@infoxchange/make-it-so 2.10.0-internal-testing-vdt-199-add-oidc-auth.1 → 2.10.0-internal-testing-vdt-199-add-oidc-auth.3

package/README.md

@@ -13,6 +13,8 @@ npm --save-dev @infoxchange/make-it-so
 yarn add --dev @infoxchange/make-it-so
 ```
 
+
+
 ## Features
 
 ### deployConfig

package/commitlint.config.ts

@@ -0,0 +1,14 @@
+import type { UserConfig } from "@commitlint/types";
+
+export default {
+  ignores: [
+    (message) =>
+      // Allow "wip" commits except when publishing a production release or on PR CI jobs
+      process.env.GITHUB_EVENT_NAME !== "pull_request" &&
+      (process.env.GITHUB_WORKFLOW !== "Publish" ||
+        (process.env.GITHUB_REF_NAME?.startsWith("internal-testing-") ??
+          true)) &&
+      (message === "wip" || message.startsWith("wip:")),
+  ],
+  extends: ["@commitlint/config-conventional"],
+} satisfies UserConfig;

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.js

@@ -1,9 +1,9 @@
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-nocheck
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
-import crypto from 'crypto';
+import crypto from "crypto";
 // @ts-expect-error -- This library only exists in the CloudFront Functions runtime that this code runs in
-import cf from 'cloudfront';
+import cf from "cloudfront";
 //Response when JWT is not valid.
 // const response401 = {
 //     statusCode: 401,
@@ -12,23 +12,23 @@ import cf from 'cloudfront';
 const response401 = {
     statusCode: 302,
     headers: {
-        location: { "value": '/auth/oidc/authorize' },
+        location: { value: "/auth/oidc/authorize" },
     },
 };
 // Remember to associate the KVS with your function before calling the const kvsKey = 'jwt.secret'.
 // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-associate.html
-const kvsKey = '__placeholder-for-jwt-secret-key__';
+const kvsKey = "__placeholder-for-jwt-secret-key__";
 // set to true to enable console logging
 const loggingEnabled = true; // false;
 function jwt_decode(token, key, noVerify, algorithm) {
     // check token
     if (!token) {
-        throw new Error('No token supplied');
+        throw new Error("No token supplied");
     }
     // check segments
-    const segments = token.split('.');
+    const segments = token.split(".");
     if (segments.length !== 3) {
-        throw new Error('Not enough or too many segments');
+        throw new Error("Not enough or too many segments");
     }
     // All segment should be base64
     const headerSeg = segments[0];
@@ -37,20 +37,20 @@ function jwt_decode(token, key, noVerify, algorithm) {
     // base64 decode and parse JSON
     const payload = JSON.parse(_base64urlDecode(payloadSeg));
     if (!noVerify) {
-        const signingMethod = 'sha256';
-        const signingType = 'hmac';
+        const signingMethod = "sha256";
+        const signingType = "hmac";
         // Verify signature. `sign` will return base64 string.
-        const signingInput = [headerSeg, payloadSeg].join('.');
+        const signingInput = [headerSeg, payloadSeg].join(".");
         if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
-            throw new Error('Signature verification failed');
+            throw new Error("Signature verification failed");
         }
         // Support for nbf and exp claims.
         // According to the RFC, they should be in seconds.
         if (payload.nbf && Date.now() < payload.nbf * 1000) {
-            throw new Error('Token not yet active');
+            throw new Error("Token not yet active");
         }
         if (payload.exp && Date.now() > payload.exp * 1000) {
-            throw new Error('Token expired');
+            throw new Error("Token expired");
         }
     }
     return payload;
@@ -63,7 +63,7 @@ function _constantTimeEquals(a, b) {
     }
     let xor = 0;
     for (let i = 0; i < a.length; i++) {
-        xor |= (a.charCodeAt(i) ^ b.charCodeAt(i));
+        xor |= a.charCodeAt(i) ^ b.charCodeAt(i);
     }
     return 0 === xor;
 }
@@ -72,17 +72,17 @@ function _verify(input, key, method, type, signature) {
         return _constantTimeEquals(signature, _sign(input, key, method));
     }
     else {
-        throw new Error('Algorithm type not recognized');
+        throw new Error("Algorithm type not recognized");
     }
 }
 function _sign(input, key, method) {
-    return crypto.createHmac(method, key).update(input).digest('base64url');
+    return crypto.createHmac(method, key).update(input).digest("base64url");
 }
 function _base64urlDecode(str) {
-    return Buffer.from(str, 'base64url');
+    return Buffer.from(str, "base64url");
 }
 async function handler(event) {
-    let request = event.request;
+    const request = event.request;
     //Secret key used to verify JWT token.
     //Update with your own key.
     const secret_key = await getSecret();

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AA0BA,eAAO,MAAM,OAAO,4CAiDnB,CAAA"}
+{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAiDnB,CAAC"}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.js

@@ -33,14 +33,14 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(AuthHandler({
                 };
                 // Options (optional)
                 const options = {
-                    algorithm: 'HS256',
-                    expiresIn: '1h',
+                    algorithm: "HS256",
+                    expiresIn: "1h",
                 };
                 // Create the token
                 const token = jwt.sign(payload, jwtSecret, options);
                 const expires = new Date(
                 // @ ts-ignore error in GH action
-                Date.now() + (1000 * 60 * 60 * 24 * 7));
+                Date.now() + 1000 * 60 * 60 * 24 * 7);
                 return {
                     statusCode: 302,
                     headers: {
@@ -58,7 +58,7 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(AuthHandler({
                 //   },
                 // });
             },
-        })
+        }),
     },
 }));
 // @ts-expect-error - testing
@@ -66,8 +66,8 @@ function convertApiGatewayHandlerToCloudFrontHandler(callback) {
     // @ts-expect-error - testing
     return async function (event, context) {
         // Used by AuthHandler to create callback url sent to oidc server
-        event.requestContext.domainName = event.headers['x-forwarded-host'];
-        console.log('----', event, context);
+        event.requestContext.domainName = event.headers["x-forwarded-host"];
+        console.log("----", event, context);
         // console.log("event", event)
         // console.log("context", context)
         const response = await callback(event, context);

package/dist/cdk-constructs/CloudWatchOidcAuth/index.d.ts

@@ -16,7 +16,7 @@ export declare class CloudWatchOidcAuth extends Construct {
     readonly oidcScope: string;
     readonly id: string;
     constructor(scope: ConstructScope, id: ConstructId, props: Props);
-    addToDistributionDefinition<DistributionProps extends BaseSiteCdkDistributionProps>(scope: ConstructScope, { distributionDefinition, prefix }: {
+    addToDistributionDefinition<DistributionProps extends BaseSiteCdkDistributionProps>(scope: ConstructScope, { distributionDefinition, prefix, }: {
         distributionDefinition: Mutable<DistributionProps>;
         prefix?: string;
     }): Mutable<DistributionProps>;

package/dist/cdk-constructs/CloudWatchOidcAuth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAUvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAE1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAGF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CAAC,iBAAiB,SAAS,4BAA4B,EAChF,KAAK,EAAE,cAAc,EACrB,EAAE,sBAAsB,EAAE,MAAgB,EAAE,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAmCvH,OAAO,CAAC,sBAAsB;IA4F9B,OAAO,CAAC,sBAAsB;CA4D/B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA6C5E,OAAO,CAAC,sBAAsB;IAyH9B,OAAO,CAAC,sBAAsB;CA0E/B"}

package/dist/cdk-constructs/CloudWatchOidcAuth/index.js

@@ -2,12 +2,13 @@ import { Construct } from "constructs";
 import SecretsManager from "aws-cdk-lib/aws-secretsmanager";
 import CloudFront from "aws-cdk-lib/aws-cloudfront";
 import CDK from "aws-cdk-lib";
-import CdkCustomResources from 'aws-cdk-lib/custom-resources';
-import Lambda from 'aws-cdk-lib/aws-lambda';
-import { getFileContentsWithoutTypes } from "../../lib/utils/source-code.js";
+import CdkCustomResources from "aws-cdk-lib/custom-resources";
+import Lambda from "aws-cdk-lib/aws-lambda";
 import * as SST from "sst/constructs";
 import { Config as SSTInternalConfig } from "sst/config.js";
 import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
+import path from "node:path";
+import fs from "node:fs";
 export class CloudWatchOidcAuth extends Construct {
     oidcIssuerUrl;
     oidcClientId;
@@ -20,23 +21,24 @@ export class CloudWatchOidcAuth extends Construct {
         this.oidcScope = props.oidcScope;
         this.id = id;
     }
-    addToDistributionDefinition(scope, { distributionDefinition, prefix = "/auth" }) {
+    addToDistributionDefinition(scope, { distributionDefinition, prefix = "/auth", }) {
         console.log("------", import.meta.dirname, import.meta.url, import.meta.filename);
         const updatedDistributionDefinition = { ...distributionDefinition };
-        const behaviourName = `${prefix.replace(/^\//g, '')}/*`;
-        updatedDistributionDefinition.additionalBehaviors = updatedDistributionDefinition.additionalBehaviors
-            ? { ...updatedDistributionDefinition.additionalBehaviors }
-            : {};
+        const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+        updatedDistributionDefinition.additionalBehaviors =
+            updatedDistributionDefinition.additionalBehaviors
+                ? { ...updatedDistributionDefinition.additionalBehaviors }
+                : {};
         if (updatedDistributionDefinition.additionalBehaviors[behaviourName]) {
             throw new Error(`Behavior for prefix ${prefix} already exists in distribution definition`);
         }
         const jwtSecret = new SecretsManager.Secret(this, `${this.id}JwtSecret`, {
-            description: 'JWT Signing Secret',
+            description: "JWT Signing Secret",
             generateSecretString: {
                 passwordLength: 32,
                 excludePunctuation: true,
                 includeSpace: false,
-                requireEachIncludedType: true
+                requireEachIncludedType: true,
             },
             // Secret is only used for sessions so it's safe to delete on stack removal
             removalPolicy: CDK.RemovalPolicy.DESTROY,
@@ -44,11 +46,13 @@ export class CloudWatchOidcAuth extends Construct {
         updatedDistributionDefinition.defaultBehavior = {
             ...updatedDistributionDefinition.defaultBehavior,
             functionAssociations: [
-                ...(updatedDistributionDefinition.defaultBehavior?.functionAssociations || []),
-                this.getFunctionAssociation(scope, jwtSecret)
+                ...(updatedDistributionDefinition.defaultBehavior
+                    ?.functionAssociations || []),
+                this.getFunctionAssociation(scope, jwtSecret),
             ],
         };
-        updatedDistributionDefinition.additionalBehaviors[behaviourName] = this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+        updatedDistributionDefinition.additionalBehaviors[behaviourName] =
+            this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
         return updatedDistributionDefinition;
     }
     getFunctionAssociation(scope, jwtSecret) {
@@ -60,8 +64,9 @@ export class CloudWatchOidcAuth extends Construct {
         const getEtag = new CdkCustomResources.AwsCustomResource(this, `${this.id}GetKVStoreEtag`, {
             installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
             onUpdate: {
-                service: '@aws-sdk/client-cloudfront-keyvaluestore',
-                action: 'describeKeyValueStore',
+                // Since there's no onCreate, onUpdate will be called for CREATE events
+                service: "@aws-sdk/client-cloudfront-keyvaluestore",
+                action: "describeKeyValueStore",
                 parameters: { KvsARN: kvsArn },
                 // We include a timestamp in the physicalResourceId to ensure we fetch the latest etag on every update
                 physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${kvStoreId}-etag-${Date.now()}`),
@@ -70,7 +75,7 @@ export class CloudWatchOidcAuth extends Construct {
                 resources: [kvsArn],
             }),
         });
-        const etag = getEtag.getResponseField('ETag');
+        const etag = getEtag.getResponseField("ETag");
         // An annoying limitation of CloudFormation is that it won't resolve dynamic references for secrets when
         // used as a parameter to a custom resource. To get around this we manually resolve it with another custom
         // resource. Note this won't result in the secret being exposed in CloudFormation templates but it will
@@ -81,8 +86,8 @@ export class CloudWatchOidcAuth extends Construct {
             installLatestAwsSdk: false,
             // Since there's no onCreate, onUpdate will be called for CREATE events
             onUpdate: {
-                service: '@aws-sdk/client-secrets-manager',
-                action: 'getSecretValue',
+                service: "@aws-sdk/client-secrets-manager",
+                action: "getSecretValue",
                 parameters: {
                     SecretId: jwtSecret.secretArn,
                 },
@@ -97,12 +102,13 @@ export class CloudWatchOidcAuth extends Construct {
         const putKeyValue = new CdkCustomResources.AwsCustomResource(this, `${this.id}PutKeyValue`, {
             installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
             onUpdate: {
-                service: '@aws-sdk/client-cloudfront-keyvaluestore',
-                action: 'putKey',
+                // Since there's no onCreate, onUpdate will be called for CREATE events
+                service: "@aws-sdk/client-cloudfront-keyvaluestore",
+                action: "putKey",
                 parameters: {
                     KvsARN: kvsArn,
                     Key: key,
-                    Value: secretValue.getResponseField('SecretString'),
+                    Value: secretValue.getResponseField("SecretString"),
                     IfMatch: etag,
                 },
                 physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${kvStoreId}-${key}`),
@@ -115,16 +121,15 @@ export class CloudWatchOidcAuth extends Construct {
         // as well. But AwsCustomResource doesn't give us direct access to the underlying Lambda function so we inject a
         // NODE_OPTIONS env var to import on start. At some point AwsCustomResource will presumably switch to a later node
         // version and we might need to update this to '--import=' instead of '--require='.
-        const fn = putKeyValue.node.findChild('Provider');
+        const fn = putKeyValue.node.findChild("Provider");
         if (!(fn instanceof Lambda.SingletonFunction)) {
             throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
         }
-        fn.addEnvironment('NODE_OPTIONS', '--require=@aws-sdk/signature-v4-crt');
+        fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
         const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}EdgeFunctionAuthCheck`, {
-            code: CloudFront.FunctionCode.fromInline(getFileContentsWithoutTypes("CloudWatchOidcAuth/auth-check.ts")
-                .replace("__placeholder-for-jwt-secret-key__", key)),
+            code: CloudFront.FunctionCode.fromInline(fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key)),
             runtime: CloudFront.FunctionRuntime.JS_2_0,
-            keyValueStore: cfKeyValueStore
+            keyValueStore: cfKeyValueStore,
         });
         return {
             function: edgeFuncAuthCheck,
@@ -134,13 +139,13 @@ export class CloudWatchOidcAuth extends Construct {
     getAuthBehaviorOptions(scope, jwtSecret, prefix) {
         const edgeFuncAuth = new SST.Function(scope, `${this.id}EdgeFunctionAuth`, {
             runtime: "nodejs20.x",
-            handler: "CloudWatchOidcAuth/auth-route.handler",
+            handler: path.join(import.meta.dirname, "auth-route.handler"),
             environment: {
                 OIDC_ISSUER_URL: this.oidcIssuerUrl,
                 OIDC_CLIENT_ID: this.oidcClientId,
                 OIDC_SCOPE: this.oidcScope,
                 JWT_SECRET: jwtSecret.secretValue.toString(),
-            }
+            },
         });
         // edgeFuncAuth uses SST's AuthHandler construct which is normally run inside a lambda that's
         // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
@@ -168,8 +173,8 @@ export class CloudWatchOidcAuth extends Construct {
             origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(edgeFuncAuthUrl.url)),
             allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
             cachePolicy: new CloudFront.CachePolicy(scope, `${this.id}AllowAllCookiesPolicy`, {
-                cachePolicyName: 'AllowAllCookiesPolicy',
-                comment: 'Cache policy that forwards all cookies',
+                cachePolicyName: "AllowAllCookiesPolicy",
+                comment: "Cache policy that forwards all cookies",
                 defaultTtl: CDK.Duration.seconds(1),
                 minTtl: CDK.Duration.seconds(1),
                 maxTtl: CDK.Duration.seconds(1),
@@ -183,7 +188,7 @@ export class CloudWatchOidcAuth extends Construct {
                 {
                     function: forwardHostHeaderCfFunction,
                     eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
-                }
+                },
             ],
         };
     }

package/dist/lib/utils/source-code.d.ts

@@ -1,2 +1,2 @@
-export declare function getFileContentsWithoutTypes(filePath: string): string;
+export {};
 //# sourceMappingURL=source-code.d.ts.map

package/dist/lib/utils/source-code.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"source-code.d.ts","sourceRoot":"","sources":["../../../src/lib/utils/source-code.ts"],"names":[],"mappings":"AAGA,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAOpE"}
+{"version":3,"file":"source-code.d.ts","sourceRoot":"","sources":["../../../src/lib/utils/source-code.ts"],"names":[],"mappings":""}

package/dist/lib/utils/source-code.js

@@ -1,9 +1 @@
-import ts from "typescript";
-import fs from "fs";
-export function getFileContentsWithoutTypes(filePath) {
-    const source = fs.readFileSync(filePath, "utf8");
-    const result = ts.transpileModule(source, {
-        compilerOptions: { module: ts.ModuleKind.ESNext, target: ts.ScriptTarget.ES2020 }
-    });
-    return result.outputText;
-}
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.1",
+  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.3",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",

package/src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts

@@ -2,9 +2,9 @@
 // @ts-nocheck
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
 
-import crypto from 'crypto';
+import crypto from "crypto";
 // @ts-expect-error -- This library only exists in the CloudFront Functions runtime that this code runs in
-import cf from 'cloudfront';
+import cf from "cloudfront";
 
 //Response when JWT is not valid.
 // const response401 = {
@@ -14,154 +14,148 @@ import cf from 'cloudfront';
 const response401 = {
   statusCode: 302,
   headers: {
-    location: { "value": '/auth/oidc/authorize' },
+    location: { value: "/auth/oidc/authorize" },
   },
-}
+};
 
 // Remember to associate the KVS with your function before calling the const kvsKey = 'jwt.secret'.
 // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-associate.html
-const kvsKey = '__placeholder-for-jwt-secret-key__';
+const kvsKey = "__placeholder-for-jwt-secret-key__";
 // set to true to enable console logging
 const loggingEnabled = true; // false;
 
-
 function jwt_decode(token, key, noVerify, algorithm) {
-    // check token
-    if (!token) {
-        throw new Error('No token supplied');
+  // check token
+  if (!token) {
+    throw new Error("No token supplied");
+  }
+  // check segments
+  const segments = token.split(".");
+  if (segments.length !== 3) {
+    throw new Error("Not enough or too many segments");
+  }
+
+  // All segment should be base64
+  const headerSeg = segments[0];
+  const payloadSeg = segments[1];
+  const signatureSeg = segments[2];
+
+  // base64 decode and parse JSON
+  const payload = JSON.parse(_base64urlDecode(payloadSeg));
+
+  if (!noVerify) {
+    const signingMethod = "sha256";
+    const signingType = "hmac";
+
+    // Verify signature. `sign` will return base64 string.
+    const signingInput = [headerSeg, payloadSeg].join(".");
+
+    if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
+      throw new Error("Signature verification failed");
     }
-    // check segments
-    const segments = token.split('.');
-    if (segments.length !== 3) {
-        throw new Error('Not enough or too many segments');
-    }
-
-    // All segment should be base64
-    const headerSeg = segments[0];
-    const payloadSeg = segments[1];
-    const signatureSeg = segments[2];
-
-    // base64 decode and parse JSON
-    const payload = JSON.parse(_base64urlDecode(payloadSeg));
-
-    if (!noVerify) {
-        const signingMethod = 'sha256';
-        const signingType = 'hmac';
-
-        // Verify signature. `sign` will return base64 string.
-        const signingInput = [headerSeg, payloadSeg].join('.');
 
-        if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
-            throw new Error('Signature verification failed');
-        }
-
-        // Support for nbf and exp claims.
-        // According to the RFC, they should be in seconds.
-        if (payload.nbf && Date.now() < payload.nbf*1000) {
-            throw new Error('Token not yet active');
-        }
+    // Support for nbf and exp claims.
+    // According to the RFC, they should be in seconds.
+    if (payload.nbf && Date.now() < payload.nbf * 1000) {
+      throw new Error("Token not yet active");
+    }
 
-        if (payload.exp && Date.now() > payload.exp*1000) {
-            throw new Error('Token expired');
-        }
+    if (payload.exp && Date.now() > payload.exp * 1000) {
+      throw new Error("Token expired");
     }
+  }
 
-    return payload;
+  return payload;
 }
 
 //Function to ensure a constant time comparison to prevent
 //timing side channels.
 function _constantTimeEquals(a, b) {
-    if (a.length != b.length) {
-        return false;
-    }
+  if (a.length != b.length) {
+    return false;
+  }
 
-    let xor = 0;
-    for (let i = 0; i < a.length; i++) {
-    xor |= (a.charCodeAt(i) ^ b.charCodeAt(i));
-    }
+  let xor = 0;
+  for (let i = 0; i < a.length; i++) {
+    xor |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
 
-    return 0 === xor;
+  return 0 === xor;
 }
 
 function _verify(input, key, method, type, signature) {
-    if(type === "hmac") {
-        return _constantTimeEquals(signature, _sign(input, key, method));
-    }
-    else {
-        throw new Error('Algorithm type not recognized');
-    }
+  if (type === "hmac") {
+    return _constantTimeEquals(signature, _sign(input, key, method));
+  } else {
+    throw new Error("Algorithm type not recognized");
+  }
 }
 
 function _sign(input, key, method) {
-    return crypto.createHmac(method, key).update(input).digest('base64url');
+  return crypto.createHmac(method, key).update(input).digest("base64url");
 }
 
 function _base64urlDecode(str) {
-    return Buffer.from(str, 'base64url')
+  return Buffer.from(str, "base64url");
 }
 
 async function handler(event) {
-    let request = event.request;
-
-    //Secret key used to verify JWT token.
-    //Update with your own key.
-    const secret_key = await getSecret()
-
-    if(!secret_key) {
-        return response401;
-    }
-
-    console.log("request")
-    console.log(request)
-    console.log(request.cookies)
-    console.log(request.cookies["auth-token"])
-    console.log(Object.keys(request.cookies))
-    // console.logObject.keys(request.cookies))
-
-    // If no JWT token, then generate HTTP redirect 401 response.
-    if(!request.cookies["auth-token"]) {
-        log("Error: No JWT in the cookies");
-        return response401;
-    }
-
-    const jwtToken = request.cookies["auth-token"].value;
-
-    try{
-      jwt_decode(jwtToken, secret_key);
-    }
-    catch(e) {
-        log(e);
-        return response401;
-    }
-
-    //Remove the JWT from the query string if valid and return.
-    delete request.querystring.jwt;
-    log("Valid JWT token");
-    return request;
+  const request = event.request;
+
+  //Secret key used to verify JWT token.
+  //Update with your own key.
+  const secret_key = await getSecret();
+
+  if (!secret_key) {
+    return response401;
+  }
+
+  console.log("request");
+  console.log(request);
+  console.log(request.cookies);
+  console.log(request.cookies["auth-token"]);
+  console.log(Object.keys(request.cookies));
+  // console.logObject.keys(request.cookies))
+
+  // If no JWT token, then generate HTTP redirect 401 response.
+  if (!request.cookies["auth-token"]) {
+    log("Error: No JWT in the cookies");
+    return response401;
+  }
+
+  const jwtToken = request.cookies["auth-token"].value;
+
+  try {
+    jwt_decode(jwtToken, secret_key);
+  } catch (e) {
+    log(e);
+    return response401;
+  }
+
+  //Remove the JWT from the query string if valid and return.
+  delete request.querystring.jwt;
+  log("Valid JWT token");
+  return request;
 }
 
-const publicKey =
-`very-secret`
+const publicKey = `very-secret`;
 
 // get secret from key value store
 async function getSecret() {
-//   console.log("auth key is:", publicKey)
-//   return publicKey
-    // initialize cloudfront kv store and get the key value
-    try {
-        const kvsHandle = cf.kvs();
-        return await kvsHandle.get(kvsKey);
-    } catch (err) {
-        log(`Error reading value for key: ${kvsKey}, error: ${err}`);
-        return null;
-    }
-
+  //   console.log("auth key is:", publicKey)
+  //   return publicKey
+  // initialize cloudfront kv store and get the key value
+  try {
+    const kvsHandle = cf.kvs();
+    return await kvsHandle.get(kvsKey);
+  } catch (err) {
+    log(`Error reading value for key: ${kvsKey}, error: ${err}`);
+    return null;
+  }
 }
 
 function log(message) {
-    if (loggingEnabled) {
-        console.log(message);
-    }
+  if (loggingEnabled) {
+    console.log(message);
+  }
 }
-

package/src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts

@@ -1,28 +1,27 @@
 import { AuthHandler, OidcAdapter } from "sst/node/auth";
 import { Issuer } from "openid-client";
-import jwt from "jsonwebtoken"
+import jwt from "jsonwebtoken";
 
-const oidcClientId = process.env.OIDC_CLIENT_ID
+const oidcClientId = process.env.OIDC_CLIENT_ID;
 if (!oidcClientId) {
   throw new Error("OIDC_CLIENT_ID not set");
 }
-const oidcIssuerUrl = process.env.OIDC_ISSUER_URL
+const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
 if (!oidcIssuerUrl) {
   throw new Error("OIDC_ISSUER_URL not set");
 }
-const oidcScope = process.env.OIDC_SCOPE
+const oidcScope = process.env.OIDC_SCOPE;
 if (!oidcScope) {
   throw new Error("OIDC_SCOPE not set");
 }
-const jwtSecret = process.env.JWT_SECRET
+const jwtSecret = process.env.JWT_SECRET;
 if (!jwtSecret) {
   throw new Error("JWT_SECRET not set");
 }
 
-
-
-
-const oidcIssuerConfigUrl = new URL(`${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`);
+const oidcIssuerConfigUrl = new URL(
+  `${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`,
+);
 
 export const handler = convertApiGatewayHandlerToCloudFrontHandler(
   AuthHandler({
@@ -39,19 +38,19 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(
           // Payload to include in the token
           const payload = {
             userID: tokenset.claims().sub,
-          }
+          };
 
           // Options (optional)
           const options = {
-            algorithm: 'HS256',
-            expiresIn: '1h',
+            algorithm: "HS256",
+            expiresIn: "1h",
           } as const;
 
           // Create the token
           const token = jwt.sign(payload, jwtSecret, options);
           const expires = new Date(
             // @ ts-ignore error in GH action
-            Date.now() + (1000 * 60 * 60 * 24 * 7)
+            Date.now() + 1000 * 60 * 60 * 24 * 7,
           );
           return {
             statusCode: 302,
@@ -70,21 +69,21 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(
           //   },
           // });
         },
-      })
+      }),
     },
-  })
-)
+  }),
+);
 
 // @ts-expect-error - testing
 function convertApiGatewayHandlerToCloudFrontHandler(callback) {
   // @ts-expect-error - testing
   return async function (event, context) {
     // Used by AuthHandler to create callback url sent to oidc server
-    event.requestContext.domainName = event.headers['x-forwarded-host']
-    console.log('----', event, context)
+    event.requestContext.domainName = event.headers["x-forwarded-host"];
+    console.log("----", event, context);
     // console.log("event", event)
     // console.log("context", context)
-    const response = await callback(event, context)
+    const response = await callback(event, context);
     // if (response.cookies) {
     //   if (!response.headers) {
     //     response.headers = {}
@@ -93,6 +92,6 @@ function convertApiGatewayHandlerToCloudFrontHandler(callback) {
     // }
     // response.headers.location += "&cake=blar"
     // response.headers.foo = "bar"
-    return response
-  }
+    return response;
+  };
 }

package/src/cdk-constructs/CloudWatchOidcAuth/index.ts

@@ -2,13 +2,14 @@ import { Construct } from "constructs";
 import SecretsManager from "aws-cdk-lib/aws-secretsmanager";
 import CloudFront from "aws-cdk-lib/aws-cloudfront";
 import CDK from "aws-cdk-lib";
-import CdkCustomResources from 'aws-cdk-lib/custom-resources';
-import Lambda from 'aws-cdk-lib/aws-lambda';
-import { getFileContentsWithoutTypes } from "../../lib/utils/source-code.js";
+import CdkCustomResources from "aws-cdk-lib/custom-resources";
+import Lambda from "aws-cdk-lib/aws-lambda";
 import * as SST from "sst/constructs";
-import { Config as SSTInternalConfig } from "sst/config.js"
+import { Config as SSTInternalConfig } from "sst/config.js";
 import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
 import { BaseSiteCdkDistributionProps } from "sst/constructs/BaseSite.js";
+import path from "node:path";
+import fs from "node:fs";
 
 type ConstructScope = ConstructorParameters<typeof Construct>[0];
 type ConstructId = ConstructorParameters<typeof Construct>[1];
@@ -17,7 +18,6 @@ type Mutable<T> = {
   -readonly [P in keyof T]: T[P];
 };
 
-
 type Props = {
   oidcIssuerUrl: string;
   oidcClientId: string;
@@ -38,27 +38,40 @@ export class CloudWatchOidcAuth extends Construct {
     this.id = id;
   }
 
-  addToDistributionDefinition<DistributionProps extends BaseSiteCdkDistributionProps>(
+  addToDistributionDefinition<
+    DistributionProps extends BaseSiteCdkDistributionProps,
+  >(
     scope: ConstructScope,
-    { distributionDefinition, prefix = "/auth" }: { distributionDefinition: Mutable<DistributionProps>, prefix?: string }
+    {
+      distributionDefinition,
+      prefix = "/auth",
+    }: { distributionDefinition: Mutable<DistributionProps>; prefix?: string },
   ) {
-    console.log("------", import.meta.dirname, import.meta.url, import.meta.filename)
+    console.log(
+      "------",
+      import.meta.dirname,
+      import.meta.url,
+      import.meta.filename,
+    );
     const updatedDistributionDefinition = { ...distributionDefinition };
-    const behaviourName = `${prefix.replace(/^\//g, '')}/*`
-    updatedDistributionDefinition.additionalBehaviors = updatedDistributionDefinition.additionalBehaviors
-      ? {...updatedDistributionDefinition.additionalBehaviors}
-      : {};
+    const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+    updatedDistributionDefinition.additionalBehaviors =
+      updatedDistributionDefinition.additionalBehaviors
+        ? { ...updatedDistributionDefinition.additionalBehaviors }
+        : {};
     if (updatedDistributionDefinition.additionalBehaviors[behaviourName]) {
-      throw new Error(`Behavior for prefix ${prefix} already exists in distribution definition`);
+      throw new Error(
+        `Behavior for prefix ${prefix} already exists in distribution definition`,
+      );
     }
 
     const jwtSecret = new SecretsManager.Secret(this, `${this.id}JwtSecret`, {
-      description: 'JWT Signing Secret',
+      description: "JWT Signing Secret",
       generateSecretString: {
         passwordLength: 32,
         excludePunctuation: true,
         includeSpace: false,
-        requireEachIncludedType: true
+        requireEachIncludedType: true,
       },
       // Secret is only used for sessions so it's safe to delete on stack removal
       removalPolicy: CDK.RemovalPolicy.DESTROY,
@@ -67,116 +80,151 @@ export class CloudWatchOidcAuth extends Construct {
     updatedDistributionDefinition.defaultBehavior = {
       ...updatedDistributionDefinition.defaultBehavior,
       functionAssociations: [
-        ...(updatedDistributionDefinition.defaultBehavior?.functionAssociations || []),
-        this.getFunctionAssociation(scope, jwtSecret)
+        ...(updatedDistributionDefinition.defaultBehavior
+          ?.functionAssociations || []),
+        this.getFunctionAssociation(scope, jwtSecret),
       ],
-    }
-    updatedDistributionDefinition.additionalBehaviors[behaviourName] = this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+    };
+    updatedDistributionDefinition.additionalBehaviors[behaviourName] =
+      this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
     return updatedDistributionDefinition;
   }
 
-  private getFunctionAssociation(scope: ConstructScope, jwtSecret: SecretsManager.Secret) : CloudFront.FunctionAssociation {
-    const cfKeyValueStore = new CloudFront.KeyValueStore(scope, `${this.id}CFKeyValueStore`);
+  private getFunctionAssociation(
+    scope: ConstructScope,
+    jwtSecret: SecretsManager.Secret,
+  ): CloudFront.FunctionAssociation {
+    const cfKeyValueStore = new CloudFront.KeyValueStore(
+      scope,
+      `${this.id}CFKeyValueStore`,
+    );
 
     const kvStoreId = cfKeyValueStore.keyValueStoreId; // Your KV store ID
     const key = "jwt-secret";
     const kvsArn = `arn:aws:cloudfront::${CDK.Stack.of(this).account}:key-value-store/${kvStoreId}`;
 
     // Updating the KVM requires a valid ETag to be provided in the IfMatch parameter so we first must fetch the ETag
-    const getEtag = new CdkCustomResources.AwsCustomResource(this, `${this.id}GetKVStoreEtag`, {
-      installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
-      onUpdate: { // Since there's no onCreate, onUpdate will be called for CREATE events
-        service: '@aws-sdk/client-cloudfront-keyvaluestore',
-        action: 'describeKeyValueStore',
-        parameters: { KvsARN: kvsArn },
-        // We include a timestamp in the physicalResourceId to ensure we fetch the latest etag on every update
-        physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${kvStoreId}-etag-${Date.now()}`),
+    const getEtag = new CdkCustomResources.AwsCustomResource(
+      this,
+      `${this.id}GetKVStoreEtag`,
+      {
+        installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
+        onUpdate: {
+          // Since there's no onCreate, onUpdate will be called for CREATE events
+          service: "@aws-sdk/client-cloudfront-keyvaluestore",
+          action: "describeKeyValueStore",
+          parameters: { KvsARN: kvsArn },
+          // We include a timestamp in the physicalResourceId to ensure we fetch the latest etag on every update
+          physicalResourceId: CdkCustomResources.PhysicalResourceId.of(
+            `${kvStoreId}-etag-${Date.now()}`,
+          ),
+        },
+        policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+          resources: [kvsArn],
+        }),
       },
-      policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
-        resources: [kvsArn],
-      }),
-    });
-    const etag = getEtag.getResponseField('ETag');
-
+    );
+    const etag = getEtag.getResponseField("ETag");
 
     // An annoying limitation of CloudFormation is that it won't resolve dynamic references for secrets when
     // used as a parameter to a custom resource. To get around this we manually resolve it with another custom
     // resource. Note this won't result in the secret being exposed in CloudFormation templates but it will
     // be visible in the CloudWatch logs of the custom resource lambda. In our case that is acceptable.
     // https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/341
-    const secretValue = new CdkCustomResources.AwsCustomResource(this, `${this.id}GetSecret`, {
-      // There's no real benefit of fetching the latest sdk our case for the cost of a longer execution time
-      installLatestAwsSdk: false,
-      // Since there's no onCreate, onUpdate will be called for CREATE events
-      onUpdate: {
-        service: '@aws-sdk/client-secrets-manager',
-        action: 'getSecretValue',
-        parameters: {
-          SecretId: jwtSecret.secretArn,
+    const secretValue = new CdkCustomResources.AwsCustomResource(
+      this,
+      `${this.id}GetSecret`,
+      {
+        // There's no real benefit of fetching the latest sdk our case for the cost of a longer execution time
+        installLatestAwsSdk: false,
+        // Since there's no onCreate, onUpdate will be called for CREATE events
+        onUpdate: {
+          service: "@aws-sdk/client-secrets-manager",
+          action: "getSecretValue",
+          parameters: {
+            SecretId: jwtSecret.secretArn,
+          },
+          // We include a timestamp in the physicalResourceId to ensure we fetch the latest secret value on every update
+          physicalResourceId: CdkCustomResources.PhysicalResourceId.of(
+            `${this.id}GetSecret-${Date.now()}`,
+          ),
         },
-        // We include a timestamp in the physicalResourceId to ensure we fetch the latest secret value on every update
-        physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${this.id}GetSecret-${Date.now()}`),
+        policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+          resources: [jwtSecret.secretArn],
+        }),
       },
-      policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
-        resources: [jwtSecret.secretArn],
-      }),
-    });
-
+    );
 
     // Now we can actually update the KVS with the secret value
-    const putKeyValue = new CdkCustomResources.AwsCustomResource(this, `${this.id}PutKeyValue`, {
-      installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
-      onUpdate: { // Since there's no onCreate, onUpdate will be called for CREATE events
-        service: '@aws-sdk/client-cloudfront-keyvaluestore',
-        action: 'putKey',
-        parameters: {
-          KvsARN: kvsArn,
-          Key: key,
-          Value: secretValue.getResponseField('SecretString'),
-          IfMatch: etag,
+    const putKeyValue = new CdkCustomResources.AwsCustomResource(
+      this,
+      `${this.id}PutKeyValue`,
+      {
+        installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
+        onUpdate: {
+          // Since there's no onCreate, onUpdate will be called for CREATE events
+          service: "@aws-sdk/client-cloudfront-keyvaluestore",
+          action: "putKey",
+          parameters: {
+            KvsARN: kvsArn,
+            Key: key,
+            Value: secretValue.getResponseField("SecretString"),
+            IfMatch: etag,
+          },
+          physicalResourceId: CdkCustomResources.PhysicalResourceId.of(
+            `${kvStoreId}-${key}`,
+          ),
         },
-        physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${kvStoreId}-${key}`),
+        policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
+          resources: [kvsArn],
+        }),
       },
-      policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
-        resources: [kvsArn],
-      }),
-    });
+    );
 
     // putKey in the @aws-sdk/client-cloudfront-keyvaluestore package requires @aws-sdk/signature-v4-crt to be imported
     // as well. But AwsCustomResource doesn't give us direct access to the underlying Lambda function so we inject a
     // NODE_OPTIONS env var to import on start. At some point AwsCustomResource will presumably switch to a later node
     // version and we might need to update this to '--import=' instead of '--require='.
-    const fn = putKeyValue.node.findChild('Provider');
+    const fn = putKeyValue.node.findChild("Provider");
     if (!(fn instanceof Lambda.SingletonFunction)) {
-      throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
+      throw new Error(
+        "Could not find the underlying Lambda function of the AwsCustomResource",
+      );
     }
-    fn.addEnvironment('NODE_OPTIONS', '--require=@aws-sdk/signature-v4-crt');
+    fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
 
-    const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}EdgeFunctionAuthCheck`, {
-      code: CloudFront.FunctionCode.fromInline(
-        getFileContentsWithoutTypes("CloudWatchOidcAuth/auth-check.ts")
-          .replace("__placeholder-for-jwt-secret-key__", key)
-      ),
-      runtime: CloudFront.FunctionRuntime.JS_2_0,
-      keyValueStore: cfKeyValueStore
-    });
+    const edgeFuncAuthCheck = new CloudFront.Function(
+      scope,
+      `${this.id}EdgeFunctionAuthCheck`,
+      {
+        code: CloudFront.FunctionCode.fromInline(
+          fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key),
+        ),
+        runtime: CloudFront.FunctionRuntime.JS_2_0,
+        keyValueStore: cfKeyValueStore,
+      },
+    );
 
     return {
       function: edgeFuncAuthCheck,
       eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
-    }
+    };
   }
 
-  private getAuthBehaviorOptions(scope: ConstructScope, jwtSecret: SecretsManager.Secret, prefix: string): CloudFront.BehaviorOptions {
+  private getAuthBehaviorOptions(
+    scope: ConstructScope,
+    jwtSecret: SecretsManager.Secret,
+    prefix: string,
+  ): CloudFront.BehaviorOptions {
     const edgeFuncAuth = new SST.Function(scope, `${this.id}EdgeFunctionAuth`, {
       runtime: "nodejs20.x",
-      handler: "CloudWatchOidcAuth/auth-route.handler",
+      handler: path.join(import.meta.dirname, "auth-route.handler"),
       environment: {
         OIDC_ISSUER_URL: this.oidcIssuerUrl,
         OIDC_CLIENT_ID: this.oidcClientId,
         OIDC_SCOPE: this.oidcScope,
         JWT_SECRET: jwtSecret.secretValue.toString(),
-      }
+      },
     });
 
     // edgeFuncAuth uses SST's AuthHandler construct which is normally run inside a lambda that's
@@ -192,39 +240,49 @@ export class CloudWatchOidcAuth extends Construct {
     const edgeFuncAuthUrl = edgeFuncAuth.addFunctionUrl({
       authType: Lambda.FunctionUrlAuthType.NONE,
     });
-    const forwardHostHeaderCfFunction = new CloudFront.Function(scope, `${this.id}ForwardHostHeaderFunction`, {
-      code: CloudFront.FunctionCode.fromInline(`
+    const forwardHostHeaderCfFunction = new CloudFront.Function(
+      scope,
+      `${this.id}ForwardHostHeaderFunction`,
+      {
+        code: CloudFront.FunctionCode.fromInline(`
         function handler(event) {
           const request = event.request;
           request.headers["x-forwarded-host"] = { value: request.headers.host.value };
           return request;
         }
       `),
-      runtime: CloudFront.FunctionRuntime.JS_2_0,
-    });
+        runtime: CloudFront.FunctionRuntime.JS_2_0,
+      },
+    );
 
     return {
-      origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(edgeFuncAuthUrl.url)),
+      origin: new CloudFrontOrigins.HttpOrigin(
+        CDK.Fn.parseDomainName(edgeFuncAuthUrl.url),
+      ),
       allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
-      cachePolicy: new CloudFront.CachePolicy(scope, `${this.id}AllowAllCookiesPolicy`, {
-        cachePolicyName: 'AllowAllCookiesPolicy',
-        comment: 'Cache policy that forwards all cookies',
-        defaultTtl: CDK.Duration.seconds(1),
-        minTtl: CDK.Duration.seconds(1),
-        maxTtl: CDK.Duration.seconds(1),
-        cookieBehavior: CloudFront.CacheCookieBehavior.all(),
-        headerBehavior: CloudFront.CacheHeaderBehavior.allowList("X-Forwarded-Host"),
-        queryStringBehavior: CloudFront.CacheQueryStringBehavior.all(),
-        enableAcceptEncodingGzip: true,
-        enableAcceptEncodingBrotli: true,
-      }),
+      cachePolicy: new CloudFront.CachePolicy(
+        scope,
+        `${this.id}AllowAllCookiesPolicy`,
+        {
+          cachePolicyName: "AllowAllCookiesPolicy",
+          comment: "Cache policy that forwards all cookies",
+          defaultTtl: CDK.Duration.seconds(1),
+          minTtl: CDK.Duration.seconds(1),
+          maxTtl: CDK.Duration.seconds(1),
+          cookieBehavior: CloudFront.CacheCookieBehavior.all(),
+          headerBehavior:
+            CloudFront.CacheHeaderBehavior.allowList("X-Forwarded-Host"),
+          queryStringBehavior: CloudFront.CacheQueryStringBehavior.all(),
+          enableAcceptEncodingGzip: true,
+          enableAcceptEncodingBrotli: true,
+        },
+      ),
       functionAssociations: [
         {
           function: forwardHostHeaderCfFunction,
           eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
-        }
+        },
       ],
-    }
+    };
   }
-
 }

package/src/lib/utils/source-code.ts

@@ -1,11 +0,0 @@
-import ts from "typescript";
-import fs from "fs";
-
-export function getFileContentsWithoutTypes(filePath: string): string {
-  const source = fs.readFileSync(filePath, "utf8");
-
-  const result = ts.transpileModule(source, {
-    compilerOptions: { module: ts.ModuleKind.ESNext, target: ts.ScriptTarget.ES2020 }
-  });
-  return result.outputText
-}