@infoxchange/make-it-so 2.10.0-internal-testing-vdt-199-add-oidc-auth.3 → 2.10.0-internal-testing-vdt-199-add-oidc-auth.4

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts

@@ -1,2 +1,2 @@
-export {};
+export declare const handler: (event: any, context: any) => Promise<APIGatewayProxyStructuredResultV2>;
 //# sourceMappingURL=auth-check.d.ts.map

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts"],"names":[],"mappings":""}
+{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts"],"names":[],"mappings":"AA+FA,eAAO,MAAM,OAAO,0EAiClB,CAAA"}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.js

@@ -1,26 +1,18 @@
-// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-// @ts-nocheck
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
 import crypto from "crypto";
-// @ts-expect-error -- This library only exists in the CloudFront Functions runtime that this code runs in
 import cf from "cloudfront";
+import { ApiHandler, useCookie } from "sst/node/api";
 //Response when JWT is not valid.
-// const response401 = {
-//     statusCode: 401,
-//     statusDescription: 'Unauthorized'
-// };
-const response401 = {
+const redirectResponse = {
     statusCode: 302,
     headers: {
         location: { value: "/auth/oidc/authorize" },
     },
 };
-// Remember to associate the KVS with your function before calling the const kvsKey = 'jwt.secret'.
-// https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-associate.html
 const kvsKey = "__placeholder-for-jwt-secret-key__";
 // set to true to enable console logging
-const loggingEnabled = true; // false;
-function jwt_decode(token, key, noVerify, algorithm) {
+const loggingEnabled = true;
+function jwtDecode(token, key, noVerify) {
     // check token
     if (!token) {
         throw new Error("No token supplied");
@@ -36,22 +28,23 @@ function jwt_decode(token, key, noVerify, algorithm) {
     const signatureSeg = segments[2];
     // base64 decode and parse JSON
     const payload = JSON.parse(_base64urlDecode(payloadSeg));
-    if (!noVerify) {
-        const signingMethod = "sha256";
-        const signingType = "hmac";
-        // Verify signature. `sign` will return base64 string.
-        const signingInput = [headerSeg, payloadSeg].join(".");
-        if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
-            throw new Error("Signature verification failed");
-        }
-        // Support for nbf and exp claims.
-        // According to the RFC, they should be in seconds.
-        if (payload.nbf && Date.now() < payload.nbf * 1000) {
-            throw new Error("Token not yet active");
-        }
-        if (payload.exp && Date.now() > payload.exp * 1000) {
-            throw new Error("Token expired");
-        }
+    if (noVerify) {
+        return payload;
+    }
+    const signingMethod = "sha256";
+    const signingType = "hmac";
+    // Verify signature. `sign` will return base64 string.
+    const signingInput = [headerSeg, payloadSeg].join(".");
+    if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
+        throw new Error("Signature verification failed");
+    }
+    // Support for nbf and exp claims.
+    // According to the RFC, they should be in seconds.
+    if (payload.nbf && Date.now() < payload.nbf * 1000) {
+        throw new Error("Token not yet active");
+    }
+    if (payload.exp && Date.now() > payload.exp * 1000) {
+        throw new Error("Token expired");
     }
     return payload;
 }
@@ -79,46 +72,41 @@ function _sign(input, key, method) {
     return crypto.createHmac(method, key).update(input).digest("base64url");
 }
 function _base64urlDecode(str) {
-    return Buffer.from(str, "base64url");
+    return Buffer.from(str, "base64url").toString();
 }
-async function handler(event) {
+export const handler = ApiHandler(async (event) => {
+    console.log("Auth check event:", event);
     const request = event.request;
-    //Secret key used to verify JWT token.
-    //Update with your own key.
     const secret_key = await getSecret();
     if (!secret_key) {
-        return response401;
-    }
-    console.log("request");
-    console.log(request);
-    console.log(request.cookies);
-    console.log(request.cookies["auth-token"]);
-    console.log(Object.keys(request.cookies));
-    // console.logObject.keys(request.cookies))
+        return redirectResponse;
+    }
+    // console.log(request);
+    // console.log(request.cookies);
+    // console.log(request.cookies["auth-token"]);
+    // console.log(Object.keys(request.cookies));
+    const jwtToken = useCookie("auth-token");
+    console.log("jwtToken:", jwtToken);
+    // console.log(Object.keys(request.cookies));
     // If no JWT token, then generate HTTP redirect 401 response.
-    if (!request.cookies["auth-token"]) {
+    if (!jwtToken) {
         log("Error: No JWT in the cookies");
-        return response401;
+        return redirectResponse;
     }
-    const jwtToken = request.cookies["auth-token"].value;
     try {
-        jwt_decode(jwtToken, secret_key);
+        jwtDecode(jwtToken, secret_key);
     }
     catch (e) {
         log(e);
-        return response401;
+        return redirectResponse;
     }
-    //Remove the JWT from the query string if valid and return.
-    delete request.querystring.jwt;
+    // //Remove the JWT from the query string if valid and return.
+    // delete request.querystring.jwt;
     log("Valid JWT token");
     return request;
-}
-const publicKey = `very-secret`;
-// get secret from key value store
+});
+// Get secret from key value store
 async function getSecret() {
-    //   console.log("auth key is:", publicKey)
-    //   return publicKey
-    // initialize cloudfront kv store and get the key value
     try {
         const kvsHandle = cf.kvs();
         return await kvsHandle.get(kvsKey);
@@ -128,8 +116,8 @@ async function getSecret() {
         return null;
     }
 }
-function log(message) {
+const log = (...args) => {
     if (loggingEnabled) {
-        console.log(message);
+        console.log(...args);
     }
-}
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.3",
+  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.4",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",
@@ -51,6 +51,8 @@
     "sst": "^2.0.0"
   },
   "dependencies": {
+    "@aws-sdk/client-lambda": "^3.920.0",
+    "@types/aws-cloudfront-function": "^1.0.6",
     "jsonwebtoken": "^9.0.2",
     "zod": "^3.24.2"
   }

package/src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts

@@ -1,30 +1,22 @@
-// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-// @ts-nocheck
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
 
 import crypto from "crypto";
-// @ts-expect-error -- This library only exists in the CloudFront Functions runtime that this code runs in
 import cf from "cloudfront";
+import { ApiHandler, useCookie } from "sst/node/api";
 
 //Response when JWT is not valid.
-// const response401 = {
-//     statusCode: 401,
-//     statusDescription: 'Unauthorized'
-// };
-const response401 = {
+const redirectResponse = {
   statusCode: 302,
   headers: {
     location: { value: "/auth/oidc/authorize" },
   },
 };
 
-// Remember to associate the KVS with your function before calling the const kvsKey = 'jwt.secret'.
-// https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-associate.html
 const kvsKey = "__placeholder-for-jwt-secret-key__";
 // set to true to enable console logging
-const loggingEnabled = true; // false;
+const loggingEnabled = true;
 
-function jwt_decode(token, key, noVerify, algorithm) {
+function jwtDecode(token: string, key: string, noVerify?: boolean) {
   // check token
   if (!token) {
     throw new Error("No token supplied");
@@ -43,26 +35,28 @@ function jwt_decode(token, key, noVerify, algorithm) {
   // base64 decode and parse JSON
   const payload = JSON.parse(_base64urlDecode(payloadSeg));
 
-  if (!noVerify) {
-    const signingMethod = "sha256";
-    const signingType = "hmac";
+  if (noVerify) {
+    return payload;
+  }
 
-    // Verify signature. `sign` will return base64 string.
-    const signingInput = [headerSeg, payloadSeg].join(".");
+  const signingMethod = "sha256";
+  const signingType = "hmac";
 
-    if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
-      throw new Error("Signature verification failed");
-    }
+  // Verify signature. `sign` will return base64 string.
+  const signingInput = [headerSeg, payloadSeg].join(".");
 
-    // Support for nbf and exp claims.
-    // According to the RFC, they should be in seconds.
-    if (payload.nbf && Date.now() < payload.nbf * 1000) {
-      throw new Error("Token not yet active");
-    }
+  if (!_verify(signingInput, key, signingMethod, signingType, signatureSeg)) {
+    throw new Error("Signature verification failed");
+  }
 
-    if (payload.exp && Date.now() > payload.exp * 1000) {
-      throw new Error("Token expired");
-    }
+  // Support for nbf and exp claims.
+  // According to the RFC, they should be in seconds.
+  if (payload.nbf && Date.now() < payload.nbf * 1000) {
+    throw new Error("Token not yet active");
+  }
+
+  if (payload.exp && Date.now() > payload.exp * 1000) {
+    throw new Error("Token expired");
   }
 
   return payload;
@@ -70,7 +64,7 @@ function jwt_decode(token, key, noVerify, algorithm) {
 
 //Function to ensure a constant time comparison to prevent
 //timing side channels.
-function _constantTimeEquals(a, b) {
+function _constantTimeEquals(a: string, b: string) {
   if (a.length != b.length) {
     return false;
   }
@@ -83,7 +77,7 @@ function _constantTimeEquals(a, b) {
   return 0 === xor;
 }
 
-function _verify(input, key, method, type, signature) {
+function _verify(input: string, key: string, method: string, type: string, signature: string) {
   if (type === "hmac") {
     return _constantTimeEquals(signature, _sign(input, key, method));
   } else {
@@ -91,60 +85,51 @@ function _verify(input, key, method, type, signature) {
   }
 }
 
-function _sign(input, key, method) {
+function _sign(input: string, key: string, method: string) {
   return crypto.createHmac(method, key).update(input).digest("base64url");
 }
 
-function _base64urlDecode(str) {
-  return Buffer.from(str, "base64url");
+function _base64urlDecode(str: string) {
+  return Buffer.from(str, "base64url").toString();
 }
 
-async function handler(event) {
+export const handler = ApiHandler(async (event) => {
+  console.log("Auth check event:", event);
   const request = event.request;
-
-  //Secret key used to verify JWT token.
-  //Update with your own key.
   const secret_key = await getSecret();
 
   if (!secret_key) {
-    return response401;
+    return redirectResponse;
   }
 
-  console.log("request");
-  console.log(request);
-  console.log(request.cookies);
-  console.log(request.cookies["auth-token"]);
-  console.log(Object.keys(request.cookies));
-  // console.logObject.keys(request.cookies))
+  // console.log(request);
+  // console.log(request.cookies);
+  // console.log(request.cookies["auth-token"]);
+  // console.log(Object.keys(request.cookies));
+  const jwtToken = useCookie("auth-token");
+  console.log("jwtToken:", jwtToken);
+  // console.log(Object.keys(request.cookies));
 
   // If no JWT token, then generate HTTP redirect 401 response.
-  if (!request.cookies["auth-token"]) {
+  if (!jwtToken) {
     log("Error: No JWT in the cookies");
-    return response401;
+    return redirectResponse;
   }
-
-  const jwtToken = request.cookies["auth-token"].value;
-
   try {
-    jwt_decode(jwtToken, secret_key);
+    jwtDecode(jwtToken, secret_key);
   } catch (e) {
     log(e);
-    return response401;
+    return redirectResponse;
   }
 
-  //Remove the JWT from the query string if valid and return.
-  delete request.querystring.jwt;
+  // //Remove the JWT from the query string if valid and return.
+  // delete request.querystring.jwt;
   log("Valid JWT token");
   return request;
-}
-
-const publicKey = `very-secret`;
+})
 
-// get secret from key value store
+// Get secret from key value store
 async function getSecret() {
-  //   console.log("auth key is:", publicKey)
-  //   return publicKey
-  // initialize cloudfront kv store and get the key value
   try {
     const kvsHandle = cf.kvs();
     return await kvsHandle.get(kvsKey);
@@ -154,8 +139,8 @@ async function getSecret() {
   }
 }
 
-function log(message) {
+const log: typeof console.log = (...args) => {
   if (loggingEnabled) {
-    console.log(message);
+    console.log(...args);
   }
 }

package/src/cdk-constructs/CloudWatchOidcAuth/cloudfront.d.ts

@@ -0,0 +1,243 @@
+// NOTE: once this is no longer needed we can remove typeRoots from tsconfig.json as well
+
+// This is a copy of @types/aws-cloudfront-function but with optional kvsId in kvs() function. We can't just modify the
+// kvs type since we can't modify the default export without messing up the rest of the types. Which is why we
+// unfortunately have to duplicate the whole file here.
+// But once https://github.com/DefinitelyTyped/DefinitelyTyped/issues/73959 is sorted we can get rid of this.
+
+declare namespace AWSCloudFrontFunction {
+    interface Event {
+        version: "1.0";
+        context: Context;
+        viewer: Viewer;
+        request: Request;
+        response: Response;
+    }
+
+    interface Context {
+        distributionDomainName: string;
+        distributionId: string;
+        eventType: "viewer-request" | "viewer-response";
+        requestId: string;
+    }
+
+    interface Viewer {
+        ip: string;
+    }
+
+    interface Request {
+        method: string;
+        uri: string;
+        querystring: ValueObject;
+        headers: ValueObject;
+        cookies: ValueObject;
+    }
+
+    interface Response {
+        statusCode: number;
+        statusDescription?: string;
+        headers?: ValueObject;
+        cookies?: ResponseCookie;
+        body?: string | ResponseBody;
+    }
+
+    interface ResponseBody {
+        data: string;
+        encoding: "text" | "base64";
+    }
+
+    interface ValueObject {
+        [name: string]: {
+            value: string;
+            multiValue?: Array<{
+                value: string;
+            }>;
+        };
+    }
+
+    interface ResponseCookie {
+        [name: string]: {
+            value: string;
+            attributes: string;
+            multiValue?: Array<{
+                value: string;
+                attributes: string;
+            }>;
+        };
+    }
+}
+
+declare module "cloudfront" {
+    /**
+     * Retrieves a reference to a CloudFront Key-Value Store (KVS) by its ID.
+     * @param kvsId The identifier of the KVS to use.
+     * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/functions-custom-methods.html
+     */
+    function kvs(kvsId?: string): KVStore;
+
+    interface KVStore {
+        /**
+         * Retrieve a value from the store.
+         * @param key Key to retrieve.
+         * @throws If key does not exist.
+         */
+        get(key: string): Promise<string>;
+        get(key: string, options: { format: "string" }): Promise<string>;
+        get(key: string, options: { format: "bytes" }): Promise<Uint8Array>;
+        get(key: string, options: { format: "json" }): Promise<unknown>;
+
+        /**
+         * Check if the key exists in the store.
+         * @param key Key to check.
+         */
+        exists(key: string): Promise<boolean>;
+
+        /**
+         * Retrieve metadata about the key-value store.
+         */
+        meta(): Promise<{
+            creationDateTime: string;
+            lastUpdatedDateTime: string;
+            keyCount: number;
+        }>;
+    }
+
+    interface OriginAccessControlConfig {
+        enabled: boolean;
+        signingBehavior: "always" | "never" | "no-override";
+        signingProtocol: "sigv4";
+        originType: "s3" | "mediapackagev2" | "mediastore" | "lambda";
+    }
+
+    interface OriginShield {
+        enabled: boolean;
+        region: string;
+    }
+
+    interface Timeouts {
+        /**
+         * Max time (seconds) to wait for a response or next packet. (1–60)
+         */
+        readTimeout?: number;
+
+        /**
+         * Max time (seconds) to keep the connection alive after response. (1–60)
+         */
+        keepAliveTimeout?: number;
+
+        /**
+         * Max time (seconds) to wait for connection establishment. (1–10)
+         */
+        connectionTimeout?: number;
+    }
+
+    interface CustomOriginConfig {
+        /**
+         * Port number of the origin. e.g., 80 or 443
+         */
+        port: number;
+
+        /**
+         * Protocol used to connect. Must be "http" or "https"
+         */
+        protocol: "http" | "https";
+
+        /**
+         * Minimum TLS/SSL version to use for HTTPS connections.
+         */
+        sslProtocols: Array<"SSLv3" | "TLSv1" | "TLSv1.1" | "TLSv1.2">;
+    }
+
+    interface UpdateRequestOriginParams {
+        /**
+         * New origin's domain name. Optional if reusing existing origin's domain.
+         */
+        domainName?: string;
+
+        /**
+         * Path prefix to append when forwarding request to origin.
+         */
+        originPath?: string;
+
+        /**
+         * Override or clear custom headers for the origin request.
+         */
+        customHeaders?: Record<string, string>;
+
+        /**
+         * Number of connection attempts (1–3).
+         */
+        connectionAttempts?: number;
+
+        /**
+         * Origin Shield configuration. Enables shield layer if specified.
+         */
+        originShield?: OriginShield;
+
+        /**
+         * Origin Access Control (OAC) configuration.
+         */
+        originAccessControlConfig?: OriginAccessControlConfig;
+
+        /**
+         * Response and connection timeout configurations.
+         */
+        timeouts?: Timeouts;
+
+        /**
+         * Settings for non-S3 origins or S3 with static website hosting.
+         */
+        customOriginConfig?: CustomOriginConfig;
+    }
+
+    /**
+     * Mutates the current request’s origin.
+     * You can specify a new origin (e.g., S3 or ALB), change custom headers, enable OAC, or enable Origin Shield.
+     * Missing fields will inherit values from the assigned origin.
+     * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#update-request-origin-helper-function
+     */
+    function updateRequestOrigin(params: UpdateRequestOriginParams): void;
+
+    /**
+     * Switches to another origin already defined in the distribution by origin ID.
+     * This is more efficient than defining a new one via `updateRequestOrigin()`.
+     * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#select-request-origin-id-helper-function
+     */
+    function selectRequestOriginById(originId: string): void;
+
+    interface CreateRequestOriginGroupParams {
+        /**
+         * Two origin IDs to form an origin group.
+         * The first is primary; the second is used for failover.
+         */
+        originIds: [string, string];
+
+        /**
+         * Failover selection strategy: default or media-quality-score.
+         */
+        selectionCriteria?: "default" | "media-quality-score";
+
+        /**
+         * List of status codes that trigger failover to the secondary origin.
+         */
+        failoverCriteria: {
+            statusCodes: number[];
+        };
+    }
+
+    /**
+     * Creates a new origin group for failover logic.
+     * The origin group can be referenced later via origin ID.
+     * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#create-request-origin-group-helper-function
+     */
+    function createRequestOriginGroup(params: CreateRequestOriginGroupParams): void;
+
+    const cf: {
+        kvs: typeof kvs;
+        updateRequestOrigin: typeof updateRequestOrigin;
+        selectRequestOriginById: typeof selectRequestOriginById;
+        createRequestOriginGroup: typeof createRequestOriginGroup;
+    };
+
+    export default cf;
+}