feat(server): support AWS Cognito auth server (#450)

server/.env.example

@@ -17,6 +17,11 @@ REEARTH_AUTH0_CLIENTID=
 REEARTH_AUTH0_CLIENTSECRET=
 REEARTH_AUTH0_WEBCLIENTID=
 
+# AWS cognito
+REEARTH_COGNITO_REGION=
+REEARTH_COGNITO_USERPOOLID=
+REEARTH_COGNITO_CLIENTID=
+
 # Auth client
 #REEARTH_AUTH_ISS=https://hoge.com
 #REEARTH_AUTH_AUD=https://api.reearth.example.com

server/e2e/common.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/gavv/httpexpect/v2"
 	"github.com/reearth/reearth/server/internal/app"
+	"github.com/reearth/reearth/server/internal/app/config"
 	"github.com/reearth/reearth/server/internal/infrastructure/fs"
 	"github.com/reearth/reearth/server/internal/infrastructure/memory"
 	"github.com/reearth/reearth/server/internal/infrastructure/mongo"
@@ -24,12 +25,12 @@ func init() {
 	mongotest.Env = "REEARTH_DB"
 }
 
-func StartServer(t *testing.T, cfg *app.Config, useMongo bool, seeder Seeder) *httpexpect.Expect {
+func StartServer(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder) *httpexpect.Expect {
 	e, _ := StartServerAndRepos(t, cfg, useMongo, seeder)
 	return e
 }
 
-func StartServerAndRepos(t *testing.T, cfg *app.Config, useMongo bool, seeder Seeder) (*httpexpect.Expect, *repo.Container) {
+func StartServerAndRepos(t *testing.T, cfg *config.Config, useMongo bool, seeder Seeder) (*httpexpect.Expect, *repo.Container) {
 	ctx := context.Background()
 
 	var repos *repo.Container
@@ -48,7 +49,7 @@ func StartServerAndRepos(t *testing.T, cfg *app.Config, useMongo bool, seeder Se
 
 	return StartServerWithRepos(t, cfg, repos), repos
 }
-func StartServerWithRepos(t *testing.T, cfg *app.Config, repos *repo.Container) *httpexpect.Expect {
+func StartServerWithRepos(t *testing.T, cfg *config.Config, repos *repo.Container) *httpexpect.Expect {
 	t.Helper()
 
 	if testing.Short() {

server/e2e/dataset_export_test.go

@@ -4,14 +4,14 @@ import (
 	"net/http"
 	"testing"
 
-	"github.com/reearth/reearth/server/internal/app"
+	"github.com/reearth/reearth/server/internal/app/config"
 	"github.com/reearth/reearth/server/pkg/dataset"
 )
 
 func TestDatasetExport(t *testing.T) {
-	e := StartServer(t, &app.Config{
+	e := StartServer(t, &config.Config{
 		Origins: []string{"https://example.com"},
-		AuthSrv: app.AuthSrvConfig{
+		AuthSrv: config.AuthSrvConfig{
 			Disabled: true,
 		},
 	}, true, baseSeeder)

server/e2e/gql_me_test.go

@@ -4,13 +4,13 @@ import (
 	"net/http"
 	"testing"
 
-	"github.com/reearth/reearth/server/internal/app"
+	"github.com/reearth/reearth/server/internal/app/config"
 )
 
 func TestMe(t *testing.T) {
-	e := StartServer(t, &app.Config{
+	e := StartServer(t, &config.Config{
 		Origins: []string{"https://example.com"},
-		AuthSrv: app.AuthSrvConfig{
+		AuthSrv: config.AuthSrvConfig{
 			Disabled: true,
 		},
 	},

server/e2e/gql_project_test.go

@@ -4,13 +4,13 @@ import (
 	"net/http"
 	"testing"
 
-	"github.com/reearth/reearth/server/internal/app"
+	"github.com/reearth/reearth/server/internal/app/config"
 )
 
 func TestCreateProject(t *testing.T) {
-	e := StartServer(t, &app.Config{
+	e := StartServer(t, &config.Config{
 		Origins: []string{"https://example.com"},
-		AuthSrv: app.AuthSrvConfig{
+		AuthSrv: config.AuthSrvConfig{
 			Disabled: true,
 		},
 	},

server/e2e/ping_test.go

@@ -4,13 +4,13 @@ import (
 	"net/http"
 	"testing"
 
-	"github.com/reearth/reearth/server/internal/app"
+	"github.com/reearth/reearth/server/internal/app/config"
 )
 
 func TestPingAPI(t *testing.T) {
-	e := StartServer(t, &app.Config{
+	e := StartServer(t, &config.Config{
 		Origins: []string{"https://example.com"},
-		AuthSrv: app.AuthSrvConfig{
+		AuthSrv: config.AuthSrvConfig{
 			Disabled: true,
 		},
 	}, false, nil)

server/go.mod

@@ -7,9 +7,6 @@ require (
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace v1.8.3
 	github.com/auth0/go-jwt-middleware/v2 v2.0.1
 	github.com/avast/retry-go/v4 v4.0.4
-	github.com/aws/aws-sdk-go-v2 v1.18.0
-	github.com/aws/aws-sdk-go-v2/config v1.18.25
-	github.com/aws/aws-sdk-go-v2/service/ses v1.15.9
 	github.com/blang/semver v3.5.1+incompatible
 	github.com/gavv/httpexpect/v2 v2.3.1
 	github.com/goccy/go-yaml v1.9.8
@@ -27,9 +24,8 @@ require (
 	github.com/paulmach/go.geojson v1.4.0
 	github.com/pkg/errors v0.9.1
 	github.com/ravilushqa/otelgqlgen v0.8.0
-	github.com/reearth/reearthx v0.0.0-20230526094658-d163edc277db
+	github.com/reearth/reearthx v0.0.0-20230530055440-86a8d4675853
 	github.com/samber/lo v1.27.0
-	github.com/sendgrid/sendgrid-go v3.12.0+incompatible
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/afero v1.9.3
 	github.com/square/mongo-lock v0.0.0-20201208161834-4db518ed7fb2
@@ -68,19 +64,21 @@ require (
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20210927113745-59d0afb8317a // indirect
 	github.com/andybalholm/brotli v1.0.2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.18.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.18.25 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.24 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ses v1.15.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.12.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.19.0 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dgryski/trifles v0.0.0-20200705224438-cafc02a1ee2b // indirect
 	github.com/fatih/color v1.12.0 // indirect
 	github.com/fatih/structs v1.0.0 // indirect
 	github.com/felixge/httpsnoop v1.0.2 // indirect
@@ -119,10 +117,10 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sendgrid/rest v2.6.9+incompatible // indirect
+	github.com/sendgrid/sendgrid-go v3.12.0+incompatible // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/smartystreets/assertions v1.1.1 // indirect
 	github.com/smartystreets/goconvey v1.6.4 // indirect
-	github.com/tidwall/pretty v1.0.1 // indirect
 	github.com/urfave/cli/v2 v2.8.1 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasthttp v1.27.0 // indirect

server/go.sum

@@ -156,7 +156,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/dgryski/trifles v0.0.0-20200705224438-cafc02a1ee2b h1:8xx0j7yceTAgVxonE+qOOepmwWS/Ic3OLQapY9HJajc=
-github.com/dgryski/trifles v0.0.0-20200705224438-cafc02a1ee2b/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -481,12 +480,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/ravilushqa/otelgqlgen v0.8.0 h1:x48k+D1GMgm87xhMO2Lekrr9YGzFbpG3yijn9GpxuAY=
 github.com/ravilushqa/otelgqlgen v0.8.0/go.mod h1:6JO5YO2iY4POC7R6yB/L/RKXCcyISL8qQt5NnHOhh0o=
-github.com/reearth/reearthx v0.0.0-20230417135043-7b80b5104916 h1:L7aw1N3g8YNspo/9gcikpGePQlXL8C/6L+Dj+Fu3RBY=
-github.com/reearth/reearthx v0.0.0-20230417135043-7b80b5104916/go.mod h1:AsJomXOp70gxN3lq8amcJ1Erd6gl7dwCj4P2K5ih4DM=
-github.com/reearth/reearthx v0.0.0-20230525175729-1a205c0ffb05 h1:2rBmqZtFlOUb0O4jP/IsblQvTSTl0tO3Y/QMMlci2dk=
-github.com/reearth/reearthx v0.0.0-20230525175729-1a205c0ffb05/go.mod h1:845tCGtkSH+HTYzb52oTlJRkDJPD0hRvLdCOcU2G9jQ=
-github.com/reearth/reearthx v0.0.0-20230526094658-d163edc277db h1:Ho8UcqeIz81iGE83qcxDu6AudktaHvkt93kQSZjP/MI=
-github.com/reearth/reearthx v0.0.0-20230526094658-d163edc277db/go.mod h1:Rh7MJPKq43f+HZ/PwjZ5vEbGPpllNFvUrxn9sBn2b+s=
+github.com/reearth/reearthx v0.0.0-20230530055440-86a8d4675853 h1:eO1u6WJ/B1j/uC0ZnHS21EYuaREbdYDgHAExy7LLAnw=
+github.com/reearth/reearthx v0.0.0-20230530055440-86a8d4675853/go.mod h1:Rh7MJPKq43f+HZ/PwjZ5vEbGPpllNFvUrxn9sBn2b+s=
 github.com/robertkrimen/godocdown v0.0.0-20130622164427-0bfa04905481/go.mod h1:C9WhFzY47SzYBIvzFqSvHIR6ROgDo4TtdTuRaOMjF/s=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -545,7 +540,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/thoas/go-funk v0.9.1 h1:O549iLZqPpTUQ10ykd26sZhzD+rmR5pWhuElrhbC20M=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tidwall/pretty v1.0.1 h1:WE4RBSZ1x6McVVC8S/Md+Qse8YUv6HRObAx6ke00NY8=
-github.com/tidwall/pretty v1.0.1/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/twpayne/go-kml v1.5.2 h1:rFMw2/EwgkVssGS2MT6YfWSPZz6BgcJkLxQ53jnE8rQ=
 github.com/twpayne/go-kml v1.5.2/go.mod h1:kz8jAiIz6FIdU2Zjce9qGlVtgFYES9vt7BTPBHf5jl4=
 github.com/twpayne/go-polyline v1.0.0/go.mod h1:ICh24bcLYBX8CknfvNPKqoTbe+eg+MX1NPyJmSBo7pU=

server/internal/app/app.go

@@ -53,8 +53,8 @@ func initEcho(ctx context.Context, cfg *ServerConfig) *echo.Echo {
 
 	e.Use(
 		jwtEchoMiddleware(cfg),
-		parseJwtMiddleware(),
-		authMiddleware(cfg),
+		loadAuthInfoMiddleware(),
+		attachOpMiddleware(cfg),
 	)
 
 	// enable pprof
@@ -100,11 +100,11 @@ func initEcho(ctx context.Context, cfg *ServerConfig) *echo.Echo {
 
 	// apis
 	api := e.Group("/api")
-	api.GET("/ping", Ping(), private)
+	api.GET("/ping", Ping(), privateCache)
 	api.GET("/published/:name", PublishedMetadata())
 	api.GET("/published_data/:name", PublishedData("", true))
 
-	apiPrivate := api.Group("", private)
+	apiPrivate := api.Group("", privateCache)
 	apiPrivate.POST("/graphql", GraphqlAPI(cfg.Config.GraphQL, gqldev))
 	apiPrivate.GET("/layers/:param", ExportLayer(), AuthRequiredMiddleware())
 	apiPrivate.GET("/datasets/:datasetSchemaId", http2.ExportDataset(), AuthRequiredMiddleware())
@@ -196,7 +196,7 @@ func errorMessage(err error, log func(string, ...interface{})) (int, string) {
 	return code, msg
 }
 
-func private(next echo.HandlerFunc) echo.HandlerFunc {
+func privateCache(next echo.HandlerFunc) echo.HandlerFunc {
 	return func(c echo.Context) error {
 		c.Response().Header().Set(echo.HeaderCacheControl, "private, no-store, no-cache, must-revalidate")
 		return next(c)

server/internal/app/auth_client.go

@@ -13,7 +13,10 @@ import (
 	"github.com/reearth/reearthx/util"
 )
 
-func authMiddleware(cfg *ServerConfig) echo.MiddlewareFunc {
+// load user from db and attach it to context along with operator
+// user id can be from debug header or jwt token
+// if its new user, create new user and attach it to context
+func attachOpMiddleware(cfg *ServerConfig) echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
 			req := c.Request()
@@ -31,8 +34,8 @@ func authMiddleware(cfg *ServerConfig) echo.MiddlewareFunc {
 			// debug mode
 			if cfg.Debug {
 				if userID := c.Request().Header.Get(debugUserHeader); userID != "" {
-					if id, err := id.UserIDFrom(userID); err == nil {
-						user2, err := cfg.Repos.User.FindByID(ctx, id)
+					if uId, err := id.UserIDFrom(userID); err == nil {
+						user2, err := cfg.Repos.User.FindByID(ctx, uId)
 						if err == nil && user2 != nil {
 							u = user2
 						}

server/internal/app/auth_server.go

@@ -5,19 +5,18 @@ import (
 	"errors"
 
 	"github.com/labstack/echo/v4"
+	"github.com/reearth/reearth/server/internal/app/config"
 	"github.com/reearth/reearth/server/internal/usecase/repo"
-	"github.com/reearth/reearth/server/pkg/config"
+	authconfig "github.com/reearth/reearth/server/pkg/config"
 	"github.com/reearth/reearth/server/pkg/user"
 	"github.com/reearth/reearthx/authserver"
 	"github.com/reearth/reearthx/rerror"
 	"github.com/zitadel/oidc/pkg/oidc"
 )
 
-const authServerDefaultClientID = "reearth-authsrv-client-default"
-
 var ErrInvalidEmailORPassword = errors.New("wrong email or password")
 
-func authServer(ctx context.Context, e *echo.Echo, cfg *AuthSrvConfig, repos *repo.Container) {
+func authServer(ctx context.Context, e *echo.Echo, cfg *config.AuthSrvConfig, repos *repo.Container) {
 	if cfg.Disabled {
 		return
 	}
@@ -26,7 +25,7 @@ func authServer(ctx context.Context, e *echo.Echo, cfg *AuthSrvConfig, repos *re
 		Issuer:          cfg.Issuer,
 		URL:             cfg.DomainURL(),
 		WebURL:          cfg.UIDomainURL(),
-		DefaultClientID: authServerDefaultClientID,
+		DefaultClientID: config.AuthServerDefaultClientID,
 		Dev:             cfg.Dev,
 		Key:             cfg.Key,
 		DN:              cfg.DN.AuthServerDNConfig(),
@@ -101,7 +100,7 @@ func (c *authServerConfig) Save(ctx context.Context, cfg *authserver.Config) err
 	if cfg == nil {
 		return nil
 	}
-	return c.Config.SaveAuth(ctx, &config.Auth{
+	return c.Config.SaveAuth(ctx, &authconfig.Auth{
 		Cert: cfg.Cert,
 		Key:  cfg.Key,
 	})

server/internal/app/auth_server_test.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/labstack/echo/v4"
+	"github.com/reearth/reearth/server/internal/app/config"
 	"github.com/reearth/reearth/server/internal/infrastructure/mongo"
 	"github.com/reearth/reearth/server/internal/usecase/repo"
 	"github.com/reearth/reearth/server/pkg/user"
@@ -55,7 +56,7 @@ func TestEndpoint(t *testing.T) {
 	ts := httptest.NewServer(e)
 	defer ts.Close()
 
-	authServer(ctx, e, &AuthSrvConfig{
+	authServer(ctx, e, &config.AuthSrvConfig{
 		Domain:   "https://example.com",
 		UIDomain: "https://web.example.com",
 	}, &repo.Container{
@@ -68,7 +69,7 @@ func TestEndpoint(t *testing.T) {
 	verifier, challenge := randomCodeChallenge()
 	res := send(http.MethodGet, ts.URL+"/authorize", false, map[string]string{
 		"response_type":         "code",
-		"client_id":             authServerDefaultClientID,
+		"client_id":             config.AuthServerDefaultClientID,
 		"redirect_uri":          "https://web.example.com",
 		"scope":                 "openid email profile",
 		"state":                 "hogestate",
@@ -110,7 +111,7 @@ func TestEndpoint(t *testing.T) {
 	res2 := send(http.MethodPost, ts.URL+"/oauth/token", true, map[string]string{
 		"grant_type":    "authorization_code",
 		"redirect_uri":  "https://web.example.com",
-		"client_id":     authServerDefaultClientID,
+		"client_id":     config.AuthServerDefaultClientID,
 		"code":          code,
 		"code_verifier": verifier,
 	}, nil)