feat(api)!: add support for preflight requests to use presigned S3 urls (#18)

* wip

* update deps

* add hash options endpoint

* create presigned requests

* wip

* refactor(api): update authorizer and user info function handling

- Renamed `tokenAuthorizerFunction` to `authorizerFunction` for clarity.
- Introduced `userInfoFunction` prop to allow custom user info function.
- Enabled the addition of a `GET /v2/user` endpoint with proper documentation.
- Updated `LambdaFunctions` class to handle custom authorizer and user info functions, improving flexibility in function management.

* fix(api): update artifact integration paths to use teamId instead of slug

- Changed API integration paths in getArtifact, headArtifact, and putArtifact functions to replace 'slug' with 'teamId'.
- Updated request parameters accordingly to ensure proper handling of teamId in API requests.
- This change improves the clarity and functionality of artifact management by aligning with the new team-based structure.

* refactor(preflight): replace JWT team extraction with authorizer teamId and improve error handling

- Updated the handler to use `teamId` from the request context instead of extracting it from the JWT token.
- Enhanced error responses to return JSON formatted messages for missing headers and invalid request methods.
- Adjusted S3 object keys and presigned URL generation to utilize `teamId`, ensuring consistency with the new authorization structure.

* feat(infra): add AWS Lambda authorizer and user info functions

- Introduced two new Lambda functions: `aryaAuthorizer` for token-based authorization and `getUserInfo` for fetching user data.
- Updated `package.json` and `pnpm-lock.yaml` to include `@types/aws-lambda` as a dev dependency.
- Enhanced the TurboRemoteCacheStack to integrate the new Lambda functions, improving API security and user management.

* remove debug logs

* add default team for token auth

Author: aryasaatvik

apps/infrastructure/lambda/arya-authorizer/index.ts

@@ -0,0 +1,44 @@
+import { APIGatewayTokenAuthorizerHandler } from "aws-lambda";
+
+export const handler: APIGatewayTokenAuthorizerHandler = async (event) => {
+  let token = event.authorizationToken;
+  if (token.startsWith('Bearer ')) {
+    token = token.substring(7);
+  }
+
+  const methodArnParts = event.methodArn.split(':');
+  const region = methodArnParts[3];
+  const accountId = methodArnParts[4];
+  const apiParts = methodArnParts[5].split('/');
+  const apiId = apiParts[0];
+  const stage = apiParts[1];
+
+  const response = await fetch('https://auth.arya.sh/turborepo/user', {
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error('Unauthorized');
+  }
+
+  const userData = await response.json();
+
+  return {
+    principalId: 'user',
+    policyDocument: {
+      Version: '2012-10-17',
+      Statement: [{
+        Action: 'execute-api:Invoke',
+        Effect: 'Allow',
+        Resource: `arn:aws:execute-api:${region}:${accountId}:${apiId}/${stage}/*/*`
+      }]
+    },
+    context: {
+      userId: userData.user.id,
+      teamId: userData.team.id,
+      teamSlug: userData.team.slug,
+    },
+  };
+};

apps/infrastructure/lambda/get-user-info/index.ts

@@ -0,0 +1,33 @@
+import { APIGatewayProxyHandler } from 'aws-lambda';
+
+export const handler: APIGatewayProxyHandler = async (event) => {
+  const authHeader = event.headers.Authorization;
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return {
+      statusCode: 401,
+      body: JSON.stringify({ error: 'Unauthorized' }),
+    };
+  }
+
+  const token = authHeader.split(' ')[1];
+
+  const response = await fetch('https://auth.arya.sh/turborepo/user', {
+    headers: {
+      Authorization: `Bearer ${token}`,
+    },
+  });
+
+  if (!response.ok) {
+    return {
+      statusCode: 401,
+      body: JSON.stringify({ error: 'Unauthorized' }),
+    };
+  }
+
+  const user = await response.json();
+
+  return {
+    statusCode: 200,
+    body: JSON.stringify(user),
+  };
+};

apps/infrastructure/lib/turbo-remote-cache-stack.ts

@@ -5,6 +5,7 @@ import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as apigateway from 'aws-cdk-lib/aws-apigateway';
 import * as dotenv from 'dotenv';
 import * as path from 'path';
+import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 
 export class TurboRemoteCacheStack extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
@@ -16,6 +17,18 @@ export class TurboRemoteCacheStack extends cdk.Stack {
       throw new Error('TURBO_TOKEN is not set');
     }
 
+    const aryaAuthorizer = new NodejsFunction(this, 'AryaAuthorizer', {
+      runtime: cdk.aws_lambda.Runtime.NODEJS_20_X,
+      handler: 'handler',
+      entry: path.join(__dirname, '..', 'lambda', 'arya-authorizer', 'index.ts'),
+    });
+
+    const userInfo = new NodejsFunction(this, 'UserInfo', {
+      runtime: cdk.aws_lambda.Runtime.NODEJS_20_X,
+      handler: 'handler',
+      entry: path.join(__dirname, '..', 'lambda', 'get-user-info', 'index.ts'),
+    });
+
     new TurboRemoteCache(this, 'TurboRemoteCache', {
       turboToken: process.env.TURBO_TOKEN,
       apiProps: {
@@ -26,6 +39,11 @@ export class TurboRemoteCacheStack extends cdk.Stack {
           securityPolicy: apigateway.SecurityPolicy.TLS_1_2,
         },
       },
+      authorizerFunction: aryaAuthorizer,
+      userInfoFunction: userInfo,
+      lambdaProps: {
+        memorySize: 1024,
+      },
       artifactsBucketProps: {
         bucketName: 'turbo-remote-cache-artifacts',
         removalPolicy: cdk.RemovalPolicy.RETAIN,
@@ -36,4 +54,4 @@ export class TurboRemoteCacheStack extends cdk.Stack {
       },
     });
   }
-}
+}

apps/infrastructure/package.json

@@ -15,6 +15,7 @@
   "devDependencies": {
     "@types/jest": "^29.5.12",
     "@types/node": "20.14.9",
+    "@types/aws-lambda": "^8.10.145",
     "aws-cdk": "2.176.0",
     "dotenv": "^16.4.5",
     "esbuild": "^0.23.1",

packages/construct/lambda/src/preflight-artifact/index.ts

@@ -0,0 +1,102 @@
+import type { APIGatewayProxyHandler } from 'aws-lambda';
+import { GetObjectCommand, PutObjectCommand } from '@aws-sdk/client-s3';
+import { S3RequestPresigner } from '@aws-sdk/s3-request-presigner';
+import { Hash } from '@aws-sdk/hash-node';
+import { parseUrl } from '@aws-sdk/url-parser';
+import { HttpRequest } from '@aws-sdk/protocol-http';
+import { formatUrl } from '@aws-sdk/util-format-url';
+
+/**
+ * Preflight request for the artifact resource
+ *
+ * @param event lambda event
+ */
+export const handler: APIGatewayProxyHandler = async (event) => {
+  const requestMethod = event.headers['access-control-request-method'];
+  const signableHeaders = event.headers['access-control-request-headers']?.split(',').map(header => header.trim()).filter(header => header !== 'Authorization');
+  const requestHeaders = signableHeaders?.reduce((acc: Record<string, string>, header) => {
+    if (event.headers[header]) {
+      acc[header] = event.headers[header];
+    }
+    return acc;
+  }, {});
+
+  if (!requestMethod) {
+    return {
+      statusCode: 400,
+      body: JSON.stringify({ error: 'Missing required headers' }),
+    };
+  }
+
+  const teamId = event.requestContext.authorizer?.teamId;
+
+  if (!teamId) {
+    return {
+      statusCode: 400,
+      body: JSON.stringify({ error: 'Missing teamId' }),
+    };
+  }
+
+  let command: GetObjectCommand | PutObjectCommand | undefined;
+  if (requestMethod === 'GET') {
+    command = new GetObjectCommand({
+      Bucket: process.env.ARTIFACTS_BUCKET,
+      Key: `${teamId}/${event.pathParameters?.hash}`,
+    });
+  } else if (requestMethod === 'PUT') {
+    command = new PutObjectCommand({
+      Bucket: process.env.ARTIFACTS_BUCKET,
+      Key: `${teamId}/${event.pathParameters?.hash}`,
+      ContentType: event.headers['content-type'],
+    });
+  }
+
+  if (!command) {
+    return {
+      statusCode: 400,
+      body: JSON.stringify({ error: 'Invalid request method' }),
+    };
+  }
+
+  if (!process.env.AWS_ACCESS_KEY_ID || !process.env.AWS_SECRET_ACCESS_KEY || !process.env.AWS_REGION) {
+    throw new Error('AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION must be set');
+  }
+
+  const presigner = new S3RequestPresigner({
+    credentials: {
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+      sessionToken: process.env.AWS_SESSION_TOKEN,
+    },
+    region: process.env.AWS_REGION,
+    sha256: Hash.bind(null, 'sha256'),
+  });
+
+  const url = parseUrl(`https://${process.env.ARTIFACTS_BUCKET}.s3.${process.env.AWS_REGION}.amazonaws.com/${teamId}/${event.pathParameters?.hash}`);
+  const request = new HttpRequest({
+    ...url,
+    method: requestMethod,
+    query: {
+      teamId: teamId,
+    },
+    headers: requestHeaders,
+  });
+  const presignedUrl = await presigner.presign(request, {
+    expiresIn: 60 * 60 * 24,
+    signableHeaders: signableHeaders ? new Set(signableHeaders) : undefined,
+  });
+  const formattedUrl = formatUrl(presignedUrl);
+
+  // turborepo cli appends teamId to the url, so we need to remove it to ensure valid signature
+  const responseUrl = new URL(formattedUrl);
+  responseUrl.searchParams.delete('teamId');
+
+  return {
+    statusCode: 200,
+    headers: {
+      location: responseUrl.href,
+      allow_authorization_header: false,
+    },
+    body: '',
+  };
+};

packages/construct/lambda/src/token-authorizer/index.ts

@@ -24,6 +24,9 @@ export const handler: APIGatewayTokenAuthorizerHandler = async (event) => {
           Effect: 'Allow',
           Resource: `arn:aws:execute-api:${region}:${accountId}:${apiId}/${stage}/*/*`
         }]
+      },
+      context: {
+        teamId: 'team_turbo_default'
       }
     };
   } else {

packages/construct/package.json

@@ -44,8 +44,12 @@
   "dependencies": {
     "@aws-sdk/client-dynamodb": "^3.645.0",
     "@aws-sdk/client-s3": "^3.645.0",
+    "@aws-sdk/hash-node": "^3.374.0",
+    "@aws-sdk/protocol-http": "^3.374.0",
     "@aws-sdk/s3-request-presigner": "^3.645.0",
-    "@aws-sdk/util-dynamodb": "^3.645.0"
+    "@aws-sdk/url-parser": "^3.374.0",
+    "@aws-sdk/util-dynamodb": "^3.645.0",
+    "@aws-sdk/util-format-url": "^3.696.0"
   },
   "devDependencies": {
     "@types/aws-lambda": "^8.10.145",

packages/construct/src/api.ts

@@ -22,9 +22,9 @@ export class APIGateway extends Construct {
     const logGroup = logs.LogGroup.fromLogGroupName(this, 'LogGroup', '/aws/apigateway/turbo-remote-cache-api');
 
     let tokenAuthorizer: apigateway.TokenAuthorizer | undefined;
-    if (props.lambdaFunctions.tokenAuthorizerFunction) {
+    if (props.lambdaFunctions.authorizerFunction) {
       tokenAuthorizer = new apigateway.TokenAuthorizer(this, 'TokenAuthorizer', {
-        handler: props.lambdaFunctions.tokenAuthorizerFunction,
+        handler: props.lambdaFunctions.authorizerFunction,
         resultsCacheTtl: cdk.Duration.minutes(60),
         identitySource: 'method.request.header.Authorization',
       });
@@ -144,6 +144,11 @@ export class APIGateway extends Construct {
 
     const hashResource = artifactsResource.addResource('{hash}');
 
+    hashResource.addMethod('OPTIONS', new apigateway.LambdaIntegration(props.lambdaFunctions.preflightArtifactFunction), {
+      operationName: 'preflightArtifact',
+      methodResponses: [{ statusCode: '200' }],
+    });
+
     // GET /v8/artifacts/{hash}
     getArtifactIntegration(this, {
       artifactsBucket: props.artifactsBucket,
@@ -257,30 +262,30 @@ export class APIGateway extends Construct {
     //   restApiId: api.restApiId,
     // });
 
-    // const v2Resource = api.root.addResource('v2');
+    const v2Resource = api.root.addResource('v2');
 
-    // const userResource = v2Resource.addResource('user');
+    const userResource = v2Resource.addResource('user');
 
-    // // GET /v2/user
-    // userResource.addMethod('GET', new apigateway.LambdaIntegration(props.lambdaFunctions.getUserInfoFunction), {
-    //   operationName: 'getUserInfo',
-    // });
+    // GET /v2/user
+    userResource.addMethod('GET', new apigateway.LambdaIntegration(props.lambdaFunctions.getUserInfoFunction), {
+      operationName: 'getUserInfo',
+    });
 
-    // const getUserInfoDocumentationPart = {
-    //   description: 'Retrieves information about the authenticated user.',
-    //   summary: 'Get user info',
-    //   tags: ['login'],
-    // }
+    const getUserInfoDocumentationPart = {
+      description: 'Retrieves information about the authenticated user.',
+      summary: 'Get user info',
+      tags: ['login'],
+    }
 
-    // new apigateway.CfnDocumentationPart(this, 'TurborepoUserInfoDocumentationPart', {
-    //   location: {
-    //     type: 'METHOD',
-    //     method: 'GET',
-    //     path: '/v2/user',
-    //   },
-    //   properties: JSON.stringify(getUserInfoDocumentationPart),
-    //   restApiId: api.restApiId,
-    // });
+    new apigateway.CfnDocumentationPart(this, 'TurborepoUserInfoDocumentationPart', {
+      location: {
+        type: 'METHOD',
+        method: 'GET',
+        path: '/v2/user',
+      },
+      properties: JSON.stringify(getUserInfoDocumentationPart),
+      restApiId: api.restApiId,
+    });
 
     // cloudfront domain name for CNAME
     new cdk.CfnOutput(this, 'CloudfrontAliasDomainName', {

packages/construct/src/get-artifact.ts

@@ -14,7 +14,7 @@ export function getArtifactIntegration(scope: Construct, props: GetArtifactInteg
   const getIntegration = new apigateway.AwsIntegration({
     service: 's3',
     integrationHttpMethod: 'GET',
-    path: `${props.artifactsBucket.bucketName}/{slug}/{hash}`,
+    path: `${props.artifactsBucket.bucketName}/{teamId}/{hash}`,
     options: {
       credentialsRole: props.s3Credentials,
       integrationResponses: [
@@ -53,7 +53,7 @@ export function getArtifactIntegration(scope: Construct, props: GetArtifactInteg
       ],
       requestParameters: {
         'integration.request.path.hash': 'method.request.path.hash',
-        'integration.request.path.slug': 'method.request.querystring.slug',
+        'integration.request.path.teamId': 'method.request.querystring.teamId',
       },
     },
   });
@@ -62,7 +62,7 @@ export function getArtifactIntegration(scope: Construct, props: GetArtifactInteg
     operationName: 'downloadArtifact',
     requestParameters: {
       'method.request.path.hash': true,
-      'method.request.querystring.slug': true,
+      'method.request.querystring.teamId': true,
     },
     methodResponses: [
       {

packages/construct/src/head-artifact.ts

@@ -14,7 +14,7 @@ export function headArtifactIntegration(scope: Construct, props: HeadArtifactInt
   const headIntegration = new apigateway.AwsIntegration({
     service: 's3',
     integrationHttpMethod: 'HEAD',
-    path: `${props.artifactsBucket.bucketName}/{slug}/{hash}`,
+    path: `${props.artifactsBucket.bucketName}/{teamId}/{hash}`,
     options: {
       credentialsRole: props.s3Credentials,
       integrationResponses: [
@@ -36,7 +36,7 @@ export function headArtifactIntegration(scope: Construct, props: HeadArtifactInt
       ],
       requestParameters: {
         'integration.request.path.hash': 'method.request.path.hash',
-        'integration.request.path.slug': 'method.request.querystring.slug',
+        'integration.request.path.teamId': 'method.request.querystring.teamId',
       },
     },
   });
@@ -45,7 +45,7 @@ export function headArtifactIntegration(scope: Construct, props: HeadArtifactInt
     operationName: 'artifactExists',
     requestParameters: {
       'method.request.path.hash': true,
-      'method.request.querystring.slug': true,
+      'method.request.querystring.teamId': true,
     },
     methodResponses: [
       {