Merge pull request #25 from MealCraft/feature/magic_link_user_login

Feature/magic link user login
2025-12-29 14:00:31 +00:00 · 2025-12-29 14:00:31 +00:00 · 000e531615
commit 000e531615
parent 8c15e6be43 541b51b3f6
15 changed files with 403 additions and 28 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@ -1,6 +1,8 @@
 FROM library/python:3.12-bullseye
 # Personal access token 'mist _runner'
 ENV GITHUB_PAT=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
+ENV TERRAFORM_VERSION=1.6.6
+

 ARG USER=vscode
 ARG DEBIAN_FRONTEND=noninteractive
@ -37,15 +39,12 @@ RUN ./aws/install

 # Install terraform
 RUN apt-get update && sudo apt-get install -y gnupg software-properties-common
-RUN wget -O- https://apt.releases.hashicorp.com/gpg | \
-gpg --dearmor | \
-sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null
-RUN echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
-https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
-tee /etc/apt/sources.list.d/hashicorp.list
-RUN apt update
-RUN apt-get install terraform
-RUN terraform -install-autocomplete
+RUN wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip \
+    && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip \
+    && mv terraform /usr/local/bin/terraform \
+    && rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip
+
+RUN terraform version


 # Set the working directory
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -29,7 +29,8 @@
        "4ops.terraform",
        "fabiospampinato.vscode-todo-plus",
        "jgclark.vscode-todo-highlight",
-        "corentinartaud.pdfpreview"
+        "corentinartaud.pdfpreview",
+        "github.vscode-github-actions"
      ]
    }
  }
--- a/.github/workflows/ses-juntekim.yml
+++ b/.github/workflows/ses-juntekim.yml
@ -0,0 +1,67 @@
+name: SES - juntekim.com [Simple Email Service]
+
+on:
+  pull_request:
+
+  push:
+    branches:
+      - main
+    paths:
+      - "aws_environment/ses-juntekim/**"
+
+  workflow_dispatch:
+
+env:
+  TF_VERSION: "1.6.6"
+  WORKING_DIR: "aws_environment/ses-juntekim"
+
+jobs:
+  terraform:
+    name: Terraform SES
+    runs-on: mealcraft-runners
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Install modern Node.js
+        run: |
+          curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
+          sudo apt-get install -y nodejs
+          node --version
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TF_VERSION }}
+
+      - name: Install AWS CLI
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y awscli
+
+      # Optional but recommended once
+      - name: Verify AWS identity
+        run: aws sts get-caller-identity
+
+      - name: Terraform Init
+        working-directory: ${{ env.WORKING_DIR }}
+        run: terraform init
+
+      - name: Terraform Validate
+        working-directory: ${{ env.WORKING_DIR }}
+        run: terraform validate
+      
+      - name: Terraform Plan
+        if: github.event_name == 'pull_request'
+        working-directory: ${{ env.WORKING_DIR }}
+        run: terraform plan -input=false
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main'
+        working-directory: ${{ env.WORKING_DIR }}
+        run: terraform apply -auto-approve -input=false
--- a/aws_environment/ses-juntekim/README.md
+++ b/aws_environment/ses-juntekim/README.md
@ -0,0 +1 @@
+Files to set up a simple email service in AWS
--- a/aws_environment/ses-juntekim/backend.tf
+++ b/aws_environment/ses-juntekim/backend.tf
@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket         = "juntekim-terraform-state"
+    key            = "ses/terraform.tfstate"
+    region         = "eu-west-2"
+    dynamodb_table = "terraform-locks"
+    encrypt        = true
+  }
+}
--- a/aws_environment/ses-juntekim/iam.tf
+++ b/aws_environment/ses-juntekim/iam.tf
@ -0,0 +1,25 @@
+resource "aws_iam_user" "ses_smtp" {
+  name = "ses-smtp-${replace(var.email_domain, ".", "-")}"
+}
+
+resource "aws_iam_user_policy" "ses_policy" {
+  user = aws_iam_user.ses_smtp.name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ses:SendEmail",
+          "ses:SendRawEmail"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_access_key" "ses_smtp" {
+  user = aws_iam_user.ses_smtp.name
+}
--- a/aws_environment/ses-juntekim/outputs.tf
+++ b/aws_environment/ses-juntekim/outputs.tf
@ -0,0 +1,30 @@
+output "domain_verification_record" {
+  value = {
+    name  = "_amazonses.${var.email_domain}"
+    type  = "TXT"
+    value = aws_ses_domain_identity.this.verification_token
+  }
+}
+
+output "dkim_records" {
+  value = [
+    for token in aws_ses_domain_dkim.this.dkim_tokens : {
+      name  = "${token}._domainkey.${var.email_domain}"
+      type  = "CNAME"
+      value = "${token}.dkim.amazonses.com"
+    }
+  ]
+}
+
+output "mail_from_domain" {
+  value = aws_ses_domain_mail_from.this.mail_from_domain
+}
+
+output "smtp_username" {
+  value = aws_iam_access_key.ses_smtp.id
+}
+
+output "smtp_secret" {
+  value     = aws_iam_access_key.ses_smtp.secret
+  sensitive = true
+}
--- a/aws_environment/ses-juntekim/provider.tf
+++ b/aws_environment/ses-juntekim/provider.tf
@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
--- a/aws_environment/ses-juntekim/ses.tf
+++ b/aws_environment/ses-juntekim/ses.tf
@ -0,0 +1,12 @@
+resource "aws_ses_domain_identity" "this" {
+  domain = var.email_domain
+}
+
+resource "aws_ses_domain_dkim" "this" {
+  domain = aws_ses_domain_identity.this.domain
+}
+
+resource "aws_ses_domain_mail_from" "this" {
+  domain           = aws_ses_domain_identity.this.domain
+  mail_from_domain = "${var.mail_from_subdomain}.${var.email_domain}"
+}
--- a/aws_environment/ses-juntekim/terraform.tfvars
+++ b/aws_environment/ses-juntekim/terraform.tfvars
@ -0,0 +1 @@
+email_domain = "juntekim.com"
--- a/aws_environment/ses-juntekim/variables.tf
+++ b/aws_environment/ses-juntekim/variables.tf
@ -0,0 +1,14 @@
+variable "aws_region" {
+  type    = string
+  default = "eu-west-2"
+}
+
+variable "email_domain" {
+  type        = string
+  description = "Domain used for SES email sending"
+}
+
+variable "mail_from_subdomain" {
+  type        = string
+  default     = "mail"
+}
--- a/db/atlas/stripe_invoice/add_new_migration.sh
+++ b/db/atlas/stripe_invoice/add_new_migration.sh
@ -0,0 +1 @@
+atlas migrate new add_used_at_to_login_tokens
--- a/db/atlas/stripe_invoice/migrations/20251228182659_add_used_at_to_login_tokens.sql
+++ b/db/atlas/stripe_invoice/migrations/20251228182659_add_used_at_to_login_tokens.sql
@ -0,0 +1,6 @@
+ALTER TABLE login_tokens
+ADD COLUMN IF NOT EXISTS used_at TIMESTAMPTZ;
+
+CREATE INDEX IF NOT EXISTS idx_login_tokens_unused
+ON login_tokens (id)
+WHERE used_at IS NULL;
--- a/db/atlas/stripe_invoice/migrations/atlas.sum
+++ b/db/atlas/stripe_invoice/migrations/atlas.sum
@ -1,5 +1,6 @@
-h1:ELwFHTBDb63mdRBhmjXMMSpy05pUSVxH03zuUuHYAto=
+h1:dTHZRXvfJ8E0dSqq2PAuMLfFFRSDvt3OzgJKEGeXz2g=
 0001_init.sql h1:gzb02ZbjrrJkXOC+2qIZsngnj7A+29O2/b4awScPlPs=
 0002_auth.sql h1:4NhBu26dIBMy9gxMxM3tf6Z2CS2kfKlGjFBj07T/aBw=
 0003_stripe_xero.sql h1:E2bcdUDnondsXwbdIwVlZqR4DQwzcoDiyeRFJwVxXwg=
 0004_login_tokens.sql h1:rj1KcWu/0znh2YvtI7JV8Z2nwtL5rZzONbPwX1P+/PI=
+20251228182659_add_used_at_to_login_tokens.sql h1:/0puYQvwBFzpfSKjiZj2XR/7Mui39lS/IbFZW1TPQOc=
--- a/stripe_to_invoice/app/page.tsx
+++ b/stripe_to_invoice/app/page.tsx
@ -1,57 +1,251 @@
 // app/page.tsx
+// This page doubles as:
+// 1. A landing page
+// 2. A product spec
+// 3. A reminder to future-me what the hell I was building
+//
+// If you’re reading this months later: hi 👋
+// The product is the automation, not the UI.

 export default function Home() {
  return (
-    <main className="max-w-3xl mx-auto p-8 space-y-12">
+    <main className="max-w-3xl mx-auto p-8 space-y-16">

-      {/* What this is */}
+      {/* --------------------------------------------------
+          Intro
+      -------------------------------------------------- */}
      <section>
        <h1 className="text-2xl font-semibold">
          Stripe → Xero automation
        </h1>
+
        <p className="mt-2 text-gray-600">
          Automatically create and mark Xero invoices as paid when a Stripe payment succeeds.
-          
+          <br />
          Built for people who value time more than pressing buttons.
        </p>
      </section>

-      {/* Steps */}
+      {/* --------------------------------------------------
+          High-level flow (human readable)
+      -------------------------------------------------- */}
      <section>
-        <h2 className="text-xl font-medium">How it works</h2>
+        <h2 className="text-xl font-medium">How it works (high level)</h2>
+
        <ol className="mt-4 space-y-3 list-decimal list-inside text-gray-700">
-          <li>Log in ( Set up magic link, db has been set up)</li>
-          <li>Connect Stripe</li>
-          <li>Connect Xero</li>
-          <li>Make a payment</li>
-          <li>Invoice appears in Xero as paid</li>
+          <li>Log in via magic link (passwordless)</li>
+          <li>Connect your Stripe account</li>
+          <li>Connect your Xero organisation</li>
+          <li>A Stripe payment succeeds</li>
+          <li>An invoice appears in Xero as paid</li>
        </ol>
      </section>

-      {/* Proof */}
+      {/* --------------------------------------------------
+          Magic link auth – detailed flow
+      -------------------------------------------------- */}
      <section>
-        <h2 className="text-xl font-medium">Proof, not promises</h2>
+        <h2 className="text-xl font-medium">Login flow (magic link)</h2>
+
        <p className="mt-2 text-gray-600">
-          Your next Stripe payment will automatically reconcile in Xero.
-          No manual matching. No “awaiting payment”.
+          Authentication is passwordless. We only store intent and proof of login.
+        </p>
+
+        {/* Text-based flow diagram (easy to read + copy) */}
+        <pre className="mt-4 p-4 bg-gray-50 border rounded text-sm overflow-x-auto">
+{`Browser
+  |
+  | POST /auth/login (email)
+  v
+Backend
+  - find or create user
+  - generate token
+  - hash token
+  - store login_tokens row
+  - send email (SES)
+  |
+  v
+Email (magic link)
+  |
+  | GET /auth/callback?token=XYZ
+  v
+Backend
+  - hash token
+  - validate token (unused + not expired)
+  - mark token as used
+  - create session
+  |
+  v
+Set session cookie
+`}
+        </pre>
+
+        {/* Step-by-step breakdown */}
+        <ol className="mt-6 space-y-4 list-decimal list-inside text-gray-700">
+          <li>
+            User enters their email address.
+          </li>
+
+          <li>
+            Backend creates (or finds) a user record and stores a one-time login token
+            in <code className="px-1 bg-gray-100 rounded">login_tokens</code>.
+          </li>
+
+          <li>
+            An email is sent containing a short-lived magic link.
+          </li>
+
+          <li>
+            When the link is clicked, the token is validated, marked as used,
+            and a session is created.
+          </li>
+
+          <li>
+            A secure session cookie is set. No passwords. No OAuth popups.
+          </li>
+        </ol>
+      </section>
+
+      {/* --------------------------------------------------
+          Stripe → Xero automation flow
+      -------------------------------------------------- */}
+      <section>
+        <h2 className="text-xl font-medium">Stripe → Xero automation flow</h2>
+
+        <pre className="mt-4 p-4 bg-gray-50 border rounded text-sm overflow-x-auto">
+{`Stripe payment succeeds
+  |
+  | Webhook
+  v
+Backend
+  - verify Stripe event
+  - map payment to customer
+  - create Xero invoice
+  - mark invoice as paid
+  |
+  v
+Xero (reconciled automatically)
+`}
+        </pre>
+
+        <p className="mt-4 text-gray-600">
+          Once connected, everything runs automatically.
+          No manual reconciliation. No “awaiting payment” state.
        </p>
      </section>

-      {/* Pricing */}
+      {/* --------------------------------------------------
+          Proof
+      -------------------------------------------------- */}
+      <section>
+        <h2 className="text-xl font-medium">Proof, not promises</h2>
+
+        <p className="mt-2 text-gray-600">
+          Your next Stripe payment will automatically reconcile in Xero.
+          <br />
+          No manual matching. No bookkeeping busywork.
+        </p>
+      </section>
+
+      {/* --------------------------------------------------
+          Pricing
+      -------------------------------------------------- */}
      <section>
        <h2 className="text-xl font-medium">Pricing</h2>
+
        <p className="mt-2 text-gray-700">
          £200 / month — unlimited invoices.
        </p>
      </section>

-      {/* CTA */}
+      {/* --------------------------------------------------
+          Footer / reminder
+      -------------------------------------------------- */}
      <section className="pt-8 border-t">
        <p className="text-gray-500 text-sm">
-          This page is a placeholder. The product is the automation.
+          This page is intentionally simple.
+          <br />
+          The product is the automation, not the UI.
        </p>
      </section>

+
+<section>
+  <h2 className="text-xl font-medium">Implementation notes (for future me)</h2>
+
+  <p className="mt-2 text-gray-600">
+    These are the only docs needed to implement magic-link auth with Next.js + AWS SES.
+  </p>
+
+  <ul className="mt-4 space-y-2 list-disc list-inside text-gray-700">
+    <li>
+      Next.js Route Handlers (auth endpoints):{" "}
+      <a
+        href="https://nextjs.org/docs/app/building-your-application/routing/route-handlers"
+        className="text-blue-600 underline"
+        target="_blank"
+      >
+        nextjs.org/docs/app/.../route-handlers
+      </a>
+    </li>
+
+    <li>
+      Next.js Server Actions (optional):{" "}
+      <a
+        href="https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions"
+        className="text-blue-600 underline"
+        target="_blank"
+      >
+        nextjs.org/docs/app/.../server-actions
+      </a>
+    </li>
+
+    <li>
+      AWS SES – sending email (Node.js):{" "}
+      <a
+        href="https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/sesv2/"
+        className="text-blue-600 underline"
+        target="_blank"
+      >
+        AWS SDK SESv2
+      </a>
+    </li>
+
+    <li>
+      AWS SES sandbox → production access:{" "}
+      <a
+        href="https://docs.aws.amazon.com/ses/latest/dg/request-production-access.html"
+        className="text-blue-600 underline"
+        target="_blank"
+      >
+        Request production access
+      </a>
+    </li>
+
+    <li>
+      Node.js crypto (token generation + hashing):{" "}
+      <a
+        href="https://nodejs.org/api/crypto.html"
+        className="text-blue-600 underline"
+        target="_blank"
+      >
+        nodejs.org/api/crypto
+      </a>
+    </li>
+
+    <li>
+      Cookies & sessions:{" "}
+      <a
+        href="https://nextjs.org/docs/app/api-reference/functions/cookies"
+        className="text-blue-600 underline"
+        target="_blank"
+      >
+        Next.js cookies API
+      </a>
+    </li>
+  </ul>
+</section>
+
    </main>
  )
 }
				`@ -0,0 +1 @@`
				`Files to set up a simple email service in AWS`
				`@ -0,0 +1 @@`
				`atlas migrate new add_used_at_to_login_tokens`