add auth

Author: coltondotio

.github/workflows/deploy-fdr-lambda-dev.yml

@@ -17,6 +17,12 @@ env:
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
   GITHUB_TOKEN: ${{ secrets.FERN_GITHUB_TOKEN }}
   DATABASE_URL: ${{ secrets.DEV2_RDS_PROXY_URL }}
+  VENUS_URL: ${{ secrets.DEV2_VENUS_URL }}
+  PUBLIC_DOCS_CDN_URL: ${{ secrets.DEV2_PUBLIC_DOCS_CDN_URL }}
+  PUBLIC_DOCS_S3_BUCKET_NAME: ${{ secrets.DEV2_PUBLIC_DOCS_S3_BUCKET_NAME }}
+  PUBLIC_DOCS_S3_BUCKET_REGION: ${{ secrets.DEV2_PUBLIC_DOCS_S3_BUCKET_REGION }}
+  PRIVATE_DOCS_S3_BUCKET_NAME: ${{ secrets.DEV2_PRIVATE_DOCS_S3_BUCKET_NAME }}
+  PRIVATE_DOCS_S3_BUCKET_REGION: ${{ secrets.DEV2_PRIVATE_DOCS_S3_BUCKET_REGION }}
 
 jobs:
   deploy_dev:

.github/workflows/deploy-fdr-lambda-prod.yml

@@ -12,6 +12,12 @@ env:
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
   GITHUB_TOKEN: ${{ secrets.FERN_GITHUB_TOKEN }}
   DATABASE_URL: ${{ secrets.PROD_RDS_PROXY_URL }}
+  VENUS_URL: ${{ secrets.VENUS_URL }}
+  PUBLIC_DOCS_CDN_URL: ${{ secrets.PUBLIC_DOCS_CDN_URL }}
+  PUBLIC_DOCS_S3_BUCKET_NAME: ${{ secrets.PUBLIC_DOCS_S3_BUCKET_NAME }}
+  PUBLIC_DOCS_S3_BUCKET_REGION: ${{ secrets.PUBLIC_DOCS_S3_BUCKET_REGION }}
+  PRIVATE_DOCS_S3_BUCKET_NAME: ${{ secrets.PRIVATE_DOCS_S3_BUCKET_NAME }}
+  PRIVATE_DOCS_S3_BUCKET_REGION: ${{ secrets.PRIVATE_DOCS_S3_BUCKET_REGION }}
 
 jobs:
   deploy_prod:

.github/workflows/preview-fdr-lambda.yml

@@ -15,6 +15,12 @@ env:
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
   GITHUB_TOKEN: ${{ secrets.FERN_GITHUB_TOKEN }}
   DATABASE_URL: ${{ secrets.DEV2_RDS_PROXY_URL }}
+  VENUS_URL: ${{ secrets.DEV2_VENUS_URL }}
+  PUBLIC_DOCS_CDN_URL: ${{ secrets.DEV2_PUBLIC_DOCS_CDN_URL }}
+  PUBLIC_DOCS_S3_BUCKET_NAME: ${{ secrets.DEV2_PUBLIC_DOCS_S3_BUCKET_NAME }}
+  PUBLIC_DOCS_S3_BUCKET_REGION: ${{ secrets.DEV2_PUBLIC_DOCS_S3_BUCKET_REGION }}
+  PRIVATE_DOCS_S3_BUCKET_NAME: ${{ secrets.DEV2_PRIVATE_DOCS_S3_BUCKET_NAME }}
+  PRIVATE_DOCS_S3_BUCKET_REGION: ${{ secrets.DEV2_PRIVATE_DOCS_S3_BUCKET_REGION }}
 
 jobs:
   preview_lambda:
@@ -108,17 +114,24 @@ jobs:
             **📝 Available Endpoints:**
             - Base: \`GET ${previewUrl}\`
             - Health: \`GET ${previewUrl}/health\`
-            - Metadata: \`POST ${previewUrl}/metadata-for-url\`
+            - Metadata (public): \`POST ${previewUrl}/metadata-for-url\`
+            - Load Docs (requires auth): \`POST ${previewUrl}/load-docs-for-url\`
 
             **📋 Example Usage:**
             \`\`\`bash
             # Test default endpoint
             curl "${previewUrl}"
 
-            # Test metadata endpoint
+            # Test metadata endpoint (public - no auth required)
             curl -X POST "${previewUrl}/metadata-for-url" \\
               -H "Content-Type: application/json" \\
               -d '{"url":"https://docs.buildwithfern.com"}'
+
+            # Test load docs endpoint (requires Fern token)
+            curl -X POST "${previewUrl}/load-docs-for-url" \\
+              -H "Content-Type: application/json" \\
+              -H "Authorization: Bearer \$FERN_TOKEN" \\
+              -d '{"url":"https://docs.buildwithfern.com"}'
             \`\`\`
 
             **🏷️ Stack Name:** \`fdr-lambda-preview-${prNumber}\`

servers/fdr-lambda-deploy/scripts/fdr-lambda-deploy-stack.ts

@@ -96,6 +96,14 @@ export class FdrLambdaDeployStack extends Stack {
                 NODE_ENV: "production",
                 ENVIRONMENT_TYPE: environmentType,
                 DATABASE_URL: getEnvironmentVariableOrThrow("DATABASE_URL"),
+                VENUS_URL: getEnvironmentVariableOrThrow("VENUS_URL"),
+                PUBLIC_DOCS_CDN_URL: getEnvironmentVariableOrThrow("PUBLIC_DOCS_CDN_URL"),
+                PUBLIC_DOCS_S3_BUCKET_NAME: getEnvironmentVariableOrThrow("PUBLIC_DOCS_S3_BUCKET_NAME"),
+                PUBLIC_DOCS_S3_BUCKET_REGION: getEnvironmentVariableOrDefault("PUBLIC_DOCS_S3_BUCKET_REGION", "us-east-1"),
+                PRIVATE_DOCS_S3_BUCKET_NAME: getEnvironmentVariableOrThrow("PRIVATE_DOCS_S3_BUCKET_NAME"),
+                PRIVATE_DOCS_S3_BUCKET_REGION: getEnvironmentVariableOrDefault("PRIVATE_DOCS_S3_BUCKET_REGION", "us-east-1"),
+                AWS_ACCESS_KEY_ID: getEnvironmentVariableOrThrow("AWS_ACCESS_KEY_ID"),
+                AWS_SECRET_ACCESS_KEY: getEnvironmentVariableOrThrow("AWS_SECRET_ACCESS_KEY"),
                 ...(isPreview && { IS_PREVIEW: "true", PR_NUMBER: prNumber! })
             }
         });
@@ -192,3 +200,7 @@ function getEnvironmentVariableOrThrow(environmentVariable: string): string {
     }
     return value;
 }
+
+function getEnvironmentVariableOrDefault(environmentVariable: string, defaultValue: string): string {
+    return process.env[environmentVariable] ?? defaultValue;
+}

servers/fdr-lambda/package.json

@@ -16,6 +16,7 @@
     "@aws-sdk/client-s3": "^3.744.0",
     "@aws-sdk/s3-request-presigner": "^3.744.0",
     "@fern-api/fdr-sdk": "workspace:*",
+    "@fern-api/venus-api-sdk": "^0.19.5",
     "@types/aws-lambda": "^8.10.143"
   },
   "devDependencies": {

servers/fdr-lambda/src/__test__/handler.test.ts

@@ -4,6 +4,7 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 // Use vi.hoisted to ensure mocks are set up before module imports
 const mockQuery = vi.hoisted(() => vi.fn());
 const mockGetPresignedUrl = vi.hoisted(() => vi.fn());
+const mockIsMember = vi.hoisted(() => vi.fn());
 
 vi.mock("pg", () => {
     return {
@@ -18,6 +19,17 @@ vi.mock("../utils/s3", () => ({
     getPresignedDocsAssetsDownloadUrl: mockGetPresignedUrl
 }));
 
+vi.mock("@fern-api/venus-api-sdk", () => ({
+    FernVenusApiClient: vi.fn(() => ({
+        organization: {
+            isMember: mockIsMember
+        }
+    })),
+    FernVenusApi: {
+        OrganizationId: (id: string) => id
+    }
+}));
+
 // Import handler after mocks are configured
 import { handler } from "../index";
 
@@ -27,16 +39,21 @@ describe("Lambda Handler", () => {
         vi.clearAllMocks();
         mockQuery.mockReset();
         mockGetPresignedUrl.mockReset();
+        mockIsMember.mockReset();
         // Default S3 mock to return a URL
         mockGetPresignedUrl.mockResolvedValue("https://s3.example.com/file.png");
+        // Default Venus mock to allow access (member of fern org)
+        mockIsMember.mockResolvedValue({ ok: true, body: true });
+        // Set VENUS_URL for tests
+        process.env.VENUS_URL = "https://venus.buildwithfern.com";
     });
 
-    const createMockEvent = (path: string, method: string, body?: any): APIGatewayProxyEvent => {
+    const createMockEvent = (path: string, method: string, body?: any, headers?: Record<string, string>): APIGatewayProxyEvent => {
         return {
             path,
             httpMethod: method,
             body: body ? JSON.stringify(body) : null,
-            headers: {},
+            headers: headers || {},
             multiValueHeaders: {},
             isBase64Encoded: false,
             pathParameters: null,
@@ -305,7 +322,7 @@ describe("Lambda Handler", () => {
     });
 
     describe("POST /load-docs-for-url", () => {
-        it("should return docs for a valid URL", async () => {
+        it("should return docs for a valid URL with auth", async () => {
             const mockDocsDefinition = Buffer.from(
                 JSON.stringify({
                     type: "v3",
@@ -345,6 +362,8 @@ describe("Lambda Handler", () => {
 
             const event = createMockEvent("/load-docs-for-url", "POST", {
                 url: "https://docs.example.com"
+            }, {
+                Authorization: "Bearer test-token"
             });
             const context = createMockContext();
 
@@ -390,6 +409,8 @@ describe("Lambda Handler", () => {
 
             const event = createMockEvent("/v2/registry/docs/load-docs-for-url", "POST", {
                 url: "docs.test.com"
+            }, {
+                Authorization: "Bearer test-token"
             });
             const context = createMockContext();
 
@@ -429,6 +450,89 @@ describe("Lambda Handler", () => {
             expect(body.error).toBe("InvalidUrlError");
         });
 
+        it("should return 401 when authorization header is missing", async () => {
+            const mockDocsDefinition = Buffer.from(
+                JSON.stringify({
+                    type: "v3",
+                    pages: {},
+                    config: {
+                        navigation: { items: [] },
+                        colorsV3: { type: "light" }
+                    },
+                    files: {},
+                    referencedApis: []
+                })
+            );
+
+            mockQuery.mockResolvedValueOnce({
+                rows: [
+                    {
+                        orgID: "test-org",
+                        domain: "docs.example.com",
+                        path: "",
+                        docsDefinition: mockDocsDefinition,
+                        docsConfigInstanceId: "config-123",
+                        authType: "PUBLIC",
+                        hasPublicS3Assets: true
+                    }
+                ]
+            });
+
+            const event = createMockEvent("/load-docs-for-url", "POST", {
+                url: "https://docs.example.com"
+            }); // No auth header
+            const context = createMockContext();
+
+            const result = await handler(event, context);
+
+            expect(result.statusCode).toBe(401);
+            expect(JSON.parse(result.body).error).toBe("UnauthorizedError");
+        });
+
+        it("should return 403 when user is not in the org", async () => {
+            const mockDocsDefinition = Buffer.from(
+                JSON.stringify({
+                    type: "v3",
+                    pages: {},
+                    config: {
+                        navigation: { items: [] },
+                        colorsV3: { type: "light" }
+                    },
+                    files: {},
+                    referencedApis: []
+                })
+            );
+
+            mockQuery.mockResolvedValueOnce({
+                rows: [
+                    {
+                        orgID: "test-org",
+                        domain: "docs.example.com",
+                        path: "",
+                        docsDefinition: mockDocsDefinition,
+                        docsConfigInstanceId: "config-123",
+                        authType: "PUBLIC",
+                        hasPublicS3Assets: true
+                    }
+                ]
+            });
+
+            // Mock Venus to deny access (not in fern org, not in specific org)
+            mockIsMember.mockResolvedValue({ ok: true, body: false });
+
+            const event = createMockEvent("/load-docs-for-url", "POST", {
+                url: "https://docs.example.com"
+            }, {
+                Authorization: "Bearer test-token"
+            });
+            const context = createMockContext();
+
+            const result = await handler(event, context);
+
+            expect(result.statusCode).toBe(403);
+            expect(JSON.parse(result.body).error).toBe("UserNotInOrgError");
+        });
+
         it("should return 404 when domain is not registered", async () => {
             // Mock empty DocsV2 result and empty V1 Docs result (fallback)
             mockQuery
@@ -437,6 +541,8 @@ describe("Lambda Handler", () => {
 
             const event = createMockEvent("/load-docs-for-url", "POST", {
                 url: "https://unknown.example.com"
+            }, {
+                Authorization: "Bearer test-token"
             });
             const context = createMockContext();
 
@@ -516,6 +622,8 @@ describe("Lambda Handler", () => {
 
             const event = createMockEvent("/load-docs-for-url", "POST", {
                 url: "https://docs.example.com"
+            }, {
+                Authorization: "Bearer test-token"
             });
             const context = createMockContext();
 

servers/fdr-lambda/src/errors.ts

@@ -0,0 +1,35 @@
+export class DomainNotRegisteredError extends Error {
+    constructor() {
+        super("Domain not registered");
+        this.name = "DomainNotRegisteredError";
+    }
+}
+
+export class InvalidUrlError extends Error {
+    constructor(url: string, originalError: Error) {
+        super(`Invalid URL: ${url}`);
+        this.name = "InvalidUrlError";
+        this.cause = originalError;
+    }
+}
+
+export class UnauthorizedError extends Error {
+    constructor(message: string) {
+        super(message);
+        this.name = "UnauthorizedError";
+    }
+}
+
+export class UserNotInOrgError extends Error {
+    constructor(message: string) {
+        super(message);
+        this.name = "UserNotInOrgError";
+    }
+}
+
+export class UnavailableError extends Error {
+    constructor(message: string) {
+        super(message);
+        this.name = "UnavailableError";
+    }
+}

servers/fdr-lambda/src/index.ts

@@ -1,7 +1,8 @@
 import type { APIGatewayProxyEvent, APIGatewayProxyResult, Context } from "aws-lambda";
 import { Pool } from "pg";
+import { DomainNotRegisteredError, InvalidUrlError, UnauthorizedError, UserNotInOrgError } from "./errors";
 import { getDocsForUrl } from "./services/getDocsForUrl";
-import { DomainNotRegisteredError, getMetadataForUrl, InvalidUrlError } from "./services/getMetadataForUrl";
+import { getMetadataForUrl } from "./services/getMetadataForUrl";
 import { initializeS3 } from "./utils/s3";
 
 // Create connection pool outside handler for connection reuse
@@ -103,7 +104,14 @@ export const handler = async (event: APIGatewayProxyEvent, context: Context): Pr
                 throw new InvalidUrlError(body.url, error as Error);
             }
 
-            const docsResponse = await getDocsForUrl(parsedUrl, pool);
+            // Extract Authorization header (case-insensitive)
+            const authHeader =
+                event.headers?.Authorization ||
+                event.headers?.authorization ||
+                event.headers?.["x-fern-token"] ||
+                event.headers?.["X-Fern-Token"];
+
+            const docsResponse = await getDocsForUrl(parsedUrl, pool, authHeader);
 
             return {
                 statusCode: 200,
@@ -173,6 +181,38 @@ export const handler = async (event: APIGatewayProxyEvent, context: Context): Pr
             };
         }
 
+        // Handle UnauthorizedError
+        if (error instanceof UnauthorizedError) {
+            return {
+                statusCode: 401,
+                headers: {
+                    "Content-Type": "application/json",
+                    "Access-Control-Allow-Origin": "*"
+                },
+                body: JSON.stringify({
+                    error: "UnauthorizedError",
+                    message: error.message,
+                    requestId: context.awsRequestId
+                })
+            };
+        }
+
+        // Handle UserNotInOrgError
+        if (error instanceof UserNotInOrgError) {
+            return {
+                statusCode: 403,
+                headers: {
+                    "Content-Type": "application/json",
+                    "Access-Control-Allow-Origin": "*"
+                },
+                body: JSON.stringify({
+                    error: "UserNotInOrgError",
+                    message: error.message,
+                    requestId: context.awsRequestId
+                })
+            };
+        }
+
         return {
             statusCode: 500,
             headers: {