feat: implement requester_user validation and integration across user-related controllers

Author: Rubiozito

iac/iac/iac_stack.py

@@ -1,7 +1,6 @@
 import os
 
 from aws_cdk import (
-    Duration,
     Stack,
     # aws_sqs as sqs,
 )
@@ -56,8 +55,8 @@ def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
 
 
         self.lambda_stack = LambdaStack(self, api_gateway_resource=api_gateway_resource,
-                                        environment_variables=ENVIRONMENT_VARIABLES)
+                                        environment_variables=ENVIRONMENT_VARIABLES,
+                                        user_pool=self.cognito_stack.user_pool)
 
         for function in self.lambda_stack.functions_that_need_dynamo_permissions:
             self.dynamo_table.table.grant_read_write_data(function)
-

iac/iac/lambda_stack.py

@@ -2,16 +2,23 @@
     aws_lambda as lambda_,
     Duration
 )
-from aws_cdk.aws_apigateway import Resource, LambdaIntegration
+from aws_cdk.aws_apigateway import Resource, LambdaIntegration, AuthorizationType, CognitoUserPoolsAuthorizer
 from constructs import Construct
 
 
 class LambdaStack(Construct):
     functions_that_need_dynamo_permissions = []
 
-    def __init__(self, scope: Construct, api_gateway_resource: Resource, environment_variables: dict) -> None:
+    def __init__(self, scope: Construct, api_gateway_resource: Resource, environment_variables: dict, user_pool) -> None:
         super().__init__(scope, "KnowlyApiLambdas")
 
+        # Authorizer Cognito (User Pool)
+        self.authorizer = CognitoUserPoolsAuthorizer(
+            self,
+            "KnowlyCognitoAuthorizer",
+            cognito_user_pools=[user_pool]
+        )
+
         self.lambda_layer = lambda_.LayerVersion(self, "Knowly_Layer",
                                                  code=lambda_.Code.from_asset("./lambda_layer_out_temp"),
                                                  compatible_runtimes=[lambda_.Runtime.PYTHON_3_13]
@@ -24,7 +31,8 @@ def __init__(self, scope: Construct, api_gateway_resource: Resource, environment
             module_name="get_user",
             http_method="GET",
             target_resource=user_resource,
-            environment_variables=environment_variables
+            environment_variables=environment_variables,
+            requires_authorizer=True
         )
 
         self.create_user_function = self._add_method_to_resource(
@@ -38,14 +46,16 @@ def __init__(self, scope: Construct, api_gateway_resource: Resource, environment
             module_name="delete_user",
             http_method="DELETE",
             target_resource=user_resource,
-            environment_variables=environment_variables
+            environment_variables=environment_variables,
+            requires_authorizer=True
         )
 
         self.update_user_function = self._add_method_to_resource(
             module_name="update_user",
             http_method="PATCH",
             target_resource=user_resource,
-            environment_variables=environment_variables
+            environment_variables=environment_variables,
+            requires_authorizer=True
         )
 
         # ---- Auth Resource ----
@@ -65,7 +75,8 @@ def __init__(self, scope: Construct, api_gateway_resource: Resource, environment
             module_name="get_transactions_by_user",
             http_method="GET",
             target_resource=transactions_resource,
-            environment_variables=environment_variables
+            environment_variables=environment_variables,
+            requires_authorizer=True
         )
 
         # ---- Subscriptions Resource ----
@@ -75,14 +86,16 @@ def __init__(self, scope: Construct, api_gateway_resource: Resource, environment
             module_name="get_subscriptions_by_user",
             http_method="GET",
             target_resource=subscriptions_resource,
-            environment_variables=environment_variables
+            environment_variables=environment_variables,
+            requires_authorizer=True
         )
 
         self.update_subscription_function = self._add_method_to_resource(
             module_name="update_subscription",
             http_method="PUT",
             target_resource=subscriptions_resource,
-            environment_variables=environment_variables
+            environment_variables=environment_variables,
+            requires_authorizer=True
         )
 
         self.functions_that_need_dynamo_permissions = [self.get_user_function, self.create_user_function,
@@ -96,7 +109,8 @@ def _add_method_to_resource(
             module_name: str,
             http_method: str,
             target_resource: Resource,
-            environment_variables: dict
+            environment_variables: dict,
+            requires_authorizer: bool = False
       ) -> lambda_.Function:
         fn = lambda_.Function(
             self,
@@ -109,5 +123,14 @@ def _add_method_to_resource(
             timeout=Duration.seconds(15),
         )
 
-        target_resource.add_method(http_method, LambdaIntegration(fn))
+        integration = LambdaIntegration(fn)
+        if requires_authorizer:
+            target_resource.add_method(
+                http_method,
+                integration,
+                authorization_type=AuthorizationType.COGNITO,
+                authorizer=self.authorizer
+            )
+        else:
+            target_resource.add_method(http_method, integration)
         return fn

src/modules/delete_user/app/delete_user_controller.py

@@ -3,6 +3,7 @@
 from src.shared.helpers.errors.usecase_errors import NoItemsFound
 from src.shared.helpers.external_interfaces.external_interface import IRequest, IResponse
 from src.shared.helpers.external_interfaces.http_codes import OK, NotFound, BadRequest, InternalServerError
+from src.shared.infra.dto.user_api_gateway_dto import UserApiGatewayDTO
 from .delete_user_usecase import DeleteUserUseCase
 
 
@@ -13,18 +14,21 @@ def __init__(self, usecase: DeleteUserUseCase):
 
     def __call__(self, request: IRequest) -> IResponse:
         try:
-            if request.data.get('user_id') is None:
-                raise MissingParameters('user_id')
+            # Authorizer obrigatório
+            if request.data.get('requester_user') is None:
+                raise MissingParameters('requester_user')
 
-            if type(request.data.get('user_id')) != str:
+            requester_user = UserApiGatewayDTO.from_api_gateway(request.data.get('requester_user'))
+
+            if type(requester_user.user_id) != str:
                 raise WrongTypeParameter(
-                    field_name="user_id",
-                    field_type_expected="str",
-                    field_type_received=request.data.get('user_id').__class__.__name__
+                    field_name='user_id',
+                    field_type_expected='str',
+                    field_type_received=type(requester_user.user_id)
                 )
 
             user = self.DeleteUserUsecase(
-                user_id=request.data.get('user_id')
+                user_id=requester_user.user_id
             )
 
             viewmodel = {

src/modules/delete_user/app/delete_user_presenter.py

@@ -10,6 +10,8 @@
 
 def lambda_handler(event, context):
     http_request = LambdaHttpRequest(data=event)
+    # Injeta o usuário autenticado vindo do API Gateway/Cognito para o controller
+    http_request.data['requester_user'] = event.get('requestContext', {}).get('authorizer', {}).get('claims', None)
     response = controller(http_request)
     http_response = LambdaHttpResponse(status_code=response.status_code, body=response.body, headers=response.headers)
 

src/modules/get_subscriptions_by_user/app/get_subscriptions_by_user_controller.py

@@ -3,6 +3,7 @@
 from src.shared.helpers.errors.usecase_errors import NoItemsFound
 from src.shared.helpers.external_interfaces.external_interface import IRequest, IResponse
 from src.shared.helpers.external_interfaces.http_codes import OK, NotFound, BadRequest, InternalServerError
+from src.shared.infra.dto.user_api_gateway_dto import UserApiGatewayDTO
 from .get_subscriptions_by_user_usecase import GetUserSubscriptionsUseCase
 
 
@@ -12,14 +13,18 @@ def __init__(self, usecase: GetUserSubscriptionsUseCase):
 
     def __call__(self, request: IRequest) -> IResponse:
         try:
-            user_id = request.data.get("user_id")
-            if user_id is None:
-                raise MissingParameters("user_id")
-            if not isinstance(user_id, str):
+            # Authorizer obrigatório
+            if request.data.get('requester_user') is None:
+                raise MissingParameters('requester_user')
+
+            requester_user = UserApiGatewayDTO.from_api_gateway(request.data.get('requester_user'))
+
+            user_id = requester_user.user_id
+            if type(user_id) != str:
                 raise WrongTypeParameter(
                     field_name="user_id",
                     field_type_expected="str",
-                    field_type_received=type(user_id).__name__,
+                    field_type_received=type(user_id)
                 )
             if not user_id.strip():
                 raise EntityError("user_id")

src/modules/get_subscriptions_by_user/app/get_subscriptions_by_user_presenter.py

@@ -9,7 +9,7 @@
 
 def lambda_handler(event, context):
     http_request = LambdaHttpRequest(data=event)
-
+    http_request.data['requester_user'] = event.get('requestContext', {}).get('authorizer', {}).get('claims', None)
     response = controller(http_request)
     http_response = LambdaHttpResponse(
         status_code=response.status_code,

src/modules/get_transactions_by_user/app/get_transactions_by_user_controller.py

@@ -3,6 +3,7 @@
 from src.shared.helpers.errors.usecase_errors import NoItemsFound
 from src.shared.helpers.external_interfaces.external_interface import IRequest, IResponse
 from src.shared.helpers.external_interfaces.http_codes import OK, NotFound, BadRequest, InternalServerError
+from src.shared.infra.dto.user_api_gateway_dto import UserApiGatewayDTO
 from .get_transactions_by_user_usecase import GetTransactionsByUserUseCase
 
 
@@ -12,17 +13,20 @@ def __init__(self, usecase: GetTransactionsByUserUseCase):
 
     def __call__(self, request: IRequest) -> IResponse:
         try:
-            user_id = request.data.get("user_id")
-            if user_id is None:
-                raise MissingParameters("user_id")
-            if not isinstance(user_id, str):
+            if request.data.get('requester_user') is None:
+                raise MissingParameters('requester_user')
+
+            requester_user = UserApiGatewayDTO.from_api_gateway(request.data.get('requester_user'))
+            user_id = requester_user.user_id
+
+            if type(user_id) != str:
                 raise WrongTypeParameter(
-                    field_name="user_id",
-                    field_type_expected="str",
-                    field_type_received=type(user_id).__name__
+                    field_name='user_id',
+                    field_type_expected='str',
+                    field_type_received=type(user_id)
                 )
             if not user_id.strip():
-                raise EntityError("user_id")
+                raise EntityError('user_id')
 
             transactions = self.get_transactions_by_user_usecase(user_id=user_id)
 

src/modules/get_transactions_by_user/app/get_transactions_by_user_presenter.py

@@ -9,6 +9,7 @@
 
 def lambda_handler(event, context):
     http_request = LambdaHttpRequest(data=event)
+    http_request.data['requester_user'] = event.get('requestContext', {}).get('authorizer', {}).get('claims', None)
     response = controller(request=http_request)
     http_response = LambdaHttpResponse(
         status_code=response.status_code,

src/modules/get_user/app/get_user_controller.py

@@ -3,6 +3,7 @@
 from src.shared.helpers.errors.usecase_errors import NoItemsFound
 from src.shared.helpers.external_interfaces.external_interface import IRequest, IResponse
 from src.shared.helpers.external_interfaces.http_codes import OK, NotFound, BadRequest, InternalServerError
+from src.shared.infra.dto.user_api_gateway_dto import UserApiGatewayDTO
 from .get_user_usecase import GetUserUseCase
 
 
@@ -13,21 +14,23 @@ def __init__(self, usecase: GetUserUseCase):
 
     def __call__(self, request: IRequest) -> IResponse:
         try:
-            if request.data.get('user_id') is None:
-                raise MissingParameters('user_id')
+            if request.data.get('requester_user') is None:
+                raise MissingParameters('requester_user')
 
-            if type(request.data.get('user_id')) != str:
-                raise WrongTypeParameter('user_id', 'str', type(request.data.get('user_id')))
+            requester_user = UserApiGatewayDTO.from_api_gateway(request.data.get('requester_user'))
+
+            if type(requester_user.user_id) != str:
+                raise WrongTypeParameter('user_id', 'str', type(requester_user.user_id))
 
             user = self.GetUserUsecase(
-                user_id=request.data.get('user_id')
+                user_id=requester_user.user_id,
             )
 
             viewmodel = {
                 'user': user.__to_dict__(),
                 'message': 'Usuário encontrado com sucesso'
             }
-            
+
             response = OK(viewmodel)
             return response
 

src/modules/get_user/app/get_user_presenter.py

@@ -11,6 +11,7 @@
 
 def lambda_handler(event, context):
     http_request = LambdaHttpRequest(data=event)
+    http_request.data['requester_user'] = event.get('requestContext', {}).get('authorizer', {}).get('claims', None)
     response = controller(http_request)
     http_response = LambdaHttpResponse(status_code=response.status_code, body=response.body, headers=response.headers)
     return http_response.toDict()