From 79f6aa4da7ea4861d870ed11f3c51575e56d0ef6 Mon Sep 17 00:00:00 2001 From: mbret Date: Tue, 3 Dec 2024 20:16:45 +0100 Subject: [PATCH] feat: added cloudfare header --- packages/api/src/functions/signin/handler.ts | 14 ++++++--- packages/api/src/libs/couch/dbHelpers.ts | 31 +++++++------------- packages/api/src/libs/ssm.ts | 1 + 3 files changed, 22 insertions(+), 24 deletions(-) diff --git a/packages/api/src/functions/signin/handler.ts b/packages/api/src/functions/signin/handler.ts index 772ad003..481c25e6 100644 --- a/packages/api/src/functions/signin/handler.ts +++ b/packages/api/src/functions/signin/handler.ts @@ -7,7 +7,10 @@ import { ValidatedEventAPIGatewayProxyEvent } from "@libs/api-gateway" import schema from "./schema" import { getAuth } from "firebase-admin/auth" -import { getAdminNano, getOrCreateUserFromEmail } from "@libs/couch/dbHelpers" +import { + getDangerousAdminNano, + getOrCreateUserFromEmail +} from "@libs/couch/dbHelpers" import { generateToken } from "@libs/auth" import { ObokuErrorCode } from "@oboku/shared" import { createHttpError } from "@libs/httpErrors" @@ -18,8 +21,8 @@ import { getFirebaseApp } from "@libs/firebase/app" const lambda: ValidatedEventAPIGatewayProxyEvent = async ( event ) => { - const [jwtPrivateKey = ``] = await getParametersValue({ - Names: ["jwt-private-key"], + const [jwtPrivateKey = ``, xAccessSecret = ``] = await getParametersValue({ + Names: ["jwt-private-key", "x-access-secret"], WithDecryption: true }) @@ -41,7 +44,10 @@ const lambda: ValidatedEventAPIGatewayProxyEvent = async ( }) } - const adminNano = await getAdminNano({ privateKey: jwtPrivateKey }) + const adminNano = await getDangerousAdminNano({ + privateKey: jwtPrivateKey, + xAccessSecret + }) const user = await getOrCreateUserFromEmail(adminNano, email) diff --git a/packages/api/src/libs/couch/dbHelpers.ts b/packages/api/src/libs/couch/dbHelpers.ts index 96c86e70..48a10e05 100644 --- a/packages/api/src/libs/couch/dbHelpers.ts 
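Review bot: The new `xAccessSecret = ``` default in the destructuring of the `getParametersValue` result turns a missing (or undecryptable) `x-access-secret` SSM parameter into a silent empty string that is then sent as the header value, so a misconfigured deployment only fails later at the CouchDB/edge with an opaque error instead of here. I would fail fast before any network call, e.g. `if (!jwtPrivateKey || !xAccessSecret) { throw new Error("missing jwt-private-key or x-access-secret parameter") }` (or the handler's `createHttpError` helper if its signature fits), without ever logging the values. The pre-existing `jwtPrivateKey = ``` default has the same problem and could be fixed by the same check. The lambda body continues outside the hunk.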
+++ b/packages/api/src/libs/couch/dbHelpers.ts @@ -359,12 +359,16 @@ export const getNanoDbForUser = async (name: string, privateKey: string) => { return db.use(`userdb-${hexEncodedUserId}`) } -export const getNano = async ({ jwtToken }: { jwtToken?: string } = {}) => { +export const getNano = async ({ + jwtToken, + xAccessSecret +}: { jwtToken?: string; xAccessSecret?: string } = {}) => { return createNano({ url: COUCH_DB_URL, requestDefaults: { headers: { "content-type": "application/json", + "x-access-secret": xAccessSecret, accept: "application/json", ...(jwtToken && { Authorization: `Bearer ${jwtToken}` @@ -378,24 +382,11 @@ export const getNano = async ({ jwtToken }: { jwtToken?: string } = {}) => { * WARNING: be very careful when using nano as admin since you will have full power. * As you know with great power comes great responsibilities */ -export const getAdminNano = async (options: { - sub?: string - privateKey: string -}) => { +export const getDangerousAdminNano = async ( + options: { + sub?: string + privateKey: string + } & Omit[0]>, "jwtToken"> +) => { return getNano({ jwtToken: await generateAdminToken(options) }) } - -export const auth = async (username: string, userpass: string) => { - const db = await getNano() - - try { - const response = await db.auth(username, userpass) - if (!response.ok || !response.name) { - return null - } - return response - } catch (e) { - if ((e as any)?.statusCode === 401) return null - throw e - } -} diff --git a/packages/api/src/libs/ssm.ts b/packages/api/src/libs/ssm.ts index a33adbca..4a69caec 100644 --- a/packages/api/src/libs/ssm.ts +++ b/packages/api/src/libs/ssm.ts @@ -9,6 +9,7 @@ const ssm = new SSMClient({ region: "us-east-1" }) type ParameterName = | `jwt-private-key` + | `x-access-secret` | `GOOGLE_CLIENT_SECRET` | `GOOGLE_API_KEY` | `GOOGLE_CLIENT_ID`
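Review bot: `"x-access-secret": xAccessSecret` is placed unconditionally in the default headers, while the adjacent `Authorization` header keeps the `...(jwtToken && { ... })` guard; for every caller that still invokes `getNano()` without the option the header is set to `undefined`, and whether that is dropped or serialized as the string "undefined" depends on the HTTP client nano is configured with. Use the same conditional spread for consistency: `...(xAccessSecret && { "x-access-secret": xAccessSecret }),`. Since this is a static shared secret sent on every request to `COUCH_DB_URL`, a short comment would help the next reader, e.g. `// shared secret checked by the edge (Cloudflare) rule in front of CouchDB; only protects the origin over TLS`. getNano's body continues past the end of the hunk.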
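Review bot: `getDangerousAdminNano` now accepts `xAccessSecret` through its widened options type, but the unchanged body `return getNano({ jwtToken: await generateAdminToken(options) })` never forwards it, so the admin client built by the signin handler in this same commit will not carry the header being added, and the whole `options` object (secret included) is handed to `generateAdminToken`. Destructure and pass it through: `const { xAccessSecret, ...tokenOptions } = options` / `return getNano({ jwtToken: await generateAdminToken(tokenOptions), xAccessSecret })`. The options type as rendered here, `Omit[0]>, "jwtToken">`, is not valid TypeScript and looks like `Omit<Parameters<typeof getNano>[0], "jwtToken">` with the angle brackets lost in extraction; worth confirming against the actual file. The existing WARNING doc comment above the function could also state that callers must pass `xAccessSecret` or the request is sent to CouchDB without the edge header.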