Infrastructure

Stages

There are 3 environments (stages) in the infrastructure: dev (short for development), staging, and prod (short for production). In practice, these environments should be isolated from each other.

Gateway

The gateway provides a unified entry point for all the services provided by the company. It works as a router, dispatching requests to different services based on the route. A gateway typically also provides authentication, authorization, load balancing and similar functions. In our infrastructure, we use the API Gateway HTTP API provided by AWS to route requests to your services. (Read more: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-basic-concept.html)

Authentication

Authentication has already been implemented and integrated into the gateway. When you deploy your service, you should use it to protect your service. The authentication method is a typical JWT token-based authentication.

The authentication service consists of 4 Lambda functions implementing registration, login, logout and token validation respectively. These 4 functions have been integrated into the gateway under the routes /sign_up, /login, /logout and /token_validation.

The image above shows a successful access to a protected resource.

  1. The gateway receives an API request carrying a JWT token in the request header and calls the provided token verification service.

  2. The token verification service verifies the token and extracts the user information from it.

  3. The gateway then calls the protected resource. The extracted user information is carried as the request context and is visible to the resource. (For an ECS service, you may need to parse the JWT token yourself to obtain the user information.)

To sign up, send a POST request to /sign_up with a JSON payload including the username, password and group fields. Similarly, send a POST request to /login with the same payload to log in. On success, the endpoint returns a valid token in the response body.

A valid request body for /sign_up and /login should look like this below.

{ "username": "test", "password": "hello", "group": "test" }

When successful, you will receive a response like this below.

{ "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJncm91cCI6InRlc3QiLCJleHAiOjE2NzcyMTExMjMsIm5iZiI6MTY3NzEyNDcyMywiaWF0IjoxNjc3MTI0NzIzLCJpc3MiOiJnYXRld2F5IiwiZW52IjoiZGV2In0.UVwjnRXTQnJ9Ig_24MGUZR4SWxrRq82fKGy_G64EJkI" }

To access a protected resource, attach the previously generated token in the Authorization header of your request, prefixed with Bearer (Note: make sure you separate the word and the token with exactly one space).

A valid request header for a protected resource should include this below.

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJncm91cCI6InRlc3QiLCJleHAiOjE2NzcyMTExMjMsIm5iZiI6MTY3NzEyNDcyMywiaWF0IjoxNjc3MTI0NzIzLCJpc3MiOiJnYXRld2F5IiwiZW52IjoiZGV2In0.UVwjnRXTQnJ9Ig_24MGUZR4SWxrRq82fKGy_G64EJkI

To logout, send a POST request to /logout with the token in the header as mentioned above. For the logout request, the payload will be ignored. After successful logout, the token will be invalidated and should not be reused.

For debugging/testing purposes, although your token is automatically validated for protected resources, you may also verify a token manually by sending a POST request to /verify_token. The response contains the parsing result for the token you provided; the same result is injected into your resource by the gateway as the request context.
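To make the flow above concrete, here is an added example in Python (not the gateway's own code, which is not on this page) of the token-validation step: it parses the Authorization header exactly as described (Bearer, one space, token), pins HS256, verifies the signature, checks the exp/nbf/iss/env claims that appear in the sample token, honours logout by revocation, and returns the username and group that the gateway injects as request context. The signing key and the in-memory revocation set are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
SECRET = b"example-signing-key"  # constructed for this example; the real gateway key is not on the page
REVOKED = set()  # in-memory stand-in for the token invalidation performed by /logout

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(username, group, env="dev", ttl=86400, now=None):
    # Mint an HS256 JWT with the same claim set (and 24h lifetime) as the page's /login response
    now = int(time.time() if now is None else now)
    claims = {"username": username, "group": group, "exp": now + ttl,
              "nbf": now, "iat": now, "iss": "gateway", "env": env}
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def validate(auth_header, env="dev", now=None):
    # Check an Authorization header; return the user context to inject into the resource, or None to deny
    parts = auth_header.split(" ") if auth_header else []
    if len(parts) != 2 or parts[0] != "Bearer":  # scheme and token separated by exactly one space
        return None
    token = parts[1]
    if token in REVOKED:  # a logged-out token must not be reusable
        return None
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time signature check
            return None
        claims = json.loads(b64url_decode(p))
        now = int(time.time() if now is None else now)
        if claims["iss"] != "gateway" or claims["env"] != env:  # token must come from this stage's gateway
            return None
        if not claims["nbf"] <= now < claims["exp"]:  # not-before / expiry window
            return None
        return {"username": claims["username"], "group": claims["group"]}
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: bad base64, bad JSON, missing or mistyped claims

def logout(auth_header, now=None):
    # Invalidate the presented token, as /logout does; any request payload is ignored
    if validate(auth_header, now=now) is None:
        return False
    REVOKED.add(auth_header.split(" ")[1])
    return True
```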


Services

In order to run your service under our infrastructure, it should be one or more Lambda functions, or a container. Below are some examples of services.