Use testing credentials secret from AWS for JWT key (#176)

Author: devksingh4

cloudformation/iam.yml

@@ -43,6 +43,7 @@ Resources:
             Effect: Allow
             Resource:
               - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config*
+              - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:427040638965:secret:infra-core-api-testing-credentials* # this secret only exists in awsdev account
 
           - Action:
               - dynamodb:DescribeLimits

generate_jwt.js

@@ -20,7 +20,7 @@ export const getSecretValue = async (secretId) => {
   }
 };
 
-const secrets = await getSecretValue("infra-core-api-config");
+const secrets = await getSecretValue("infra-core-api-testing-credentials");
 const client = new STSClient({ region: "us-east-1" });
 const command = new GetCallerIdentityCommand({});
 let data;

src/api/index.ts

@@ -15,6 +15,7 @@ import {
   environmentConfig,
   genericConfig,
   SecretConfig,
+  SecretTesting,
 } from "../common/config.js";
 import organizationsPlugin from "./routes/organizations.js";
 import authorizeFromSchemaPlugin from "./plugins/authorizeFromSchema.js";
@@ -252,13 +253,20 @@ async function init(prettyPrint: boolean = false) {
   app.dynamoClient = dynamoClient;
   app.secretsManagerClient = secretsManagerClient;
   app.redisClient = redisClient;
-  app.secretConfig = secret;
   app.refreshSecretConfig = async () => {
     app.secretConfig = (await getSecretValue(
       app.secretsManagerClient,
       genericConfig.ConfigSecretName,
     )) as SecretConfig;
+    if (app.environmentConfig.TestingCredentialsSecret) {
+      const temp = (await getSecretValue(
+        app.secretsManagerClient,
+        app.environmentConfig.TestingCredentialsSecret,
+      )) as SecretTesting;
+      app.secretConfig = { ...app.secretConfig, ...temp };
+    }
   };
+  app.refreshSecretConfig();
   app.addHook("onRequest", (req, _, done) => {
     req.startTime = now();
     const hostname = req.hostname;

src/api/lambda.ts

@@ -1,8 +1,9 @@
 import "zod-openapi/extend";
-import awsLambdaFastify from "@fastify/aws-lambda";
+import awsLambdaFastify, { LambdaResponse } from "@fastify/aws-lambda";
 import init from "./index.js";
 import warmer from "lambda-warmer";
 import { type APIGatewayEvent, type Context } from "aws-lambda";
+import { InternalServerError } from "common/errors/index.js";
 
 const app = await init();
 const realHandler = awsLambdaFastify(app, {
@@ -16,7 +17,21 @@ const handler = async (event: APIGatewayEvent, context: Context) => {
     return "warmed";
   }
   // else proceed with handler logic
-  return realHandler(event, context);
+  return realHandler(event, context).catch((e) => {
+    console.error(e);
+    const newError = new InternalServerError({
+      message: "Failed to initialize application.",
+    });
+    const json = JSON.stringify(newError.toJson());
+    return {
+      statusCode: newError.httpStatusCode,
+      body: json,
+      headers: {
+        "Content-Type": "application/json",
+      },
+      isBase64Encoded: false,
+    };
+  });
 };
 
 await app.ready(); // needs to be placed after awsLambdaFastify call because of the decoration: https://github.com/fastify/aws-lambda-fastify/blob/master/index.js#L9

src/api/plugins/auth.ts

@@ -13,7 +13,7 @@ import {
   UnauthenticatedError,
   UnauthorizedError,
 } from "../../common/errors/index.js";
-import { SecretConfig } from "../../common/config.js";
+import { SecretConfig, SecretTesting } from "../../common/config.js";
 import {
   AUTH_DECISION_CACHE_SECONDS,
   getGroupRoles,
@@ -195,7 +195,7 @@ const authPlugin: FastifyPluginAsync = async (fastify, _options) => {
           }
           signingKey =
             process.env.JwtSigningKey ||
-            (fastify.secretConfig.jwt_key as string) ||
+            ((fastify.secretConfig as SecretTesting).jwt_key as string) ||
             "";
           if (signingKey === "") {
             throw new UnauthenticatedError({

src/api/types.d.ts

@@ -2,7 +2,7 @@
 import { FastifyRequest, FastifyInstance, FastifyReply } from "fastify";
 import { AppRoles, RunEnvironment } from "../common/roles.js";
 import { AadToken } from "./plugins/auth.js";
-import { ConfigType, SecretConfig } from "../common/config.js";
+import { ConfigType, SecretConfig, SecretTesting } from "../common/config.js";
 import NodeCache from "node-cache";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
@@ -36,7 +36,7 @@ declare module "fastify" {
     redisClient: Redis;
     secretsManagerClient: SecretsManagerClient;
     cloudfrontKvClient: CloudFrontKeyValueStoreClient;
-    secretConfig: SecretConfig;
+    secretConfig: SecretConfig | (SecretConfig & SecretTesting);
     refreshSecretConfig: CallableFunction;
   }
   interface FastifyRequest {

src/common/config.ts

@@ -23,6 +23,7 @@ export type ConfigType = {
   PaidMemberPriceId: string;
   AadValidReadOnlyClientId: string;
   LinkryCloudfrontKvArn?: string;
+  TestingCredentialsSecret?: string;
 };
 
 export type GenericConfigType = {
@@ -98,6 +99,7 @@ const environmentConfig: EnvironmentConfigType = {
       /^https:\/\/(?:.*\.)?acmuiuc\.pages\.dev$/,
       /http:\/\/localhost:\d+$/,
     ],
+    TestingCredentialsSecret: "infra-core-api-testing-credentials",
     AadValidClientId: "39c28870-94e4-47ee-b4fb-affe0bf96c9f",
     LinkryBaseUrl: "https://core.aws.qa.acmuiuc.org",
     PasskitIdentifier: "pass.org.acmuiuc.qa.membership",
@@ -137,7 +139,6 @@ const environmentConfig: EnvironmentConfigType = {
 };
 
 export type SecretConfig = {
-  jwt_key?: string;
   discord_guild_id: string;
   discord_bot_token: string;
   entra_id_private_key?: string;
@@ -151,6 +152,10 @@ export type SecretConfig = {
   redis_url: string;
 };
 
+export type SecretTesting = {
+  jwt_key: string;
+}
+
 const roleArns = {
   Entra: process.env.EntraRoleArn,
 };

tests/e2e/base.ts

@@ -30,7 +30,7 @@ async function getSecrets() {
   let response = { PLAYWRIGHT_USERNAME: "", PLAYWRIGHT_PASSWORD: "" };
   let keyData;
   if (!process.env.PLAYWRIGHT_USERNAME || !process.env.PLAYWRIGHT_PASSWORD) {
-    keyData = await getSecretValue("infra-core-api-config");
+    keyData = await getSecretValue("infra-core-api-testing-credentials");
   }
   response["PLAYWRIGHT_USERNAME"] =
     process.env.PLAYWRIGHT_USERNAME ||

tests/live/utils.ts

@@ -30,7 +30,7 @@ async function getSecrets() {
   const response = { JWTKEY: "" };
   let keyData;
   if (!process.env.JWT_KEY) {
-    keyData = await getSecretValue("infra-core-api-config");
+    keyData = await getSecretValue("infra-core-api-testing-credentials");
   }
   response["JWTKEY"] =
     process.env.JWT_KEY || ((keyData ? keyData["jwt_key"] : "") as string);

tests/unit/apiKey.test.ts

@@ -2,7 +2,7 @@ import { afterAll, expect, test, beforeEach, vi, describe } from "vitest";
 import { mockClient } from "aws-sdk-client-mock";
 import init from "../../src/api/index.js";
 import { createJwt } from "./auth.test.js";
-import { secretObject } from "./secret.testdata.js";
+import { testSecretObject } from "./secret.testdata.js";
 import supertest from "supertest";
 import {
   ConditionalCheckFailedException,
@@ -31,7 +31,7 @@ vi.mock("../../src/api/functions/apiKey.js", () => {
 // Mock DynamoDB client
 const dynamoMock = mockClient(DynamoDBClient);
 const sqsMock = mockClient(SQSClient);
-const jwt_secret = secretObject["jwt_key"];
+const jwt_secret = testSecretObject["jwt_key"];
 
 vi.stubEnv("JwtSigningKey", jwt_secret);