DEV Community: Vinicius Senger The latest articles on DEV Community by Vinicius Senger (@vsenger). https://dev.to/vsenger https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3594510%2Fd85d5ead-f67c-474b-8864-ae2185615ec9.png DEV Community: Vinicius Senger https://dev.to/vsenger en 16 Botões, 1 Lâmpada WiFi e um Agente de AI: Projeto de Sexta-Feira Vinicius Senger Fri, 01 May 2026 17:54:27 +0000 https://dev.to/vsenger/16-botoes-1-lampada-wifi-e-um-agente-de-ai-projeto-de-sexta-feira-52mo https://dev.to/vsenger/16-botoes-1-lampada-wifi-e-um-agente-de-ai-projeto-de-sexta-feira-52mo <p>Como eu combinei uma lâmpada WiFi de $15, uma mesa controladora MIDI de 16 botões coloridos e o Kiro CLI para criar um controlador de cores físico — projeto de sexta-feira para se divertir no fim de semana!</p> <p> <iframe src="https://www.youtube.com/embed/_cZMewbwlCs"> </iframe> </p> <p>Fala galera! Há 15 anos atrás eu criei o <strong>jHome Automation</strong>, um sistema de automação residencial baseado em Arduino com Java da época que nem chamávamos de Internet of Things. De lá pra cá, muita coisa mudou. Os módulos WiFi se popularizaram, o preço caiu absurdamente, e a inteligência artificial mudou completamente a velocidade com que a gente consegue hackear as coisas.</p> <p>Neste post eu vou mostrar em detalhes como combinei uma <strong>lâmpada WiFi de $15</strong>, uma <strong>mesa controladora MIDI com 16 botões coloridos</strong> e o <strong>Kiro CLI</strong> para criar um controlador de cores físico — um projetinho de sexta-feira que você pode replicar no fim de semana.</p> <h2> O Hardware </h2> <h3> Kauf Bulb — a lâmpada inteligente de $15 </h3> <p>A <a href="https://kaufha.com/blf10/" rel="noopener noreferrer">Kauf Bulb</a> é uma lâmpada WiFi que custa cerca de $15 na Amazon — apenas uns $4 a mais que uma lâmpada WiFi convencional. O diferencial dela é que ela vem com um <strong>ESP32</strong> dentro e já roda o firmware <strong>ESPHome</strong>, o que significa que:</p> <ul> <li>Você consegue <strong>controlar via REST</strong> na sua rede local (sem nuvem!)</li> <li>Você pode configurar um <strong>broker MQTT</strong> e controlar remotamente</li> <li>Você pode <strong>trocar o firmware</strong> se quiser customizar ainda mais</li> </ul> <p>Sem depender de app proprietário, sem cloud obrigatório. Conectou na WiFi, já tem uma API REST pronta.</p> <h3> Presonus ATOM — a mesa de 16 pads </h3> <p>A <a href="https://www.amazon.com/dp/B07H6BVHSV" rel="noopener noreferrer">Presonus ATOM</a> (~$136) é uma interface originalmente feita para produção musical / DJ, mas que funciona perfeitamente como interface de controle genérica. Ela tem:</p> <ul> <li> <strong>16 pads</strong> sensíveis a velocidade com LEDs RGB programáveis</li> <li> <strong>4 knobs</strong> rotativos (encoders relativos)</li> <li> <strong>Conectividade USB</strong> — plug and play, sem drivers</li> <li>Comunicação via <strong>MIDI</strong> — protocolo universal e simples</li> </ul> <p>O que eu fiz com ela: cada pad virou uma cor, e os 4 knobs controlam a intensidade (brightness) e os canais Red, Green e Blue da lâmpada.</p> <h2> Configurando a Lâmpada com ESPHome </h2> <p>A primeira coisa que fiz foi configurar a Kauf Bulb para se conectar ao meu broker MQTT. O ESPHome usa um arquivo YAML de configuração. Basicamente você define:</p> <ul> <li>A rede WiFi</li> <li>O endereço do broker MQTT</li> <li>O topic prefix para as mensagens </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">wifi</span><span class="pi">:</span> <span class="na">ssid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SuaRedeWiFi"</span> <span class="na">password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SuaSenha"</span> <span class="na">mqtt</span><span class="pi">:</span> <span class="na">broker</span><span class="pi">:</span> <span class="s">broker.hivemq.com</span> <span class="na">port</span><span class="pi">:</span> <span class="m">1883</span> <span class="na">topic_prefix</span><span class="pi">:</span> <span class="s">playground/bulb1</span> </code></pre> </div> <p>Com o ESPHome CLI, subi essa configuração para a lâmpada:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>esphome run kauf_bulb.yaml </code></pre> </div> <p>A partir daí, a lâmpada já aceita comandos tanto via REST local quanto via MQTT. A documentação do ESPHome é bem direta, e se tiver qualquer dúvida, o Kiro CLI te ajuda — eu inclusive usei ele para gerar os arquivos de configuração. Pedi "set up my ESPHome MQTT config" e ele já sabia o que fazer.</p> <h2> O Código: Controlando a Lâmpada com Python </h2> <h3> A Paleta de 16 Cores </h3> <p>Cada um dos 16 pads tem uma cor atribuída. Defini valores RGB separados para os LEDs dos pads (range 0-127, padrão MIDI) e para a lâmpada (range 0-255):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">COLORS</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="sh">"</span><span class="s">Red</span><span class="sh">"</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Orange</span><span class="sh">"</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">80</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Yellow</span><span class="sh">"</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Lime</span><span class="sh">"</span><span class="p">,</span> <span class="mi">64</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">128</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Green</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Mint</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">64</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">128</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Cyan</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">255</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Sky</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">64</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">128</span><span class="p">,</span> <span class="mi">255</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Blue</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Purple</span><span class="sh">"</span><span class="p">,</span> <span class="mi">64</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">128</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Magenta</span><span class="sh">"</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">255</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Pink</span><span class="sh">"</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">64</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">128</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">White</span><span class="sh">"</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">255</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Warm White</span><span class="sh">"</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">180</span><span class="p">,</span> <span class="mi">80</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Cool White</span><span class="sh">"</span><span class="p">,</span> <span class="mi">80</span><span class="p">,</span> <span class="mi">100</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">160</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="mi">255</span><span class="p">),</span> <span class="p">(</span><span class="sh">"</span><span class="s">Coral</span><span class="sh">"</span><span class="p">,</span> <span class="mi">127</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">255</span><span class="p">,</span> <span class="mi">100</span><span class="p">,</span> <span class="mi">80</span><span class="p">),</span> <span class="p">]</span> </code></pre> </div> <p>Quando o programa inicia, todos os pads acendem com suas cores — você tem uma paleta física na sua mesa:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Red Orange Yellow Lime Green Mint Cyan Sky Blue Purple Magenta Pink White Warm Wh Cool Wh Coral </code></pre> </div> <p>Apertou um pad, a lâmpada muda pra aquela cor. Simples assim.</p> <h3> Versão REST (Rede Local) </h3> <p>A primeira versão controla a lâmpada via HTTP direto na rede local:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">bulb_color</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">g</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BULB</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">LIGHT</span><span class="si">}</span><span class="s">/turn_on?r=</span><span class="si">{</span><span class="n">r</span><span class="si">}</span><span class="s">&amp;g=</span><span class="si">{</span><span class="n">g</span><span class="si">}</span><span class="s">&amp;b=</span><span class="si">{</span><span class="n">b</span><span class="si">}</span><span class="sh">"</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">),</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> <span class="k">def</span> <span class="nf">bulb_brightness</span><span class="p">(</span><span class="n">bright</span><span class="p">):</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BULB</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">LIGHT</span><span class="si">}</span><span class="s">/turn_on?brightness=</span><span class="si">{</span><span class="n">bright</span><span class="si">}</span><span class="sh">"</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">method</span><span class="o">=</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">),</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> </code></pre> </div> <p>Funciona muito bem quando a lâmpada e o computador estão na mesma rede. Zero latência perceptível.</p> <h3> Versão MQTT (Controle Remoto) </h3> <p>Depois troquei para MQTT, o que abre possibilidades de controle remoto e integração com outros sistemas:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">paho.mqtt.client</span> <span class="k">as</span> <span class="n">mqtt</span> <span class="n">MQTT_BROKER</span> <span class="o">=</span> <span class="sh">"</span><span class="s">broker.hivemq.com</span><span class="sh">"</span> <span class="n">MQTT_PORT</span> <span class="o">=</span> <span class="mi">1883</span> <span class="n">MQTT_TOPIC</span> <span class="o">=</span> <span class="sh">"</span><span class="s">playground/bulb1/light/kauf_bulb/command</span><span class="sh">"</span> <span class="n">client</span> <span class="o">=</span> <span class="n">mqtt</span><span class="p">.</span><span class="nc">Client</span><span class="p">()</span> <span class="n">client</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="n">MQTT_BROKER</span><span class="p">,</span> <span class="n">MQTT_PORT</span><span class="p">)</span> <span class="n">client</span><span class="p">.</span><span class="nf">loop_start</span><span class="p">()</span> <span class="k">def</span> <span class="nf">bulb_color</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">g</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ON</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">color</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">:</span> <span class="n">r</span><span class="p">,</span> <span class="sh">"</span><span class="s">g</span><span class="sh">"</span><span class="p">:</span> <span class="n">g</span><span class="p">,</span> <span class="sh">"</span><span class="s">b</span><span class="sh">"</span><span class="p">:</span> <span class="n">b</span><span class="p">}})</span> <span class="n">client</span><span class="p">.</span><span class="nf">publish</span><span class="p">(</span><span class="n">MQTT_TOPIC</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="k">def</span> <span class="nf">bulb_brightness</span><span class="p">(</span><span class="n">bright</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ON</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">brightness</span><span class="sh">"</span><span class="p">:</span> <span class="n">bright</span><span class="p">})</span> <span class="n">client</span><span class="p">.</span><span class="nf">publish</span><span class="p">(</span><span class="n">MQTT_TOPIC</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> </code></pre> </div> <p>A mesma interface, os mesmos pads, os mesmos knobs — mas agora os comandos viajam via MQTT. Você pode controlar a lâmpada de qualquer lugar, ter múltiplas lâmpadas no mesmo topic, ou integrar com Home Assistant, Node-RED, etc.</p> <h2> Os Desafios (e como o Kiro resolveu) </h2> <h3> Desafio 1: Encoder Relativo vs. Absoluto </h3> <p>O Kiro gerou a primeira versão rapidinho. Funcionou de primeira para as cores dos pads. Mas quando fui controlar a intensidade com o knob, o comportamento era estranho — a intensidade ficava travada em ~50% e parecia invertida.</p> <p>O problema: o Kiro tratou o knob como um controlador <strong>absoluto</strong> (valores de 0 a 127), mas a Presonus ATOM usa <strong>encoders relativos</strong>. Cada tick do knob manda:</p> <ul> <li> <code>value = 1</code> → sentido horário (aumentar)</li> <li> <code>value = 65</code> → sentido anti-horário (diminuir)</li> </ul> <p>A correção foi manter o estado da intensidade manualmente e incrementar/decrementar a cada tick:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">brightness</span> <span class="o">=</span> <span class="mi">255</span> <span class="c1"># estado inicial: máximo </span><span class="n">STEP</span> <span class="o">=</span> <span class="mi">8</span> <span class="k">def</span> <span class="nf">knob_delta</span><span class="p">(</span><span class="n">value</span><span class="p">):</span> <span class="k">if</span> <span class="n">value</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="k">return</span> <span class="n">STEP</span> <span class="c1"># clockwise → aumenta </span> <span class="k">if</span> <span class="n">value</span> <span class="o">==</span> <span class="mi">65</span><span class="p">:</span> <span class="k">return</span> <span class="o">-</span><span class="n">STEP</span> <span class="c1"># counter-clockwise → diminui </span> <span class="k">return</span> <span class="mi">0</span> <span class="c1"># No loop MIDI: </span><span class="n">brightness</span> <span class="o">=</span> <span class="nf">clamp</span><span class="p">(</span><span class="n">brightness</span> <span class="o">+</span> <span class="nf">knob_delta</span><span class="p">(</span><span class="n">msg</span><span class="p">.</span><span class="n">value</span><span class="p">))</span> </code></pre> </div> <p>Esse é o tipo de detalhe que só se descobre rodando no hardware real. Expliquei o comportamento pro Kiro e ele corrigiu na hora.</p> <h3> Desafio 2: Debounce — a lâmpada piscando </h3> <p>Com o encoder corrigido, a intensidade funcionava perfeitamente... até eu girar o knob rápido. A lâmpada ficava piscando porque cada tick disparava uma requisição HTTP/MQTT, e a lâmpada não conseguia processar tão rápido.</p> <p>A solução é uma técnica clássica da eletrônica chamada <strong>debounce</strong>: ao invés de enviar a cada tick, você espera uns 200ms sem atividade e só então envia. Se o usuário continua girando, o timer reseta.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">_brightness_timer</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">_timer_lock</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Lock</span><span class="p">()</span> <span class="k">def</span> <span class="nf">schedule_brightness_update</span><span class="p">():</span> <span class="k">global</span> <span class="n">_brightness_timer</span> <span class="k">with</span> <span class="n">_timer_lock</span><span class="p">:</span> <span class="k">if</span> <span class="n">_brightness_timer</span><span class="p">:</span> <span class="n">_brightness_timer</span><span class="p">.</span><span class="nf">cancel</span><span class="p">()</span> <span class="n">_brightness_timer</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Timer</span><span class="p">(</span> <span class="mf">0.1</span><span class="p">,</span> <span class="k">lambda</span><span class="p">:</span> <span class="nf">bulb_brightness</span><span class="p">(</span><span class="n">brightness</span><span class="p">)</span> <span class="p">)</span> <span class="n">_brightness_timer</span><span class="p">.</span><span class="n">daemon</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">_brightness_timer</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> </code></pre> </div> <p>O estado atualiza instantaneamente na memória, mas a chamada de rede é coalescida. Resultado: giro suave, sem flicker.</p> <h3> Desafio 3: De REST para MQTT </h3> <p>A primeira versão usava REST direto na rede local. Quando configurei o broker MQTT na lâmpada, precisei trocar o transporte no código Python. Falei pro Kiro: "troca de REST pra MQTT" e ele substituiu as chamadas HTTP por <code>client.publish()</code> mantendo toda a lógica de MIDI e debounce intacta.</p> <h2> O Resultado Final </h2> <p>O programa roda no terminal. Quando inicia:</p> <ol> <li>Conecta ao broker MQTT</li> <li>Abre a interface MIDI</li> <li>Acende todos os 16 pads com suas cores</li> <li>Inicializa a lâmpada em branco, intensidade máxima</li> </ol> <p>A partir daí:</p> <ul> <li> <strong>Aperta um pad</strong> → lâmpada muda pra aquela cor instantaneamente</li> <li> <strong>Gira o Knob 1</strong> → controla a intensidade (brightness)</li> <li> <strong>Gira o Knob 2</strong> → ajusta o canal Red</li> <li> <strong>Gira o Knob 3</strong> → ajusta o canal Green</li> <li> <strong>Gira o Knob 4</strong> → ajusta o canal Blue</li> </ul> <p>Você pode escolher uma cor base no pad e depois refinar com os knobs. Quer um pink? Aperta o vermelho, depois aumenta um pouco de blue no knob 4. Quer um verde mais escuro? Aperta o green, depois diminui a intensidade no knob 1.</p> <h2> Por que Interfaces Minimalistas? </h2> <p>Eu estou pirando nessa ideia de <strong>interfaces minimalistas</strong> — e tem um motivo. Com a computação agêntica e AI, a gente vai conseguir comandar computadores com poucos botões. Muitas das operações que hoje exigem mouse, teclado, navegar em menus — acessar conta bancária, ver saldo, abrir aplicativos — o agente de AI já vai fazer pra gente.</p> <p>Na minha visão, não vamos precisar de computadores completos com teclado e monitor para tudo. Você pode juntar um <strong>Raspberry Pi</strong>, uma <strong>interface dessas</strong>, um <strong>audiozinho</strong> e ter um sistema completo para controlar a automação da sua casa.</p> <p>O projeto re:Button já faz muito mais do que controlar lâmpada:</p> <ul> <li> <strong>Demos de palestra</strong> — botão 1 é uma demo, botão 2 é outra, botão 3 toca um áudio, botão 4 roda um vídeo</li> <li> <strong>Atalhos de sistema</strong> — volume, screenshots, respostas rápidas em reuniões</li> <li> <strong>Lançar projetos</strong> — cada pad abre um workspace diferente no Kiro</li> <li> <strong>Smart home</strong> — controlar lâmpadas, ventiladores, cenas</li> </ul> <h2> Como Rodar </h2> <h3> Dependências </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>mido python-rtmidi paho-mqtt </code></pre> </div> <h3> Versão REST (rede local) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Edite o IP da lâmpada no arquivo</span> python3 rebutton-lamp.py </code></pre> </div> <h3> Versão MQTT </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 rebutton-lamp-mqtt.py </code></pre> </div> <p>Não precisa ser uma Presonus ATOM — qualquer controlador MIDI com pads funciona, basta ajustar os números das notas. Não precisa ser uma Kauf Bulb — qualquer lâmpada compatível com ESPHome ou MQTT serve.</p> <h2> O Papel do Kiro CLI </h2> <p>O <a href="https://kiro.dev" rel="noopener noreferrer">Kiro CLI</a> foi meu parceiro em todo o processo:</p> <ol> <li> <strong>Gerou a primeira versão</strong> completa — listener MIDI, chamadas REST, mapeamento de cores, setup dos LEDs dos pads</li> <li> <strong>Ajudou a configurar o ESPHome</strong> — gerou os arquivos YAML de configuração do MQTT</li> <li> <strong>Corrigiu o bug do encoder</strong> — expliquei o sintoma, ele entendeu e reescreveu a lógica</li> <li> <strong>Implementou o debounce</strong> — descrevi o problema do flicker, ele escolheu o padrão correto com <code>threading.Timer</code> </li> <li> <strong>Portou de REST para MQTT</strong> — trocou a camada de transporte preservando toda a lógica existente</li> <li> <strong>Adicionou os 4 knobs</strong> — generalizou o padrão de um knob para quatro com debounce independente</li> </ol> <p>Nos dias de hoje, a gente consegue fazer as coisas muito rápido. O tempo total de desenvolvimento das quatro versões foi menos de uma hora.</p> <h2> Conclusão </h2> <p>Projetinho de sexta-feira: uma lâmpada WiFi de $15, uma mesa MIDI, Python e o Kiro CLI. O resultado é uma interface física, tátil, colorida, que controla a iluminação da sua casa sem abrir nenhum app.</p> <p>É o tipo de projeto pra se divertir no fim de semana com a família e transformar a sua casa em um parque tecnológico. </p> <p>Se você montar o seu, me conta nos comentários!</p> homeautomation iot kiro ai Adding MCP to a Quarkus App: One Dependency, a Few Annotations, Done Vinicius Senger Thu, 23 Apr 2026 04:46:50 +0000 https://dev.to/vsenger/adding-mcp-to-a-quarkus-app-one-dependency-a-few-annotations-done-393m https://dev.to/vsenger/adding-mcp-to-a-quarkus-app-one-dependency-a-few-annotations-done-393m <p>I added MCP (Model Context Protocol) to <a href="https://github.com/renascence-computing/reos-money" rel="noopener noreferrer"><strong>re:Money</strong></a> — my Quarkus + DynamoDB financial tracking app — in under 30 minutes. One dependency, a few annotations on existing service methods, and my MCP client (Kiro / Claude) could call my actual backend during development. Here's exactly what I did.</p> <blockquote> <p><strong>New to re:Money?</strong> Check out the <a href="https://builder.aws.com/content/37adLQq1qXgQRVXa0LZQlRGV9t4/remoney-personal-financial-management-re-imagined-with-ai" rel="noopener noreferrer">full tutorial on AWS Community</a> to get started.</p> </blockquote> <h2> The Starting Point </h2> <p>re:Money is a standard three-tier Quarkus app:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Model</strong></td> <td> <code>Entry</code> — accountID, category, amount, balance, date</td> </tr> <tr> <td><strong>Service</strong></td> <td> <code>EntryService</code> — business logic and DynamoDB queries</td> </tr> <tr> <td><strong>Resource</strong></td> <td>JAX-RS REST endpoints</td> </tr> </tbody> </table></div> <p>The service layer already had methods like <code>findByAccountID()</code>, <code>findByCategory()</code>, <code>listCategories()</code>, <code>getLastBalance()</code>. All I needed was to make them discoverable by AI tools.</p> <h2> Step 1: Add the Dependency </h2> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.quarkiverse.mcp<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>quarkus-mcp-server-http<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.10.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>No configuration needed. Quarkus auto-discovers MCP tools and exposes them at <code>/mcp</code>.</p> <h2> Step 2: Annotate Your Service Methods </h2> <p>Add <code>@Tool</code> and <code>@ToolArg</code> to existing methods — no new code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">io.quarkiverse.mcp.server.Tool</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">io.quarkiverse.mcp.server.ToolArg</span><span class="o">;</span> <span class="nd">@ApplicationScoped</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">EntryService</span> <span class="kd">extends</span> <span class="nc">AbstractService</span> <span class="o">{</span> <span class="nd">@Tool</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"Find all financial entries for a specific bank account"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Entry</span><span class="o">&gt;</span> <span class="nf">findByAccountID</span><span class="o">(</span> <span class="nd">@ToolArg</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"The account identifier, e.g. ACC001"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">accountID</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">findAll</span><span class="o">().</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">e</span> <span class="o">-&gt;</span> <span class="n">e</span><span class="o">.</span><span class="na">getAccountID</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="n">accountID</span><span class="o">))</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toList</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@Tool</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"Find financial entries by spending category"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Entry</span><span class="o">&gt;</span> <span class="nf">findByCategory</span><span class="o">(</span> <span class="nd">@ToolArg</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"Category name like Food, Transport, Housing"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">category</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">findAll</span><span class="o">().</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">e</span> <span class="o">-&gt;</span> <span class="n">category</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getCategory</span><span class="o">()))</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toList</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@Tool</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"List all available spending categories"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">listCategories</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">findAll</span><span class="o">().</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">Entry:</span><span class="o">:</span><span class="n">getCategory</span><span class="o">)</span> <span class="o">.</span><span class="na">distinct</span><span class="o">().</span><span class="na">sorted</span><span class="o">()</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toList</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@Tool</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"List all bank accounts"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">listAccounts</span><span class="o">()</span> <span class="o">{</span> <span class="cm">/* ... */</span> <span class="o">}</span> <span class="nd">@Tool</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"Get the last known balance for a bank account"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">BigDecimal</span> <span class="nf">getLastBalance</span><span class="o">(</span> <span class="nd">@ToolArg</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"The account identifier"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">accountID</span><span class="o">)</span> <span class="o">{</span> <span class="cm">/* ... */</span> <span class="o">}</span> <span class="nd">@Tool</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"Find entries for an account within a date range"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Entry</span><span class="o">&gt;</span> <span class="nf">findByAccountIDAndDates</span><span class="o">(</span> <span class="nd">@ToolArg</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"Account identifier"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">accountID</span><span class="o">,</span> <span class="nd">@ToolArg</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"Start date as epoch millis"</span><span class="o">)</span> <span class="nc">Long</span> <span class="n">init</span><span class="o">,</span> <span class="nd">@ToolArg</span><span class="o">(</span><span class="n">description</span> <span class="o">=</span> <span class="s">"End date as epoch millis"</span><span class="o">)</span> <span class="nc">Long</span> <span class="n">end</span><span class="o">)</span> <span class="o">{</span> <span class="cm">/* ... */</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The <code>description</code> fields matter — they're what the AI reads to decide which tool to call. Be specific to your domain.</p> <h2> Step 3: Run It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./mvnw compile quarkus:dev </code></pre> </div> <p>MCP endpoint is live at <code>http://localhost:8080/mcp</code>.</p> <h2> Step 4: Configure Kiro as MCP Client </h2> <p>With re:Money running, you tell Kiro where to find the MCP server. Create <code>.kiro/settings/mcp.json</code> in your project root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"remoney"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/mcp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This is a <strong>workspace-scoped</strong> configuration — it only applies when you're working in this project. You can also set it globally at <code>~/.kiro/settings/mcp.json</code> if you want it available everywhere.</p> <p>Another option is to create a dedicated Kiro agent for working with re:Money. Create <code>.kiro/agents/finance-dev.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"finance-dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Development assistant with live access to re:Money"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"remoney"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8080/mcp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Once configured, start a Kiro chat session and run <code>/mcp</code> to verify the server is connected and the tools are loaded:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdec2gd6ky6ef6m2ddttv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdec2gd6ky6ef6m2ddttv.png" alt=" " width="800" height="430"></a></p> <p>You should see <code>remoney</code> listed with all your <code>@Tool</code>-annotated methods as available tools.</p> <h2> Demo: Kiro Calling re:Money </h2> <p>Once connected, Kiro chat now can reach your financial data and I love it because I can keep coding and using the chat to input data and query my re:Money app in a single place.</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63ec06ttsfopjshqyasw.png" alt=" " width="696" height="1308"> </h2> <h2> One Catch: MCP and Lambda Don't Mix </h2> <p>re:Money deploys to AWS Lambda using Quarkus's Lambda HTTP extension. But MCP requires a persistent HTTP connection — the server needs to stay alive to handle tool calls from the AI client. Lambda's request-response model doesn't support that.</p> <p>So if your app runs on Lambda (or any short-lived serverless compute), you can't just add MCP to the same module and deploy it. You need to <strong>separate the MCP server into its own module</strong> and deploy it on a service that keeps a long-running process: ECS, App Runner, EC2, or even a local dev server.</p> <p>In practice, this means:</p> <ul> <li> <strong>Your Lambda module</strong> stays as-is — REST API, UI, the production workload</li> <li> <strong>A new MCP module</strong> imports your service layer and exposes it via <code>quarkus-mcp-server-http</code>, deployed on ECS/App Runner/EC2</li> </ul> <p>The service layer stays shared. The only difference is how it's exposed and where it runs. This is another reason to keep your business logic in the service layer and out of your REST controllers — it makes splitting modules painless.</p> <p>For local development, this isn't an issue. <code>./mvnw quarkus:dev</code> runs a long-lived process and MCP works fine. The separation only matters when you deploy to production.</p> <h2> What I Learned </h2> <p><strong>Your service layer is the API.</strong> If your business logic lives in the service layer and not in your REST controllers, adding MCP is almost free.</p> <p><strong>Descriptions are the real work.</strong> The AI picks tools based on descriptions alone. Writing clear, domain-specific descriptions took more thought than any code change.</p> <p><strong>Start read-only.</strong> Expose queries first. Open up writes when you're ready.</p> <p><strong>Quarkus makes this trivial.</strong> One dependency, a few annotations, no config. The Quarkiverse MCP extension handles protocol, discovery, and transport. If you have a Quarkus app with a clean service layer, try it.</p> <h2> Resources </h2> <ul> <li><a href="https://github.com/renascence-computing/reos-money" rel="noopener noreferrer">re:Money on GitHub</a></li> <li><a href="https://builder.aws.com/content/37adLQq1qXgQRVXa0LZQlRGV9t4/remoney-personal-financial-management-re-imagined-with-ai" rel="noopener noreferrer">re:Money Tutorial — Personal Financial Management Re-imagined with AI</a></li> </ul> java quarkus ai mcp Goodbye localhost, hello AWS: adding security to your Java serveless app Vinicius Senger Tue, 14 Apr 2026 18:55:31 +0000 https://dev.to/vsenger/goodbye-localhost-hello-aws-adding-security-to-remoney-42f8 https://dev.to/vsenger/goodbye-localhost-hello-aws-adding-security-to-remoney-42f8 <p>In the <a href="https://dev.to/vsenger/why-quarkus-vanilla-js-aws-lambda-dynamodb-is-the-fastest-path-from-idea-to-production-3nlc">first part of this series</a>, we took re:Money from localhost to production with <code>sam build &amp;&amp; sam deploy</code>. Two commands, zero servers, and a fully working financial tracking app on AWS Lambda.</p> <p>But there's a problem: <strong>anyone with the URL can see your data.</strong></p> <p>That API Gateway endpoint we got? It's public. No login, no authentication, no authorization. For a personal finance app, that's not acceptable. Time to fix it.</p> <p>In this article, we'll add <strong>Amazon Cognito</strong> with <strong>Google sign-in</strong> to re:Money — so only you (or people you invite) can access the app.</p> <h2> What We're Building </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────┐ ┌──────────────┐ ┌─────────────┐ ┌────────┐ ┌──────────┐ │ Browser │────▶│ Google Login │────▶│ Cognito │────▶│ JWT │ │ │ │ │ │ (OAuth 2.0) │ │ User Pool │ │ Token │ │ │ └──────────┘ └──────────────┘ └─────────────┘ └───┬────┘ │ │ │ │ │ ▼ │ │ ┌───────────┐ │ │ │ API │──▶ │ Lambda │──▶ DynamoDB │ Gateway │ │(Quarkus) │ │ (JWT Auth)│ │ │ └───────────┘ └──────────┘ </code></pre> </div> <p>We protect re:Money at <strong>two layers</strong>:</p> <ol> <li> <strong>API Gateway JWT authorizer</strong> — REST API routes (<code>/entryResource/*</code>, <code>/csv-import/*</code>) require a valid Cognito JWT in the <code>Authorization</code> header. No token? 401 before Lambda even wakes up.</li> <li> <strong>Server-side cookie check</strong> — The Qute-rendered UI pages (<code>/ui/*</code>) are public at the gateway level (they have to be — browsers don't send <code>Authorization</code> headers on page navigation). Instead, the Java resource checks for an <code>id_token</code> cookie and redirects to Cognito login if it's missing.</li> </ol> <p>The glue between these two layers is a small JavaScript file (<code>auth.js</code>) that stores the Cognito token in both <code>localStorage</code> (for <code>fetch()</code> calls) and a cookie (for server-side checks).</p> <h2> Step 1: Get Google OAuth Credentials </h2> <p>Before touching AWS, you need a Google OAuth client:</p> <ol> <li>Go to <a href="https://console.cloud.google.com/apis/credentials" rel="noopener noreferrer">Google Cloud Console → Credentials</a> </li> <li>Create a new project (or use an existing one)</li> <li>Click <strong>Create Credentials → OAuth 2.0 Client ID</strong> </li> <li>Application type: <strong>Web application</strong> </li> <li>Leave the redirect URI blank for now — we'll come back after creating the Cognito domain</li> <li>Save your <strong>Client ID</strong> and <strong>Client Secret</strong> </li> </ol> <h2> Step 2: Update template.yaml </h2> <p>Here's the full picture. We add Cognito resources, a JWT authorizer on API Gateway, and split routes into protected (API) and public (UI):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Transform</span><span class="pi">:</span> <span class="s">AWS::Serverless-2016-10-31</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">re:Money Quarkus Lambda Application with Cognito Auth</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">GoogleClientId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Google OAuth Client ID</span> <span class="na">NoEcho</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">GoogleClientSecret</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Google OAuth Client Secret</span> <span class="na">NoEcho</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Globals</span><span class="pi">:</span> <span class="na">Function</span><span class="pi">:</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">512</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">java21</span> <span class="na">Environment</span><span class="pi">:</span> <span class="na">Variables</span><span class="pi">:</span> <span class="na">QUARKUS_PROFILE</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># --- Cognito ---</span> <span class="na">ReMoneyUserPool</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPool</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">UserPoolName</span><span class="pi">:</span> <span class="s">remoney-users</span> <span class="na">AutoVerifiedAttributes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">email</span> <span class="na">Schema</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">email</span> <span class="na">Required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Mutable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ReMoneyUserPoolDomain</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPoolDomain</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Domain</span><span class="pi">:</span> <span class="s">remoney-auth</span> <span class="c1"># Must be globally unique</span> <span class="na">UserPoolId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyUserPool</span> <span class="na">GoogleIdentityProvider</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPoolIdentityProvider</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">UserPoolId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyUserPool</span> <span class="na">ProviderName</span><span class="pi">:</span> <span class="s">Google</span> <span class="na">ProviderType</span><span class="pi">:</span> <span class="s">Google</span> <span class="na">ProviderDetails</span><span class="pi">:</span> <span class="na">client_id</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GoogleClientId</span> <span class="na">client_secret</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GoogleClientSecret</span> <span class="na">authorize_scopes</span><span class="pi">:</span> <span class="s2">"</span><span class="s">openid</span><span class="nv"> </span><span class="s">email</span><span class="nv"> </span><span class="s">profile"</span> <span class="na">AttributeMapping</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="s">email</span> <span class="na">name</span><span class="pi">:</span> <span class="s">name</span> <span class="na">username</span><span class="pi">:</span> <span class="s">sub</span> <span class="na">ReMoneyUserPoolClient</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPoolClient</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">GoogleIdentityProvider</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ClientName</span><span class="pi">:</span> <span class="s">remoney-web</span> <span class="na">UserPoolId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyUserPool</span> <span class="na">GenerateSecret</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">SupportedIdentityProviders</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Google</span> <span class="na">AllowedOAuthFlows</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">implicit</span> <span class="na">AllowedOAuthScopes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">openid</span> <span class="pi">-</span> <span class="s">email</span> <span class="pi">-</span> <span class="s">profile</span> <span class="na">AllowedOAuthFlowsUserPoolClient</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">CallbackURLs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://YOUR-API-ID.execute-api.us-east-1.amazonaws.com/ui/callback</span> <span class="pi">-</span> <span class="s">https://localhost/ui/callback</span> <span class="na">LogoutURLs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://YOUR-API-ID.execute-api.us-east-1.amazonaws.com/ui/callback</span> <span class="pi">-</span> <span class="s">https://localhost/ui/callback</span> </code></pre> </div> <blockquote> <p><strong>Note on CallbackURLs:</strong> You can't use <code>!Sub "${ReMoneyHttpApi}"</code> here because it creates a circular dependency — the API references the UserPoolClient for its authorizer, and the client would reference the API for its callback URL. Use <code>https://localhost/ui/callback</code> for the first deploy, then update with the actual API Gateway URL from the stack outputs.</p> <p><strong>Why <code>/ui/callback</code> and not <code>/ui</code>?</strong> This is critical. Cognito's implicit flow returns the token in the URL fragment (<code>#id_token=...</code>). Fragments are client-side only — the server never sees them. If Cognito redirects to <code>/ui</code>, the server-side auth check sees no cookie, and redirects back to Cognito — an infinite loop. The <code>/ui/callback</code> endpoint serves a minimal page with no auth check, giving JavaScript a chance to capture the token and set the cookie before navigating to <code>/ui</code>.</p> </blockquote> <p>Next, the API Gateway with a JWT authorizer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># --- API Gateway with JWT Auth ---</span> <span class="na">ReMoneyHttpApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">DefaultAuthorizer</span><span class="pi">:</span> <span class="s">CognitoAuthorizer</span> <span class="na">Authorizers</span><span class="pi">:</span> <span class="na">CognitoAuthorizer</span><span class="pi">:</span> <span class="na">AuthorizationScopes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">openid</span> <span class="na">IdentitySource</span><span class="pi">:</span> <span class="s">$request.header.Authorization</span> <span class="na">JwtConfiguration</span><span class="pi">:</span> <span class="na">issuer</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">https://cognito-idp.${AWS::Region}.amazonaws.com/${ReMoneyUserPool}"</span> <span class="na">audience</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">ReMoneyUserPoolClient</span> </code></pre> </div> <p>And the Lambda function with split routes — protected API vs public UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># --- Lambda ---</span> <span class="na">ReMoneyFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CodeUri</span><span class="pi">:</span> <span class="s">target/function.zip</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">1024</span> <span class="na">Events</span><span class="pi">:</span> <span class="c1"># Protected API routes (JWT required)</span> <span class="na">EntryApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/entryResource/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="na">CsvImportApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/csv-import/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="c1"># Public UI routes (no gateway auth — server checks cookie)</span> <span class="na">PublicUI</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/ui/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="s">NONE</span> <span class="na">PublicUIRoot</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/ui</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="s">NONE</span> <span class="c1"># Static assets</span> <span class="na">PublicCss</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/css/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="s">NONE</span> <span class="na">PublicJs</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/js/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="s">NONE</span> </code></pre> </div> <p>The key insight: <code>/entryResource/*</code> and <code>/csv-import/*</code> use the default JWT authorizer. <code>/ui/*</code>, <code>/css/*</code>, and <code>/js/*</code> override with <code>Authorizer: NONE</code> so the browser can load pages and static assets. The UI pages are protected at the application level instead.</p> <h2> Step 3: Update the Google Redirect URI </h2> <p>After the first deploy, go back to Google Cloud Console and add the Cognito redirect URI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://remoney-auth.auth.us-east-1.amazoncognito.com/oauth2/idpresponse </code></pre> </div> <p>Replace <code>remoney-auth</code> with your domain and <code>us-east-1</code> with your region.</p> <h2> Step 4: The Auth JavaScript — auth.js </h2> <p>This is the client-side glue. It handles the Cognito OAuth callback, stores the token, and bridges the gap between browser navigation and API calls.</p> <p>Create <code>src/main/resources/META-INF/resources/js/auth.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// re:Money Auth - Cognito + Google sign-in</span> <span class="kd">const</span> <span class="nx">AUTH_CONFIG</span> <span class="o">=</span> <span class="p">{</span> <span class="na">cognitoDomain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">remoney-auth.auth.us-east-1.amazoncognito.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_COGNITO_CLIENT_ID</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// From SAM outputs</span> <span class="na">redirectUri</span><span class="p">:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/ui/callback</span><span class="dl">'</span><span class="p">,</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Google</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">remoneyLogin</span><span class="p">()</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">cognitoDomain</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/oauth2/authorize?</span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">response_type=token&amp;client_id=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">clientId</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&amp;redirect_uri=</span><span class="dl">'</span> <span class="o">+</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">redirectUri</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&amp;scope=openid+email+profile&amp;identity_provider=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">provider</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Note the <code>redirectUri</code> points to <code>/ui/callback</code>, not <code>/ui</code>. This is essential to avoid the redirect loop (more on that in the Gotchas section).</p> <p><strong>Cookie management</strong> — this is what makes server-side auth work. After Cognito redirects back with a token in the URL fragment, we store it in both <code>localStorage</code> and a cookie:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">setAuthCookie</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">maxAgeSec</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">id_token=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">token</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">;path=/;max-age=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">maxAgeSec</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">;SameSite=Lax;Secure</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">clearAuthCookie</span><span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">id_token=;path=/;max-age=0</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">remoneyLogout</span><span class="p">()</span> <span class="p">{</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_expiry</span><span class="dl">'</span><span class="p">);</span> <span class="nf">clearAuthCookie</span><span class="p">();</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">cognitoDomain</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/logout?</span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">client_id=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">clientId</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&amp;logout_uri=</span><span class="dl">'</span> <span class="o">+</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">redirectUri</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">getToken</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">expiry</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_expiry</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">expiry</span> <span class="o">&amp;&amp;</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&gt;</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">expiry</span><span class="p">))</span> <span class="p">{</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_expiry</span><span class="dl">'</span><span class="p">);</span> <span class="nf">clearAuthCookie</span><span class="p">();</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Token capture and redirect</strong> — Cognito uses the implicit flow, which puts the token in the URL fragment (<code>#id_token=...</code>). We parse it on the callback page and redirect to the main UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">(</span><span class="kd">function</span> <span class="nf">handleCallback</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hash</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nx">hash</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">expiresIn</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">expires_in</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">ttl</span> <span class="o">=</span> <span class="nx">expiresIn</span> <span class="p">?</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">expiresIn</span><span class="p">)</span> <span class="p">:</span> <span class="mi">3600</span><span class="p">;</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">token</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_expiry</span><span class="dl">'</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nx">ttl</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">));</span> <span class="nf">setAuthCookie</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">ttl</span><span class="p">);</span> <span class="c1">// Redirect to the main UI now that cookie is set</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/ui</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">})();</span> </code></pre> </div> <p>The key line is <code>window.location.href = window.location.origin + '/ui'</code>. After setting the cookie, we navigate to <code>/ui</code> — and this time the server-side check will find the cookie and render the dashboard.</p> <p><strong>Fetch interceptor</strong> — patches <code>window.fetch</code> so every AJAX call includes the <code>Authorization</code> header. This is what protects the <code>/entryResource/*</code> API calls made from the UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">(</span><span class="kd">function</span> <span class="nf">patchFetch</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">originalFetch</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">fetch</span><span class="p">;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">fetch</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">token</span> <span class="o">=</span> <span class="nf">getToken</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="nx">options</span> <span class="o">=</span> <span class="nx">options</span> <span class="o">||</span> <span class="p">{};</span> <span class="nx">options</span><span class="p">.</span><span class="nx">headers</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">assign</span><span class="p">({},</span> <span class="nx">options</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">token</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">originalFetch</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="nx">url</span><span class="p">,</span> <span class="nx">options</span><span class="p">);</span> <span class="p">};</span> <span class="p">})();</span> </code></pre> </div> <p><strong>Auth UI</strong> — dynamically adds a login or logout button to the menu bar, and shows the user's email when logged in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">(</span><span class="kd">function</span> <span class="nf">renderAuthUI</span><span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">DOMContentLoaded</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">menuBar</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.menu-bar</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">menuBar</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">token</span> <span class="o">=</span> <span class="nf">getToken</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">el</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">div</span><span class="dl">'</span><span class="p">);</span> <span class="nx">el</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">menu-separator</span><span class="dl">'</span><span class="p">;</span> <span class="nx">menuBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">el</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nf">atob</span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]));</span> <span class="kd">var</span> <span class="nx">userEl</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">span</span><span class="dl">'</span><span class="p">);</span> <span class="nx">userEl</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">menu-item</span><span class="dl">'</span><span class="p">;</span> <span class="nx">userEl</span><span class="p">.</span><span class="nx">style</span><span class="p">.</span><span class="nx">cursor</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">default</span><span class="dl">'</span><span class="p">;</span> <span class="nx">userEl</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;span class="menu-icon"&gt;👤&lt;/span&gt;&lt;span class="menu-label"&gt;</span><span class="dl">'</span> <span class="o">+</span> <span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">email</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">User</span><span class="dl">'</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;/span&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">menuBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">userEl</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{}</span> <span class="kd">var</span> <span class="nx">logoutEl</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">);</span> <span class="nx">logoutEl</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">#</span><span class="dl">'</span><span class="p">;</span> <span class="nx">logoutEl</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">menu-item</span><span class="dl">'</span><span class="p">;</span> <span class="nx">logoutEl</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;span class="menu-icon"&gt;🚪&lt;/span&gt;&lt;span class="menu-label"&gt;Logout&lt;/span&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">logoutEl</span><span class="p">.</span><span class="nx">onclick</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">remoneyLogout</span><span class="p">();</span> <span class="p">};</span> <span class="nx">menuBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">logoutEl</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">loginEl</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">);</span> <span class="nx">loginEl</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">#</span><span class="dl">'</span><span class="p">;</span> <span class="nx">loginEl</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">menu-item</span><span class="dl">'</span><span class="p">;</span> <span class="nx">loginEl</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;span class="menu-icon"&gt;🔐&lt;/span&gt;&lt;span class="menu-label"&gt;Sign in with Google&lt;/span&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">loginEl</span><span class="p">.</span><span class="nx">onclick</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">remoneyLogin</span><span class="p">();</span> <span class="p">};</span> <span class="nx">menuBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">loginEl</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">})();</span> </code></pre> </div> <p>Include it in every Qute template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"/js/auth.js"</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <h2> Step 5: Server-Side Auth Check in ExpenseUIResource </h2> <p>Here's the problem with server-rendered pages: when a user navigates to <code>/ui</code>, the browser makes a plain GET request. There's no <code>Authorization</code> header, no way for API Gateway to validate a JWT. That's why <code>/ui/*</code> routes are set to <code>Authorizer: NONE</code>.</p> <p>But we can't leave them completely unprotected. The solution: check for the <code>id_token</code> cookie that <code>auth.js</code> sets after login. If it's missing, redirect to Cognito.</p> <p>We also need a <strong>callback endpoint</strong> — a minimal page with no auth check that loads <code>auth.js</code> so it can capture the token from the URL fragment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Path</span><span class="o">(</span><span class="s">"/ui"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ExpenseUIResource</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">COGNITO_DOMAIN</span> <span class="o">=</span> <span class="s">"remoney-auth.auth.us-east-1.amazoncognito.com"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">CLIENT_ID</span> <span class="o">=</span> <span class="s">"YOUR_COGNITO_CLIENT_ID"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">IDP</span> <span class="o">=</span> <span class="s">"Google"</span><span class="o">;</span> <span class="nd">@CookieParam</span><span class="o">(</span><span class="s">"id_token"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">idToken</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">Response</span> <span class="nf">requireAuth</span><span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">idToken</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">idToken</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="c1">// authenticated</span> <span class="o">}</span> <span class="nc">String</span> <span class="n">redirectUri</span> <span class="o">=</span> <span class="s">"https://YOUR-API-ID.execute-api.us-east-1.amazonaws.com/ui/callback"</span><span class="o">;</span> <span class="nc">String</span> <span class="n">loginUrl</span> <span class="o">=</span> <span class="s">"https://"</span> <span class="o">+</span> <span class="no">COGNITO_DOMAIN</span> <span class="o">+</span> <span class="s">"/oauth2/authorize?response_type=token&amp;client_id="</span> <span class="o">+</span> <span class="no">CLIENT_ID</span> <span class="o">+</span> <span class="s">"&amp;redirect_uri="</span> <span class="o">+</span> <span class="n">java</span><span class="o">.</span><span class="na">net</span><span class="o">.</span><span class="na">URLEncoder</span><span class="o">.</span><span class="na">encode</span><span class="o">(</span> <span class="n">redirectUri</span><span class="o">,</span> <span class="n">java</span><span class="o">.</span><span class="na">nio</span><span class="o">.</span><span class="na">charset</span><span class="o">.</span><span class="na">StandardCharsets</span><span class="o">.</span><span class="na">UTF_8</span><span class="o">)</span> <span class="o">+</span> <span class="s">"&amp;scope=openid+email+profile&amp;identity_provider="</span> <span class="o">+</span> <span class="no">IDP</span><span class="o">;</span> <span class="k">return</span> <span class="nc">Response</span><span class="o">.</span><span class="na">seeOther</span><span class="o">(</span><span class="no">URI</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="n">loginUrl</span><span class="o">)).</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="c1">// OAuth callback — no auth check, just loads auth.js</span> <span class="nd">@GET</span> <span class="nd">@Path</span><span class="o">(</span><span class="s">"/callback"</span><span class="o">)</span> <span class="nd">@Produces</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">TEXT_HTML</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">authCallback</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"&lt;!DOCTYPE html&gt;&lt;html&gt;&lt;head&gt;&lt;meta charset=\"UTF-8\"&gt;"</span> <span class="o">+</span> <span class="s">"&lt;title&gt;Signing in...&lt;/title&gt;&lt;/head&gt;"</span> <span class="o">+</span> <span class="s">"&lt;body&gt;&lt;p&gt;Signing in...&lt;/p&gt;"</span> <span class="o">+</span> <span class="s">"&lt;script src=\"/js/auth.js\"&gt;&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;"</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@GET</span> <span class="nd">@Produces</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">TEXT_HTML</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">Object</span> <span class="nf">getDashboard</span><span class="o">(</span><span class="cm">/* ... params ... */</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">Response</span> <span class="n">authRedirect</span> <span class="o">=</span> <span class="n">requireAuth</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">authRedirect</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="k">return</span> <span class="n">authRedirect</span><span class="o">;</span> <span class="c1">// ... render dashboard as before ...</span> <span class="o">}</span> <span class="c1">// Same pattern for all other GET endpoints:</span> <span class="c1">// getCategories(), getAccounts(), getPivotTable(), getCsvImport(), getSetup()</span> <span class="o">}</span> </code></pre> </div> <p>Key details:</p> <ul> <li> <code>@CookieParam("id_token")</code> reads the cookie set by <code>auth.js</code> </li> <li>Return type changes from <code>TemplateInstance</code> to <code>Object</code> so we can return either a template or a redirect <code>Response</code> </li> <li> <code>requireAuth()</code> returns <code>null</code> if authenticated, or a redirect <code>Response</code> to Cognito login</li> <li>The <code>redirect_uri</code> points to <code>/ui/callback</code> — not <code>/ui</code> — to avoid the redirect loop</li> <li>The <code>/ui/callback</code> endpoint has <strong>no auth check</strong> — it's a bare HTML page that loads <code>auth.js</code> </li> </ul> <blockquote> <p><strong>Why not use <code>uriInfo.getBaseUri()</code>?</strong> Inside Lambda behind API Gateway, <code>getBaseUri()</code> returns an internal URL (like <code>http://localhost/</code>), not the actual API Gateway domain. You need to hardcode the API Gateway URL or pass it via an environment variable.</p> </blockquote> <h2> Step 6: The Complete Auth Flow </h2> <p>Here's what happens end-to-end:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User opens https://YOUR-API.execute-api.us-east-1.amazonaws.com/ui 2. API Gateway: /ui route has Auth: NONE → passes through to Lambda 3. Lambda (ExpenseUIResource.getDashboard): checks for id_token cookie → NOT FOUND → Returns 303 redirect to Cognito 4. Browser redirects to: https://remoney-auth.auth.us-east-1.amazoncognito.com/oauth2/authorize? response_type=token&amp;client_id=... &amp;redirect_uri=.../ui/callback ← note: /ui/callback, not /ui &amp;identity_provider=Google 5. Cognito redirects to Google sign-in 6. User signs in with Google → Google redirects back to Cognito 7. Cognito redirects back to: https://YOUR-API.execute-api.us-east-1.amazonaws.com/ui/callback#id_token=eyJ... 8. API Gateway: /ui/callback matches /ui/{proxy+} with Auth: NONE → Lambda 9. Lambda (ExpenseUIResource.authCallback): returns minimal HTML page → No auth check — just loads auth.js 10. auth.js runs on the callback page: - Parses id_token from URL fragment - Stores in localStorage + sets id_token cookie - Redirects to /ui 11. Browser navigates to /ui → sends cookie with request 12. Lambda (ExpenseUIResource.getDashboard): checks for id_token cookie → FOUND → Renders the dashboard 13. Any fetch() call to /entryResource/* includes Authorization: Bearer header → API Gateway validates JWT → Lambda processes request </code></pre> </div> <p>The callback page is the key piece. It breaks the redirect loop by giving JavaScript a place to run before the server-side auth check kicks in.</p> <h2> Step 7: Deploy </h2> <p>First deploy (with Google credentials):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./build-lambda.sh sam deploy <span class="nt">--parameter-overrides</span> <span class="se">\</span> <span class="nv">GoogleClientId</span><span class="o">=</span>your-google-client-id <span class="se">\</span> <span class="nv">GoogleClientSecret</span><span class="o">=</span>your-google-client-secret </code></pre> </div> <p>After the first deploy, note the API Gateway URL from the outputs and update the <code>CallbackURLs</code> in <code>template.yaml</code> to use <code>/ui/callback</code>. Then deploy again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sam build <span class="o">&amp;&amp;</span> sam deploy </code></pre> </div> <p>For subsequent deploys, SAM remembers the parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./build-lambda.sh <span class="o">&amp;&amp;</span> sam deploy </code></pre> </div> <h2> Step 8: Test the Flow </h2> <ol> <li>Open your API Gateway URL + <code>/ui</code> </li> <li>You should be redirected to Google sign-in</li> <li>Sign in with your Google account</li> <li>You'll briefly see "Signing in..." on the callback page</li> <li>You're redirected to re:Money with the dashboard loaded</li> <li>Check the menu bar — you should see your email and a Logout button</li> <li>Open browser DevTools → Application → Cookies → verify <code>id_token</code> is set</li> <li>Open Network tab → verify <code>Authorization: Bearer ...</code> on fetch calls to <code>/entryResource/*</code> </li> </ol> <h2> What Changed from Part 1 </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Before (Part 1)</th> <th>After (Security Part)</th> </tr> </thead> <tbody> <tr> <td>Public API Gateway</td> <td>JWT-protected API routes</td> </tr> <tr> <td>No authentication</td> <td>Google sign-in via Cognito</td> </tr> <tr> <td>Anyone can access data</td> <td>Cookie check on UI, JWT check on API</td> </tr> <tr> <td>No user identity</td> <td>JWT carries user email</td> </tr> <tr> <td><code>sam deploy</code></td> <td> <code>sam deploy --parameter-overrides</code> (first time)</td> </tr> </tbody> </table></div> <p>And what <em>didn't</em> change:</p> <ul> <li>Still two commands to deploy</li> <li>Still zero servers to manage</li> <li>Still a single <code>function.zip</code> artifact</li> <li>Still pay-per-request pricing</li> <li>No VPC, no security groups, no network config</li> <li>No new Java dependencies — just <code>@CookieParam</code> and <code>Response.seeOther()</code> </li> </ul> <h2> Cost Impact </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td>Cognito</td> <td>Free tier: 50,000 MAU (monthly active users)</td> </tr> <tr> <td>API Gateway</td> <td>Same as before — free tier covers it</td> </tr> <tr> <td>Lambda</td> <td>Same as before</td> </tr> <tr> <td>DynamoDB</td> <td>Same as before</td> </tr> <tr> <td><strong>Total</strong></td> <td> <strong>Still ~$0/month</strong> for personal use</td> </tr> </tbody> </table></div> <h2> Gotchas We Hit </h2> <p>A few things that tripped us up during implementation:</p> <ol> <li><p><strong>Redirect loop on <code>/ui</code></strong> — This was the biggest one. Cognito's implicit flow returns the token in the URL fragment (<code>#id_token=...</code>). Fragments are client-side only — the server never sees them. If Cognito redirects back to <code>/ui</code>, the server checks for a cookie, finds nothing, and redirects back to Cognito. Infinite loop. The fix: use a dedicated <code>/ui/callback</code> endpoint that serves a bare HTML page (no auth check) where <code>auth.js</code> can capture the token, set the cookie, and then redirect to <code>/ui</code>.</p></li> <li><p><strong>Circular dependency in CloudFormation</strong> — You can't use <code>!Sub "${ReMoneyHttpApi}"</code> in the UserPoolClient's <code>CallbackURLs</code> because the API references the client (for its authorizer) and the client would reference the API. Solution: use <code>https://localhost/ui/callback</code> for the first deploy, then hardcode the actual API Gateway URL after you get it from the stack outputs.</p></li> <li><p><strong><code>redirect_mismatch</code> error</strong> — The <code>redirect_uri</code> in the login request must exactly match one of the <code>CallbackURLs</code> registered in Cognito — character for character. Inside Lambda, <code>uriInfo.getBaseUri()</code> returns an internal URL, not the API Gateway domain. Solution: hardcode the API Gateway URL in the Java resource.</p></li> <li><p><strong>Cookies need <code>Secure</code> flag</strong> — API Gateway endpoints are HTTPS, so the cookie must have <code>Secure</code> to be sent back. <code>SameSite=Lax</code> allows the cookie to be sent on top-level navigations (which is what we need for page loads).</p></li> <li><p><strong><code>build-lambda.sh</code> artifact name</strong> — If your Maven <code>artifactId</code> changes, the zip script breaks. Make sure the jar name in the script matches what Maven produces.</p></li> </ol> <h2> What's Next </h2> <p>Your app is now deployed <em>and</em> secured. In the next parts of this series, we could cover:</p> <ul> <li> <strong>Custom domain</strong> — putting re:Money behind <code>money.yourdomain.com</code> with Route 53 + ACM</li> <li> <strong>Multi-tenancy</strong> — using the Cognito user ID to isolate data per user in DynamoDB</li> <li> <strong>CI/CD</strong> — automating <code>./build-lambda.sh &amp;&amp; sam deploy</code> with GitHub Actions</li> <li> <strong>Restricting access</strong> — adding a Cognito Pre-Sign-Up Lambda trigger to allow only specific email addresses</li> </ul> <p>But for now, you've gone from "anyone can see my bank transactions" to "Google sign-in required" — with auth handled at two layers: API Gateway for REST calls, and a simple cookie check for server-rendered pages. No new dependencies, no auth framework, just Cognito + a cookie + a callback page + 10 lines of Java.</p> <p><em>This is Part 2 of the "Goodbye Localhost, Hello AWS" series. <a href="https://dev.to/vsenger/why-quarkus-vanilla-js-aws-lambda-dynamodb-is-the-fastest-path-from-idea-to-production-3nlc">Part 1</a> covers the initial deployment. re:Money is open source as part of the <a href="https://github.com/renascence-computing/reos-money" rel="noopener noreferrer">Renascence Computing Project</a>.</em></p> java aws quarkus security Goodbye localhost, hello AWS: adding security to re:Money Vinicius Senger Tue, 14 Apr 2026 18:55:30 +0000 https://dev.to/vsenger/goodbye-localhost-hello-aws-adding-security-to-remoney-2063 https://dev.to/vsenger/goodbye-localhost-hello-aws-adding-security-to-remoney-2063 <p>In the <a href="https://dev.to/vsenger/why-quarkus-vanilla-js-aws-lambda-dynamodb-is-the-fastest-path-from-idea-to-production-3nlc">first part of this series</a>, we took re:Money from localhost to production with <code>sam build &amp;&amp; sam deploy</code>. Two commands, zero servers, and a fully working financial tracking app on AWS Lambda.</p> <p>But there's a problem: <strong>anyone with the URL can see your data.</strong></p> <p>That API Gateway endpoint we got? It's public. No login, no authentication, no authorization. For a personal finance app, that's not acceptable. Time to fix it.</p> <p>In this article, we'll add <strong>Amazon Cognito</strong> with <strong>Google sign-in</strong> to re:Money — so only you (or people you invite) can access the app.</p> <h2> What We're Building </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────┐ ┌──────────────┐ ┌─────────────┐ ┌────────┐ ┌──────────┐ │ Browser │────▶│ Google Login │────▶│ Cognito │────▶│ JWT │ │ │ │ │ │ (OAuth 2.0) │ │ User Pool │ │ Token │ │ │ └──────────┘ └──────────────┘ └─────────────┘ └───┬────┘ │ │ │ │ │ ▼ │ │ ┌───────────┐ │ │ │ API │──▶ │ Lambda │──▶ DynamoDB │ Gateway │ │(Quarkus) │ │ (JWT Auth)│ │ │ └───────────┘ └──────────┘ </code></pre> </div> <p>We protect re:Money at <strong>two layers</strong>:</p> <ol> <li> <strong>API Gateway JWT authorizer</strong> — REST API routes (<code>/entryResource/*</code>, <code>/csv-import/*</code>) require a valid Cognito JWT in the <code>Authorization</code> header. No token? 401 before Lambda even wakes up.</li> <li> <strong>Server-side cookie check</strong> — The Qute-rendered UI pages (<code>/ui/*</code>) are public at the gateway level (they have to be — browsers don't send <code>Authorization</code> headers on page navigation). Instead, the Java resource checks for an <code>id_token</code> cookie and redirects to Cognito login if it's missing.</li> </ol> <p>The glue between these two layers is a small JavaScript file (<code>auth.js</code>) that stores the Cognito token in both <code>localStorage</code> (for <code>fetch()</code> calls) and a cookie (for server-side checks).</p> <h2> Step 1: Get Google OAuth Credentials </h2> <p>Before touching AWS, you need a Google OAuth client:</p> <ol> <li>Go to <a href="https://console.cloud.google.com/apis/credentials" rel="noopener noreferrer">Google Cloud Console → Credentials</a> </li> <li>Create a new project (or use an existing one)</li> <li>Click <strong>Create Credentials → OAuth 2.0 Client ID</strong> </li> <li>Application type: <strong>Web application</strong> </li> <li>Leave the redirect URI blank for now — we'll come back after creating the Cognito domain</li> <li>Save your <strong>Client ID</strong> and <strong>Client Secret</strong> </li> </ol> <h2> Step 2: Update template.yaml </h2> <p>Here's the full picture. We add Cognito resources, a JWT authorizer on API Gateway, and split routes into protected (API) and public (UI):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Transform</span><span class="pi">:</span> <span class="s">AWS::Serverless-2016-10-31</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">re:Money Quarkus Lambda Application with Cognito Auth</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">GoogleClientId</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Google OAuth Client ID</span> <span class="na">NoEcho</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">GoogleClientSecret</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Google OAuth Client Secret</span> <span class="na">NoEcho</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Globals</span><span class="pi">:</span> <span class="na">Function</span><span class="pi">:</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">512</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">java21</span> <span class="na">Environment</span><span class="pi">:</span> <span class="na">Variables</span><span class="pi">:</span> <span class="na">QUARKUS_PROFILE</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># --- Cognito ---</span> <span class="na">ReMoneyUserPool</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPool</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">UserPoolName</span><span class="pi">:</span> <span class="s">remoney-users</span> <span class="na">AutoVerifiedAttributes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">email</span> <span class="na">Schema</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">email</span> <span class="na">Required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Mutable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ReMoneyUserPoolDomain</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPoolDomain</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Domain</span><span class="pi">:</span> <span class="s">remoney-auth</span> <span class="c1"># Must be globally unique</span> <span class="na">UserPoolId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyUserPool</span> <span class="na">GoogleIdentityProvider</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPoolIdentityProvider</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">UserPoolId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyUserPool</span> <span class="na">ProviderName</span><span class="pi">:</span> <span class="s">Google</span> <span class="na">ProviderType</span><span class="pi">:</span> <span class="s">Google</span> <span class="na">ProviderDetails</span><span class="pi">:</span> <span class="na">client_id</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GoogleClientId</span> <span class="na">client_secret</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">GoogleClientSecret</span> <span class="na">authorize_scopes</span><span class="pi">:</span> <span class="s2">"</span><span class="s">openid</span><span class="nv"> </span><span class="s">email</span><span class="nv"> </span><span class="s">profile"</span> <span class="na">AttributeMapping</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="s">email</span> <span class="na">name</span><span class="pi">:</span> <span class="s">name</span> <span class="na">username</span><span class="pi">:</span> <span class="s">sub</span> <span class="na">ReMoneyUserPoolClient</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPoolClient</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">GoogleIdentityProvider</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ClientName</span><span class="pi">:</span> <span class="s">remoney-web</span> <span class="na">UserPoolId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyUserPool</span> <span class="na">GenerateSecret</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">SupportedIdentityProviders</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Google</span> <span class="na">AllowedOAuthFlows</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">implicit</span> <span class="na">AllowedOAuthScopes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">openid</span> <span class="pi">-</span> <span class="s">email</span> <span class="pi">-</span> <span class="s">profile</span> <span class="na">AllowedOAuthFlowsUserPoolClient</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">CallbackURLs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://YOUR-API-ID.execute-api.us-east-1.amazonaws.com/ui/callback</span> <span class="pi">-</span> <span class="s">https://localhost/ui/callback</span> <span class="na">LogoutURLs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://YOUR-API-ID.execute-api.us-east-1.amazonaws.com/ui/callback</span> <span class="pi">-</span> <span class="s">https://localhost/ui/callback</span> </code></pre> </div> <blockquote> <p><strong>Note on CallbackURLs:</strong> You can't use <code>!Sub "${ReMoneyHttpApi}"</code> here because it creates a circular dependency — the API references the UserPoolClient for its authorizer, and the client would reference the API for its callback URL. Use <code>https://localhost/ui/callback</code> for the first deploy, then update with the actual API Gateway URL from the stack outputs.</p> <p><strong>Why <code>/ui/callback</code> and not <code>/ui</code>?</strong> This is critical. Cognito's implicit flow returns the token in the URL fragment (<code>#id_token=...</code>). Fragments are client-side only — the server never sees them. If Cognito redirects to <code>/ui</code>, the server-side auth check sees no cookie, and redirects back to Cognito — an infinite loop. The <code>/ui/callback</code> endpoint serves a minimal page with no auth check, giving JavaScript a chance to capture the token and set the cookie before navigating to <code>/ui</code>.</p> </blockquote> <p>Next, the API Gateway with a JWT authorizer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># --- API Gateway with JWT Auth ---</span> <span class="na">ReMoneyHttpApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">DefaultAuthorizer</span><span class="pi">:</span> <span class="s">CognitoAuthorizer</span> <span class="na">Authorizers</span><span class="pi">:</span> <span class="na">CognitoAuthorizer</span><span class="pi">:</span> <span class="na">AuthorizationScopes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">openid</span> <span class="na">IdentitySource</span><span class="pi">:</span> <span class="s">$request.header.Authorization</span> <span class="na">JwtConfiguration</span><span class="pi">:</span> <span class="na">issuer</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">https://cognito-idp.${AWS::Region}.amazonaws.com/${ReMoneyUserPool}"</span> <span class="na">audience</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">ReMoneyUserPoolClient</span> </code></pre> </div> <p>And the Lambda function with split routes — protected API vs public UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1"># --- Lambda ---</span> <span class="na">ReMoneyFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CodeUri</span><span class="pi">:</span> <span class="s">target/function.zip</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">1024</span> <span class="na">Events</span><span class="pi">:</span> <span class="c1"># Protected API routes (JWT required)</span> <span class="na">EntryApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/entryResource/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="na">CsvImportApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/csv-import/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="c1"># Public UI routes (no gateway auth — server checks cookie)</span> <span class="na">PublicUI</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/ui/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="s">NONE</span> <span class="na">PublicUIRoot</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/ui</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="s">NONE</span> <span class="c1"># Static assets</span> <span class="na">PublicCss</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/css/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="s">NONE</span> <span class="na">PublicJs</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReMoneyHttpApi</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/js/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">Authorizer</span><span class="pi">:</span> <span class="s">NONE</span> </code></pre> </div> <p>The key insight: <code>/entryResource/*</code> and <code>/csv-import/*</code> use the default JWT authorizer. <code>/ui/*</code>, <code>/css/*</code>, and <code>/js/*</code> override with <code>Authorizer: NONE</code> so the browser can load pages and static assets. The UI pages are protected at the application level instead.</p> <h2> Step 3: Update the Google Redirect URI </h2> <p>After the first deploy, go back to Google Cloud Console and add the Cognito redirect URI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://remoney-auth.auth.us-east-1.amazoncognito.com/oauth2/idpresponse </code></pre> </div> <p>Replace <code>remoney-auth</code> with your domain and <code>us-east-1</code> with your region.</p> <h2> Step 4: The Auth JavaScript — auth.js </h2> <p>This is the client-side glue. It handles the Cognito OAuth callback, stores the token, and bridges the gap between browser navigation and API calls.</p> <p>Create <code>src/main/resources/META-INF/resources/js/auth.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// re:Money Auth - Cognito + Google sign-in</span> <span class="kd">const</span> <span class="nx">AUTH_CONFIG</span> <span class="o">=</span> <span class="p">{</span> <span class="na">cognitoDomain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">remoney-auth.auth.us-east-1.amazoncognito.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_COGNITO_CLIENT_ID</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// From SAM outputs</span> <span class="na">redirectUri</span><span class="p">:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/ui/callback</span><span class="dl">'</span><span class="p">,</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Google</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">remoneyLogin</span><span class="p">()</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">cognitoDomain</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/oauth2/authorize?</span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">response_type=token&amp;client_id=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">clientId</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&amp;redirect_uri=</span><span class="dl">'</span> <span class="o">+</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">redirectUri</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&amp;scope=openid+email+profile&amp;identity_provider=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">provider</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Note the <code>redirectUri</code> points to <code>/ui/callback</code>, not <code>/ui</code>. This is essential to avoid the redirect loop (more on that in the Gotchas section).</p> <p><strong>Cookie management</strong> — this is what makes server-side auth work. After Cognito redirects back with a token in the URL fragment, we store it in both <code>localStorage</code> and a cookie:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">setAuthCookie</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">maxAgeSec</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">id_token=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">token</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">;path=/;max-age=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">maxAgeSec</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">;SameSite=Lax;Secure</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">clearAuthCookie</span><span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">id_token=;path=/;max-age=0</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">remoneyLogout</span><span class="p">()</span> <span class="p">{</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_expiry</span><span class="dl">'</span><span class="p">);</span> <span class="nf">clearAuthCookie</span><span class="p">();</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">cognitoDomain</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/logout?</span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">client_id=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">clientId</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&amp;logout_uri=</span><span class="dl">'</span> <span class="o">+</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">AUTH_CONFIG</span><span class="p">.</span><span class="nx">redirectUri</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">getToken</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">expiry</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_expiry</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">expiry</span> <span class="o">&amp;&amp;</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&gt;</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">expiry</span><span class="p">))</span> <span class="p">{</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_expiry</span><span class="dl">'</span><span class="p">);</span> <span class="nf">clearAuthCookie</span><span class="p">();</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Token capture and redirect</strong> — Cognito uses the implicit flow, which puts the token in the URL fragment (<code>#id_token=...</code>). We parse it on the callback page and redirect to the main UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">(</span><span class="kd">function</span> <span class="nf">handleCallback</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hash</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nx">hash</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">expiresIn</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">expires_in</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">ttl</span> <span class="o">=</span> <span class="nx">expiresIn</span> <span class="p">?</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">expiresIn</span><span class="p">)</span> <span class="p">:</span> <span class="mi">3600</span><span class="p">;</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">token</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">token_expiry</span><span class="dl">'</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nx">ttl</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">));</span> <span class="nf">setAuthCookie</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">ttl</span><span class="p">);</span> <span class="c1">// Redirect to the main UI now that cookie is set</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/ui</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">})();</span> </code></pre> </div> <p>The key line is <code>window.location.href = window.location.origin + '/ui'</code>. After setting the cookie, we navigate to <code>/ui</code> — and this time the server-side check will find the cookie and render the dashboard.</p> <p><strong>Fetch interceptor</strong> — patches <code>window.fetch</code> so every AJAX call includes the <code>Authorization</code> header. This is what protects the <code>/entryResource/*</code> API calls made from the UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">(</span><span class="kd">function</span> <span class="nf">patchFetch</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">originalFetch</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">fetch</span><span class="p">;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">fetch</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">token</span> <span class="o">=</span> <span class="nf">getToken</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="nx">options</span> <span class="o">=</span> <span class="nx">options</span> <span class="o">||</span> <span class="p">{};</span> <span class="nx">options</span><span class="p">.</span><span class="nx">headers</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">assign</span><span class="p">({},</span> <span class="nx">options</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">token</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">originalFetch</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="nx">url</span><span class="p">,</span> <span class="nx">options</span><span class="p">);</span> <span class="p">};</span> <span class="p">})();</span> </code></pre> </div> <p><strong>Auth UI</strong> — dynamically adds a login or logout button to the menu bar, and shows the user's email when logged in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">(</span><span class="kd">function</span> <span class="nf">renderAuthUI</span><span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">DOMContentLoaded</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">menuBar</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.menu-bar</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">menuBar</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">token</span> <span class="o">=</span> <span class="nf">getToken</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">el</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">div</span><span class="dl">'</span><span class="p">);</span> <span class="nx">el</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">menu-separator</span><span class="dl">'</span><span class="p">;</span> <span class="nx">menuBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">el</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nf">atob</span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]));</span> <span class="kd">var</span> <span class="nx">userEl</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">span</span><span class="dl">'</span><span class="p">);</span> <span class="nx">userEl</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">menu-item</span><span class="dl">'</span><span class="p">;</span> <span class="nx">userEl</span><span class="p">.</span><span class="nx">style</span><span class="p">.</span><span class="nx">cursor</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">default</span><span class="dl">'</span><span class="p">;</span> <span class="nx">userEl</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;span class="menu-icon"&gt;👤&lt;/span&gt;&lt;span class="menu-label"&gt;</span><span class="dl">'</span> <span class="o">+</span> <span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">email</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">User</span><span class="dl">'</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;/span&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">menuBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">userEl</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{}</span> <span class="kd">var</span> <span class="nx">logoutEl</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">);</span> <span class="nx">logoutEl</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">#</span><span class="dl">'</span><span class="p">;</span> <span class="nx">logoutEl</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">menu-item</span><span class="dl">'</span><span class="p">;</span> <span class="nx">logoutEl</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;span class="menu-icon"&gt;🚪&lt;/span&gt;&lt;span class="menu-label"&gt;Logout&lt;/span&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">logoutEl</span><span class="p">.</span><span class="nx">onclick</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">remoneyLogout</span><span class="p">();</span> <span class="p">};</span> <span class="nx">menuBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">logoutEl</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">loginEl</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">);</span> <span class="nx">loginEl</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">#</span><span class="dl">'</span><span class="p">;</span> <span class="nx">loginEl</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">menu-item</span><span class="dl">'</span><span class="p">;</span> <span class="nx">loginEl</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;span class="menu-icon"&gt;🔐&lt;/span&gt;&lt;span class="menu-label"&gt;Sign in with Google&lt;/span&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">loginEl</span><span class="p">.</span><span class="nx">onclick</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">remoneyLogin</span><span class="p">();</span> <span class="p">};</span> <span class="nx">menuBar</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">loginEl</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">})();</span> </code></pre> </div> <p>Include it in every Qute template:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"/js/auth.js"</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <h2> Step 5: Server-Side Auth Check in ExpenseUIResource </h2> <p>Here's the problem with server-rendered pages: when a user navigates to <code>/ui</code>, the browser makes a plain GET request. There's no <code>Authorization</code> header, no way for API Gateway to validate a JWT. That's why <code>/ui/*</code> routes are set to <code>Authorizer: NONE</code>.</p> <p>But we can't leave them completely unprotected. The solution: check for the <code>id_token</code> cookie that <code>auth.js</code> sets after login. If it's missing, redirect to Cognito.</p> <p>We also need a <strong>callback endpoint</strong> — a minimal page with no auth check that loads <code>auth.js</code> so it can capture the token from the URL fragment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Path</span><span class="o">(</span><span class="s">"/ui"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ExpenseUIResource</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">COGNITO_DOMAIN</span> <span class="o">=</span> <span class="s">"remoney-auth.auth.us-east-1.amazoncognito.com"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">CLIENT_ID</span> <span class="o">=</span> <span class="s">"YOUR_COGNITO_CLIENT_ID"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">IDP</span> <span class="o">=</span> <span class="s">"Google"</span><span class="o">;</span> <span class="nd">@CookieParam</span><span class="o">(</span><span class="s">"id_token"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">idToken</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">Response</span> <span class="nf">requireAuth</span><span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">idToken</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">idToken</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="c1">// authenticated</span> <span class="o">}</span> <span class="nc">String</span> <span class="n">redirectUri</span> <span class="o">=</span> <span class="s">"https://YOUR-API-ID.execute-api.us-east-1.amazonaws.com/ui/callback"</span><span class="o">;</span> <span class="nc">String</span> <span class="n">loginUrl</span> <span class="o">=</span> <span class="s">"https://"</span> <span class="o">+</span> <span class="no">COGNITO_DOMAIN</span> <span class="o">+</span> <span class="s">"/oauth2/authorize?response_type=token&amp;client_id="</span> <span class="o">+</span> <span class="no">CLIENT_ID</span> <span class="o">+</span> <span class="s">"&amp;redirect_uri="</span> <span class="o">+</span> <span class="n">java</span><span class="o">.</span><span class="na">net</span><span class="o">.</span><span class="na">URLEncoder</span><span class="o">.</span><span class="na">encode</span><span class="o">(</span> <span class="n">redirectUri</span><span class="o">,</span> <span class="n">java</span><span class="o">.</span><span class="na">nio</span><span class="o">.</span><span class="na">charset</span><span class="o">.</span><span class="na">StandardCharsets</span><span class="o">.</span><span class="na">UTF_8</span><span class="o">)</span> <span class="o">+</span> <span class="s">"&amp;scope=openid+email+profile&amp;identity_provider="</span> <span class="o">+</span> <span class="no">IDP</span><span class="o">;</span> <span class="k">return</span> <span class="nc">Response</span><span class="o">.</span><span class="na">seeOther</span><span class="o">(</span><span class="no">URI</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="n">loginUrl</span><span class="o">)).</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="c1">// OAuth callback — no auth check, just loads auth.js</span> <span class="nd">@GET</span> <span class="nd">@Path</span><span class="o">(</span><span class="s">"/callback"</span><span class="o">)</span> <span class="nd">@Produces</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">TEXT_HTML</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">authCallback</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"&lt;!DOCTYPE html&gt;&lt;html&gt;&lt;head&gt;&lt;meta charset=\"UTF-8\"&gt;"</span> <span class="o">+</span> <span class="s">"&lt;title&gt;Signing in...&lt;/title&gt;&lt;/head&gt;"</span> <span class="o">+</span> <span class="s">"&lt;body&gt;&lt;p&gt;Signing in...&lt;/p&gt;"</span> <span class="o">+</span> <span class="s">"&lt;script src=\"/js/auth.js\"&gt;&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;"</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@GET</span> <span class="nd">@Produces</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">TEXT_HTML</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">Object</span> <span class="nf">getDashboard</span><span class="o">(</span><span class="cm">/* ... params ... */</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">Response</span> <span class="n">authRedirect</span> <span class="o">=</span> <span class="n">requireAuth</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">authRedirect</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="k">return</span> <span class="n">authRedirect</span><span class="o">;</span> <span class="c1">// ... render dashboard as before ...</span> <span class="o">}</span> <span class="c1">// Same pattern for all other GET endpoints:</span> <span class="c1">// getCategories(), getAccounts(), getPivotTable(), getCsvImport(), getSetup()</span> <span class="o">}</span> </code></pre> </div> <p>Key details:</p> <ul> <li> <code>@CookieParam("id_token")</code> reads the cookie set by <code>auth.js</code> </li> <li>Return type changes from <code>TemplateInstance</code> to <code>Object</code> so we can return either a template or a redirect <code>Response</code> </li> <li> <code>requireAuth()</code> returns <code>null</code> if authenticated, or a redirect <code>Response</code> to Cognito login</li> <li>The <code>redirect_uri</code> points to <code>/ui/callback</code> — not <code>/ui</code> — to avoid the redirect loop</li> <li>The <code>/ui/callback</code> endpoint has <strong>no auth check</strong> — it's a bare HTML page that loads <code>auth.js</code> </li> </ul> <blockquote> <p><strong>Why not use <code>uriInfo.getBaseUri()</code>?</strong> Inside Lambda behind API Gateway, <code>getBaseUri()</code> returns an internal URL (like <code>http://localhost/</code>), not the actual API Gateway domain. You need to hardcode the API Gateway URL or pass it via an environment variable.</p> </blockquote> <h2> Step 6: The Complete Auth Flow </h2> <p>Here's what happens end-to-end:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User opens https://YOUR-API.execute-api.us-east-1.amazonaws.com/ui 2. API Gateway: /ui route has Auth: NONE → passes through to Lambda 3. Lambda (ExpenseUIResource.getDashboard): checks for id_token cookie → NOT FOUND → Returns 303 redirect to Cognito 4. Browser redirects to: https://remoney-auth.auth.us-east-1.amazoncognito.com/oauth2/authorize? response_type=token&amp;client_id=... &amp;redirect_uri=.../ui/callback ← note: /ui/callback, not /ui &amp;identity_provider=Google 5. Cognito redirects to Google sign-in 6. User signs in with Google → Google redirects back to Cognito 7. Cognito redirects back to: https://YOUR-API.execute-api.us-east-1.amazonaws.com/ui/callback#id_token=eyJ... 8. API Gateway: /ui/callback matches /ui/{proxy+} with Auth: NONE → Lambda 9. Lambda (ExpenseUIResource.authCallback): returns minimal HTML page → No auth check — just loads auth.js 10. auth.js runs on the callback page: - Parses id_token from URL fragment - Stores in localStorage + sets id_token cookie - Redirects to /ui 11. Browser navigates to /ui → sends cookie with request 12. Lambda (ExpenseUIResource.getDashboard): checks for id_token cookie → FOUND → Renders the dashboard 13. Any fetch() call to /entryResource/* includes Authorization: Bearer header → API Gateway validates JWT → Lambda processes request </code></pre> </div> <p>The callback page is the key piece. It breaks the redirect loop by giving JavaScript a place to run before the server-side auth check kicks in.</p> <h2> Step 7: Deploy </h2> <p>First deploy (with Google credentials):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./build-lambda.sh sam deploy <span class="nt">--parameter-overrides</span> <span class="se">\</span> <span class="nv">GoogleClientId</span><span class="o">=</span>your-google-client-id <span class="se">\</span> <span class="nv">GoogleClientSecret</span><span class="o">=</span>your-google-client-secret </code></pre> </div> <p>After the first deploy, note the API Gateway URL from the outputs and update the <code>CallbackURLs</code> in <code>template.yaml</code> to use <code>/ui/callback</code>. Then deploy again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sam build <span class="o">&amp;&amp;</span> sam deploy </code></pre> </div> <p>For subsequent deploys, SAM remembers the parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./build-lambda.sh <span class="o">&amp;&amp;</span> sam deploy </code></pre> </div> <h2> Step 8: Test the Flow </h2> <ol> <li>Open your API Gateway URL + <code>/ui</code> </li> <li>You should be redirected to Google sign-in</li> <li>Sign in with your Google account</li> <li>You'll briefly see "Signing in..." on the callback page</li> <li>You're redirected to re:Money with the dashboard loaded</li> <li>Check the menu bar — you should see your email and a Logout button</li> <li>Open browser DevTools → Application → Cookies → verify <code>id_token</code> is set</li> <li>Open Network tab → verify <code>Authorization: Bearer ...</code> on fetch calls to <code>/entryResource/*</code> </li> </ol> <h2> What Changed from Part 1 </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Before (Part 1)</th> <th>After (Security Part)</th> </tr> </thead> <tbody> <tr> <td>Public API Gateway</td> <td>JWT-protected API routes</td> </tr> <tr> <td>No authentication</td> <td>Google sign-in via Cognito</td> </tr> <tr> <td>Anyone can access data</td> <td>Cookie check on UI, JWT check on API</td> </tr> <tr> <td>No user identity</td> <td>JWT carries user email</td> </tr> <tr> <td><code>sam deploy</code></td> <td> <code>sam deploy --parameter-overrides</code> (first time)</td> </tr> </tbody> </table></div> <p>And what <em>didn't</em> change:</p> <ul> <li>Still two commands to deploy</li> <li>Still zero servers to manage</li> <li>Still a single <code>function.zip</code> artifact</li> <li>Still pay-per-request pricing</li> <li>No VPC, no security groups, no network config</li> <li>No new Java dependencies — just <code>@CookieParam</code> and <code>Response.seeOther()</code> </li> </ul> <h2> Cost Impact </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td>Cognito</td> <td>Free tier: 50,000 MAU (monthly active users)</td> </tr> <tr> <td>API Gateway</td> <td>Same as before — free tier covers it</td> </tr> <tr> <td>Lambda</td> <td>Same as before</td> </tr> <tr> <td>DynamoDB</td> <td>Same as before</td> </tr> <tr> <td><strong>Total</strong></td> <td> <strong>Still ~$0/month</strong> for personal use</td> </tr> </tbody> </table></div> <h2> Gotchas We Hit </h2> <p>A few things that tripped us up during implementation:</p> <ol> <li><p><strong>Redirect loop on <code>/ui</code></strong> — This was the biggest one. Cognito's implicit flow returns the token in the URL fragment (<code>#id_token=...</code>). Fragments are client-side only — the server never sees them. If Cognito redirects back to <code>/ui</code>, the server checks for a cookie, finds nothing, and redirects back to Cognito. Infinite loop. The fix: use a dedicated <code>/ui/callback</code> endpoint that serves a bare HTML page (no auth check) where <code>auth.js</code> can capture the token, set the cookie, and then redirect to <code>/ui</code>.</p></li> <li><p><strong>Circular dependency in CloudFormation</strong> — You can't use <code>!Sub "${ReMoneyHttpApi}"</code> in the UserPoolClient's <code>CallbackURLs</code> because the API references the client (for its authorizer) and the client would reference the API. Solution: use <code>https://localhost/ui/callback</code> for the first deploy, then hardcode the actual API Gateway URL after you get it from the stack outputs.</p></li> <li><p><strong><code>redirect_mismatch</code> error</strong> — The <code>redirect_uri</code> in the login request must exactly match one of the <code>CallbackURLs</code> registered in Cognito — character for character. Inside Lambda, <code>uriInfo.getBaseUri()</code> returns an internal URL, not the API Gateway domain. Solution: hardcode the API Gateway URL in the Java resource.</p></li> <li><p><strong>Cookies need <code>Secure</code> flag</strong> — API Gateway endpoints are HTTPS, so the cookie must have <code>Secure</code> to be sent back. <code>SameSite=Lax</code> allows the cookie to be sent on top-level navigations (which is what we need for page loads).</p></li> <li><p><strong><code>build-lambda.sh</code> artifact name</strong> — If your Maven <code>artifactId</code> changes, the zip script breaks. Make sure the jar name in the script matches what Maven produces.</p></li> </ol> <h2> What's Next </h2> <p>Your app is now deployed <em>and</em> secured. In the next parts of this series, we could cover:</p> <ul> <li> <strong>Custom domain</strong> — putting re:Money behind <code>money.yourdomain.com</code> with Route 53 + ACM</li> <li> <strong>Multi-tenancy</strong> — using the Cognito user ID to isolate data per user in DynamoDB</li> <li> <strong>CI/CD</strong> — automating <code>./build-lambda.sh &amp;&amp; sam deploy</code> with GitHub Actions</li> <li> <strong>Restricting access</strong> — adding a Cognito Pre-Sign-Up Lambda trigger to allow only specific email addresses</li> </ul> <p>But for now, you've gone from "anyone can see my bank transactions" to "Google sign-in required" — with auth handled at two layers: API Gateway for REST calls, and a simple cookie check for server-rendered pages. No new dependencies, no auth framework, just Cognito + a cookie + a callback page + 10 lines of Java.</p> <p><em>This is Part 2 of the "Goodbye Localhost, Hello AWS" series. <a href="https://dev.to/vsenger/why-quarkus-vanilla-js-aws-lambda-dynamodb-is-the-fastest-path-from-idea-to-production-3nlc">Part 1</a> covers the initial deployment. re:Money is open source as part of the <a href="https://github.com/renascence-computing/reos-money" rel="noopener noreferrer">Renascence Computing Project</a>.</em></p> java aws quarkus security Goodbye localhost: why Quarkus + Vanilla JS + AWS Lambda + DynamoDB Is the Fastest Path from Idea to Production Vinicius Senger Tue, 07 Apr 2026 22:29:46 +0000 https://dev.to/vsenger/why-quarkus-vanilla-js-aws-lambda-dynamodb-is-the-fastest-path-from-idea-to-production-3nlc https://dev.to/vsenger/why-quarkus-vanilla-js-aws-lambda-dynamodb-is-the-fastest-path-from-idea-to-production-3nlc <p>AI-assisted development has changed everything. You describe what you want, an AI builds it, and in a couple of hours you have a working app on your laptop. I built <strong>re:Money</strong> — a full financial tracking app with dashboards, pivot tables, CSV import, and a chat interface — using <a href="https://kiro.dev" rel="noopener noreferrer">Kiro</a>, and it was genuinely fun.</p> <p>But here's the pattern I keep seeing: developers build something incredible with AI, demo it on localhost, and then... it stays on localhost. Deploying to production becomes the hard part. Suddenly you need Docker, Kubernetes, a managed database, VPC configs, CI/CD pipelines, and a cloud architecture degree.</p> <p><strong>It doesn't have to be that way.</strong></p> <p>The secret isn't just <em>how</em> you code — it's <em>what you choose</em> to build with. re:Money deploys to AWS Lambda with two commands because of four deliberate architectural choices: <strong>Quarkus</strong> as the framework, <strong>vanilla JavaScript</strong> for the front-end, <strong>AWS Lambda</strong> for compute, and <strong>DynamoDB</strong> for storage. Together, these four pieces made the gap between "works on my machine" and "running in production" almost zero.</p> <h2> But First — What Is "Vanilla JS"? </h2> <p>If you've never heard the term, there's a great backstory. In 2012, a satirical website called <a href="http://vanilla-js.com" rel="noopener noreferrer">Vanilla-JS.com</a> appeared, presenting Vanilla JS as a "fast, lightweight framework" already "used by more websites than jQuery and React combined." When you clicked to "download" the library, you got an empty file — because Vanilla JS <em>is</em> just JavaScript itself. No framework. No dependencies. Just the language your browser already speaks.</p> <p>That joke carries a real insight: for many applications, plain JavaScript is all you need. And when it comes to deployment, what you <em>don't</em> depend on matters just as much as what you use.</p> <h2> Why This Stack Is a Serverless Superpower </h2> <p>Before we get into the deployment steps, let's talk about <em>why</em> each piece of this stack is uniquely suited for going from idea to production.</p> <h3> Quarkus: One Framework, One Artifact, Zero Friction </h3> <p>Quarkus is the glue that holds everything together. It gives you:</p> <ul> <li> <strong>Server-side rendering with Qute</strong> — HTML templates that live inside the JAR, no separate front-end build</li> <li> <strong>First-class AWS Lambda support</strong> — Quarkus has a dedicated Lambda extension that handles the HTTP adapter for you</li> <li> <strong>Fast startup</strong> — designed from the ground up for cloud-native and serverless workloads</li> <li> <strong>Single uber-JAR</strong> — your entire app (REST API, templates, CSS, JS) compiles into one artifact</li> <li> <strong>Dev mode with hot reload</strong> — <code>./mvnw quarkus:dev</code> gives you instant feedback during development</li> </ul> <p>With Spring Boot, you'd need extra configuration for Lambda. With Quarkus, it's a dependency and a handler class. Done.</p> <h3> Vanilla JS: No Build Pipeline for the Front-End </h3> <p>With React or Angular, you need Node.js, npm, a bundler (Webpack/Vite), and a separate build step that produces static assets you then have to serve from S3 or CloudFront. With re:Money, the UI is Qute templates + vanilla JS. It's all inside the JAR. One build, one artifact, one deployment.</p> <h3> AWS Lambda: Serverless Compute That Scales to Zero </h3> <p>Lambda means:</p> <ul> <li> <strong>No servers to manage</strong> — no EC2 instances, no ECS clusters, no Kubernetes</li> <li> <strong>Pay only for what you use</strong> — billed per request and compute time, idle = free</li> <li> <strong>Automatic scaling</strong> — from zero to thousands of concurrent requests without configuration</li> <li> <strong>SAM makes it declarative</strong> — your entire infrastructure is defined in one <code>template.yaml</code> </li> </ul> <p>Lambda is the reason <code>sam build &amp;&amp; sam deploy</code> is all you need. No Docker registry, no container orchestration, no load balancers.</p> <h3> DynamoDB: The Only Database That Matches Lambda's Model </h3> <p>This is the big one. If re:Money used PostgreSQL or MySQL, you'd need:</p> <ul> <li>An RDS instance (always running, always billing)</li> <li>VPC configuration for Lambda to reach the database</li> <li>Connection pooling (Lambda cold starts + relational DBs = pain)</li> <li>Database migrations on every deploy</li> </ul> <p>DynamoDB has none of these problems. It's:</p> <ul> <li> <strong>Pay-per-request</strong> — zero cost when idle</li> <li> <strong>No connections to manage</strong> — it's HTTP-based, perfect for Lambda's ephemeral nature</li> <li> <strong>No VPC required</strong> — Lambda talks to DynamoDB over the public AWS API</li> <li> <strong>No migrations</strong> — schema-free, so your code <em>is</em> your schema</li> <li> <strong>Scales to zero and to infinity</strong> — just like Lambda itself</li> </ul> <p>Lambda + DynamoDB is the only truly serverless compute + storage combo on AWS. Everything else requires something running 24/7.</p> <h3> The Four Pieces Working Together </h3> <p>Here's why these four choices compound:</p> <ul> <li> <strong>Quarkus</strong> bundles your templates and JS into a single JAR → no separate front-end deployment</li> <li> <strong>Vanilla JS</strong> means no Node.js build step → that JAR is all you need to build</li> <li> <strong>Lambda</strong> runs that JAR serverlessly → no infrastructure to provision</li> <li> <strong>DynamoDB</strong> needs no VPC or connections → Lambda talks to it out of the box</li> </ul> <p>Remove any one piece and the deployment story gets harder. Together, they create a frictionless path from <code>git clone</code> to production.</p> <h3> Single Deployable Artifact </h3> <p>re:Money compiles to one <code>function.zip</code>. No Docker images, no container registries, no multi-stage builds. SAM uploads it to S3, Lambda runs it. That's it.</p> <h3> The Cost Equation </h3> <p>For a personal finance app (or any low-to-moderate traffic tool), this architecture can run for <strong>pennies per month</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td>Lambda</td> <td>Free tier: 1M requests/month</td> </tr> <tr> <td>API Gateway</td> <td>Free tier: 1M calls/month</td> </tr> <tr> <td>DynamoDB</td> <td>Free tier: 25GB storage, 25 WCU/RCU</td> </tr> <tr> <td><strong>Total</strong></td> <td> <strong>~$0/month</strong> for personal use</td> </tr> </tbody> </table></div> <p>Try getting that with ECS + RDS.</p> <h2> Prerequisites </h2> <p>Before starting, make sure you have:</p> <ul> <li> <strong>Java 21+</strong> installed</li> <li> <strong>Maven 3.8+</strong> (or use the included <code>mvnw</code> wrapper)</li> <li> <strong>AWS CLI</strong> configured with credentials (<code>aws configure</code>)</li> <li> <strong>AWS SAM CLI</strong> installed (<a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-sam-cli.html" rel="noopener noreferrer">install guide</a>)</li> </ul> <h2> Step 1: Clone and Build </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/renascence-computing/reos-money.git <span class="nb">cd </span>reos-money </code></pre> </div> <p>Build the Lambda-ready artifact:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./build-lambda.sh </code></pre> </div> <p>This script does three things:</p> <ol> <li>Runs <code>mvn clean package</code> with the uber-jar profile</li> <li>Renames the runner JAR to <code>function.jar</code> </li> <li>Zips it into <code>target/function.zip</code> </li> </ol> <p>That's your entire application — backend, front-end, templates, CSS, JavaScript — in one zip file.</p> <h2> Step 2: Review the SAM Template </h2> <p>The <code>template.yaml</code> defines everything Lambda needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Transform</span><span class="pi">:</span> <span class="s">AWS::Serverless-2016-10-31</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">re:Money Quarkus Lambda Application</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">ReMoneyFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CodeUri</span><span class="pi">:</span> <span class="s">target/function.zip</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">java21</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">1024</span> <span class="na">Events</span><span class="pi">:</span> <span class="na">ReMoneyApi</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="na">ReMoneyRoot</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">HttpApi</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">ANY</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">DynamoDBCrudPolicy</span><span class="pi">:</span> <span class="na">TableName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">EntryTable</span> <span class="na">EntryTable</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::DynamoDB::Table</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">TableName</span><span class="pi">:</span> <span class="s">entry</span> <span class="na">BillingMode</span><span class="pi">:</span> <span class="s">PAY_PER_REQUEST</span> <span class="na">AttributeDefinitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">AttributeName</span><span class="pi">:</span> <span class="s">id</span> <span class="na">AttributeType</span><span class="pi">:</span> <span class="s">S</span> <span class="na">KeySchema</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">AttributeName</span><span class="pi">:</span> <span class="s">id</span> <span class="na">KeyType</span><span class="pi">:</span> <span class="s">HASH</span> </code></pre> </div> <p>Key things to notice:</p> <ul> <li> <strong><code>HttpApi</code></strong> (API Gateway v2) — cleaner URLs with no <code>/Prod</code> stage prefix</li> <li> <strong><code>PAY_PER_REQUEST</code></strong> billing — you only pay for what you use</li> <li> <strong><code>/{proxy+}</code></strong> catches all routes and forwards them to Quarkus</li> <li> <strong>DynamoDB table is created automatically</strong> — no manual setup needed</li> <li> <strong>No VPC, no subnets, no security groups</strong> — DynamoDB doesn't need them</li> </ul> <h2> Step 3: Deploy with SAM </h2> <p>For your first deployment, run the guided flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sam build sam deploy <span class="nt">--guided</span> </code></pre> </div> <p>SAM will ask you a few questions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Stack Name [reMoney]: reMoney AWS Region [us-east-1]: us-east-1 Confirm changes before deploy [y/N]: y Allow SAM CLI IAM role creation [Y/n]: Y ReMoneyFunction has no authentication. Is this okay? [y/N]: y Save arguments to configuration file [Y/n]: Y </span></code></pre> </div> <p>This creates a <code>samconfig.toml</code> so future deploys are just:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sam build <span class="o">&amp;&amp;</span> sam deploy </code></pre> </div> <p>That's it. Two commands.</p> <h2> Step 4: Get Your API URL </h2> <p>After deployment, SAM prints your endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Outputs --------------------------------------------------------------------------- Key ReMoneyApi Description API Gateway endpoint URL for re:Money application Value https://abc123xyz.execute-api.us-east-1.amazonaws.com/ --------------------------------------------------------------------------- </code></pre> </div> <p>Open that URL in your browser and you'll see re:Money running — dashboard, accounts, categories, pivot tables, everything.</p> <h2> Step 5: Verify It Works </h2> <p>Test the API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get all entries</span> curl https://abc123xyz.execute-api.us-east-1.amazonaws.com/entryResource/findAll <span class="c"># List categories</span> curl https://abc123xyz.execute-api.us-east-1.amazonaws.com/entryResource/listCategories <span class="c"># Add an entry</span> curl <span class="nt">-X</span> POST https://abc123xyz.execute-api.us-east-1.amazonaws.com/entryResource <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "accountID": "checking", "description": "Coffee", "category": "Food", "amount": -4.50, "date": "2026-04-06T09:00" }'</span> </code></pre> </div> <p>Open the UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>open https://abc123xyz.execute-api.us-east-1.amazonaws.com/ui </code></pre> </div> <h2> Step 6: Update and Redeploy </h2> <p>Made changes? Redeploy in under a minute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./build-lambda.sh sam build <span class="o">&amp;&amp;</span> sam deploy </code></pre> </div> <p>No Docker push, no CI/CD pipeline required, no container orchestration. Build, deploy, done.</p> <h2> Architecture Overview </h2> <p>Here's what you end up with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────┐ ┌─────────────┐ ┌──────────────────┐ ┌──────────┐ │ Browser │────▶│ API Gateway │────▶│ Lambda (Java 21) │────▶│ DynamoDB │ │ │◀────│ │◀────│ Quarkus + Qute │◀────│ │ └──────────┘ └─────────────┘ └──────────────────┘ └──────────┘ │ ┌──────┴──────┐ │ Single JAR │ │ - REST API │ │ - HTML/CSS │ │ - Vanilla JS│ └─────────────┘ </code></pre> </div> <p>Three managed AWS services. Zero servers. Zero containers. Zero infrastructure to maintain.</p> <h2> Why This Wouldn't Work with a Traditional Stack </h2> <p>Let's compare what deployment looks like with a typical modern stack:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concern</th> <th>React + Spring Boot + PostgreSQL</th> <th>re:Money (Quarkus + Vanilla JS + Lambda + DynamoDB)</th> </tr> </thead> <tbody> <tr> <td>Framework</td> <td>Spring Boot (heavier cold starts)</td> <td>Quarkus (Lambda-optimized, SnapStart-ready)</td> </tr> <tr> <td>Front-end build</td> <td><code>npm install &amp;&amp; npm run build</code></td> <td>None (Qute templates + vanilla JS in JAR)</td> </tr> <tr> <td>Front-end hosting</td> <td>S3 + CloudFront</td> <td>Served by Lambda (bundled in artifact)</td> </tr> <tr> <td>Compute</td> <td>ECS/EKS or Lambda with extra config</td> <td>Lambda (native Quarkus support)</td> </tr> <tr> <td>Database</td> <td>RDS ($15+/month minimum)</td> <td>DynamoDB (free tier)</td> </tr> <tr> <td>VPC needed?</td> <td>Yes (for RDS)</td> <td>No</td> </tr> <tr> <td>Connection pooling</td> <td>Yes (RDS Proxy)</td> <td>No (HTTP-based)</td> </tr> <tr> <td>Cold start impact</td> <td>High (Spring + DB connections)</td> <td>Low (Quarkus + SnapStart, no DB pool)</td> </tr> <tr> <td>Deploy commands</td> <td>5-10 steps</td> <td><code>sam build &amp;&amp; sam deploy</code></td> </tr> <tr> <td>Monthly cost (low traffic)</td> <td>$20-50+</td> <td>$0-1</td> </tr> </tbody> </table></div> <p>The combination of Quarkus + vanilla JS + Lambda + DynamoDB isn't just a preference — it's an architectural decision that eliminates entire categories of deployment complexity.</p> <h2> Bonus: Eliminate Cold Starts with Lambda SnapStart </h2> <p>Java on Lambda has one well-known trade-off: cold starts. The first request after a period of inactivity can take a few seconds while the JVM initializes. Lambda SnapStart solves this.</p> <h3> What SnapStart Does </h3> <p>SnapStart takes a Firecracker microVM snapshot of your function <em>after</em> initialization — the JVM is booted, Quarkus is loaded, DynamoDB clients are ready. When a new invocation arrives, Lambda restores from that snapshot instead of starting from scratch. The result: cold starts drop from seconds to <strong>milliseconds</strong>.</p> <h3> How to Enable It </h3> <p>Add two lines to your <code>template.yaml</code> function properties:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ReMoneyFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="c1"># ... existing properties ...</span> <span class="na">SnapStart</span><span class="pi">:</span> <span class="na">ApplyOn</span><span class="pi">:</span> <span class="s">PublishedVersions</span> <span class="na">AutoPublishAlias</span><span class="pi">:</span> <span class="s">live</span> </code></pre> </div> <p>That's it. <code>SnapStart</code> tells Lambda to snapshot after init, and <code>AutoPublishAlias</code> creates a published version (required — SnapStart only works on published versions, not <code>$LATEST</code>).</p> <p>You can also add this JVM flag to squeeze out extra startup performance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Environment</span><span class="pi">:</span> <span class="na">Variables</span><span class="pi">:</span> <span class="na">JAVA_TOOL_OPTIONS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-XX:+TieredCompilation</span><span class="nv"> </span><span class="s">-XX:TieredStopAtLevel=1"</span> </code></pre> </div> <p>Then redeploy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sam build <span class="o">&amp;&amp;</span> sam deploy </code></pre> </div> <h3> Why This Matters </h3> <p>Without SnapStart, Java Lambda cold starts are typically 3-5 seconds for a Quarkus app. With SnapStart, you're looking at <strong>~200-400ms</strong> — comparable to Node.js or Python cold starts, but with all the benefits of Java's type safety and Quarkus's performance at steady state.</p> <p>Combined with DynamoDB (no connection pool to re-establish on restore), SnapStart makes Java on Lambda a genuinely production-ready choice with no latency excuses.</p> <h2> Tips for Production </h2> <ul> <li> <strong>Custom domain</strong>: Add a custom domain via API Gateway custom domain names + Route 53</li> <li> <strong>Authentication</strong>: Add Amazon Cognito or a Lambda authorizer to protect your endpoints</li> <li> <strong>Cold starts</strong>: Enable SnapStart (see above) — it's the single biggest improvement you can make</li> <li> <strong>Monitoring</strong>: CloudWatch Logs are enabled by default — check the Lambda function's log group</li> <li> <strong>Backups</strong>: DynamoDB supports on-demand backups and point-in-time recovery — enable PITR for peace of mind</li> </ul> <h2> Wrapping Up </h2> <p>AI-assisted development gave us the power to build apps in hours. But the dirty secret is that most of those apps never leave localhost — not because the code is bad, but because the architecture wasn't chosen with deployment in mind.</p> <p>re:Money works in production because of four choices made <em>before</em> writing a single line of code: Quarkus as the framework, vanilla JS for the front-end, Lambda for compute, and DynamoDB for storage. Those choices eliminated the entire deployment gap.</p> <p>No <code>node_modules</code>. No database migrations. No VPC. No containers. No orchestration.</p> <p>Just <code>sam build &amp;&amp; sam deploy</code>.</p> <p>Next time you're building something new with AI, think about where it needs to run — not just where it's being built. The best architecture is the one that makes production feel as easy as localhost.</p> <p><em>re:Money was built with <a href="https://kiro.dev" rel="noopener noreferrer">Kiro</a> and is open source as part of the <a href="https://github.com/renascence-computing/reos-money" rel="noopener noreferrer">Renascence Computing Project</a>. Try it out, deploy it to your own AWS account, and see how far you can go without a framework.</em></p> java aws quarkus serverless Building a Full-Stack Java App with Quarkus — No React, No Angular, No Problem Vinicius Senger Tue, 31 Mar 2026 19:37:16 +0000 https://dev.to/vsenger/building-a-full-stack-java-app-with-quarkus-no-react-no-angular-no-problem-j1m https://dev.to/vsenger/building-a-full-stack-java-app-with-quarkus-no-react-no-angular-no-problem-j1m <p>You don't need React. You don't need Angular. You don't need Vue, Svelte, or the JavaScript framework that launched last Tuesday.</p> <p>I built <strong>re:Money</strong> — a full-stack financial tracking application with a dashboard, pivot tables, CSV import, inline editing, modals, and filtering — using nothing but <strong>Quarkus</strong>, its built-in <strong>Qute</strong> template engine, plain <strong>CSS</strong>, and a sprinkle of <strong>vanilla JavaScript</strong>. The backend talks to <strong>DynamoDB</strong> and the whole thing runs as a single JAR.</p> <p>Let me show you how.</p> <h2> Why Skip the Front-End Framework? </h2> <p>For many internal tools, personal projects, and CRUD apps, a full SPA (single page application) framework adds:</p> <ul> <li>A separate build pipeline (Node, npm, Webpack/Vite)</li> <li>A JSON API contract you have to maintain</li> <li>Client-side state management</li> <li>Hundreds of megabytes of <code>node_modules</code> </li> </ul> <p>With Quarkus + Qute, you get <strong>server-side rendering</strong> with type-safe templates, hot reload in dev mode, and a single <code>mvn</code> build. Your HTML is your UI. Your Java objects flow directly into your pages. Done.</p> <h2> The Stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Technology</th> </tr> </thead> <tbody> <tr> <td>Runtime</td> <td>Java 21</td> </tr> <tr> <td>Framework</td> <td>Quarkus 3.x</td> </tr> <tr> <td>Templating</td> <td>Qute (built into Quarkus)</td> </tr> <tr> <td>Styling</td> <td>Plain CSS</td> </tr> <tr> <td>Interactivity</td> <td>Vanilla JavaScript</td> </tr> <tr> <td>Database</td> <td>Amazon DynamoDB</td> </tr> <tr> <td>Build</td> <td>Maven</td> </tr> </tbody> </table></div> <p>One language. One build tool. One deployable artifact.</p> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/main/java/org/reos/money/ ├── model/ # Domain POJOs ├── resource/ # REST + UI endpoints (JAX-RS) └── service/ # Business logic + DynamoDB access src/main/resources/ ├── templates/ # Qute HTML templates ├── META-INF/resources/css/ # Static CSS └── application.properties </code></pre> </div> <p>The key insight: <strong>UI endpoints and API endpoints live side by side</strong> in the same Quarkus app. No separate front-end project.</p> <h2> Step 1: Add the Dependencies </h2> <p>You only need one extra dependency beyond the standard Quarkus REST setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="c">&lt;!-- Qute templating with REST integration --&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.quarkus<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>quarkus-rest-qute<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>That's it. Qute ships with Quarkus — <code>quarkus-rest-qute</code> just wires it into your JAX-RS resources so you can return <code>TemplateInstance</code> from your endpoints.</p> <h2> Step 2: Define Your Model </h2> <p>A plain Java class. No JPA annotations, no ORM magic — just fields and a factory method to map from DynamoDB's <code>AttributeValue</code> maps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RegisterForReflection</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Entry</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">id</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">Long</span> <span class="n">timestamp</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">String</span> <span class="n">accountID</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">String</span> <span class="n">description</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">String</span> <span class="n">category</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">BigDecimal</span> <span class="n">amount</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">BigDecimal</span> <span class="n">balance</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">String</span> <span class="n">date</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">Entry</span><span class="o">()</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">id</span> <span class="o">=</span> <span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">();</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">Entry</span> <span class="nf">from</span><span class="o">(</span><span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">AttributeValue</span><span class="o">&gt;</span> <span class="n">item</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Entry</span> <span class="n">entry</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Entry</span><span class="o">();</span> <span class="n">entry</span><span class="o">.</span><span class="na">id</span> <span class="o">=</span> <span class="n">item</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"id"</span><span class="o">).</span><span class="na">s</span><span class="o">();</span> <span class="n">entry</span><span class="o">.</span><span class="na">setAccountID</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"accountID"</span><span class="o">).</span><span class="na">s</span><span class="o">());</span> <span class="n">entry</span><span class="o">.</span><span class="na">setDescription</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"description"</span><span class="o">).</span><span class="na">s</span><span class="o">());</span> <span class="n">entry</span><span class="o">.</span><span class="na">setAmount</span><span class="o">(</span><span class="k">new</span> <span class="nc">BigDecimal</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"amount"</span><span class="o">).</span><span class="na">n</span><span class="o">()));</span> <span class="n">entry</span><span class="o">.</span><span class="na">setBalance</span><span class="o">(</span><span class="k">new</span> <span class="nc">BigDecimal</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"balance"</span><span class="o">).</span><span class="na">n</span><span class="o">()));</span> <span class="n">entry</span><span class="o">.</span><span class="na">setDate</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"date"</span><span class="o">).</span><span class="na">s</span><span class="o">());</span> <span class="n">entry</span><span class="o">.</span><span class="na">setTimestamp</span><span class="o">(</span><span class="nc">Long</span><span class="o">.</span><span class="na">parseLong</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"timestamp"</span><span class="o">).</span><span class="na">n</span><span class="o">()));</span> <span class="n">entry</span><span class="o">.</span><span class="na">setCategory</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"category"</span><span class="o">).</span><span class="na">s</span><span class="o">());</span> <span class="k">return</span> <span class="n">entry</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// getters and setters...</span> <span class="o">}</span> </code></pre> </div> <p><code>@RegisterForReflection</code> is there for Quarkus native compilation support. The <code>from()</code> static factory keeps DynamoDB mapping logic close to the model.</p> <h2> Step 3: Build the Service Layer </h2> <p>The service layer handles all DynamoDB operations. A base class encapsulates the repetitive request-building:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">AbstractService</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">ENTRY_ID_COL</span> <span class="o">=</span> <span class="s">"id"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">ENTRY_ACCOUNTID_COL</span> <span class="o">=</span> <span class="s">"accountID"</span><span class="o">;</span> <span class="c1">// ... other column constants</span> <span class="nd">@ConfigProperty</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"dynamodb.table.account.data"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">tableName</span><span class="o">;</span> <span class="kd">protected</span> <span class="nc">ScanRequest</span> <span class="nf">scanRequest</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">ScanRequest</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">tableName</span><span class="o">(</span><span class="n">tableName</span><span class="o">)</span> <span class="o">.</span><span class="na">attributesToGet</span><span class="o">(</span><span class="no">ENTRY_ID_COL</span><span class="o">,</span> <span class="no">ENTRY_ACCOUNTID_COL</span><span class="o">,</span> <span class="cm">/* ... */</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="kd">protected</span> <span class="nc">PutItemRequest</span> <span class="nf">putRequest</span><span class="o">(</span><span class="nc">Entry</span> <span class="n">entry</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">AttributeValue</span><span class="o">&gt;</span> <span class="n">item</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="n">item</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="no">ENTRY_ID_COL</span><span class="o">,</span> <span class="nc">AttributeValue</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">s</span><span class="o">(</span><span class="n">entry</span><span class="o">.</span><span class="na">getId</span><span class="o">()).</span><span class="na">build</span><span class="o">());</span> <span class="n">item</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="no">ENTRY_AMOUNT_COL</span><span class="o">,</span> <span class="nc">AttributeValue</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">n</span><span class="o">(</span><span class="n">entry</span><span class="o">.</span><span class="na">getAmount</span><span class="o">().</span><span class="na">toString</span><span class="o">()).</span><span class="na">build</span><span class="o">());</span> <span class="c1">// ... map all fields</span> <span class="k">return</span> <span class="nc">PutItemRequest</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">tableName</span><span class="o">(</span><span class="n">tableName</span><span class="o">).</span><span class="na">item</span><span class="o">(</span><span class="n">item</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="kd">protected</span> <span class="nc">DeleteItemRequest</span> <span class="nf">deleteRequest</span><span class="o">(</span><span class="nc">String</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">DeleteItemRequest</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">tableName</span><span class="o">(</span><span class="n">tableName</span><span class="o">)</span> <span class="o">.</span><span class="na">key</span><span class="o">(</span><span class="nc">Map</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="no">ENTRY_ID_COL</span><span class="o">,</span> <span class="nc">AttributeValue</span><span class="o">.</span><span class="na">builder</span><span class="o">().</span><span class="na">s</span><span class="o">(</span><span class="n">id</span><span class="o">).</span><span class="na">build</span><span class="o">()))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Then the concrete service adds business logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@ApplicationScoped</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">EntryService</span> <span class="kd">extends</span> <span class="nc">AbstractService</span> <span class="o">{</span> <span class="nd">@Inject</span> <span class="nc">DynamoDbClient</span> <span class="n">dynamoDB</span><span class="o">;</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Entry</span><span class="o">&gt;</span> <span class="nf">findAll</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">dynamoDB</span><span class="o">.</span><span class="na">scan</span><span class="o">(</span><span class="n">scanRequest</span><span class="o">()).</span><span class="na">items</span><span class="o">().</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="nl">Entry:</span><span class="o">:</span><span class="n">from</span><span class="o">)</span> <span class="o">.</span><span class="na">sorted</span><span class="o">(</span><span class="nc">Comparator</span><span class="o">.</span><span class="na">comparing</span><span class="o">(</span><span class="nl">Entry:</span><span class="o">:</span><span class="n">getTimestamp</span><span class="o">))</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toList</span><span class="o">());</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">Entry</span> <span class="nf">addEntry</span><span class="o">(</span><span class="nc">Entry</span> <span class="n">entry</span><span class="o">)</span> <span class="o">{</span> <span class="n">dynamoDB</span><span class="o">.</span><span class="na">putItem</span><span class="o">(</span><span class="n">putRequest</span><span class="o">(</span><span class="n">entry</span><span class="o">));</span> <span class="k">return</span> <span class="n">entry</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Entry</span><span class="o">&gt;</span> <span class="nf">findByFilters</span><span class="o">(</span><span class="nc">String</span> <span class="n">accountID</span><span class="o">,</span> <span class="nc">String</span> <span class="n">category</span><span class="o">,</span> <span class="nc">Long</span> <span class="n">startDate</span><span class="o">,</span> <span class="nc">Long</span> <span class="n">endDate</span><span class="o">,</span> <span class="nc">String</span> <span class="n">sortOrder</span><span class="o">,</span> <span class="nc">String</span> <span class="n">excludeCategories</span><span class="o">,</span> <span class="nc">String</span> <span class="n">description</span><span class="o">)</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Entry</span><span class="o">&gt;</span> <span class="n">entries</span> <span class="o">=</span> <span class="n">findAll</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">accountID</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="n">entries</span> <span class="o">=</span> <span class="n">entries</span><span class="o">.</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">e</span> <span class="o">-&gt;</span> <span class="n">accountID</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getAccountID</span><span class="o">()))</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toList</span><span class="o">());</span> <span class="k">if</span> <span class="o">(</span><span class="n">category</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="n">entries</span> <span class="o">=</span> <span class="n">entries</span><span class="o">.</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">e</span> <span class="o">-&gt;</span> <span class="n">category</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getCategory</span><span class="o">()))</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toList</span><span class="o">());</span> <span class="c1">// ... date range, exclude, description filters</span> <span class="k">if</span> <span class="o">(</span><span class="s">"desc"</span><span class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">sortOrder</span><span class="o">))</span> <span class="n">entries</span><span class="o">.</span><span class="na">sort</span><span class="o">(</span><span class="nc">Comparator</span><span class="o">.</span><span class="na">comparing</span><span class="o">(</span><span class="nl">Entry:</span><span class="o">:</span><span class="n">getTimestamp</span><span class="o">).</span><span class="na">reversed</span><span class="o">());</span> <span class="k">else</span> <span class="n">entries</span><span class="o">.</span><span class="na">sort</span><span class="o">(</span><span class="nc">Comparator</span><span class="o">.</span><span class="na">comparing</span><span class="o">(</span><span class="nl">Entry:</span><span class="o">:</span><span class="n">getTimestamp</span><span class="o">));</span> <span class="k">return</span> <span class="n">entries</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// replaceCategory, deleteAccount, recalculateBalances, etc.</span> <span class="o">}</span> </code></pre> </div> <p>No Spring Data, no Hibernate — just the AWS SDK DynamoDB client injected by Quarkus.</p> <h2> Step 4: The UI Resource — Where the Magic Happens </h2> <p>This is the core pattern. Instead of returning JSON, your endpoint returns a <code>TemplateInstance</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Path</span><span class="o">(</span><span class="s">"/ui"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ExpenseUIResource</span> <span class="o">{</span> <span class="nd">@Inject</span> <span class="nc">Template</span> <span class="n">dashboard</span><span class="o">;</span> <span class="c1">// Matches templates/dashboard.html</span> <span class="nd">@Inject</span> <span class="nc">EntryService</span> <span class="n">entryService</span><span class="o">;</span> <span class="nd">@GET</span> <span class="nd">@Produces</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">TEXT_HTML</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">TemplateInstance</span> <span class="nf">getDashboard</span><span class="o">(</span> <span class="nd">@QueryParam</span><span class="o">(</span><span class="s">"account"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">account</span><span class="o">,</span> <span class="nd">@QueryParam</span><span class="o">(</span><span class="s">"category"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">category</span><span class="o">,</span> <span class="nd">@QueryParam</span><span class="o">(</span><span class="s">"startDate"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">startDate</span><span class="o">,</span> <span class="nd">@QueryParam</span><span class="o">(</span><span class="s">"endDate"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">endDate</span><span class="o">,</span> <span class="nd">@QueryParam</span><span class="o">(</span><span class="s">"sortOrder"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">sortOrder</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="c1">// Parse dates, apply filters...</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Entry</span><span class="o">&gt;</span> <span class="n">entries</span> <span class="o">=</span> <span class="n">entryService</span><span class="o">.</span><span class="na">findByFilters</span><span class="o">(</span> <span class="n">account</span><span class="o">,</span> <span class="n">category</span><span class="o">,</span> <span class="n">start</span><span class="o">,</span> <span class="n">end</span><span class="o">,</span> <span class="n">order</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="k">return</span> <span class="n">dashboard</span> <span class="o">.</span><span class="na">data</span><span class="o">(</span><span class="s">"entries"</span><span class="o">,</span> <span class="n">entries</span><span class="o">)</span> <span class="o">.</span><span class="na">data</span><span class="o">(</span><span class="s">"accounts"</span><span class="o">,</span> <span class="n">entryService</span><span class="o">.</span><span class="na">listAccounts</span><span class="o">())</span> <span class="o">.</span><span class="na">data</span><span class="o">(</span><span class="s">"categories"</span><span class="o">,</span> <span class="n">entryService</span><span class="o">.</span><span class="na">listCategories</span><span class="o">())</span> <span class="o">.</span><span class="na">data</span><span class="o">(</span><span class="s">"selectedAccount"</span><span class="o">,</span> <span class="n">account</span><span class="o">)</span> <span class="o">.</span><span class="na">data</span><span class="o">(</span><span class="s">"selectedCategory"</span><span class="o">,</span> <span class="n">category</span><span class="o">)</span> <span class="o">.</span><span class="na">data</span><span class="o">(</span><span class="s">"sortOrder"</span><span class="o">,</span> <span class="n">order</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>When you <code>@Inject Template dashboard</code>, Quarkus automatically looks for <code>src/main/resources/templates/dashboard.html</code>. You pass data with <code>.data("key", value)</code> and Qute renders it server-side. The browser gets plain HTML.</p> <h3> Handling Form Submissions </h3> <p>Forms use standard HTML <code>&lt;form&gt;</code> posts — no <code>fetch()</code>, no JSON serialization:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@POST</span> <span class="nd">@Path</span><span class="o">(</span><span class="s">"/entry"</span><span class="o">)</span> <span class="nd">@Consumes</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">APPLICATION_FORM_URLENCODED</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">Response</span> <span class="nf">addEntry</span><span class="o">(</span> <span class="nd">@FormParam</span><span class="o">(</span><span class="s">"accountID"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">accountID</span><span class="o">,</span> <span class="nd">@FormParam</span><span class="o">(</span><span class="s">"description"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">description</span><span class="o">,</span> <span class="nd">@FormParam</span><span class="o">(</span><span class="s">"category"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">category</span><span class="o">,</span> <span class="nd">@FormParam</span><span class="o">(</span><span class="s">"amount"</span><span class="o">)</span> <span class="nc">BigDecimal</span> <span class="n">amount</span><span class="o">,</span> <span class="nd">@FormParam</span><span class="o">(</span><span class="s">"date"</span><span class="o">)</span> <span class="nc">String</span> <span class="n">date</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">Entry</span> <span class="n">entry</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Entry</span><span class="o">();</span> <span class="n">entry</span><span class="o">.</span><span class="na">setAccountID</span><span class="o">(</span><span class="n">accountID</span><span class="o">);</span> <span class="n">entry</span><span class="o">.</span><span class="na">setDescription</span><span class="o">(</span><span class="n">description</span><span class="o">);</span> <span class="n">entry</span><span class="o">.</span><span class="na">setCategory</span><span class="o">(</span><span class="n">category</span><span class="o">);</span> <span class="n">entry</span><span class="o">.</span><span class="na">setAmount</span><span class="o">(</span><span class="n">amount</span><span class="o">);</span> <span class="n">entry</span><span class="o">.</span><span class="na">setDate</span><span class="o">(</span><span class="n">date</span><span class="o">);</span> <span class="n">entryService</span><span class="o">.</span><span class="na">addEntry</span><span class="o">(</span><span class="n">entry</span><span class="o">);</span> <span class="c1">// Post-Redirect-Get pattern</span> <span class="k">return</span> <span class="nc">Response</span><span class="o">.</span><span class="na">seeOther</span><span class="o">(</span><span class="no">URI</span><span class="o">.</span><span class="na">create</span><span class="o">(</span><span class="s">"/ui"</span><span class="o">)).</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>The <strong>Post-Redirect-Get</strong> pattern prevents duplicate submissions on refresh. The browser submits a form, the server processes it, then redirects back to the dashboard. Classic web development — and it works perfectly.</p> <h2> Step 5: Qute Templates — Your View Layer </h2> <p>Qute templates look like HTML with simple expressions. Here's a simplified version of the dashboard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1.0"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>re:Money Dashboard<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"/css/app.css"</span><span class="nt">&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- Filter form — plain HTML, no framework --&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"get"</span> <span class="na">class=</span><span class="s">"filters"</span><span class="nt">&gt;</span> <span class="nt">&lt;select</span> <span class="na">name=</span><span class="s">"account"</span> <span class="na">onchange=</span><span class="s">"this.form.submit()"</span><span class="nt">&gt;</span> <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">""</span><span class="nt">&gt;</span>All Accounts<span class="nt">&lt;/option&gt;</span> {#for account in accounts} <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">"{account}"</span> <span class="err">{</span><span class="na">#if</span> <span class="na">selectedAccount =</span><span class="s">=</span> <span class="na">account</span><span class="err">}</span><span class="na">selected</span><span class="err">{/</span><span class="na">if</span><span class="err">}</span><span class="nt">&gt;</span> {account} <span class="nt">&lt;/option&gt;</span> {/for} <span class="nt">&lt;/select&gt;</span> <span class="nt">&lt;select</span> <span class="na">name=</span><span class="s">"category"</span> <span class="na">onchange=</span><span class="s">"this.form.submit()"</span><span class="nt">&gt;</span> <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">""</span><span class="nt">&gt;</span>All Categories<span class="nt">&lt;/option&gt;</span> {#for category in categories} <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">"{category}"</span> <span class="err">{</span><span class="na">#if</span> <span class="na">selectedCategory =</span><span class="s">=</span> <span class="na">category</span><span class="err">}</span><span class="na">selected</span><span class="err">{/</span><span class="na">if</span><span class="err">}</span><span class="nt">&gt;</span> {category} <span class="nt">&lt;/option&gt;</span> {/for} <span class="nt">&lt;/select&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"datetime-local"</span> <span class="na">name=</span><span class="s">"startDate"</span> <span class="na">value=</span><span class="s">"{selectedStartDate ?: ''}"</span> <span class="na">onchange=</span><span class="s">"this.form.submit()"</span><span class="nt">&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="c">&lt;!-- Data table --&gt;</span> <span class="nt">&lt;table&gt;</span> <span class="nt">&lt;thead&gt;</span> <span class="nt">&lt;tr&gt;</span> <span class="nt">&lt;th&gt;</span>Date<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;th&gt;</span>Description<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;th&gt;</span>Account<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;th&gt;</span>Category<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;th&gt;</span>Amount<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;/tr&gt;</span> <span class="nt">&lt;/thead&gt;</span> <span class="nt">&lt;tbody&gt;</span> {#for entry in entries} <span class="nt">&lt;tr&gt;</span> <span class="nt">&lt;td&gt;</span>{entry.date}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;</span>{entry.description}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;</span>{entry.accountID}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;</span>{entry.category}<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td</span> <span class="na">class=</span><span class="s">"{#if entry.amount &lt; 0}negative{#else}positive{/if}"</span><span class="nt">&gt;</span> ${entry.amount} <span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;/tr&gt;</span> {/for} <span class="nt">&lt;/tbody&gt;</span> <span class="nt">&lt;/table&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>Key Qute features used here:</p> <ul> <li> <strong><code>{#for ... in ...}</code></strong> — loops over collections</li> <li> <strong><code>{#if ...}</code></strong> — conditional rendering</li> <li> <strong><code>{expression ?: 'default'}</code></strong> — elvis operator for defaults</li> <li> <strong><code>{entry.amount}</code></strong> — direct property access on Java objects</li> </ul> <p>The <code>onchange="this.form.submit()"</code> on the selects gives you instant filtering without any JavaScript framework. The browser submits the form as a GET request, the server re-renders the page with filtered data. Simple.</p> <h2> Step 6: Adding Interactivity with Vanilla JS </h2> <p>You don't need React for modals, inline editing, or dynamic filters. Here's how re:Money handles it:</p> <h3> Modal for Adding/Editing Entries </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"entryModal"</span> <span class="na">class=</span><span class="s">"modal"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"modal-content"</span><span class="nt">&gt;</span> <span class="nt">&lt;h2</span> <span class="na">id=</span><span class="s">"modalTitle"</span><span class="nt">&gt;</span>Add New Entry<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">action=</span><span class="s">"/ui/entry"</span> <span class="na">id=</span><span class="s">"entryForm"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"description"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"number"</span> <span class="na">name=</span><span class="s">"amount"</span> <span class="na">step=</span><span class="s">"0.01"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"datetime-local"</span> <span class="na">name=</span><span class="s">"date"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Add Entry<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nf">openModal</span><span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">entryModal</span><span class="dl">'</span><span class="p">).</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">editEntry</span><span class="p">(</span><span class="nx">id</span><span class="p">,</span> <span class="nx">accountID</span><span class="p">,</span> <span class="nx">description</span><span class="p">,</span> <span class="nx">category</span><span class="p">,</span> <span class="nx">amount</span><span class="p">,</span> <span class="nx">date</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">modalTitle</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Edit Entry</span><span class="dl">'</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">entryForm</span><span class="dl">'</span><span class="p">).</span><span class="nx">action</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/ui/entry/</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">id</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">/update</span><span class="dl">'</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">descriptionUI</span><span class="dl">'</span><span class="p">).</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">description</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">amountUI</span><span class="dl">'</span><span class="p">).</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">amount</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">dateUI</span><span class="dl">'</span><span class="p">).</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">date</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">entryModal</span><span class="dl">'</span><span class="p">).</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>The modal is pure CSS (<code>.modal.active { display: flex; }</code>). The form posts to the server. No state management library needed.</p> <h3> Inline Category Editing </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;td&gt;</span> <span class="nt">&lt;span</span> <span class="na">class=</span><span class="s">"category-display"</span> <span class="na">id=</span><span class="s">"category-display-{entry.id}"</span><span class="nt">&gt;</span> {entry.category} <span class="nt">&lt;/span&gt;</span> <span class="nt">&lt;select</span> <span class="na">class=</span><span class="s">"category-edit"</span> <span class="na">id=</span><span class="s">"category-edit-{entry.id}"</span> <span class="na">style=</span><span class="s">"display: none;"</span> <span class="na">onchange=</span><span class="s">"updateCategory('{entry.id}', this.value)"</span><span class="nt">&gt;</span> {#for cat in categories} <span class="nt">&lt;option</span> <span class="na">value=</span><span class="s">"{cat}"</span> <span class="err">{</span><span class="na">#if</span> <span class="na">entry.category =</span><span class="s">=</span> <span class="na">cat</span><span class="err">}</span><span class="na">selected</span><span class="err">{/</span><span class="na">if</span><span class="err">}</span><span class="nt">&gt;</span> {cat} <span class="nt">&lt;/option&gt;</span> {/for} <span class="nt">&lt;/select&gt;</span> <span class="nt">&lt;button</span> <span class="na">onclick=</span><span class="s">"toggleCategoryEdit('{entry.id}')"</span><span class="nt">&gt;</span>✏️<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/td&gt;</span> </code></pre> </div> <p>Click the pencil, the span hides, the select shows. Pick a new category, a small <code>fetch()</code> call updates it server-side. This is the <em>only</em> place we use <code>fetch()</code> — for a better UX on a single field update. Everything else is plain form submissions.</p> <h2> Step 7: DynamoDB Setup </h2> <p>Create the table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws dynamodb create-table <span class="se">\</span> <span class="nt">--table-name</span> entry <span class="se">\</span> <span class="nt">--attribute-definitions</span> <span class="nv">AttributeName</span><span class="o">=</span><span class="nb">id</span>,AttributeType<span class="o">=</span>S <span class="se">\</span> <span class="nt">--key-schema</span> <span class="nv">AttributeName</span><span class="o">=</span><span class="nb">id</span>,KeyType<span class="o">=</span>HASH <span class="se">\</span> <span class="nt">--billing-mode</span> PAY_PER_REQUEST <span class="se">\</span> <span class="nt">--region</span> us-east-1 </code></pre> </div> <p>For local development, add <code>--endpoint-url http://localhost:8000</code> and configure Quarkus:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">%</span><span class="py">dev.quarkus.dynamodb.endpoint-override</span><span class="p">=</span><span class="s">http://localhost:8000</span> <span class="py">dynamodb.table.account.data</span><span class="p">=</span><span class="s">entry</span> </code></pre> </div> <p>The <code>%dev.</code> prefix means this config only applies in dev mode. In production, Quarkus uses your default AWS credentials.</p> <h2> Step 8: Run It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./mvnw compile quarkus:dev </code></pre> </div> <p>Open <code>http://localhost:8080/ui</code> and you have a full working app. Quarkus dev mode gives you:</p> <ul> <li> <strong>Live reload</strong> — edit a Java file or a template, save, refresh the browser</li> <li> <strong>Dev UI</strong> at <code>/q/dev/</code> — inspect beans, config, endpoints</li> <li> <strong>Zero restart</strong> — changes apply instantly</li> </ul> <h2> The Result </h2> <p>With this approach, re:Money has:</p> <ul> <li>📊 <strong>Dashboard</strong> with multi-criteria filtering and sorting</li> <li>➕ <strong>Add/Edit/Delete</strong> entries via modal forms</li> <li>🗂️ <strong>Category management</strong> — rename, delete, inline edit</li> <li>🏦 <strong>Account management</strong> — rename, delete, recalculate balances</li> <li>📈 <strong>Pivot tables</strong> — cross-account category analysis</li> <li>📁 <strong>CSV import</strong> — bulk data loading</li> <li>💬 <strong>Chat interface</strong> — natural language queries (via Bedrock)</li> </ul> <p>All in a single Quarkus application. No <code>npm install</code>. No <code>package.json</code>. No webpack config. No CORS issues. No separate deployment for the front-end.</p> <h2> When Should You Use This Approach? </h2> <p>✅ <strong>Good fit:</strong></p> <ul> <li>Internal tools and admin panels</li> <li>Personal projects and prototypes</li> <li>CRUD-heavy applications</li> <li>Small team projects where everyone knows Java</li> <li>Apps where SEO matters (server-rendered HTML)</li> </ul> <p>❌ <strong>Consider a SPA when:</strong></p> <ul> <li>You need rich real-time interactivity (collaborative editing, drag-and-drop)</li> <li>Your front-end team is specialized in JavaScript/TypeScript</li> <li>You're building a complex single-page experience with heavy client-side state</li> </ul> <h2> Key Takeaways </h2> <ol> <li><p><strong>Qute is underrated.</strong> It's type-safe, fast, and integrates seamlessly with Quarkus CDI. Just <code>@Inject Template myPage</code> and you're rendering HTML.</p></li> <li><p><strong>HTML forms still work.</strong> The Post-Redirect-Get pattern handles 90% of CRUD interactions without any JavaScript.</p></li> <li><p><strong>Vanilla JS is enough.</strong> Modals, toggles, inline edits — you don't need 200KB of framework for this.</p></li> <li><p><strong>One deployable artifact.</strong> Your UI, API, and business logic ship as a single JAR. Deploy it anywhere Java runs.</p></li> <li><p><strong>DynamoDB + Quarkus is a clean combo.</strong> The Quarkiverse extension handles client configuration. You write <code>putItem</code> / <code>scan</code> / <code>deleteItem</code> and move on.</p></li> </ol> <p>The web platform is more capable than we give it credit for. Sometimes the best front-end framework is no framework at all.</p> <h2> Get re:Money </h2> <p>Want to try it yourself or use it as a starting point for your own project?</p> <ul> <li>📖 <a href="https://builder.aws.com/content/37adLQq1qXgQRVXa0LZQlRGV9t4/remoney-personal-financial-management-re-imagined-with-ai" rel="noopener noreferrer">re:Money — Personal Financial Management Re-imagined with AI</a> — full project overview on AWS Community</li> <li>💻 <a href="https://github.com/vsenger/reos-money" rel="noopener noreferrer">Source code on GitHub</a> </li> </ul> <p>Clone it, run <code>./mvnw compile quarkus:dev</code>, and you're up in seconds.</p> java quarkus fullstack aws Building Your Own AI-Powered StreamDeck with re:Button Vinicius Senger Sat, 28 Feb 2026 04:42:39 +0000 https://dev.to/vsenger/building-your-own-ai-powered-streamdeck-with-rebutton-4ol5 https://dev.to/vsenger/building-your-own-ai-powered-streamdeck-with-rebutton-4ol5 <h2> Physical Computing Meets AI! </h2> <p>Imagine creating your own keyboard but instead of regular keys, it triggers smart shortcuts in your computer that helps you to operate your life. That's the <strong>re:Button</strong> project: it transforms any physical MIDI controllers into intelligent command centers for your digital life, similar to StreamDeck, but open-source, DIY and much more simple and powerful.</p> <p> <iframe src="https://www.youtube.com/embed/03QHMr9Wwr4"> </iframe> </p> <p>In this post I will show how I built my own re:Button "StreamDeck" device using a <a href="https://www.amazon.com/dp/B07H6BVHSV?ref=ppx_yo2ov_dt_b_fed_asin_title" rel="noopener noreferrer">Presonus ATOM (US$ 136)</a> but you can use any other MIDI device, including a regular musical keyboard.</p> <h2> AWS DeepComposer Compatible </h2> <p>If you own a DeepComposer keyboard you can convert it TODAY in a re:Button device and creating a cool StreamDeck device with it! Just need to change the key codes...</p> <h2> What You Can Do with re:Button </h2> <p>Here are some real examples from my setup:</p> <ul> <li> <strong>Press a button</strong> to hear your bank balance via text-to-speech</li> <li> <strong>Turn a knob</strong> to control system volume</li> <li> <strong>Launch projects</strong> in Kiro with dedicated buttons for each workspace</li> <li> <strong>Control Spotify</strong> (play, pause, next track) without leaving your keyboard</li> <li> <strong>Trigger workflows</strong> like taking a photo, checking calendar, or sending MQTT commands to smart home devices</li> <li> <strong>Type common responses</strong> ("yes", "no", "thanks") with a single button press</li> </ul> <p>The possibilities are endless because you can map any button to any shell command, AppleScript, or Python script.</p> <p>Check the running demo in this video:</p> <h2> Step-by-Step: Building Your re:Button </h2> <h3> 1. Get Your MIDI Controller </h3> <p>I chose the <strong>Presonus ATOM</strong> because it has:</p> <ul> <li>16 velocity-sensitive pads</li> <li>8 knobs for continuous control</li> <li>20 additional buttons</li> <li>USB connectivity (no drivers needed)</li> <li>Solid build quality</li> </ul> <p>But you can use <strong>any MIDI controller</strong>: a $30 USB keyboard, a DJ controller, or even build your own with Arduino.</p> <h3> 2. Plug in the USB Device </h3> <p>Connect your MIDI controller via USB. On macOS and Linux, it should work immediately. On Windows, you might need to install drivers (check your device manufacturer's website).</p> <p>To verify it's working, you can list MIDI devices:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">-c</span> <span class="s2">"import mido; print(mido.get_input_names())"</span> </code></pre> </div> <p>You should see your device listed.</p> <h3> 3. Using Kiro CLI to Create the First App </h3> <p>I used <a href="https://kiro.dev" rel="noopener noreferrer">Kiro CLI</a>, an AI-powered development assistant, to help build the initial version. Here's how:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kiro-cli chat </code></pre> </div> <p>Then I asked:</p> <blockquote> <p>"Help me create a Python script that listens to MIDI input and publishes the events to MQTT. I want to see the note number, velocity, and event type for each button press."</p> </blockquote> <p>Kiro generated the first version of <code>rebutton-mqtt.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="kn">import</span> <span class="n">mido</span> <span class="kn">import</span> <span class="n">paho.mqtt.client</span> <span class="k">as</span> <span class="n">mqtt</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">MQTT_BROKER</span> <span class="o">=</span> <span class="sh">"</span><span class="s">localhost</span><span class="sh">"</span> <span class="n">MQTT_PORT</span> <span class="o">=</span> <span class="mi">1883</span> <span class="n">MQTT_TOPIC</span> <span class="o">=</span> <span class="sh">"</span><span class="s">reos/key/atom</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">on_connect</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="n">userdata</span><span class="p">,</span> <span class="n">flags</span><span class="p">,</span> <span class="n">rc</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Connected to MQTT broker: </span><span class="si">{</span><span class="n">rc</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">client</span> <span class="o">=</span> <span class="n">mqtt</span><span class="p">.</span><span class="nc">Client</span><span class="p">()</span> <span class="n">client</span><span class="p">.</span><span class="n">on_connect</span> <span class="o">=</span> <span class="n">on_connect</span> <span class="n">client</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="n">MQTT_BROKER</span><span class="p">,</span> <span class="n">MQTT_PORT</span><span class="p">)</span> <span class="n">client</span><span class="p">.</span><span class="nf">loop_start</span><span class="p">()</span> <span class="n">midi_port</span> <span class="o">=</span> <span class="n">mido</span><span class="p">.</span><span class="nf">open_input</span><span class="p">(</span><span class="n">mido</span><span class="p">.</span><span class="nf">get_input_names</span><span class="p">()[</span><span class="mi">0</span><span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Listening on </span><span class="si">{</span><span class="n">midi_port</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">msg</span> <span class="ow">in</span> <span class="n">midi_port</span><span class="p">:</span> <span class="k">if</span> <span class="n">msg</span><span class="p">.</span><span class="nb">type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">aftertouch</span><span class="sh">"</span> <span class="ow">or</span> <span class="n">msg</span><span class="p">.</span><span class="nb">type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">polytouch</span><span class="sh">"</span><span class="p">:</span> <span class="k">continue</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="n">msg</span><span class="p">.</span><span class="nb">type</span><span class="p">,</span> <span class="sh">"</span><span class="s">note</span><span class="sh">"</span><span class="p">:</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="sh">'</span><span class="s">note</span><span class="sh">'</span><span class="p">,</span> <span class="bp">None</span><span class="p">),</span> <span class="sh">"</span><span class="s">velocity</span><span class="sh">"</span><span class="p">:</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="sh">'</span><span class="s">velocity</span><span class="sh">'</span><span class="p">,</span> <span class="bp">None</span><span class="p">),</span> <span class="sh">"</span><span class="s">control</span><span class="sh">"</span><span class="p">:</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="sh">'</span><span class="s">control</span><span class="sh">'</span><span class="p">,</span> <span class="bp">None</span><span class="p">),</span> <span class="sh">"</span><span class="s">value</span><span class="sh">"</span><span class="p">:</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="p">})</span> <span class="n">client</span><span class="p">.</span><span class="nf">publish</span><span class="p">(</span><span class="n">MQTT_TOPIC</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Sent: </span><span class="si">{</span><span class="n">payload</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 4. The MQTT Version Came First </h3> <p>Why MQTT? It gave me two benefits:</p> <ol> <li> <strong>Discovery</strong>: I could see exactly what MIDI events my controller was sending</li> <li> <strong>Integration</strong>: I could trigger actions from other systems (Node-RED, Home Assistant, etc.)</li> </ol> <p>Running this script, I pressed each button and noted the MIDI note numbers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{"type": "note_on", "note": 96, "velocity": 127} {"type": "control_change", "control": 14, "value": 64} </code></pre> </div> <p>This told me that pad #1 sends note 96, and knob #1 sends control change 14.</p> <h3> 5. Mapping Buttons and Actions with a Markdown File </h3> <p>Instead of hardcoding mappings in Python, I created a simple markdown configuration file: <code>rebutton-config.md</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># re:button Config</span> <span class="gu">## Quick Responses</span> <span class="p">-</span> 109[control_change]=osascript -e 'tell application "System Events" to keystroke "y"' <span class="p">-</span> 107[control_change]=osascript -e 'tell application "System Events" to keystroke "n"' <span class="gu">## System Control</span> <span class="p">-</span> 14[control_change]=osascript -e "set volume output volume $value" <span class="gu">## Launch Apps</span> <span class="p">-</span> 96[note_on]=/Applications/Kiro.app/Contents/MacOS/Electron /Users/vsenger/code/renascence/reos-core <span class="p">-</span> 97[note_on]=/Applications/Kiro.app/Contents/MacOS/Electron /Users/vsenger/code/renascence/reos-money <span class="p">-</span> 92[note_on]=open -a "Microsoft PowerPoint" <span class="p">-</span> 93[note_on]=open -a Firefox <span class="gu">## Media Control</span> <span class="p">-</span> 86[note_on]=open -a Spotify &amp;&amp; osascript -e 'tell application "Spotify" to play' <span class="p">-</span> 87[note_on]=open -a Spotify &amp;&amp; osascript -e 'tell application "Spotify" to pause' <span class="gu">## Smart Shortcuts</span> <span class="p">-</span> 112[note_on]=balance=$(curl -s http://localhost:8080/entryResource/balance/BofA | jq -r '.balance'); python3 text_to_speech.py "Your balance is $balance" </code></pre> </div> <p>The format is simple: <code>note_number[event_type]=command</code></p> <p>Variables like <code>$value</code> and <code>$velocity</code> get replaced with actual MIDI values.</p> <h3> 6. The Main Script: rebutton.py </h3> <p>Again, I used Kiro to generate the parser and executor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="kn">import</span> <span class="n">mido</span> <span class="kn">import</span> <span class="n">re</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">parse_config</span><span class="p">(</span><span class="n">filename</span><span class="p">):</span> <span class="n">config</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">filename</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">f</span><span class="p">:</span> <span class="n">match</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">^-\s*(\d+)\[(\w+)\]=(.+)$</span><span class="sh">'</span><span class="p">,</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">())</span> <span class="k">if</span> <span class="n">match</span><span class="p">:</span> <span class="n">note</span><span class="p">,</span> <span class="n">event_type</span><span class="p">,</span> <span class="n">command</span> <span class="o">=</span> <span class="n">match</span><span class="p">.</span><span class="nf">groups</span><span class="p">()</span> <span class="n">config</span><span class="p">[(</span><span class="nf">int</span><span class="p">(</span><span class="n">note</span><span class="p">),</span> <span class="n">event_type</span><span class="p">)]</span> <span class="o">=</span> <span class="n">command</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">return</span> <span class="n">config</span> <span class="n">config</span> <span class="o">=</span> <span class="nf">parse_config</span><span class="p">(</span><span class="sh">"</span><span class="s">rebutton-config.md</span><span class="sh">"</span><span class="p">)</span> <span class="n">midi_port</span> <span class="o">=</span> <span class="n">mido</span><span class="p">.</span><span class="nf">open_input</span><span class="p">(</span><span class="n">mido</span><span class="p">.</span><span class="nf">get_input_names</span><span class="p">()[</span><span class="mi">0</span><span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Listening on </span><span class="si">{</span><span class="n">midi_port</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">msg</span> <span class="ow">in</span> <span class="n">midi_port</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="p">(</span><span class="nf">getattr</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="sh">'</span><span class="s">note</span><span class="sh">'</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="ow">or</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="sh">'</span><span class="s">control</span><span class="sh">'</span><span class="p">,</span> <span class="bp">None</span><span class="p">),</span> <span class="n">msg</span><span class="p">.</span><span class="nb">type</span><span class="p">)</span> <span class="k">if</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">config</span> <span class="ow">and</span> <span class="n">config</span><span class="p">[</span><span class="n">key</span><span class="p">]:</span> <span class="n">command</span> <span class="o">=</span> <span class="n">config</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="n">command</span> <span class="o">=</span> <span class="n">command</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">$value</span><span class="sh">'</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="nf">getattr</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)))</span> <span class="n">command</span> <span class="o">=</span> <span class="n">command</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">$velocity</span><span class="sh">'</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="nf">getattr</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="sh">'</span><span class="s">velocity</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)))</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Executing: </span><span class="si">{</span><span class="n">command</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">subprocess</span><span class="p">.</span><span class="nc">Popen</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <p>That's it! Less than 30 lines of Python.</p> <h3> 7. Using Kiro CLI Agent to Improve </h3> <p>The real power comes from using AI to enhance your setup. Here's how I use Kiro:</p> <p><strong>Discovering new commands:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; "Create a command that takes a screenshot and saves it to my Desktop" </code></pre> </div> <p><strong>Building complex workflows:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; "Help me create a script that checks my calendar for the next meeting and speaks the meeting title and time" </code></pre> </div> <p><strong>Optimizing button layouts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; "I have 16 pads. Suggest an ergonomic layout for: 4 project launchers, 4 media controls, 4 quick responses, and 4 smart shortcuts" </code></pre> </div> <p><strong>Generating API integrations:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; "Write a curl command to get my bank balance from my re:Money API and format it for text-to-speech" </code></pre> </div> <p>Kiro understands context, so you can iterate quickly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; "Make that command shorter" &gt; "Add error handling" &gt; "Now create a version for my credit card balance" </code></pre> </div> <h2> Installation &amp; Setup </h2> <h3> Requirements </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>mido python-rtmidi paho-mqtt </code></pre> </div> <p>On macOS, you might also need:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>portmidi </code></pre> </div> <h3> Quick Start </h3> <ol> <li>Clone or download the re:Button files</li> <li>Connect your MIDI controller</li> <li>Run the MQTT version to discover your button numbers: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> python3 rebutton-mqtt.py </code></pre> </div> <ol> <li>Create your <code>rebutton-config.md</code> file</li> <li>Run the main script: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> python3 rebutton.py </code></pre> </div> <h2> Real-World Usage </h2> <p>After using re:Button for a few weeks, here's what I've learned:</p> <p><strong>Most-used buttons:</strong></p> <ul> <li>Project launchers (I have 4 different workspaces)</li> <li>Volume control knob (so much better than keyboard shortcuts)</li> <li>"Yes/No/Thanks" quick responses (saves typing in meetings)</li> </ul> <p><strong>Surprising use cases:</strong></p> <ul> <li>Taking quick photos with Photo Booth for video calls</li> <li>Checking bank balance without opening apps</li> <li>Controlling smart home devices via MQTT</li> </ul> <p><strong>What I'd improve:</strong></p> <ul> <li>Add visual feedback (LEDs on the pads)</li> <li>Create profiles for different contexts (work, home, creative)</li> <li>Build a web UI for easier configuration</li> </ul> <h2> Why This Matters </h2> <p>re:Button is part of a larger vision called <a href="https://renascence-computing.github.io/rebutton/" rel="noopener noreferrer">Renascence Computing</a>—rethinking how we interact with computers to serve our lives, not the other way around.</p> <p>Physical buttons create a <strong>tangible interface</strong> to your digital life. Instead of context-switching between apps and memorizing shortcuts, you have dedicated controls for what matters most.</p> <p>Combined with AI (via Kiro), you can rapidly prototype and evolve your interface. The barrier between "I wish I could..." and "Done!" shrinks to minutes.</p> <h2> Get Started </h2> <ul> <li> <strong>Code</strong>: <a href="https://github.com/renascence-computing/rebutton" rel="noopener noreferrer">GitHub - re:button</a> </li> <li> <strong>Kiro CLI</strong>: <a href="https://kiro.dev" rel="noopener noreferrer">kiro.dev</a> </li> <li> <strong>Community</strong>: Join the Renascence Computing community</li> </ul> <h2> What Will You Build? </h2> <p>The beauty of re:Button is that it's infinitely customizable. Your button layout will be completely different from mine because your life and workflows are different.</p> <p>What would you put on your buttons? Share in the comments!</p> <p><em>This is part of the Renascence Computing project—a movement to rebuild our relationship with technology. Learn more at <a href="https://renascence.dev" rel="noopener noreferrer">Renascence Github Repositoy</a></em></p> diy opensource automation ai