impress-2020/src/server/index.js

import { beelinePlugin } from "./lib/beeline-graphql";
import { gql, makeExecutableSchema } from "apollo-server";
import { getUserIdFromToken as getUserIdFromTokenViaAuth0 } from "./auth";
import connectToDb from "./db";
import buildLoaders from "./loaders";
import { plugin as cacheControlPluginFork } from "./lib/apollo-cache-control-fork";
import {
  getAuthToken,
  getUserIdFromToken as getUserIdFromTokenViaDb,
} from "./auth-by-db";

const rootTypeDefs = gql`
  enum CacheScope {
    PUBLIC
    PRIVATE
  }
  directive @cacheControl(
    maxAge: Int
    staleWhileRevalidate: Int
    scope: CacheScope
  ) on FIELD_DEFINITION | OBJECT

  type Mutation
  type Query
`;

function mergeTypeDefsAndResolvers(modules) {
  const allTypeDefs = [];
  const allResolvers = {};

  for (const { typeDefs, resolvers } of modules) {
    allTypeDefs.push(typeDefs);
    for (const typeName of Object.keys(resolvers)) {
      allResolvers[typeName] = {
        ...allResolvers[typeName],
        ...resolvers[typeName],
      };
    }
  }

  return { typeDefs: allTypeDefs, resolvers: allResolvers };
}

const schema = makeExecutableSchema(
  mergeTypeDefsAndResolvers([
    { typeDefs: rootTypeDefs, resolvers: {} },
    require("./types/AppearanceLayer"),
    require("./types/ClosetList"),
    require("./types/Item"),
    require("./types/MutationsForSupport"),
    require("./types/Outfit"),
    require("./types/Pet"),
    require("./types/PetAppearance"),
    require("./types/User"),
    require("./types/Zone"),
  ])
);

const plugins = [cacheControlPluginFork({ calculateHttpHeaders: true })];

if (process.env["NODE_ENV"] !== "test") {
  plugins.push(beelinePlugin);
}

const config = {
  schema,
  context: async ({ req, res }) => {
    const db = await connectToDb();

    let authMode = req.headers["dti-auth-mode"] || "auth0";
    let currentUserId;
    if (authMode === "auth0") {
      const auth = (req && req.headers && req.headers.authorization) || "";
      const authMatch = auth.match(/^Bearer (.+)$/);
      const token = authMatch && authMatch[1];
      currentUserId = await getUserIdFromTokenViaAuth0(token);
    } else if (authMode === "db") {
      currentUserId = await getCurrentUserIdViaDb(req);
    } else {
      console.warn(
        `Unexpected auth mode: ${JSON.stringify(authMode)}. Skipping auth.`
      );
      currentUserId = null;
    }

    return {
      db,
      currentUserId,
      login: async (params) => {
        const authToken = await getAuthToken(params, db);
        if (authToken == null) {
          return null;
        }
        const oneWeekFromNow = new Date();
        oneWeekFromNow.setDate(oneWeekFromNow.getDate() + 7);
        res.setHeader(
          "Set-Cookie",
          `DTIAuthToken=${encodeURIComponent(JSON.stringify(authToken))}; ` +
            `Max-Age=${60 * 60 * 24 * 7}; Secure; HttpOnly; SameSite=Strict`
        );
        return authToken;
      },
      logout: async () => {
        // NOTE: This function isn't actually async in practice, but we mark it
        //       as such for consistency with `login`!
        // Set a header to delete the cookie. (That is, empty and expired.)
        res.setHeader("Set-Cookie", `DTIAuthToken=; Max-Age=-1`);
      },
      ...buildLoaders(db),
    };
  },
  formatResponse: (res, context) => {
    // The Authorization header can affect the response, so we signal that here
    // for caching user data! That way, login/logout will refresh user data,
    // even if it was briefly cached.
    //
    // NOTE: Our frontend JS only sends the Authorization header for user data
    //       queries. For public data, the header will be absent, and different
    //       users will still be able to share the same public cache data.
    //
    // NOTE: At time of writing, I'm not sure we use this in app? I think all
    //       current user data queries request fields with `maxAge: 0`. But I'm
    //       adding it just to remove a potential surprise gotcha later!
    context.response.http.headers.set("Vary", "Authorization");

    return res;
  },

  plugins,

  // We use our own fork of the cacheControl plugin!
  cacheControl: false,

  // Enable Playground in production :)
  introspection: true,
  playground: {
    endpoint: "/api/graphql",
  },
};

async function getCurrentUserIdViaDb(req) {
  const authTokenCookieString = req.cookies.DTIAuthToken;
  if (!authTokenCookieString) {
    return null;
  }

  let authTokenFromCookie = null;
  try {
    authTokenFromCookie = JSON.parse(authTokenCookieString);
  } catch (error) {
    console.warn(`DTIAuthToken cookie was not valid JSON, ignoring.`);
  }

  return await getUserIdFromTokenViaDb(authTokenFromCookie);
}

if (require.main === module) {
  const { ApolloServer } = require("apollo-server");
  const server = new ApolloServer(config);
  server.listen().then(({ url }) => {
    console.info(`🚀  Server ready at ${url}`);
  });
}

module.exports = { config };
Use ES module syntax in backend instead of require Ok cool, so apparently another win we get from using `ts-node` is that I can finally easily use some non-native-Node features like ES module import syntax, for consistency with what I'm doing in the main app source! That was getting on my nerves tbh. Ooh I bet I can finally use `?.` too, I've had to rewrite that a bunch… 2021-02-02 22:26:55 -08:00			`import { beelinePlugin } from "./lib/beeline-graphql";`
			`import { gql, makeExecutableSchema } from "apollo-server";`
Support actual login via db?? :0 Yeah cool the login button seems to. work now? And subsequent requests serve user data correctly based on that, and let you edit stuff. I also tested the following attacks: - Using the wrong password indeed fails! lol basic one - Changing the userId or createdAt fields in the cookie causes the auth token to be rejected for an invalid signature. Tbh that's all that comes to mind… like, you either attack us by tricking the login itself into giving you a token when it shouldn't, or you attack us by tricking the subsequent requests into accepting a token when it shouldn't. Seems like we're covered? 😳🤞 Still need to add logout, but yeah, this is… looking surprisingly feature-parity with our Auth0 integration already lmao. Maybe it'll be ready to launch sooner than expected? 2022-08-17 15:24:17 -07:00			`import { getUserIdFromToken as getUserIdFromTokenViaAuth0 } from "./auth";`
Use ES module syntax in backend instead of require Ok cool, so apparently another win we get from using `ts-node` is that I can finally easily use some non-native-Node features like ES module import syntax, for consistency with what I'm doing in the main app source! That was getting on my nerves tbh. Ooh I bet I can finally use `?.` too, I've had to rewrite that a bunch… 2021-02-02 22:26:55 -08:00			`import connectToDb from "./db";`
			`import buildLoaders from "./loaders";`
			`import { plugin as cacheControlPluginFork } from "./lib/apollo-cache-control-fork";`
Support actual login via db?? :0 Yeah cool the login button seems to. work now? And subsequent requests serve user data correctly based on that, and let you edit stuff. I also tested the following attacks: - Using the wrong password indeed fails! lol basic one - Changing the userId or createdAt fields in the cookie causes the auth token to be rejected for an invalid signature. Tbh that's all that comes to mind… like, you either attack us by tricking the login itself into giving you a token when it shouldn't, or you attack us by tricking the subsequent requests into accepting a token when it shouldn't. Seems like we're covered? 😳🤞 Still need to add logout, but yeah, this is… looking surprisingly feature-parity with our Auth0 integration already lmao. Maybe it'll be ready to launch sooner than expected? 2022-08-17 15:24:17 -07:00			`import {`
			`getAuthToken,`
			`getUserIdFromToken as getUserIdFromTokenViaDb,`
			`} from "./auth-by-db";`
set up Apollo server! 2020-04-22 11:51:36 -07:00
refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			const rootTypeDefs = gql`
More cache hint tags for Item etc Trying to get that Item page fast! I don't really want to ship this as-is, because I'd really like to get stale-while-revalidate working before shipping a 1-week cache timer… will be tricky though! 2021-02-02 17:51:54 -08:00			`enum CacheScope {`
			`PUBLIC`
			`PRIVATE`
			`}`
			`directive @cacheControl(`
			`maxAge: Int`
Add stale-while-revalidate cache headers Oh yay, I'm pleased with this! I hope it works out well! stale-while-revalidate is an HTTP caching feature that gives us the ability to still serve relatively static content like item pages ASAP, while also making sure users generally see updates quickly. The trick is that we declare a period of time where, you can still serve the data from the cache, but you should _then_ go re-fetch the latest data in the background for next time. This works on end users and on the CDN! I've scanned the basic wardrobe and homepage stuff and brought them up-to-date, and gave particular attention to the item page, which I hope can be very very snappy now! :3 Note to self: Vercel says we can manually clear out a stale-while-revalidate resource by requesting it with `Pragma: no-cache`. I'm not sure it will listen to us for _fresh_ resources, though, so I'm not sure we can actually use that to flush things out in the way I had been hoping until writing this sentence lol :p 2021-02-02 19:07:38 -08:00			`staleWhileRevalidate: Int`
More cache hint tags for Item etc Trying to get that Item page fast! I don't really want to ship this as-is, because I'd really like to get stale-while-revalidate working before shipping a 1-week cache timer… will be tricky though! 2021-02-02 17:51:54 -08:00			`scope: CacheScope`
			`) on FIELD_DEFINITION \| OBJECT`
add Honeycomb logging This will let me see traces for stuff! 2020-08-16 23:28:41 -07:00
refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			`type Mutation`
			`type Query`
set up Apollo server! 2020-04-22 11:51:36 -07:00			`;

refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			`function mergeTypeDefsAndResolvers(modules) {`
			`const allTypeDefs = [];`
			`const allResolvers = {};`
can submit the actual body ID Support mutation! it seems to actually be changing the things correctly aaaa 2020-08-01 15:30:26 -07:00
refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			`for (const { typeDefs, resolvers } of modules) {`
			`allTypeDefs.push(typeDefs);`
			`for (const typeName of Object.keys(resolvers)) {`
			`allResolvers[typeName] = {`
			`...allResolvers[typeName],`
			`...resolvers[typeName],`
move neopets.com loading into server the client stuff worked locally, but not in prod because you can't request http from https, even with cors set up correctly 😅 2020-04-25 06:50:34 -07:00			`};`
refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			`}`
			`}`
compact the svg logs 2020-05-23 11:32:05 -07:00
refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			`return { typeDefs: allTypeDefs, resolvers: allResolvers };`
			`}`
compact the svg logs 2020-05-23 11:32:05 -07:00
refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			`const schema = makeExecutableSchema(`
			`mergeTypeDefsAndResolvers([`
			`{ typeDefs: rootTypeDefs, resolvers: {} },`
			`require("./types/AppearanceLayer"),`
real trade data on the page! 2020-11-24 14:24:34 -08:00			`require("./types/ClosetList"),`
refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			`require("./types/Item"),`
			`require("./types/MutationsForSupport"),`
			`require("./types/Outfit"),`
extract Pet GQL to Pet.js from Outfit.js 2020-10-06 05:04:44 -07:00			`require("./types/Pet"),`
refactor GQL typedefs/resolvers into separate files get that giant index file broken up a bit! 2020-09-06 01:51:58 -07:00			`require("./types/PetAppearance"),`
			`require("./types/User"),`
			`require("./types/Zone"),`
			`])`
			`);`

Add stale-while-revalidate cache headers Oh yay, I'm pleased with this! I hope it works out well! stale-while-revalidate is an HTTP caching feature that gives us the ability to still serve relatively static content like item pages ASAP, while also making sure users generally see updates quickly. The trick is that we declare a period of time where, you can still serve the data from the cache, but you should _then_ go re-fetch the latest data in the background for next time. This works on end users and on the CDN! I've scanned the basic wardrobe and homepage stuff and brought them up-to-date, and gave particular attention to the item page, which I hope can be very very snappy now! :3 Note to self: Vercel says we can manually clear out a stale-while-revalidate resource by requesting it with `Pragma: no-cache`. I'm not sure it will listen to us for _fresh_ resources, though, so I'm not sure we can actually use that to flush things out in the way I had been hoping until writing this sentence lol :p 2021-02-02 19:07:38 -08:00			`const plugins = [cacheControlPluginFork({ calculateHttpHeaders: true })];`
don't do Honeycomb in test env 2020-08-17 01:27:05 -07:00
			`if (process.env["NODE_ENV"] !== "test") {`
			`plugins.push(beelinePlugin);`
			`}`
add Honeycomb logging This will let me see traces for stuff! 2020-08-16 23:28:41 -07:00
move to vercel now function api structure I haven't really tested the API yet, because it's hard to query GraphQL directly, but I'll set up the client in a bit for it! 2020-04-22 13:03:32 -07:00			`const config = {`
add Honeycomb logging This will let me see traces for stuff! 2020-08-16 23:28:41 -07:00			`schema,`
Login form checks the db, and saves a cookie Okay so one of the trickiest parts of login is done! 🤞 and now we need to make it actually show up in the UI. (and also pressure-test the security a bit, I've only really checked the happy path!) 2022-08-17 00:58:52 -07:00			`context: async ({ req, res }) => {`
set up Apollo server! 2020-04-22 11:51:36 -07:00			`const db = await connectToDb();`
compact the svg logs 2020-05-23 11:32:05 -07:00
Support actual login via db?? :0 Yeah cool the login button seems to. work now? And subsequent requests serve user data correctly based on that, and let you edit stuff. I also tested the following attacks: - Using the wrong password indeed fails! lol basic one - Changing the userId or createdAt fields in the cookie causes the auth token to be rejected for an invalid signature. Tbh that's all that comes to mind… like, you either attack us by tricking the login itself into giving you a token when it shouldn't, or you attack us by tricking the subsequent requests into accepting a token when it shouldn't. Seems like we're covered? 😳🤞 Still need to add logout, but yeah, this is… looking surprisingly feature-parity with our Auth0 integration already lmao. Maybe it'll be ready to launch sooner than expected? 2022-08-17 15:24:17 -07:00			`let authMode = req.headers["dti-auth-mode"] \|\| "auth0";`
			`let currentUserId;`
			`if (authMode === "auth0") {`
			`const auth = (req && req.headers && req.headers.authorization) \|\| "";`
			`const authMatch = auth.match(/^Bearer (.+)$/);`
			`const token = authMatch && authMatch[1];`
			`currentUserId = await getUserIdFromTokenViaAuth0(token);`
			`} else if (authMode === "db") {`
			`currentUserId = await getCurrentUserIdViaDb(req);`
			`} else {`
			`console.warn(`
			`Unexpected auth mode: ${JSON.stringify(authMode)}. Skipping auth.`
			`);`
			`currentUserId = null;`
			`}`
set up auth on the server + test utils 2020-09-02 23:00:16 -07:00
add db snapshotting & better translation loader 2020-04-22 12:00:52 -07:00			`return {`
special color mutation actually working! Note that there's a bug when switching back to the null case… when I look in the Apollo dev tools, it's definitely getting set in the cache correctly at the right time… but the query isn't updating for some reason? I'm hoping it's an Apollo bug that will fix itself someday with an upgrade! 2020-08-01 00:04:11 -07:00			`db,`
set up auth on the server + test utils 2020-09-02 23:00:16 -07:00			`currentUserId,`
Login form checks the db, and saves a cookie Okay so one of the trickiest parts of login is done! 🤞 and now we need to make it actually show up in the UI. (and also pressure-test the security a bit, I've only really checked the happy path!) 2022-08-17 00:58:52 -07:00			`login: async (params) => {`
			`const authToken = await getAuthToken(params, db);`
			`if (authToken == null) {`
			`return null;`
			`}`
			`const oneWeekFromNow = new Date();`
			`oneWeekFromNow.setDate(oneWeekFromNow.getDate() + 7);`
			`res.setHeader(`
			`"Set-Cookie",`
			`DTIAuthToken=${encodeURIComponent(JSON.stringify(authToken))}; ` +
			`Max-Age=${60 * 60 * 24 * 7}; Secure; HttpOnly; SameSite=Strict`
			`);`
			`return authToken;`
			`},`
Logout button for new auth mode Hey hey, logging out works! The server side of this was easy, but I made a few refactors to support it well on the client, like `useLoginActions` becoming just `useLogout` lol, and updating how the nav menu chooses between buttons vs menu because I wanted `<LogoutButton />` to contain some state. We also did good Apollo cache stuff to update the page after you log in or out! I think some fields that don't derive from `User`, like `Item.currentUserOwnsThis`, are gonna fail to update until you reload the page but like that's fine idk :p There's a known bug where logging out on the Your Outfits page turns into an infinite loop situation, because it's trying to do Auth0 stuff but the login keeps failing to have any effect because we're in db mode! I'll fix that next. 2022-08-17 16:05:36 -07:00			`logout: async () => {`
			`// NOTE: This function isn't actually async in practice, but we mark it`
			// as such for consistency with `login`!
			`// Set a header to delete the cookie. (That is, empty and expired.)`
			res.setHeader("Set-Cookie", `DTIAuthToken=; Max-Age=-1`);
			`},`
added pet appearance queries, using in frontend 2020-04-23 14:23:46 -07:00			`...buildLoaders(db),`
add db snapshotting & better translation loader 2020-04-22 12:00:52 -07:00			`};`
set up Apollo server! 2020-04-22 11:51:36 -07:00			`},`
Send `Vary: Authorization` cache header I don't think this is actually relevant in-app right now, but I figured sending it is More Correct, and is likely to prevent future bugs if anything (and prevent future question about why we're _not_ sending it). I also removed the `maxAge: 0` on `currentUser`, now that I've updated Fastly to no longer default to 5-minute caching when no cache time is specified. I can see why that's a reasonable default for Fastly, but we've been pretty careful about specifying Cache-Control headers when relevant, so the extra caching is mostly incorrect. 2021-11-23 13:00:56 -08:00			`formatResponse: (res, context) => {`
			`// The Authorization header can affect the response, so we signal that here`
			`// for caching user data! That way, login/logout will refresh user data,`
			`// even if it was briefly cached.`
			`//`
			`// NOTE: Our frontend JS only sends the Authorization header for user data`
			`// queries. For public data, the header will be absent, and different`
			`// users will still be able to share the same public cache data.`
			`//`
			`// NOTE: At time of writing, I'm not sure we use this in app? I think all`
			// current user data queries request fields with `maxAge: 0`. But I'm
			`// adding it just to remove a potential surprise gotcha later!`
			`context.response.http.headers.set("Vary", "Authorization");`

			`return res;`
			`},`
enable playground in production :) 2020-04-23 01:09:17 -07:00
don't do Honeycomb in test env 2020-08-17 01:27:05 -07:00			`plugins,`
compact the svg logs 2020-05-23 11:32:05 -07:00
Add stale-while-revalidate cache headers Oh yay, I'm pleased with this! I hope it works out well! stale-while-revalidate is an HTTP caching feature that gives us the ability to still serve relatively static content like item pages ASAP, while also making sure users generally see updates quickly. The trick is that we declare a period of time where, you can still serve the data from the cache, but you should _then_ go re-fetch the latest data in the background for next time. This works on end users and on the CDN! I've scanned the basic wardrobe and homepage stuff and brought them up-to-date, and gave particular attention to the item page, which I hope can be very very snappy now! :3 Note to self: Vercel says we can manually clear out a stale-while-revalidate resource by requesting it with `Pragma: no-cache`. I'm not sure it will listen to us for _fresh_ resources, though, so I'm not sure we can actually use that to flush things out in the way I had been hoping until writing this sentence lol :p 2021-02-02 19:07:38 -08:00			`// We use our own fork of the cacheControl plugin!`
			`cacheControl: false,`

enable playground in production :) 2020-04-23 01:09:17 -07:00			`// Enable Playground in production :)`
			`introspection: true,`
set default graphql endpoint in playground 2020-04-23 01:12:52 -07:00			`playground: {`
			`endpoint: "/api/graphql",`
			`},`
move to vercel now function api structure I haven't really tested the API yet, because it's hard to query GraphQL directly, but I'll set up the client in a bit for it! 2020-04-22 13:03:32 -07:00			`};`
set up Apollo server! 2020-04-22 11:51:36 -07:00
Support actual login via db?? :0 Yeah cool the login button seems to. work now? And subsequent requests serve user data correctly based on that, and let you edit stuff. I also tested the following attacks: - Using the wrong password indeed fails! lol basic one - Changing the userId or createdAt fields in the cookie causes the auth token to be rejected for an invalid signature. Tbh that's all that comes to mind… like, you either attack us by tricking the login itself into giving you a token when it shouldn't, or you attack us by tricking the subsequent requests into accepting a token when it shouldn't. Seems like we're covered? 😳🤞 Still need to add logout, but yeah, this is… looking surprisingly feature-parity with our Auth0 integration already lmao. Maybe it'll be ready to launch sooner than expected? 2022-08-17 15:24:17 -07:00			`async function getCurrentUserIdViaDb(req) {`
			`const authTokenCookieString = req.cookies.DTIAuthToken;`
			`if (!authTokenCookieString) {`
			`return null;`
			`}`

			`let authTokenFromCookie = null;`
			`try {`
			`authTokenFromCookie = JSON.parse(authTokenCookieString);`
			`} catch (error) {`
			console.warn(`DTIAuthToken cookie was not valid JSON, ignoring.`);
			`}`

			`return await getUserIdFromTokenViaDb(authTokenFromCookie);`
			`}`

set up Apollo server! 2020-04-22 11:51:36 -07:00			`if (require.main === module) {`
move to vercel now function api structure I haven't really tested the API yet, because it's hard to query GraphQL directly, but I'll set up the client in a bit for it! 2020-04-22 13:03:32 -07:00			`const { ApolloServer } = require("apollo-server");`
			`const server = new ApolloServer(config);`
set up Apollo server! 2020-04-22 11:51:36 -07:00			`server.listen().then(({ url }) => {`
Lint against console.log and replace `console.log` instances in the codebase with better alternatives! 2021-05-03 15:01:49 -07:00			console.info(`🚀 Server ready at ${url}`);
set up Apollo server! 2020-04-22 11:51:36 -07:00			`});`
			`}`

move to vercel now function api structure I haven't really tested the API yet, because it's hard to query GraphQL directly, but I'll set up the client in a bit for it! 2020-04-22 13:03:32 -07:00			`module.exports = { config };`
No results found.