Merge pull request #5 from garden-aid/develop

Protect endpoints with auth0
garden-aid · Sep 13, 2016 · 15d28ec · 15d28ec
2 parents c10ffb2 + 1e26a73
commit 15d28ec
Show file tree

Hide file tree

Showing 35 changed files with 729 additions and 282 deletions.
diff --git a/.eslintignore b/.eslintignore
@@ -2,5 +2,6 @@ coverage
 
 webpack/*
 public/dist/*
+src/auth/policy.js
 
 gulpfile.js
diff --git a/.eslintrc.yml b/.eslintrc.yml
@@ -0,0 +1,13 @@
+extends: airbnb
+plugins:
+  - react
+  - jsx-a11y
+  - import
+
+env:
+  mocha: true
+  node: true
+
+rules:
+  no-console: 0
+  strict: 0
diff --git a/.travis.yml b/.travis.yml
@@ -9,6 +9,6 @@ env:
 
 before_install:
   - npm i -g snyk
-  - npm i -g serverless@beta
+  - npm i -g serverless
 
 script: ./deploy.sh
diff --git a/config.json b/config.json
@@ -1,3 +1,5 @@
 {
-  "moistureTableName": "moisture-data-dev"
+  "MOISTURE_TABLE_NAME": "moisture-data-dev",
+  "AUTH0_DOMAIN": "johncmckim.au.auth0.com",
+  "AUTH0_CLIENT_ID": "SWLx5XS17ssom0DCuTPlDlXnJUbTXbiP"
 }
diff --git a/config/dev.json b/config/dev.json
@@ -1,3 +1,5 @@
 {
-  "moistureTableName": "moisture-data-dev"
+  "MOISTURE_TABLE_NAME": "moisture-data-dev",
+  "AUTH0_DOMAIN": "johncmckim.au.auth0.com",
+  "AUTH0_CLIENT_ID": "SWLx5XS17ssom0DCuTPlDlXnJUbTXbiP"
 }
diff --git a/config/prod.json b/config/prod.json
@@ -1,3 +1,5 @@
 {
-  "moistureTableName": "moisture-data-production"
+  "MOISTURE_TABLE_NAME": "moisture-data-production",
+  "AUTH0_DOMAIN": "johncmckim.au.auth0.com",
+  "AUTH0_CLIENT_ID": "SWLx5XS17ssom0DCuTPlDlXnJUbTXbiP"
 }
diff --git a/create-secrets.js b/create-secrets.js
@@ -1,20 +1,29 @@
 #!/usr/bin/env node
-
 'use strict';
 
 const fs = require('fs');
 const path = require('path');
+const _ = require('lodash');
+
+const envVars = [
+  'IOPIPE_KEY',
+];
 
+const secrets = _.pick(process.env, envVars);
+const secretKeys = Object.keys(secrets);
 
-const iopipeKey = process.env.IOPIPE_KEY;
+console.log('Writing env vars ', secretKeys);
 
-if (!iopipeKey) {
-  throw new Error('Please set IOPIPE_KEY env var');
+if (!_.isEqual(envVars, secretKeys)) {
+  throw new Error('Missing some env vars');
 }
 
-const secrets = {
-  iopipeKey: iopipeKey
-};
+_.forEach(secrets, (secret, key) => {
+  if (!secret) {
+    throw new Error(`${key} is required`);
+  }
+});
 
 const secretsPath = path.resolve(__dirname, './secrets.json');
+
 fs.writeFileSync(secretsPath, JSON.stringify(secrets));
diff --git a/deploy.sh b/deploy.sh
@@ -1,6 +1,11 @@
 #!/bin/bash
 set -e
 
+if [[ $TRAVIS_PULL_REQUEST == "true" ]]; then
+  echo "Not deploying changes on pull request";
+  exit 0;
+fi
+
 AWS_REGION=${AWS_REGION:-ap-southeast-2}
 BRANCH=${TRAVIS_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}
 
@@ -23,4 +28,4 @@ node ./create-secrets.js # create secrets.json from env variables
 
 npm prune --production
 
-sls deploy --stage $STAGE --region $AWS_REGION
+sls deploy --stage $STAGE --region $AWS_REGION --verbose
diff --git a/env.js b/env.js
@@ -1,9 +1,9 @@
 
-module.exports = function(config, secure) {
-  Object.keys(config).forEach((key, index) => {
+module.exports = (config, secure) => {
+  Object.keys(config).forEach((key) => {
     const value = config[key];
     process.env[key] = value;
 
-    console.log(`Env: ${key}=${secure ? 'secure' : value}`)
+    console.log(`Env: ${key}=${secure ? 'secure' : value}`);
   });
-}
+};
diff --git a/index.js b/index.js
@@ -9,8 +9,11 @@ env(secrets, true);
 
 // Setup env vars before requiring functions
 const graphql = require('./src/graphql');
+const authorize = require('./src/authorize');
+
 const iopipe = require('iopipe')({
-   clientId: process.env.iopipeKey
+  clientId: process.env.IOPIPE_KEY,
 });
 
-module.exports.graphql = graphql.handler;
+module.exports.graphql = iopipe(graphql.handler);
+module.exports.authorize = iopipe(authorize.handler);
diff --git a/package.json b/package.json
@@ -6,6 +6,7 @@
     "test": "test"
   },
   "scripts": {
+    "lint": "eslint .",
     "test": "snyk test && npm run test:unit",
     "test:unit": "istanbul cover _mocha tests/all -- -R spec --recursive"
   },
@@ -26,25 +27,34 @@
   },
   "homepage": "https://github.com/johncmckim/garden-aid#readme",
   "dependencies": {
+    "auth0": "^2.3.1",
     "bluebird": "^3.4.1",
+    "chai": "^3.5.0",
     "graphql": "^0.6.1",
     "iopipe": "0.0.19",
     "joi": "^9.0.4",
-    "lodash": "^4.13.1",
+    "jsonwebtoken": "^7.1.9",
+    "lodash": "^4.15.0",
+    "mocha": "^2.5.3",
+    "mocha-lcov-reporter": "^1.2.0",
+    "mock-require": "^1.3.0",
     "moment": "^2.14.1",
+    "sinon": "^1.17.5",
     "stampit": "^2.1.2",
     "util": "^0.10.3",
     "vogels": "^2.2.0",
     "vogels-promisified": "^2.2.3"
   },
   "devDependencies": {
-    "chai": "^3.5.0",
+    "eslint": "^3.5.0",
+    "eslint-config-airbnb": "^11.0.0",
+    "eslint-config-standard": "^6.0.0",
+    "eslint-plugin-import": "^1.14.0",
+    "eslint-plugin-jsx-a11y": "^2.2.1",
+    "eslint-plugin-promise": "^2.0.1",
+    "eslint-plugin-react": "^6.2.0",
+    "eslint-plugin-standard": "^2.0.0",
     "istanbul": "^0.4.4",
-    "lambda-wrapper": "^0.1.0",
-    "mocha": "^2.5.3",
-    "mocha-lcov-reporter": "^1.2.0",
-    "mock-require": "^1.3.0",
-    "sinon": "^1.17.5",
     "snyk": "^1.18.0"
   }
 }
diff --git a/serverless.env.yaml b/serverless.env.yaml
diff --git a/serverless.yaml b/serverless.yaml
@@ -2,6 +2,8 @@ service: garden-aid-web-bff
 provider:
     name: aws
     runtime: nodejs4.3
+    stage: dev
+    region: ap-southeast-2
     iamRoleStatements:
        -  Effect: Allow
           Action:
@@ -13,10 +15,6 @@ provider:
             - dynamodb:UpdateItem
             - dynamodb:DeleteItem
           Resource: "arn:aws:dynamodb:ap-southeast-2:*:*"
-
-defaults:
-    stage: dev
-    region: ap-southeast-2
 package:
     include:
       - node_modules
@@ -38,10 +36,17 @@ package:
 functions:
     graphQl:
         handler: index.graphql
-        memory: 128
+        memory: 512
         timeout: 3
         events:
             - http:
                 path: graphql
                 method: post
                 cors: true
+                authorizer:
+                  name: authorize
+                  resultTtlInSeconds: 30
+    authorize:
+        handler: index.authorize
+        memory: 512
+        timeout: 3
diff --git a/src/auth/auth0.js b/src/auth/auth0.js
@@ -0,0 +1,25 @@
+
+const AuthPolicy = require('./policy').AuthPolicy;
+
+module.exports.authorize = (token, auth0Client, authInfo) =>
+  auth0Client.tokens.getInfo(token)
+    .then((userInfo) => {
+      if (!userInfo || !userInfo.user_id) {
+        throw new Error('No user_id returned from Auth0');
+      }
+
+      console.log(`Building policy for ${userInfo.user_id} with: `, authInfo);
+
+      const policy = new AuthPolicy(userInfo.user_id, authInfo.accountId, authInfo);
+
+      policy.allowMethod(AuthPolicy.HttpVerb.POST, '/graphql');
+
+      const result = policy.build();
+      console.log('Returning auth result: ', result, result.policyDocument.Statement);
+
+      return result;
+    })
+    .catch((err) => {
+      console.log(err);
+      return 'Unauthorized';
+    });