Use testing credentials secret from AWS for JWT key

cloudformation/iam.yml

@@ -43,6 +43,7 @@ Resources:
             Effect: Allow
             Resource:
               - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config*
+              - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:427040638965:secret:infra-core-api-testing-credentials* # this secret only exists in awsdev account
 
           - Action:
               - dynamodb:DescribeLimits

generate_jwt.js

@@ -20,7 +20,7 @@ export const getSecretValue = async (secretId) => {
   }
 };
 
-const secrets = await getSecretValue("infra-core-api-config");
+const secrets = await getSecretValue("infra-core-api-testing-credentials");
 const client = new STSClient({ region: "us-east-1" });
 const command = new GetCallerIdentityCommand({});
 let data;

src/api/index.ts

@@ -15,6 +15,7 @@ import {
   environmentConfig,
   genericConfig,
   SecretConfig,
+  SecretTesting,
 } from "../common/config.js";
 import organizationsPlugin from "./routes/organizations.js";
 import authorizeFromSchemaPlugin from "./plugins/authorizeFromSchema.js";
@@ -252,13 +253,20 @@ async function init(prettyPrint: boolean = false) {
   app.dynamoClient = dynamoClient;
   app.secretsManagerClient = secretsManagerClient;
   app.redisClient = redisClient;
-  app.secretConfig = secret;
   app.refreshSecretConfig = async () => {
     app.secretConfig = (await getSecretValue(
       app.secretsManagerClient,
       genericConfig.ConfigSecretName,
     )) as SecretConfig;
+    if (app.environmentConfig.TestingCredentialsSecret) {
+      const temp = (await getSecretValue(
+        app.secretsManagerClient,
+        app.environmentConfig.TestingCredentialsSecret,
+      )) as SecretTesting;
+      app.secretConfig = { ...app.secretConfig, ...temp };
+    }
   };
+  app.refreshSecretConfig();
   app.addHook("onRequest", (req, _, done) => {
     req.startTime = now();
     const hostname = req.hostname;

src/api/lambda.ts

@@ -1,8 +1,9 @@
 import "zod-openapi/extend";
-import awsLambdaFastify from "@fastify/aws-lambda";
+import awsLambdaFastify, { LambdaResponse } from "@fastify/aws-lambda";
 import init from "./index.js";
 import warmer from "lambda-warmer";
 import { type APIGatewayEvent, type Context } from "aws-lambda";
+import { InternalServerError } from "common/errors/index.js";
 
 const app = await init();
 const realHandler = awsLambdaFastify(app, {
@@ -16,7 +17,21 @@ const handler = async (event: APIGatewayEvent, context: Context) => {
     return "warmed";
   }
   // else proceed with handler logic
-  return realHandler(event, context);
+  return realHandler(event, context).catch((e) => {
+    console.error(e);
+    const newError = new InternalServerError({
+      message: "Failed to initialize application.",
+    });
+    const json = JSON.stringify(newError.toJson());
+    return {
+      statusCode: newError.httpStatusCode,
+      body: json,
+      headers: {
+        "Content-Type": "application/json",
+      },
+      isBase64Encoded: false,
+    };
+  });
 };
 
 await app.ready(); // needs to be placed after awsLambdaFastify call because of the decoration: https://github.com/fastify/aws-lambda-fastify/blob/master/index.js#L9

src/api/plugins/auth.ts

@@ -13,7 +13,7 @@ import {
   UnauthenticatedError,
   UnauthorizedError,
 } from "../../common/errors/index.js";
-import { SecretConfig } from "../../common/config.js";
+import { SecretConfig, SecretTesting } from "../../common/config.js";
 import {
   AUTH_DECISION_CACHE_SECONDS,
   getGroupRoles,
@@ -195,7 +195,7 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
           }
           signingKey =
             process.env.JwtSigningKey ||
-            (fastify.secretConfig.jwt_key as string) ||
+            ((fastify.secretConfig as SecretTesting).jwt_key as string) ||
             "";
           if (signingKey === "") {
             throw new UnauthenticatedError({

src/api/types.d.ts

@@ -2,7 +2,7 @@
 import { FastifyRequest, FastifyInstance, FastifyReply } from "fastify";
 import { AppRoles, RunEnvironment } from "../common/roles.js";
 import { AadToken } from "./plugins/auth.js";
-import { ConfigType, SecretConfig } from "../common/config.js";
+import { ConfigType, SecretConfig, SecretTesting } from "../common/config.js";
 import NodeCache from "node-cache";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
@@ -36,7 +36,7 @@ declare module "fastify" {
     redisClient: Redis;
     secretsManagerClient: SecretsManagerClient;
     cloudfrontKvClient: CloudFrontKeyValueStoreClient;
-    secretConfig: SecretConfig;
+    secretConfig: SecretConfig | (SecretConfig & SecretTesting);
     refreshSecretConfig: CallableFunction;
   }
   interface FastifyRequest {

src/common/config.ts

@@ -23,6 +23,7 @@ export type ConfigType = {
   PaidMemberPriceId: string;
   AadValidReadOnlyClientId: string;
   LinkryCloudfrontKvArn?: string;
+  TestingCredentialsSecret?: string;
 };
 
 export type GenericConfigType = {
@@ -98,6 +99,7 @@ const environmentConfig: EnvironmentConfigType = {
       /^https:\/\/(?:.*\.)?acmuiuc\.pages\.dev$/,
       /http:\/\/localhost:\d+$/,
     ],
+    TestingCredentialsSecret: "infra-core-api-testing-credentials",
     AadValidClientId: "39c28870-94e4-47ee-b4fb-affe0bf96c9f",
     LinkryBaseUrl: "https://core.aws.qa.acmuiuc.org",
     PasskitIdentifier: "pass.org.acmuiuc.qa.membership",
@@ -137,7 +139,6 @@ const environmentConfig: EnvironmentConfigType = {
 };
 
 export type SecretConfig = {
-  jwt_key?: string;
   discord_guild_id: string;
   discord_bot_token: string;
   entra_id_private_key?: string;
@@ -151,6 +152,10 @@ export type SecretConfig = {
   redis_url: string;
 };
 
+export type SecretTesting = {
+  jwt_key: string;
+}
+
 const roleArns = {
   Entra: process.env.EntraRoleArn,
 };

tests/e2e/base.ts

@@ -30,7 +30,7 @@ async function getSecrets() {
   let response = { PLAYWRIGHT_USERNAME: "", PLAYWRIGHT_PASSWORD: "" };
   let keyData;
   if (!process.env.PLAYWRIGHT_USERNAME || !process.env.PLAYWRIGHT_PASSWORD) {
-    keyData = await getSecretValue("infra-core-api-config");
+    keyData = await getSecretValue("infra-core-api-testing-credentials");
   }
   response["PLAYWRIGHT_USERNAME"] =
     process.env.PLAYWRIGHT_USERNAME ||

tests/live/utils.ts

@@ -30,7 +30,7 @@ async function getSecrets() {
   const response = { JWTKEY: "" };
   let keyData;
   if (!process.env.JWT_KEY) {
-    keyData = await getSecretValue("infra-core-api-config");
+    keyData = await getSecretValue("infra-core-api-testing-credentials");
   }
   response["JWTKEY"] =
     process.env.JWT_KEY || ((keyData ? keyData["jwt_key"] : "") as string);

tests/unit/apiKey.test.ts

@@ -2,7 +2,7 @@ import { afterAll, expect, test, beforeEach, vi, describe } from "vitest";
 import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/api/index.js";
 import { createJwt } from "./auth.test.js";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import supertest from "supertest";
 import {
   ConditionalCheckFailedException,
@@ -31,7 +31,7 @@ vi.mock("../../src/api/functions/apiKey.js", () => {
 // Mock DynamoDB client
 const dynamoMock = mockClient(DynamoDBClient);
 const sqsMock = mockClient(SQSClient);
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 
 vi.stubEnv("JwtSigningKey", jwt_secret);
 

tests/unit/auth.test.ts

@@ -5,13 +5,14 @@ import {
   secretObject,
   jwtPayload,
   jwtPayloadNoGroups,
+  testSecretObject,
 } from "./secret.testdata.js";
 import jwt from "jsonwebtoken";
 import { allAppRoles, AppRoles } from "../../src/common/roles.js";
 import { beforeEach, describe } from "node:test";
 
 const app = await init();
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 export function createJwt(date?: Date, groups?: string[], email?: string) {
   let modifiedPayload = {
     ...jwtPayload,

tests/unit/discordEvent.test.ts

@@ -3,14 +3,14 @@ import { DynamoDBClient, PutItemCommand } from "@aws-sdk/client-dynamodb";
 import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/api/index.js";
 import { createJwt } from "./auth.test.js";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import supertest from "supertest";
 import { describe } from "node:test";
 import { updateDiscord } from "../../src/api/functions/discord.js";
 
 const ddbMock = mockClient(DynamoDBClient);
 
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 vi.stubEnv("JwtSigningKey", jwt_secret);
 
 vi.mock("../../src/api/functions/discord.js", () => {

tests/unit/entraInviteUser.test.ts

@@ -1,7 +1,7 @@
 import { afterAll, expect, test, beforeEach, vi } from "vitest";
 import init from "../../src/api/index.js";
 import { createJwt } from "./auth.test.js";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import supertest from "supertest";
 import { describe } from "node:test";
 
@@ -23,7 +23,7 @@ import {
 } from "../../src/api/functions/entraId.js";
 import { EntraInvitationError } from "../../src/common/errors/index.js";
 
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 
 vi.stubEnv("JwtSigningKey", jwt_secret);
 

tests/unit/eventPost.test.ts

@@ -8,12 +8,12 @@ import {
 import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/api/index.js";
 import { createJwt } from "./auth.test.js";
-import { secretJson, secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import supertest from "supertest";
 import { marshall } from "@aws-sdk/util-dynamodb";
 
 const ddbMock = mockClient(DynamoDBClient);
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 vi.stubEnv("JwtSigningKey", jwt_secret);
 
 const app = await init();

tests/unit/events.test.ts

@@ -8,12 +8,12 @@ import {
 import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/api/index.js";
 import { createJwt } from "./auth.test.js";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import supertest from "supertest";
 import { marshall } from "@aws-sdk/util-dynamodb";
 
 const ddbMock = mockClient(DynamoDBClient);
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 vi.stubEnv("JwtSigningKey", jwt_secret);
 
 // Mock the Discord client to prevent the actual Discord API call

tests/unit/ical.test.ts

@@ -6,11 +6,11 @@ import {
   dynamoEventWithRepeatExclusion,
   dynamoTableData,
 } from "./mockEventData.testdata.js";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import { readFile } from "fs/promises";
 
 const ddbMock = mockClient(DynamoDBClient);
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 vi.stubEnv("JwtSigningKey", jwt_secret);
 
 const app = await init();

tests/unit/linkry.test.ts

@@ -9,13 +9,13 @@ import {
 import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/api/index.js";
 import { createJwt } from "./auth.test.js";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import supertest from "supertest";
 import { dynamoTableData } from "./mockLinkryData.testdata.js";
 import { genericConfig } from "../../src/common/config.js";
 
 const ddbMock = mockClient(DynamoDBClient);
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 vi.stubEnv("JwtSigningKey", jwt_secret);
 
 // Mock the Cloudfront KV client to prevent the actual Cloudfront KV call

tests/unit/logs.test.ts

@@ -3,15 +3,15 @@ import init from "../../src/api/index.js";
 import { describe } from "node:test";
 import { mockClient } from "aws-sdk-client-mock";
 import { DynamoDBClient, QueryCommand } from "@aws-sdk/client-dynamodb";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import supertest from "supertest";
 import { createJwt } from "./auth.test.js";
 import { genericConfig } from "../../src/common/config.js";
 import { marshall } from "@aws-sdk/util-dynamodb";
 import { Modules } from "../../src/common/modules.js";
 
 const ddbMock = mockClient(DynamoDBClient);
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 vi.stubEnv("JwtSigningKey", jwt_secret);
 
 const app = await init();

tests/unit/secret.testdata.ts

@@ -1,7 +1,6 @@
 import { SecretConfig } from "../../src/common/config.js";
 
 const secretObject = {
-  jwt_key: "somethingreallysecret",
   discord_guild_id: "12345",
   discord_bot_token: "12345",
   entra_id_private_key: "",
@@ -13,10 +12,16 @@ const secretObject = {
   acm_passkit_signerKey_base64: "",
   apple_signing_cert_base64: "",
   redis_url: "",
-} as SecretConfig & { jwt_key: string };
+} as SecretConfig;
+
+const testSecretObject = {
+  jwt_key: "somethingreallysecret",
+};
 
 const secretJson = JSON.stringify(secretObject);
 
+const testSecretJson = JSON.stringify(testSecretObject);
+
 const jwtPayload = {
   aud: "custom_jwt",
   iss: "custom_jwt",
@@ -69,4 +74,11 @@ const jwtPayloadNoGroups = {
   ver: "1.0",
 };
 
-export { secretJson, secretObject, jwtPayload, jwtPayloadNoGroups };
+export {
+  secretJson,
+  secretObject,
+  testSecretJson,
+  testSecretObject,
+  jwtPayload,
+  jwtPayloadNoGroups,
+};

tests/unit/tickets.test.ts

@@ -9,7 +9,7 @@ import {
 } from "@aws-sdk/client-dynamodb";
 import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/api/index.js";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import {
   dynamoTableData,
   fulfilledMerchItem1,
@@ -28,7 +28,7 @@ import {
 } from "./data/mockTIcketsMerchMetadata.testdata.js";
 
 const ddbMock = mockClient(DynamoDBClient);
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 vi.stubEnv("JwtSigningKey", jwt_secret);
 
 const app = await init();

tests/unit/vitest.setup.ts

@@ -8,8 +8,8 @@ import {
 } from "@aws-sdk/client-secrets-manager";
 import { mockClient } from "aws-sdk-client-mock";
 import { marshall } from "@aws-sdk/util-dynamodb";
-import { genericConfig } from "../../src/common/config.js";
-import { secretJson } from "./secret.testdata.js";
+import { environmentConfig, genericConfig } from "../../src/common/config.js";
+import { secretJson, testSecretJson } from "./secret.testdata.js";
 
 const ddbMock = mockClient(DynamoDBClient);
 const smMock = mockClient(SecretsManagerClient);
@@ -114,6 +114,9 @@ smMock.on(GetSecretValueCommand).callsFake((command) => {
   if (command.SecretId == genericConfig.ConfigSecretName) {
     return Promise.resolve({ SecretString: secretJson });
   }
+  if (command.SecretId == environmentConfig["dev"].TestingCredentialsSecret) {
+    return Promise.resolve({ SecretString: testSecretJson });
+  }
   return Promise.reject(new Error("Secret ID not mocked"));
 });