Merge branch 'develop'

.github/workflows/build-image.yml

@@ -0,0 +1,61 @@
+on:
+  push:
+    branches:
+      - main
+      - develop
+    tags:
+      - 'v*'
+    paths:
+      - 'backend/**'
+  workflow_dispatch:
+
+name: Build Docker image
+
+jobs:
+  build-docker-image:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: arn:aws:iam::166485377238:role/github-actions-onghub-ecr
+          aws-region: eu-west-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ steps.login-ecr.outputs.registry }}/onghub
+          tags: |
+            type=edge
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: backend
+          builder: ${{ steps.buildx.outputs.name }}
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

README.md

@@ -1,4 +1,4 @@
-# ONG Hub
+# NGO Hub
 
 [![GitHub contributors][ico-contributors]][link-contributors]
 [![GitHub last commit][ico-last-commit]][link-last-commit]

backend/.dockerignore

@@ -1,2 +1,4 @@
-# node_modules
-# npm-debug.log
+/dist
+/node_modules
+npm-debug.log
+.env

backend/.env.example

@@ -1,9 +1,38 @@
-DATABASE_USER=postgres
-DATABASE_PASSWORD=pass123
-DATABASE_NAME=onghub
-DATABASE_PORT=5432
-DATABASE_HOST=localhost
-THROTTLE_TTL=60
-THROTTLE_LIMIT=10
-PORT=3001
-NODE_ENV=local
+DATABASE_HOST=
+DATABASE_USER=
+DATABASE_PASSWORD=
+DATABASE_NAME=
+
+DATABASE_PORT=
+
+THROTTLE_TTL=
+THROTTLE_LIMIT=
+PORT=
+NODE_ENV=
+
+REDIS_HOST=
+REDIS_PORT=
+CACHE_TTL=
+
+MAIL_HOST=
+MAIL_PORT=
+MAIL_USER=
+MAIL_PASS=
+MAIL_FROM=
+MAIL_CONTACT=
+
+COGNITO_USER_POOL_ID=
+COGNITO_CLIENT_ID=
+COGNITO_REGION=
+
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_S3_BUCKET_NAME=
+
+AWS_S3_BUCKET_NAME_PUBLIC=
+
+ENCRYPTION_KEY=
+
+ONGHUB_URL=
+
+LOGGING_LEVEL=

backend/.gitignore

@@ -34,4 +34,9 @@ lerna-debug.log*
 !.vscode/extensions.json
 
 # Env config
-*.env
+*.env
+# Elastic Beanstalk Files
+.elasticbeanstalk/*
+!.elasticbeanstalk/*.cfg.yml
+!.elasticbeanstalk/*.global.yml
+.ebextensions/*

backend/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:14.18.0-alpine3.14 As development
+FROM --platform=linux/amd64 node:16.15.1-alpine As development
 
 WORKDIR /usr/src/app
 
@@ -12,7 +12,7 @@ COPY . .
 
 RUN npm run build
 
-FROM node:14.18.0-alpine3.14 as production
+FROM --platform=linux/amd64 node:16.15.1-alpine as production
 
 ARG NODE_ENV=production
 ENV NODE_ENV=${NODE_ENV}
@@ -23,8 +23,6 @@ COPY package*.json ./
 
 RUN npm install --only=production
 
-COPY . .
-
 COPY --from=development /usr/src/app/dist ./dist
 
 CMD ["node", "dist/main"]

backend/data/pre-auth-hook.json

@@ -0,0 +1,24 @@
+{
+    "version": "1",
+    "region": "eu-central-1",
+    "userPoolId": "eu-central-1_TwmnT1UC2",
+    "userName": "2b0f20b7-9469-4bc6-bd55-c03d93c38b41",
+    "callerContext": {
+        "awsSdkVersion": "aws-sdk-unknown-unknown",
+        "clientId": "400vdublp0f6ln8ijerca34324"
+    },
+    "triggerSource": "PreAuthentication_Authentication",
+    "request": {
+        "userAttributes": {
+            "sub": "2b0f20b7-9469-4bc6-bd55-c03d93c38b41",
+            "cognito:user_status": "CONFIRMED",
+            "email_verified": "true",
+            "phone_number_verified": "true",
+            "phone_number": "+40763764310",
+            "email": "[email protected]"
+        },
+        "validationData": null,
+        "userNotFound": false
+    },
+    "response": {}
+}

backend/docker-compose.yml

@@ -1,6 +1,15 @@
 version: '3'
 
 services:
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    env_file:
+      - .env
+    ports:
+      - 3000:3000
+
   db:
     image: postgres
     restart: always
@@ -9,9 +18,13 @@ services:
     environment:
       POSTGRES_PASSWORD: pass123
       POSTGRES_DB: onghub
-  # mailcatcher:
-  #   restart: on-failure:10
-  #   image: dockage/mailcatcher:0.7.1
-  #   ports:
-  #     - '1080:1080'
-  #     - '1025:1025'
+  redis:
+    image: redis:latest
+    ports:
+      - 6379:6379
+  mailcatcher:
+    restart: on-failure:10
+    image: dockage/mailcatcher:0.7.1
+    ports:
+      - '1080:1080'
+      - '1025:1025'

backend/docs/HMAC_README.md

@@ -0,0 +1,117 @@
+# API Client HMAC Authentication
+
+To perform client API Authentication we use the basic HMAC Authentication scheme in which the request is signed with a **secret key** and sent along with the **api key** to the server.
+
+Each request requires three headers: `authorization`, `signature` and either `date` or `timestamp` (but we will use `timestamp` further). If the HTTP request contains a body, the `content-length` and `content-type` headers are also required.
+
+## Prerequisites
+
+- **API key** - the API key
+- **Client secret** - the secret used by the client to sign the request
+
+## Steps to create the request
+
+1.  Get the uppercase value of the request method type (GET, POST, PUT etc)
+2.  Add `"authorization": "apiKey ${apiKeyValue}"` header to the request
+3.  Add `"timestamp": "${timeStampValue}"` header to the request, where **timeStampValue** represents the date of the request, formatted as UTC String (e.g. 2022-10-10T13:31:38.506Z)
+4.  Get the query value from the request ( = { } if undefined || null || typeof != 'object' )
+    If query != { } ( meaning that the request has query params ) then generate the **queryString** as:
+
+        a) sort the query params by key
+        b) stringify each query param value
+        c) encode the key and the value
+        d) concatenate the key value pair to form the queryString by joining the key - value pair with **=** and multiple pairs with **&**
+
+        Example. For request `https://onghub/api/users?max=3000&active=true&search=Ana Maria` the **queryString** will be `active=true&max=3000&search=Ana%20Maria`.
+
+        If the request does not have any query values, then **queryString = ''** (empty string).
+
+5.  Get the body value from the request.
+    If the request body is present, add the `"content-length": ${bodyBufferByteLength}` header to the request, where **bodyBufferByteLength** is the size in bytes of the body content.
+
+    If the request body is a JSON format, add `"content-type": "application/json"` header to the request
+
+    If the request does not have a body, then **bodyData = ''** (empty string)
+
+6.  [Canonicalize](#canonicalize-the-request) the request to obtain the string to sign.
+7.  Sign the canonical resulting value with **client secret** by applying the HMAC SHA256 algorithm and get the result encoded as string hex value.
+8.  Add the `"signature": "simple-hmac-auth sha256 ${signature}"` header to the request, where **signature** is the one obtained at point 7.
+
+---
+
+### Canonicalize the request
+
+To canonicalize the request, you would need:
+
+1. the uppercase method value obtained at point 1.
+2. the encoded URI of the request (e.q. for request `https://onghub/api/users?max=3000&active=true&search=Ana Maria` the URI is `api/users`
+3. the queryString obtained at point 4.
+4. the request headers
+5. the request body obtained at point 5.
+
+**Steps:**
+
+1. Lowercase the request headers and extract only those included in the following list:
+   - authorization
+   - timestamp
+   - date
+   - content-length (\* don't add this if value = 0)
+   - content-type (\* don't add this if request does not have a body)
+2. Sort the obtained header list alphabetically by key
+3. Take each key - value header pair, make sure the value is a string to trim it, then create the **headerString** by joining the key and trimmed value with **:** . Each key-value pair is separated by **\n** .
+4. Hash the body data with SHA256 and the result as string hex value.
+5. Generate the canonicalized string as:
+   ```
+   let  string  =  '';
+   string  +=  `${method}\n`;
+   string  +=  `${uri}\n`;
+   string  +=  `${queryString}\n`;
+   string  +=  `${headerString}\n`;
+   string  +=  dataHash;
+   ```
+
+#### Example
+
+For a `POST` request
+of `https://onghub/api/users?max=3000&active=true&search=Ana Maria`
+with body `{ "userId": "123" }`
+timestamp `Tue, 11 Oct 2022 07:24:10 GMT`
+API key `ABC.5ec6a9320444e748e3944adf0a7e3caa`
+Secret `iamD2s7IPoPqCfcsabcdQvgdFfD08RlefUUUVNh5XaI=`
+
+the canonicalized result is:
+
+```
+POST
+/api/users
+active=true&max=3000&search=Ana%20Maria
+authorization:apiKey ABC.5ec6a9320444e748e3944adf0a7e3caa
+content-length:23
+content-type:application/json
+timestamp:Tue, 11 Oct 2022 07:24:10 GMT
+88086e099e776844c285c85abab66ffea3ed996220158b1a3b22834036654fcb
+```
+
+If no query params are provided, then the canonicalized string will look like:
+
+```
+POST
+/api/users
+
+authorization:apiKey ABC.5ec6a9320444e748e3944adf0a7e3caa
+content-length:23
+content-type:application/json
+timestamp:Tue, 11 Oct 2022 07:24:10 GMT
+88086e099e776844c285c85abab66ffea3ed996220158b1a3b22834036654fcb
+```
+
+If there is no body in the request, the **dataHash** will be the hash of an empty string. `content-type` and `content-length` headers will not be included:
+
+```
+POST
+/api/users
+
+authorization:apiKey ABC.5ec6a9320444e748e3944adf0a7e3caa
+timestamp:Tue, 11 Oct 2022 07:24:10 GMT
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+```