login mvp

Author: Logan-Dang

app/backend/src/api_impl/api/auth.rs

@@ -1,31 +1,77 @@
-use aws_sdk_cognitoidentityprovider::types::AuthFlowType;
+use anyhow::{Error, Result, anyhow};
+use aws_sdk_cognitoidentityprovider::{
+    error::SdkError, operation::admin_initiate_auth::AdminInitiateAuthError, types::AuthFlowType,
+};
 use axum_extra::extract::{CookieJar, Host};
 use http::Method;
 use openapi::{
     apis::auth::{Auth, AuthLoginPostResponse},
-    models::AuthLoginPostRequest,
+    models::{AuthLoginPost200Response, AuthLoginPostRequest},
 };
 
-use crate::api_impl::{api::ApiImpl, error::ApiError};
+use crate::api_impl::api::ApiImpl;
 
 #[async_trait::async_trait]
-impl Auth<ApiError> for ApiImpl {
+impl Auth<Error> for ApiImpl {
     async fn auth_login_post(
         &self,
 
         _method: &Method,
         _host: &Host,
         _cookies: &CookieJar,
-        _body: &AuthLoginPostRequest,
-    ) -> Result<AuthLoginPostResponse, ApiError> {
-        // self.cognito_client
-        //     .admin_initiate_auth()
-        //     .user_pool_id(self.cognito_user_pool_id.clone())
-        //     .client_id(self.cognito_client_id.clone())
-        //     .auth_flow(AuthFlowType::AdminUserPasswordAuth)
-        //     .send()
-        //     .await?;
-
-        todo!()
+        body: &AuthLoginPostRequest,
+    ) -> Result<AuthLoginPostResponse> {
+        let admin_initiate_auth_result = self
+            .cognito_client
+            .admin_initiate_auth()
+            .user_pool_id(&self.cognito_user_pool_id)
+            .client_id(&self.cognito_client_id)
+            .auth_flow(AuthFlowType::AdminUserPasswordAuth)
+            .auth_parameters("USERNAME", &body.email)
+            .auth_parameters("PASSWORD", &body.password)
+            .send()
+            .await;
+
+        let admin_initiate_auth_output = match admin_initiate_auth_result {
+            Ok(output) => output,
+            Err(SdkError::ServiceError(err))
+                if matches!(
+                    err.err(),
+                    AdminInitiateAuthError::UserNotFoundException { .. }
+                        | AdminInitiateAuthError::NotAuthorizedException { .. }
+                ) =>
+            {
+                return Ok(AuthLoginPostResponse::Status401_InvalidCredentials(
+                    "Invalid email or password".to_string(),
+                ));
+            }
+            Err(err) => {
+                return Err(anyhow!(
+                    "Error during Cognito authentication. for user {:?}: {:?}",
+                    body.email,
+                    err
+                ));
+            }
+        };
+
+        let auth_result = admin_initiate_auth_output
+            .authentication_result()
+            .ok_or(anyhow!(
+                "Authentication result missing from Cognito response"
+            ))?;
+
+        let token = auth_result
+            .access_token()
+            .map(|at| at.to_string())
+            .ok_or(anyhow!("Access token missing from Cognito response"))?;
+
+        let user_id = auth_result
+            .id_token()
+            .map(|id| id.to_string())
+            .ok_or(anyhow!("ID token missing from Cognito response"))?;
+
+        Ok(AuthLoginPostResponse::Status200_LoginSuccessful(
+            AuthLoginPost200Response { token, user_id },
+        ))
     }
 }

app/backend/src/main.rs

@@ -11,6 +11,7 @@ mod api_impl;
 #[tokio::main]
 async fn main() -> Result<()> {
     tracing_subscriber::fmt()
+        .with_ansi(false)
         .with_max_level(tracing::Level::ERROR)
         .init();
 

app/deployment/lib/deployment-stack.ts

@@ -15,6 +15,23 @@ export class HeartOfTheValleyStack extends cdk.Stack {
       deletionProtection: true,
     });
 
+    const adminUserPool = new cdk.aws_cognito.UserPool(
+      this,
+      "HeartOfValleyAdminUserPool",
+      {
+        selfSignUpEnabled: false,
+        signInAliases: {
+          email: true,
+        },
+      },
+    );
+    const cognitoClient = adminUserPool.addClient("AdminUserPoolClient", {
+      disableOAuth: true,
+      authFlows: {
+        adminUserPassword: true,
+      },
+    });
+
     const apiHandler = new cdk.aws_lambda.Function(
       this,
       "HeartOfValleyApiHandler",
@@ -44,11 +61,14 @@ export class HeartOfTheValleyStack extends cdk.Stack {
         ],
         environment: {
           TABLE_NAME: table.tableName,
+          COGNITO_USER_POOL_ID: adminUserPool.userPoolId,
+          COGNITO_CLIENT_ID: cognitoClient.userPoolClientId,
         },
       },
     );
 
     table.grantReadWriteData(apiHandler);
+    adminUserPool.grant(apiHandler, "cognito-idp:AdminInitiateAuth");
 
     const frontendBucket = new cdk.aws_s3.Bucket(
       this,
@@ -133,20 +153,6 @@ export class HeartOfTheValleyStack extends cdk.Stack {
       },
     });
 
-    const adminUserPool = new cdk.aws_cognito.UserPool(
-      this,
-      "HeartOfValleyAdminUserPool",
-      {
-        selfSignUpEnabled: false,
-        signInAliases: {
-          email: true,
-        },
-      },
-    );
-    adminUserPool.addClient("AdminUserPoolClient", {
-      disableOAuth: true,
-    });
-
     new cdk.CfnOutput(this, "FrontendBucketName", {
       value: frontendBucket.bucketName,
     });

openapi-spec/paths/auth/login.yaml

@@ -22,7 +22,7 @@ post:
             - email
             - password
   responses:
-    '200':
+    "200":
       description: Login successful
       content:
         application/json:
@@ -32,14 +32,23 @@ post:
               token:
                 type: string
                 description: Authentication token
-              user:
-                type: object
-                properties:
-                  id:
-                    type: string
-                  email:
-                    type: string
-    '401':
+              userId:
+                type: string
+                description: ID of the authenticated user
+            required:
+              - token
+              - userId
+    "400":
+      description: Bad request
+      content:
+        text/plain:
+          schema:
+            type: string
+    "401":
       description: Invalid credentials
-    '400':
-      description: Bad request
+      content:
+        text/plain:
+          schema:
+            type: string
+    "500":
+      description: Internal server error