# SPRINT 10.1 — AUTH BACKEND (Lambda + DynamoDB)

## METADATA
- Execution: Hour 1
- Prerequisites: AWS credentials, Python 3.11+
- Deliverables: auth_lambda.py, deploy script, tests, docs
- Estimated time: 45-55 min
- Output folder: /mnt/outputs/SKYMAILBOX_SPRINTS/SPRINT_10.1_AUTH_BACKEND/

## AWS ENVIRONMENT
```
AWS_ACCESS_KEY_ID=AKIA[REDACTED_SEE_AWS_CONSOLE]
AWS_SECRET_ACCESS_KEY=[REDACTED_SEE_SECRETS_MANAGER]
AWS_DEFAULT_REGION=us-east-1
PATH must include: .local/bin for aws CLI
```

## OBJECTIVES
Build the complete Auth backend for SkyMailbox:
1. DynamoDB table `skymailbox-users` for user management
2. Lambda function with endpoints: register, login, verify-token, refresh-token
3. JWT-based authentication with Argon2 password hashing
4. Function URL with CORS for the frontend

## STEP-BY-STEP INSTRUCTIONS

### Step 1: Create the DynamoDB table
Run via the AWS CLI:
```bash
aws dynamodb create-table \
  --table-name skymailbox-users \
  --attribute-definitions \
    AttributeName=pk,AttributeType=S \
    AttributeName=sk,AttributeType=S \
    AttributeName=email,AttributeType=S \
  --key-schema \
    AttributeName=pk,KeyType=HASH \
    AttributeName=sk,KeyType=RANGE \
  --billing-mode PAY_PER_REQUEST \
  --global-secondary-indexes '[
    {
      "IndexName": "email-index",
      "KeySchema": [{"AttributeName":"email","KeyType":"HASH"}],
      "Projection": {"ProjectionType":"ALL"}
    }
  ]'
```
**TASK:** Verify that the table is ACTIVE via `aws dynamodb describe-table --table-name skymailbox-users`

### Step 2: Create auth_lambda.py
**File:** `auth_lambda.py`

Complete Lambda handler with these endpoints:

**POST /register**
- Input: `{ "email": "...", "password": "...", "username": "..." }`
- Validation: email format, password min 8 characters, username min 3 characters
- Password hash: hashlib.sha256 + salt (Argon2 requires a native library; fall back to PBKDF2)
- Store in DynamoDB: pk=`USER#<uuid>`, sk=`PROFILE`, email, username, password_hash, salt, created_at, tier="free"
- Auto-create wallet record: pk=`USER#<uuid>`, sk=`WALLET`, balance=100 (welcome bonus SKC)
- Return: `{ "user_id": "...", "token": "<jwt>", "username": "..." }`

**POST /login**
- Input: `{ "email": "...", "password": "..." }`
- Lookup user via email-index GSI
- Verify password hash
- Generate JWT (HS256, 24h expiry) with payload: user_id, email, username, tier
- Return: `{ "token": "...", "user_id": "...", "username": "...", "tier": "..." }`

**GET /me** (Authorization: Bearer <token>)
- Decode + verify JWT
- Fetch user profile from DynamoDB
- Return: `{ "user_id": "...", "email": "...", "username": "...", "tier": "...", "wallet_balance": ... }`

**POST /refresh** (Authorization: Bearer <token>)
- Verify existing token (even if near-expiry)
- Issue a new token with a fresh 24h expiry
- Return: `{ "token": "..." }`

JWT secret: store as the Lambda environment variable `JWT_SECRET` (generate a random 64-char hex string)

Lambda runtime: Python 3.11
Handler: `auth_lambda.lambda_handler`

CORS headers on ALL responses:
```python
cors_headers = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "Content-Type,Authorization",
    "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
    "Content-Type": "application/json"
}
```
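The following is an added example, not the sprint's `auth_lambda.py`, showing the pieces Step 2 asks for with the standard library only: salted PBKDF2-HMAC-SHA256 password hashing (the fallback the page names when Argon2 is unavailable), HS256 JWT issue/verify with a pinned algorithm and an expiry check, and the Function URL routing for /register, /login, /me and /refresh with the CORS headers on every reply. Assumed rather than taken from the page: the PBKDF2 iteration count, the in-memory `USERS`/`WALLETS` dicts standing in for the DynamoDB PROFILE and WALLET items (the deployed function would use boto3 against `DYNAMODB_TABLE`), the Function URL payload 2.0 event shape, and the `make_event`/`body_of` helpers, which exist only for local testing.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, os, re, time, uuid

PBKDF2_ITERATIONS = 600_000      # assumption: current OWASP figure for PBKDF2-HMAC-SHA256
TOKEN_TTL = 24 * 3600            # 24h expiry from the spec
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CORS_HEADERS = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Content-Type,Authorization",
                "Access-Control-Allow-Methods": "GET,POST,OPTIONS", "Content-Type": "application/json"}
USERS: dict = {}     # constructed stand-in for the table: email -> PROFILE item (what the email-index GSI serves)
WALLETS: dict = {}   # constructed stand-in: user_id -> WALLET item

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hash_password(password: str, salt: bytes | None = None) -> tuple[str, str]:
    """Salted PBKDF2-HMAC-SHA256, the page's fallback when Argon2 is unavailable; returns (hash_hex, salt_hex)."""
    salt = salt or os.urandom(16)                              # fresh random salt per user
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex(), salt.hex()

def verify_password(password: str, stored_hash: str, stored_salt: str) -> bool:
    return hmac.compare_digest(hash_password(password, bytes.fromhex(stored_salt))[0], stored_hash)  # constant-time

def issue_token(secret: str, claims: dict, now: int | None = None) -> str:
    """HS256 JWT carrying the claims plus iat/exp."""
    now = int(time.time()) if now is None else now
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc({**claims, "iat": now, "exp": now + TOKEN_TTL})
    return signing_input + "." + _b64url(hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest())

def verify_token(secret: str, token: str, now: int | None = None) -> dict | None:
    """Claims if alg is HS256, the signature matches and exp is still in the future; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(_unb64url(h64)).get("alg") != "HS256":  # pin the algorithm server-side
            return None
        expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s64)):
            return None
        claims = json.loads(_unb64url(p64))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError, TypeError):            # any malformed token is rejected
        return None

def _reply(status: int, body: dict) -> dict:
    return {"statusCode": status, "headers": CORS_HEADERS, "body": json.dumps(body)}

def body_of(resp: dict) -> dict:
    return json.loads(resp["body"])

def make_event(method: str, path: str, body: dict | None = None, token: str | None = None) -> dict:
    headers = {"authorization": f"Bearer {token}"} if token else {}   # constructed event; Function URL lower-cases names
    return {"requestContext": {"http": {"method": method}}, "rawPath": path,
            "headers": headers, "body": json.dumps(body) if body is not None else None}

def lambda_handler(event: dict, context=None, secret: str | None = None) -> dict:
    secret = secret or os.environ.get("JWT_SECRET")
    if not secret:                                             # fail closed rather than sign with an empty key
        return _reply(500, {"error": "JWT_SECRET not configured"})
    method, path = event["requestContext"]["http"]["method"], event.get("rawPath", "/")
    try:
        body = json.loads(event.get("body") or "{}")
        if not isinstance(body, dict):
            raise ValueError
    except ValueError:
        return _reply(400, {"error": "body must be a JSON object"})
    if method == "POST" and path == "/register":
        email, pw, name = (str(body.get(k, "")) for k in ("email", "password", "username"))
        if not EMAIL_RE.match(email) or len(pw) < 8 or len(name) < 3:
            return _reply(400, {"error": "invalid input"})
        if email in USERS:                                     # GSI lookup on the real table
            return _reply(409, {"error": "email already registered"})
        user_id, (h, s) = str(uuid.uuid4()), hash_password(pw)
        USERS[email] = {"pk": f"USER#{user_id}", "sk": "PROFILE", "email": email, "username": name,
                        "password_hash": h, "salt": s, "created_at": int(time.time()), "tier": "free"}
        WALLETS[user_id] = {"pk": f"USER#{user_id}", "sk": "WALLET", "balance": 100}   # welcome bonus
        claims = {"user_id": user_id, "email": email, "username": name, "tier": "free"}
        return _reply(200, {"user_id": user_id, "token": issue_token(secret, claims), "username": name})
    if method == "POST" and path == "/login":
        user = USERS.get(str(body.get("email", "")))
        # one 401 for unknown email and wrong password, so the reply does not reveal which accounts exist
        if not user or not verify_password(str(body.get("password", "")), user["password_hash"], user["salt"]):
            return _reply(401, {"error": "invalid credentials"})
        claims = {"user_id": user["pk"][len("USER#"):], "email": user["email"],
                  "username": user["username"], "tier": user["tier"]}
        return _reply(200, {**claims, "token": issue_token(secret, claims)})
    auth = event.get("headers", {}).get("authorization", "")   # /me and /refresh require a valid bearer token
    claims = verify_token(secret, auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if claims is None:
        return _reply(401, {"error": "missing or invalid token"})
    if method == "GET" and path == "/me":
        user = USERS[claims["email"]]
        return _reply(200, {"user_id": claims["user_id"], "email": user["email"], "username": user["username"],
                            "tier": user["tier"], "wallet_balance": WALLETS[claims["user_id"]]["balance"]})
    if method == "POST" and path == "/refresh":
        return _reply(200, {"token": issue_token(secret, {k: claims[k] for k in ("user_id", "email", "username", "tier")})})
    return _reply(404, {"error": "not found"})
```

A single salted SHA-256 pass is fast enough to be guessed offline once the table leaks, which is why the example uses PBKDF2 with a high iteration count as the fallback. Unknown email and wrong password both return the same 401 so the login endpoint does not confirm which addresses are registered, the verifier pins `alg` to HS256 instead of trusting the token's header, and the handler refuses to run without `JWT_SECRET` rather than signing tokens with an empty key. Browser preflight (OPTIONS) is left to the Function URL CORS configuration set up in Step 3.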

### Step 3: Create the deployment script
**File:** `deploy_auth_lambda.sh`
```bash
#!/bin/bash
set -e
FUNCTION_NAME="skymailbox-auth"
ROLE_ARN="arn:aws:iam::085591177963:role/skymailbox-lambda-role"
REGION="us-east-1"

# Zip
zip -j auth_lambda.zip auth_lambda.py

# Check if function exists (discard the JSON description; only the exit status matters here)
if aws lambda get-function --function-name "$FUNCTION_NAME" --region "$REGION" >/dev/null 2>&1; then
  echo "Updating existing function..."
  # Code only: the environment (and so JWT_SECRET) is left untouched, so tokens already issued stay valid
  aws lambda update-function-code \
    --function-name "$FUNCTION_NAME" \
    --zip-file fileb://auth_lambda.zip \
    --region "$REGION"
  aws lambda wait function-updated-v2 --function-name "$FUNCTION_NAME" --region "$REGION"
else
  echo "Creating new function..."
  aws lambda create-function \
    --function-name "$FUNCTION_NAME" \
    --runtime python3.11 \
    --handler auth_lambda.lambda_handler \
    --role "$ROLE_ARN" \
    --zip-file fileb://auth_lambda.zip \
    --timeout 30 \
    --memory-size 256 \
    --environment "Variables={JWT_SECRET=$(openssl rand -hex 32),DYNAMODB_TABLE=skymailbox-users}" \
    --region "$REGION"
  aws lambda wait function-active-v2 --function-name "$FUNCTION_NAME" --region "$REGION"
fi

# Create/update Function URL
CORS_CONFIG='{"AllowOrigins":["*"],"AllowMethods":["GET","POST","OPTIONS"],"AllowHeaders":["Content-Type","Authorization"]}'
aws lambda create-function-url-config \
  --function-name "$FUNCTION_NAME" \
  --auth-type NONE \
  --cors "$CORS_CONFIG" \
  --region "$REGION" 2>/dev/null || \
aws lambda update-function-url-config \
  --function-name "$FUNCTION_NAME" \
  --auth-type NONE \
  --cors "$CORS_CONFIG" \
  --region "$REGION"

# auth-type NONE still needs a resource policy granting public InvokeFunctionUrl, otherwise callers get 403;
# the statement already exists on re-runs, so a conflict here is not an error
aws lambda add-permission \
  --function-name "$FUNCTION_NAME" \
  --statement-id FunctionURLAllowPublicAccess \
  --action lambda:InvokeFunctionUrl \
  --principal "*" \
  --function-url-auth-type NONE \
  --region "$REGION" 2>/dev/null || true

# Get Function URL
URL=$(aws lambda get-function-url-config --function-name "$FUNCTION_NAME" --region "$REGION" --query 'FunctionUrl' --output text)
echo "Auth API URL: $URL"
echo "$URL" > AUTH_API_URL.txt
```

### Step 4: Create the tests
**File:** `test_auth_api.py`

A test script that:
1. POST /register with a test user → verify 200 + token in the response
2. POST /login with the same credentials → verify 200 + token
3. GET /me with the token → verify the user profile data
4. POST /register with a duplicate email → verify 409 Conflict
5. POST /login with a wrong password → verify 401 Unauthorized
6. GET /me without a token → verify 401

Use `urllib.request` (no pip dependencies). Read the API URL from `AUTH_API_URL.txt`.
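An added example of such a test script, not the sprint's `test_auth_api.py`: it reads `AUTH_API_URL.txt`, sends the six requests with `urllib.request` and maps each to PASS/FAIL. The detail worth seeing is that `urllib` raises `HTTPError` for every 4xx, so the expected 409 and 401 answers have to be caught and read like normal responses. The response field names follow Step 2; the `opener` parameter and the `FakeAuthApi` class are assumptions added so the suite can be exercised offline and are not part of the backend.

```python
"""Added example of a Step 4 test script (not the sprint's own test_auth_api.py).
Assumes the request/response shapes from Step 2. The `opener` parameter defaults
to urllib.request.urlopen and exists so the suite can also run offline."""
import io, json, sys, uuid
import urllib.error, urllib.request, urllib.response
from pathlib import Path


def call(base_url, method, path, payload=None, token=None, opener=urllib.request.urlopen):
    """One request; returns (status, parsed JSON body).
    urllib raises HTTPError for every 4xx/5xx, so the expected 401/409 answers are caught here
    and returned like any other response instead of aborting the run."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with opener(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw) if raw else {}
        except ValueError:                      # non-JSON error page (e.g. a 403 from a missing URL permission)
            return err.code, {"raw": raw.decode(errors="replace")}


def run_suite(base_url, email, password, username="testuser", opener=urllib.request.urlopen):
    """The six checks from Step 4, in order; returns [(name, passed, http_status), ...]."""
    results = []

    def check(name, status, expected, extra_ok=True):
        results.append((name, status == expected and extra_ok, status))

    status, body = call(base_url, "POST", "/register", {"email": email, "password": password, "username": username}, opener=opener)
    check("Register", status, 200, "token" in body)
    status, body = call(base_url, "POST", "/login", {"email": email, "password": password}, opener=opener)
    check("Login", status, 200, "token" in body)
    token = body.get("token", "")
    status, body = call(base_url, "GET", "/me", token=token, opener=opener)
    check("Get Profile", status, 200, body.get("email") == email)
    status, _ = call(base_url, "POST", "/register", {"email": email, "password": password, "username": username}, opener=opener)
    check("Duplicate Register", status, 409)
    status, _ = call(base_url, "POST", "/login", {"email": email, "password": password + "x"}, opener=opener)
    check("Bad Password", status, 401)
    status, _ = call(base_url, "GET", "/me", opener=opener)
    check("No Token", status, 401)
    return results


def passed_count(results):
    return sum(1 for _, ok, _ in results if ok)


def _http_response(code, body, url):
    """Constructed response for the offline stand-in: a file-like 2xx, or the HTTPError urllib would raise."""
    data = json.dumps(body).encode()
    if code < 400:
        return urllib.response.addinfourl(io.BytesIO(data), {}, url, code)
    raise urllib.error.HTTPError(url, code, "error", {}, io.BytesIO(data))


class FakeAuthApi:
    """Constructed in-memory stand-in for the deployed function, only so the suite can be exercised offline."""
    def __init__(self):
        self.users = {}                          # email -> password (no hashing: this is a test double)

    def __call__(self, req, timeout=None):
        body = json.loads(req.data) if req.data else {}
        bearer = (req.get_header("Authorization") or "").removeprefix("Bearer ")
        route, url = (req.get_method(), req.selector), req.full_url
        if route == ("POST", "/register"):
            if body["email"] in self.users:
                return _http_response(409, {"error": "duplicate"}, url)
            self.users[body["email"]] = body["password"]
            return _http_response(200, {"user_id": "u-1", "token": "tok-" + body["email"], "username": body["username"]}, url)
        if route == ("POST", "/login"):
            if self.users.get(body["email"]) != body["password"]:
                return _http_response(401, {"error": "invalid credentials"}, url)
            return _http_response(200, {"user_id": "u-1", "token": "tok-" + body["email"], "tier": "free"}, url)
        if route == ("GET", "/me") and bearer.removeprefix("tok-") in self.users:
            return _http_response(200, {"email": bearer.removeprefix("tok-"), "wallet_balance": 100}, url)
        return _http_response(401 if route == ("GET", "/me") else 404, {"error": "unauthorized"}, url)


if __name__ == "__main__":
    api_url = Path("AUTH_API_URL.txt").read_text().strip()
    # fresh throw-away identity per run, so "Register" is not itself the duplicate
    outcome = run_suite(api_url, f"test-{uuid.uuid4().hex[:8]}@example.invalid", "TestPass123!")
    for name, ok, status in outcome:
        print(f"{'PASS' if ok else 'FAIL'}  {name} (HTTP {status})")
    sys.exit(0 if passed_count(outcome) >= 4 else 1)   # checklist threshold: min 4/6
```

Running `python3 test_auth_api.py` after the deploy prints one PASS/FAIL line per check and exits non-zero below the checklist's 4/6 threshold; a 403 with a non-JSON body on the very first call usually means the Function URL has no public `InvokeFunctionUrl` permission yet.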

### Step 5: Deploy and test
1. Run `bash deploy_auth_lambda.sh`
2. Run `python3 test_auth_api.py`
3. Record the results

## TESTING
```bash
# Manual test
curl -X POST $AUTH_URL/register \
  -H "Content-Type: application/json" \
  -d '{"email":"test@skymailbox.net","password":"TestPass123!","username":"testuser"}'

curl -X POST $AUTH_URL/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@skymailbox.net","password":"TestPass123!"}'
```

## COMPLETION CHECKLIST
- [ ] DynamoDB table `skymailbox-users` is ACTIVE
- [ ] Lambda `skymailbox-auth` is deployed
- [ ] Function URL is active
- [ ] Register endpoint works
- [ ] Login endpoint works
- [ ] /me endpoint returns the profile
- [ ] Token refresh works
- [ ] CORS headers present
- [ ] Tests passed (min 4/6)
- [ ] All files in the output folder

## DELIVERABLES LIST
1. `auth_lambda.py` — complete Lambda handler
2. `deploy_auth_lambda.sh` — deployment script
3. `test_auth_api.py` — automated tests
4. `auth_lambda.zip` — deployment package
5. `AUTH_API_URL.txt` — Function URL
6. `table_creation_log.txt` — DynamoDB create output
7. `SPRINT_10.1_README.md` — documentation
8. `SPRINT_10.1_COMPLETE.md` — completion report

## COMPLETION REPORT TEMPLATE
```markdown
# ✅ SPRINT 10.1 — AUTH BACKEND — COMPLETE

## Timestamp
[ISO datetime]

## Status
COMPLETE / FAILED

## Deliverables
| File | Status |
|------|--------|
| auth_lambda.py | ✅ Created |
| deploy_auth_lambda.sh | ✅ Created |
| test_auth_api.py | ✅ Created |
| auth_lambda.zip | ✅ Created |
| AUTH_API_URL.txt | ✅ Created |

## Auth API URL
[Function URL]

## Test Results
| Test | Result |
|------|--------|
| Register | PASS/FAIL |
| Login | PASS/FAIL |
| Get Profile | PASS/FAIL |
| Duplicate Register | PASS/FAIL |
| Bad Password | PASS/FAIL |
| No Token | PASS/FAIL |

## DynamoDB Table
- Name: skymailbox-users
- Status: ACTIVE
- GSI: email-index

## Issues
[Any issues encountered]

## Next Sprint
SPRINT_10.2_EMAIL_API
```
