@infoxchange/make-it-so-sst-v2 1.0.0-internal-testing-disambiguate-release-id-bc6e5bb.1

package/dist/cdk-constructs/SiteOidcAuth/auth-check-handler-body.js

@@ -0,0 +1,130 @@
+// Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
+// Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function. For example, no
+// external libraries can be used, and the runtime is more limited. Because SST v2's SsrSite construct uses JS v1.0
+// runtime for CloudFront Functions, this code must also be compatible with that runtime. Also this is used in the body
+// of a function where the variables event and request are already defined.
+// eslint-disable-next-line @typescript-eslint/no-var-requires -- v1 runtime for CloudFront Functions do not support import statements
+const crypto = require("crypto");
+const jwtSecret = "__placeholder-for-jwt-secret__";
+const authRoutePrefix = "__placeholder-for-auth-route-prefix__";
+// Set to true to enable console logging
+const loggingEnabled = false;
+// Simple logger that can be enabled/disabled via the loggingEnabled variable.
+const log = function () {
+    if (!loggingEnabled)
+        return;
+    // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+    // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+    let message = arguments[0];
+    if (arguments.length > 1) {
+        const otherArgs = [];
+        for (let i = 1; i < arguments.length; i++) {
+            // eslint-disable-next-line prefer-rest-params
+            otherArgs[i - 1] = arguments[i];
+        }
+        message += " - additional args: " + JSON.stringify(otherArgs);
+    }
+    console.log(message);
+};
+//Response when JWT is not valid.
+const redirectResponse = {
+    statusCode: 302,
+    headers: {
+        location: { value: `${authRoutePrefix}/oidc/authorize` },
+    },
+};
+// Takes a JWT token to decode and throws an error if invalid
+function jwtDecode(token, key, noVerify) {
+    // check segments
+    const segments = token.split(".");
+    if (segments.length !== 3) {
+        throw new Error("Not enough or too many segments");
+    }
+    // All segment should be base64
+    const headerSeg = segments[0];
+    const payloadSeg = segments[1];
+    const signatureSeg = segments[2];
+    // base64 decode and parse JSON
+    const payload = JSON.parse(_base64urlDecode(payloadSeg));
+    if (noVerify) {
+        return payload;
+    }
+    const signingMethod = "sha256";
+    const signingType = "hmac";
+    // Verify signature. `sign` will return base64 string.
+    const signingInput = [headerSeg, payloadSeg].join(".");
+    if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
+        throw new Error("Signature verification failed");
+    }
+    // Support for nbf and exp claims.
+    // According to the RFC, they should be in seconds.
+    if (payload.nbf && Date.now() < payload.nbf * 1000) {
+        throw new Error("Token not yet active");
+    }
+    if (payload.exp && Date.now() > payload.exp * 1000) {
+        throw new Error("Token expired");
+    }
+    return payload;
+}
+// Function to ensure a constant time comparison to prevent timing side channels.
+function _constantTimeEquals(a, b) {
+    if (a.length != b.length) {
+        return false;
+    }
+    let xor = 0;
+    for (let i = 0; i < a.length; i++) {
+        xor |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return 0 === xor;
+}
+// Verifies some input matches an expected signature.
+function _verify(input, key, method, type, signature) {
+    if (type === "hmac") {
+        return _constantTimeEquals(signature, _sign(input, key, method));
+    }
+    else {
+        throw new Error("Algorithm type not recognized");
+    }
+}
+// Signs some input with a key and method.
+function _sign(input, key, method) {
+    return crypto.createHmac(method, key).update(input).digest("base64url");
+}
+// Very annoying that we have to implement this ourselves but it seems like the v1 runtime does not have atob/btoa or
+// Buffer available.
+function _base64urlDecode(str) {
+    str = str.replace(/-/g, "+").replace(/_/g, "/");
+    while (str.length % 4)
+        str += "=";
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+    let output = "";
+    let bc = 0, bs = 0, buffer, i = 0;
+    for (; i < str.length; i++) {
+        buffer = chars.indexOf(str.charAt(i));
+        if (buffer === -1)
+            continue;
+        bs = (bs << 6) | buffer;
+        bc += 6;
+        if (bc >= 8) {
+            bc -= 8;
+            output += String.fromCharCode((bs >> bc) & 0xff);
+        }
+    }
+    return output;
+}
+const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
+if (!jwtToken) {
+    log("Error: No JWT in the cookies");
+    // @ts-expect-error -- This code is added to a function body so we can use return here but typescript doesn't know that.
+    return redirectResponse;
+}
+try {
+    jwtDecode(jwtToken, jwtSecret);
+}
+catch (e) {
+    log(e);
+    // @ts-expect-error -- This code is added to a function body so we can use return here but typescript doesn't know that.
+    return redirectResponse;
+}
+log("Valid JWT token");
+export {};

package/dist/cdk-constructs/SiteOidcAuth/auth-route.d.ts

@@ -0,0 +1,2 @@
+export declare const handler: (event: any, context: any) => Promise<any>;
+//# sourceMappingURL=auth-route.d.ts.map

package/dist/cdk-constructs/SiteOidcAuth/auth-route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/SiteOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAiCnB,CAAC"}

package/dist/cdk-constructs/SiteOidcAuth/auth-route.js

@@ -0,0 +1,59 @@
+import { AuthHandler, OidcAdapter } from "sst/node/auth";
+import { Issuer } from "openid-client";
+import jwt from "jsonwebtoken";
+const oidcClientId = process.env.OIDC_CLIENT_ID;
+if (!oidcClientId) {
+    throw new Error("OIDC_CLIENT_ID not set");
+}
+const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
+if (!oidcIssuerUrl) {
+    throw new Error("OIDC_ISSUER_URL not set");
+}
+const oidcScope = process.env.OIDC_SCOPE;
+if (!oidcScope) {
+    throw new Error("OIDC_SCOPE not set");
+}
+const jwtSecret = process.env.JWT_SECRET;
+if (!jwtSecret) {
+    throw new Error("JWT_SECRET not set");
+}
+const oidcIssuerConfigUrl = new URL(`${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`);
+export const handler = addRequiredContext(AuthHandler({
+    providers: {
+        oidc: OidcAdapter({
+            issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
+            clientID: oidcClientId,
+            scope: oidcScope,
+            onSuccess: async (tokenset) => {
+                // Payload to include in the token
+                const payload = {
+                    userID: tokenset.claims().sub,
+                };
+                const expiresInMs = 1000 * 60 * 60;
+                // Create the token
+                const token = jwt.sign(payload, jwtSecret, {
+                    algorithm: "HS256",
+                    expiresIn: expiresInMs / 1000,
+                });
+                const expiryDate = new Date(Date.now() + expiresInMs);
+                return {
+                    statusCode: 302,
+                    headers: {
+                        location: "/",
+                    },
+                    cookies: [
+                        `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expiryDate}`,
+                    ],
+                };
+            },
+        }),
+    },
+}));
+function addRequiredContext(handler) {
+    return async function (...args) {
+        const [event] = args;
+        // Used by AuthHandler to create callback url sent to oidc server
+        event.requestContext.domainName = event.headers["x-forwarded-host"];
+        return await handler(...args);
+    };
+}

package/dist/cdk-constructs/SiteOidcAuth/index.d.ts

@@ -0,0 +1,197 @@
+import { Construct } from "constructs";
+import CloudFront from "aws-cdk-lib/aws-cloudfront";
+import CDK from "aws-cdk-lib";
+import * as SST from "sst/constructs";
+import type { ExtendedNextjsSiteProps, ExtendedStaticSiteProps } from "../../lib/site/support.js";
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+export type Props = {
+    oidcIssuerUrl: string;
+    oidcClientId: string;
+    oidcScope: string;
+};
+export type AddToSiteProps = {
+    prefix?: string;
+};
+export declare class SiteOidcAuth extends Construct {
+    readonly oidcIssuerUrl: string;
+    readonly oidcClientId: string;
+    readonly oidcScope: string;
+    readonly id: string;
+    constructor(scope: ConstructScope, id: ConstructId, props: Props);
+    addToStaticSiteProps<SiteProps extends ExtendedStaticSiteProps>(scope: ConstructScope, siteProps: SiteProps, { prefix }?: AddToSiteProps): SiteProps & {
+        cdk: {
+            distribution: {
+                additionalBehaviors: Record<string, CloudFront.BehaviorOptions>;
+                defaultBehavior: {
+                    functionAssociations: CloudFront.FunctionAssociation[];
+                    allowedMethods?: CloudFront.AllowedMethods | undefined;
+                    cachedMethods?: CloudFront.CachedMethods | undefined;
+                    cachePolicy?: CloudFront.ICachePolicy | undefined;
+                    compress?: boolean | undefined;
+                    originRequestPolicy?: CloudFront.IOriginRequestPolicy | undefined;
+                    realtimeLogConfig?: CloudFront.IRealtimeLogConfig | undefined;
+                    responseHeadersPolicy?: CloudFront.IResponseHeadersPolicy | undefined;
+                    smoothStreaming?: boolean | undefined;
+                    viewerProtocolPolicy?: CloudFront.ViewerProtocolPolicy | undefined;
+                    edgeLambdas?: CloudFront.EdgeLambda[] | undefined;
+                    trustedKeyGroups?: CloudFront.IKeyGroup[] | undefined;
+                    origin?: CloudFront.IOrigin | undefined;
+                };
+            } | {
+                additionalBehaviors: Record<string, CloudFront.BehaviorOptions>;
+                defaultBehavior: {
+                    functionAssociations: CloudFront.FunctionAssociation[];
+                    allowedMethods?: CloudFront.AllowedMethods | undefined;
+                    cachedMethods?: CloudFront.CachedMethods | undefined;
+                    cachePolicy?: CloudFront.ICachePolicy | undefined;
+                    compress?: boolean | undefined;
+                    originRequestPolicy?: CloudFront.IOriginRequestPolicy | undefined;
+                    realtimeLogConfig?: CloudFront.IRealtimeLogConfig | undefined;
+                    responseHeadersPolicy?: CloudFront.IResponseHeadersPolicy | undefined;
+                    smoothStreaming?: boolean | undefined;
+                    viewerProtocolPolicy?: CloudFront.ViewerProtocolPolicy | undefined;
+                    edgeLambdas?: CloudFront.EdgeLambda[] | undefined;
+                    trustedKeyGroups?: CloudFront.IKeyGroup[] | undefined;
+                    origin?: CloudFront.IOrigin | undefined;
+                };
+                distributionDomainName: string;
+                distributionId: string;
+                grant(identity: CDK.aws_iam.IGrantable, ...actions: string[]): CDK.aws_iam.Grant;
+                grantCreateInvalidation(identity: CDK.aws_iam.IGrantable): CDK.aws_iam.Grant;
+                stack: CDK.Stack;
+                env: CDK.ResourceEnvironment;
+                applyRemovalPolicy(policy: CDK.RemovalPolicy): void;
+                node: import("constructs").Node;
+            } | {
+                additionalBehaviors: Record<string, CloudFront.BehaviorOptions>;
+                defaultBehavior: {
+                    functionAssociations: CloudFront.FunctionAssociation[];
+                    allowedMethods?: CloudFront.AllowedMethods | undefined;
+                    cachedMethods?: CloudFront.CachedMethods | undefined;
+                    cachePolicy?: CloudFront.ICachePolicy | undefined;
+                    compress?: boolean | undefined;
+                    originRequestPolicy?: CloudFront.IOriginRequestPolicy | undefined;
+                    realtimeLogConfig?: CloudFront.IRealtimeLogConfig | undefined;
+                    responseHeadersPolicy?: CloudFront.IResponseHeadersPolicy | undefined;
+                    smoothStreaming?: boolean | undefined;
+                    viewerProtocolPolicy?: CloudFront.ViewerProtocolPolicy | undefined;
+                    edgeLambdas?: CloudFront.EdgeLambda[] | undefined;
+                    trustedKeyGroups?: CloudFront.IKeyGroup[] | undefined;
+                    origin?: CloudFront.IOrigin | undefined;
+                };
+                certificate?: CDK.aws_certificatemanager.ICertificate | undefined;
+                comment?: string | undefined;
+                defaultRootObject?: string | undefined;
+                domainNames?: string[] | undefined;
+                enabled?: boolean | undefined;
+                enableIpv6?: boolean | undefined;
+                enableLogging?: boolean | undefined;
+                geoRestriction?: CloudFront.GeoRestriction | undefined;
+                httpVersion?: CloudFront.HttpVersion | undefined;
+                logBucket?: CDK.aws_s3.IBucket | undefined;
+                logIncludesCookies?: boolean | undefined;
+                logFilePrefix?: string | undefined;
+                priceClass?: CloudFront.PriceClass | undefined;
+                webAclId?: string | undefined;
+                errorResponses?: CloudFront.ErrorResponse[] | undefined;
+                minimumProtocolVersion?: CloudFront.SecurityPolicyProtocol | undefined;
+                sslSupportMethod?: CloudFront.SSLMethod | undefined;
+                publishAdditionalMetrics?: boolean | undefined;
+            };
+            id?: string | undefined;
+            bucket?: CDK.aws_s3.IBucket | CDK.aws_s3.BucketProps | undefined;
+        };
+    };
+    addToSsrSiteProps<SiteProps extends ExtendedNextjsSiteProps>(scope: ConstructScope, siteProps: SiteProps, { prefix }?: AddToSiteProps): SiteProps & {
+        cdk: {
+            distribution: {
+                additionalBehaviors: Record<string, CloudFront.BehaviorOptions>;
+                defaultBehavior?: (Omit<CloudFront.BehaviorOptions, "origin"> & {
+                    origin?: CloudFront.IOrigin | undefined;
+                }) | undefined;
+                certificate?: CDK.aws_certificatemanager.ICertificate | undefined;
+                comment?: string | undefined;
+                defaultRootObject?: string | undefined;
+                domainNames?: string[] | undefined;
+                enabled?: boolean | undefined;
+                enableIpv6?: boolean | undefined;
+                enableLogging?: boolean | undefined;
+                geoRestriction?: CloudFront.GeoRestriction | undefined;
+                httpVersion?: CloudFront.HttpVersion | undefined;
+                logBucket?: CDK.aws_s3.IBucket | undefined;
+                logIncludesCookies?: boolean | undefined;
+                logFilePrefix?: string | undefined;
+                priceClass?: CloudFront.PriceClass | undefined;
+                webAclId?: string | undefined;
+                errorResponses?: CloudFront.ErrorResponse[] | undefined;
+                minimumProtocolVersion?: CloudFront.SecurityPolicyProtocol | undefined;
+                sslSupportMethod?: CloudFront.SSLMethod | undefined;
+                publishAdditionalMetrics?: boolean | undefined;
+            };
+            id?: string | undefined;
+            bucket?: CDK.aws_s3.IBucket | CDK.aws_s3.BucketProps | undefined;
+            s3Origin?: CDK.aws_cloudfront_origins.S3OriginProps | undefined;
+            serverCachePolicy?: CloudFront.ICachePolicy | undefined;
+            responseHeadersPolicy?: CloudFront.IResponseHeadersPolicy | undefined;
+            viewerProtocolPolicy?: CloudFront.ViewerProtocolPolicy | undefined;
+            server?: (Pick<CDK.aws_lambda.FunctionProps, "vpc" | "layers" | "vpcSubnets" | "securityGroups" | "allowAllOutbound" | "allowPublicSubnet" | "architecture" | "logRetention"> & Pick<SST.FunctionProps, "copyFiles">) | undefined;
+            transform?: ((args: {
+                cloudFrontFunctions?: Record<string, {
+                    constructId: string;
+                    injections: string[];
+                }> | undefined;
+                edgeFunctions?: Record<string, {
+                    constructId: string;
+                    function: import("sst/constructs/EdgeFunction.js").EdgeFunctionProps;
+                }> | undefined;
+                origins: Record<string, {
+                    type: "function";
+                    constructId: string;
+                    function: import("sst/constructs/SsrFunction.js").SsrFunctionProps;
+                    injections?: string[] | undefined;
+                    streaming?: boolean | undefined;
+                } | {
+                    type: "image-optimization-function";
+                    function: CDK.aws_lambda.FunctionProps;
+                } | {
+                    type: "s3";
+                    originPath?: string | undefined;
+                    copy: {
+                        from: string;
+                        to: string;
+                        cached: boolean;
+                        versionedSubDir?: string | undefined;
+                    }[];
+                } | {
+                    type: "group";
+                    primaryOriginName: string;
+                    fallbackOriginName: string;
+                    fallbackStatusCodes?: number[] | undefined;
+                }>;
+                edge: boolean;
+                behaviors: {
+                    cacheType: "server" | "static";
+                    pattern?: string | undefined;
+                    origin: string;
+                    allowedMethods?: CloudFront.AllowedMethods | undefined;
+                    cfFunction?: string | undefined;
+                    edgeFunction?: string | undefined;
+                }[];
+                errorResponses?: CloudFront.ErrorResponse[] | undefined;
+                serverCachePolicy?: {
+                    allowedHeaders?: string[] | undefined;
+                } | undefined;
+                buildId?: string | undefined;
+            }) => void) | undefined;
+            revalidation?: Pick<CDK.aws_lambda.FunctionProps, "vpc" | "vpcSubnets"> | undefined;
+        };
+    };
+    private createJwtSecret;
+    private getFunctionAssociation;
+    private getAuthCheckHandlerBodyCode;
+    private convertToCloudFrontFunctionCompatibleCode;
+    private getAuthBehaviorOptions;
+}
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/SiteOidcAuth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/SiteOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,OAAO,UAAU,MAAM,4BAA4B,CAAC;AACpD,OAAO,GAAG,MAAM,aAAa,CAAC;AAE9B,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AAOtC,OAAO,KAAK,EACV,uBAAuB,EACvB,uBAAuB,EACxB,MAAM,2BAA2B,CAAC;AAEnC,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,MAAM,MAAM,KAAK,GAAG;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AACF,MAAM,MAAM,cAAc,GAAG;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAIjD,qBAAa,YAAa,SAAQ,SAAS;IACzC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,oBAAoB,CAAC,SAAS,SAAS,uBAAuB,EAC5D,KAAK,EAAE,cAAc,EACrB,SAAS,EAAE,SAAS,EACpB,EAAE,MAA+B,EAAE,GAAE,cAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA4C1D,iBAAiB,CAAC,SAAS,SAAS,uBAAuB,EACzD,KAAK,EAAE,cAAc,EACrB,SAAS,EAAE,SAAS,EACpB,EAAE,MAA+B,EAAE,GAAE,cAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuC1D,OAAO,CAAC,eAAe;IAgBvB,OAAO,CAAC,sBAAsB;IA8B9B,OAAO,CAAC,2BAA2B;IAsBnC,OAAO,CAAC,yCAAyC;IAgBjD,OAAO,CAAC,sBAAsB;CAkF/B"}

package/dist/cdk-constructs/SiteOidcAuth/index.js

@@ -0,0 +1,188 @@
+import { Construct } from "constructs";
+import SecretsManager from "aws-cdk-lib/aws-secretsmanager";
+import CloudFront from "aws-cdk-lib/aws-cloudfront";
+import CDK from "aws-cdk-lib";
+import Lambda from "aws-cdk-lib/aws-lambda";
+import * as SST from "sst/constructs";
+import { isCDKConstruct } from "sst/constructs/Construct.js";
+import { Config as SSTInternalConfig } from "sst/config.js";
+import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
+import path from "node:path";
+import fs from "node:fs";
+import { transformSync } from "esbuild";
+const defaultAuthRoutePrefix = "/auth";
+export class SiteOidcAuth extends Construct {
+    oidcIssuerUrl;
+    oidcClientId;
+    oidcScope;
+    id;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.oidcIssuerUrl = props.oidcIssuerUrl;
+        this.oidcClientId = props.oidcClientId;
+        this.oidcScope = props.oidcScope;
+        this.id = id;
+    }
+    addToStaticSiteProps(scope, siteProps, { prefix = defaultAuthRoutePrefix } = {}) {
+        prefix = prefix.replace(/\/$/, ""); // Remove trailing slash from prefix if it has one
+        const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+        const distribution = siteProps.cdk?.distribution;
+        if (isCDKConstruct(distribution)) {
+            throw new Error(`CDK Construct for distribution is not supported when adding CloudFront OIDC Auth behavior for prefix ${prefix}`);
+        }
+        const updatedSiteProps = {
+            ...siteProps,
+            cdk: {
+                ...siteProps.cdk,
+                distribution: {
+                    ...siteProps.cdk?.distribution,
+                    additionalBehaviors: distribution?.additionalBehaviors ?? {},
+                    defaultBehavior: {
+                        ...distribution?.defaultBehavior,
+                        functionAssociations: distribution?.defaultBehavior?.functionAssociations ?? [],
+                    },
+                },
+            },
+        };
+        if (updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName]) {
+            throw new Error(`Behavior for prefix ${prefix} already exists in distribution definition`);
+        }
+        const jwtSecret = this.createJwtSecret();
+        updatedSiteProps.cdk.distribution.defaultBehavior.functionAssociations.push(this.getFunctionAssociation(scope, jwtSecret, prefix));
+        updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName] =
+            this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+        return updatedSiteProps;
+    }
+    addToSsrSiteProps(scope, siteProps, { prefix = defaultAuthRoutePrefix } = {}) {
+        prefix = prefix.replace(/\/$/, ""); // Remove trailing slash from prefix if it has one
+        const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+        const updatedSiteProps = {
+            ...siteProps,
+            cdk: {
+                ...siteProps.cdk,
+                distribution: {
+                    ...siteProps.cdk?.distribution,
+                    additionalBehaviors: siteProps.cdk?.distribution?.additionalBehaviors ?? {},
+                },
+            },
+        };
+        if (updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName]) {
+            throw new Error(`Behavior for prefix ${prefix} already exists in distribution definition`);
+        }
+        const jwtSecret = this.createJwtSecret();
+        updatedSiteProps.cdk.transform = (plan) => {
+            siteProps?.cdk?.transform?.(plan);
+            plan.cloudFrontFunctions?.serverCfFunction.injections.push(this.convertToCloudFrontFunctionCompatibleCode(this.getAuthCheckHandlerBodyCode(jwtSecret, prefix)));
+        };
+        updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName] =
+            this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+        return updatedSiteProps;
+    }
+    createJwtSecret() {
+        return new SecretsManager.Secret(this, `${this.id}JwtSecret`, {
+            description: "JWT Signing Secret",
+            generateSecretString: {
+                passwordLength: 32,
+                excludePunctuation: true,
+                includeSpace: false,
+                requireEachIncludedType: true,
+            },
+            // Secret is only used for sessions so it's safe to delete on stack removal
+            removalPolicy: CDK.RemovalPolicy.DESTROY,
+        });
+    }
+    // Get the CloudFront Function Association for auth checking
+    // Roughly based off https://github.com/sst/v2/blob/4283d706f251724308b397996ff307929bf3a976/packages/sst/src/constructs/SsrSite.ts#L941
+    getFunctionAssociation(scope, jwtSecret, authRoutePrefix) {
+        const authCheckFunction = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
+            code: CloudFront.FunctionCode.fromInline(this.convertToCloudFrontFunctionCompatibleCode(`function handler(event) {
+              var request = event.request;
+              ${this.getAuthCheckHandlerBodyCode(jwtSecret, authRoutePrefix)}
+              return request;
+            }`, { minify: true })),
+            // We could specify the JS v2.0 runtime here but for SSR sites SST does the function creation and that currently
+            // uses JS v1.0 so no point using v2.0 here as the code has to be compatible with v1.0 anyway.
+        });
+        return {
+            function: authCheckFunction,
+            eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+        };
+    }
+    getAuthCheckHandlerBodyCode(jwtSecret, authRoutePrefix) {
+        return (fs
+            .readFileSync(path.join(import.meta.dirname, "auth-check-handler-body.js"), "utf8")
+            .replace("__placeholder-for-jwt-secret__", jwtSecret.secretValue.toString())
+            .replace("__placeholder-for-auth-route-prefix__", authRoutePrefix)
+            // When typescript builds the make-it-so code including "auth-check-handler-body.ts" it will add "export {}" to
+            // the end of the file if it's not already a module. This will cause a syntax error in CloudFront Functions so we
+            // remove it here.
+            .replace(/export {};\s*$/g, ""));
+    }
+    convertToCloudFrontFunctionCompatibleCode(sourceCode, esbuildOptions) {
+        // ESBuild doesn't currently support transforming const/let to var, which is required for CloudFront Functions
+        // JS runtime 1.0.
+        sourceCode = sourceCode
+            .replaceAll(/const /g, "var ")
+            .replaceAll(/let /g, "var ");
+        return transformSync(sourceCode, {
+            target: "es5",
+            ...esbuildOptions,
+        }).code;
+    }
+    // Get the behavior options for the auth route
+    getAuthBehaviorOptions(scope, jwtSecret, prefix) {
+        const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
+            runtime: "nodejs20.x",
+            handler: path.join(import.meta.dirname, "auth-route.handler"),
+            environment: {
+                OIDC_ISSUER_URL: this.oidcIssuerUrl,
+                OIDC_CLIENT_ID: this.oidcClientId,
+                OIDC_SCOPE: this.oidcScope,
+                JWT_SECRET: jwtSecret.secretValue.toString(),
+            },
+        });
+        // authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
+        // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
+        // by the Auth construct so we have to set them ourselves here to keep it happy.
+        const envVarName = SSTInternalConfig.envFor({
+            type: "Auth",
+            id: "id", // It seems like the env var will still be found no matter what this value is
+            prop: "prefix",
+        });
+        authRouteFunction.addEnvironment(envVarName, prefix);
+        const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
+            authType: Lambda.FunctionUrlAuthType.NONE,
+        });
+        const forwardHostHeaderCfFunction = new CloudFront.Function(scope, `${this.id}ForwardHostHeaderFunction`, {
+            code: CloudFront.FunctionCode.fromInline(this.convertToCloudFrontFunctionCompatibleCode(`function handler(event) {
+              const request = event.request;
+              request.headers["x-forwarded-host"] = { value: request.headers.host.value };
+              return request;
+            }`, { minify: true })),
+            runtime: CloudFront.FunctionRuntime.JS_2_0,
+        });
+        return {
+            origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(authRouteFunctionUrl.url)),
+            allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
+            cachePolicy: new CloudFront.CachePolicy(scope, `${this.id}AllowAllCookiesPolicy`, {
+                cachePolicyName: `${this.id}-AllowAllCookiesPolicy`,
+                comment: "Cache policy that forwards all cookies",
+                defaultTtl: CDK.Duration.seconds(1),
+                minTtl: CDK.Duration.seconds(1),
+                maxTtl: CDK.Duration.seconds(1),
+                cookieBehavior: CloudFront.CacheCookieBehavior.all(),
+                headerBehavior: CloudFront.CacheHeaderBehavior.allowList("X-Forwarded-Host"),
+                queryStringBehavior: CloudFront.CacheQueryStringBehavior.all(),
+                enableAcceptEncodingGzip: true,
+                enableAcceptEncodingBrotli: true,
+            }),
+            viewerProtocolPolicy: CloudFront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+            functionAssociations: [
+                {
+                    function: forwardHostHeaderCfFunction,
+                    eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+                },
+            ],
+        };
+    }
+}

package/dist/cdk-constructs/index.d.ts

@@ -0,0 +1,11 @@
+export * from "./IxVpcDetails.js";
+export * from "./IxCertificate.js";
+export * from "./IxDnsRecord.js";
+export * from "./IxSESIdentity.js";
+export * from "./IxNextjsSite.js";
+export * from "./IxStaticSite.js";
+export * from "./IxElasticache.js";
+export * from "./IxApi.js";
+export * from "./IxQuicksightWorkspace.js";
+export * from "./SiteOidcAuth/index.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC"}

package/dist/cdk-constructs/index.js

@@ -0,0 +1,10 @@
+export * from "./IxVpcDetails.js";
+export * from "./IxCertificate.js";
+export * from "./IxDnsRecord.js";
+export * from "./IxSESIdentity.js";
+export * from "./IxNextjsSite.js";
+export * from "./IxStaticSite.js";
+export * from "./IxElasticache.js";
+export * from "./IxApi.js";
+export * from "./IxQuicksightWorkspace.js";
+export * from "./SiteOidcAuth/index.js";