DEV Community: Promise Ogbonna The latest articles on DEV Community by Promise Ogbonna (@6ones). https://dev.to/6ones https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F39948%2Fe5fa1aad-5368-40b8-9aea-a335faeab64e.jpg DEV Community: Promise Ogbonna https://dev.to/6ones en API Authorization with AWS at Emergency Response Africa Promise Ogbonna Mon, 04 Oct 2021 15:21:18 +0000 https://dev.to/6ones/api-authorization-with-aws-at-emergency-response-africa-4gbk https://dev.to/6ones/api-authorization-with-aws-at-emergency-response-africa-4gbk <h2> Introduction </h2> <p><a href="//emergencyresponseafrica.com">Emergency Response Africa</a> is a healthcare technology company that is changing how medical emergencies are managed in Africa.<br> As you can imagine, this means we manage a lot of web and mobile applications, used internally and externally.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fres.cloudinary.com%2Fcheapflix%2Fimage%2Fupload%2Fv1633360788%2FScreenshot_2021-10-04_at_16.19.27.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fres.cloudinary.com%2Fcheapflix%2Fimage%2Fupload%2Fv1633360788%2FScreenshot_2021-10-04_at_16.19.27.png" alt="Emergency Response Africa"></a></p> <p>The importance of securing access to resources from these client applications can't be overstated. The wrong user having access to the wrong resources can cause a lot of problem.</p> <p>In this post, I'll discuss in detail how we handle Authorization to our internal APIs using Amazon Web Services (AWS) and how we determine the extent of the permissions to assign to the client making the request.</p> <h2> What is Authorization </h2> <p>Authorization is the process of verifying the resources a client has access to. While often used interchangeably with authentication, authorization represents a fundamentally different function. To learn more, read this post on <a href="https://auth0.com/docs/get-started/authentication-and-authorization" rel="noopener noreferrer">Authentication and Authorization</a> by Auth0.</p> <h2> Our Workflow </h2> <p>Our workflow is pretty simple, and our API is deployed using the <a href="https://aws.amazon.com/serverless/sam/" rel="noopener noreferrer">Serverless Application Model</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fres.cloudinary.com%2Fcheapflix%2Fimage%2Fupload%2Fv1633353149%2FAPI_Authorization.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fres.cloudinary.com%2Fcheapflix%2Fimage%2Fupload%2Fv1633353149%2FAPI_Authorization.png" alt="ERA Authentication Architecture"></a></p> <p>In this architecture, we make use of TOKEN Lambda authorizer. This means it expects the caller's identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.</p> <ol> <li><p>The client app calls a method on an <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html" rel="noopener noreferrer">Amazon API Gateway</a> API method, passing a bearer token in the header.</p></li> <li><p>API Gateway checks whether a Lambda authorizer is configured for the method. If it is, API Gateway calls the Lambda function.</p></li> <li><p>The Lambda function authenticates the client app by means generating an IAM policy based on the preconfigured settings in our API.</p></li> <li><p>If the call succeeds, the Lambda function grants access by returning an output object containing at least an IAM policy and a principal identifier.</p></li> <li><p>API Gateway evaluates the policy.<br> If access is denied, API Gateway returns a suitable HTTP status code, such as 403 ACCESS_DENIED.<br> If access is allowed, API Gateway executes the method.</p></li> </ol> <h2> Implementation </h2> <p>The most technical aspect of this post. <br> TLDR, You can jump straight to the <a href="https://github.com/chidindu-ogbonna/AWS-Lambda-Authorizer" rel="noopener noreferrer">code</a> on GitHub.</p> <ol> <li>First thing, define the resources in our SAM template.</li> </ol> <p>This includes:</p> <ul> <li>The API</li> <li>Authorizer</li> <li>Environment variables <code>template.yml</code>. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Globals</span><span class="pi">:</span> <span class="na">Function</span><span class="pi">:</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">nodejs12.x</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">540</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">256</span> <span class="na">Environment</span><span class="pi">:</span> <span class="na">Variables</span><span class="pi">:</span> <span class="c1"># Environment variables for our application</span> <span class="na">STAGE</span><span class="pi">:</span> <span class="s">test</span> <span class="na">USER_POOL</span><span class="pi">:</span> <span class="s">eu-west-1_xxxxxxxxx</span> <span class="na">REGION</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">ApplicationAPI</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Api</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">StageName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">Stage</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">DefaultAuthorizer</span><span class="pi">:</span> <span class="s">APIAuthorizer</span> <span class="na">Authorizers</span><span class="pi">:</span> <span class="na">APIAuthorizer</span><span class="pi">:</span> <span class="na">FunctionPayloadType</span><span class="pi">:</span> <span class="s">REQUEST</span> <span class="c1"># Get the Amazon Resource Name (Arn) of our Authorizer function</span> <span class="na">FunctionArn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">Authorizer.Arn</span> <span class="na">Identity</span><span class="pi">:</span> <span class="na">Headers</span><span class="pi">:</span> <span class="c1"># Define the headers the API would look for. We make use of Bearer tokens so it's stored in Authorization header.</span> <span class="pi">-</span> <span class="s">Authorization</span> <span class="c1"># Caching policy; here we define in seconds how long API Gateway should cache the policy for.</span> <span class="na">ReauthorizeEvery</span><span class="pi">:</span> <span class="m">300</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="c1"># Reference the relative path to our authorizer handler</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">src/functions/middlewares/authorizer.handler</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Custom authorizer for controlling access to API</span> </code></pre> </div> <ol> <li>We implement our authorization function <code>authorizer.js</code> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">getUserClaim</span><span class="p">,</span> <span class="nx">AuthError</span><span class="p">,</span> <span class="nx">getPublicKeys</span><span class="p">,</span> <span class="nx">webTokenVerify</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./utils</span><span class="dl">"</span><span class="p">);</span> <span class="cm">/** * Authorizer handler */</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="nx">callback</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">principalId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">client</span><span class="dl">"</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">headers</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUserClaim</span><span class="p">(</span><span class="nx">headers</span><span class="p">);</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nf">generatePolicy</span><span class="p">(</span><span class="nx">principalId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="nx">response</span><span class="p">));</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">denyErrors</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">auth/invalid_token</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">auth/expired_token</span><span class="dl">"</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">denyErrors</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">code</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// 401 Unauthorized</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// 403 Forbidden</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nf">generatePolicy</span><span class="p">(</span><span class="nx">principalId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Deny</span><span class="dl">"</span><span class="p">));</span> <span class="p">}</span> <span class="p">};</span> <span class="cm">/** * Generate IAM policy to access API */</span> <span class="kd">const</span> <span class="nx">generatePolicy</span> <span class="o">=</span> <span class="nf">function </span><span class="p">(</span><span class="nx">principalId</span><span class="p">,</span> <span class="nx">effect</span><span class="p">,</span> <span class="nx">resource</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="nx">context</span> <span class="o">=</span> <span class="p">{})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">policy</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">principalId</span><span class="p">,</span> <span class="na">policyDocument</span><span class="p">:</span> <span class="p">{</span> <span class="na">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="na">Statement</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">execute-api:Invoke</span><span class="dl">"</span><span class="p">,</span> <span class="na">Effect</span><span class="p">:</span> <span class="nx">effect</span><span class="p">,</span> <span class="na">Resource</span><span class="p">:</span> <span class="nx">resource</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="nx">context</span><span class="p">,</span> <span class="c1">// Optional output with custom properties of the String, Number or Boolean type.</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">policy</span><span class="p">;</span> <span class="p">};</span> <span class="cm">/** * Grant API access to request * @param {object} h Request headers */</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">getUserClaim</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">h</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authorization</span> <span class="o">=</span> <span class="nx">h</span><span class="p">[</span><span class="dl">"</span><span class="s2">Authorization</span><span class="dl">"</span><span class="p">]</span> <span class="o">||</span> <span class="nx">h</span><span class="p">[</span><span class="dl">"</span><span class="s2">authorization</span><span class="dl">"</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authorization</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">tokenSections</span> <span class="o">=</span> <span class="p">(</span><span class="nx">token</span> <span class="o">||</span> <span class="dl">""</span><span class="p">).</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">tokenSections</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="nc">AuthError</span><span class="p">(</span><span class="dl">"</span><span class="s2">invalid_token</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Requested token is incomplete</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">headerJSON</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">tokenSections</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">header</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">headerJSON</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">keys</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getPublicKeys</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">keys</span><span class="p">[</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">key</span> <span class="o">===</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="nc">AuthError</span><span class="p">(</span><span class="dl">"</span><span class="s2">invalid_token</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Claim made for unknown kid</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// claims is verified.</span> <span class="kd">const</span> <span class="nx">claims</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">webTokenVerify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">key</span><span class="p">.</span><span class="nx">pem</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">claims</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">claims</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2"> - </span><span class="p">${</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">TokenExpiredError</span><span class="dl">"</span><span class="p">)</span> <span class="k">throw</span> <span class="nc">AuthError</span><span class="p">(</span><span class="dl">"</span><span class="s2">expired_token</span><span class="dl">"</span><span class="p">,</span> <span class="nx">message</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">JsonWebTokenError</span><span class="dl">"</span><span class="p">)</span> <span class="k">throw</span> <span class="nc">AuthError</span><span class="p">(</span><span class="dl">"</span><span class="s2">invalid_token</span><span class="dl">"</span><span class="p">,</span> <span class="nx">message</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <ol> <li>We implement our utils file <code>utils.js</code> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">promisify</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">util</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fetch</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">node-fetch</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwkToPem</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">jwk-to-pem</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jsonwebtoken</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">);</span> <span class="cm">/** * Get public keys from Amazon Cognito */</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">getPublicKeys</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">issuer</span> <span class="o">=</span> <span class="s2">`https://cognito-idp.</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REGION</span><span class="p">}</span><span class="s2">.amazonaws.com/</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">USER_POOL</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">issuer</span><span class="p">}</span><span class="s2">/.well-known/jwks.json`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">get</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">publicKeys</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="nx">publicKeys</span><span class="p">.</span><span class="nx">keys</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">total</span><span class="p">,</span> <span class="nx">currentValue</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pem</span> <span class="o">=</span> <span class="nf">jwkToPem</span><span class="p">(</span><span class="nx">currentValue</span><span class="p">);</span> <span class="nx">total</span><span class="p">[</span><span class="nx">currentValue</span><span class="p">.</span><span class="nx">kid</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="na">instance</span><span class="p">:</span> <span class="nx">currentValue</span><span class="p">,</span> <span class="nx">pem</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">total</span><span class="p">;</span> <span class="p">},</span> <span class="p">{});</span> <span class="p">};</span> <span class="cm">/** * Using JSON Web Token we verify our token */</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">webTokenVerify</span> <span class="o">=</span> <span class="nf">promisify</span><span class="p">(</span><span class="nx">jsonwebtoken</span><span class="p">.</span><span class="nx">verify</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="nx">jsonwebtoken</span><span class="p">));</span> <span class="cm">/** * Generate Auth Error */</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">AuthError</span> <span class="o">=</span> <span class="p">(</span><span class="nx">code</span><span class="p">,</span> <span class="nx">message</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="nx">error</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">AuthError</span><span class="dl">"</span><span class="p">;</span> <span class="nx">error</span><span class="p">.</span><span class="nx">code</span> <span class="o">=</span> <span class="s2">`auth/</span><span class="p">${</span><span class="nx">code</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">return</span> <span class="nx">error</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <ol> <li>We define helper functions to help us parse our event request.</li> </ol> <p>Our claims is stored in <code>event.requestContext.authorizer</code>.<br> From our authorization function above we are only able to pass strings from our API Gateway authorizer, so it's stringified in the <code>claims</code> objects</p> <p><code>helpers.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="o">*</span> <span class="nx">Parse</span> <span class="nx">claims</span> <span class="k">from</span> <span class="nx">event</span> <span class="nx">request</span> <span class="nx">context</span> <span class="o">*</span> <span class="p">@</span><span class="nd">param</span> <span class="p">{</span><span class="k">import</span><span class="p">(</span><span class="dl">"</span><span class="s2">aws-lambda</span><span class="dl">"</span><span class="p">).</span><span class="nx">APIGatewayProxyEvent</span><span class="p">}</span> <span class="nx">event</span> <span class="o">*</span><span class="sr">/</span><span class="err"> </span><span class="nx">exports</span><span class="p">.</span><span class="nx">parseClaims</span> <span class="o">=</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">authorizer</span><span class="p">.</span><span class="nx">claims</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h2> Conclusion </h2> <p>This rounds up our implementation.<br> This post serves as a reference to how we implemented authorization in our API, any further updates to our workflow would be made on this post.</p> <p>For more clarification, you can reach out to me on <a href="//mailto:promise.bones@gmail.com">Email</a> or <a href="https://twitter.com/6ones_" rel="noopener noreferrer">Twitter</a></p> <h2> Resources </h2> <p><a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html" rel="noopener noreferrer">Use API Gateway Lambda authorizers</a></p> aws node javascript webdev How We Collect Payments at Medherd Promise Ogbonna Mon, 07 Sep 2020 20:28:29 +0000 https://dev.to/6ones/how-we-collect-payments-at-medherd-10ad https://dev.to/6ones/how-we-collect-payments-at-medherd-10ad <p>At <a href="https://medherd.com">Medherd</a>, we create a platform for medical practitioners and businesses to stay ahead of what's going on in the digital health space. Keeping them updated and providing a collaborative environment to discover and review products and most importantly share ideas.</p> <p>In doing that, we aim to get paid. This post is a guide on how we handle payments at <a href="https://medherd.com/">Medherd</a> using <a href="https://stripe.com">Stripe</a> in a robust and secure manner, and we hope this can help you navigate the <strong>large</strong> Stripe documentation.</p> <p>Medherd is built <strong>Serverlessly</strong> on Google Cloud Platform, with Cloud Functions at the heart of our architecture. All the endpoints used in our payment setup are created with Cloud Functions.</p> <h2> A Plan </h2> <p>First, we had to decide on how our "Plans" would be structured.</p> <p>A plan is seen as a "mixture" of products and prices, which are created either through the stripe dashboard or using the <a href="https://stripe.com/docs/api/products">Products API</a> and <a href="https://stripe.com/docs/api/prices">Prices API</a> respectively.</p> <p>A product can have one price. This is the most common implementation you'll find in SAAS payment structures. This is also what we use at Medherd.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--G5FHYvdw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468987/projects-images/medherd-stripe/A_Plan_-_single_pricing.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--G5FHYvdw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468987/projects-images/medherd-stripe/A_Plan_-_single_pricing.png" alt="single pricing"></a></p> <p>A product can also have multiple prices. A use case for this would be a product with an annual, monthly and weekly variation.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--pOshw6Dn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599469001/projects-images/medherd-stripe/A_Plan_-_multiple_pricing_1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--pOshw6Dn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599469001/projects-images/medherd-stripe/A_Plan_-_multiple_pricing_1.png" alt="second type of plan"></a></p> <h3> Types of Plans </h3> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ApwhT7nz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468986/projects-images/medherd-stripe/Types_of_Plans.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ApwhT7nz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468986/projects-images/medherd-stripe/Types_of_Plans.png" alt="types of plan"></a></p> <p>Stripe allows you to create 2 types of plans.</p> <ul> <li><p><strong>Recurring Plans (Subscription)</strong> - These are subscription based plans, used to collect payment on a weekly, monthly or annual basis depending on your billing structure</p></li> <li><p><strong>One-Time Plans</strong> - These are plans that are to be paid for at once. Similar to products sold on an e-commerce platform.</p></li> </ul> <h2> Setup a User for Billing </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zN6QLAAC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468986/projects-images/medherd-stripe/Sign_up.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zN6QLAAC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468986/projects-images/medherd-stripe/Sign_up.png" alt="on sign up"></a></p> <p>This is the first and most important step. When a user creates an account on our platform, we create a customer account for the user on Stripe, making use of the <a href="https://stripe.com/docs/api/customers">Customers API</a>.</p> <blockquote> <p>Ideally, for every user on our platform, there is a customer account on Stripe.</p> </blockquote> <h2> Recurring (subscription) Payments </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KNUWBL9a--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599469122/projects-images/medherd-stripe/Subscription_Payment_1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KNUWBL9a--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599469122/projects-images/medherd-stripe/Subscription_Payment_1.png" alt="subscription payment"></a></p> <p>Using the <a href="https://stripe.com/docs/api/setup_intents">SetupIntents API</a> and the <a href="https://stripe.com/docs/api/subscriptions">Subscriptions API</a>, we handle subscriptions in the smoothest way possible.</p> <p>Using the SetupIntents API, we create an "intent" to "setup" a user for a recurring billing. After the intent has been setup, we can collect payment details using the Stripe client-side SDK, and then create the subscriptions on our platform.</p> <h2> One-Time Payments </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4b-Wm3o2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599469122/projects-images/medherd-stripe/One-Time_payment_1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4b-Wm3o2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599469122/projects-images/medherd-stripe/One-Time_payment_1.png" alt="One time payment"></a></p> <p>Using the <a href="https://stripe.com/docs/api/payment_intents">PaymentIntents API</a> (similar to the SetupIntents API), we create an "intent" to receive "payments", and then complete this process using the <code>confirmCardPayment</code> method directly on the client device, making use of the client-side SDK.</p> <h2> Stripe Webhooks </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7zPO2G5d--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468986/projects-images/medherd-stripe/webhooks_1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7zPO2G5d--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468986/projects-images/medherd-stripe/webhooks_1.png" alt="webhooks"></a></p> <p><a href="https://stripe.com/docs/webhooks">Stripe Webhooks</a> allow us to respond to events we care about. This is done on the Stripe dashboard.</p> <p>We create an endpoint which we add to Stripe, and select the events we would like to be notified of.</p> <p>Using this approach, we stay ahead of everything going on with payments and are able to respond to activities that have occurred on Stripe, such as <code>payment_intents.payment_failed</code> or <code>setup_intents.canceled</code>.</p> <p>This enables us to be act accordingly to activities that have occurred in our platform, such as recording a transaction in our database, notifing the user through email or in-app or in terrible situations retry the billing process.</p> <h2> More Uses </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9rOHiXW9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468986/projects-images/medherd-stripe/Misc_1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9rOHiXW9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/cheapflix/image/upload/v1599468986/projects-images/medherd-stripe/Misc_1.png" alt="misc"></a><br> We also have more uses which are not covered thoroughly in this post, but are pretty simple to implement.</p> <p>This includes</p> <ul> <li> <strong>Get Plans</strong> - Get plans to display to a user</li> <li> <strong>Get User Subscriptions</strong> - Display existing subscriptions to the user.</li> <li> <strong>Cancel User Subscription</strong> - Cancel an existing user subscription</li> <li> <strong>Set User Card</strong> - Set a default card, which the user uses for future payments</li> </ul> <h2> Conclusion </h2> <p>This guide also doubles as a personal documentation to know how we have implemented payments. Expect this to be updated as time goes on.</p> <p>You can also checkout the following Stripe tutorials to see how Stripe suggests to make use of the API.</p> <ul> <li><a href="https://stripe.com/docs/payments/save-and-reuse">Setup later payments</a></li> <li><a href="https://stripe.com/docs/billing/subscriptions/fixed-price#collect-payment">Collect payment</a></li> <li><a href="https://stripe.com/docs/payments/accept-a-payment">Accept a payment</a></li> <li><a href="https://stripe.com/docs/billing/subscriptions/overview">Subscription lifecycle and events</a></li> <li><a href="https://stripe.com/docs/payments/3d-secure">Safely implement 3D secure to improve security</a></li> </ul> cloudcomputing payment Should I Read a Programming book from the beginning to the end Promise Ogbonna Mon, 24 Aug 2020 11:47:44 +0000 https://dev.to/6ones/should-i-read-a-programming-book-from-the-beginning-to-the-end-577a https://dev.to/6ones/should-i-read-a-programming-book-from-the-beginning-to-the-end-577a <p>As a programmer, do I still need to read a book from the beginning of the book to the end of the book before I get started in that technology ?</p> programming webdev Do you use a UI kit for your front-end and how do you decide on which to use ? Promise Ogbonna Mon, 25 Mar 2019 15:31:03 +0000 https://dev.to/6ones/do-you-use-a-ui-kit-for-your-front-end-and-how-do-you-decide-on-which-to-use--386j https://dev.to/6ones/do-you-use-a-ui-kit-for-your-front-end-and-how-do-you-decide-on-which-to-use--386j frontend