Authenticate site -> catalog requests (#1414)

aomarks · web-flow · commit d320c7c0bd85 · 2023-01-12T16:31:03.000-08:00
diff --git a/cloud-build/deploy-main.yaml b/cloud-build/deploy-main.yaml
@@ -13,7 +13,8 @@ substitutions:
   _IMAGE_URL_CATALOG: us.gcr.io/${PROJECT_ID}/main/catalog:${SHORT_SHA}
   _IMAGE_URL_SITE: us.gcr.io/${PROJECT_ID}/main/site:${SHORT_SHA}
   _IMAGE_CACHE_TTL: 168h # 1 week
-  _CATALOG_GRAPHQL_URL: https://${_TAG}---catalog-khswqo4xea-wl.a.run.app
+  _CATALOG_SERVER_AUTH_ID: https://catalog-khswqo4xea-wl.a.run.app
+  _CATALOG_GRAPHQL_URL: https://${_TAG}---catalog-khswqo4xea-wl.a.run.app/graphql
 
 steps:
   # Build catalog Docker image.
@@ -82,7 +83,7 @@ steps:
       - --concurrency=200
       - --min-instances=1
       - --max-instances=1000
-      - --update-env-vars=CATALOG_GRAPHQL_URL=${_CATALOG_GRAPHQL_URL}
+      - --update-env-vars=CATALOG_GRAPHQL_URL=${_CATALOG_GRAPHQL_URL},CATALOG_SERVER_AUTH_ID=${_CATALOG_SERVER_AUTH_ID}
 
   # Route traffic to new catalog revision.
   - id: route-catalog
diff --git a/cloud-build/deploy-pr.yaml b/cloud-build/deploy-pr.yaml
@@ -13,7 +13,8 @@ substitutions:
   _IMAGE_URL_CATALOG: us.gcr.io/${PROJECT_ID}/pr/catalog:${SHORT_SHA}
   _IMAGE_URL_SITE: us.gcr.io/${PROJECT_ID}/pr/site:${SHORT_SHA}
   _IMAGE_CACHE_TTL: 168h # 1 week
-  _CATALOG_GRAPHQL_URL: https://${_TAG}---catalog-khswqo4xea-wl.a.run.app
+  _CATALOG_SERVER_AUTH_ID: https://catalog-khswqo4xea-wl.a.run.app
+  _CATALOG_GRAPHQL_URL: https://${_TAG}---catalog-khswqo4xea-wl.a.run.app/graphql
 
 steps:
   # Build catalog Docker image.
@@ -82,4 +83,4 @@ steps:
       - --concurrency=default # Unlimited
       - --min-instances=0
       - --max-instances=1
-      - --update-env-vars=CATALOG_GRAPHQL_URL=${_CATALOG_GRAPHQL_URL}
+      - --update-env-vars=CATALOG_GRAPHQL_URL=${_CATALOG_GRAPHQL_URL},CATALOG_SERVER_AUTH_ID=${_CATALOG_SERVER_AUTH_ID}
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/site-server/package.json b/packages/site-server/package.json
@@ -67,6 +67,9 @@
     },
     "start:dev": {
       "command": "node --enable-source-maps ./lib/dev-server.js",
+      "env": {
+        "CATALOG_GRAPHQL_URL": "http://localhost:6451/graphql"
+      },
       "service": {
         "readyWhen": {
           "lineMatches": "Web Dev Server started"
@@ -79,7 +82,14 @@
     },
     "start:prod": {
       "command": "node --enable-source-maps ./lib/prod-server.js",
-      "service": true,
+      "env": {
+        "CATALOG_GRAPHQL_URL": "http://localhost:6451/graphql"
+      },
+      "service": {
+        "readyWhen": {
+          "lineMatches": "serving"
+        }
+      },
       "files": [],
       "dependencies": [
         "build:prod"
@@ -106,6 +116,7 @@
     "@types/marked": "^4.0.8",
     "@web/dev-server": "^0.1.34",
     "@webcomponents/internal-site-content": "^0.0.0",
+    "google-auth-library": "^8.7.0",
     "koa": "^2.13.4",
     "koa-conditional-get": "^3.0.0",
     "koa-etag": "^4.0.0",
diff --git a/packages/site-server/src/lib/catalog/graphql.ts b/packages/site-server/src/lib/catalog/graphql.ts
@@ -4,12 +4,50 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import {ApolloClient, InMemoryCache} from '@apollo/client/core/index.js';
+import {
+  ApolloClient,
+  HttpLink,
+  InMemoryCache,
+} from '@apollo/client/core/index.js';
+import {GoogleAuth} from 'google-auth-library';
 
-const CATALOG_GRAPHQL_URL =
-  process.env['CATALOG_GRAPHQL_URL'] || `http://localhost:6451/graphql`;
+const CATALOG_GRAPHQL_URL = process.env['CATALOG_GRAPHQL_URL'];
+if (!CATALOG_GRAPHQL_URL) {
+  throw new Error('CATALOG_GRAPHQL_URL must be set');
+}
+
+let linkFetch: typeof fetch | undefined = undefined;
+if (process.env['K_SERVICE']) {
+  // We're on Cloud Run, as opposed to local, so our cross-service requests need
+  // to be authenticated. The K_SERVICE environment variable is set by Cloud
+  // Run, see
+  // https://cloud.google.com/run/docs/reference/container-contract#env-vars.
+  const CATALOG_SERVER_AUTH_ID = process.env['CATALOG_SERVER_AUTH_ID'];
+  if (!CATALOG_SERVER_AUTH_ID) {
+    throw new Error('CATALOG_SERVER_AUTH_ID must be set');
+  }
+  const auth = new GoogleAuth();
+  linkFetch = async (
+    input: RequestInfo | URL,
+    init?: RequestInit | undefined
+  ): Promise<Response> => {
+    const authClient = await auth.getIdTokenClient(CATALOG_SERVER_AUTH_ID);
+    const authHeaders = await authClient.getRequestHeaders();
+    const headers = {
+      ...(init?.headers ?? {}),
+      ...authHeaders,
+    };
+    return fetch(input, {
+      ...(init ?? {}),
+      headers,
+    });
+  };
+}
 
 export const client = new ApolloClient({
-  uri: CATALOG_GRAPHQL_URL,
+  link: new HttpLink({
+    uri: CATALOG_GRAPHQL_URL,
+    fetch: linkFetch,
+  }),
   cache: new InMemoryCache(),
 });
