All files / auth switch-flow.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
1x
1x
 
 
 
1x
 
1x
1x
1x
 
1x
14x
14x
13x
 
13x
1x
 
 
 
 
 
 
 
 
 
12x
1x
 
 
 
 
 
 
 
 
 
 
 
11x
 
 
 
 
 
 
 
 
 
 
10x
1x
 
 
 
 
 
 
 
 
 
9x
1x
 
 
 
 
 
 
 
 
 
 
8x
 
 
 
 
 
 
 
 
 
 
 
 
7x
 
 
 
 
 
 
 
 
 
 
 
 
3x
3x
 
 
 
 
 
 
 
 
 
 
const { DynamoDBClient } = require('@aws-sdk/client-dynamodb')
const { DynamoDBDocumentClient, GetCommand } = require('@aws-sdk/lib-dynamodb')
const {
  CognitoIdentityProviderClient,
  AdminUpdateUserAttributesCommand
} = require('@aws-sdk/client-cognito-identity-provider')
 
const dynamoClient = new DynamoDBClient({})
const docClient = DynamoDBDocumentClient.from(dynamoClient)
const cognitoClient = new CognitoIdentityProviderClient({})
 
exports.handler = async (event) => {
  try {
    const body = JSON.parse(event.body || '{}')
    const userId = event.requestContext?.authorizer?.claims?.sub
 
    if (!userId) {
      return {
        statusCode: 401,
        headers: {
          'Content-Type': 'application/json',
          'Access-Control-Allow-Origin': '*'
        },
        body: JSON.stringify({ error: 'Not authenticated' })
      }
    }
 
    if (!body.flowId) {
      return {
        statusCode: 400,
        headers: {
          'Content-Type': 'application/json',
          'Access-Control-Allow-Origin': '*'
        },
        body: JSON.stringify({ error: 'Missing flowId' })
      }
    }
 
    // Verify user is member of the target flow
    // ConsistentRead ensures we see memberships created moments ago by create-flow
    const membership = await docClient.send(
      new GetCommand({
        TableName: process.env.FLOW_MEMBERSHIPS_TABLE_NAME,
        Key: {
          userId: userId,
          flowId: body.flowId
        },
        ConsistentRead: true
      })
    )
 
    if (!membership.Item) {
      return {
        statusCode: 403,
        headers: {
          'Content-Type': 'application/json',
          'Access-Control-Allow-Origin': '*'
        },
        body: JSON.stringify({ error: 'You are not a member of this flow' })
      }
    }
 
    if (membership.Item.status !== 'active') {
      return {
        statusCode: 403,
        headers: {
          'Content-Type': 'application/json',
          'Access-Control-Allow-Origin': '*'
        },
        body: JSON.stringify({ error: `Membership status is ${membership.Item.status}` })
      }
    }
 
    // Update Cognito user custom attribute
    await cognitoClient.send(
      new AdminUpdateUserAttributesCommand({
        UserPoolId: process.env.USER_POOL_ID,
        Username: userId,
        UserAttributes: [
          {
            Name: 'custom:flowId',
            Value: body.flowId
          }
        ]
      })
    )
 
    return {
      statusCode: 200,
      headers: {
        'Content-Type': 'application/json',
        'Access-Control-Allow-Origin': '*'
      },
      body: JSON.stringify({
        message: 'Flow context switched successfully',
        flowId: body.flowId,
        roleIds: membership.Item.roleIds
      })
    }
  } catch (error) {
    console.error('Error:', error)
    return {
      statusCode: 500,
      headers: {
        'Content-Type': 'application/json',
        'Access-Control-Allow-Origin': '*'
      },
      body: JSON.stringify({ error: 'Failed to switch flow context' })
    }
  }
}