Bump to new netlify-functions package with better TypeScript defs, sh…

…ow metaprogramming for auth scope detection at runtime.

lib.ts

@@ -0,0 +1,21 @@
+// This function replaces all but the last four digits of a string with zeroes
+const sanitizeToken = (str: string, length = 16): string => {
+  const len = str.length;
+  const displayed = len > 4 ? str.substr(len - 4, len) : str;
+
+  const padLength = length - displayed.length;
+  return displayed.padStart(padLength, "*");
+};
+
+export const formatSecret = (secret: any): any => {
+  if (!secret) {
+    return;
+  }
+
+  return {
+    bearerToken: secret.bearerToken ? sanitizeToken(secret.bearerToken) : null,
+    friendlyServiceName: secret.friendlyServiceName,
+    service: secret.service,
+    grantedScopes: secret.grantedScopes?.map((scope: any) => scope.scope),
+  };
+};

netlify/functions/addIssueComment.ts

@@ -2,6 +2,8 @@ import { withSecrets } from "@sgrove/netlify-functions";
 import { Octokit } from "@octokit/core";
 import { restEndpointMethods } from "@octokit/plugin-rest-endpoint-methods";
 
+const sufficientScopes = ["public_repo", "repo"];
+
 export const handler = withSecrets(async (event, { secrets }) => {
   const issueComment = (
     event.queryStringParameters.comment || ""
@@ -31,6 +33,27 @@ export const handler = withSecrets(async (event, { secrets }) => {
     };
   }
 
+  const tokenHasScope = secrets.gitHub.grantedScopes?.some((grantedScope) =>
+    sufficientScopes.includes(grantedScope.scope)
+  );
+
+  // Libraries, applications, and packages can metaprogram checks at run time to make the DX
+  // buttery smooth for the end developers. Notice here how we tell the developer exactly what's missing.
+  // With just a bit more work, we could even link them directly into the dashboard to fix this in two clicks.
+  if (!tokenHasScope) {
+    return {
+      statusCode: 412,
+      body: JSON.stringify({
+        error: `You have enabled GitHub auth in your Authlify dashboard, but it's missing a required scope. The auth must have one (or both) of the scopes: ${sufficientScopes.join(
+          ", "
+        )}`,
+      }),
+      headers: {
+        "Content-Type": "application/json",
+      },
+    };
+  }
+
   const MyOctokit = Octokit.plugin(restEndpointMethods);
   const octokit = new MyOctokit({ auth: secrets.gitHub?.bearerToken });
 
@@ -43,7 +66,7 @@ export const handler = withSecrets(async (event, { secrets }) => {
 
   return {
     statusCode: 200,
-    body: JSON.stringify(result.data),
+    body: JSON.stringify(result),
     headers: {
       "Content-Type": "application/json",
     },

netlify/functions/conditionalSecrets.ts

@@ -1,13 +1,5 @@
 import { getSecrets, NetlifySecrets } from "@sgrove/netlify-functions";
-
-// This function replaces all but the last four digits of a string with zeroes
-const sanitizeToken = (str: string, length = 16): string => {
-  const len = str.length;
-  const displayed = len > 4 ? str.substr(len - 4, len) : str;
-
-  const padLength = length - displayed.length;
-  return displayed.padStart(padLength, "*");
-};
+import { formatSecret } from "../../lib";
 
 export const handler = async (event) => {
   const skipSecrets = event.queryStringParameters.skipSecrets === "true";
@@ -16,28 +8,13 @@ export const handler = async (event) => {
 
   if (!skipSecrets) {
     secrets = await getSecrets();
-    const { gitHub, salesforce, spotify } = secrets;
 
     // Sanitize the secrets before showing them to the user
     secrets = {
-      gitHub: {
-        ...gitHub,
-        bearerToken: gitHub?.bearerToken
-          ? sanitizeToken(gitHub.bearerToken)
-          : null,
-      },
-      salesforce: {
-        ...salesforce,
-        bearerToken: salesforce?.bearerToken
-          ? sanitizeToken(salesforce.bearerToken)
-          : null,
-      },
-      spotify: {
-        ...spotify,
-        bearerToken: spotify?.bearerToken
-          ? sanitizeToken(spotify.bearerToken)
-          : null,
-      },
+      gitHub: formatSecret(secrets.gitHub),
+      salesforce: formatSecret(secrets.salesforce),
+      spotify: formatSecret(secrets.spotify),
+      stripe: formatSecret(secrets.stripe),
     };
   }
 

netlify/functions/secrets.ts

@@ -1,37 +1,14 @@
 import { NetlifySecrets, withSecrets } from "@sgrove/netlify-functions";
-
-// This function replaces all but the last four digits of a string with zeroes
-const sanitizeToken = (str: string, length = 16): string => {
-  const len = str.length;
-  const displayed = len > 4 ? str.substr(len - 4, len) : str;
-
-  const padLength = length - displayed.length;
-  return displayed.padStart(padLength, "*");
-};
+import { formatSecret } from "../../lib";
 
 export const handler = withSecrets(async (event, { secrets }) => {
-  const { gitHub, salesforce, spotify } = secrets;
-
+  console.log("All secrets JSON: ", JSON.stringify(secrets, null, 2));
   // Sanitize the secrets before showing them to the user
   const sanitizedSecrets: NetlifySecrets = {
-    gitHub: {
-      ...gitHub,
-      bearerToken: gitHub?.bearerToken
-        ? sanitizeToken(gitHub.bearerToken)
-        : null,
-    },
-    salesforce: {
-      ...salesforce,
-      bearerToken: salesforce?.bearerToken
-        ? sanitizeToken(salesforce.bearerToken)
-        : null,
-    },
-    spotify: {
-      ...spotify,
-      bearerToken: spotify?.bearerToken
-        ? sanitizeToken(spotify.bearerToken)
-        : null,
-    },
+    gitHub: formatSecret(secrets.gitHub),
+    salesforce: formatSecret(secrets.salesforce),
+    spotify: formatSecret(secrets.spotify),
+    stripe: formatSecret(secrets.stripe),
   };
 
   return {

package.json

@@ -12,7 +12,7 @@
   "dependencies": {
     "@octokit/core": "^3.5.1",
     "@octokit/plugin-rest-endpoint-methods": "^5.5.2",
-    "@sgrove/netlify-functions": "^0.7.3-handle-secrets.3"
+    "@sgrove/netlify-functions": "^0.7.3-handle-secrets.7"
   },
   "devDependencies": {
     "@octokit/openapi-types": "^9.2.0",

public/index.html

@@ -0,0 +1 @@
+<h1>Hi there!</h1>