "[email protected]"
-      ) {
-        return reply
-          .status(202)
-          .send({ message: "OK (skipped sending email)" });
+      if (!result.MessageId) {
+        request.log.error(result);
+        throw new InternalServerError({
+          message: "Could not add job to queue.",
+        });
       }
-      await fastify.sesClient.send(emailCommand);
-      reply.status(202).send({ message: "OK" });
+      request.log.info(`Queued job to SQS with message ID ${result.MessageId}`);
+      reply.status(202).send({ queueId: result.MessageId });
     },
   );
 };

src/api/sqs/driver.ts

@@ -11,7 +11,6 @@ const payload = parseSQSPayload({
   function: "ping",
   payload: {},
   metadata: {
-    taskId: "0",
     reqId: "1",
     initiator: "[email protected]",
   },

src/api/sqs/handlers.ts

@@ -1,10 +1,49 @@
 import { AvailableSQSFunctions } from "common/types/sqsMessage.js";
-import { SQSHandlerFunction } from "./index.js";
+import {
+  currentEnvironmentConfig,
+  runEnvironment,
+  SQSHandlerFunction,
+} from "./index.js";
+import { getEntraIdToken, getUserProfile } from "api/functions/entraId.js";
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import { environmentConfig, genericConfig } from "common/config.js";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { issueAppleWalletMembershipCard } from "api/functions/mobileWallet.js";
+import { generateMembershipEmailCommand } from "api/functions/ses.js";
+import { SESClient } from "@aws-sdk/client-ses";
 
 export const emailMembershipPassHandler: SQSHandlerFunction<
   AvailableSQSFunctions.EmailMembershipPass
-> = async (payload, metadata, logger) => {
-  logger.error("Not implemented yet!");
+> = async (payload, _metadata, logger) => {
+  const email = payload.email;
+  const commonConfig = { region: genericConfig.AwsRegion };
+  const clients = {
+    smClient: new SecretsManagerClient(commonConfig),
+    dynamoClient: new DynamoDBClient(commonConfig),
+    sesClient: new SESClient(commonConfig),
+  };
+  const entraIdToken = await getEntraIdToken(
+    clients,
+    currentEnvironmentConfig.AadValidClientId,
+  );
+  const userProfile = await getUserProfile(entraIdToken, email);
+  const pkpass = await issueAppleWalletMembershipCard(
+    clients,
+    environmentConfig[runEnvironment],
+    runEnvironment,
+    email,
+    logger,
+    userProfile.displayName,
+  );
+  const emailCommand = generateMembershipEmailCommand(
+    email,
+    `membership@${environmentConfig[runEnvironment].EmailDomain}`,
+    pkpass,
+  );
+  if (runEnvironment === "dev" && email === "[email protected]") {
+    return;
+  }
+  await clients.sesClient.send(emailCommand);
   return;
 };