@plusscommunities/pluss-core-aws 2.0.24-auth.0 → 2.0.24

package/helper/auth/getSessionUser.js

@@ -1,90 +1,75 @@
-// const https = require("https");
-// const jose = require("node-jose");
-// const { app_client_id, keys_url } = require("../../../config");
-// const isUserDisabled = require("./isUserDisabled");
-const { log } = require("..");
-const AuthenticationContext = require("./context/AuthenticationContext");
+const https = require("https");
+const jose = require("node-jose");
+const { getConfig } = require("../../config");
+const checkTokenBlacklist = require("./checkTokenBlacklist");
 
 module.exports = async (token) => {
-  const logId = log("getSessionUser", "Start", true);
-  const userId = await AuthenticationContext.getSessionUser(token);
-  log("getSessionUser", "Result", userId, logId);
-  return userId;
-  // return new Promise((resolve, reject) => {
-  //   if (!token) {
-  //     return resolve(null);
-  //   }
-  //   var sections = token.split(".");
-  //   // get the kid from the headers prior to verification
-  //   var header = jose.util.base64url.decode(sections[0]);
-  //   header = JSON.parse(header);
-  //   var kid = header.kid;
-  //   // download the public keys
-  //   https.get(keys_url, async (response) => {
-  //     if (response.statusCode == 200) {
-  //       response.on("data", async (body) => {
-  //         var keys = JSON.parse(body)["keys"];
-  //         // search for the kid in the downloaded public keys
-  //         var key_index = -1;
-  //         for (var i = 0; i < keys.length; i++) {
-  //           if (kid == keys[i].kid) {
-  //             key_index = i;
-  //             break;
-  //           }
-  //         }
-  //         if (key_index == -1) {
-  //           reject();
-  //           return;
-  //         }
-  //         // construct the public key
-  //         jose.JWK.asKey(keys[key_index])
-  //           .then(async (result) => {
-  //             // verify the signature
-  //             jose.JWS.createVerify(result)
-  //               .verify(token)
-  //               .then(async (result2) => {
-  //                 // now we can use the claims
-  //                 var claims = JSON.parse(result2.payload);
-  //                 // additionally we can verify the token expiration
-  //                 var current_ts = Math.floor(new Date() / 1000);
-  //                 if (current_ts > claims.exp) {
-  //                   console.log("Token is expired");
-  //                   reject("Token is expired");
-  //                   return;
-  //                 }
+  return new Promise(async (resolve, reject) => {
+    if (!token) {
+      return resolve(null);
+    }
 
-  //                 /*  --=- Optional audience stuff we dont use.
-  //                                   // and the Audience (use claims.client_id if verifying an access token)
-  //                                   if (claims.aud != app_client_id) {
-  //                                       console.log('Token was not issued for this audience')
-  //                                       return;
-  //                                   }
-  //                                    */
+    // Check if token is blacklisted before expensive verification
+    const isBlacklisted = await checkTokenBlacklist(token);
+    if (isBlacklisted) {
+      reject("Token has been invalidated");
+      return;
+    }
 
-  //                 const isDisabled = await isUserDisabled(claims.username);
-
-  //                 if (isDisabled) {
-  //                   console.log("User is disabled");
-  //                   reject("User is disabled");
-  //                   return;
-  //                 }
-
-  //                 resolve(claims.username);
-  //               })
-  //               .catch(async (error) => {
-  //                 console.log("Signature verification failed", error);
-  //                 reject("Signature verification failed");
-  //               });
-  //           })
-  //           .catch(async (error) => {
-  //             console.log("failed JWK.asKey", error);
-  //             reject(error);
-  //           });
-  //       });
-  //     } else {
-  //       console.log("failed on response", response);
-  //       reject(response);
-  //     }
-  //   });
-  // });
+    var sections = token.split(".");
+    // get the kid from the headers prior to verification
+    var header = jose.util.base64url.decode(sections[0]);
+    header = JSON.parse(header);
+    var kid = header.kid;
+    // download the public keys
+    https.get(getConfig().keys_url, function (response) {
+      if (response.statusCode == 200) {
+        response.on("data", function (body) {
+          var keys = JSON.parse(body)["keys"];
+          // search for the kid in the downloaded public keys
+          var key_index = -1;
+          for (var i = 0; i < keys.length; i++) {
+            if (kid == keys[i].kid) {
+              key_index = i;
+              break;
+            }
+          }
+          if (key_index == -1) {
+            reject();
+            return;
+          }
+          // construct the public key
+          jose.JWK.asKey(keys[key_index])
+            .then(function (result) {
+              // verify the signature
+              jose.JWS.createVerify(result)
+                .verify(token)
+                .then(function (result2) {
+                  // now we can use the claims
+                  var claims = JSON.parse(result2.payload);
+                  // additionally we can verify the token expiration
+                  var current_ts = Math.floor(new Date() / 1000);
+                  if (current_ts > claims.exp) {
+                    console.log("Token is expired");
+                    reject("Token is expired");
+                    return;
+                  }
+                  resolve(claims.username);
+                })
+                .catch(function (error) {
+                  console.log("Signature verification failed", error);
+                  reject("Signature verification failed");
+                });
+            })
+            .catch(function (error) {
+              console.log("failed JWK.asKey", error);
+              reject(error);
+            });
+        });
+      } else {
+        console.log("failed on response", response);
+        reject(response);
+      }
+    });
+  });
 };

package/helper/notifySiteConfigs.js

@@ -0,0 +1,117 @@
+/**
+ * Notify SiteConfigs Service of Operational Data Changes
+ *
+ * This helper provides a pre-filtering mechanism for auto-propagation.
+ * When operational data changes (sites, usertypes, interfaces, strings, jobTypes),
+ * this function:
+ *
+ * 1. Queries SourceSiteIdIndex to check if any templates use this site as source
+ * 2. If none found → early return (no Lambda invoke, 99% of cases)
+ * 3. If templates found → invokes siteConfigs Lambda to handle republishing
+ *
+ * This hybrid approach ensures:
+ * - No Lambda latency for most sites (pre-filter catches non-source sites)
+ * - Publishing logic stays encapsulated in siteConfigs service
+ * - Minimal cross-service coupling
+ *
+ * Usage:
+ *   const notifySiteConfigs = require("@plusscommunities/pluss-core-aws/helper/notifySiteConfigs");
+ *   await notifySiteConfigs(siteId, logId);
+ */
+
+const AWS = require("aws-sdk");
+const indexQuery = require("../db/common/indexQuery");
+const { log } = require("./index");
+
+const lambda = new AWS.Lambda();
+
+const TABLE_NAME = "siteconfigs";
+
+/**
+ * Check if a site has any templates using it as a source
+ * @param {string} siteId - The site ID to check
+ * @returns {Promise<Array>} Array of template IDs (empty if none)
+ */
+const getTemplatesForSourceSite = async (siteId) => {
+  try {
+    const result = await indexQuery(TABLE_NAME, {
+      IndexName: "SourceSiteIdIndex",
+      KeyConditionExpression: "SourceSiteId = :sourceSiteId",
+      ExpressionAttributeValues: {
+        ":sourceSiteId": siteId,
+      },
+      ProjectionExpression: "Id", // Only need IDs for pre-filter
+    });
+    return (result.Items || []).map((item) => item.Id);
+  } catch (err) {
+    // Table or index might not exist in all deployments
+    log("notifySiteConfigs", "QueryError", { siteId, error: err.message });
+    return [];
+  }
+};
+
+/**
+ * Invoke the siteConfigs operationalDataChanged Lambda
+ * @param {string} siteId - The source site that changed
+ * @param {Array<string>} templateIds - List of template IDs to republish
+ * @param {string} logId - Log ID for tracing
+ */
+const invokeSiteConfigsLambda = async (siteId, templateIds, logId) => {
+  // Build function name from environment
+  // Format: {client}-siteConfigs-{stage}-operationalDataChanged
+  const client = process.env.client || "dev";
+  const stage = process.env.stage || "dev";
+  const functionName = `${client}-siteConfigs-${stage}-operationalDataChanged`;
+
+  const payload = {
+    siteId,
+    templateIds,
+    logId,
+    source: "notifySiteConfigs",
+  };
+
+  log("notifySiteConfigs", "InvokingLambda", { functionName, siteId, templateCount: templateIds.length }, logId);
+
+  try {
+    await lambda
+      .invoke({
+        FunctionName: functionName,
+        InvocationType: "Event", // Async invocation
+        Payload: JSON.stringify(payload),
+      })
+      .promise();
+
+    log("notifySiteConfigs", "LambdaInvoked", { functionName, siteId }, logId);
+  } catch (err) {
+    log("notifySiteConfigs", "LambdaError", { functionName, siteId, error: err.message }, logId);
+    // Don't throw - this is a non-critical operation
+  }
+};
+
+/**
+ * Notify siteConfigs service that operational data has changed for a site.
+ * Performs pre-filtering to avoid unnecessary Lambda invocations.
+ *
+ * @param {string} siteId - The site ID where operational data changed
+ * @param {string} logId - Optional log ID for tracing
+ */
+const notifySiteConfigs = async (siteId, logId) => {
+  if (!siteId) {
+    return;
+  }
+
+  // Pre-filter: Check if this site is a source for any templates
+  const templateIds = await getTemplatesForSourceSite(siteId);
+
+  if (templateIds.length === 0) {
+    // No Lambda invocation needed
+    return;
+  }
+
+  log("notifySiteConfigs", "TemplatesFound", { siteId, count: templateIds.length }, logId);
+
+  // Invoke siteConfigs Lambda to handle republishing
+  await invokeSiteConfigsLambda(siteId, templateIds, logId);
+};
+
+module.exports = notifySiteConfigs;

package/package.json

@@ -1,15 +1,12 @@
 {
   "name": "@plusscommunities/pluss-core-aws",
-  "version": "2.0.24-auth.0",
+  "version": "2.0.24",
   "description": "Core extension package for Pluss Communities platform",
   "scripts": {
     "betapatch": "npm version prepatch --preid=beta",
     "patch": "npm version patch",
     "betaupload": "npm i && npm i && npm publish --access public --tag beta",
     "betaupload:p": "npm run betapatch && npm run betaupload",
-    "authpatch": "npm version prepatch --preid=auth",
-    "authupload": "npm i && npm i && npm publish --access public --tag auth",
-    "authupload:p": "npm run authpatch && npm run authupload",
     "upload": "npm i && npm i && npm publish --access public",
     "upload:p": "npm run patch && npm run upload"
   },
@@ -23,8 +20,6 @@
     "expo-server-sdk": "^3.0.1",
     "html-entities": "^2.3.2",
     "https": "^1.0.0",
-    "jsonwebtoken": "^9.0.2",
-    "jwks-rsa": "^3.1.0",
     "lodash": "^4.17.10",
     "moment": "^2.30.1",
     "moment-timezone": "^0.5.41",

package/helper/auth/context/AuthenticationContext.js

@@ -1,50 +0,0 @@
-const Auth0Strategy = require("./auth0/Strategy");
-const CognitoStrategy = require("./cognito/Strategy");
-const BoltonClarkeStrategy = require("./boltonclarke/Strategy");
-const { getConfig } = require("../../../config");
-
-class AuthenticationContext {
-  static strategy = null;
-
-  static initialiseStrategy() {
-    switch (getConfig().authConfig.provider) {
-      case "auth0":
-        AuthenticationContext.strategy = new Auth0Strategy();
-        break;
-      case "boltonclarke":
-        AuthenticationContext.strategy = new BoltonClarkeStrategy();
-        break;
-      case "cognito":
-        AuthenticationContext.strategy = new CognitoStrategy();
-        break;
-      default:
-        throw new Error("Invalid authentication provider specified");
-    }
-  }
-
-  static getSessionUser = async (token) => {
-    if (!AuthenticationContext.strategy) {
-      AuthenticationContext.initialiseStrategy();
-    }
-    return AuthenticationContext.strategy.getSessionUser(token);
-  };
-
-  static populateUser = async (token) => {
-    if (!AuthenticationContext.strategy) {
-      AuthenticationContext.initialiseStrategy();
-    }
-    return AuthenticationContext.strategy.populateUser(token);
-  };
-
-  static updateIdentityAttributes = async (input, userId) => {
-    if (!AuthenticationContext.strategy) {
-      AuthenticationContext.initialiseStrategy();
-    }
-    return AuthenticationContext.strategy.updateIdentityAttributes(
-      input,
-      userId
-    );
-  };
-}
-
-module.exports = AuthenticationContext;

package/helper/auth/context/AuthenticationStrategy.js

@@ -1,20 +0,0 @@
-// Authentication Strategy Interface
-class AuthenticationStrategy {
-  constructor() {}
-
-  getSessionUser(token) {
-    throw new Error("Method 'getSessionUser()' must be implemented.");
-  }
-
-  // optional function to populate user data based on a token
-  populateUser(token) {
-    return;
-  }
-
-  // optional function to save attributes to identity provider
-  updateIdentityAttributes = async (input, userId) => {
-    return;
-  };
-}
-
-module.exports = AuthenticationStrategy;

package/helper/auth/context/auth0/Strategy.js

@@ -1,12 +0,0 @@
-// auth0Strategy.js
-const AuthenticationStrategy = require("../AuthenticationStrategy");
-const getSessionUser = require("./functions/getSessionUser");
-
-class Auth0Strategy extends AuthenticationStrategy {
-  constructor() {
-    super();
-    this.getSessionUser = getSessionUser;
-  }
-}
-
-module.exports = Auth0Strategy;

package/helper/auth/context/auth0/functions/decodeAccessToken.js

@@ -1,45 +0,0 @@
-const jwt = require("jsonwebtoken");
-const jwksClient = require("jwks-rsa");
-
-const { getConfig } = require("../../../../../config");
-
-// Function to retrieve the signing key from Auth0 JWKS
-const getKey = (header, callback) => {
-  // Initialize JWKS client
-  const client = jwksClient({
-    jwksUri: `https://${getConfig().auth0Config.domain}/.well-known/jwks.json`,
-  });
-
-  client.getSigningKey(header.kid, (err, key) => {
-    if (err) {
-      callback(err, null);
-    } else {
-      const signingKey = key.publicKey || key.rsaPublicKey;
-      callback(null, signingKey);
-    }
-  });
-};
-
-// Function to validate the token and extract user information
-const decodeAccessToken = async (token) => {
-  return new Promise((resolve, reject) => {
-    jwt.verify(
-      token,
-      getKey,
-      {
-        audience: getConfig().auth0Config.audience,
-        issuer: `https://${getConfig().auth0Config.domain}/`,
-        algorithms: ["RS256"],
-      },
-      (err, decoded) => {
-        if (err) {
-          reject(err);
-        } else {
-          resolve(decoded); // 'sub' contains the user ID
-        }
-      }
-    );
-  });
-};
-
-module.exports = decodeAccessToken;

package/helper/auth/context/auth0/functions/getSessionUser.js

@@ -1,21 +0,0 @@
-const decodeAccessToken = require("./decodeAccessToken");
-const { getConfig } = require("../../../../../config");
-
-// Function to validate the token and extract user information
-const getSessionUser = async (token) => {
-  return new Promise((resolve, reject) => {
-    decodeAccessToken(token)
-      .then((claims) => {
-        return resolve(
-          claims[getConfig().auth0Config.residentIdClaim] ||
-            claims[getConfig().auth0Config.staffIdClaim] ||
-            claims[getConfig().auth0Config.userIdClaim]
-        );
-      })
-      .catch((err) => {
-        reject(err);
-      });
-  });
-};
-
-module.exports = getSessionUser;

package/helper/auth/context/boltonclarke/Strategy.js

@@ -1,10 +0,0 @@
-// auth0Strategy.js
-const Auth0Strategy = require("../auth0/Strategy");
-
-class BoltonClarkeStrategy extends Auth0Strategy {
-  constructor() {
-    super();
-  }
-}
-
-module.exports = BoltonClarkeStrategy;

package/helper/auth/context/cognito/Strategy.js

@@ -1,12 +0,0 @@
-// cognitoStrategy.js
-const AuthenticationStrategy = require("../AuthenticationStrategy");
-const getSessionUser = require("./functions/getSessionUser");
-
-class CognitoStrategy extends AuthenticationStrategy {
-  constructor() {
-    super();
-    this.getSessionUser = getSessionUser;
-  }
-}
-
-module.exports = CognitoStrategy;

package/helper/auth/context/cognito/functions/getSessionUser.js

@@ -1,76 +0,0 @@
-const https = require("https");
-const jose = require("node-jose");
-
-const { getConfig } = require("../../../../../config");
-
-module.exports = async (token) => {
-  return new Promise((resolve, reject) => {
-    if (!token) {
-      return resolve(null);
-    }
-    var sections = token.split(".");
-    // get the kid from the headers prior to verification
-    var header = jose.util.base64url.decode(sections[0]);
-    header = JSON.parse(header);
-    var kid = header.kid;
-    // download the public keys
-    https.get(getConfig().keys_url, async (response) => {
-      if (response.statusCode == 200) {
-        response.on("data", async (body) => {
-          var keys = JSON.parse(body)["keys"];
-          // search for the kid in the downloaded public keys
-          var key_index = -1;
-          for (var i = 0; i < keys.length; i++) {
-            if (kid == keys[i].kid) {
-              key_index = i;
-              break;
-            }
-          }
-          if (key_index == -1) {
-            reject();
-            return;
-          }
-          // construct the public key
-          jose.JWK.asKey(keys[key_index])
-            .then(async (result) => {
-              // verify the signature
-              jose.JWS.createVerify(result)
-                .verify(token)
-                .then(async (result2) => {
-                  // now we can use the claims
-                  var claims = JSON.parse(result2.payload);
-                  // additionally we can verify the token expiration
-                  var current_ts = Math.floor(new Date() / 1000);
-                  if (current_ts > claims.exp) {
-                    console.log("Token is expired");
-                    reject("Token is expired");
-                    return;
-                  }
-
-                  // const isDisabled = await isUserDisabled(claims.username);
-
-                  // if (isDisabled) {
-                  //   console.log("User is disabled");
-                  //   reject("User is disabled");
-                  //   return;
-                  // }
-
-                  resolve(claims.username);
-                })
-                .catch(async (error) => {
-                  console.log("Signature verification failed", error);
-                  reject("Signature verification failed");
-                });
-            })
-            .catch(async (error) => {
-              console.log("failed JWK.asKey", error);
-              reject(error);
-            });
-        });
-      } else {
-        console.log("failed on response", response);
-        reject(response);
-      }
-    });
-  });
-};