Get membership by UIUC access token

devksingh4 · devksingh4 · commit 5d62df0b81d6 · 2025-08-04T19:17:32.000-04:00
diff --git a/src/api/routes/membership.ts b/src/api/routes/membership.ts
@@ -37,6 +37,7 @@ import { illinoisNetId, withRoles, withTags } from "api/components/index.js";
 import { getKey, setKey } from "api/functions/redisCache.js";
 import { AppRoles } from "common/roles.js";
 import { unmarshall } from "@aws-sdk/util-dynamodb";
+import { verifyUiucAccessToken } from "api/functions/uin.js";
 
 const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
   await fastify.register(rawbody, {
@@ -81,6 +82,150 @@ const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
       duration: 30,
       rateLimitIdentifier: "membership",
     });
+    fastify.withTypeProvider<FastifyZodOpenApiTypeProvider>().get(
+      "/",
+      {
+        schema: withTags(["Membership"], {
+          querystring: z.object({
+            list: z.string().min(1).optional().meta({
+              description:
+                "Membership list to check from (defaults to ACM Paid Member list).",
+            }),
+          }),
+          headers: z.object({
+            "x-uiuc-token": z.jwt().min(1).meta({
+              description:
+                "An access token for the user in the UIUC Entra ID tenant.",
+            }),
+          }),
+          summary:
+            "Authenticated check ACM @ UIUC paid membership (or partner organization membership) status.",
+          response: {
+            200: {
+              description: "List membership status.",
+              content: {
+                "application/json": {
+                  schema: z
+                    .object({
+                      netId: illinoisNetId,
+                      list: z.optional(z.string().min(1)),
+                      isPaidMember: z.boolean(),
+                    })
+                    .meta({
+                      example: {
+                        netId: "rjjones",
+                        isPaidMember: false,
+                      },
+                    }),
+                },
+              },
+            },
+          },
+        }),
+      },
+      async (request, reply) => {
+        const accessToken = request.headers["x-uiuc-token"];
+        const verifiedData = await verifyUiucAccessToken({
+          accessToken,
+          logger: request.log,
+        });
+        const { userPrincipalName: upn, givenName, surname } = verifiedData;
+        const netId = upn.replace("@illinois.edu", "");
+        if (netId.includes("@")) {
+          request.log.error(
+            `Found UPN ${upn} which cannot be turned into NetID via simple replacement.`,
+          );
+          throw new ValidationError({
+            message: "ID token could not be parsed.",
+          });
+        }
+        const list = request.query.list || "acmpaid";
+        const cacheKey = `membership:${netId}:${list}`;
+        const result = await getKey<{ isMember: boolean }>({
+          redisClient: fastify.redisClient,
+          key: cacheKey,
+          logger: request.log,
+        });
+        if (result) {
+          return reply.header("X-ACM-Data-Source", "cache").send({
+            netId,
+            list: list === "acmpaid" ? undefined : list,
+            isPaidMember: result.isMember,
+          });
+        }
+        if (list !== "acmpaid") {
+          const isMember = await checkExternalMembership(
+            netId,
+            list,
+            fastify.dynamoClient,
+          );
+          await setKey({
+            redisClient: fastify.redisClient,
+            key: cacheKey,
+            data: JSON.stringify({ isMember }),
+            expiresIn: MEMBER_CACHE_SECONDS,
+            logger: request.log,
+          });
+          return reply.header("X-ACM-Data-Source", "dynamo").send({
+            netId,
+            list,
+            isPaidMember: isMember,
+          });
+        }
+        const isDynamoMember = await checkPaidMembershipFromTable(
+          netId,
+          fastify.dynamoClient,
+        );
+        if (isDynamoMember) {
+          await setKey({
+            redisClient: fastify.redisClient,
+            key: cacheKey,
+            data: JSON.stringify({ isMember: true }),
+            expiresIn: MEMBER_CACHE_SECONDS,
+            logger: request.log,
+          });
+          return reply
+            .header("X-ACM-Data-Source", "dynamo")
+            .send({ netId, isPaidMember: true });
+        }
+        const entraIdToken = await getEntraIdToken({
+          clients: await getAuthorizedClients(),
+          clientId: fastify.environmentConfig.AadValidClientId,
+          secretName: genericConfig.EntraSecretName,
+          logger: request.log,
+        });
+        const paidMemberGroup = fastify.environmentConfig.PaidMemberGroupId;
+        const isAadMember = await checkPaidMembershipFromEntra(
+          netId,
+          entraIdToken,
+          paidMemberGroup,
+        );
+        if (isAadMember) {
+          await setKey({
+            redisClient: fastify.redisClient,
+            key: cacheKey,
+            data: JSON.stringify({ isMember: true }),
+            expiresIn: MEMBER_CACHE_SECONDS,
+            logger: request.log,
+          });
+          reply
+            .header("X-ACM-Data-Source", "aad")
+            .send({ netId, isPaidMember: true });
+          await setPaidMembershipInTable(netId, fastify.dynamoClient);
+          return;
+        }
+        await setKey({
+          redisClient: fastify.redisClient,
+          key: cacheKey,
+          data: JSON.stringify({ isMember: false }),
+          expiresIn: MEMBER_CACHE_SECONDS,
+          logger: request.log,
+        });
+        return reply
+          .header("X-ACM-Data-Source", "aad")
+          .send({ netId, isPaidMember: false });
+      },
+    );
     fastify.withTypeProvider<FastifyZodOpenApiTypeProvider>().get(
       "/:netId",
       {
diff --git a/tests/unit/membership.test.ts b/tests/unit/membership.test.ts
@@ -33,10 +33,32 @@ const spySetPaidMembership = vi.spyOn(
 );
 
 describe("Test membership routes", async () => {
-  test("Test getting member", async () => {
+  test("Test getting non-member with UIUC access token", async () => {
     const response = await app.inject({
       method: "GET",
-      url: "/api/v1/membership/valid",
+      url: "/api/v1/membership",
+      headers: {
+        "x-uiuc-token":
+          "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImlhdCI6MTY3Mjc2NjAyOCwiZXhwIjoxNjc0NDk0MDI4fQ.kCak9sLJr74frSRVQp0_27BY4iBCgQSmoT3vQVWKzJg",
+      },
+    });
+    expect(response.statusCode).toBe(200);
+    const responseDataJson = (await response.json()) as EventGetResponse;
+    expect(response.headers).toHaveProperty("x-acm-data-source");
+    expect(response.headers["x-acm-data-source"]).toEqual("aad");
+    expect(responseDataJson).toEqual({
+      netId: "fjkldk99",
+      isPaidMember: false,
+    });
+  });
+  test("Test getting member with UIUC access token", async () => {
+    const response = await app.inject({
+      method: "GET",
+      url: "/api/v1/membership",
+      headers: {
+        "x-uiuc-token":
+          "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImlhdCI6MTY3Mjc2NjAyOCwiZXhwIjoxNjcyODAyMDI4fQ.P1_rB3hJ5afwiG4TWXLq6jOAcVJkvQZ2Z-ZZOnQ1dZw",
+      },
     });
     expect(response.statusCode).toBe(200);
     const responseDataJson = (await response.json()) as EventGetResponse;
diff --git a/tests/unit/vitest.setup.ts b/tests/unit/vitest.setup.ts
@@ -13,6 +13,10 @@ import {
   testSecretJson,
   uinSecretJson,
 } from "./secret.testdata.js";
+import {
+  UnauthenticatedError,
+  ValidationError,
+} from "../../src/common/errors/index.js";
 
 const ddbMock = mockClient(DynamoDBClient);
 const smMock = mockClient(SecretsManagerClient);
@@ -29,6 +33,56 @@ vi.mock(
   },
 );
 
+vi.mock(import("../../src/api/functions/uin.js"), async (importOriginal) => {
+  const mod = await importOriginal();
+  return {
+    ...mod,
+    verifyUiucAccessToken: vi.fn(
+      async ({
+        accessToken,
+        logger,
+      }: {
+        accessToken: string | string[] | undefined;
+        logger: unknown;
+      }) => {
+        if (!accessToken) {
+          throw new UnauthenticatedError({
+            message: "Access token not found.",
+          });
+        }
+        if (Array.isArray(accessToken)) {
+          throw new ValidationError({
+            message: "Multiple tokens cannot be specified!",
+          });
+        }
+        const validTokens = {
+          "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImlhdCI6MTY3Mjc2NjAyOCwiZXhwIjoxNjc0NDk0MDI4fQ.kCak9sLJr74frSRVQp0_27BY4iBCgQSmoT3vQVWKzJg":
+            {
+              userPrincipalName: "fjkldk99@illinois.edu",
+              givenName: "Infra",
+              surname: "Testing",
+              mail: "fjkldk99@illinois.edu",
+            },
+          "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImlhdCI6MTY3Mjc2NjAyOCwiZXhwIjoxNjcyODAyMDI4fQ.P1_rB3hJ5afwiG4TWXLq6jOAcVJkvQZ2Z-ZZOnQ1dZw":
+            {
+              userPrincipalName: "valid@illinois.edu",
+              givenName: "Infra",
+              surname: "Testing",
+              mail: "valid@illinois.edu",
+            },
+        };
+        if (accessToken in validTokens) {
+          return validTokens[accessToken as keyof typeof validTokens];
+        } else {
+          throw new UnauthenticatedError({
+            message: "Invalid or expired access token.",
+          });
+        }
+      },
+    ),
+  };
+});
+
 vi.mock(
   import("../../src/api/functions/authorization.js"),
   async (importOriginal) => {
