winglang · mbonig · Oct 31, 2022 · Nov 17, 2022 · Nov 17, 2022 · Nov 17, 2022
diff --git a/docusaurus.config.js b/docusaurus.config.js
@@ -71,7 +71,8 @@ const config = {
               dropdownActiveClassDisabled: true,
             },
             {
-              href: earlyAccessRequestUrl, label: 'Request Early Access', position: 'right',
+              type: 'custom-invite-form-button',
+              position: 'right',
             },
             {
               href: slackUrl,

diff --git a/infrastructure/.eslintrc.json b/infrastructure/.eslintrc.json
diff --git a/infrastructure/.gitattributes b/infrastructure/.gitattributes
diff --git a/infrastructure/.gitignore b/infrastructure/.gitignore
diff --git a/infrastructure/.projen/deps.json b/infrastructure/.projen/deps.json
diff --git a/infrastructure/.projen/files.json b/infrastructure/.projen/files.json
diff --git a/infrastructure/.projen/tasks.json b/infrastructure/.projen/tasks.json
diff --git a/infrastructure/.projenrc.ts b/infrastructure/.projenrc.ts
@@ -6,8 +6,11 @@ const project = new awscdk.AwsCdkTypeScriptApp({
   name: 'infrastructure',
   packageManager: NodePackageManager.NPM,
   deps: [
-    '@types/aws-lambda',
+    '@aws-cdk/aws-apigatewayv2-alpha',
+    '@aws-cdk/aws-apigatewayv2-authorizers-alpha',
+    '@aws-cdk/aws-apigatewayv2-integrations-alpha',
     '@aws-sdk/client-secrets-manager',
+    '@types/aws-lambda',
     'axios',
     'cdk-iam-floyd',
     'cdk-lambda-layer-zip',

diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -38,6 +38,16 @@ The GitHub PAT should have full access to the winglang-docs repo.
 The `SSHSecret` secret stored an SSH private key for use by the Lambda to authenticate against GitHub for SSH access.
 The public keys needs to be registered against a user that has full read/write access to the winglang-docs repo.
 
+## Auth0 isAuthorized API
+
+Auth0 needs a way to know if a user is authorized in the preview, so that the user can be granted access to the docs site.
+
+The flow is:
+
+User logs in -> Auth0 calls our /isAuthorized API providing the GH username -> Checks GitHub contributor team
+
+If the user is part of the contributor team in the winglang org, then auth0 will add the WingAlpha role to the user.
+This WingAlpha role is checked by the site to see if the user is authorized to view content.
 
 # Contributing
 

diff --git a/infrastructure/package-lock.json b/infrastructure/package-lock.json
diff --git a/infrastructure/package.json b/infrastructure/package.json
diff --git a/infrastructure/src/auth0/login.js b/infrastructure/src/auth0/login.js
@@ -0,0 +1,55 @@
+const axios = require('axios');
+const ManagementClient = require('auth0').ManagementClient;
+
+const INTERNAL_MONADA = 'rol_OcFCwJSr66yn4ypb';
+const WING_ALPHA = 'rol_11Yl2F0IzsPqrKap';
+const management = new ManagementClient({
+  domain: 'dev-9zrd68w6.us.auth0.com',
+  clientId: 'knS4VZ6cYmn4zYksQx6IbLMXvxU01LT6',
+  clientSecret: '<generate from auth0 ui>',
+  scope: 'read:users update:users create:role_members read:role_members',
+});
+
+const serviceCredentials = {
+  username: "[email protected]",
+  password: "<get from auth0 ui>",
+};
+const IS_AUTHORIZED_FLAG = 'IsAuthorized';
+const baseApi = `https://0ed4s65ntl.execute-api.us-east-1.amazonaws.com`;
+
+exports.onExecutePostLogin = async (event, api) => {
+  if (!event.user.user_metadata[IS_AUTHORIZED_FLAG]) {
+    console.log("getting oauth client");
+    const tokenResults = await axios.post('https://dev-9zrd68w6.us.auth0.com/oauth/token', {
+      ...serviceCredentials,
+      grant_type: "client_credentials",
+      client_id: "VM5b43had3mDliqXzlua3lTAVA2OXa2v",
+      client_secret: "<get from auth0 ui>",
+      audience: "https://api.contribute.monada.co"
+    });
+    const {access_token: token} = tokenResults.data;
+
+    console.log("Checking if authorized");
+
+    const results = await axios.get(`${baseApi}/isAuthorized`, {
+      params: {
+        username: event.user.nickname
+      },
+      headers:{
+        Authorization: `Bearer ${token}`
+      }
+    });
+    console.log("got auth info");
+
+    if (results.data.isAuthorized) {
+      await management.assignRolestoUser({id: event.user.user_id}, {roles: [WING_ALPHA]});
+      await api.user.setUserMetadata('WingAlpha', 'true');
+      await api.user.setUserMetadata(IS_AUTHORIZED_FLAG, 'true');
+    }
+  }
+
+  // is this a monada user?
+  if (event.user.email?.endsWith('@monada.co')) {
+    await management.assignRolestoUser({id: event.user.user_id}, {roles: [INTERNAL_MONADA]});
+  }
+};
diff --git a/infrastructure/src/constructs/BackendApi.ts b/infrastructure/src/constructs/BackendApi.ts
@@ -0,0 +1,34 @@
+import { HttpApi } from '@aws-cdk/aws-apigatewayv2-alpha';
+import { HttpJwtAuthorizer } from '@aws-cdk/aws-apigatewayv2-authorizers-alpha';
+import { CfnOutput } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+
+export class BackendApi extends Construct {
+  api: HttpApi;
+  jwtAuthorizer: HttpJwtAuthorizer;
+
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+    this.jwtAuthorizer = new HttpJwtAuthorizer('Auth0', 'https://dev-9zrd68w6.us.auth0.com/', {
+      jwtAudience: ['https://api.contribute.monada.co'],
+      identitySource: ['$request.header.Authorization'],
+      authorizerName: 'Auth0',
+    });
+
+    this.api = new HttpApi(this, 'Api', {
+      apiName: 'ContributorPortalApi',
+      createDefaultStage: true,
+      // defaultDomainMapping: {
+      //   domainName: new DomainName(this, 'DomainName', {
+      //     domainName: 'api.winglang.io',
+      //     certificate: new DnsValidatedCertificate()
+      //   },
+      // },
+    });
+
+    new CfnOutput(this, 'ApiEndpoint', {
+      value: this.api.url!,
+    });
+  }
+
+}