@go-to-k/cdkd 0.118.0 → 0.119.0

package/dist/cli.js

@@ -40448,14 +40448,23 @@ function resolveRestV1Authorizer(authorizerLogicalId, template, stackName, decla
 	if (type === "COGNITO_USER_POOLS") {
 		const arns = props["ProviderARNs"];
 		if (!Array.isArray(arns) || arns.length === 0) throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: COGNITO_USER_POOLS authorizer is missing ProviderARNs.`);
-		const arn = pickStringFromArn(arns[0], `${stackName}/${authorizerLogicalId}.ProviderARNs[0]`);
-		const parsed = parseCognitoUserPoolArn(arn, `${stackName}/${authorizerLogicalId}`);
+		const pools = arns.map((entry, idx) => {
+			const arn = pickStringFromArn(entry, `${stackName}/${authorizerLogicalId}.ProviderARNs[${idx}]`);
+			const parsed = parseCognitoUserPoolArn(arn, `${stackName}/${authorizerLogicalId}.ProviderARNs[${idx}]`);
+			return {
+				userPoolArn: arn,
+				region: parsed.region,
+				userPoolId: parsed.userPoolId
+			};
+		});
+		const first = pools[0];
 		return {
 			kind: "cognito",
 			logicalId: authorizerLogicalId,
-			userPoolArn: arn,
-			region: parsed.region,
-			userPoolId: parsed.userPoolId,
+			pools,
+			userPoolArn: first.userPoolArn,
+			region: first.region,
+			userPoolId: first.userPoolId,
 			declaredAt
 		};
 	}
@@ -40677,7 +40686,9 @@ function parseCognitoIssuer(issuer) {
 /**
 * Pull a string out of a {Ref} / literal entry under `ProviderARNs`.
 * CDK's CognitoUserPoolsAuthorizer emits a literal array of `Fn::GetAtt:
-* [<UserPool>, 'Arn']` entries — we accept both.
+* [<UserPool>, 'Arn']` entries — we accept both. The `location` argument
+* carries the full `<stack>/<authorizer>.ProviderARNs[<idx>]` path so the
+* error names the offending entry exactly.
 */
 function pickStringFromArn(value, location) {
 	if (typeof value === "string") return value;
@@ -40685,10 +40696,10 @@ function pickStringFromArn(value, location) {
 		const obj = value;
 		if ("Fn::GetAtt" in obj) {
 			const arg = obj["Fn::GetAtt"];
-			if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") throw new RouteDiscoveryError(`${location}: ProviderARNs[0] uses Fn::GetAtt against logical ID '${arg[0]}'. cdkd local start-api needs the literal ARN string to derive the JWKS URL — set the user pool ARN explicitly via 'authorizer.providerArns' on the CDK construct, or upgrade to JWT (HTTP v2) which encodes the pool in the Issuer URL.`);
+			if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") throw new RouteDiscoveryError(`${location}: uses Fn::GetAtt against logical ID '${arg[0]}'. cdkd local start-api needs the literal ARN string to derive the JWKS URL — set the user pool ARN explicitly via 'authorizer.providerArns' on the CDK construct, or upgrade to JWT (HTTP v2) which encodes the pool in the Issuer URL.`);
 		}
 	}
-	throw new RouteDiscoveryError(`${location}: ProviderARNs[0] must be a literal string (got ${shortJson(value)}).`);
+	throw new RouteDiscoveryError(`${location}: must be a literal string (got ${shortJson(value)}).`);
 }
 /**
 * Parse and clamp a TTL value to `[0, max]` with a default fallback.
@@ -41206,21 +41217,36 @@ function buildJwksUrlFromIssuer(issuer) {
 	return `${issuer.replace(/\/+$/, "")}/.well-known/jwks.json`;
 }
 /**
-* Verify a Bearer JWT against the Cognito user pool referenced by the
-* authorizer. Returns a {@link CachedAuthorizerResult} the http-server
-* can both cache (briefly — JWT exp itself is the cache deadline) and
-* propagate into the route event.
+* Build the expected `iss` claim URL for a Cognito user pool. Matches the
+* issuer Cognito embeds in every minted JWT.
+*/
+function buildCognitoIssuer(region, userPoolId) {
+	return `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
+}
+/**
+* Verify a Bearer JWT against the Cognito user pool(s) referenced by the
+* authorizer. With a multi-pool authorizer (`ProviderARNs[]` of length
+* 1+) the request-time pool selection is driven by the JWT's unverified
+* `iss` claim — only the matching pool's JWKS is used for signature
+* verification, so a token issued by pool A cannot be verified against
+* pool B's keys. Issuer mismatch against EVERY configured pool rejects
+* with 401.
 *
 * Returns `{ allow: false }` on:
 *   - missing / malformed Authorization header (caller surfaces 401);
 *   - signature verification failure;
 *   - expired token (`exp` in the past);
-*   - issuer mismatch (token's `iss` doesn't match the pool's URL);
+*   - issuer mismatch (token's `iss` doesn't match any configured pool);
 *   - audience mismatch (token's `aud` not in the configured allowlist).
 *
 * Returns `{ allow: true, principalId, context }` on:
-*   - successful verification;
-*   - JWKS-unreachable pass-through mode (with a warn line on first hit).
+*   - successful verification against the matching pool;
+*   - JWKS-unreachable pass-through mode for the matching pool (with a
+*     warn line on first hit; per-pool TTL handled by the cache).
+*
+* Backward compat: a single-element `ProviderARNs[]` (the historical
+* single-pool case) behaves identically to pre-PR — `pools[0]` is the
+* only candidate and the `iss` check matches it.
 */
 async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts = {}) {
 	const now = opts.now ?? (() => Date.now());
@@ -41230,7 +41256,33 @@ async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts
 		identityHash: void 0,
 		ttlSeconds: 0
 	};
-	return verifyAndShape(token, buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId), `https://cognito-idp.${authorizer.region}.amazonaws.com/${authorizer.userPoolId}`, void 0, jwksCache, opts.warned, now);
+	const pools = authorizer.pools && authorizer.pools.length > 0 ? authorizer.pools : [{
+		userPoolArn: authorizer.userPoolArn,
+		region: authorizer.region,
+		userPoolId: authorizer.userPoolId
+	}];
+	const parsed = parseJwt(token);
+	const identityHash = buildIdentityHash([token]);
+	let selectedPool = pools[0];
+	let issMatched = false;
+	if (parsed && typeof parsed.payload["iss"] === "string") {
+		const tokenIss = parsed.payload["iss"].replace(/\/+$/, "");
+		for (const pool of pools) if (buildCognitoIssuer(pool.region, pool.userPoolId) === tokenIss) {
+			selectedPool = pool;
+			issMatched = true;
+			break;
+		}
+		if (!issMatched) return {
+			allow: false,
+			identityHash,
+			ttlSeconds: 0
+		};
+	} else if (pools.length > 1) return {
+		allow: false,
+		identityHash,
+		ttlSeconds: 0
+	};
+	return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, jwksCache, opts.warned, now);
 }
 /**
 * Verify a Bearer JWT against an HTTP v2 JWT authorizer's `JwtConfiguration`.
@@ -42712,7 +42764,7 @@ async function prewarmJwks(routesWithAuth, jwksCache) {
 	for (const entry of routesWithAuth) {
 		const auth = entry.authorizer;
 		if (!auth) continue;
-		if (auth.kind === "cognito") urls.add(buildCognitoJwksUrl(auth.region, auth.userPoolId));
+		if (auth.kind === "cognito") for (const pool of auth.pools) urls.add(buildCognitoJwksUrl(pool.region, pool.userPoolId));
 		else if (auth.kind === "jwt") {
 			const url = auth.region && auth.userPoolId ? buildCognitoJwksUrl(auth.region, auth.userPoolId) : buildJwksUrlFromIssuer(auth.issuer);
 			urls.add(url);
@@ -46172,7 +46224,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.118.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.119.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());