@infoxchange/make-it-so 2.10.0-internal-testing-vdt-199-add-oidc-auth.4 → 2.10.0-internal-testing-vdt-199-add-oidc-auth.6

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts

@@ -1,2 +1,2 @@
-export declare const handler: (event: any, context: any) => Promise<APIGatewayProxyStructuredResultV2>;
+export {};
 //# sourceMappingURL=auth-check.d.ts.map

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts"],"names":[],"mappings":"AA+FA,eAAO,MAAM,OAAO,0EAiClB,CAAA"}
+{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts"],"names":[],"mappings":""}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.js

@@ -1,7 +1,8 @@
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
+// Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function.
+// For example, no external libraries can be used, and the runtime is more limited.
 import crypto from "crypto";
 import cf from "cloudfront";
-import { ApiHandler, useCookie } from "sst/node/api";
 //Response when JWT is not valid.
 const redirectResponse = {
     statusCode: 302,
@@ -74,8 +75,9 @@ function _sign(input, key, method) {
 function _base64urlDecode(str) {
     return Buffer.from(str, "base64url").toString();
 }
-export const handler = ApiHandler(async (event) => {
-    console.log("Auth check event:", event);
+async function handler(event, context) {
+    console.log("🟢 Auth check event:", event);
+    console.log("🔵 Auth check context:", context);
     const request = event.request;
     const secret_key = await getSecret();
     if (!secret_key) {
@@ -85,7 +87,7 @@ export const handler = ApiHandler(async (event) => {
     // console.log(request.cookies);
     // console.log(request.cookies["auth-token"]);
     // console.log(Object.keys(request.cookies));
-    const jwtToken = useCookie("auth-token");
+    const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
     console.log("jwtToken:", jwtToken);
     // console.log(Object.keys(request.cookies));
     // If no JWT token, then generate HTTP redirect 401 response.
@@ -104,7 +106,7 @@ export const handler = ApiHandler(async (event) => {
     // delete request.querystring.jwt;
     log("Valid JWT token");
     return request;
-});
+}
 // Get secret from key value store
 async function getSecret() {
     try {
@@ -116,8 +118,13 @@ async function getSecret() {
         return null;
     }
 }
-const log = (...args) => {
+const log = function () {
     if (loggingEnabled) {
-        console.log(...args);
+        // @ts-expect-error We can't use spread or rest parameters in CloudFront Functions
+        // eslint-disable-next-line prefer-spread, prefer-rest-params
+        console.log.apply(console, arguments);
     }
 };
+// This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't
+// export handler as an alterative because CloudFront Functions don't support exports.
+handler;

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAiDnB,CAAC"}
+{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAyCnB,CAAC"}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.js

@@ -18,7 +18,7 @@ if (!jwtSecret) {
     throw new Error("JWT_SECRET not set");
 }
 const oidcIssuerConfigUrl = new URL(`${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`);
-export const handler = convertApiGatewayHandlerToCloudFrontHandler(AuthHandler({
+export const handler = addRequiredContext(AuthHandler({
     providers: {
         oidc: OidcAdapter({
             issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
@@ -26,7 +26,7 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(AuthHandler({
             scope: oidcScope,
             onSuccess: async (tokenset) => {
                 console.log("tokenset", tokenset, tokenset.claims());
-                console.log("Config.jwtSecret:", jwtSecret);
+                // console.log("Config.jwtSecret:", jwtSecret);
                 // Payload to include in the token
                 const payload = {
                     userID: tokenset.claims().sub,
@@ -38,9 +38,7 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(AuthHandler({
                 };
                 // Create the token
                 const token = jwt.sign(payload, jwtSecret, options);
-                const expires = new Date(
-                // @ ts-ignore error in GH action
-                Date.now() + 1000 * 60 * 60 * 24 * 7);
+                const expires = new Date(Date.now() + 1000 * 60 * 60 * 24 * 7);
                 return {
                     statusCode: 302,
                     headers: {
@@ -50,35 +48,17 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(AuthHandler({
                         `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
                     ],
                 };
-                // return Session.cookie({
-                //   redirect: "https://openidconnect.net/callback",
-                //   type: "public",
-                //   properties: {
-                //     userID: tokenset.claims().sub,
-                //   },
-                // });
             },
         }),
     },
 }));
-// @ts-expect-error - testing
-function convertApiGatewayHandlerToCloudFrontHandler(callback) {
-    // @ts-expect-error - testing
-    return async function (event, context) {
+function addRequiredContext(handler) {
+    return async function (...args) {
+        const [event, context] = args;
         // Used by AuthHandler to create callback url sent to oidc server
         event.requestContext.domainName = event.headers["x-forwarded-host"];
-        console.log("----", event, context);
-        // console.log("event", event)
-        // console.log("context", context)
-        const response = await callback(event, context);
-        // if (response.cookies) {
-        //   if (!response.headers) {
-        //     response.headers = {}
-        //   }
-        //   response.headers["set-cookie"] = response.cookies
-        // }
-        // response.headers.location += "&cake=blar"
-        // response.headers.foo = "bar"
-        return response;
+        console.log("🟢 event", event);
+        console.log("🔵 context", context);
+        return await handler(...args);
     };
 }

package/dist/cdk-constructs/CloudWatchOidcAuth/index.js

@@ -126,7 +126,7 @@ export class CloudWatchOidcAuth extends Construct {
             throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
         }
         fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
-        const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}EdgeFunctionAuthCheck`, {
+        const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
             code: CloudFront.FunctionCode.fromInline(fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key)),
             runtime: CloudFront.FunctionRuntime.JS_2_0,
             keyValueStore: cfKeyValueStore,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.4",
+  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.6",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",

package/src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts

@@ -1,8 +1,10 @@
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
+// Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function.
+// For example, no external libraries can be used, and the runtime is more limited.
+
 
 import crypto from "crypto";
 import cf from "cloudfront";
-import { ApiHandler, useCookie } from "sst/node/api";
 
 //Response when JWT is not valid.
 const redirectResponse = {
@@ -93,8 +95,9 @@ function _base64urlDecode(str: string) {
   return Buffer.from(str, "base64url").toString();
 }
 
-export const handler = ApiHandler(async (event) => {
-  console.log("Auth check event:", event);
+async function handler(event: AWSCloudFrontFunction.Event, context: AWSCloudFrontFunction.Context) {
+  console.log("🟢 Auth check event:", event);
+  console.log("🔵 Auth check context:", context);
   const request = event.request;
   const secret_key = await getSecret();
 
@@ -106,7 +109,7 @@ export const handler = ApiHandler(async (event) => {
   // console.log(request.cookies);
   // console.log(request.cookies["auth-token"]);
   // console.log(Object.keys(request.cookies));
-  const jwtToken = useCookie("auth-token");
+  const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
   console.log("jwtToken:", jwtToken);
   // console.log(Object.keys(request.cookies));
 
@@ -126,7 +129,7 @@ export const handler = ApiHandler(async (event) => {
   // delete request.querystring.jwt;
   log("Valid JWT token");
   return request;
-})
+}
 
 // Get secret from key value store
 async function getSecret() {
@@ -139,8 +142,14 @@ async function getSecret() {
   }
 }
 
-const log: typeof console.log = (...args) => {
+const log: typeof console.log = function () {
   if (loggingEnabled) {
-    console.log(...args);
+    // @ts-expect-error We can't use spread or rest parameters in CloudFront Functions
+    // eslint-disable-next-line prefer-spread, prefer-rest-params
+    console.log.apply(console, arguments);
   }
 }
+
+// This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't
+// export handler as an alterative because CloudFront Functions don't support exports.
+handler;

package/src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts

@@ -23,7 +23,7 @@ const oidcIssuerConfigUrl = new URL(
   `${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`,
 );
 
-export const handler = convertApiGatewayHandlerToCloudFrontHandler(
+export const handler = addRequiredContext(
   AuthHandler({
     providers: {
       oidc: OidcAdapter({
@@ -33,7 +33,7 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(
         onSuccess: async (tokenset) => {
           console.log("tokenset", tokenset, tokenset.claims());
 
-          console.log("Config.jwtSecret:", jwtSecret);
+          // console.log("Config.jwtSecret:", jwtSecret);
 
           // Payload to include in the token
           const payload = {
@@ -49,7 +49,6 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(
           // Create the token
           const token = jwt.sign(payload, jwtSecret, options);
           const expires = new Date(
-            // @ ts-ignore error in GH action
             Date.now() + 1000 * 60 * 60 * 24 * 7,
           );
           return {
@@ -61,37 +60,20 @@ export const handler = convertApiGatewayHandlerToCloudFrontHandler(
               `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
             ],
           };
-          // return Session.cookie({
-          //   redirect: "https://openidconnect.net/callback",
-          //   type: "public",
-          //   properties: {
-          //     userID: tokenset.claims().sub,
-          //   },
-          // });
         },
       }),
     },
   }),
 );
 
-// @ts-expect-error - testing
-function convertApiGatewayHandlerToCloudFrontHandler(callback) {
-  // @ts-expect-error - testing
-  return async function (event, context) {
+function addRequiredContext(handler: ReturnType<typeof AuthHandler>): ReturnType<typeof AuthHandler> {
+  return async function (...args) {
+    const [event, context] = args;
     // Used by AuthHandler to create callback url sent to oidc server
     event.requestContext.domainName = event.headers["x-forwarded-host"];
-    console.log("----", event, context);
-    // console.log("event", event)
-    // console.log("context", context)
-    const response = await callback(event, context);
-    // if (response.cookies) {
-    //   if (!response.headers) {
-    //     response.headers = {}
-    //   }
-    //   response.headers["set-cookie"] = response.cookies
-    // }
-    // response.headers.location += "&cake=blar"
-    // response.headers.foo = "bar"
-    return response;
+    console.log("🟢 event", event)
+    console.log("🔵 context", context)
+
+    return await handler(...args);
   };
 }

package/src/cdk-constructs/CloudWatchOidcAuth/index.ts

@@ -195,7 +195,7 @@ export class CloudWatchOidcAuth extends Construct {
 
     const edgeFuncAuthCheck = new CloudFront.Function(
       scope,
-      `${this.id}EdgeFunctionAuthCheck`,
+      `${this.id}AuthCheckFunction`,
       {
         code: CloudFront.FunctionCode.fromInline(
           fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key),