violet-ts · solufa · Nov 20, 2021 · Nov 19, 2021 · Nov 19, 2021 · Nov 19, 2021
diff --git a/.env.example b/.env.example
@@ -14,4 +14,6 @@ TZ=Asia/Tokyo
 MINIO_ROOT_USER=minio
 MINIO_ROOT_PASSWORD=password
 S3_ENDPOINT=http://localhost:9000
+FIREBASE_AUTH_EMULATOR_HOST=localhost:9099
+GCIP_PROJECT=emulator
 PRETTY_LOGGING=1
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -48,6 +48,12 @@ module.exports = {
     '@typescript-eslint/explicit-module-boundary-types': 'off',
     '@typescript-eslint/no-empty-function': 'off',
     '@typescript-eslint/consistent-type-imports': 'error',
+    '@typescript-eslint/no-unused-vars': [
+      'error',
+      {
+        argsIgnorePattern: '^_',
+      },
+    ],
     'object-shorthand': [
       'error',
       'always',
@@ -69,6 +75,10 @@ module.exports = {
           'error',
           {
             patterns: [
+              {
+                group: ['firebase/*'],
+                message: `do not directly import firebase/* instead use src/utils/firebase`,
+              },
               {
                 group: ['.prisma/*'],
                 message: `do not use .prisma/* instead use @prisma/*`,

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -13,23 +13,33 @@
 
 # security
 /.github/ @violet-ts/security
-**/package.json @violet-ts/security
+package.json @violet-ts/security
+pnpm-lock.yaml @violet-ts/security
+ws-credential.ts @violet-ts/security
+/pkg/api/api/auth/ @violet-ts/security
+/pkg/api/api/csrf/ @violet-ts/security
+.env @violet-ts/security
+.env.production @violet-ts/security
+.env.example @violet-ts/security
 pnpm-lock.yaml @violet-ts/security
-**/aws-credential.ts @violet-ts/infrastructure
 
 # infrastructure
 /.github/ @violet-ts/infrastructure
-**/package.json @violet-ts/infrastructure
+package.json @violet-ts/infrastructure
 /pkg/api/scripts/ @violet-ts/infrastructure
 /pkg/api/prisma/ @violet-ts/infrastructure
 /pkg/api/api/healthz/ @violet-ts/infrastructure
-/pkg/api/.env.example @violet-ts/infrastructure
-/pkg/api/src/utils/envValues.ts @violet-ts/infrastructure
-/pkg/api/src/utils/envValues.ts @violet-ts/infrastructure
-**/s3.ts @violet-ts/infrastructure
-**/aws-credential.ts @violet-ts/infrastructure
-
+/pkg/api/api/auth/ @violet-ts/infrastructure
+/pkg/api/api/csrf/ @violet-ts/infrastructure
+/pkg/api/src/service/firebase-admin/ @violet-ts/infrastructure
+.env @violet-ts/infrastructure
+.env.production @violet-ts/infrastructure
+.env.example @violet-ts/infrastructure
+/pkg/def/ @violet-ts/infrastructure
+s3.ts @violet-ts/infrastructure
+aws-credential.ts @violet-ts/infrastructure
 /pkg/web/public/ @violet-ts/infrastructure
 /pkg/web/next.config.js @violet-ts/infrastructure
+/pkg/web/src/utils/firebase/ @violet-ts/infrastructure
 /docker/ @violet-ts/infrastructure
 /docker-compose.yml @violet-ts/infrastructure
diff --git a/CONTRIBUTING-ja.md b/CONTRIBUTING-ja.md
@@ -21,6 +21,7 @@ pnpm run dev
 - web: [http://localhost:3000](http://localhost:3000)
 - api: [http://localhost:8080](http://localhost:8080)
 - minio ui: [http://localhost:9001](http://localhost:9001)
+- Firebase Auth Suite Auth:[http://localhost:4000/auth](http://localhost:4000/auth)
 
 ### チェックアウト後
 
@@ -53,12 +54,49 @@ pnpm exec prisma studio
 docker-compose exec mysql bash -c "mysql -u root -proot"
 ```
 
+### Authentication
+
+プロダクションのアイデンティティ管理には [Google Cloud Identity Platform (GCIP)](https://cloud.google.com/identity-platform) を使用します。
+ただし、開発中はデフォルトで Firebase emulator を使う用になっています。
+
+#### Firebase エミュレータを使用
+
+特に設定は要りません。以下のユーザ名とパスワードのセットがデフォルトで入った状態で起動します。 noicon1 はアイコンが設定されていないユーザです。
+認証方法はメール以外は使用できません。
+
+```
+[email protected]
+testuserexample1
+[email protected]
+testuserexample2
+[email protected]
+noicon1
+```
+
+#### GCIP につなぐ
+
+ローカル環境を GCIP 環境に接続することも可能です。以下のように環境変数をセットします。
+
+```
+# .env
+GOOGLE_APPLICATION_CREDENTIALS=/path/to/dir/gcloud-violet-credential.json
+GCLOUD_PROJECT=your-proj
+FIREBASE_AUTH_EMULATOR_HOST=
+```
+
+```
+# pkg/web/.env.local
+NEXT_PUBLIC_GCIP_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+NEXT_PUBLIC_GCIP_AUTH_DOMAIN=your-proj.firebaseapp.com
+NEXT_PUBLIC_AUTH_EMULATOR=
+```
+
 ### Lambda 内のソースコードに変更があった際
 
-Lambda Docker は起動時のコードが使用され続けるので、リビルドしても、再起動が必要です。これは一瞬で終わります。
+Lambda Docker は、依存のバージョンアップをしたなど、場合によっては再起動が必要です。これは一瞬で終わります。
 
-- `docker rm -f lambda; docker up -d lambda`
-- `docker up lambda` でアタッチされている状態のまま `CTRL-C` (`CTRL-\` で抜けれます)、その後 `docker up lambda`
+- `docker-compose rm -f lambda; docker-compose up -d lambda`
+- `docker-compose up lambda` でアタッチされている状態のまま `CTRL-C` (`CTRL-\` で抜けれます)、その後 `docker-compose up lambda`
 
 
 ## コーディングルール
@@ -68,6 +106,11 @@ Lambda Docker は起動時のコードが使用され続けるので、リビル
 - `pnpm run lint -w` でチェック
 - `pnpm run lint:fix -w` で自動修正
 
+### ルーティング
+
+- api, web ともに `/dev/` 配下は staging 以降はロードバランサで弾きます。 (予定)
+  - 危険な操作ができるような API は作成を避けてください
+
 ### Dockerfile
 
 - `hadolint` を使用します。ルール指定をスクリプト経由でしているので、スクリプトから起動してください

diff --git a/NOTICE b/NOTICE
@@ -0,0 +1,17 @@
+## googleapis/google-auth-library-nodejs awsclient.ts
+
+https://github.com/googleapis/google-auth-library-nodejs/blob/5ed910513451c82e2551777a3e2212964799ef8e/src/auth/awsclient.ts
+
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -12,6 +12,17 @@ services:
       - mysql_data:/var/lib/mysql
       - ./docker/dev/mysql/my.cnf:/etc/mysql/conf.d/my.cnf
 
+  firebase:
+    build: ./docker/dev/firebase
+    restart: always
+    ports:
+      - 9099:9099 # Auth
+      - 4000:4000 # Emulator Suite UI
+    env_file:
+      - ./.env
+    working_dir: /opt/workspace
+    command: firebase emulators:start --only=auth --project=emulator --import=seeder
+
   minio:
     image: minio/minio
     restart: always

diff --git a/docker/dev/firebase/Dockerfile b/docker/dev/firebase/Dockerfile
@@ -0,0 +1,10 @@
+FROM node:14-buster
+
+RUN apt-get update -y
+RUN ( \
+  apt-get install -y --no-install-recommends \
+    curl \
+    openjdk-11-jre-headless \
+)
+RUN npm install -g firebase-tools
+COPY . /opt/workspace/
diff --git a/docker/dev/firebase/firebase.json b/docker/dev/firebase/firebase.json
@@ -0,0 +1,13 @@
+{
+  "emulators": {
+    "auth": {
+      "host": "0.0.0.0",
+      "port": 9099
+    },
+    "ui": {
+      "enabled": true,
+      "host": "0.0.0.0",
+      "port": 4000
+    }
+  }
+}
diff --git a/docker/dev/firebase/seeder/auth_export/accounts.json b/docker/dev/firebase/seeder/auth_export/accounts.json
@@ -0,0 +1,74 @@
+{
+  "kind": "identitytoolkit#DownloadAccountResponse",
+  "users": [
+    {
+      "localId": "DPSkoJjj8KsGHcQbxTgrjBvWBvry",
+      "createdAt": "1637156432583",
+      "lastLoginAt": "1637156432583",
+      "displayName": "Test User1",
+      "photoUrl": "https://github.com/icons8/flat-color-icons/raw/master/svg/businessman.svg",
+      "emailVerified": false,
+      "email": "[email protected]",
+      "salt": "fakeSaltgovA2leAJckPXg5eYKxn",
+      "passwordHash": "fakeHash:salt=fakeSaltgovA2leAJckPXg5eYKxn:password=testuserexample1",
+      "passwordUpdatedAt": 1637156432583,
+      "validSince": "1637156432",
+      "providerUserInfo": [
+        {
+          "providerId": "password",
+          "email": "[email protected]",
+          "federatedId": "[email protected]",
+          "rawId": "[email protected]",
+          "displayName": "Test User1",
+          "photoUrl": "https://github.com/icons8/flat-color-icons/raw/master/svg/businessman.svg"
+        }
+      ]
+    },
+    {
+      "localId": "K9oXOw5p4rYejYmqSUnmOTszIayh",
+      "createdAt": "1637156463904",
+      "lastLoginAt": "1637156463903",
+      "displayName": "No Icon1",
+      "photoUrl": "",
+      "emailVerified": false,
+      "email": "[email protected]",
+      "salt": "fakeSaltTtKyT0aMQ0ejTo3WMwE2",
+      "passwordHash": "fakeHash:salt=fakeSaltTtKyT0aMQ0ejTo3WMwE2:password=noicon1",
+      "passwordUpdatedAt": 1637156463903,
+      "validSince": "1637156463",
+      "providerUserInfo": [
+        {
+          "providerId": "password",
+          "email": "[email protected]",
+          "federatedId": "[email protected]",
+          "rawId": "[email protected]",
+          "displayName": "No Icon1",
+          "photoUrl": ""
+        }
+      ]
+    },
+    {
+      "localId": "t5lq8rDTp238rIIhJm1se9xniNmR",
+      "createdAt": "1637156455279",
+      "lastLoginAt": "1637156455279",
+      "displayName": "Test User2",
+      "photoUrl": "https://github.com/icons8/flat-color-icons/raw/master/svg/businesswoman.svg",
+      "emailVerified": false,
+      "email": "[email protected]",
+      "salt": "fakeSaltdbUljyCSmcidArL2dqed",
+      "passwordHash": "fakeHash:salt=fakeSaltdbUljyCSmcidArL2dqed:password=testuserexample2",
+      "passwordUpdatedAt": 1637156455279,
+      "validSince": "1637156455",
+      "providerUserInfo": [
+        {
+          "providerId": "password",
+          "email": "[email protected]",
+          "federatedId": "[email protected]",
+          "rawId": "[email protected]",
+          "displayName": "Test User2",
+          "photoUrl": "https://github.com/icons8/flat-color-icons/raw/master/svg/businesswoman.svg"
+        }
+      ]
+    }
+  ]
+}
diff --git a/docker/dev/firebase/seeder/auth_export/config.json b/docker/dev/firebase/seeder/auth_export/config.json
@@ -0,0 +1 @@
+{ "signIn": { "allowDuplicateEmails": false } }
diff --git a/docker/dev/firebase/seeder/firebase-export-metadata.json b/docker/dev/firebase/seeder/firebase-export-metadata.json
@@ -0,0 +1,7 @@
+{
+  "version": "9.22.0",
+  "auth": {
+    "version": "9.22.0",
+    "path": "auth_export"
+  }
+}
diff --git a/docker/dev/lambda/conv2img/Dockerfile b/docker/dev/lambda/conv2img/Dockerfile
@@ -7,8 +7,7 @@ RUN yum install -y libreoffice
 RUN yum install -y libreoffice-langpack-ja
 RUN yum install -y ImageMagick
 RUN yum install -y libwebp-tools
-RUN yum clean all
 
 ENV NODE_ENV development
 
-CMD ["pkg/lambda/conv2img/bin/index.handler"]
+CMD ["pkg/lambda/conv2img/build/index.handler"]
diff --git a/docker/prod/api/Dockerfile b/docker/prod/api/Dockerfile
@@ -27,4 +27,4 @@ WORKDIR /app/pkg/api
 EXPOSE 80
 
 ENTRYPOINT []
-CMD ["node", "--require=source-map-support/register", "./build/index.js"]
+CMD ["node", "./build/index.js"]
diff --git a/docker/prod/lambda/apiexec/Dockerfile b/docker/prod/lambda/apiexec/Dockerfile
@@ -17,4 +17,4 @@ RUN ( \
   && rm -rf "$HOME/.pnpm-store" \
 )
 
-CMD ["pkg/api/bin/lambda.handler"]
+CMD ["pkg/api/build/lambda.handler"]
diff --git a/docker/prod/lambda/conv2img/Dockerfile b/docker/prod/lambda/conv2img/Dockerfile
@@ -27,4 +27,4 @@ RUN ( \
   && rm -rf "$HOME/.pnpm-store" \
 )
 
-CMD ["pkg/lambda/conv2img/bin/index.handler"]
+CMD ["pkg/lambda/conv2img/build/index.handler"]
diff --git a/docker/prod/web/Dockerfile b/docker/prod/web/Dockerfile
@@ -1,5 +1,9 @@
 FROM node:14-buster
 ARG API_ORIGIN
+ARG API_BASE_PATH
+ARG NEXT_PUBLIC_AUTH_SHOW_EMAIL
+ARG NEXT_PUBLIC_GCIP_API_KEY
+ARG NEXT_PUBLIC_GCIP_AUTH_DOMAIN
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN ( \

diff --git a/package.json b/package.json
@@ -60,6 +60,7 @@
     "jest-fetch-mock": "^3.0.3",
     "node-dev": "^7.1.0",
     "npm-run-all": "^4.1.5",
+    "onchange": "^7.1.0",
     "pathpida": "^0.17.0",
     "postcss": "^8.3.6",
     "prettier": "^2.3.2",

diff --git a/pkg/api/api/auth/controller.ts b/pkg/api/api/auth/controller.ts
@@ -0,0 +1,3 @@
+import { defineController } from './$relay'
+
+export default defineController(() => ({}))
diff --git a/pkg/api/api/auth/index.ts b/pkg/api/api/auth/index.ts
@@ -0,0 +1 @@
+export type Methods = Record<string, never>
diff --git a/pkg/api/api/auth/session/controller.ts b/pkg/api/api/auth/session/controller.ts
@@ -0,0 +1,34 @@
+import { getCachedApp } from '@violet/api/src/service/firebase-admin'
+import { defineController } from './$relay'
+
+// https://firebase.google.com/docs/auth/admin/manage-cookies
+export default defineController(() => ({
+  post: async ({ body: { idToken }, env, logger, setCookie }) => {
+    // TODO(security): kick too old tokens
+    const auth = getCachedApp({ env, logger }).auth()
+    // 5 days
+    const expiresIn = 60 * 60 * 24 * 5 * 1000
+    const sessionCookie = await auth.createSessionCookie(idToken, { expiresIn })
+    setCookie('session', sessionCookie, {
+      signed: true,
+      maxAge: expiresIn,
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      path: '/',
+    })
+    return {
+      status: 200,
+      body: {},
+    }
+  },
+  delete: async ({ setCookie }) => {
+    setCookie('session', '', {
+      maxAge: 0,
+      path: '/',
+    })
+    return {
+      status: 200,
+      body: {},
+    }
+  },
+}))
diff --git a/pkg/api/api/auth/session/index.ts b/pkg/api/api/auth/session/index.ts
@@ -0,0 +1,10 @@
+export type Methods = {
+  post: {
+    reqBody: {
+      idToken: string
+    }
+  }
+  delete: {
+    reqBody: Record<string, never>
+  }
+}
diff --git a/pkg/api/api/auth/user/controller.ts b/pkg/api/api/auth/user/controller.ts
@@ -0,0 +1,8 @@
+import { defineController } from './$relay'
+
+export default defineController(() => ({
+  get: async ({ getUserClaims }) => ({
+    status: 200,
+    body: await getUserClaims(),
+  }),
+}))