Store and retrieve paid membership from the user info table (#292)

Author: devksingh4

onetime/uinHash-migration.py renamed to onetime/paidMember.py

@@ -2,16 +2,18 @@
 import boto3
 import logging
 from botocore.exceptions import ClientError
+from datetime import datetime, timezone
+
 
 # --- Configuration ---
-SOURCE_TABLE_NAME = "infra-core-api-uin-mapping"
+SOURCE_TABLE_NAME = "infra-core-api-membership-provisioning"
 DESTINATION_TABLE_NAME = "infra-core-api-user-info"
-DESTINATION_ID_SUFFIX = "@illinois.edu"
 
 # --- Logging Setup ---
 logging.basicConfig(
     level=logging.INFO, format="%(asctime)s - %(levelname)s - %(message)s"
 )
+utc_iso_timestamp = datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
 
 
 def migrate_uin_hashes():
@@ -36,25 +38,27 @@ def migrate_uin_hashes():
         for page in page_iterator:
             for item in page.get("Items", []):
                 scanned_count += 1
-                net_id = item.get("netId")
-                uin_hash = item.get("uinHash")
+                email = item.get("email")
 
-                # Validate that the necessary fields exist
-                if not net_id or not uin_hash:
-                    logging.warning(
-                        f"Skipping item with missing 'netId' or 'uinHash': {item}"
-                    )
+                if not email:
+                    logging.warning(f"Skipping item with missing 'email': {item}")
                     continue
 
                 # Construct the primary key and update parameters for the destination table
-                destination_pk_id = f"{net_id}{DESTINATION_ID_SUFFIX}"
-                update_expression = "SET uinHash = :uh, netId = :ne"
-                expression_attribute_values = {":uh": uin_hash, ":ne": net_id}
+                netId = email.replace("@illinois.edu", "")
+                update_expression = (
+                    "SET isPaidMember = :uh, netId = :ne, updatedAt = :up"
+                )
+                expression_attribute_values = {
+                    ":uh": True,
+                    ":ne": netId,
+                    ":up": utc_iso_timestamp,
+                }
 
                 # Update the item in the destination DynamoDB table
                 try:
                     destination_table.update_item(
-                        Key={"id": destination_pk_id},
+                        Key={"id": email},
                         UpdateExpression=update_expression,
                         ExpressionAttributeValues=expression_attribute_values,
                     )
@@ -64,9 +68,7 @@ def migrate_uin_hashes():
                             f"Scanned {scanned_count} items, updated {updated_count} so far..."
                         )
                 except ClientError as e:
-                    logging.error(
-                        f"Failed to update item with id '{destination_pk_id}': {e}"
-                    )
+                    logging.error(f"Failed to update item with id '{email}': {e}")
 
         logging.info("--- Script Finished ---")
         logging.info(f"Total items scanned from source: {scanned_count}")

src/api/functions/membership.ts

@@ -4,6 +4,7 @@ import {
   DynamoDBClient,
   PutItemCommand,
   QueryCommand,
+  UpdateItemCommand,
 } from "@aws-sdk/client-dynamodb";
 import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
 import { genericConfig } from "common/config.js";
@@ -218,10 +219,10 @@ export async function checkPaidMembershipFromTable(
 ): Promise<boolean> {
   const { Items } = await dynamoClient.send(
     new QueryCommand({
-      TableName: genericConfig.MembershipTableName,
+      TableName: genericConfig.UserInfoTable,
       KeyConditionExpression: "#pk = :pk",
       ExpressionAttributeNames: {
-        "#pk": "email",
+        "#pk": "id",
       },
       ExpressionAttributeValues: marshall({
         ":pk": `${netId}@illinois.edu`,
@@ -231,6 +232,10 @@ export async function checkPaidMembershipFromTable(
   if (!Items || Items.length === 0) {
     return false;
   }
+  const item = unmarshall(Items[0]);
+  if (!item.isPaidMember) {
+    return false;
+  }
   return true;
 }
 
@@ -256,20 +261,29 @@ export async function checkPaidMembershipFromEntra(
 export async function setPaidMembershipInTable(
   netId: string,
   dynamoClient: DynamoDBClient,
-  actor: string = "core-api-queried",
 ): Promise<{ updated: boolean }> {
-  const obj = {
-    email: `${netId}@illinois.edu`,
-    inserted_at: new Date().toISOString(),
-    inserted_by: actor,
-  };
-
+  const email = `${netId}@illinois.edu`;
   try {
     await dynamoClient.send(
-      new PutItemCommand({
-        TableName: genericConfig.MembershipTableName,
-        Item: marshall(obj),
-        ConditionExpression: "attribute_not_exists(email)",
+      new UpdateItemCommand({
+        TableName: genericConfig.UserInfoTable,
+        Key: {
+          id: {
+            S: email,
+          },
+        },
+        UpdateExpression: `SET #netId = :netId, #updatedAt = :updatedAt, #isPaidMember = :isPaidMember`,
+        ConditionExpression: `#isPaidMember <> :isPaidMember`,
+        ExpressionAttributeNames: {
+          "#netId": "netId",
+          "#updatedAt": "updatedAt",
+          "#isPaidMember": "isPaidMember",
+        },
+        ExpressionAttributeValues: {
+          ":netId": { S: netId },
+          ":isPaidMember": { BOOL: true },
+          ":updatedAt": { S: new Date().toISOString() },
+        },
       }),
     );
     return { updated: true };
@@ -302,11 +316,7 @@ export async function setPaidMembership({
   firstName,
   lastName,
 }: SetPaidMembershipInput): Promise<SetPaidMembershipOutput> {
-  const dynamoResult = await setPaidMembershipInTable(
-    netId,
-    dynamoClient,
-    "core-api-provisioned",
-  );
+  const dynamoResult = await setPaidMembershipInTable(netId, dynamoClient);
   if (!dynamoResult.updated) {
     const inEntra = await checkPaidMembershipFromEntra(
       netId,

src/api/routes/iam.ts

@@ -17,8 +17,13 @@ import {
   EntraInvitationError,
   InternalServerError,
   NotFoundError,
+  ValidationError,
 } from "../../common/errors/index.js";
-import { DynamoDBClient, PutItemCommand } from "@aws-sdk/client-dynamodb";
+import {
+  DynamoDBClient,
+  PutItemCommand,
+  UpdateItemCommand,
+} from "@aws-sdk/client-dynamodb";
 import {
   GENERIC_CACHE_SECONDS,
   genericConfig,
@@ -96,19 +101,59 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
           message: "Could not find token payload and/or username.",
         });
       }
+      const netId = request.username.replace("@illinois.edu", "");
+      if (netId.includes("@")) {
+        request.log.error(
+          `Found username ${request.username} which cannot be turned into NetID via simple replacement.`,
+        );
+        throw new ValidationError({
+          message: "Username could not be parsed.",
+        });
+      }
       const userOid = request.tokenPayload.oid;
       const entraIdToken = await getEntraIdToken({
         clients: await getAuthorizedClients(),
         clientId: fastify.environmentConfig.AadValidClientId,
         secretName: genericConfig.EntraSecretName,
         logger: request.log,
       });
-      await patchUserProfile(
+      const { discordUsername } = request.body;
+      const ddbUpdateCommand = fastify.dynamoClient.send(
+        new UpdateItemCommand({
+          TableName: genericConfig.UserInfoTable,
+          Key: {
+            id: {
+              S: request.username,
+            },
+          },
+          UpdateExpression: `SET #netId = :netId, #updatedAt = :updatedAt, #firstName = :firstName, #lastName = :lastName ${discordUsername ? ", #discordUsername = :discordUsername" : ""}`,
+          ExpressionAttributeNames: {
+            "#netId": "netId",
+            "#updatedAt": "updatedAt",
+            "#firstName": "firstName",
+            "#lastName": "lastName",
+            ...(discordUsername
+              ? { "#discordUsername": "discordUsername" }
+              : {}),
+          },
+          ExpressionAttributeValues: {
+            ":netId": { S: netId },
+            ":firstName": { S: request.body.givenName },
+            ":lastName": { S: request.body.surname },
+            ":updatedAt": { S: new Date().toISOString() },
+            ...(discordUsername
+              ? { ":discordUsername": { S: discordUsername } }
+              : {}),
+          },
+        }),
+      );
+      const entraUpdateCommand = patchUserProfile(
         entraIdToken,
         request.username,
         userOid,
         request.body,
       );
+      await Promise.all([ddbUpdateCommand, entraUpdateCommand]);
       reply.status(201).send();
     },
   );
@@ -170,7 +215,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         });
         const groupMembers = listGroupMembers(entraIdToken, groupId);
         const command = new PutItemCommand({
-          TableName: `${genericConfig.IAMTablePrefix}-grouproles`,
+          TableName: `${genericConfig.IAMTablePrefix} - grouproles`,
           Item: marshall({
             groupUuid: groupId,
             roles: request.body.roles,
@@ -190,7 +235,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         await fastify.dynamoClient.send(command);
         await logPromise;
         fastify.nodeCache.set(
-          `grouproles-${groupId}`,
+          `grouproles - ${groupId}`,
           request.body.roles,
           GENERIC_CACHE_SECONDS,
         );
@@ -202,7 +247,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
         });
         reply.send({ message: "OK" });
       } catch (e: unknown) {
-        fastify.nodeCache.del(`grouproles-${groupId}`);
+        fastify.nodeCache.del(`grouproles - ${groupId}`);
         if (e instanceof BaseError) {
           throw e;
         }
@@ -462,7 +507,7 @@ const iamRoutes: FastifyPluginAsync = async (fastify, _options) => {
               content: `
 Hello,
 
-We're letting you know that you have been added to the "${groupMetadata.displayName}" access group by ${request.username}. Changes may take up to 2 hours to reflect in all systems.
+          We're letting you know that you have been added to the "${groupMetadata.displayName}" access group by ${request.username}. Changes may take up to 2 hours to reflect in all systems.
 
 No action is required from you at this time.
           `,
@@ -484,7 +529,7 @@ No action is required from you at this time.
               content: `
 Hello,
 
-We're letting you know that you have been removed from the "${groupMetadata.displayName}" access group by ${request.username}.
+          We're letting you know that you have been removed from the "${groupMetadata.displayName}" access group by ${request.username}.
 
 No action is required from you at this time.
           `,

src/api/routes/v2/membership.ts

@@ -297,30 +297,34 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
             const batch = netIdsToCheck.slice(i, i + BATCH_SIZE);
             const command = new BatchGetItemCommand({
               RequestItems: {
-                [genericConfig.MembershipTableName]: {
+                [genericConfig.UserInfoTable]: {
                   Keys: batch.map((netId) =>
-                    marshall({ email: `${netId}@illinois.edu` }),
+                    marshall({ id: `${netId}@illinois.edu` }),
                   ),
+                  AttributesToGet: ["id", "isPaidMember"],
                 },
               },
             });
+
             const { Responses } = await fastify.dynamoClient.send(command);
-            const items = Responses?.[genericConfig.MembershipTableName] ?? [];
+            const items = Responses?.[genericConfig.UserInfoTable] ?? [];
             for (const item of items) {
-              const { email } = unmarshall(item);
-              const netId = email.split("@")[0];
-              members.add(netId);
+              const { id, isPaidMember } = unmarshall(item);
+              console.log(id, isPaidMember);
+              const netId = id.split("@")[0];
               foundInDynamo.add(netId);
-              cachePipeline.set(
-                `membership:${netId}:${list}`,
-                JSON.stringify({ isMember: true }),
-                "EX",
-                MEMBER_CACHE_SECONDS,
-              );
+              if (isPaidMember === true) {
+                members.add(netId);
+                cachePipeline.set(
+                  `membership:${netId}:${list}`,
+                  JSON.stringify({ isMember: true }),
+                  "EX",
+                  MEMBER_CACHE_SECONDS,
+                );
+              }
             }
           }
 
-          // 3. Fallback to Entra ID for remaining paid members
           const netIdsForEntra = netIdsToCheck.filter(
             (id) => !foundInDynamo.has(id),
           );
@@ -340,7 +344,6 @@ const membershipV2Plugin: FastifyPluginAsync = async (fastify, _options) => {
               );
               if (isMember) {
                 members.add(netId);
-                // Fire-and-forget writeback to DynamoDB to warm it up
                 setPaidMembershipInTable(netId, fastify.dynamoClient).catch(
                   (err) =>
                     request.log.error(

src/common/config.ts

@@ -41,7 +41,6 @@ export type GenericConfigType = {
   MerchStorePurchasesTableName: string;
   TicketPurchasesTableName: string;
   TicketMetadataTableName: string;
-  MembershipTableName: string;
   ExternalMembershipTableName: string;
   MerchStoreMetadataTableName: string;
   IAMTablePrefix: string;
@@ -86,7 +85,6 @@ const genericConfig: GenericConfigType = {
   TicketMetadataTableName: "infra-events-ticketing-metadata",
   IAMTablePrefix: "infra-core-api-iam",
   ProtectedEntraIDGroups: [infraChairsGroupId, officersGroupId],
-  MembershipTableName: "infra-core-api-membership-provisioning",
   ExternalMembershipTableName: "infra-core-api-membership-external-v3",
   RoomRequestsTableName: "infra-core-api-room-requests",
   RoomRequestsStatusTableName: "infra-core-api-room-requests-status",

src/common/types/iam.ts

@@ -79,7 +79,8 @@ export const entraProfilePatchRequest = z.object({
   displayName: z.string().min(1),
   givenName: z.string().min(1),
   surname: z.string().min(1),
-  mail: z.email()
+  mail: z.email(),
+  discordUsername: z.optional(z.string().min(1))
 });
 
 export type ProfilePatchRequest = z.infer<typeof entraProfilePatchRequest>;

terraform/modules/dynamo/main.tf

@@ -1,3 +1,15 @@
+resource "null_resource" "onetime_paid_migration" {
+  depends_on = [aws_dynamodb_table.user_info]
+  provisioner "local-exec" {
+    command     = <<-EOT
+      set -e
+      python paidMember.py
+    EOT
+    interpreter = ["bash", "-c"]
+    working_dir = "${path.module}/../../../onetime/"
+  }
+}
+
 resource "aws_dynamodb_table" "app_audit_log" {
   billing_mode                = "PAY_PER_REQUEST"
   name                        = "${var.ProjectId}-audit-log"
@@ -26,7 +38,7 @@ resource "aws_dynamodb_table" "app_audit_log" {
 resource "aws_dynamodb_table" "membership_provisioning_log" {
   billing_mode                = "PAY_PER_REQUEST"
   name                        = "${var.ProjectId}-membership-provisioning"
-  deletion_protection_enabled = true
+  deletion_protection_enabled = false
   hash_key                    = "email"
   point_in_time_recovery {
     enabled = true