Merge pull request #658 from cornell-dti/matt/add-cert-to-env

Prepare Carriage for deployment

Author: mjaydenkim

frontend/public/_redirects

@@ -0,0 +1 @@
+/*  /index.html  200

frontend/src/components/AuthManager/AuthManager.tsx

@@ -75,13 +75,45 @@ const AuthManager = () => {
     }
   }, []);
 
+  // Common logic to complete login from a JWT issued by the backend
+  const completeLoginFromToken = (serverJWT: string) => {
+    setCookie('jwt', serverJWT);
+    const decoded: any = jwtDecode(serverJWT);
+    setId(decoded.id);
+    localStorage.setItem('userId', decoded.id);
+    localStorage.setItem('userType', decoded.userType);
+    setAuthToken(serverJWT);
+
+    // Refresh user data
+    const refreshFunc = createRefresh(decoded.id, decoded.userType, serverJWT);
+    refreshFunc();
+    setRefreshUser(() => refreshFunc);
+    setSignedIn(true);
+
+    // Navigate to appropriate dashboard based on userType
+    if (decoded.userType === 'Admin') {
+      navigate('/admin/home', { replace: true });
+    } else if (decoded.userType === 'Driver') {
+      navigate('/driver/rides', { replace: true });
+    } else if (decoded.userType === 'Rider') {
+      navigate('/rider/schedule', { replace: true });
+    } else {
+      // Invalid userType - this should never happen if backend is working correctly
+      setSsoError('Invalid user type received. Please contact support.');
+      logout();
+    }
+  };
+
   // SSO Callback handler - fetches profile and JWT after successful SSO login
-  const handleSSOCallback = async () => {
+  // This is now primarily a fallback for environments where server-side
+  // sessions are same-site (e.g., local development). In production, we
+  // prefer the stateless JWT passed via the URL query parameter.
+  const handleSSOCallback = async (event?: React.FormEvent<HTMLFormElement>) => {
     try {
       const response = await fetch(
         `${process.env.REACT_APP_SERVER_URL}/api/sso/profile`,
         {
-          credentials: 'include', // CRITICAL: Sends session cookie
+          credentials: 'include', // Send session cookie
         }
       );
 
@@ -93,40 +125,8 @@ const AuthManager = () => {
       const { user: ssoUser, token: serverJWT } = data;
 
       if (serverJWT && ssoUser) {
-        // Store JWT in encrypted cookie (matching Google OAuth pattern)
-        setCookie('jwt', serverJWT);
-
-        // Decode JWT to get user info
-        const decoded: any = jwtDecode(serverJWT);
-
-        // Set auth state
-        setId(decoded.id);
-        localStorage.setItem('userId', decoded.id);
-        localStorage.setItem('userType', decoded.userType);
-        setAuthToken(serverJWT);
-
-        // Refresh user data
-        const refreshFunc = createRefresh(
-          decoded.id,
-          decoded.userType,
-          serverJWT
-        );
-        refreshFunc();
-        setRefreshUser(() => refreshFunc);
-        setSignedIn(true);
-
-        // Navigate to appropriate dashboard based on userType
-        if (decoded.userType === 'Admin') {
-          navigate('/admin/home', { replace: true });
-        } else if (decoded.userType === 'Driver') {
-          navigate('/driver/rides', { replace: true });
-        } else if (decoded.userType === 'Rider') {
-          navigate('/rider/schedule', { replace: true });
-        } else {
-          // Invalid userType - this should never happen if backend is working correctly
-          setSsoError('Invalid user type received. Please contact support.');
-          logout();
-        }
+        // Reuse common JWT login logic
+        completeLoginFromToken(serverJWT);
       } else {
         setSsoError('Failed to complete SSO login. Please try again.');
         logout();
@@ -142,6 +142,7 @@ const AuthManager = () => {
   useEffect(() => {
     const authParam = searchParams.get('auth');
     const errorParam = searchParams.get('error');
+    const tokenParam = searchParams.get('token');
 
     if (errorParam) {
       // Handle user_not_found specially - fetch unregistered user info
@@ -185,8 +186,12 @@ const AuthManager = () => {
     }
 
     if (authParam === 'sso_success') {
-      // Fetch profile and JWT token from backend
-      handleSSOCallback();
+      if (tokenParam) {
+        completeLoginFromToken(tokenParam);
+      } else {
+        // Fallback to session-based profile fetch (useful for local dev)
+        handleSSOCallback();
+      }
     }
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [searchParams]);
@@ -248,6 +253,7 @@ const AuthManager = () => {
     deleteCookie('jwt');
     setAuthToken('');
     setSignedIn(false);
+    setRefreshUser(() => () => {});
     window.location.href = `${process.env.REACT_APP_SERVER_URL}/api/sso/logout`;
   }
 

server/src/auth/passport-sso.ts

@@ -10,10 +10,18 @@ interface SamlProfile extends Profile {
   email?: string;
 }
 
-// Load IdP certificate
+// Load IdP certificate, necessary to authenticate with Cornell's SSO/SAML system. Get from Cornell IT or ask a previous developer.
 const idpCertPath =
   process.env.SAML_IDP_CERT_PATH || './config/cornell-idp-test.crt';
-const idpCert = fs.readFileSync(path.resolve(idpCertPath), 'utf-8');
+let idpCert = '';
+try {
+  idpCert = fs.readFileSync(path.resolve(idpCertPath), 'utf-8');
+} catch (error) {
+  if (!process.env.SAML_IDP_CERT) {
+    throw new Error('SAML_IDP_CERT is not available');
+  }
+  idpCert = process.env.SAML_IDP_CERT;
+}
 
 // Configure SAML strategy
 const samlStrategy = new SamlStrategy(

server/src/auth/session.ts

@@ -25,7 +25,7 @@ export const sessionMiddleware = session({
   cookie: {
     httpOnly: true,
     secure: process.env.NODE_ENV === 'production', // HTTPS only in production
-    sameSite: 'lax',
+    sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
     maxAge: sessionTTL,
   },
 });

server/src/router/common.ts

@@ -6,6 +6,44 @@ import { Rider } from '../models/rider';
 import { Location } from '../models/location';
 import { Driver } from '../models/driver';
 
+const MAX_BATCH_GET_ITEMS = 100;
+
+// Internal helper: perform Dynamoose batchGet in chunks of MAX_BATCH_GET_ITEMS
+async function batchGetAllItems<T extends Item>(
+  model: ModelType<T>,
+  keys: ObjectType[]
+): Promise<T[]> {
+  if (!keys.length) return [];
+
+  const chunks: ObjectType[][] = [];
+  for (let i = 0; i < keys.length; i += MAX_BATCH_GET_ITEMS) {
+    chunks.push(keys.slice(i, i + MAX_BATCH_GET_ITEMS));
+  }
+
+  const chunkResults = await Promise.all(
+    chunks.map(
+      (chunk) =>
+        new Promise<T[]>((resolve, reject) => {
+          model.batchGet(chunk, (err: any, data: any) => {
+            if (err) {
+              reject(err);
+            } else if (!data) {
+              resolve([]);
+            } else if (Array.isArray(data)) {
+              resolve(data as T[]);
+            } else if (typeof (data as any)[Symbol.iterator] === 'function') {
+              resolve(Array.from(data as Iterable<T>));
+            } else {
+              resolve([]);
+            }
+          });
+        })
+    )
+  );
+
+  return chunkResults.flat();
+}
+
 // Helper: batch fetch locations, riders, drivers and return maps keyed by id
 async function buildEntityMapsFromSets(
   locationIds: Set<string>,
@@ -14,13 +52,22 @@ async function buildEntityMapsFromSets(
 ) {
   const [locationsArr, ridersArr, driversArr] = await Promise.all([
     locationIds.size
-      ? Location.batchGet(Array.from(locationIds).map((id) => ({ id })))
+      ? batchGetAllItems(
+          Location,
+          Array.from(locationIds).map((id) => ({ id }))
+        )
       : Promise.resolve([]),
     riderIds.size
-      ? Rider.batchGet(Array.from(riderIds).map((id) => ({ id })))
+      ? batchGetAllItems(
+          Rider,
+          Array.from(riderIds).map((id) => ({ id }))
+        )
       : Promise.resolve([]),
     driverIds.size
-      ? Driver.batchGet(Array.from(driverIds).map((id) => ({ id })))
+      ? batchGetAllItems(
+          Driver,
+          Array.from(driverIds).map((id) => ({ id }))
+        )
       : Promise.resolve([]),
   ]);
 
@@ -208,19 +255,43 @@ export function batchGet(
 ) {
   if (!keys.length) {
     res.send({ data: [] });
-  } else {
-    model.batchGet(keys, async (err, data) => {
-      if (err) {
-        res.status(err.statusCode || 500).send({ err: err.message });
-      } else if (!data) {
-        res.status(400).send({ err: `items not found in ${table}` });
-      } else if (callback) {
-        callback((await data.populate()).toJSON());
+    return;
+  }
+
+  (async () => {
+    try {
+      // Fetch all items in chunks to respect DynamoDB's 100-item batchGet limit
+      const items = await batchGetAllItems(model, keys);
+
+      // Populate each item individually (since we no longer rely on a single DocumentArray)
+      const populatedJson: any[] = [];
+      for (const item of items as any[]) {
+        if (item && typeof item.populate === 'function') {
+          const populated = await item.populate();
+          populatedJson.push(
+            typeof populated.toJSON === 'function'
+              ? populated.toJSON()
+              : populated
+          );
+        } else if (item && typeof item.toJSON === 'function') {
+          populatedJson.push(item.toJSON());
+        } else {
+          populatedJson.push(item);
+        }
+      }
+
+      if (callback) {
+        callback(populatedJson);
       } else {
-        res.status(200).send({ data: (await data.populate()).toJSON() });
+        res.status(200).send({ data: populatedJson });
       }
-    });
-  }
+    } catch (err: any) {
+      console.error('Error in batchGet:', err);
+      const status = err?.statusCode || 500;
+      const message = err?.message || `Error fetching items from ${table}`;
+      res.status(status).send({ err: message });
+    }
+  })();
 }
 
 export function getAll(

server/src/router/sso.ts

@@ -109,7 +109,7 @@ router.post(
         return res.redirect(`${frontendUrl}/?error=user_not_found`);
       }
 
-      const { userType } = result as any;
+      const { user, userType } = result as any;
 
       // Store user in session
       req.session.user = {
@@ -119,12 +119,19 @@ router.post(
         lastName: samlUser.lastName,
       };
       req.session.authMethod = 'sso';
-      // CRITICAL: Store the validated userType in session for /profile endpoint
+      // Store the validated userType in session for /profile endpoint
       req.session.userType = userType;
-      console.log('[SSO Callback] Stored userType in session:', userType);
 
-      // Redirect to frontend with success flag
-      res.redirect(`${redirectUri}?auth=sso_success`);
+      const token = sign({ id: user.id, userType }, JWT_SECRET, {
+        expiresIn: '7d',
+      });
+
+      const separator = redirectUri.includes('?') ? '&' : '?';
+      const redirectWithToken = `${redirectUri}${separator}auth=sso_success&token=${encodeURIComponent(
+        token
+      )}`;
+
+      res.redirect(redirectWithToken);
     } catch (err) {
       console.error('SSO callback error:', err);
       const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:3000';