add jwt and terraform setting update

.gitignore

@@ -2,6 +2,7 @@ node_modules
 aws_key.json
 google_key.json
 .terraform
+*.tar
 *.log
 dist
 index.zip

.travis.yml

@@ -8,14 +8,13 @@ cache:
     - "$HOME/terraform"
 env:
   global:
-    - secure: p/c6ViUEAHhs0nV7xWVZCrfxjFwSVVENcT89HwgaPk0t8KsPbmA13dR8Zz6lJ8qUBMpx+MKm0c98/aG/JFUQrc9D8gbpBpU5wJUlHpO4ZdXww2U13+baDFe3md84t7oFxKzEcAvFo0G/tRFTFyir+jgzGwlwAlB18+iKwc+4Zg9GmFgkp/sO84A/SIIAa9VM7ELNG4Z9B8wtYd+iTQfy20noF6M6QYq9HyhU5oeVLjnrchpjUO4SCXsHuh6uAVbCuFNA9yXxrD3IVEedfB0Grpniwvcjlfj+LvximYccn1Ppw+Q6pQEif2ZgfQySuk/T53ZFnZTpEy2U3uc470rLaaRYLiBOdG3Fad1Lh8SOfXPPrX1pc2BOdg4962XtlD//88FXzWyxk2bg4ID27xFc+huWUJ8dEjzFNFjT74o2dO0BW7u0RtK9JqggI2kwcJn4NkbXUomhO7LeEe6gST2vL7AZt7+A2i72N4y2EZiMaIsgPlgrQ8zesX/yI4/Oju2Q6eq4WNCygyHwQvMeNt5nP5MI136MyBKAV22abxLgqVnlP1xSXNAgHMDxBkd5I/oSciDZ+kx36sEpRKOlbyYSP7QTPHekR1B6XWXBtL2VwwFuPQ2lBmlgOVMwBFZQGL6KQgljJ2suC2gpdq1duEjqZsjHzSvrilKT75UqkaXRqHk=
-    - secure: TGzr6ASX+P6AVAaL5Kw+PjD+embUp4IXjette2HIWRNht39bJiaYIWv9noM61xPa6yn49EbwcMtDOsfwehF7BwnBcH3c8YrvGYOpCgC8StpEvFi5QLbOz/GcUd/pSjW5zdQHtIiJF/BrYj76neiFZ7+y4CNUICZYyChUkBPeughWqMZH0RQ9CqikGVgDekYADay93MQXzFYBoYgk3fPfXYtBZyW5xSh4F/NebogL6WTy6zcC9cBROxY8dTsncUZg/DLDxdsAbgbpgHM6mHmrMPIbKF9JxJZZl3xw6lqSBfODOu00eKksMlZbcENkHNt5KBlB0iiVQ7QWUpHqlf8iuMN8tHnE6RZaKbU/XbAjcT6trPELkIntuMyiKNHYuNJenuLxuLhDpbbTAJRQFpp7Aehelp9f1xPEpqBb/lsqZKIy35mqIRefmRyVYLFX+VmUSyf5jozSd4OJaGIqoikNf6NVHeT4UPinAyNmGe1q9rnRuJL0BYNa0Itm4IUzXziM0EtZizGCkhT+2uAd46OH9qxfakOroZ87XCRZ9ikv2otNRF30hEztqH7xtzFoMbLNuxxnjEPVF5IqwsAmxF7L4aCs5eg1ODuM5nuAU29GmvseDMb/TM/UzaNxGF7wZheiVy8rziL9xMp7rjjVYrA43WNmIyua/FRfCVh7KwxhW6c=
-    - secure: nHqOVtDgV8c07r7+BJeSnsGlZ+l1tHHgK+FDVi1c2rkGkmS8lhbLU3+JZp1HbSBZmgn3bVe8rxQqz2cPFVXOVwWHWA/xoSTj2xXtHQaKwMvat6ia1f0H94/+ugjAWvm+KI3v87TPUJCFaIo03qQQ0tSdfA+Ik0d3zRyjT7cN0DeNeLg3cNyhffT6D9j117LGCPgOt6UtK39ugIbsjc6HAz0alzEcnLEB8ejb+4g5dNK0YFuY7MlUuVD7EgCM6+0gjrZ392vqM1UXMmEUBzabbpaZ8NCoAO+u94O9lQBtDTU2dIVE3qEi6V1WgqYdu28ThfpVAdBl2OSgcGVIpF2lReQ/u/NimbWGwhCuut9YOQA9gRtJUefylHIgy1OMZroFA8466p+mkdTnH39iORNH5Hx/2pgGCPHk8t/jTfp+Y5XwRppSOARph3hKk/FNf9yAqck/aw30OshX9RWqlDN6v48psc2uyinzm9mNEXCdTYmdcrcvyRPK+fPPOQte3FZVUoabJ3mxzD7d68YQuVdJ8R4DtYYAwQYblLtijUrvfDjuCGvnt4syH9y3gytrcsp+q3pALp4I503pvnMtL0RdTQ1Qvy7Z8K1hEu6UzoQl9dnxNZQMYxtjsxfCuPsEAnHhvgGanimZ1H4jtxfnxXpaUOHwLhDDM7k3tgjyJhSGe2E=
+    - secure: 2T+why6MSVDYZfYagUX1R61xqw1c23b7plCZDRHSqPeVFWXaK27HVwP7+EZZgo54mRmbrp2hyHjvro2l4oG/d2aEu28adGZ5YY/Wbg+LOc2xI6U5cK/9yPtTLiiGXXCbDCehIqoQKcdhWtfWGo0niN9UcDK1NYjSx8BsG402BjYgTgesjda6VvwFeaHNmwfgiGi+XYRWTEBwPFdW0+du1QMrFUHZxKFPAkW6JGz3Xl0JNWcLCidd9tyhMOw+HZxVpVClYvtYhbasl++oQvQ77mmWrdmxxpmjiF4RazpqT4skxZAsgp7DFK7q71r0wnJeQOXbH8uSwLAoqGHHlt9MZi5GftW0OqdUDGLloIuKXLoMI3mNwnXoUCwFXx6dCjlcXJx63taV+u65yAaOMJ1surzoPLPO0RPpKOROyvBCasrx5ybfXxG3GxZf0uEGBVqP3lhIaxGLMTKNDb3eXmqSCwaGREAsJp+CdFtcOEdLRtUpF2hrVTY/fkLTo7FBO7ecU6xHGqqLS9Y7xlnFm89jxyKiq8UPt/lxSsL/N1VOvNo5i2aB3QmW7I8/K0dxR+4Cx7i/KHz5JxrjJAfH2Q13ANhwPHHVKL1dhiiHncUfLUd31XmREHfCA+GtLc3lAK98xX6SzJS6ifkRxGlInVJJbhBfPwUZ70RJBxHKzVJr5A8=
+    - secure: aD4re//j89fthO8x/AdKafB1oixJjhXgiC7KEHcCHtF8eCV2tvn4eRCSmYeMoysZGC5Ln9W8jjJk5FcJbbxLo+wPytsPTf5yD5OZ0cPoNuHb60fTCF/H4kzMEE91uvEdJ/IhOzhijBEoEhRYtYsJe9B9LDccAAHrEXWW111v2iRJopY1qgzrphQRP0f+wg3bafunxS7ZVGSq1WfySfbaDH/U3LgJjkmeMSSMDSJJ4/L1cgWRdSSLVz+1MyTMhGAhGWF94JupSQOZB3Y0IBFujJ6ZLNefO5lelItshabdD1KeBWBs4eruJNmZ4fFbSEH/0YwQE2E94OOkZuIMzXy5KX8kM0MexWALXhA0E1dqbPRCOxMXg4RbumiiBVJ0UhAM9feTDC36CYWzkNoLgnc8RdWPx2KXqVRabW3HocWjkoHRXp4nEPmMxL0RktDQtOLNf1MI/S/Nj7rR7kRk0+dvmKr4Nn7CyxCcUIYM8v0DYH3ZGhmbBnBFpgXr5lIhXpdEdarGOlsgXsV0BghRK7eeJf/stYV1QfdsHo/xbxA9R4ccz5pMk+AkbsLwLcH0W0ql29sydkWgmedQXA8a2rkmVBsWrSKJDC4chJqro3B7D8IvOmrIkd6UgXBEl5ZSgw+uxzeQoDC4v3KXaZJKM91bUco+8Iof1dKy6EH6nzLS3Zk=
+    - secure: ohsHhBqbfVoIClmzHyzUGifuQIFln9cj6qppBX0dGMI0Y0U68Y9IBhRHBu/vjrXvRCy/sT4XwPOy6Wt1NQLLmdr8ic7c8qYx7D526qccbktMYgpOWTyPc0G3U6k+qOy7R9WXve4H5w0/vDsPR8xcwyXV9DCam5iMqhccCzJy3ygvcTA4UoX0tUfESHOEFzFjVzxAIyiVxWHU1LuziKr/lyflxTHCZFwjZBKSadKylBmeXQNlfNsTMaWiVkW6ZL7qXxwNhkvcHuItlVFEJ6x4iqMhi9XOdQ7R8fIylDHCZZZ3tr0QPta8lRSXl06w/B6ZHlt/8nBQ5WMG+4puPYwCKKcHIceKZGWfZGKtrUue9f8COFqIpetMB0uBwPrUbKQVceOO41CCgHaHWXBMXaRPz1Yy27tH9hSNMDstYs8guc+G+AZqJCzJhZoRbKwIlvoNwAWw/juV97K9iTLpeGLMnH8CZy2UwrLwIqW+mfBLWopC00PeM/UPtcmUa4CejupuXJd0sbPmhiu/XISiLlcp7olcE64R+7h+QHaNYGyG2XA/f0yjBO4dsV75fgUn0ptlH7r+HCwTQupzkZD5djmwhh9BR5iOdEGJ47m8LBMQYKtyjP67wmV0B8EYfnB+K+d7g060v24+4FA4QlU77vRyqg8qhxbTtLAY/ee0WR2b0to=
 before_install:
   - openssl aes-256-cbc -K $encrypted_3e39b73e0d5c_key -iv $encrypted_3e39b73e0d5c_iv
-    -in google_key.json.enc -out google_key.json -d
-  - openssl aes-256-cbc -K $encrypted_a0b6ad2b92c2_key -iv $encrypted_a0b6ad2b92c2_iv
-    -in .env.enc -out .env -d
+    -in private.tar.enc -out private.tar -d
+  - tar xvf private.tar
   - |
     if [ ! -d "$HOME/terraform/bin" ]; then
       rm -rf "$HOME/terraform"

src/controllers/graphql/aws.ts

@@ -2,22 +2,34 @@ import { ApolloServer } from "apollo-server-lambda";
 import { typeDefs } from "@/models/graphql/types";
 import { resolvers } from "@/controllers/graphql/resolvers";
 import jwt from "jsonwebtoken";
+import { schemaDirectives } from "@/models/graphql/directives";
 
 export const awsServer = new ApolloServer({
   typeDefs,
   resolvers,
-  context: ({ APIGatewayProxyEvent }) => {
-    if (!APIGatewayProxyEvent.headers.authorization) return { user: undefined };
+  context: ({ event }) => {
+    console.log("event", event);
+    console.log("event.header", event.headers);
+    if (!event.headers.Authorization) {
+      console.log("no header");
+      return { user: undefined };
+    }
 
-    const token = APIGatewayProxyEvent.headers.authorization.substr(7);
+    const token = event.headers.Authorization.substr(7);
+    console.log("token", token);
 
     try {
-      const user = jwt.verify(token, Buffer.from(process.env.JWT_SECRET, "base64"));
+      const user = jwt.verify(token, process.env.JWT_SECRET);
+      console.log("auth success");
+
       return { user };
     } catch {
+      console.log("auth fail");
+
       return { user: undefined };
     }
   },
+  schemaDirectives,
   playground: false,
   introspection: false,
 });

src/controllers/graphql/gcp.ts

@@ -2,23 +2,32 @@ import { ApolloServer, gql } from "apollo-server-cloud-functions";
 import { typeDefs } from "@/models/graphql/types";
 import { resolvers } from "@/controllers/graphql/resolvers";
 import jwt from "jsonwebtoken";
+import { schemaDirectives } from "@/models/graphql/directives";
 
 export const gcpServer = new ApolloServer({
   typeDefs,
   resolvers,
   context: ({ req }) => {
-    if (!req.headers.authorization) return { user: undefined };
+    if (!req.headers.authorization) {
+      console.log("no header");
+      return { user: undefined };
+    }
 
     const token = req.headers.authorization.substr(7);
-
+    console.log("token", token);
     try {
-      const user = jwt.verify(token, Buffer.from(process.env.JWT_SECRET, "base64"));
+      const user = jwt.verify(token, process.env.JWT_SECRET);
+      console.log("yes verify");
+
       return { user };
     } catch {
+      console.log("no verify");
+
       return { user: undefined };
     }
   },
-  playground: false,
-  introspection: false,
+  schemaDirectives,
+  // playground: false,
+  // introspection: false,
 });
 gcpServer.setGraphQLPath("/");

src/controllers/graphql/mutation.ts

@@ -1,9 +1,19 @@
 import { sendmail } from "../mail/ses";
 
 export default {
-  sendEmail: async (_, { to, title, body }, { user }) => {
-    if (!user) return "no auth";
-    const result = await sendmail(to, title, body);
-    return result;
+  sendEmail: async (_, { to, title, body }, { user, ...etc }) => {
+    console.log("user", user);
+    console.log("etc", etc);
+    if (!user) {
+      console.log("true");
+      return { status: 403, message: "no auth" };
+    }
+    console.log("false");
+    try {
+      const result = await sendmail(to, title, body);
+      return { status: 200, message: result.messageId };
+    } catch (err) {
+      return { status: 500, message: err };
+    }
   },
 };

src/models/graphql/directives/auth.ts

@@ -0,0 +1,16 @@
+import { SchemaDirectiveVisitor } from "apollo-server-cloud-functions";
+import { defaultFieldResolver } from "graphql";
+
+export class IsAuthDirective extends SchemaDirectiveVisitor {
+  public visitFieldDefinition(field) {
+    const { resolve = defaultFieldResolver } = field;
+    field.resolve = async function(...args) {
+      const [, {}, { user }] = args;
+      if (!user) {
+        throw new Error("User not authenticated");
+      }
+      // args[2].authUser = authUser;
+      return resolve.apply(this, args);
+    };
+  }
+}

src/models/graphql/directives/index.ts

@@ -0,0 +1,5 @@
+import { IsAuthDirective } from "./auth";
+
+export const schemaDirectives = {
+  isAuth: IsAuthDirective,
+};

src/models/graphql/types.ts

@@ -1,6 +1,8 @@
 import { gql } from "apollo-server-lambda";
 
 export const typeDefs = gql`
+  directive @isAuth on FIELD_DEFINITION
+
   type Response {
     status: Int!
     message: String!

terraform.tf

@@ -1,6 +1,6 @@
 # TF-UPGRADE-TODO: Block type was not recognized, so this block and its contents were not automatically upgraded.
 #init
-
+#module
 terraform {
   backend "remote" {
     hostname     = "app.terraform.io"
@@ -52,7 +52,22 @@ resource "google_cloudfunctions_function" "function" {
 provider "aws" {
   region = "us-east-1"
 }
+#data
+data "aws_vpc" "jclip" {
+  default = true
+}
+
+data "aws_subnet_ids" "default" {
+  vpc_id = data.aws_vpc.jclip.id
+
+
+}
 
+data "aws_security_groups" "default" {
+  tags = {
+    service = "jclip"
+  }
+}
 #source upload
 
 resource "aws_s3_bucket" "jclip_bucket" {
@@ -106,18 +121,85 @@ resource "aws_lambda_permission" "apigw_lambda" {
 }
 
 resource "aws_lambda_function" "lambda" {
-  depends_on    = [aws_s3_bucket_object.jclip_bucket_object]
+
+  depends_on    = [aws_iam_role_policy_attachment.lambda_logs, aws_cloudwatch_log_group.example, aws_s3_bucket_object.jclip_bucket_object]
+  role          = aws_iam_role.iam_for_lambda.arn
   s3_bucket     = "jclip"
   s3_key        = "${data.archive_file.jclip_zip.output_md5}.zip"
   function_name = "jclip_api"
-  role          = aws_iam_role.role.arn
   handler       = "index.awsHandler"
   runtime       = "nodejs8.10"
+   vpc_config {
+    subnet_ids         = data.aws_subnet_ids.default.ids
+    security_group_ids = data.aws_security_groups.default.ids
+  }
   # The filebase64sha256() function is available in Terraform 0.11.12 and later
   # For Terraform 0.11.11 and earlier, use the base64sha256() function and the file() function:
   # source_code_hash = "${base64sha256(file("lambda.zip"))}"
 }
 
+#Aplication LoadBalancer
+
+resource "aws_lb" "default" {
+  name               = "jcliplb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = data.aws_security_groups.default.ids
+  subnets            = data.aws_subnet_ids.default.ids
+
+  enable_deletion_protection = false
+}
+
+resource "aws_lb_target_group" "default" {
+  name        = "jcliplb-TG"
+  target_type = "lambda"
+}
+
+resource "aws_lb_listener" "default" {
+  load_balancer_arn = aws_lb.default.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.default.arn
+  }
+}
+
+resource "aws_lb_listener_rule" "lambda" {
+  listener_arn = aws_lb_listener.default.arn
+  priority     = 100
+
+  action {
+    type             = "forward"
+    target_group_arn =  aws_lb_target_group.default.arn
+  }
+  condition{
+    path_pattern {
+      values = ["/**"]
+    }
+  }
+
+}
+
+resource "aws_lambda_permission" "with_lb" {
+  statement_id  = "AllowExecutionFromLB"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.lambda.function_name
+  principal     = "elasticloadbalancing.amazonaws.com"
+  source_arn    = aws_lb_target_group.default.arn
+}
+
+resource "aws_lb_target_group_attachment" "default" {
+  target_group_arn = aws_lb_target_group.default.arn
+  target_id        = aws_lambda_function.lambda.arn
+}
+
+# return base url
+output "base_url" {
+  value = aws_lb.default.dns_name
+}
+#API gateway
 resource "aws_api_gateway_stage" "default" {
   stage_name    = "default"
   rest_api_id   = aws_api_gateway_rest_api.api.id
@@ -137,11 +219,75 @@ resource "aws_api_gateway_method_response" "response_200" {
   status_code = "200"
 }
 
-# IAM
-resource "aws_iam_role" "role" {
-  name = "myrole"
+# This is to optionally manage the CloudWatch Log Group for the Lambda Function.
+# If skipping this resource configuration, also add "logs:CreateLogGroup" to the IAM policy below.
+resource "aws_cloudwatch_log_group" "example" {
+  name              = "/aws/lambda/jclip_api"
+  retention_in_days = 14
+}
+
+# See also the following AWS managed policy: AWSLambdaBasicExecutionRole
+resource "aws_iam_policy" "lambda_logging" {
+  name = "lambda_logging"
+  path = "/"
+  description = "IAM policy for logging from a lambda"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"],
+      "Resource": "arn:aws:logs:*:*:*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "network" {
+  name = "lambda_network"
+  path = "/"
+  description = "IAM policy for logging from a lambda"
 
-  assume_role_policy = <<POLICY
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:CreateNetworkInterface",
+        "ec2:DeleteNetworkInterface",
+        "ec2:DescribeInstances",
+        "ec2:AttachNetworkInterface"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_logs" {
+  role = aws_iam_role.iam_for_lambda.name
+  policy_arn = aws_iam_policy.network.arn
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_network" {
+  role = aws_iam_role.iam_for_lambda.name
+  policy_arn = aws_iam_policy.lambda_logging.arn
+}
+
+resource "aws_iam_role" "iam_for_lambda" {
+  name = "iam_for_lambda"
+
+  assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -155,7 +301,5 @@ resource "aws_iam_role" "role" {
     }
   ]
 }
-POLICY
-
-}
-
+EOF
+}