The latest articles on Forem by Tanja Bayer (@tanjabayer). https://forem.com/tanjabayer https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1067458%2F27865ba6-ca2d-4051-ae68-e17e5cadcb76.jpeg https://forem.com/tanjabayer en Tanja Bayer Tue, 25 Feb 2025 18:00:00 +0000 https://forem.com/cubesoft/vector-search-demystified-a-guide-to-pgvector-ivfflat-and-hnsw-36hf https://forem.com/cubesoft/vector-search-demystified-a-guide-to-pgvector-ivfflat-and-hnsw-36hf <h2> Vector Databases: The Engine Behind Modern AI Applications </h2> <p>In an era where AI is reshaping how we interact with data, vector databases have emerged as the unsung heroes powering everything from Netflix recommendations to ChatGPT's semantic understanding. Let's decode why they're becoming the backbone of intelligent applications—and how to choose the right approach for your needs.</p> <h2> The Rise of Vector Search: More Than Just Keywords </h2> <p>Remember the old days of exact-match search? Type "running shoes" and pray the product had those exact words in its title. Vector databases changed the game entirely. Now your search for "comfortable athletic footwear" finds those perfect Nike Air Max sneakers—even if they never used those exact words in their description.</p> <blockquote> <p>"Traditional databases are like dictionaries—great for looking up exact words. Vector databases are like having a librarian who understands what you mean, not just what you say."</p> </blockquote> <h2> What Makes Vector Databases Special? </h2> <p>Vector databases store data as mathematical coordinates in high-dimensional space. Think of it like this:</p> <ul> <li> <strong>Traditional Database</strong>: "Does this word match exactly?"</li> <li> <strong>Vector Database</strong>: "How close is this concept to what we're looking for?" This fundamental shift enables:</li> </ul> <ol> <li> <strong>Semantic Search</strong>: Understanding meaning, not just matching text</li> <li> <strong>Recommendation Systems</strong>: Finding truly similar items</li> <li> <strong>AI-Powered Features</strong>: Natural language processing at scale</li> <li> <strong>Image and Audio Search</strong>: Finding visual or sonic similarities</li> </ol> <h2> The Technical Foundation: Vector Embeddings </h2> <p>At their core, vector databases work with embeddings—numerical representations of data in multi-dimensional space. Here's what that means in practice:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Example: Word embeddings "cat" → [0.2, 0.5, -0.1, 0.8, ...] "kitten" → [0.3, 0.4, -0.2, 0.7, ...] "dog" → [-0.1, 0.6, 0.2, 0.3, ...] </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcseyteja6bh125itihyt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcseyteja6bh125itihyt.png" alt="Simplified query vector representation of the query “Kitten” [Source](https://opendatascience.com/a-gentle-introduction-to-vector-search/)&lt;br&gt; " width="800" height="375"></a></p> <p>These vectors capture semantic relationships. Similar concepts end up closer together in this mathematical space.</p> <h2> Choosing Your Vector Index: IVFFlat vs. HNSW </h2> <p>When implementing vector search with pgvector, you'll face a crucial decision between two indexing methods. Here's the practical breakdown:</p> <h3> IVFFlat: The Efficient Workhorse </h3> <ul> <li> <strong>Build Time</strong>: ️ Fast</li> <li> <strong>Memory Usage</strong>: Lower</li> <li> <strong>Query Speed</strong>: Moderate</li> <li> <strong>Best For</strong>: Smaller datasets, limited resources</li> </ul> <h3> HNSW: The Speed Demon </h3> <ul> <li> <strong>Build Time</strong>: Slower</li> <li> <strong>Memory Usage</strong>: Higher</li> <li> <strong>Query Speed</strong>: Very Fast</li> <li> <strong>Best For</strong>: Production apps needing quick responses</li> </ul> <h2> Real-World Decision Matrix </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Requirement</th> <th>IVFFlat</th> <th>HNSW</th> </tr> </thead> <tbody> <tr> <td>Dataset &lt; 1M vectors</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Low memory environment</td> <td>✅</td> <td>❌</td> </tr> <tr> <td>Sub-10ms queries needed</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Frequent updates</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Quick initial setup.</td> <td>✅</td> <td>❌</td> </tr> </tbody> </table></div> <h2> Performance in Numbers </h2> <p>Results of a dataset of around 1M vectors of 50 dimensions. With 10K queries and 10 nearest neighbors.</p> <ul> <li>Build Time: <ul> <li>IVFFlat: 128 seconds</li> <li>HNSW: 4065 seconds</li> </ul> </li> <li>Query Speed: <ul> <li>IVFFlat: 2.6 QPS</li> <li>HNSW: 40.5 QPS</li> </ul> </li> <li>Memory Usage: <ul> <li>IVFFlat: 257MB</li> <li>HNSW: 729MB</li> </ul> </li> </ul> <p><a href="https://www.tembo.io/blog/vector-indexes-in-pgvector" rel="noopener noreferrer">Resource</a></p> <h2> Best Practices &amp; Implementation Tips </h2> <ol> <li> <p>Start Simple</p> <ul> <li>Begin with IVFFlat unless you know you need HNSW's speed</li> <li>Measure real-world query patterns before optimizing</li> </ul> </li> <li> <p>Monitor &amp; Maintain</p> <ul> <li>Track query times and accuracy</li> <li>Schedule regular index rebuilds for IVFFlat</li> <li>Monitor memory usage, especially with HNSW</li> </ul> </li> <li> <p>Optimize Gradually</p> <ul> <li>Start with default parameters</li> <li>Tune based on actual performance metrics</li> <li>Consider A/B testing different configurations</li> </ul> </li> </ol> <h2> Looking Forward: The Future of Vector Search </h2> <p>As AI continues to evolve, vector databases will become even more crucial. We're seeing exciting developments in:</p> <ul> <li>Hybrid searches combining vector and traditional queries</li> <li>Automated index optimization</li> <li>Hardware acceleration for vector operations</li> </ul> <h2> Next Steps </h2> <p>Ready to implement vector search in your application?</p> <ol> <li>Start Small: Test with a subset of your data</li> <li>Measure: Benchmark what matters for your use case</li> <li>Scale: Choose the right index based on real requirements</li> </ol> <p>Want to dive deeper? Join our community <a href="https://discord.com/invite/7MrycEAgak" rel="noopener noreferrer">Discord</a>.</p> <p>Remember: The best vector database implementation is the one that meets your specific needs - not necessarily the one with the most impressive benchmark numbers.</p> postgres vectordatabase ai Tanja Bayer Wed, 05 Feb 2025 09:37:48 +0000 https://forem.com/cubesoft/how-to-set-up-a-github-actions-self-hosted-runner-on-macos-15-2pid https://forem.com/cubesoft/how-to-set-up-a-github-actions-self-hosted-runner-on-macos-15-2pid <p>Migrating to GitHub offers numerous advantages, but it also presents opportunities to optimize your workflow environment. In our journey, we aimed to reduce operational costs without sacrificing the flexibility required for our continuous integration and deployment (CI/CD) processes. By setting up self-hosted runners on macOS 15+, we gained control over our build environment while managing expenses effectively. This guide will walk you through the steps we took, the challenges we faced, and how you can implement a similar setup.</p> <h2> Introduction </h2> <p>In an effort to optimize costs while maintaining the flexibility of our CI/CD pipelines, we decided to set up self-hosted runners on macOS after migrating from Bitbucket to GitHub. Self-hosted runners allow us to use our own infrastructure (using all the idle capacity of our powerful developer MacBooks) for running GitHub Actions workflows, which can lead to significant cost savings, especially when dealing with resource-intensive tasks or macOS-specific builds.<br> However, the process wasn't without its hurdles. We encountered several challenges, particularly with setting up the runners as services on macOS 15+. This guide aims to help you navigate these challenges and set up your own self-hosted runners efficiently.</p> <h2> General Setup of a Self-Hosted Runner </h2> <p>Setting up a self-hosted runner involves adding the runner to your GitHub organization and configuring it on your macOS machine.</p> <h3> Adding a Self-Hosted Runner to Your Organization </h3> <ol> <li>Navigate to Your Organization on GitHub:</li> </ol> <ul> <li>Go to the main page of your GitHub organization.</li> <li>Under your organization name, click on Settings.</li> </ul> <ol> <li>Access Runners Settings: <ul> <li>In the left sidebar, click Actions.</li> <li>Then, click on Runners.</li> </ul> </li> <li>Add a New Runner: <ul> <li>Click New runner, then select New self-hosted runner.</li> </ul> </li> <li>Choose Operating System and Architecture: <ul> <li>Select macOS as the operating system.</li> <li>Choose the appropriate architecture (usually x64 ).</li> </ul> </li> <li>Follow Setup Instructions: <ul> <li>GitHub will provide you with a series of shell commands.</li> <li>Open a terminal on your macOS machine.</li> <li>Run each command in order to download and configure the runner application.</li> </ul> </li> </ol> <h3> Verifying the Runner </h3> <p>After completing the setup:</p> <ul> <li>Ensure the runner is listed under Runners in your organization's settings.</li> <li>The terminal should display:</li> <li>Code kopieren</li> <li>√ Connected to GitHub [Timestamp]: Listening for Jobs This means your runner is active and ready to accept jobs.</li> </ul> <h2> Configuring the Runner as a Service on macOS 15+ </h2> <p>Running the self-hosted runner as a service ensures it starts automatically and runs in the background.</p> <h3> Installing the Service </h3> <h4> Stop the Runner Application: </h4> <p>If the runner is currently running, stop it by pressing Ctrl + C in the terminal.</p> <h4> Install the Service </h4> <p>Navigate to your runner's directory in the terminal.<br> Run the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./svc.sh <span class="nb">install</span> </code></pre> </div> <h4> Starting the Service </h4> <p>Start the service with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./svc.sh start </code></pre> </div> <h4> Checking the Service Status </h4> <p>Check if the service is running correctly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./svc.sh status </code></pre> </div> <h4> Stopping and Uninstalling the Service </h4> <p>Stop the Service<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./svc.sh stop </code></pre> </div> <h4> Uninstall the Service </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./svc.sh uninstall </code></pre> </div> <h2> Prioritizing Self-Hosted Runners in Workflows </h2> <p>To optimize resource usage, you can configure your workflows to prioritize self-hosted runners but fall back to GitHub-hosted runners if none are available.<br> Modifying Your Workflow YAML<br> Add the following jobs to your workflow file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">check-runner</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">runner-label</span><span class="pi">:</span> <span class="s">${{ steps.set-runner.outputs.runner-label }}</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.ORG_RUNNER_STATUS_ACCESS_TOKEN }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set runner</span> <span class="na">id</span><span class="pi">:</span> <span class="s">set-runner</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">runners=$(gh api -H "Accept: application/vnd.github+json" /orgs/${{ github.repository_owner }}/actions/runners)</span> <span class="s">available=$(echo "$runners" | jq '.runners[] | select(.status == "online" and .busy == false and .labels[] .name == "self-hosted")')</span> <span class="s">if [ -n "$available" ]; then</span> <span class="s">echo "runner-label=self-hosted" &gt;&gt; $GITHUB_OUTPUT</span> <span class="s">else</span> <span class="s">echo "runner-label=ubuntu-latest" &gt;&gt; $GITHUB_OUTPUT</span> <span class="s">fi</span> <span class="na">your-job</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">check-runner</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">${{ needs.check-runner.outputs.runner-label }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="c1"># Your job steps here</span> </code></pre> </div> <h3> Explanation </h3> <h4> Check-Runner Job </h4> <p>Checks if any self-hosted runners are online and not busy. Sets runner-label to self-hosted if available, otherwise ubuntu-latest .</p> <h4> Your-Job : </h4> <p>Specifies runs-on dynamically based on runner-label . Ensures your job uses a self-hosted runner if available.</p> <h3> Setting Up Organization Secrets </h3> <h4> Create an Access Token : </h4> <p>Generate a Personal Access Token (PAT) with read access to organization self hosted runners : <a href="https://github.com/settings/tokens?type=beta" rel="noopener noreferrer">Github Settings</a> . This token is used to authenticate GitHub CLI commands in your workflow.</p> <h4> Add the Token to Organization Secrets : </h4> <p>Go to your organization settings on GitHub. Navigate to <strong>Secrets and variables &gt; Actions &gt; New organization secret</strong> . Name it ORG_RUNNER_STATUS_ACCESS_TOKEN and paste your PAT.</p> <h2> Common Pitfalls and Solutions </h2> <p>During our setup, we faced several issues. Here's how to solve them.</p> <h3> 1. Permission Issues with Installing the Service </h3> <h4> Problem: </h4> <p>Running ./svc.sh install fails due to permission issues with LaunchAgents.</p> <h4> Solution: </h4> <p>Grant read/write permissions to your user for the LaunchAgents directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo chown</span> <span class="nt">-R</span> <span class="si">$(</span><span class="nb">whoami</span><span class="si">)</span> ~/Library/LaunchAgents/ </code></pre> </div> <h3> 2. Runner Not Showing as "Online" </h3> <h4> Problem : </h4> <p>The runner remains offline, and the stderr.log file shows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>shell-init: error retrieving current directory: getcwd: cannot access parent directories: Operation not permitted /bin/bash: /path/to/actions-runner/runsvc.sh: Operation not permitted </code></pre> </div> <h4> Solution : </h4> <p><strong>Grant Full Disk Access to Bash :</strong></p> <ul> <li>Open System Preferences &gt; Security &amp; Privacy &gt; Privacy tab.</li> <li>Scroll down and select Full Disk Access .</li> <li>Click the lock icon to make changes and authenticate.</li> <li>Click the + button to add an application.</li> <li>Press Command + Shift + . to reveal hidden folders.</li> <li>Navigate to /bin and select bash . <strong>Reinstall the Service :</strong> Stop and uninstall the service: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./svc.sh stop ./svc.sh uninstall </code></pre> </div> <p>Reinstall and start the service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./svc.sh <span class="nb">install</span> ./svc.sh start </code></pre> </div> <h2> Conclusion </h2> <p>By setting up self-hosted runners on macOS 15+, we achieved significant cost savings without compromising on the flexibility of our CI/CD pipelines. This hybrid approach allows us to utilize our own infrastructure when available and seamlessly fall back to GitHub-hosted runners when necessary.</p> <h3> Key takeaways: </h3> <ul> <li>Cost Optimization : Self-hosted runners reduce reliance on paid GitHub-hosted runners, lowering operational costs.</li> <li>Flexibility : Maintaining the ability to run workflows on GitHub-hosted runners ensures builds are not stalled due to unavailable resources.</li> <li>Control Over Environment : Self-hosted runners provide full control over the software and hardware environment.</li> </ul> githubactions github ci cicd Tanja Bayer Wed, 08 May 2024 06:26:22 +0000 https://forem.com/cubesoft/mastering-angular-ssr-enabling-custom-http-responses-404-301-55pc https://forem.com/cubesoft/mastering-angular-ssr-enabling-custom-http-responses-404-301-55pc <p>Welcome to the first post in our series on optimizing Angular apps for search enginge optimisation (SEO)! In this post, we'll walk you through enabling your Angular app to return custom HTTP responses, such as 404 (Not Found) and 301 (Permanent Redirect), using Angular SSR.</p> <h2> Why is This Important? </h2> <p>When optimizing your Angular app for SEO, it's crucial to provide the correct HTTP status codes. Here's why returning accurate 404 and 301 responses improves SEO over always returning a 200 status:</p> <h3> Search Engine Understanding: </h3> <ul> <li><p><strong>404 (Not Found)</strong>: When search engines encounter a 404 status, they understand that the page does not exist. This prevents them from indexing non-existent content, which could lead to penalties for having "soft 404" pages (pages that return a 200 status but have no useful content).</p></li> <li><p><strong>301 (Permanent Redirect)</strong>: Tells search engines that the requested URL has permanently moved to a new location. This consolidates SEO value to the new URL, ensuring that link equity (backlinks, page authority) is transferred correctly.</p></li> </ul> <h3> Crawl Efficiency: </h3> <ul> <li>By signaling the correct 404 status for non-existent pages, search engines won't waste crawl budget trying to index irrelevant pages.</li> <li>With a 301 status, search engines quickly find and index the new URL, improving the discoverability of updated content.</li> </ul> <h3> Improved User Experience: </h3> <ul> <li>While the user is still redirected internally or sees a custom 404 page, search engines receive accurate status codes that help them index the site correctly.</li> <li>Ensuring users land on useful, relevant content reduces bounce rates and increases engagement.</li> <li>By implementing 404 and 301 responses correctly, you ensure that search engines interpret your content accurately, improving your app's search visibility and overall user experience.</li> </ul> <h2> Implementation Details </h2> <p>To enable custom HTTP responses (404, 301) in your Angular 17+ app with built-in SSR support, follow these steps:</p> <h3> 1. Soft 404 Component </h3> <p>In your component that handles soft 404 pages, inject the Response object conditionally to ensure it's only used server-side:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CommonModule</span><span class="p">,</span> <span class="nx">isPlatformServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ChangeDetectionStrategy</span><span class="p">,</span> <span class="nx">Component</span><span class="p">,</span> <span class="nx">Inject</span><span class="p">,</span> <span class="nx">Optional</span><span class="p">,</span> <span class="nx">PLATFORM_ID</span><span class="p">,</span> <span class="nx">inject</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RESPONSE</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./server.token</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Component</span><span class="p">({</span> <span class="na">selector</span><span class="p">:</span> <span class="dl">'</span><span class="s1">app-soft-404</span><span class="dl">'</span><span class="p">,</span> <span class="na">standalone</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">CommonModule</span><span class="p">],</span> <span class="na">templateUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./soft-404.component.html</span><span class="dl">'</span><span class="p">,</span> <span class="na">styleUrls</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">./soft-404.component.scss</span><span class="dl">'</span><span class="p">],</span> <span class="na">changeDetection</span><span class="p">:</span> <span class="nx">ChangeDetectionStrategy</span><span class="p">.</span><span class="nx">OnPush</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">Soft404Component</span> <span class="p">{</span> <span class="nx">platformId</span> <span class="o">=</span> <span class="nf">inject</span><span class="p">(</span><span class="nx">PLATFORM_ID</span><span class="p">);</span> <span class="nf">constructor</span><span class="p">(</span> <span class="p">@</span><span class="nd">Optional</span><span class="p">()</span> <span class="p">@</span><span class="nd">Inject</span><span class="p">(</span><span class="nx">RESPONSE</span><span class="p">)</span> <span class="k">private</span> <span class="nx">response</span><span class="p">:</span> <span class="nx">Response</span> <span class="p">)</span> <span class="p">{</span> <span class="c1">// Only executes server-side</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPlatformServer</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">platformId</span><span class="p">))</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">response</span><span class="p">?.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Create a Response Token </h3> <p>Provide the Response token that you'll use for dependency injection (<code>server.token.ts</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">InjectionToken</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">RESPONSE</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">InjectionToken</span><span class="o">&lt;</span><span class="nx">Response</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">RESPONSE</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h3> 3. 301 Redirect Component </h3> <p>In a component that handles redirects, use the Response object for server-side 301 redirection. If you're not on the server, navigate client-side with Angular Router.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CommonModule</span><span class="p">,</span> <span class="nx">isPlatformServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ChangeDetectionStrategy</span><span class="p">,</span> <span class="nx">Component</span><span class="p">,</span> <span class="nx">Inject</span><span class="p">,</span> <span class="nx">Optional</span><span class="p">,</span> <span class="nx">PLATFORM_ID</span><span class="p">,</span> <span class="nx">inject</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Router</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/router</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RESPONSE</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./tokens/server.token</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Component</span><span class="p">({</span> <span class="na">selector</span><span class="p">:</span> <span class="dl">'</span><span class="s1">app-redirect</span><span class="dl">'</span><span class="p">,</span> <span class="na">standalone</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">CommonModule</span><span class="p">],</span> <span class="na">templateUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./redirect.component.html</span><span class="dl">'</span><span class="p">,</span> <span class="na">styleUrls</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">./redirect.component.scss</span><span class="dl">'</span><span class="p">],</span> <span class="na">changeDetection</span><span class="p">:</span> <span class="nx">ChangeDetectionStrategy</span><span class="p">.</span><span class="nx">OnPush</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">RedirectComponent</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">platformId</span> <span class="o">=</span> <span class="nf">inject</span><span class="p">(</span><span class="nx">PLATFORM_ID</span><span class="p">);</span> <span class="nf">constructor</span><span class="p">(</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">router</span><span class="p">:</span> <span class="nx">Router</span><span class="p">,</span> <span class="p">@</span><span class="nd">Optional</span><span class="p">()</span> <span class="p">@</span><span class="nd">Inject</span><span class="p">(</span><span class="nx">RESPONSE</span><span class="p">)</span> <span class="k">private</span> <span class="nx">response</span><span class="p">:</span> <span class="nx">Response</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">redirectUrl</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/new-url</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Build your URL with your own logic</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPlatformServer</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">platformId</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="k">this</span><span class="p">.</span><span class="nx">response</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="mi">301</span><span class="p">,</span> <span class="nx">redirectUrl</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">router</span><span class="p">.</span><span class="nf">navigate</span><span class="p">([</span><span class="nx">redirectUrl</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Update server.ts </h3> <p>Update server.ts to include the Response token and ensure proper error handling:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="c1">// All regular routes use the Angular engine</span> <span class="nx">server</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">commonEngine</span> <span class="p">.</span><span class="nf">render</span><span class="p">({</span> <span class="na">bootstrap</span><span class="p">:</span> <span class="nx">AppServerModule</span><span class="p">,</span> <span class="na">documentFilePath</span><span class="p">:</span> <span class="nx">indexHtml</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">protocol</span><span class="p">}</span><span class="s2">://</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">host</span><span class="p">}${</span><span class="nx">req</span><span class="p">.</span><span class="nx">originalUrl</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">publicPath</span><span class="p">:</span> <span class="nx">browserDistFolder</span><span class="p">,</span> <span class="c1">// Make sure to provide the RESPONSE here</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="nx">RESPONSE</span><span class="p">,</span> <span class="na">useValue</span><span class="p">:</span> <span class="nx">res</span> <span class="p">}</span> <span class="p">],</span> <span class="na">inlineCriticalCss</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="c1">// If the res.headersSent is true do not send again</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">html</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">headersSent</span> <span class="p">?</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">html</span><span class="p">)</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">))</span> <span class="p">.</span><span class="k">catch</span><span class="p">((</span><span class="na">error</span><span class="p">:</span> <span class="nb">Error</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">next</span><span class="p">(</span><span class="nx">error</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>By following these steps, your Angular app will be able to handle custom 404 and 301 responses accurately, improving both user experience and SEO.</p> <h2> Trouble Shooting </h2> <ul> <li> <strong>I you receive the error: <code>Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client</code>.</strong> Make sure you have the following line in your <code>server.ts</code> file. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">html</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="o">!</span><span class="nx">res</span><span class="p">.</span><span class="nx">headersSent</span> <span class="p">?</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">html</span><span class="p">)</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">))</span> </code></pre> </div> <ul> <li><p><strong>If you get the error: <code>TypeError: Cannot read properties of null (reading 'status')</code>.</strong><br> It looks like you are running your app in development mode and forgot to mark the <code>this.response</code> as optional. Make sure you add the <code>?</code>. The <code>RESPONSE</code> is only injected on a production build.</p></li> <li><p><strong>If you receive the error: <code>Error [NullInjectorError]: R3InjectorError(Standalone[_a])[InjectionToken RESPONSE -&gt; InjectionToken RESPONSE -&gt; InjectionToken RESPONSE -&gt; InjectionToken RESPONSE]</code></strong><br> It seems you forgot to mark the RESPONSE injection as Optional. In your constructur check you added the @Optional() before the @Inject(RESPONSE).</p></li> </ul> <h2> Final Thoughts </h2> <p>Now your Angular app is capable of returning 404 and 301 HTTP responses! Server-side rendering helps provide better responses and search engine optimization. Stay tuned for the next blog post in this series, where we dive deeper into enhancing SSR performance and improving SEO.</p> <p><strong>What other topics are you interested in related to Angular an SEO? Let me know, I am always on the search for new topics to write about.</strong></p> <p><em>Hey there, dear readers! Just a quick heads-up: we're code whisperers, not Shakespearean poets, so we've enlisted the help of a snazzy AI buddy to jazz up our written word a bit. Don't fret, the information is top-notch, but if any phrases seem to twinkle with literary brilliance, credit our bot. Remember, behind every great blog post is a sleep-deprived developer and their trusty AI sidekick.</em></p> seo angular ssr howto Tanja Bayer Tue, 16 Jan 2024 18:00:00 +0000 https://forem.com/cubesoft/mastering-log-retrieval-in-ecs-services-from-initial-trials-to-advanced-solutions-1bf8 https://forem.com/cubesoft/mastering-log-retrieval-in-ecs-services-from-initial-trials-to-advanced-solutions-1bf8 <p>In the ever-evolving landscape of containerized applications, managing and accessing logs presents a universal challenge for developers and system administrators alike. Effective log management is crucial for maintaining operational efficiency, ensuring security, and facilitating prompt troubleshooting. However, the diverse nature of applications and the complexity of container orchestration platforms often turn log management into a daunting task. This blog post delves into a common yet intricate issue faced in log management within Amazon ECS (Elastic Container Service) environments. We encountered this challenge firsthand while working with various applications, including Shopware, where the intricacies of plugin-generated logs posed a unique set of hurdles. Our journey from an initial, straightforward approach to a more sophisticated and effective solution offers insights and lessons valuable for anyone grappling with similar log management challenges in containerized services.</p> <h2> The Problem </h2> <p>The challenge we faced was integrating Shopware's file-based logs into a centralized logging system like AWS CloudWatch. Unlike standard logging practices, Shopware writes logs to separate files, not the console, complicating their capture and monitoring in Amazon ECS environments.</p> <h2> The First Approach </h2> <p>Initially, we attempted to tackle the log integration issue using a configuration within supervisord.conf. Our strategy was to employ the tail command to continuously read the latest entries from Shopware's log files and redirect these entries to the standard output (stdout) and standard error (stderr). This method was designed to mimic the behavior of console logging, thereby facilitating the integration of these logs into AWS CloudWatch. The relevant part of our supervisord.conf looked something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[program:prod_logs] command=tail -f /sw6/var/log/prod*.log stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0 stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 autorestart=false startretries=0 </code></pre> </div> <p>This setup aimed to ensure that all log data from Shopware's files were captured as if they were console outputs, theoretically allowing for seamless integration into CloudWatch.</p> <p>However, we encountered a significant limitation. The tail command in our supervisor configuration was initiated at the start of the container's lifecycle. This meant that if the log files specified did not exist at startup (a common occurrence with dynamically created plugin logs), tail would fail to track these files, resulting in missed log entries. Consequently, this approach proved to be partially effective but not entirely reliable, especially for logs generated after the initial startup process.</p> <p>Recognizing these limitations, we realized the need for a more robust solution that could dynamically adapt to the creation of new log files and ensure comprehensive log capture for our monitoring needs.</p> <h2> A Better Approach </h2> <p>Realizing the limitations of our initial method, we shifted our focus towards a more dynamic and robust solution: the implementation of the FireLens Log Driver in our ECS service. FireLens, a log router for Amazon ECS, offers the flexibility to route container logs to various destinations, including AWS CloudWatch, with enhanced processing capabilities.</p> <p>We configured our ECS tasks to use FireLens, specifically utilizing Fluent Bit, an open-source log processor and forwarder. This setup enabled us to define custom log routing and processing rules, tailored to the unique structure of Shopware's log files.</p> <p>Here’s an overview of how we configured FireLens with Fluent Bit:</p> <ol> <li> <strong>Task Definition Enhancement</strong>: We modified our ECS task definitions to include the FireLens configuration, specifying Fluent Bit as the log router.</li> <li> <strong>Custom Log Processing</strong>: Fluent Bit allowed us to create custom configurations to tail the Shopware log files, process the log data (like adding metadata, filtering, or transforming log formats), and then route them effectively to CloudWatch.</li> <li> <strong>Dynamic Log File Handling</strong>: Unlike our initial approach, Fluent Bit's ability to dynamically detect and tail new log files resolved the issue of missing logs that were created after the container started.</li> <li> <strong>Streamlined Integration</strong>: This setup streamlined the integration of Shopware’s logs into CloudWatch, ensuring that all log data, regardless of when it was generated, was consistently captured and made available for monitoring and analysis.</li> </ol> <p>By leveraging FireLens's flexibility and Fluent Bit’s dynamic file tailing capabilities, we successfully integrated Shopware's logs into CloudWatch, enhancing our overall monitoring and operational efficiency in the ECS environment.</p> <h2> Implementation Details </h2> <p>Implementing the FireLens Log Driver in our ECS service involved several key steps. Below, I outline the process with generic code snippets, providing a blueprint that can be adapted to similar scenarios.</p> <h3> Configuring the Logs for the Firelens Container </h3> <p>First, we set up the FireLens container, ensuring that its logs, particularly errors, were captured for monitoring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">containerLogDriver</span> <span class="o">=</span> <span class="nx">LogDriver</span><span class="p">.</span><span class="nf">awsLogs</span><span class="p">({</span> <span class="na">streamPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">firelens</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Replace if you want</span> <span class="na">logGroup</span><span class="p">:</span> <span class="nx">logGroup</span> <span class="p">});</span> </code></pre> </div> <h3> FireLens Log Driver Setup </h3> <p>We configured the FireLens Log Driver with specific options to route logs to AWS CloudWatch<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fireLensLogDriver</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FireLensLogDriver</span><span class="p">({</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cloudwatch</span><span class="dl">'</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-region</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Specify the AWS region</span> <span class="na">delivery_stream</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application-stream-name</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Customize the stream name</span> <span class="na">log_group_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">name-of-aws-log-group</span><span class="dl">'</span><span class="p">,</span> <span class="na">log_stream_name</span><span class="p">:</span> <span class="s2">`/application/</span><span class="p">${</span><span class="nf">uuid</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="c1">// Replace with a unique identifier</span> <span class="na">log_key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">log</span><span class="dl">'</span><span class="p">,</span> <span class="na">auto_create_group</span><span class="p">:</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> Task Definition for the Application Container </h3> <p>In the task definition for the application container, we included the FireLens Log Driver and specified mount points for log volumes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">taskDefinition</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TaskDefinition</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TaskDefinition</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Task definition properties</span> <span class="na">volumes</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// Other volumes</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">logVolumeName</span> <span class="p">}</span> <span class="c1">// use a preferred name here</span> <span class="p">]</span> <span class="p">});</span> <span class="nx">taskDefinition</span> <span class="p">.</span><span class="nf">addContainer</span><span class="p">(</span><span class="dl">'</span><span class="s1">ApplicationContainer</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// Other container properties</span> <span class="na">containerName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application</span><span class="dl">'</span><span class="p">,</span> <span class="na">essential</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">logging</span><span class="p">:</span> <span class="nx">fireLensLogDriver</span> <span class="p">}).</span><span class="nf">addMountPoints</span><span class="p">({</span> <span class="na">sourceVolume</span><span class="p">:</span> <span class="nx">logVolumeName</span><span class="p">,</span> <span class="na">containerPath</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/path/to/logs</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Path to the log directory for shopware /sw6/var/logs</span> <span class="na">readOnly</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> </code></pre> </div> <h3> Custom FireLens Image </h3> <p>We created a custom Docker image for FireLens to tailor it to our specific needs. This involved starting with the base image from Amazon's AWS for Fluent Bit and adding our custom configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># We run on ARM64, but you can use the x86 version just remove the platform part FROM --platform=linux/arm64 amazon/aws-for-fluent-bit:latest RUN mkdir -p /sw6/var/log ADD logConfig.conf /logConfig.conf </code></pre> </div> <h3> Fluent Bit Configuration: logConfig.conf </h3> <p>The logConfig.conf file is crucial as it defines how Fluent Bit will process and forward logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INPUT] Name tail Tag container-logs # Change if you have another directory, according to the path in the Path /sw6/var/log/*.log DB /sw6/var/log/flb_service.db DB.locking true Skip_Long_Lines On Refresh_Interval 10 Rotate_Wait 30 [OUTPUT] Name cloudwatch # make sure the part before -firelens* matches your container name in the task definition Match shopware-firelens* region eu-west-1 log_group_name shopware-$(ecs_cluster) log_stream_name /console/$(ecs_task_id) auto_create_group true retry_limit 2 Name cloudwatch # use same name as in the Tag section of Input Match container-logs region eu-west-1 log_group_name shopware-$(ecs_cluster) log_stream_name /container/$(ecs_task_id) auto_create_group true retry_limit 2 </code></pre> </div> <p>This configuration allows us to tail all log files dynamically in the Shopware logs folder and manage console output effectively.</p> <h3> Adaptions to Dockerfile used in Service </h3> <p>If you encounter problems with your service - in our case shopware - writing to the log files, because of missing permissions make sure you create the DIR in your Dockerfile and mount it in your Docker<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>USER sw6 RUN mkdir -P /sw6/var/log &amp;&amp; chown -R sw6:sw6 /sw6/var/log VOLUME ["/sw6/var/log"] </code></pre> </div> <h3> Repository Creation and Docker Image Deployment </h3> <p>We then created a repository and deployed the custom Fluent Bit Docker image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">tag</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">toString</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">fluentbitRepository</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Repository</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">aws-for-fluentbit</span><span class="dl">'</span><span class="p">);</span> <span class="nx">shopwareContainerRepository</span><span class="p">.</span><span class="nf">grantPull</span><span class="p">(</span><span class="nx">shopwareTaskDefinition</span><span class="p">.</span><span class="nf">obtainExecutionRole</span><span class="p">());</span> <span class="k">new</span> <span class="nc">DockerImageDeployment</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">fluentbit-docker-image-deployment</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="c1">// make sure to specify the correct platform, which matches to the one specified in your Dockerfile</span> <span class="na">source</span><span class="p">:</span> <span class="nx">Source</span><span class="p">.</span><span class="nf">directory</span><span class="p">(</span><span class="dl">'</span><span class="s1">/path/to/docker/fluent-bit/</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="nx">Platform</span><span class="p">.</span><span class="nx">LINUX_ARM64</span> <span class="p">}),</span> <span class="na">destination</span><span class="p">:</span> <span class="nx">Destination</span><span class="p">.</span><span class="nf">ecr</span><span class="p">(</span><span class="nx">fluentbitRepository</span><span class="p">,</span> <span class="p">{</span> <span class="nx">tag</span> <span class="p">})</span> <span class="p">});</span> </code></pre> </div> <h3> FireLens Log Router Configuration </h3> <p>Finally, we configured the FireLens log router with Fluent Bit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">taskDefinition</span> <span class="p">.</span><span class="nf">addFirelensLogRouter</span><span class="p">(</span><span class="dl">'</span><span class="s1">firelog-router</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">firelensConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">FirelensLogRouterType</span><span class="p">.</span><span class="nx">FLUENTBIT</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">configFileType</span><span class="p">:</span> <span class="nx">FirelensConfigFileType</span><span class="p">.</span><span class="nx">FILE</span><span class="p">,</span> <span class="na">configFileValue</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/logConfig.conf</span><span class="dl">'</span><span class="p">,</span> <span class="na">enableECSLogMetadata</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">},</span> <span class="na">logging</span><span class="p">:</span> <span class="nx">containerLogDriver</span><span class="p">,</span> <span class="na">image</span><span class="p">:</span> <span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromEcrRepository</span><span class="p">(</span><span class="nx">repository</span><span class="p">,</span> <span class="nx">tag</span><span class="p">),</span> <span class="c1">// Additional properties</span> <span class="na">containerName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">firelens-router</span><span class="dl">'</span><span class="p">,</span> <span class="na">cpu</span><span class="p">:</span> <span class="nx">cpuValue</span><span class="p">,</span> <span class="na">memoryLimitMiB</span><span class="p">:</span> <span class="nx">memoryValue</span> <span class="p">})</span> <span class="p">.</span><span class="nf">addMountPoints</span><span class="p">({</span> <span class="na">sourceVolume</span><span class="p">:</span> <span class="nx">logVolumeName</span><span class="p">,</span> <span class="na">containerPath</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/path/to/logs</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Path to the log directory same as the one in the application container above</span> <span class="na">readOnly</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> </code></pre> </div> <h3> Permission Policy for CloudWatch Logs </h3> <p>Lastly, we added a policy to the task role to allow the necessary actions for logging to CloudWatch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">logPolicyStatement</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">logs:CreateLogGroup</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:CreateLogStream</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:PutLogEvents</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:DescribeLogStreams</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">]</span> <span class="c1">// Adjust as needed for specific log groups</span> <span class="p">});</span> <span class="nx">shopwareTaskDefinition</span><span class="p">.</span><span class="nf">addToTaskRolePolicy</span><span class="p">(</span><span class="nx">logPolicyStatement</span><span class="p">);</span> </code></pre> </div> <p>These steps illustrate the general process we followed to configure FireLens with Fluent Bit for efficient log management. The configuration ensures dynamic log file handling and seamless integration of application logs into CloudWatch, significantly improving our monitoring and troubleshooting capabilities.</p> <h2> Conclusion </h2> <p>Our journey in mastering log retrieval in ECS services, particularly with Shopware, highlights the importance of adaptable and dynamic log management strategies in containerized environments. By moving from a basic supervisord.conf configuration to a more sophisticated approach using FireLens and Fluent Bit, we were able to overcome the challenges posed by file-based logging. This transition not only enhanced our ability to effectively integrate logs into AWS CloudWatch but also underscored the significance of choosing the right tools and configurations for specific use cases. Our experience demonstrates that with the right approach, even complex logging scenarios can be managed efficiently, ensuring comprehensive monitoring and analysis capabilities in cloud-based applications.</p> <p><em>Hey there, dear readers! Just a quick heads-up: we're code whisperers, not Shakespearean poets, so we've enlisted the help of a snazzy AI buddy to jazz up our written word a bit. Don't fret, the information is top-notch, but if any phrases seem to twinkle with literary brilliance, credit our bot. Remember, behind every great blog post is a sleep-deprived developer and their trusty AI sidekick.</em></p> <p><strong>Resources</strong>:<br> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FireLensLogDriver.html">AWS CDK Documentation</a></p> <p><a href="https://github.com/aws-samples/amazon-ecs-firelens-examples/tree/mainline/examples/fluent-bit/ecs-log-collectionConnect%20your%20Github%20account">FluentBit ECS Log Collection</a> </p> <p><a href="https://docs.aws.amazon.com/AmazonECS/latest/developerguide/firelens-taskdef.html">Creating a task definition that uses a FireLens configuration</a></p> shopware aws ecs typescript Tanja Bayer Tue, 18 Jul 2023 16:05:00 +0000 https://forem.com/cubesoft/securing-your-serverless-graphql-api-part-iii-3e5a https://forem.com/cubesoft/securing-your-serverless-graphql-api-part-iii-3e5a <p>Welcome back, serverless security trailblazers! We've come a long way in our 'From Zero to Serverless Hero' series. In our previous chapter, we transitioned from the theoretical realm into the tangible world of implementation, securing our serverless GraphQL API with the power of AWS Cognito and a strong authorization setup.</p> <p>In today's session, we push the boundaries of our serverless security prowess further. We're set to embark on a deeper exploration of the fascinating world of authorization. We're not just concerned with who can access our serverless API - but also the level and extent of their access. We'll decipher how to devise different access levels, meticulously tailoring permissions based on the roles of individual users.</p> <p>This installment promises to be both challenging and enlightening, delving into the complexities of managing user permissions, all to add an extra layer of fortification to our serverless GraphQL API. At the end of this post, our serverless security expertise will have broadened significantly, and we'll be a few steps closer to reaching our ultimate goal.</p> <p>Are you ready to level up your serverless security skills and go beyond the basics of API security? Let's move forward in our journey towards becoming the true serverless security heroes we aspire to be! It's time to roll up our sleeves, dive deep, and get started. The serverless saga continues!</p> <h2> Table of Contents </h2> <ul> <li>Creating Custom Scopes</li> <li>Restricting Access Bases on Scopes</li> <li>Conclusion</li> </ul> <h2> Creating Custom Scopes <a></a> </h2> <p>Before diving into the implementation part, let's quickly have a look on the theory. What are scopes and what are they used for? Scopes are like keys to the doors of our applications, opening the right passageways for users and restricting unnecessary or dangerous access.</p> <p>In the OIDC world, scopes are used to specify what access a client has to a user's details and what information is available from the user's ID token and userinfo endpoint. They act as a mechanism for the client to express the desired granularity of requested permissions.</p> <p>For example, a client could request the 'profile' scope to access the user's default profile information, such as name, picture, and locale. Or the client could request the 'email' scope to fetch user's email address. These scopes allow clients to function with the necessary user information while respecting the principle of least privilege - the concept that a client should only have access to the information it absolutely needs to perform its function.</p> <p>Understanding and implementing scopes in your OIDC configuration is an important step in creating a secure and efficient serverless infrastructure. It allows for better control and a more personalized user experience.</p> <p>You might be wondering: why are we going to implement <strong>custom</strong> scopes in our AWS Cognito setup, shouldn't Cognito support it out of the box because it is part of the OpenID definitions? Good question! Let's explore the rationale behind this move.</p> <p>In the realm of AWS Cognito, scopes are akin to permissions that are attached to an OAuth 2.0 token. When an application requires an access token from AWS Cognito, it specifies the scopes it requires. These scopes correlate to the specific API operations the application needs to execute.</p> <p>However, it's important to understand that, within AWS Cognito, scopes are not assigned on a per-user basis. Rather, they're linked to an application client or a resource server. This means that every user of a particular application client has access to the same scopes, which are defined by the client or by the resource server connected to that client.</p> <p>Now, you might be wondering, what if I need user-specific permissions? This is a common requirement in many applications, but AWS Cognito itself doesn't provide this granularity. To handle this, you would typically need to include this logic within your application or API.</p> <p>Consider a scenario where a request is made to your API. This request includes an access token from AWS Cognito. Upon receiving the request, your API would first verify this token, then extract the identity of the user. Once the user's identity is confirmed, your application would then use this identity to look up the specific permissions that apply to this user within your system.</p> <p>This is precisely why we are venturing into the domain of custom scopes. Our goal is to have an efficient, robust system that allows us to manage permissions at a granular level, ultimately delivering a secure and user-specific experience. </p> <p>Now we have reached the point where we need to update our UserModel, because it we will use it to store and check the scopes a user has:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Model</span><span class="p">,</span> <span class="nx">PartitionKey</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@cubesoft/dynamo-easy</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ScopeEnum</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../enums/scope.enum</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Model</span><span class="p">({</span> <span class="na">tableName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user_table</span><span class="dl">'</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">UserModel</span> <span class="p">{</span> <span class="p">@</span><span class="nd">PartitionKey</span><span class="p">()</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">createdAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">updatedAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">scopes</span><span class="p">:</span> <span class="nx">ScopeEnum</span><span class="p">[];</span> <span class="kd">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">createdAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nx">now</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">updatedAt</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">createdAt</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We add a array of scopes to our Model. Instead of using a string for the scopes we define a Scope enum which allows us to restrict the scopes to only specified scopes. This helps us to assign the correct scopes to a user. E.g. via an API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kr">enum</span> <span class="nx">ScopeEnum</span> <span class="p">{</span> <span class="nx">PLANT_READ</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">plant:read</span><span class="dl">'</span><span class="p">,</span> <span class="nx">PLANT_WRITE</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">plant:write</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Now that we have updated the model we would need to assign the new scopes to some of our users so that we will be able to check their scopes later. Normally you would provide this functionality via a mutation similar to a <code>addPlant</code> Mutation, and only users who have the <code>user:write</code> access would be allowed to access the mutation. However, as this is not significantly different than what we already did, we will skip this part and directly update the users in the database. In either way you need to do this one time by hand for one user, because if you restrict the user to a specific scope and no user has this scope already, you will be locked out via the api.</p> <p>So we will do it just via the aws management console:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RHOH7T6B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ldg6cum3juo0uoodi32x.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RHOH7T6B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ldg6cum3juo0uoodi32x.png" alt="Adding Scopes to a User in AWS" width="800" height="392"></a></p> <p>This gives the user the right to make changes on a plant and to view the plant object.</p> <h2> Restricting Access Bases on Scopes <a></a> </h2> <p>Now that we have granted the user the access rights we need to make sure the api checks those rights, first we will update the authChecker to read the rights from the database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">customAuthChecker</span><span class="p">:</span> <span class="nx">AuthChecker</span><span class="o">&lt;</span><span class="nx">Context</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span> <span class="p">{</span> <span class="nx">context</span> <span class="p">},</span> <span class="nx">roles</span> <span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">context</span><span class="p">.</span><span class="nx">authToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span><span class="dl">'</span><span class="s1">No valid Token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">checkTokenAndUpdateUserId</span><span class="p">(</span><span class="nx">context</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">userService</span> <span class="o">=</span> <span class="nx">Container</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="nx">UserRepository</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">UserRepository</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">context</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userService</span><span class="p">.</span><span class="nx">getUser</span><span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="nx">context</span><span class="p">.</span><span class="nx">scopes</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">scopes</span> <span class="o">??</span> <span class="p">[];</span> <span class="c1">// if the @Authorized() defines no roles</span> <span class="k">if</span> <span class="p">(</span><span class="nx">roles</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Check roles: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">roles</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nx">scopes</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span><span class="dl">'</span><span class="s1">User lacks required role</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// check roles if the @Authorized('ROLE') defines a role(s)</span> <span class="k">if</span> <span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nx">scopes</span><span class="p">.</span><span class="nx">some</span><span class="p">((</span><span class="nx">role</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">roles</span><span class="p">.</span><span class="nx">includes</span><span class="p">(</span><span class="nx">role</span><span class="p">)))</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span><span class="dl">'</span><span class="s1">User lacks required role</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p>Just updating our auth-checker like this we will see no changed behavior. To see the effect of this update we need to change the @Authorized decorator on our mutation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="p">@</span><span class="nd">Authorized</span><span class="p">([</span><span class="dl">'</span><span class="s1">plant:write</span><span class="dl">'</span><span class="p">])</span> <span class="p">@</span><span class="nd">Mutation</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">PlantType</span><span class="p">,</span> <span class="p">{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Add a new plant to the library.</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="k">async</span> <span class="nx">addPlant</span><span class="p">(</span> <span class="p">@</span><span class="nd">Arg</span><span class="p">(</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">)</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">@</span><span class="nd">Arg</span><span class="p">(</span><span class="dl">'</span><span class="s1">description</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">)</span> <span class="nx">description</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">PlantType</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">plant</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">PlantModel</span><span class="p">();</span> <span class="nx">plant</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="nx">name</span><span class="p">;</span> <span class="nx">plant</span><span class="p">.</span><span class="nx">description</span> <span class="o">=</span> <span class="nx">description</span><span class="p">;</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">plantRepository</span><span class="p">.</span><span class="nx">createOrUpdatePlant</span><span class="p">(</span><span class="nx">plant</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The new auth-checker needs access to read the data from the user table, so we need to add the following right in the <code>serverless.stack.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="nx">userTable</span><span class="p">.</span><span class="nx">grantReadWriteData</span><span class="p">(</span><span class="nx">lambda</span><span class="p">);</span> </code></pre> </div> <p>Now we can deploy the change again with <code>nx build serverless-api &amp;&amp; nx deploy serverless-cdk --profile serverless-hero</code></p> <p>Afterwards we can check again in our playground, if we log in with a user without a scope we will receive an Unauthorized Error. If we log in with a user with the plant:write scope we will be able to execute the <code>addPlant</code> mutation.</p> <h2> Conclusion <a></a> </h2> <p>In today's installment of our 'From Zero to Serverless Hero' series, we've further deepened our understanding of AWS Cognito and the intricate role of scopes within our serverless infrastructure. We've examined the way scopes are attached to an OAuth 2.0 token, acting as the gatekeepers of API operations that our applications need to perform.</p> <p>However, we've also identified a critical point: In AWS Cognito, scopes are not user-specific. They are connected to an application client or a resource server, granting the same permissions to all users of a particular application client. For more granular, user-specific permissions, we have learned that the solution must be baked into our own application or API logic.</p> <p>This realization has paved the way for us to explore custom scopes, setting the stage for us to build a system that can effectively manage user-specific permissions and deliver a tailored, secure experience. It's an exciting step forward on our journey to becoming serverless security heroes, as it introduces a new layer of depth to our understanding and capability.</p> <p>As we wrap up this post, remember that the journey to mastering serverless security is akin to piecing together a complex puzzle. Every piece of information adds a new dimension, and every step we take gets us closer to seeing the whole picture.</p> <p><em>Hey there, dear readers! Just a quick heads-up: we're code whisperers, not Shakespearean poets, so we've enlisted the help of a snazzy AI buddy to jazz up our written word a bit. Don't fret, the information is top-notch, but if any phrases seem to twinkle with literary brilliance, credit our bot. Remember, behind every great blog post is a sleep-deprived developer and their trusty AI sidekick.</em></p> aws typescript graphql serverless Tanja Bayer Wed, 05 Jul 2023 11:48:16 +0000 https://forem.com/cubesoft/securing-your-serverless-graphql-api-part-ii-166m https://forem.com/cubesoft/securing-your-serverless-graphql-api-part-ii-166m <p>Welcome back, future serverless security heroes! In the previous instalment of our 'From Zero to Serverless Hero' series, we embarked on a theoretical exploration of API security in serverless GraphQL APIs. We've discussed the critical importance of API security and unveiled various strategic considerations that need to be taken into account.</p> <p>Today, we shift gears from theory to practice. This time, we're getting our hands dirty, delving deep into the practical elements of API security and actually implementing the strategies we've previously discussed. The main goal? Transforming our knowledge into actionable intelligence, and, consequently, securing our serverless GraphQL API.</p> <p>In this session, we will be focusing on two vital topics: AWS Cognito, a robust service for user authentication, and setting up authorization for secured data access. We will understand why AWS Cognito can be the perfect tool in our arsenal for handling user authentication and how we can successfully set it up. We will also unravel the mysteries of setting up authorization, thereby ensuring that data access is tightly controlled and only accessible to the appropriate users.</p> <p>By the end of this post, we will be one step closer to our target of becoming not just serverless enthusiasts, but true serverless security heroes. Roll up your sleeves and prepare to dive into the technical deep-end of serverless GraphQL API security. The serverless journey continues, and this time, it’s all about the practicalities. Let's get started!</p> <h2> Table of Contents </h2> <ul> <li>AWS Cognito: The Perfect Tool for User Authentication and Setting It Up</li> <li>Setting Up Authorization for Secured Data Access</li> <li>Conclusion</li> </ul> <h2> AWS Cognito: The Perfect Tool for User Authentication and Setting It Up <a></a> </h2> <p>As we've discussed, user authentication is an integral part of API security. After exploring various solutions, AWS Cognito emerges as our choice for managing this crucial aspect. AWS Cognito is a comprehensive user identity and access management service that scales to millions of users, offers seamless integration with social identity providers, and comes with the robust support of Amazon's infrastructure.</p> <p>In this section, we'll walk through a step-by-step guide on setting up AWS Cognito, detailing how to effectively leverage its features to secure our serverless GraphQL API.</p> <p>Let's start with creating a cognito user pool, we will need the <code>@aws-sdk/client-cognito-identity-provider</code> library, first we will create a construct in <code>src/construct/user-authentication.construct.ts</code> to have clearly seperated functionalities, which increases code reusability:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CfnOutput</span><span class="p">,</span> <span class="nx">RemovalPolicy</span><span class="p">,</span> <span class="nx">Stack</span><span class="p">,</span> <span class="nx">custom_resources</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AccountRecovery</span><span class="p">,</span> <span class="nx">StringAttribute</span><span class="p">,</span> <span class="nx">UserPool</span><span class="p">,</span> <span class="nx">UserPoolClient</span><span class="p">,</span> <span class="nx">UserPoolDomain</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cognito</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getWorkspaceRoot</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/workspace</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">lambda</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/lambda</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ITable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-dynamodb</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Effect</span><span class="p">,</span> <span class="nx">Policy</span><span class="p">,</span> <span class="nx">PolicyStatement</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">join</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">UserAuthenticationProps</span> <span class="p">{</span> <span class="nl">userTable</span><span class="p">:</span> <span class="nx">ITable</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">UserAuthentication</span> <span class="kd">extends</span> <span class="nx">Construct</span> <span class="p">{</span> <span class="nl">userPool</span><span class="p">:</span> <span class="nx">UserPool</span><span class="p">;</span> <span class="nl">webClient</span><span class="p">:</span> <span class="nx">UserPoolClient</span><span class="p">;</span> <span class="kd">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">UserAuthenticationProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">UserPool</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user-pool</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">standardAttributes</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">mutable</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">},</span> <span class="na">customAttributes</span><span class="p">:</span> <span class="p">{</span> <span class="na">authChallenge</span><span class="p">:</span> <span class="k">new</span> <span class="nx">StringAttribute</span><span class="p">({</span> <span class="na">mutable</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">passwordPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">requireDigits</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">requireUppercase</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">requireSymbols</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="na">accountRecovery</span><span class="p">:</span> <span class="nx">AccountRecovery</span><span class="p">.</span><span class="nx">NONE</span><span class="p">,</span> <span class="na">selfSignUpEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">signInAliases</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">UserPoolDomain</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Domain</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userPool</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">,</span> <span class="na">cognitoDomain</span><span class="p">:</span> <span class="p">{</span> <span class="na">domainPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">serverless-hero</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Here you define your domain prefix</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">postConfirmationHandler</span> <span class="o">=</span> <span class="nx">lambda</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">post-auth</span><span class="dl">'</span><span class="p">,</span> <span class="nx">join</span><span class="p">(</span> <span class="nx">getWorkspaceRoot</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">dist/packages/serverless-api/post-auth</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">handler.zip</span><span class="dl">'</span> <span class="p">),</span> <span class="p">{</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">REGION</span><span class="p">:</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">region</span><span class="p">,</span> <span class="na">COGNITO_USER_POOL_ID</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// For being able to add the lambda triggers https://github.com/aws/aws-cdk/issues/10002 we can not add it directly with addTrigger, because of the userPoolId reference which would result in a circular dependency</span> <span class="k">new</span> <span class="nx">custom_resources</span><span class="p">.</span><span class="nx">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">UpdateUserPool</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">logRetention</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Custom::UpdateUserPool</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html#CognitoUserPools-UpdateUserPool-request-EmailConfiguration</span> <span class="c1">// https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources.AwsCustomResource.html</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">region</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CognitoIdentityServiceProvider</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">updateUserPool</span><span class="dl">'</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">UserPoolId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">,</span> <span class="na">AutoVerifiedAttributes</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">],</span> <span class="na">LambdaConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">PostConfirmation</span><span class="p">:</span> <span class="nx">postConfirmationHandler</span><span class="p">.</span><span class="nx">functionArn</span><span class="p">,</span> <span class="p">},</span> <span class="na">Policies</span><span class="p">:</span> <span class="p">{</span> <span class="na">PasswordPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">MinimumLength</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">RequireLowercase</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">RequireNumbers</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">RequireSymbols</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">RequireUppercase</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">custom_resources</span><span class="p">.</span><span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span> <span class="p">),</span> <span class="p">},</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">custom_resources</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nx">fromSdkCalls</span><span class="p">({</span> <span class="na">resources</span><span class="p">:</span> <span class="nx">custom_resources</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nx">ANY_RESOURCE</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="nx">props</span><span class="p">.</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">grantReadWriteData</span><span class="p">(</span><span class="nx">postConfirmationHandler</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">addDomain</span><span class="p">(</span><span class="dl">'</span><span class="s1">CognitoDomain</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cognitoDomain</span><span class="p">:</span> <span class="p">{</span> <span class="na">domainPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">serverless-hero</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">webClient</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">addClient</span><span class="p">(</span><span class="dl">'</span><span class="s1">web-client</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">authFlows</span><span class="p">:</span> <span class="p">{</span> <span class="na">custom</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Using inline policy as a workaround to fix: https://github.com/aws/aws-cdk/issues/7016</span> <span class="nx">postConfirmationHandler</span><span class="p">.</span><span class="nx">role</span><span class="p">?.</span><span class="nx">attachInlinePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nx">Policy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">allow-update-user</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">cognito-idp:AdminUpdateUserAttributes</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolArn</span><span class="p">],</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">})</span> <span class="p">);</span> <span class="c1">// You do not need this, it is only for logging the information in the end of the deployment process.</span> <span class="k">new</span> <span class="nx">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user-pool-id</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User Pool ID</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">client-id</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">webClient</span><span class="p">.</span><span class="nx">userPoolClientId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User Pool Client ID</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This looks a bit complicated and to some extend it is, because there are some tweaks required to get around some problems with the constructs which are used.<br> I added some comments directly in the code so you can understand why some parts are required.</p> <p>What we are doing is creating a cognito pool, adding a custom domain prefix it. Then we are adding a lambda function which will do some processing once the user is signed up. Then we are adding a cognito client app, which we will need for doing a sign up/sign in. And in the end we are providing the required rights for the lambda function.</p> <p>So, we have the cdk construct now, but what we are missing is the code implementing our logic. Let's do this now. We will start with the PostConfirmation lambda which gets called after the signup of a user and which allows us to do some processing on the data of the signed-up user. Here is the <code>handler/post-auth.ts</code> code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CfnOutput</span><span class="p">,</span> <span class="nx">RemovalPolicy</span><span class="p">,</span> <span class="nx">Stack</span><span class="p">,</span> <span class="nx">custom_resources</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AccountRecovery</span><span class="p">,</span> <span class="nx">StringAttribute</span><span class="p">,</span> <span class="nx">UserPool</span><span class="p">,</span> <span class="nx">UserPoolClient</span><span class="p">,</span> <span class="nx">UserPoolDomain</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cognito</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getWorkspaceRoot</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/workspace</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">lambda</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils/lambda</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ITable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-dynamodb</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Effect</span><span class="p">,</span> <span class="nx">Policy</span><span class="p">,</span> <span class="nx">PolicyStatement</span><span class="p">,</span> <span class="nx">ServicePrincipal</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">join</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">UserAuthenticationProps</span> <span class="p">{</span> <span class="nl">userTable</span><span class="p">:</span> <span class="nx">ITable</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">UserAuthentication</span> <span class="kd">extends</span> <span class="nx">Construct</span> <span class="p">{</span> <span class="nl">userPool</span><span class="p">:</span> <span class="nx">UserPool</span><span class="p">;</span> <span class="nl">webClient</span><span class="p">:</span> <span class="nx">UserPoolClient</span><span class="p">;</span> <span class="kd">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">UserAuthenticationProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">UserPool</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user-pool</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">standardAttributes</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">mutable</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">},</span> <span class="na">customAttributes</span><span class="p">:</span> <span class="p">{</span> <span class="na">authChallenge</span><span class="p">:</span> <span class="k">new</span> <span class="nx">StringAttribute</span><span class="p">({</span> <span class="na">mutable</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="p">},</span> <span class="na">passwordPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">requireDigits</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">requireUppercase</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">requireSymbols</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="na">accountRecovery</span><span class="p">:</span> <span class="nx">AccountRecovery</span><span class="p">.</span><span class="nx">NONE</span><span class="p">,</span> <span class="na">selfSignUpEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">signInAliases</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">UserPoolDomain</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Domain</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userPool</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">,</span> <span class="na">cognitoDomain</span><span class="p">:</span> <span class="p">{</span> <span class="na">domainPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">serverless-hero</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Here you define your domain prefix</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">postConfirmationHandler</span> <span class="o">=</span> <span class="nx">lambda</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">post-auth</span><span class="dl">'</span><span class="p">,</span> <span class="nx">join</span><span class="p">(</span> <span class="nx">getWorkspaceRoot</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">dist/packages/serverless-api/post-auth</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">handler.zip</span><span class="dl">'</span> <span class="p">),</span> <span class="p">{</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">REGION</span><span class="p">:</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">region</span><span class="p">,</span> <span class="na">COGNITO_USER_POOL_ID</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// For being able to add the lambda triggers https://github.com/aws/aws-cdk/issues/10002 we can not add it directly with addTrigger, because of the userPoolId reference which would result in a circular dependency</span> <span class="k">new</span> <span class="nx">custom_resources</span><span class="p">.</span><span class="nx">AwsCustomResource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">update-user-pool</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">logRetention</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">resourceType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Custom::UpdateUserPool</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html#CognitoUserPools-UpdateUserPool-request-EmailConfiguration</span> <span class="c1">// https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources.AwsCustomResource.html</span> <span class="na">onUpdate</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">region</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CognitoIdentityServiceProvider</span><span class="dl">'</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">updateUserPool</span><span class="dl">'</span><span class="p">,</span> <span class="na">parameters</span><span class="p">:</span> <span class="p">{</span> <span class="na">UserPoolId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">,</span> <span class="na">AutoVerifiedAttributes</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">],</span> <span class="na">LambdaConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">PostConfirmation</span><span class="p">:</span> <span class="nx">postConfirmationHandler</span><span class="p">.</span><span class="nx">functionArn</span><span class="p">,</span> <span class="p">},</span> <span class="na">Policies</span><span class="p">:</span> <span class="p">{</span> <span class="na">PasswordPolicy</span><span class="p">:</span> <span class="p">{</span> <span class="na">MinimumLength</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">RequireLowercase</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">RequireNumbers</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">RequireSymbols</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">RequireUppercase</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="na">physicalResourceId</span><span class="p">:</span> <span class="nx">custom_resources</span><span class="p">.</span><span class="nx">PhysicalResourceId</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span> <span class="p">),</span> <span class="p">},</span> <span class="na">policy</span><span class="p">:</span> <span class="nx">custom_resources</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nx">fromSdkCalls</span><span class="p">({</span> <span class="na">resources</span><span class="p">:</span> <span class="nx">custom_resources</span><span class="p">.</span><span class="nx">AwsCustomResourcePolicy</span><span class="p">.</span><span class="nx">ANY_RESOURCE</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">invokeCognitoTriggerPermission</span> <span class="o">=</span> <span class="p">{</span> <span class="na">principal</span><span class="p">:</span> <span class="k">new</span> <span class="nx">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">cognito-idp.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">sourceArn</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolArn</span><span class="p">,</span> <span class="p">};</span> <span class="nx">postConfirmationHandler</span><span class="p">.</span><span class="nx">addPermission</span><span class="p">(</span> <span class="dl">'</span><span class="s1">InvokePostConfirmationHandlerPermission</span><span class="dl">'</span><span class="p">,</span> <span class="nx">invokeCognitoTriggerPermission</span> <span class="p">);</span> <span class="nx">props</span><span class="p">.</span><span class="nx">userTable</span><span class="p">.</span><span class="nx">grantReadWriteData</span><span class="p">(</span><span class="nx">postConfirmationHandler</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">addDomain</span><span class="p">(</span><span class="dl">'</span><span class="s1">CognitoDomain</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cognitoDomain</span><span class="p">:</span> <span class="p">{</span> <span class="na">domainPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">serverless-hero</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">webClient</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">addClient</span><span class="p">(</span><span class="dl">'</span><span class="s1">web-client</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">authFlows</span><span class="p">:</span> <span class="p">{</span> <span class="na">custom</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Using inline policy as a workaround to fix: https://github.com/aws/aws-cdk/issues/7016</span> <span class="nx">postConfirmationHandler</span><span class="p">.</span><span class="nx">role</span><span class="p">?.</span><span class="nx">attachInlinePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nx">Policy</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">allow-update-user</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">cognito-idp:AdminUpdateUserAttributes</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolArn</span><span class="p">],</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">})</span> <span class="p">);</span> <span class="c1">// You do not need this, it is only for logging the information in the end of the deployment process.</span> <span class="k">new</span> <span class="nx">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user-pool-id</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User Pool ID</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">client-id</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">webClient</span><span class="p">.</span><span class="nx">userPoolClientId</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User Pool Client ID</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This code does two specific things:</p> <ol> <li>It creates a user in DynamoDB, this way we will be able to store additional information for our user and are able to easily access this information later.</li> <li>It checks if the login mail is lower case and if not it will correct the email to be lower case. Having a user sign up with a email containing uppercases letters might be a problem later so we apply this fix. But you are free to remove this part of the code.</li> </ol> <p>As you can see the code uses a repository called UserRepository, as we did not create this one so far let's continue adding this code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">Container</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">typedi</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AdminUpdateUserAttributesCommand</span><span class="p">,</span> <span class="nx">CognitoIdentityProviderClient</span><span class="p">,</span> <span class="nx">CognitoIdentityProviderClientConfig</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-cognito-identity-provider</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoDB</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-dynamodb</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoStore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@cubesoft/dynamo-easy</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UserModel</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../model/user.model</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">COGNITO_USER_POOL_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../token/cognito</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">REGION</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../token/env</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Service</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">UserRepository</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">dynamoDb</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DynamoDB</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">Container</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="nx">REGION</span><span class="p">)</span> <span class="p">});</span> <span class="k">private</span> <span class="nx">cognitoUserPoolId</span> <span class="o">=</span> <span class="nx">Container</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="nx">COGNITO_USER_POOL_ID</span><span class="p">);</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">userStore</span><span class="p">:</span> <span class="nx">DynamoStore</span><span class="o">&lt;</span><span class="nx">UserModel</span><span class="o">&gt;</span><span class="p">;</span> <span class="kd">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">userStore</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DynamoStore</span><span class="p">(</span><span class="nx">UserModel</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">dynamoDb</span><span class="p">);</span> <span class="p">}</span> <span class="cm">/** * Create a new user in cognito * * @param id Unique id of the user can be used for anonymised usage e.g in logs * @param email Email address of the user to create * @returns The created UserType */</span> <span class="k">async</span> <span class="nx">createUser</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">UserModel</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">UserModel</span><span class="p">();</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="o">=</span> <span class="nx">id</span><span class="p">;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="nx">email</span><span class="p">;</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userStore</span><span class="p">.</span><span class="nx">put</span><span class="p">(</span><span class="nx">user</span><span class="p">).</span><span class="nx">exec</span><span class="p">();</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * Update a user in cognito * * @param email Email address of the user to update */</span> <span class="k">async</span> <span class="nx">updateCognitoUserMail</span><span class="p">(</span> <span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">provider</span><span class="p">:</span> <span class="nx">CognitoIdentityProviderClientConfig</span> <span class="o">=</span> <span class="p">{}</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">CognitoIdentityProviderClient</span><span class="p">(</span><span class="nx">provider</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AdminUpdateUserAttributesCommand</span><span class="p">({</span> <span class="na">Username</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">UserPoolId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">cognitoUserPoolId</span><span class="p">,</span> <span class="na">UserAttributes</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email_verified</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="nx">command</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">$metadata</span><span class="p">.</span><span class="nx">httpStatusCode</span> <span class="o">!==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to create user</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>For our userRepository to be able to store the user data in the database we need to create a UserModel:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">v4</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Model</span><span class="p">,</span> <span class="nx">PartitionKey</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@cubesoft/dynamo-easy</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Model</span><span class="p">({</span> <span class="na">tableName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user_table</span><span class="dl">'</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">UserModel</span> <span class="p">{</span> <span class="p">@</span><span class="nd">PartitionKey</span><span class="p">()</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">createdAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">updatedAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="kd">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">createdAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nx">now</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">updatedAt</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">createdAt</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>So let's recap: We created the construct for setting up cognito and provided the code for adding user data into our database. But we are not yet at the finish line, so far this will have no effect on our deployment. For the changes to take effect, we will need to add our construct into our stack, additionally we also need to create a table for storing information about our users later. For this we need to extend our <code>lib/serverless-stack.ts</code> with the following code snippet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">userTable</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Table</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user-table</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">tableName</span><span class="p">:</span> <span class="s2">`user_table`</span><span class="p">,</span> <span class="na">billingMode</span><span class="p">:</span> <span class="nx">BillingMode</span><span class="p">.</span><span class="nx">PAY_PER_REQUEST</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="na">partitionKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">UserAuthentication</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user-authentication</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">userTable</span> <span class="p">});</span> </code></pre> </div> <p>And we also need to add the function to our handler functions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">{</span> <span class="dl">"</span><span class="s2">entrypoints</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">serverless-api</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">src/handler/serverless-api</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">post-auth</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">src/handler/post-auth</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now we can deploy the code with our known command <code>nx build serverless-api &amp;&amp; nx deploy serverless-cdk --profile serverless-hero</code>.</p> <p>Once we have deployed this changes we will be able to visit the Hosted Cognito UI for signing up or signing in a user.<br> The Hosted UI will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://&lt;your_domain&gt;/login?response_type=token&amp;client_id=&lt;your_app_client_id&gt;&amp;redirect_uri=&lt;your_callback_url&gt; </code></pre> </div> <p><strong>Where to find the required information?</strong></p> <ul> <li> <code>your_domain</code>: In the AWS Console go to Cognito &gt; User Pools, select your newly created user pool. Go to the <strong>App Integration</strong> Tab, there you will find the Cognito Domain, but basically it is has the following structure <code>https://&lt;configured_prefix&gt;.auth.&lt;aws-region&gt;.amazoncognito.com</code> </li> <li> <code>your_app_client_id&gt;</code>: On the same page like your domain, scroll down to the <em>App client list</em> and you will find your Client ID</li> <li> <code>your_callback_url</code>: In the same section as the Client ID click on the App client name, in the new page you will find all allowed callback URLs in the <em>Hosted UI</em> section. For a proper login process you will need to configure a callback URL which will redirect you to your website, however as we do not implement a UI in this blog post we do not care about the callback URL, we just need to make sure we provide one which is configured, if not Cognito will reject the login attempt.</li> </ul> <p>If you provided all the correct variables you will be redirected to a UI similar like this.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Z_HzHFH1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z3y52arcdyd66httc86s.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Z_HzHFH1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z3y52arcdyd66httc86s.jpg" alt="Default Hosted Cognito Signup Page" width="473" height="400"></a></p> <p>After a successful signup you will be redirected to a url with the following structure:<br> <code>&lt;your_callback_url&gt;/#id_token=&lt;token&gt;&amp;expires_in=3600&amp;token_type=Bearer</code></p> <p>We are interested in the <code>&lt;token&gt;</code>. We will need it later for authenticating ourself to our api. </p> <h2> Setting Up Authorization for Secured Data Access <a></a> </h2> <p>Now that we have all prerequits, we can extend our API to make sure only authenticated users will have access to specific routes.</p> <p>We want to make sure only authenticated people are able to add new plants to our database. This for example allows us to track who made a change and in case we have some questions we would know who to contact. To apply this change we need to decorate our Mutation with the <code>@Authorized()</code> decorator:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="p">@</span><span class="nd">Authorized</span><span class="p">()</span> <span class="p">@</span><span class="nd">Mutation</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">PlantType</span><span class="p">,</span> <span class="p">{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Add a new plant to the library.</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="k">async</span> <span class="nx">addPlant</span><span class="p">(</span> <span class="p">@</span><span class="nd">Arg</span><span class="p">(</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">)</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">@</span><span class="nd">Arg</span><span class="p">(</span><span class="dl">'</span><span class="s1">description</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">)</span> <span class="nx">description</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">PlantType</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">plant</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">PlantModel</span><span class="p">();</span> <span class="nx">plant</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="nx">name</span><span class="p">;</span> <span class="nx">plant</span><span class="p">.</span><span class="nx">description</span> <span class="o">=</span> <span class="nx">description</span><span class="p">;</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">plantRepository</span><span class="p">.</span><span class="nx">createOrUpdatePlant</span><span class="p">(</span><span class="nx">plant</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Now the server knows it needs to check for the authorization of a user, but it does not yet know how to do this. For this we need to provide a helper function <code>auth.checker.ts</code>. For this function we need to install two packages <code>npm i jwk-to-pem jsonwebtoken</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AuthChecker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">type-graphql</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Context</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../model/context.model</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">GraphQLError</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Token</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../interface/token.interface</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwkToPem</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jwk-to-pem</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TokenExpiredError</span><span class="p">,</span> <span class="nx">decode</span><span class="p">,</span> <span class="nx">verify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">keysCache</span> <span class="o">=</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">userPoolUrl</span> <span class="o">=</span> <span class="s2">`https://cognito-idp.</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REGION</span><span class="p">}</span><span class="s2">.amazonaws.com/</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">COGNITO_USER_POOL_ID</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">customAuthChecker</span><span class="p">:</span> <span class="nx">AuthChecker</span><span class="o">&lt;</span><span class="nx">Context</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">async</span> <span class="p">({</span> <span class="nx">context</span><span class="p">,</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">context</span><span class="p">.</span><span class="nx">authToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span><span class="dl">'</span><span class="s1">No valid Token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">checkTokenAndUpdateUserId</span><span class="p">(</span><span class="nx">context</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">checkTokenAndUpdateUserId</span><span class="p">(</span><span class="nx">context</span><span class="p">:</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="nx">Context</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">token</span><span class="p">:</span> <span class="nx">Token</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tokenParts</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nx">authToken</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authToken</span> <span class="o">=</span> <span class="nx">tokenParts</span><span class="p">[</span><span class="nx">tokenParts</span><span class="p">.</span><span class="nx">length</span> <span class="o">-</span> <span class="mi">1</span><span class="p">];</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">verifyToken</span><span class="p">(</span><span class="nx">authToken</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">TokenExpiredError</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Token is expired</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">?.</span><span class="nx">sub</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Token is not valid</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">context</span><span class="p">.</span><span class="nx">userId</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">sub</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">verifyToken</span><span class="p">(</span> <span class="nx">rawToken</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Token</span> <span class="o">|</span> <span class="kc">undefined</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decodedToken</span> <span class="o">=</span> <span class="nx">decode</span><span class="p">(</span><span class="nx">rawToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">complete</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">decodedToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">pem</span> <span class="o">=</span> <span class="nx">keysCache</span><span class="p">[</span><span class="nx">decodedToken</span><span class="p">.</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="p">];</span> <span class="c1">// this is a fallback to load a new set of keys</span> <span class="c1">// according to the documentation, this should be done in case of rotation</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">pem</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">loadKeys</span><span class="p">(</span><span class="nx">userPoolUrl</span><span class="p">);</span> <span class="nx">pem</span> <span class="o">=</span> <span class="nx">keysCache</span><span class="p">[</span><span class="nx">decodedToken</span><span class="p">.</span><span class="nx">header</span><span class="p">.</span><span class="nx">kid</span><span class="p">];</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed loading JWKS keys: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// if pem is still not found, the requestor is maybe using a wrong key (from other stage or forged)</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">pem</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Token is not supported</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">verify</span><span class="p">(</span><span class="nx">rawToken</span><span class="p">,</span> <span class="nx">pem</span><span class="p">,</span> <span class="p">{</span> <span class="na">issuer</span><span class="p">:</span> <span class="nx">userPoolUrl</span><span class="p">,</span> <span class="p">})</span> <span class="k">as</span> <span class="nx">Token</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">loadKeys</span><span class="p">(</span><span class="nx">userPoolUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">respones</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">userPoolUrl</span><span class="p">}</span><span class="s2">/.well-known/jwks.json`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">respones</span><span class="p">.</span><span class="nx">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">keys</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">keys</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span><span class="kd">const</span> <span class="nx">key</span> <span class="k">of</span> <span class="nx">keys</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pem</span> <span class="o">=</span> <span class="nx">jwkToPem</span><span class="p">(</span><span class="nx">key</span><span class="p">);</span> <span class="nx">keysCache</span><span class="p">[</span><span class="nx">key</span><span class="p">.</span><span class="nx">kid</span><span class="p">]</span> <span class="o">=</span> <span class="nx">pem</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This function does several things:</p> <ol> <li>It checks if an authToken is provided</li> <li>It verifies if the provided token is valid by loading the well-known jwks from cognito and using those for checking the validity of the token.</li> <li>We take the userId from the encrypted token and add it to the context, so that it will be available during the mutation or query execution if required.</li> </ol> <p>We used two unknown classes in this code, the contextModel:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nx">Context</span> <span class="p">{</span> <span class="nl">clientId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">clientIp</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">authToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// from auth.checker.ts</span> <span class="nl">userId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>and the token interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kr">interface</span> <span class="nx">Token</span> <span class="p">{</span> <span class="nl">sub</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">event_id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">token_use</span><span class="p">:</span> <span class="dl">'</span><span class="s1">access</span><span class="dl">'</span><span class="p">;</span> <span class="nl">scope</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">auth_time</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">iss</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">exp</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">iat</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">jti</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">client_id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">username</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="dl">'</span><span class="s1">cognito:groups</span><span class="dl">'</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">}</span> </code></pre> </div> <p>Now we need to make sure or server is able to perform the authorization check. For this we need to add the authChecker into the <code>buildSchemaSync</code> function and need to make sure the accessToken is properly added to our context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nx">buildSchemaSync</span><span class="p">({</span> <span class="na">resolvers</span><span class="p">:</span> <span class="p">[</span><span class="nx">PlantLibraryResolver</span><span class="p">],</span> <span class="na">container</span><span class="p">:</span> <span class="nx">Container</span><span class="p">,</span> <span class="na">validate</span><span class="p">:</span> <span class="p">{</span> <span class="na">forbidUnknownValues</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="na">dateScalarMode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">timestamp</span><span class="dl">'</span><span class="p">,</span> <span class="na">authChecker</span><span class="p">:</span> <span class="nx">customAuthChecker</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ApolloServer</span><span class="p">({</span> <span class="na">schema</span><span class="p">:</span> <span class="nx">schema</span><span class="p">,</span> <span class="na">introspection</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">csrfPrevention</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="nx">startServerAndCreateLambdaHandler</span><span class="p">(</span> <span class="nx">server</span><span class="p">,</span> <span class="nx">handlers</span><span class="p">.</span><span class="nx">createAPIGatewayProxyEventV2RequestHandler</span><span class="p">(),</span> <span class="p">{</span> <span class="na">context</span><span class="p">:</span> <span class="k">async</span> <span class="p">({</span> <span class="nx">event</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">getHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">headers</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">apiKey</span> <span class="o">||</span> <span class="o">!</span><span class="nx">API_KEYS</span><span class="p">.</span><span class="nx">includes</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span> <span class="dl">'</span><span class="s1">You are not authorized to perform this action.</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">authToken</span> <span class="o">=</span> <span class="nx">getHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">headers</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">clientIp</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">sourceIp</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">authToken</span><span class="p">,</span> <span class="nx">apiKey</span><span class="p">,</span> <span class="nx">clientIp</span><span class="p">,</span> <span class="p">};</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <p>Additionaly, you might have seen that we are using two environment variables, <code>COGNITO_USER_POOL_ID</code> and <code>REGION</code> we need to make sure that those are available in our handler for this we need to add them during the function creation in our <code>serverless.stack.ts</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">lambda</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">api-handler</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_18_X</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">'</span><span class="s1">serverless-api.handler</span><span class="dl">'</span><span class="p">,</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">serverless-api</span><span class="dl">'</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nx">Code</span><span class="p">.</span><span class="nx">fromAsset</span><span class="p">(</span> <span class="nx">join</span><span class="p">(</span> <span class="nx">getWorkspaceRoot</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">dist/packages/serverless-api/serverless-api</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">handler.zip</span><span class="dl">'</span> <span class="p">)</span> <span class="p">),</span> <span class="na">memorySize</span><span class="p">:</span> <span class="nx">Size</span><span class="p">.</span><span class="nx">gibibytes</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nx">toMebibytes</span><span class="p">(),</span> <span class="na">architecture</span><span class="p">:</span> <span class="nx">Architecture</span><span class="p">.</span><span class="nx">ARM_64</span><span class="p">,</span> <span class="na">logRetention</span><span class="p">:</span> <span class="nx">RetentionDays</span><span class="p">.</span><span class="nx">ONE_DAY</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nx">seconds</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">COGNITO_USER_POOL_ID</span><span class="p">:</span> <span class="nx">userAuthentication</span><span class="p">.</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">,</span> <span class="na">REGION</span><span class="p">:</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nx">region</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Let's deploy the changes with <code>nx build serverless-api &amp;&amp; nx deploy serverless-cdk --profile serverless-hero</code> and see what effect it has.</p> <p>If we now run our <code>addPlant</code> mutation from last time we will get a GraphQL Error with the message <code>No valid Token</code>. So it works, without the authorization header, we are no longer able to add a new plant. Let's to the check if it works with a correct token. For this we need to get the cognito token from section one and add this token in the header section in the Apollo Server Playground:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WMeY1eIO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/d7e8u5qekr79twtnkeab.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WMeY1eIO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/d7e8u5qekr79twtnkeab.png" alt="Headers for Graphql" width="764" height="322"></a></p> <p>With this you should again get the expected output from your newly created plant.</p> <h2> Conclusion <a></a> </h2> <p>We've now established AWS Cognito as a key tool in our serverless hero arsenal, leveraging its power to handle user authentication with finesse. Furthermore, we've successfully set up authorization to ensure our data access remains secure and uncompromised.</p> <p>But remember, the journey to becoming a serverless security hero is one of continuous learning and constant improvement. Security is a dynamic field that demands consistent attention and updates. The work we've done today, though essential, represents only one facet of the broader API security landscape.</p> <p>In the next session of our 'From Zero to Serverless Hero' series, we will delve deeper into the realm of authorization. We will explore how to tailor different levels of access based on the permissions granted to individual users. Managing user permissions adds an additional layer of security, enabling more granular control over who can access what within your serverless GraphQL API.</p> <p>Stay tuned for our next adventure where we will take one more step closer to becoming full-fledged serverless security heroes. Remember, every piece of knowledge, every step we take, brings us closer to our goal. Until next time, keep learning, keep experimenting, and keep secure!’</p> <p><em>Hey there, dear readers! Just a quick heads-up: we're code whisperers, not Shakespearean poets, so we've enlisted the help of a snazzy AI buddy to jazz up our written word a bit. Don't fret, the information is top-notch, but if any phrases seem to twinkle with literary brilliance, credit our bot. Remember, behind every great blog post is a sleep-deprived developer and their trusty AI sidekick.</em></p> aws typescript graphql serverless Tanja Bayer Tue, 20 Jun 2023 20:48:54 +0000 https://forem.com/cubesoft/securing-your-serverless-graphql-api-part-i-20i2 https://forem.com/cubesoft/securing-your-serverless-graphql-api-part-i-20i2 <p>In the modern digital era, our reliance on APIs has become more pronounced than ever. As developers, we are tasked with building secure, scalable systems, and a significant part of that responsibility involves safeguarding the APIs that power these systems.</p> <p>Over the course of our 'From Zero to Serverless Hero' series, we've taken a deep dive into creating a serverless environment, setting up an Apollo server with TypeGraphQL, and implementing data resolvers using Node.js. Now, our journey brings us to a critical stage: securing our serverless GraphQL API.</p> <p>Security is a non-negotiable aspect of any application. In this post, we'll explore the importance of securing APIs, examine different strategies, and explain what combination is a good choice for the beginning.</p> <p>By the end of this article, you'll have a much clearer understanding of API security. However, due to the extensive nature of this topic, we will focus more on the theory in this blog post and cover most of the implementation part in the next blog post. Strap in and prepare to level up from being just a serverless enthusiast to becoming a serverless security hero!</p> <h2> Table of Contents </h2> <ul> <li>Understanding API Security</li> <li>API Security Strategies</li> <li>Our Choice for Security</li> <li>Implementing Authentication in Your API</li> <li>Testing the Security of Your API</li> <li>Conclusion</li> </ul> <h2> Understanding API Security <a></a> </h2> <p>API Security, at its core, involves implementing measures to protect the integrity of APIs from threats and attacks. APIs, or Application Programming Interfaces, are the conduits through which software applications communicate and exchange data. As such, they have become a prime target for malicious actors intent on exploiting vulnerabilities for data theft, denial of service attacks, and other nefarious purposes.</p> <p>Securing your API is crucial because it serves as the gatekeeper to your application. If left unprotected, your API could serve as a weak point that attackers can exploit to access sensitive information. This risk is especially high in today's interconnected digital landscape, where APIs often interface with multiple external systems, each potentially introducing new vulnerabilities.</p> <p>But what does it mean to secure an API? It involves several key aspects:</p> <p><strong>Authentication</strong>: This process verifies the identity of the client trying to access the API. It ensures that only recognized, authenticated users or systems are granted access.</p> <p><strong>Authorization</strong>: Once a user is authenticated, authorization determines what resources they can access and what operations they can perform. Not every user should have access to every part of your system.</p> <p><strong>Encryption</strong>: To safeguard data during transmission, APIs should use secure protocols such as HTTPS, which encrypts the data to prevent it from being intercepted and understood by unauthorized parties.</p> <p><strong>Input Validation</strong>: APIs should validate the input they receive to prevent attacks such as SQL injection or Cross-Site Scripting (XSS) that are designed to exploit poorly validated input.</p> <p><strong>Rate Limiting</strong>: This involves limiting the number of requests a client can make to the API within a specific timeframe, preventing DoS attacks where an attacker might aim to overwhelm an API with a flood of requests.</p> <p><strong>Auditing and Logging</strong>: Keeping a record of who accesses your API and what they do with it provides a trail that can be analyzed for suspicious activity. It also serves as a forensic tool if a breach does occur.<br> API security is not a 'set it and forget it' concept; rather, it is a continuous, proactive endeavor. It requires vigilance, regular updates, and a commitment to best practices in order to keep pace with evolving threats. In the following sections, we will discuss these aspects in greater detail, particularly focusing on our chosen strategy, user authentication.</p> <h2> API Security Strategies <a></a> </h2> <p>There are numerous strategies and techniques at our disposal when it comes to securing APIs. The choice depends on a variety of factors, including the specific needs of the application, the sensitivity of the data being handled, and the nature of the clients that will be interacting with the API. Here, we'll outline a few commonly used API security strategies and briefly discuss their pros and cons.</p> <h3> 1. API Keys </h3> <p>API keys are unique identifiers that are used to control access to an API. They are simple to implement and use. The client includes the API key in each request, and the server checks this key to decide whether or not to process the request.</p> <p><strong>Pros</strong>: Easy to use; straightforward implementation.</p> <p><strong>Cons</strong>: API keys are not inherently secure. If a key is stolen, it can be used to gain unauthorized access to the API. Also, API keys alone can't provide fine-grained control over what resources a client can access.</p> <h3> 2. OAuth </h3> <p>OAuth is an open standard for access delegation. It allows users to grant third-party applications access to their information on other services, without sharing their passwords.</p> <p><strong>Pros</strong>: Highly secure; allows for fine-grained access control; widely adopted standard.</p> <p><strong>Cons</strong>: Can be complex to implement; involves a multi-step process for the user, which can affect the user experience.</p> <h3> 3. JSON Web Tokens (JWT) </h3> <p>JWT is a standard for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.</p> <p><strong>Pros</strong>: Enables stateless authentication; allows for fine-grained access control.</p> <p><strong>Cons</strong>: Requires careful management of the token lifecycle; vulnerable to theft if not properly secured.</p> <h3> 4. Mutual TLS (mTLS) </h3> <p>mTLS is a version of the standard TLS protocol where both the client and the server authenticate each other. This mutual authentication provides an additional layer of trust.</p> <p><strong>Pros</strong>: Provides strong, mutual authentication.</p> <p><strong>Cons</strong>: Requires the distribution and management of client certificates, which can be complex.</p> <h3> 5. GraphQL Shield </h3> <p>GraphQL Shield is a library specifically for the GraphQL server, offering an easy-to-use middleware-style API to create a permission layer for your application.</p> <p><strong>Pros</strong>: Easy integration with GraphQL; flexible rule-based access control.</p> <p><strong>Cons</strong>: Specific to GraphQL; requires an understanding of its rule and permission system.</p> <p>Each of these strategies has its strengths and weaknesses, and there's no 'one-size-fits-all' answer. You might even use a combination of these strategies for different aspects of your API. In our case, we've chosen user authentication as our primary strategy, and we will use AWS Cognito to implement it. In the next sections, we'll discuss why we made this choice and how to get it set up.</p> <h2> Our Choice for Security: User Authorization and Authentication via ApiKeys and OAuth <a></a> </h2> <p>Striking the right balance between accessibility and security is essential when designing APIs. Some functionalities, such as browsing through a library, should be accessible to all users, even those who aren't logged in. However, other actions, particularly those that alter data or user preferences, need stricter control. To address these needs, we've opted for a dual approach for our serverless GraphQL API: ApiKeys for public endpoints and OAuth for protected operations.</p> <h3> ApiKeys for Public Endpoints </h3> <p>ApiKeys provide a simple, effective way to regulate access to our API's public-facing endpoints. Users can engage with aspects of our service, such as browsing the library, without logging in. ApiKeys simplify user experience for new or casual users while offering control through unique keys issued to each client. By limiting the number of requests a client can make within a certain timeframe, we ensure these public endpoints are not exploited or overloaded.</p> <h3> OAuth for Protected Operations </h3> <p>When it comes to sensitive operations like changing user settings or updating records, we need more robust protection. That's where OAuth comes in. OAuth is a widely used standard that allows for user-specific authorization and authentication. Using OAuth, we can confirm the identity of users, grant them access, and control what operations they can perform once logged in. This protects sensitive data and functionalities, enhancing our API's security.</p> <h3> A Balanced Approach </h3> <p>This blend of ApiKeys and OAuth offers a balanced, secure, and user-friendly API. ApiKeys ensure public services are accessible, attracting potential users to our application. OAuth, meanwhile, protects sensitive operations, offering peace of mind for users and administrators alike. This approach effectively combines robust security with an optimal user experience. In the next sections, we'll explore how to implement these ApiKeys. The implementation of authorization with OAuth will be covered in the next blog post.</p> <h2> Implementing Authentication in Your API with an API Key <a></a> </h2> <p>Let's start with the easy one: checking if the user provides a valid ApiKey. For this, we will check the headers in the context, and if the required <code>x-api-key</code> header is not provided or the apiKey is not in our whitelist, we will throw an error.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">API_KEYS</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">your-key</span><span class="dl">'</span><span class="p">];</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="nx">startServerAndCreateLambdaHandler</span><span class="p">(</span> <span class="nx">server</span><span class="p">,</span> <span class="nx">handlers</span><span class="p">.</span><span class="nx">createAPIGatewayProxyEventV2RequestHandler</span><span class="p">(),</span> <span class="p">{</span> <span class="na">context</span><span class="p">:</span> <span class="k">async</span> <span class="p">({</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">context</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">getHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-api-key</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">headers</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">apiKey</span> <span class="o">||</span> <span class="o">!</span><span class="nx">API_KEYS</span><span class="p">.</span><span class="nx">includes</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nx">GraphQLError</span><span class="p">(</span> <span class="dl">'</span><span class="s1">You are not authorized to perform this action.</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">extensions</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">lambdaEvent</span><span class="p">:</span> <span class="nx">event</span><span class="p">,</span> <span class="na">lambdaContext</span><span class="p">:</span> <span class="nx">context</span><span class="p">,</span> <span class="p">};</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <p>In the above example we add a list of api keys via a variable in the code. However, for easier configuration putting this into a database or at least making it configurable via environment variables would be the recommended option.</p> <p>We also used a helper function in the above code, it will just get the header values from the header <code>helper/grapqhl.helper.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">function</span> <span class="nx">getHeader</span><span class="p">(</span> <span class="nx">headerName</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">headers</span><span class="p">:</span> <span class="p">{</span> <span class="p">[</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="nx">unknown</span> <span class="p">}</span> <span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">keys</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nx">keys</span><span class="p">(</span><span class="nx">headers</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">keys</span><span class="p">.</span><span class="nx">find</span><span class="p">((</span><span class="nx">k</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">k</span><span class="p">.</span><span class="nx">toLowerCase</span><span class="p">()</span> <span class="o">===</span> <span class="nx">headerName</span><span class="p">.</span><span class="nx">toLowerCase</span><span class="p">());</span> <span class="k">if</span> <span class="p">(</span><span class="nx">key</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">headers</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="k">as</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Add the above snippets to your API handler, build and deploy the code, and check how your API behaves now.</p> <p>If you query your server now, you will get a 500 server response with the code UNAUTHENTICATED in the error message.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--CGPABSMF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yaolccm0gwgwy3cjrzps.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--CGPABSMF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yaolccm0gwgwy3cjrzps.png" alt="Error For Unauthenticated Client" width="800" height="499"></a><br> From now on you need to provide your apiKey with every call query and mutation you make. In the Apollo Playground, you are able to configure this header in a specific tab:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--djk9adCs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ptql1uwsuysvfn39bsb5.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--djk9adCs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ptql1uwsuysvfn39bsb5.png" alt="Apollo Playground Header Configuration" width="702" height="129"></a></p> <p>As easy as this, now only people who know your apiKeys are able to communicate with your API.</p> <h2> Testing the Security of Your API <a></a> </h2> <p>After implementing the security measures for your API, it's critical to ensure that they work as expected. Testing the security of your API is a continuous process that helps identify potential vulnerabilities and ensure that the implemented security mechanisms function correctly.</p> <p><strong>1. Unit Testing</strong>: Start with unit tests for your authentication and authorization code. Ensure that only authenticated users can access protected routes, and are authorized to perform the operations they're trying to carry out.</p> <p><strong>2. Integration Testing</strong>: Conduct integration tests where you simulate a user's interaction with the API, performing various tasks. Check that the system correctly identifies users and grants them appropriate permissions.</p> <p><strong>3. Penetration Testing</strong>: Here, you simulate an attack on your system to identify potential vulnerabilities. Use automated tools, and, if possible, consider hiring a security firm that specializes in this type of testing. Test for common attack vectors such as SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).</p> <p><strong>4. API Scanning</strong>: Use API security scanners that can scan your APIs for vulnerabilities. These tools can help find issues that could be exploited by an attacker.</p> <p><strong>5. Load Testing</strong>: Overloading an API can reveal security vulnerabilities. Simulate high load situations to make sure that your rate limiting is effective and the system doesn't reveal sensitive information under stress.</p> <p><strong>6. Regular Auditing</strong>: Regularly review your security logs to identify any suspicious activity. Automated auditing tools can flag unusual behavior, making it easier to catch and respond to potential security threats.</p> <p><strong>7. Dependency Checking</strong>: Regularly check your dependencies for known vulnerabilities. Tools exist that can automatically check for and alert you to security issues in your dependencies.</p> <p><strong>8. Security Training</strong>: Keep your team up-to-date with the latest security best practices and common threats. A well-informed team is one of your best defenses against security breaches.</p> <p>Remember, security isn't a one-time event but a continuous process of improvement. Regular testing, auditing, and updating your security measures are key to maintaining a robust, secure API. Stay proactive and vigilant in order to keep your API—and your users' data—safe and secure.</p> <h2> Conclusion <a></a> </h2> <p>In our journey from zero to serverless hero, understanding and implementing robust security measures is of paramount importance. In this post, we've explored the essentials of API security and strategies to safeguard our serverless GraphQL API.</p> <p>We've elucidated why a mix of ApiKeys and OAuth provides a well-rounded security solution, allowing both public access to certain services and stringent protection for sensitive operations. This balance between openness and security forms the cornerstone of an effective, user-friendly, and secure API.</p> <p>Furthermore, we've underscored the importance of continuous testing to validate the effectiveness of our security implementations, and to proactively uncover and patch potential vulnerabilities.</p> <p>Implementing these strategies, however, is not the end. Security is a dynamic and continuous process. It requires regular evaluation and updates to keep up with the ever-evolving landscape of digital threats.</p> <p>In the end, the key to effective API security lies not just in a one-time setup, but in continuous vigilance, regular testing, and an unwavering commitment to protecting your data and your users. Through this post, we hope to have equipped you with a good base of knowledge about API security. In the next blog post, we will head to the implementation part. So stay tuned.</p> <p><em>Hey there, dear readers! Just a quick heads-up: we're code whisperers, not Shakespearean poets, so we've enlisted the help of a snazzy AI buddy to jazz up our written word a bit. Don't fret, the information is top-notch, but if any phrases seem to twinkle with literary brilliance, credit our bot. Remember, behind every great blog post is a sleep-deprived developer and their trusty AI sidekick.</em></p> aws typescript graphql serverless Tanja Bayer Tue, 06 Jun 2023 19:15:00 +0000 https://forem.com/cubesoft/implementing-data-resolvers-with-nodejs-d0k https://forem.com/cubesoft/implementing-data-resolvers-with-nodejs-d0k <p>Welcome back to our series on working with GraphQL, Node.js, and Apollo Server. In our previous posts, we set up our serverless environment and configured our Apollo Server with TypeGraphQL. We even created our first basic resolver. It's been quite a journey, but we're only just getting started.</p> <p>Today, we're going to delve deeper into the exciting world of data resolvers. As we know, resolvers play a crucial role in a GraphQL server, acting as the bridge between our schema and the data we need to fetch from various sources. They're what make GraphQL such a dynamic and efficient tool for developers.</p> <p>In this post, we will enhance our understanding of data resolvers. We'll start by exploring how to query data from a database using resolvers. We'll then venture into the integration of external APIs into our GraphQL server — a powerful way to leverage additional data sources and functionality. From there, we'll turn our attention to mutations, allowing us to not only fetch data but also modify it. To wrap it all up, we'll discuss some best practices for working with resolvers.</p> <p>By the end of this blog post, you'll have a robust understanding of data resolvers and how to utilize them effectively within your Node.js and Apollo Server setup. Let's jump right in!</p> <h2> Querying Data from a Database </h2> <p>Up until now, we've been focusing on building the structure of our GraphQL server, without working with any persisted data. All our operations so far have dealt with data held temporarily in memory. But to develop a fully functional, real-world application, we need a persistent storage system - a database.</p> <p>That's where we're heading in this section. We'll take a crucial step forward in our project and set up a database. To achieve this, we'll use Amazon DynamoDB.</p> <p>Amazon DynamoDB is a fast, fully managed NoSQL database service from AWS, offering seamless scalability and reliable performance. Ideal for applications requiring single-digit millisecond latency, it provides a key-value and document data model that enables flexible, dynamic schemas. Its compatibility with GraphQL makes it a robust choice for modern web applications.</p> <p>Not only is it a powerful, flexible, and high-performance NoSQL database service, but it also happens to be part of the AWS Free Tier. This means we can experiment and build our knowledge without incurring extra costs, making it an ideal choice for our exploration of GraphQL. You can check out all the details of the AWS Free Tier, including DynamoDB, at this <a href="https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&amp;all-free-tier.sort-order=asc&amp;awsf.Free%20Tier%20Types=*all&amp;awsf.Free%20Tier%20Categories=categories%23databases&amp;all-free-tier.q=Amazon%2BDynamoDB&amp;all-free-tier.q_operator=AND">link</a>. So, let's get started with setting up our DynamoDB!</p> <h3> Setting Up The Database </h3> <p>We need to put this snippet into our <code>serverless.stack.ts</code> file. This creates a database with the table name <code>data_table</code> and afterwards we grant read and write access to our lambda.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">dataTable</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Table</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">data-table</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">tableName</span><span class="p">:</span> <span class="s2">`data_table`</span><span class="p">,</span> <span class="na">timeToLiveAttribute</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ttl</span><span class="dl">'</span><span class="p">,</span> <span class="na">billingMode</span><span class="p">:</span> <span class="nx">BillingMode</span><span class="p">.</span><span class="nx">PAY_PER_REQUEST</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="na">partitionKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">dataTable</span><span class="p">.</span><span class="nx">grantReadWriteData</span><span class="p">(</span><span class="nx">lambda</span><span class="p">);</span> </code></pre> </div> <h3> Updating the Resolver and Accessing the Data </h3> <p>Now that we have created the database we need to create a repository for adding, accessing, updating and deleting data in the database. We will use dynamo-easy for this, a wrapper around the AWS dynamodb client, written by <a href="https://www.shiftcode.ch/en/hello">shiftcode</a> which does the data mapping to typescript object by using decorators. We will use a fork of it because we want to use the aws sdk v3 version with some additional fixes added. Let's install it via <code>npm i @cubesoft/dynamo-easy typedi @types/uuid</code>. Now that we have it installed, let's create the repository and our data model. Let's pretend we want to create a database with plants. There are several different classes we need to create.</p> <p>The <code>interface/plant.interface.ts</code>, which will be used as an interface for our plant model to make sure all inheriting classes have all required fields.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kr">interface</span> <span class="nx">PlantInterface</span> <span class="p">{</span> <span class="nl">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">description</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">createdAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">updatedAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The <code>model/plant.model.ts</code> file, which represents our plant object for storing it in dynamodb:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">v4</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Model</span><span class="p">,</span> <span class="nx">PartitionKey</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@cubesoft/dynamo-easy</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PlantInterface</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../interface/plant.interface</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Model</span><span class="p">({</span> <span class="na">tableName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">data_table</span><span class="dl">'</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">PlantModel</span> <span class="k">implements</span> <span class="nx">PlantInterface</span> <span class="p">{</span> <span class="p">@</span><span class="nd">PartitionKey</span><span class="p">()</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">description</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">createdAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">updatedAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="kd">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">id</span> <span class="o">=</span> <span class="nx">v4</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">createdAt</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nx">now</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">updatedAt</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">createdAt</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>repository/plant.repository.ts</code> file, for storing and retrieving the data from dynamodb:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">typedi</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoDB</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-dynamodb</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoStore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@cubesoft/dynamo-easy</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PlantModel</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../model/plant.model</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Service</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">PlantRepository</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">dynamoDb</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DynamoDB</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">eu-central-1</span><span class="dl">'</span> <span class="p">});</span> <span class="k">async</span> <span class="nx">createOrUpdatePlant</span><span class="p">(</span><span class="nx">plant</span><span class="p">:</span> <span class="nx">PlantModel</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DynamoStore</span><span class="p">(</span><span class="nx">PlantModel</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">dynamoDb</span><span class="p">);</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nx">put</span><span class="p">(</span><span class="nx">plant</span><span class="p">).</span><span class="nx">execFullResponse</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nx">deletePlant</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DynamoStore</span><span class="p">(</span><span class="nx">PlantModel</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">dynamoDb</span><span class="p">);</span> <span class="k">return</span> <span class="nx">store</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="na">PartitionKey</span><span class="p">:</span> <span class="nx">id</span> <span class="p">}).</span><span class="nx">exec</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nx">getPlant</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">PlantModel</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DynamoStore</span><span class="p">(</span><span class="nx">PlantModel</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">dynamoDb</span><span class="p">);</span> <span class="k">return</span> <span class="nx">store</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="nx">id</span><span class="p">).</span><span class="nx">exec</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>model/plant.type.ts</code> file which represents our plant model annotated with the necessary decorators so that they will appear in our GraphQL Schema. It is good to provide an ID field type for every model, because this helps Apollo when identifying unique objects for it's caching mechanism.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PlantInterface</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../interface/plant.interface</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Field</span><span class="p">,</span> <span class="nx">Float</span><span class="p">,</span> <span class="nx">ID</span><span class="p">,</span> <span class="nx">ObjectType</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">type-graphql</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">ObjectType</span><span class="p">(</span><span class="dl">'</span><span class="s1">PlantType</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Object representing a plant</span><span class="dl">'</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">PlantType</span> <span class="k">implements</span> <span class="nx">PlantInterface</span> <span class="p">{</span> <span class="p">@</span><span class="nd">Field</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">ID</span><span class="p">)</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">@</span><span class="nd">Field</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">)</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">@</span><span class="nd">Field</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">,</span> <span class="p">{</span> <span class="na">nullable</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="nx">description</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">@</span><span class="nd">Field</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">Float</span><span class="p">)</span> <span class="nx">createdAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">@</span><span class="nd">Field</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">Float</span><span class="p">)</span> <span class="nx">updatedAt</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Last but not least we need to update our resolver so that it will actually use the new models and is able to read from the database. I renamed the resolver and put it in in a file <code>resolver/plant.resolver.ts</code>. Instead of returning a string now, our new query <code>getPlant</code> will return a list of plants from dynamodb.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> </code></pre> </div> <p>If you like me did also update the name of the resolver from last time, make sure to update the name also in our <code>handler/serverless-api.ts</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const schema = buildSchemaSync({ resolvers: [PlantLibraryResolver], container: Container, validate: { forbidUnknownValues: false }, dateScalarMode: 'timestamp', }); </code></pre> </div> <p>Now we can build and deploy our api again using <code>nx build serverless-api &amp;&amp; nx deploy serverless-cdk --profile serverless-hero</code>.</p> <p>When we open our Apollo Playground this time we will see the updated query:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--7AUfglon--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ztq30mgsokz00x8ps98b.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--7AUfglon--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ztq30mgsokz00x8ps98b.png" alt="getPlants Query in Apollo Playground" width="578" height="748"></a></p> <p>And if you execute the query you will get an empty array, because we did not yet add any plants to our database, which can be returned. For this we will have a look at mutations in the next section.</p> <h2> Handling Mutations </h2> <p>In the realm of GraphQL, while queries allow us to fetch and read data, mutations empower us to modify data. Essentially, mutations are operations that can create, update, or delete data in our backend - be it a database or another data source.</p> <p>Understanding and implementing mutations is crucial for any application that requires dynamic user interactions. From adding a product to a shopping cart, updating user details, to deleting an old post, all these operations rely on mutations. It's through mutations we shape and reshape our data, creating a more interactive and responsive user experience.</p> <p>So let's create a mutation for adding a plant to our database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="dl">'</span><span class="s1">reflect-metadata</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Arg</span><span class="p">,</span> <span class="nx">Mutation</span><span class="p">,</span> <span class="nx">Query</span><span class="p">,</span> <span class="nx">Resolver</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">type-graphql</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PlantType</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../model/plant.type</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PlantRepository</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../repository/plant.repository</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">typedi</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PlantModel</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../model/plant.model</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Service</span><span class="p">()</span> <span class="p">@</span><span class="nd">Resolver</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">PlantLibraryResolver</span> <span class="p">{</span> <span class="kd">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">plantRepository</span><span class="p">:</span> <span class="nx">PlantRepository</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Query</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="nx">PlantType</span><span class="p">],</span> <span class="p">{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Returns a list of plants.</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="k">async</span> <span class="nx">getPlants</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">PlantType</span><span class="p">[]</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">plantRepository</span><span class="p">.</span><span class="nx">listPlants</span><span class="p">();</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Mutation</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">PlantType</span><span class="p">,</span> <span class="p">{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Add a new plant to the library.</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="k">async</span> <span class="nx">addPlant</span><span class="p">(</span> <span class="p">@</span><span class="nd">Arg</span><span class="p">(</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">)</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">@</span><span class="nd">Arg</span><span class="p">(</span><span class="dl">'</span><span class="s1">description</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">String</span><span class="p">,</span> <span class="p">{</span><span class="na">nullable</span><span class="p">:</span><span class="kc">true</span><span class="p">})</span> <span class="nx">description</span><span class="p">?:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">PlantType</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">plant</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">PlantModel</span><span class="p">();</span> <span class="nx">plant</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="nx">name</span><span class="p">;</span> <span class="nx">plant</span><span class="p">.</span><span class="nx">description</span> <span class="o">=</span> <span class="nx">description</span><span class="p">;</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">plantRepository</span><span class="p">.</span><span class="nx">createOrUpdatePlant</span><span class="p">(</span><span class="nx">plant</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We add a new function <code>addPlant</code> to the resolver and annotate it with the @Mutation decorator. The function will take two inputs a variable <code>name</code> of type string and an optional variable <code>description</code> of type string, in TypeGrapQL we need to add the <code>{nullable:true}</code> in the decorator to tell TypeGrapQL that the variable is optional.</p> <p>After deploying your last change with <code>nx build serverless-api &amp;&amp; nx deploy serverless-cdk --profile serverless-hero</code> you will now be able to use the mutation and add your first plant in the Apollo Playground:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--KGg0RWYD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/d148kunkdraquxbkb5h1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--KGg0RWYD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/d148kunkdraquxbkb5h1.png" alt="AddPlant Mutation in Apollo Playground" width="800" height="372"></a></p> <p>Now you can run your Query again and you will get an array with your new plant item. You did it, you have written your first mutation in a lambda function.</p> <h2> Conclusion </h2> <p>In this post, we delved into the essentials of interacting with a database using Apollo Server and DynamoDB, from setting up the database to querying data. We also introduced mutations, crucial operations for changing data, and explained their various use cases. </p> <p>We encourage you to apply what you've learned here to your own projects. Experiment with different types of queries, API integrations, and mutations. Dive deeper into error handling mechanisms and resolver optimization techniques. Remember, the best way to learn is by doing, so don't be afraid to get your hands dirty.</p> <p>Looking forward, get ready for our next deep-dive - into GraphQL subscriptions and the WebSocket gateway. This exciting topic will take our real-time data handling capabilities to the next level, further expanding the possibilities of what we can achieve with GraphQL and Apollo Server. Stay tuned!</p> <p><em>Hey there, dear readers! Just a quick heads-up: we're code whisperers, not Shakespearean poets, so we've enlisted the help of a snazzy AI buddy to jazz up our written word a bit. Don't fret, the information is top-notch, but if any phrases seem to twinkle with literary brilliance, credit our bot. Remember, behind every great blog post is a sleep-deprived developer and their trusty AI sidekick.</em></p> serverless aws typescript graphql Tanja Bayer Tue, 30 May 2023 20:16:22 +0000 https://forem.com/cubesoft/creating-a-simple-generator-for-nx-plugins-fp2 https://forem.com/cubesoft/creating-a-simple-generator-for-nx-plugins-fp2 <h2> Introduction </h2> <p>Welcome to the second blog post in our series on creating custom Nx plugins! This post targets developers who are familiar with the basics of the Nx ecosystem but have never built a plugin for Nx before. In this article, we'll dive deep into generators, learn how to set up a development environment, and create a simple generator for an Nx plugin. Let's get started!</p> <h3> Table of Contents </h3> <ol> <li>Deep Dive into Generators</li> <li>Setting Up the Development Environment</li> <li>Creating a Simple Generator</li> <li>Working with the Nx Devkit Tree</li> <li>Summary</li> </ol> <h2> Deep Dive into Generators </h2> <p>Nx Generators are an integral part of the Nx ecosystem, providing an interface for code generation and modification. They operate by reading and altering the Abstract Syntax Tree (AST) of your codebase, enabling precise and flexible modifications. This fine-grained control fosters creation of tailored development environments that reflect the unique needs of your project.</p> <p>At its core, a generator is a function that accepts a <code>Tree</code> and an options object. The <code>Tree</code> represents your filesystem, and you interact with it to make file changes. The options object carries the values provided by the user when invoking the generator.</p> <p>A fundamental concept in understanding Nx generators is their immutability. All changes you make to the <code>Tree</code> within a generator are staged, and not immediately applied. This staged approach allows changes to be grouped into an atomic commit, ensuring your filesystem stays in a consistent state even if the generator fails partway through execution.</p> <p>To create a custom generator, you define a generator function in a file named <code>generator.ts</code>. The function receives a host <code>Tree</code> and an options object. For complex generators, Nx provides the <code>generateFiles</code> utility. This powerful utility employs schematics-like template syntax to interpolate variables into file contents and filenames.</p> <p>For input control, Nx uses JSON Schema, allowing generators to accept complex inputs, validate them, and provide interactive prompts to the users. Defining a schema makes your generator self-documenting, as Nx can automatically generate descriptions, validations, and prompts based on it.</p> <p>Generators can invoke other generators, allowing code reuse and composition. Nx provides helper functions like <code>runTasksInSerial</code> or <code>runTasksInParallel</code> to manage the lifecycle of these generator executions.</p> <p>Testing generators is crucial, and Nx's virtual file system makes this easy. During tests, you can verify that the right changes are being applied without affecting your actual filesystem.</p> <p>In conclusion, Nx Generators provide a powerful way to automate your development tasks, creating a robust, repeatable, and efficient development workflow. </p> <h2> Setting Up the Development Environment </h2> <p>Creating an Nx workspace and a custom plugin begins by using the <code>create-nx-workspace</code> utility. Let's create a new workspace named <code>nx-tools</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npx create-nx-workspace@latest nx-tools </code></pre> </div> <p>Select "empty" when prompted for a preset to create a bare workspace.</p> <p>Now, incorporate the <code>@nx/nx-plugin</code> into your workspace. The <code>@nx/nx-plugin</code> furnishes essential tools for creating and managing Nx plugins.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> nx add @nx/nx-plugin </code></pre> </div> <p>With the Nx Plugin established, we'll now generate our custom plugin, named <code>nx-cdk</code>, in our workspace. This plugin will be designed to generate, build, and deploy AWS CDK projects, facilitating efficient development in our Nx monorepo.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> nx g @nx/nx-plugin:plugin nx-cdk </code></pre> </div> <p>This command creates a new plugin with the name <code>nx-cdk</code> and provides the preliminary code and configuration.</p> <p>Finally, open your freshly created workspace in your preferred code editor. For Visual Studio Code users, this can be done with:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> code nx-tools </code></pre> </div> <p>With these steps completed, your development environment is primed for crafting your <code>nx-cdk</code> plugin.</p> <h2> Creating a Simple Generator for our nx-cdk Plugin </h2> <p>Now that the development environment for <code>nx-tools</code> is set up, we can begin with creating a simple generator for our <code>nx-cdk</code> plugin. The generator will help scaffold AWS CDK applications.</p> <p>Nx Devkit provides a built-in schematic to help generate the boilerplate for our generator. Run the following command to create the generator:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> nx g @nrwl/nx-plugin:generator NxCdk <span class="nt">--project</span><span class="o">=</span>nx-cdk </code></pre> </div> <p>This command does several things:</p> <ol> <li>It adds a new generator named <code>nx-cdk</code> in the <code>nx-cdk</code> plugin.</li> <li>It creates a new <code>nx-cdk</code> directory inside the generators directory of our nx-cdk plugin.</li> <li>Inside the <code>generators/nx-cdk</code> directory, it creates a <code>generator.ts</code> file which is the main file for our generator, a <code>generator.spec.ts</code> file which contains the test cases for our generator, a <code>schema.json</code> file which will be used to define the options for our generator and a <code>schema.d.ts</code> file containing the interface definition for our schema.</li> </ol> <p>Open the <code>schema.json</code> and modify the content as per your requirements:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://json-schema.org/schema"</span><span class="err">,</span><span class="w"> </span><span class="nl">"$id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NxCdk"</span><span class="err">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="err">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"object"</span><span class="err">,</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"$default"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"$source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"argv"</span><span class="p">,</span><span class="w"> </span><span class="nl">"index"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"x-prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"What name would you like to use?"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Add tags to the project (used for linting)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"alias"</span><span class="p">:</span><span class="w"> </span><span class="s2">"t"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"directory"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"A directory where the project is placed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"alias"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="err">,</span><span class="w"> </span><span class="nl">"required"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"name"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Next, update the <code>generator.ts</code> file with the code to scaffold a new AWS CDK project in your workspace:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">readFileSync</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">resolve</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">GeneratorCallback</span><span class="p">,</span> <span class="nx">Tree</span><span class="p">,</span> <span class="nx">addDependenciesToPackageJson</span><span class="p">,</span> <span class="nx">addProjectConfiguration</span><span class="p">,</span> <span class="nx">formatFiles</span><span class="p">,</span> <span class="nx">generateFiles</span><span class="p">,</span> <span class="nx">getWorkspaceLayout</span><span class="p">,</span> <span class="nx">names</span><span class="p">,</span> <span class="nx">offsetFromRoot</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nx/devkit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">jestProjectGenerator</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nx/jest</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Linter</span><span class="p">,</span> <span class="nx">lintProjectGenerator</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nx/linter</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">runTasksInSerial</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nx/workspace/src/utilities/run-tasks-in-serial</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">awsCdkLibVersion</span><span class="p">,</span> <span class="nx">awsCdkVersion</span><span class="p">,</span> <span class="nx">constructsVersion</span><span class="p">,</span> <span class="nx">sourceMapSupportVersion</span><span class="p">,</span> <span class="nx">tsJestVersion</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../utils/versions</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">addJestPlugin</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./lib/add-jest-plugin</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">addLinterPlugin</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./lib/add-linter-plugin</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NxCdkGeneratorSchema</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./schema</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">NormalizedSchema</span> <span class="kd">extends</span> <span class="nx">NxCdkGeneratorSchema</span> <span class="p">{</span> <span class="nl">projectName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">projectRoot</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">projectDirectory</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">parsedTags</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">normalizeOptions</span><span class="p">(</span><span class="nx">tree</span><span class="p">:</span> <span class="nx">Tree</span><span class="p">,</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">NxCdkGeneratorSchema</span><span class="p">):</span> <span class="nx">NormalizedSchema</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nf">names</span><span class="p">(</span><span class="nx">options</span><span class="p">.</span><span class="nx">name</span><span class="p">).</span><span class="nx">fileName</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">projectDirectory</span> <span class="o">=</span> <span class="nx">options</span><span class="p">.</span><span class="nx">directory</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nf">names</span><span class="p">(</span><span class="nx">options</span><span class="p">.</span><span class="nx">directory</span><span class="p">).</span><span class="nx">fileName</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="nx">name</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">projectName</span> <span class="o">=</span> <span class="nx">projectDirectory</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="k">new</span> <span class="nc">RegExp</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">g</span><span class="dl">'</span><span class="p">),</span> <span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">projectRoot</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nf">getWorkspaceLayout</span><span class="p">(</span><span class="nx">tree</span><span class="p">).</span><span class="nx">appsDir</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">projectDirectory</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">parsedTags</span> <span class="o">=</span> <span class="nx">options</span><span class="p">.</span><span class="nx">tags</span> <span class="p">?</span> <span class="nx">options</span><span class="p">.</span><span class="nx">tags</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">).</span><span class="nf">map</span><span class="p">((</span><span class="nx">s</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">s</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="p">:</span> <span class="p">[];</span> <span class="k">return</span> <span class="p">{</span> <span class="p">...</span><span class="nx">options</span><span class="p">,</span> <span class="nx">projectName</span><span class="p">,</span> <span class="nx">projectRoot</span><span class="p">,</span> <span class="nx">projectDirectory</span><span class="p">,</span> <span class="nx">parsedTags</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">addFiles</span><span class="p">(</span><span class="nx">tree</span><span class="p">:</span> <span class="nx">Tree</span><span class="p">,</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">NormalizedSchema</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">templateOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">options</span><span class="p">,</span> <span class="p">...</span><span class="nf">names</span><span class="p">(</span><span class="nx">options</span><span class="p">.</span><span class="nx">name</span><span class="p">),</span> <span class="na">offsetFromRoot</span><span class="p">:</span> <span class="nf">offsetFromRoot</span><span class="p">(</span><span class="nx">options</span><span class="p">.</span><span class="nx">projectRoot</span><span class="p">),</span> <span class="na">template</span><span class="p">:</span> <span class="dl">''</span> <span class="p">};</span> <span class="nf">generateFiles</span><span class="p">(</span><span class="nx">tree</span><span class="p">,</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">files</span><span class="dl">'</span><span class="p">),</span> <span class="nx">options</span><span class="p">.</span><span class="nx">projectRoot</span><span class="p">,</span> <span class="nx">templateOptions</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">tree</span><span class="p">:</span> <span class="nx">Tree</span><span class="p">,</span> <span class="nx">options</span><span class="p">:</span> <span class="nx">NxCdkGeneratorSchema</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tasks</span><span class="p">:</span> <span class="nx">GeneratorCallback</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">normalizedOptions</span> <span class="o">=</span> <span class="nf">normalizeOptions</span><span class="p">(</span><span class="nx">tree</span><span class="p">,</span> <span class="nx">options</span><span class="p">);</span> <span class="nf">addProjectConfiguration</span><span class="p">(</span><span class="nx">tree</span><span class="p">,</span> <span class="nx">normalizedOptions</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="p">{</span> <span class="na">root</span><span class="p">:</span> <span class="nx">normalizedOptions</span><span class="p">.</span><span class="nx">projectRoot</span><span class="p">,</span> <span class="na">projectType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application</span><span class="dl">'</span><span class="p">,</span> <span class="na">sourceRoot</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">normalizedOptions</span><span class="p">.</span><span class="nx">projectRoot</span><span class="p">}</span><span class="s2">/src`</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">{</span> <span class="na">bootstrap</span><span class="p">:</span> <span class="p">{</span> <span class="na">executor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@myorg/nx-cdk:bootstrap</span><span class="dl">'</span> <span class="p">},</span> <span class="na">deploy</span><span class="p">:</span> <span class="p">{</span> <span class="na">executor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@myorg/nx-cdk:deploy</span><span class="dl">'</span> <span class="p">},</span> <span class="na">destroy</span><span class="p">:</span> <span class="p">{</span> <span class="na">executor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@myorg/nx-cdk:destroy</span><span class="dl">'</span> <span class="p">},</span> <span class="na">diff</span><span class="p">:</span> <span class="p">{</span> <span class="na">executor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@myorg/nx-cdk:diff</span><span class="dl">'</span> <span class="p">},</span> <span class="na">ls</span><span class="p">:</span> <span class="p">{</span> <span class="na">executor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@myorg/nx-cdk:ls</span><span class="dl">'</span> <span class="p">},</span> <span class="na">synth</span><span class="p">:</span> <span class="p">{</span> <span class="na">executor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@myorg/nx-cdk:synth</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">normalizedOptions</span><span class="p">.</span><span class="nx">parsedTags</span> <span class="p">});</span> <span class="nf">addFiles</span><span class="p">(</span><span class="nx">tree</span><span class="p">,</span> <span class="nx">normalizedOptions</span><span class="p">);</span> <span class="nx">tasks</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nf">addJestPlugin</span><span class="p">(</span><span class="nx">tree</span><span class="p">));</span> <span class="nx">tasks</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nf">addLinterPlugin</span><span class="p">(</span><span class="nx">tree</span><span class="p">));</span> <span class="nx">tasks</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nf">addDependencies</span><span class="p">(</span><span class="nx">tree</span><span class="p">));</span> <span class="k">await</span> <span class="nf">lintProjectGenerator</span><span class="p">(</span><span class="nx">tree</span><span class="p">,</span> <span class="p">{</span> <span class="na">project</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">skipFormat</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">linter</span><span class="p">:</span> <span class="nx">Linter</span><span class="p">.</span><span class="nx">EsLint</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">jestProjectGenerator</span><span class="p">(</span><span class="nx">tree</span><span class="p">,</span> <span class="p">{</span> <span class="na">project</span><span class="p">:</span> <span class="nx">options</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">setupFile</span><span class="p">:</span> <span class="dl">'</span><span class="s1">none</span><span class="dl">'</span><span class="p">,</span> <span class="na">skipSerializers</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">testEnvironment</span><span class="p">:</span> <span class="dl">'</span><span class="s1">node</span><span class="dl">'</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">ignoreCdkOut</span><span class="p">(</span><span class="nx">tree</span><span class="p">);</span> <span class="k">await</span> <span class="nf">formatFiles</span><span class="p">(</span><span class="nx">tree</span><span class="p">);</span> <span class="k">return</span> <span class="nf">runTasksInSerial</span><span class="p">(...</span><span class="nx">tasks</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">addDependencies</span><span class="p">(</span><span class="nx">tree</span><span class="p">:</span> <span class="nx">Tree</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">dependencies</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">devDependencies</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws-cdk</span><span class="dl">'</span><span class="p">:</span> <span class="nx">awsCdkVersion</span><span class="p">,</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">:</span> <span class="nx">awsCdkLibVersion</span><span class="p">,</span> <span class="na">constructs</span><span class="p">:</span> <span class="nx">constructsVersion</span><span class="p">,</span> <span class="dl">'</span><span class="s1">source-map-support</span><span class="dl">'</span><span class="p">:</span> <span class="nx">sourceMapSupportVersion</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ts-jest</span><span class="dl">'</span><span class="p">:</span> <span class="nx">tsJestVersion</span> <span class="p">};</span> <span class="k">return</span> <span class="nf">addDependenciesToPackageJson</span><span class="p">(</span><span class="nx">tree</span><span class="p">,</span> <span class="nx">dependencies</span><span class="p">,</span> <span class="nx">devDependencies</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">ignoreCdkOut</span><span class="p">(</span><span class="nx">tree</span><span class="p">:</span> <span class="nx">Tree</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ignores</span> <span class="o">=</span> <span class="nf">readFileSync</span><span class="p">(</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">tree</span><span class="p">.</span><span class="nx">root</span><span class="p">,</span> <span class="dl">'</span><span class="s1">.gitignore</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">encoding</span><span class="p">:</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span> <span class="p">}).</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">ignores</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">cdk.out</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">ignores</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1"># AWS CDK</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cdk.out</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="p">}</span> <span class="nx">tree</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">./.gitignore</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ignores</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>Here's the explanation of what the <code>generator.ts</code> file does:</p> <ol> <li> <code>NormalizedSchema</code> Interface: A TypeScript interface is defined that extends the NxCdkGeneratorSchema interface from <code>schema.d.ts</code>. It adds properties like <code>projectName</code>, <code>projectRoot</code>, <code>projectDirectory</code>, and <code>parsedTags</code>.</li> <li> <code>normalizeOptions</code> Function: It accepts a Tree and generator options and returns the options after performing transformations like naming conventions, file path conventions, and tag parsing.</li> <li> <code>addFiles</code> Function: This function generates files from the provided template and places them in the project directory.</li> <li>The Main Generator Function: It's an async function that performs several tasks: <ul> <li>Normalize the options using the <code>normalizeOptions</code> function.</li> <li>Add project configuration using the <code>addProjectConfiguration</code> function.</li> <li>Generate files using the <code>addFiles</code> function.</li> <li>Add Jest and Linter plugins to the Nx tree.</li> <li>Add dependencies to the <code>package.json</code> file using the <code>addDependenciesToPackageJson</code> function.</li> <li>Setup Jest and ESLint for the newly generated project.</li> <li>Ignore the <code>cdk.out</code> directory in <code>.gitignore</code>.</li> <li>Finally, format all the generated files. 5 <code>addDependencies</code> Function: Adds dependencies required for the AWS CDK project, like <code>aws-cdk</code>, <code>aws-cdk-lib</code>, <code>constructs</code>, <code>source-map-support</code>, and <code>ts-jest</code> to the <code>devDependencies</code> of <code>package.json</code>.</li> </ul> </li> <li> <code>ignoreCdkOut</code> Function: Reads the <code>.gitignore</code> file and checks if 'cdk.out' is included in the ignore list. If not, it adds 'cdk.out' to the list, which prevents the generated AWS CDK output files from being tracked by git.</li> </ol> <p>The <code>schema.d.ts</code> file is where we define the TypeScript interface for our generator options. This interface helps TypeScript to understand the structure of the options and provide type checking. In our case, the interface for the <code>NxCdkGeneratorSchema</code> should look like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">NxCdkGeneratorSchema</span> <span class="p">{</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">tags</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">directory</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This TypeScript interface aligns with the <code>schema.json</code> file and provides a typed way of accessing the generator options.</p> <p>Testing is a critical part of any software development, and Nx generators are not an exception. Nx provides a built-in way to test generators using Jest. When we created our <code>NxCdk</code> generator, Nx also created a <code>generator.spec.ts</code> file in the <code>nx-cdk</code> directory. This is a test specification file for our generator.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">Tree</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nrwl/devkit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">testingUtils</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../../utils/testing</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">generator</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./generator</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NxCdkGeneratorSchema</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./schema</span><span class="dl">'</span><span class="p">;</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">myCdkApp generator</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="na">appTree</span><span class="p">:</span> <span class="nx">Tree</span><span class="p">;</span> <span class="kd">const</span> <span class="na">options</span><span class="p">:</span> <span class="nx">NxCdkGeneratorSchema</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span> <span class="p">};</span> <span class="nf">beforeEach</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">appTree</span> <span class="o">=</span> <span class="nx">testingUtils</span><span class="p">.</span><span class="nf">createEmptyWorkspace</span><span class="p">(</span><span class="nx">Tree</span><span class="p">.</span><span class="nf">empty</span><span class="p">());</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should run successfully</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span> <span class="nf">generator</span><span class="p">(</span><span class="nx">appTree</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">).</span><span class="nx">resolves</span><span class="p">.</span><span class="nx">not</span><span class="p">.</span><span class="nf">toThrowError</span><span class="p">();</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>In this test case, we first create an empty Nx workspace. We then run our generator with a given set of options. The <code>expect</code> function is then used to assert that our generator should run without throwing any errors.</p> <h2> Working with the Nx Devkit Tree </h2> <p>The Nx Devkit <code>Tree</code> object represents the workspace's file system. It allows you to read, write, and manipulate files and directories. In our simple generator, we use the <code>generateFiles</code> function to create files from templates located in the <code>./files</code> directory.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5qrh4rbwn5m34fkj03ty.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5qrh4rbwn5m34fkj03ty.png" alt="File templates in files directory"></a></p> <h2> Registering the Generator </h2> <p>Register the generator in <code>nx-cdk/generators.json</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"><br> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"<a href="http://json-schema.org/schema" rel="noopener noreferrer">http://json-schema.org/schema</a>"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nx-cdk"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.0.1"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"generators"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"><br> </span><span class="nl">"nx-cdk"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"><br> </span><span class="nl">"factory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./src/generators/nx-cdk/generator"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./src/generators/nx-cdk/schema.json"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nx-cdk generator"</span><span class="w"><br> </span><span class="p">}</span><span class="w"><br> </span><span class="p">}</span><span class="w"><br> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> <br> <br> <br> Summary<br> </h2> <p>The blog post provides an in-depth guide on creating a simple generator for Nx plugins. It introduces the Nx ecosystem and the concept of generators, functions that manipulate your codebase via the Abstract Syntax Tree (AST). The key idea is the immutability of generators, where changes are staged and grouped into atomic commits for filesystem consistency.</p> <p>The post presents a step-by-step tutorial on setting up an Nx workspace and crafting a custom Nx plugin. This involves creating a new workspace, incorporating the @nx/nx-plugin, generating a custom plugin, and opening the workspace in your code editor.</p> <p>The main tutorial focuses on creating a generator for an nx-cdk plugin designed to generate, build, and deploy AWS CDK projects. This process includes running commands to create the generator, modifying the schema.json file to fit your requirements, and updating the generator.ts file with code to scaffold a new AWS CDK project.</p> <p>Alright, you've made it this far and hopefully enjoyed the ride. The next stop on our journey will be implementing an executor. So grab some popcorn and stay tuned - I promise it will be just as fun, if not more! See you next time, folks!</p> <p><em>Hey there, dear readers! Just a quick heads-up: we're code whisperers, not Shakespearean poets, so we've enlisted the help of a snazzy AI buddy to jazz up our written word a bit. Don't fret, the information is top-notch, but if any phrases seem to twinkle with literary brilliance, credit our bot. Remember, behind every great blog post is a sleep-deprived developer and their trusty AI sidekick.</em></p> nx plugins typescript Tanja Bayer Tue, 16 May 2023 20:07:11 +0000 https://forem.com/cubesoft/zero-to-serverless-hero-setting-up-your-apollo-server-with-typegraphql-4ige https://forem.com/cubesoft/zero-to-serverless-hero-setting-up-your-apollo-server-with-typegraphql-4ige <p>Welcome back to the second part of the <em>Zero to Serverless Hero Series</em>. In this blog post I will cover how you can configure your lambda to handle GraphQL queries.</p> <p>If you are not yet familiar with how GraphQL works, I would recommend you to read the <a href="https://graphql.org/learn/" rel="noopener noreferrer">GraphQL Documentation</a>. </p> <h2> Getting Started </h2> <p>For implementing the GraphQL schemas we will be using <a href="https://typegraphql.com/" rel="noopener noreferrer">TypeGraphQL</a> because this gives us an easy to understand and maintainable way to implement the GraphQL schema by using decorators. As of the time of writing the support for Apollo v4 version is still in beta, nevertheless, we will use the beta, because Apollo v3 is already deprecated. So let’s install it, along with the aws-lambda package which we will need <code>npm i type-graphql@2.0.0-beta.1 aws-lambda</code>. For building and deploying the lambda we will additionally install the following package as dev dependencies: <code>npm i -D @cubesoft/nx-lambda-build depcheck</code>.</p> <h2> Creating the Lambda Handler </h2> <p>In the last blog post we used inline code for our lambda handler. However, that should be only done only for testing or if you have pretty small functions, because you loose a lot of code maintainability there. So first we will put our lambda code into a separate file called <code>serverless-api.ts</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> typescript import { APIGatewayProxyEventV2, Context } from 'aws-lambda'; export async function handler(event: APIGatewayProxyEventV2, context: Context) { console.log('Hello, CDK!'); return { statusCode: 200, body: JSON.stringify('Hello from Lambda!'), }; } </code></pre> </div> <p>Then we need to tell the cdk how to find the code. Therefore, we need to change the lambda part in our stack (<code>serverless-stack.ts</code>):</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> typescript const lambda = new Function(this, 'api-handler', { runtime: Runtime.NODEJS_18_X, handler: 'serverless-api.handler', functionName: 'serverless-api', code: Code.fromAsset( join( getWorkspaceRoot(), 'dist/packages/serverless-api/serverless-api', 'handler.zip' ) ), memorySize: Size.gibibytes(1).toMebibytes(), architecture: Architecture.ARM_64, logRetention: RetentionDays.ONE_DAY, timeout: Duration.seconds(5), }); </code></pre> </div> <p>Additionally we also need to tell the nx-lambda-build plugin where our handler will be located. Therefore, we need to create a file called <code>serverless-api/src/handlers.json</code> to create a mapping between the handler name and the code location:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"entrypoints"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"serverless-api"</span><span class="p">:</span><span class="w"> </span><span class="s2">"src/handler/serverless-api"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Before updating our lambda to be able to function as a GraphQL server, we first want to check if what we did so far is functioning. Because it is much easier to test smaller changes and fixing errors right after they occur, instead of searching for the problem in a whole stack of changes. For testing our lambda we first need to build it and then deploy it:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash nx build serverless-api nx deploy serverless-cdk --profile &lt;your-profile&gt; </code></pre> </div> <p>You need to confirm that you want to deploy the changes and afterwards you can check, that your /graphql endpoint still returns <code>"Hello from Lambda!"</code>. If you go to your AWS Console and open your lambda function (Lambda &gt; Functions &gt; serverless-api), you will also see that your code is now deployed:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fagu7eluqkfqfl8d8a6nc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fagu7eluqkfqfl8d8a6nc.png" alt="AWS Lambda Console View"></a></p> <h2> Configuring the Apollo Server </h2> <p>We need to install some dependency for using the Apollo server <code>npm i -S typedi reflect-metadata @apollo/server graphql reflect-metadata @as-integrations/aws-lambda</code>. After installing these dependencies we can start creating our first resolver, which we can later pass to our Apollo Server, which we will create in the next step.</p> <p>We will stick with our easy lambda example and for the beginning and start with an easy query that will just return a message.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> typescript import { Query, Resolver } from 'type-graphql'; import { Service } from 'typedi'; @Service() @Resolver() export class GreetingResolver { @Query(() =&gt; String, { description: 'Returns a greeting message. This is a sample query that returns a string', }) async hello(): Promise&lt;string&gt; { return 'world'; } } </code></pre> </div> <p>Make sure to add both the <code>@Resolver</code> and the <code>@Query</code> decorator to your class. The <code>@Resolver</code> class is TypeGraphQL specific and is required to build the GraphQL schema from your implementation. The <code>@Query</code> decorator marks the class method as a GraphQL query.</p> <p>After we have created our resolver we can create the Apollo Server and a build a GraphQL schema including our resolver. For this we replace the content of our <code>serverless.api.ts</code> file with the following code.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> typescript import 'reflect-metadata'; import { ApolloServer } from '@apollo/server'; import 'graphql'; import { buildSchemaSync } from 'type-graphql'; import { handlers, startServerAndCreateLambdaHandler, } from '@as-integrations/aws-lambda'; import { GreetingResolver } from '../resolver/greeting.resolver'; const schema = buildSchemaSync({ resolvers: [GreetingResolver], validate: { forbidUnknownValues: false }, dateScalarMode: 'timestamp', }); const server = new ApolloServer({ schema: schema, introspection: true, csrfPrevention: true, }); export const handler = startServerAndCreateLambdaHandler( server, handlers.createAPIGatewayProxyEventV2RequestHandler() ); </code></pre> </div> <p>As you can see we tell our schema to use our newly created resolver. Afterward this schema is injected into the Apollo Server and as a last part we create the handler to tell our lambda how to execute our calls.</p> <h2> Deploy your stack </h2> <p>Finally, you can build and deploy your CDK stack using the command <code>nx build serverless-api &amp;&amp; nx deploy serverless-cdk --profile serverless-hero</code>. If you open your browser this time using the same url as last time (/graphql) you will no longer see the message "Hello from Lambda!" but you will see the apollo playground like in the image below. Now you have a GraphQL lambda hander, it only supports one simple query but this is a good starting point, isn’t it? </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzfixrgacvb5j6ymlyqqd.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzfixrgacvb5j6ymlyqqd.png" alt="Apollo Playground"></a></p> <p>Next time we will setup a database for storing and retrieving data for your application.</p> <p>You can find my sample repo <a href="https://github.com/TanjaBayer/Zero-to-Serverless-Hero" rel="noopener noreferrer">here</a></p> serverless aws typescript graphql Tanja Bayer Tue, 09 May 2023 20:42:41 +0000 https://forem.com/cubesoft/introduction-to-nx-plugins-and-nx-devkit-hhm https://forem.com/cubesoft/introduction-to-nx-plugins-and-nx-devkit-hhm <p>Welcome to the first blog post in our series on creating custom Nx plugins! This post targets developers who are familiar with the basics of the Nx ecosystem but have never built a plugin for Nx before. In this article, we'll explore the importance of Nx plugins, introduce the Nx Devkit, and discuss the core concepts and basic structure of an Nx plugin. Let's dive in!</p> <h2> Table of Contents: </h2> <ol> <li>Why Nx Plugins Matter</li> <li>The Nx Devkit</li> <li>Core Concepts of Nx Devkit</li> <li>The Basic Structure of an Nx Plugin</li> <li>Summary</li> </ol> <h2> Why Nx Plugins Matter </h2> <p>Nx plugins play a crucial role in the Nx ecosystem, as they extend the functionality of an Nx workspace. By creating custom Nx plugins, developers can tailor the Nx experience to their specific project requirements, streamline workflows, and enhance productivity. Moreover, Nx plugins can be shared as npm packages or directly referenced within a single repo, allowing developers to leverage the power of the Nx community and build on the work of others.</p> <h2> The Nx Devkit </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0tu0pfaamafr8fr6kk1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0tu0pfaamafr8fr6kk1.png" alt="Image description"></a><br> The Nx Devkit is the foundation for creating Nx plugins. It provides a simple and powerful API for creating generators and executors, which are the primary building blocks of Nx plugins. By using the Nx Devkit, developers can write custom code that seamlessly integrates with the underlying Nx core and benefits from its powerful features, such as computation caching and code generation.</p> <h2> Core Concepts of Nx Devkit </h2> <p>The Nx Devkit is based on a few core concepts:</p> <ol> <li> <strong>Executors</strong>: Executors are responsible for running tasks within an Nx workspace. They define how a specific task should be executed, such as building, testing, or deploying an application.</li> <li> <strong>Generators</strong>: Generators are responsible for generating code or modifying the workspace structure based on predefined templates and user input. They simplify repetitive tasks and enforce best practices.</li> <li> <strong>Language Primitives and Immutable Objects</strong>: The Nx Devkit relies on language primitives and immutable objects, with the tree being the only exception. This simplicity makes the Devkit easy to understand and work with.</li> </ol> <p>The Nx Devkit offers a set of core APIs and utilities to help developers get started with their plugin:</p> <ol> <li> <code>Tree</code>: An in-memory file system representation that allows for manipulating files and directories in the workspace. It is used by generators to make changes to the workspace.</li> <li> <code>ProjectConfiguration</code>: A utility for managing project configuration in an Nx workspace.</li> <li> <code>runExecutor</code>: A function for running executors programmatically, useful for testing.</li> <li> <code>readJson</code>: A utility for reading JSON files in the workspace.</li> <li> <code>writeJson</code>: A utility for writing JSON files in the workspace.</li> <li> <code>generateFiles</code>: A utility for generating files from templates.</li> </ol> <p>These tools make it easier for developers to create and test Nx plugins while ensuring compatibility with the Nx ecosystem.</p> <h2> The Basic Structure of an Nx Plugin </h2> <p>An Nx plugin consists of the following main components:</p> <ol> <li> <code>executors.json</code>: This file registers executors in the plugin.</li> <li> <code>generators.json</code>: This file registers generators in the plugin.</li> <li> <code>src/</code>: This directory contains the source code for the plugin's executors and generators.</li> <li> <code>package.json</code>: Contains references to the generators and executors schematics.</li> </ol> <p>Example of a simple package.json:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"><br> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"@org/my-custom-plugin"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"src/index.js"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"generators"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./generators.json"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"executors"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./executors.json"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"devDependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"><br> </span><span class="err">...</span><span class="w"><br> </span><span class="p">},</span><span class="w"><br> </span><span class="nl">"peerDependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"><br> </span><span class="err">...</span><span class="w"><br> </span><span class="p">}</span><span class="w"><br> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> <br> <br> <br> Summary<br> </h2> <p>In this introductory blog post, we've covered the importance of Nx plugins, introduced the Nx Devkit, and discussed the core concepts of the Nx Devkit. We also looked at the basic structure of an Nx plugin. In the next blog post, we'll dive deeper into generators and guide you through creating a simple generator step by step. Stay tuned!</p> nx plugins typescript devrel Tanja Bayer Tue, 02 May 2023 16:00:00 +0000 https://forem.com/cubesoft/zero-to-serverless-hero-setting-up-your-environment-for-a-serverless-graphql-api-on-aws-lambda-45hh https://forem.com/cubesoft/zero-to-serverless-hero-setting-up-your-environment-for-a-serverless-graphql-api-on-aws-lambda-45hh <p>Serverless is cool and can save you a lot of money, because you do not have servers running all the time, only when someone wants to use your service - an that is also good for our environment, isn't it? But when you want to start with serverless the amount of documentation might be really overwhelming and you might not know where to start. This blog posts series should help you getting an easy entry into the topic. It will cover the process of constructing a fully serverless GraphQL API, which will include queries, mutations, and subscriptions. The deployment of this API will be accomplished through the use of the AWS CDK. </p> <p>In this first part we will do the initial setup using the AWS CDK and build an initial version with the AWS Api Gateway and AWS Lambda.</p> <h2> Getting Started </h2> <p>First of all we will be doing everything as code so that it can be reused and easily adapted to future needs. We assume you already have an AWS account and setup your AWS CLI with your credentials. If you did not do this yet, create a account following the <a href="https://docs.aws.amazon.com/SetUp/latest/UserGuide/setup-AWSsignup.html">AWS User Guide</a> and setup your CLI following the <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html">Getting started with the AWS CLI</a> and the user guide on <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles">Configuration and credential file settings</a>.</p> <p>So lets start setting up our project and creating our lambda function with the CDK.</p> <h3> Create a Workspace and your Project </h3> <p>First things first, setup the repo. We will be using nx to create a monorepo to have all our code in one place. Run <code>npx create-nx-workspace@latest serverless-hero --preset=ts</code> and follow the steps and confirm the request to install the necessary packages. Now we have our repo let's setup our package: <code>npm i @nx/node &amp;&amp; nx g @nx/node:application serverless-api</code>. When nx asks you which framework to install choose none.</p> <h3> Install the AWS CDK </h3> <p>For being able to use the CDK we first need to install it, for this run <code>npm i -D aws-cdk-lib</code> in the root of your newly created project.</p> <h3> Create the CDK App </h3> <p>For creating our cdk app as an nx package we will use the <a href="https://github.com/cubesoftorg/nx/tree/main/packages/nx-cdk">nx-cdk</a> package. First install the package with <code>npm i -D @nrwl/workspace &amp;&amp; npm i -D @cubesoft/nx-cdk</code> and then you can create your cdk app with <code>nx g @cubesoft/nx-cdk:nx-cdk serverless-cdk</code>. This creates a new package called serverless-cdk for us, for finishing the setup we need to provide the correct environment values in the serverless-cdk/src/app.ts file for account and region. And make sure the line in which you put it is uncommented. Then we need to run <code>nx bootstrap serverless-cdk --profile &lt;profile&gt;</code> (the profile parameter is only required if you have multiple profiles in your aws credentials file) and we are ready to go.</p> <h2> Defining the CDK Stack </h2> <p>Now that we have setup everything we can start with the interesting stuff. Let's have a quick look an what we want to achieve.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1bABQSmV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n1d2dpa28wwsq0lk54l3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1bABQSmV--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n1d2dpa28wwsq0lk54l3.png" alt="API Gateway Lambda Connection" width="569" height="111"></a><br> So there are two main parts we need to setup: </p> <ol> <li>The API Gateway</li> <li>The Lambda Function</li> </ol> <h3> The API Gateway </h3> <p>Let's start with the fun part, setting up the API Gateway<br> We will create a HTTP API because this comes at lower costs than the REST API, and we do not need the additional features of the REST API however if you are interested in the differences between both you can read more <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html">here</a>.</p> <p>In the serverless-cdk/src/lib/my-stack.ts you can add the add the HttpApi with the required configurations. Btw. you can also rename the my-stack file and the name of the Stack itself, I renamed it to ServerlessStack, but make sure you correctly reference it in your app.ts file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Stack</span><span class="p">,</span> <span class="nx">StackProps</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CorsHttpMethod</span><span class="p">,</span> <span class="nx">HttpApi</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-apigatewayv2-alpha</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">ServerlessStack</span> <span class="kd">extends</span> <span class="nx">Stack</span> <span class="p">{</span> <span class="kd">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">HttpApi</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">httpAPI</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">apiName</span><span class="p">:</span> <span class="s2">`http-api`</span><span class="p">,</span> <span class="na">corsPreflight</span><span class="p">:</span> <span class="p">{</span> <span class="na">allowHeaders</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">],</span> <span class="na">allowMethods</span><span class="p">:</span> <span class="p">[</span><span class="nx">CorsHttpMethod</span><span class="p">.</span><span class="nx">GET</span><span class="p">,</span> <span class="nx">CorsHttpMethod</span><span class="p">.</span><span class="nx">POST</span><span class="p">],</span> <span class="na">allowOrigins</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Make sure to install the <code>@aws-cdk/aws-apigatewayv2-alpha</code> package.</p> <p>To ensure that the API can later be called via a browser we need to provide the corsPreflight options, because we also want to also add authorisation functionality later we provide a specific 'Authorization' header, but you can add even more if you need them.</p> <h2> The Lambda Function </h2> <p>Now that we have the Gateway we can create the Lambda function. For this blog post we will create a really simple Lambda Function and we will focus on the GraphQL part in the next blog post.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Duration</span><span class="p">,</span> <span class="nx">Size</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Architecture</span><span class="p">,</span> <span class="nx">Code</span><span class="p">,</span> <span class="nb">Function</span><span class="p">,</span> <span class="nx">Runtime</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-lambda</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RetentionDays</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-logs</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">lambda</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span><span class="k">this</span><span class="p">,</span><span class="dl">'</span><span class="s1">api-handler</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_18_X</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">'</span><span class="s1">handler</span><span class="dl">'</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Code</span><span class="p">.</span><span class="nx">fromInline</span><span class="p">(</span><span class="s2">` exports.handler = async function(event) { console.log("Hello, CDK!"); return { statusCode: 200, body: JSON.stringify('Hello from Lambda!'), }; } `</span><span class="p">),</span> <span class="na">memorySize</span><span class="p">:</span> <span class="nx">Size</span><span class="p">.</span><span class="nx">gibibytes</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nx">toMebibytes</span><span class="p">(),</span> <span class="na">architecture</span><span class="p">:</span> <span class="nx">Architecture</span><span class="p">.</span><span class="nx">ARM_64</span><span class="p">,</span> <span class="na">logRetention</span><span class="p">:</span> <span class="nx">RetentionDays</span><span class="p">.</span><span class="nx">ONE_MONTH</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nx">seconds</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="p">});</span> </code></pre> </div> <p>This creates the Lambda Function, now we need to connect it with the API Gateway, so that someone can call it. For this you need to install <code>@aws-cdk/aws-apigatewayv2-integrations-alpha</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">HttpApi</span><span class="p">,</span> <span class="nx">HttpMethod</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-apigatewayv2-alpha</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">HttpLambdaIntegration</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-apigatewayv2-integrations-alpha</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">readIntegration</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">HttpLambdaIntegration</span><span class="p">(</span><span class="dl">'</span><span class="s1">apiReadIntegration</span><span class="dl">'</span><span class="p">,</span> <span class="nx">lambda</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">writeIntegration</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">HttpLambdaIntegration</span><span class="p">(</span><span class="dl">'</span><span class="s1">apiWriteIntegration</span><span class="dl">'</span><span class="p">,</span> <span class="nx">lambda</span><span class="p">);</span> <span class="nx">api</span><span class="p">.</span><span class="nx">addRoutes</span><span class="p">({</span> <span class="na">integration</span><span class="p">:</span> <span class="nx">readIntegration</span><span class="p">,</span> <span class="na">methods</span><span class="p">:</span> <span class="p">[</span><span class="nx">HttpMethod</span><span class="p">.</span><span class="nx">GET</span><span class="p">],</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/graphql</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">api</span><span class="p">.</span><span class="nx">addRoutes</span><span class="p">({</span> <span class="na">integration</span><span class="p">:</span> <span class="nx">writeIntegration</span><span class="p">,</span> <span class="na">methods</span><span class="p">:</span> <span class="p">[</span><span class="nx">HttpMethod</span><span class="p">.</span><span class="nx">POST</span><span class="p">],</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/graphql</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <h2> Deploy your stack </h2> <p>Finally, you can deploy your CDK stack using the command <code>nx deploy serverless-cdk</code>. And there you are, you have just created and deployed your first lambda function on AWS. When you visit your AWS Console and go to the AWS API Gateway you can find your invoke url which you can use to check if your deployed api works. Just open it in your browser /graphql and you should see the text <code>"Hello from Lambda!"</code>. You made it!</p> <p>You can find my sample repo <a href="https://github.com/TanjaBayer/Zero-to-Serverless-Hero">here</a></p> graphql aws typescript serverless