Add v2 membership route

Author: devksingh4

src/api/routes/membership.ts

@@ -86,20 +86,13 @@ const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
       "/",
       {
         schema: withTags(["Membership"], {
-          querystring: z.object({
-            list: z.string().min(1).optional().meta({
-              description:
-                "Membership list to check from (defaults to ACM Paid Member list).",
-            }),
-          }),
           headers: z.object({
             "x-uiuc-token": z.jwt().min(1).meta({
               description:
                 "An access token for the user in the UIUC Entra ID tenant.",
             }),
           }),
-          summary:
-            "Authenticated check ACM @ UIUC paid membership (or partner organization membership) status.",
+          summary: "Check self ACM @ UIUC paid membership.",
           response: {
             200: {
               description: "List membership status.",
@@ -110,7 +103,6 @@ const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
                       givenName: z.string().min(1),
                       surname: z.string().min(1),
                       netId: illinoisNetId,
-                      list: z.optional(z.string().min(1)),
                       isPaidMember: z.boolean(),
                     })
                     .meta({
@@ -143,7 +135,7 @@ const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
             message: "ID token could not be parsed.",
           });
         }
-        const list = request.query.list || "acmpaid";
+        const list = "acmpaid";
         const cacheKey = `membership:${netId}:${list}`;
         const result = await getKey<{ isMember: boolean }>({
           redisClient: fastify.redisClient,
@@ -238,6 +230,8 @@ const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
       "/:netId",
       {
         schema: withTags(["Membership"], {
+          deprecated: true,
+          description: "[DEPRECATED] DO NOT USE!",
           params: z.object({ netId: illinoisNetId }),
           querystring: z.object({
             list: z.string().min(1).optional().meta({

src/api/routes/v2/membership.ts

@@ -1,17 +1,68 @@
 import {
   checkPaidMembershipFromTable,
   checkPaidMembershipFromRedis,
+  checkExternalMembership,
+  MEMBER_CACHE_SECONDS,
+  checkPaidMembershipFromEntra,
+  setPaidMembershipInTable,
 } from "api/functions/membership.js";
 import { FastifyPluginAsync } from "fastify";
-import { ValidationError } from "common/errors/index.js";
+import {
+  InternalServerError,
+  UnauthorizedError,
+  ValidationError,
+} from "common/errors/index.js";
 import rateLimiter from "api/plugins/rateLimiter.js";
 import { createCheckoutSession } from "api/functions/stripe.js";
 import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
 import * as z from "zod/v4";
-import { notAuthenticatedError, withTags } from "api/components/index.js";
+import {
+  illinoisNetId,
+  notAuthenticatedError,
+  withRoles,
+  withTags,
+} from "api/components/index.js";
 import { verifyUiucAccessToken, saveHashedUserUin } from "api/functions/uin.js";
+import { getKey, setKey } from "api/functions/redisCache.js";
+import { getEntraIdToken } from "api/functions/entraId.js";
+import { genericConfig, roleArns } from "common/config.js";
+import { getRoleCredentials } from "api/functions/sts.js";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import { AppRoles } from "common/roles.js";
 
 const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
+  const getAuthorizedClients = async () => {
+    if (roleArns.Entra) {
+      fastify.log.info(
+        `Attempting to assume Entra role ${roleArns.Entra} to get the Entra token...`,
+      );
+      const credentials = await getRoleCredentials(roleArns.Entra);
+      const clients = {
+        smClient: new SecretsManagerClient({
+          region: genericConfig.AwsRegion,
+          credentials,
+        }),
+        dynamoClient: new DynamoDBClient({
+          region: genericConfig.AwsRegion,
+          credentials,
+        }),
+        redisClient: fastify.redisClient,
+      };
+      fastify.log.info(
+        `Assumed Entra role ${roleArns.Entra} to get the Entra token.`,
+      );
+      return clients;
+    }
+    fastify.log.debug(
+      "Did not assume Entra role as no env variable was present",
+    );
+    return {
+      smClient: fastify.secretsManagerClient,
+      dynamoClient: fastify.dynamoClient,
+      redisClient: fastify.redisClient,
+    };
+  };
   const limitedRoutes: FastifyPluginAsync = async (fastify) => {
     await fastify.register(rateLimiter, {
       limit: 15,
@@ -109,6 +160,158 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
         );
       },
     );
+    fastify.withTypeProvider<FastifyZodOpenApiTypeProvider>().get(
+      "/:netId",
+      {
+        schema: withRoles(
+          [
+            AppRoles.VIEW_INTERNAL_MEMBERSHIP_LIST,
+            AppRoles.VIEW_EXTERNAL_MEMBERSHIP_LIST,
+          ],
+          withTags(["Membership"], {
+            params: z.object({ netId: illinoisNetId }),
+            querystring: z.object({
+              list: z.string().min(1).optional().meta({
+                example: "built",
+                description:
+                  "Membership list to check from (defaults to ACM Paid Member list).",
+              }),
+            }),
+            summary:
+              "Check ACM @ UIUC paid membership (or partner organization membership) status.",
+            response: {
+              200: {
+                description: "List membership status.",
+                content: {
+                  "application/json": {
+                    schema: z
+                      .object({
+                        netId: illinoisNetId,
+                        list: z.optional(z.string().min(1)),
+                        isPaidMember: z.boolean(),
+                      })
+                      .meta({
+                        example: {
+                          netId: "rjjones",
+                          list: "built",
+                          isPaidMember: false,
+                        },
+                      }),
+                  },
+                },
+              },
+            },
+          }),
+        ),
+        onRequest: async (request, reply) => {
+          await fastify.authorizeFromSchema(request, reply);
+          if (!request.userRoles) {
+            throw new InternalServerError({});
+          }
+          const list = request.query.list || "acmpaid";
+          if (
+            list === "acmpaid" &&
+            !request.userRoles.has(AppRoles.VIEW_INTERNAL_MEMBERSHIP_LIST)
+          ) {
+            throw new UnauthorizedError({});
+          }
+          if (
+            list !== "acmpaid" &&
+            !request.userRoles.has(AppRoles.VIEW_EXTERNAL_MEMBERSHIP_LIST)
+          ) {
+            throw new UnauthorizedError({});
+          }
+        },
+      },
+      async (request, reply) => {
+        const netId = request.params.netId.toLowerCase();
+        const list = request.query.list || "acmpaid";
+        const cacheKey = `membership:${netId}:${list}`;
+        const result = await getKey<{ isMember: boolean }>({
+          redisClient: fastify.redisClient,
+          key: cacheKey,
+          logger: request.log,
+        });
+        if (result) {
+          return reply.header("X-ACM-Data-Source", "cache").send({
+            netId,
+            list: list === "acmpaid" ? undefined : list,
+            isPaidMember: result.isMember,
+          });
+        }
+        if (list !== "acmpaid") {
+          const isMember = await checkExternalMembership(
+            netId,
+            list,
+            fastify.dynamoClient,
+          );
+          await setKey({
+            redisClient: fastify.redisClient,
+            key: cacheKey,
+            data: JSON.stringify({ isMember }),
+            expiresIn: MEMBER_CACHE_SECONDS,
+            logger: request.log,
+          });
+          return reply.header("X-ACM-Data-Source", "dynamo").send({
+            netId,
+            list,
+            isPaidMember: isMember,
+          });
+        }
+        const isDynamoMember = await checkPaidMembershipFromTable(
+          netId,
+          fastify.dynamoClient,
+        );
+        if (isDynamoMember) {
+          await setKey({
+            redisClient: fastify.redisClient,
+            key: cacheKey,
+            data: JSON.stringify({ isMember: true }),
+            expiresIn: MEMBER_CACHE_SECONDS,
+            logger: request.log,
+          });
+          return reply
+            .header("X-ACM-Data-Source", "dynamo")
+            .send({ netId, isPaidMember: true });
+        }
+        const entraIdToken = await getEntraIdToken({
+          clients: await getAuthorizedClients(),
+          clientId: fastify.environmentConfig.AadValidClientId,
+          secretName: genericConfig.EntraSecretName,
+          logger: request.log,
+        });
+        const paidMemberGroup = fastify.environmentConfig.PaidMemberGroupId;
+        const isAadMember = await checkPaidMembershipFromEntra(
+          netId,
+          entraIdToken,
+          paidMemberGroup,
+        );
+        if (isAadMember) {
+          await setKey({
+            redisClient: fastify.redisClient,
+            key: cacheKey,
+            data: JSON.stringify({ isMember: true }),
+            expiresIn: MEMBER_CACHE_SECONDS,
+            logger: request.log,
+          });
+          reply
+            .header("X-ACM-Data-Source", "aad")
+            .send({ netId, isPaidMember: true });
+          await setPaidMembershipInTable(netId, fastify.dynamoClient);
+          return;
+        }
+        await setKey({
+          redisClient: fastify.redisClient,
+          key: cacheKey,
+          data: JSON.stringify({ isMember: false }),
+          expiresIn: MEMBER_CACHE_SECONDS,
+          logger: request.log,
+        });
+        return reply
+          .header("X-ACM-Data-Source", "aad")
+          .send({ netId, isPaidMember: false });
+      },
+    );
   };
   fastify.register(limitedRoutes);
 };

src/common/config.ts

@@ -19,7 +19,6 @@ export type ConfigType = {
   LinkryBaseUrl: string
   PasskitIdentifier: string;
   PasskitSerialNumber: string;
-  MembershipApiEndpoint: string;
   EmailDomain: string;
   SqsQueueUrl: string;
   PaidMemberGroupId: string;
@@ -115,8 +114,6 @@ const environmentConfig: EnvironmentConfigType = {
     LinkryBaseUrl: "https://core.aws.qa.acmuiuc.org",
     PasskitIdentifier: "pass.org.acmuiuc.qa.membership",
     PasskitSerialNumber: "0",
-    MembershipApiEndpoint:
-      "https://core.aws.qa.acmuiuc.org/api/v1/membership",
     EmailDomain: "aws.qa.acmuiuc.org",
     SqsQueueUrl:
       "https://sqs.us-east-1.amazonaws.com/427040638965/infra-core-api-sqs",
@@ -141,8 +138,6 @@ const environmentConfig: EnvironmentConfigType = {
     LinkryBaseUrl: "https://go.acm.illinois.edu/",
     PasskitIdentifier: "pass.edu.illinois.acm.membership",
     PasskitSerialNumber: "0",
-    MembershipApiEndpoint:
-      "https://core.acm.illinois.edu/api/v1/membership",
     EmailDomain: "acm.illinois.edu",
     SqsQueueUrl:
       "https://sqs.us-east-1.amazonaws.com/298118738376/infra-core-api-sqs",

src/common/errors/index.ts

@@ -55,8 +55,8 @@ export class NotImplementedError extends BaseError<"NotImplementedError"> {
 }
 
 export class UnauthorizedError extends BaseError<"UnauthorizedError"> {
-  constructor({ message }: { message: string }) {
-    super({ name: "UnauthorizedError", id: 101, message, httpStatusCode: 401 });
+  constructor({ message }: { message?: string }) {
+    super({ name: "UnauthorizedError", id: 101, message: message || "Caller does not have permission.", httpStatusCode: 401 });
   }
 }
 

src/common/policies/definition.ts

@@ -2,14 +2,15 @@ import { FastifyRequest } from "fastify";
 import { hostRestrictionPolicy } from "./events.js";
 import * as z from "zod/v4";
 import { AuthorizationPolicyResult } from "./evaluator.js";
+import { membershipListPolicy } from "./membershipListPolicy.js";
 
 type Policy<TParamsSchema extends z.ZodObject<any>> = {
   name: string;
   paramsSchema: TParamsSchema;
   evaluator: (
-  request: FastifyRequest,
-  params: z.infer<TParamsSchema>)
-  => AuthorizationPolicyResult;
+    request: FastifyRequest,
+    params: z.infer<TParamsSchema>)
+    => AuthorizationPolicyResult;
 };
 
 type PolicyParams<T> = T extends Policy<infer U> ? z.infer<U> : never;
@@ -20,14 +21,15 @@ type PolicyRegistry = {
 
 // Type to generate a strongly-typed version of the policy registry
 type TypedPolicyRegistry<T extends PolicyRegistry> = { [K in
-keyof T]: {
-  name: T[K]["name"];
-  params: PolicyParams<T[K]>;
-} };
+  keyof T]: {
+    name: T[K]["name"];
+    params: PolicyParams<T[K]>;
+  } };
 
 
 export const AuthorizationPoliciesRegistry: PolicyRegistry = {
-  EventsHostRestrictionPolicy: hostRestrictionPolicy
+  EventsHostRestrictionPolicy: hostRestrictionPolicy,
+  MembershipListQueryPolicy: membershipListPolicy
 } as const;
 
 export type AvailableAuthorizationPolicies = TypedPolicyRegistry<
@@ -37,4 +39,4 @@ export type AvailableAuthorizationPolicies = TypedPolicyRegistry<
 export type AvailableAuthorizationPolicy = {
   name: keyof typeof AuthorizationPoliciesRegistry;
   params: PolicyParams<typeof AuthorizationPoliciesRegistry[keyof typeof AuthorizationPoliciesRegistry]>;
-};
+};