Create V2 API to get membership pass with UIUC tenant ID

devksingh4 · devksingh4 · commit fcd3d265c500 · 2025-07-12T14:35:34.000-04:00
diff --git a/src/api/functions/membership.ts b/src/api/functions/membership.ts
@@ -16,6 +16,9 @@ import {
 import { EntraGroupError } from "common/errors/index.js";
 import { EntraGroupActions } from "common/types/iam.js";
 import { pollUntilNoError } from "./general.js";
+import Redis from "ioredis";
+import { getKey } from "./redisCache.js";
+import { FastifyBaseLogger } from "fastify";
 
 export const MEMBER_CACHE_SECONDS = 43200; // 12 hours
 
@@ -42,6 +45,23 @@ export async function checkExternalMembership(
   return true;
 }
 
+export async function checkPaidMembershipFromRedis(
+  netId: string,
+  redisClient: Redis.default,
+  logger: FastifyBaseLogger,
+) {
+  const cacheKey = `membership:${netId}:acmpaid`;
+  const result = await getKey<{ isMember: boolean }>({
+    redisClient,
+    key: cacheKey,
+    logger,
+  });
+  if (!result) {
+    return null;
+  }
+  return result.isMember;
+}
+
 export async function checkPaidMembershipFromTable(
   netId: string,
   dynamoClient: DynamoDBClient,
diff --git a/src/api/functions/mobileWallet.ts b/src/api/functions/mobileWallet.ts
@@ -19,6 +19,7 @@ import { RunEnvironment } from "common/roles.js";
 import pino from "pino";
 import { createAuditLogEntry } from "./auditLog.js";
 import { Modules } from "common/modules.js";
+import { FastifyBaseLogger } from "fastify";
 
 function trim(s: string) {
   return (s || "").replace(/^\s+|\s+$/g, "");
@@ -37,7 +38,7 @@ export async function issueAppleWalletMembershipCard(
   runEnvironment: RunEnvironment,
   email: string,
   initiator: string,
-  logger: pino.Logger,
+  logger: pino.Logger | FastifyBaseLogger,
   name?: string,
 ) {
   if (!email.endsWith("@illinois.edu")) {
diff --git a/src/api/index.ts b/src/api/index.ts
@@ -58,6 +58,7 @@ import apiKeyRoute from "./routes/apiKey.js";
 import clearSessionRoute from "./routes/clearSession.js";
 import protectedRoute from "./routes/protected.js";
 import eventsPlugin from "./routes/events.js";
+import mobileWalletV2Route from "./routes/v2/mobileWallet.js";
 /** END ROUTES */
 
 export const instanceId = randomUUID();
@@ -353,6 +354,12 @@ async function init(prettyPrint: boolean = false, initClients: boolean = true) {
     },
     { prefix: "/api/v1" },
   );
+  await app.register(
+    async (api, _options) => {
+      api.register(mobileWalletV2Route, { prefix: "/mobileWallet" });
+    },
+    { prefix: "/api/v2" },
+  );
   await app.register(cors, {
     origin: app.environmentConfig.ValidCorsOrigins,
     methods: ["GET", "HEAD", "POST", "PATCH", "DELETE"],
diff --git a/src/api/plugins/auth.ts b/src/api/plugins/auth.ts
@@ -1,4 +1,9 @@
-import { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
+import {
+  FastifyBaseLogger,
+  FastifyPluginAsync,
+  FastifyReply,
+  FastifyRequest,
+} from "fastify";
 import fp from "fastify-plugin";
 import jwksClient from "jwks-rsa";
 import jwt, { Algorithm, Jwt } from "jsonwebtoken";
@@ -21,6 +26,7 @@ import {
 import { getGroupRoles, getUserRoles } from "../functions/authorization.js";
 import { getApiKeyData, getApiKeyParts } from "api/functions/apiKey.js";
 import { getKey, setKey } from "api/functions/redisCache.js";
+import { Redis } from "api/types.js";
 
 export const AUTH_CACHE_PREFIX = `authCache:`;
 
@@ -107,6 +113,41 @@ export const getUserIdentifier = (request: FastifyRequest): string | null => {
   }
 };
 
+export const getJwksKey = async ({
+  redisClient,
+  kid,
+  logger,
+}: {
+  redisClient: Redis;
+  kid: string;
+  logger: FastifyBaseLogger;
+}) => {
+  let signingKey;
+  const cachedJwksSigningKey = await getKey<{ key: string }>({
+    redisClient,
+    key: `jwksKey:${kid}`,
+    logger,
+  });
+  if (cachedJwksSigningKey) {
+    signingKey = cachedJwksSigningKey.key;
+    logger.debug("Got JWKS signing key from cache.");
+  } else {
+    const client = jwksClient({
+      jwksUri: "https://login.microsoftonline.com/common/discovery/keys",
+    });
+    signingKey = (await client.getSigningKey(kid)).getPublicKey();
+    await setKey({
+      redisClient,
+      key: `jwksKey:${kid}`,
+      data: JSON.stringify({ key: signingKey }),
+      expiresIn: JWKS_CACHE_SECONDS,
+      logger,
+    });
+    logger.debug("Got JWKS signing key from server.");
+  }
+  return signingKey;
+};
+
 const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
   const handleApiKeyAuthentication = async (
     request: FastifyRequest,
@@ -230,31 +271,11 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
             audience: `api://${AadClientId}`,
           };
           const { redisClient } = fastify;
-          const cachedJwksSigningKey = await getKey<{ key: string }>({
+          signingKey = await getJwksKey({
             redisClient,
-            key: `jwksKey:${header.kid}`,
+            kid: header.kid,
             logger: request.log,
           });
-          if (cachedJwksSigningKey) {
-            signingKey = cachedJwksSigningKey.key;
-            request.log.debug("Got JWKS signing key from cache.");
-          } else {
-            const client = jwksClient({
-              jwksUri:
-                "https://login.microsoftonline.com/common/discovery/keys",
-            });
-            signingKey = (
-              await client.getSigningKey(header.kid)
-            ).getPublicKey();
-            await setKey({
-              redisClient,
-              key: `jwksKey:${header.kid}`,
-              data: JSON.stringify({ key: signingKey }),
-              expiresIn: JWKS_CACHE_SECONDS,
-              logger: request.log,
-            });
-            request.log.debug("Got JWKS signing key from server.");
-          }
         }
 
         const verifiedTokenData = jwt.verify(
diff --git a/src/api/routes/v2/mobileWallet.ts b/src/api/routes/v2/mobileWallet.ts
@@ -0,0 +1,173 @@
+import { FastifyBaseLogger, FastifyPluginAsync } from "fastify";
+import {
+  UnauthenticatedError,
+  ValidationError,
+} from "../../../common/errors/index.js";
+import * as z from "zod/v4";
+import {
+  checkPaidMembershipFromRedis,
+  checkPaidMembershipFromTable,
+} from "../../functions/membership.js";
+import rateLimiter from "api/plugins/rateLimiter.js";
+import { FastifyZodOpenApiTypeProvider } from "fastify-zod-openapi";
+import { withTags } from "api/components/index.js";
+import jwt, { Algorithm } from "jsonwebtoken";
+import { getJwksKey } from "api/plugins/auth.js";
+import { issueAppleWalletMembershipCard } from "api/functions/mobileWallet.js";
+import { Redis } from "api/types.js";
+
+const UIUC_TENANT_ID = "44467e6f-462c-4ea2-823f-7800de5434e3";
+const COULD_NOT_PARSE_MESSAGE = "ID token could not be parsed.";
+
+export const verifyUiucIdToken = async ({
+  idToken,
+  redisClient,
+  logger,
+}: {
+  idToken: string | string[] | undefined;
+  redisClient: Redis;
+  logger: FastifyBaseLogger;
+}) => {
+  if (!idToken) {
+    throw new UnauthenticatedError({
+      message: "ID token not found.",
+    });
+  }
+  if (Array.isArray(idToken)) {
+    throw new ValidationError({
+      message: "Multiple tokens cannot be specified!",
+    });
+  }
+  const decoded = jwt.decode(idToken, { complete: true });
+  if (!decoded) {
+    throw new UnauthenticatedError({
+      message: COULD_NOT_PARSE_MESSAGE,
+    });
+  }
+  const header = decoded?.header;
+  if (!header.kid) {
+    throw new UnauthenticatedError({
+      message: COULD_NOT_PARSE_MESSAGE,
+    });
+  }
+  const signingKey = await getJwksKey({
+    redisClient,
+    kid: header.kid,
+    logger,
+  });
+  const verifyOptions: jwt.VerifyOptions = {
+    algorithms: ["RS256" as Algorithm],
+    issuer: `https://login.microsoftonline.com/${UIUC_TENANT_ID}/v2.0`,
+  };
+  let verifiedData;
+  try {
+    verifiedData = jwt.verify(idToken, signingKey, verifyOptions) as {
+      preferred_username?: string;
+      email?: string;
+      name?: string;
+    };
+  } catch (e) {
+    if (e instanceof Error && e.name === "TokenExpiredError") {
+      throw new UnauthenticatedError({
+        message: "Access token has expired.",
+      });
+    }
+    if (e instanceof Error && e.name === "JsonWebTokenError") {
+      logger.error(e);
+      throw new UnauthenticatedError({
+        message: COULD_NOT_PARSE_MESSAGE,
+      });
+    }
+    throw e;
+  }
+  return verifiedData;
+};
+
+const mobileWalletV2Route: FastifyPluginAsync = async (fastify, _options) => {
+  fastify.register(rateLimiter, {
+    limit: 15,
+    duration: 30,
+    rateLimitIdentifier: "mobileWalletV2",
+  });
+  fastify.withTypeProvider<FastifyZodOpenApiTypeProvider>().get(
+    "/membership",
+    {
+      schema: withTags(["Mobile Wallet"], {
+        summary: "Retrieve mobile wallet pass for ACM member.",
+        headers: z.object({
+          "x-uiuc-id-token": z.jwt().min(1).meta({
+            description:
+              "An access token for the user in the UIUC Entra ID tenant.",
+          }),
+        }),
+        response: {
+          204: {
+            description: "A mobile wallet pass has been generated.",
+            content: {
+              "application/vnd.apple.pkpass": {
+                schema: z.any(),
+                description:
+                  "A pkpass file which contains the user's ACM @ UIUC membership pass.",
+              },
+            },
+          },
+        },
+      }),
+    },
+    async (request, reply) => {
+      const idToken = request.headers["x-uiuc-id-token"];
+      const verifiedData = await verifyUiucIdToken({
+        idToken,
+        redisClient: fastify.redisClient,
+        logger: request.log,
+      });
+      const { preferred_username: upn, email, name } = verifiedData;
+      if (!upn || !email || !name) {
+        throw new UnauthenticatedError({
+          message: COULD_NOT_PARSE_MESSAGE,
+        });
+      }
+      const netId = upn.replace("@illinois.edu", "");
+      if (netId.includes("@")) {
+        request.log.error(
+          `Found UPN ${upn} which cannot be turned into NetID via simple replacement.`,
+        );
+        throw new ValidationError({
+          message: "ID token could not be parsed.",
+        });
+      }
+      let isPaidMember = await checkPaidMembershipFromRedis(
+        netId,
+        fastify.redisClient,
+        request.log,
+      );
+      if (isPaidMember === null) {
+        isPaidMember = await checkPaidMembershipFromTable(
+          netId,
+          fastify.dynamoClient,
+        );
+      }
+
+      if (!isPaidMember) {
+        throw new UnauthenticatedError({
+          message: `${upn} is not a paid member.`,
+        });
+      }
+
+      const pkpass = await issueAppleWalletMembershipCard(
+        { smClient: fastify.secretsManagerClient },
+        fastify.environmentConfig,
+        fastify.runEnvironment,
+        upn,
+        upn,
+        request.log,
+        name,
+      );
+      await reply
+        .header("Content-Type", "application/vnd.apple.pkpass")
+        .send(pkpass);
+    },
+  );
+};
+
+export default mobileWalletV2Route;
