@infoxchange/make-it-so 2.10.0-internal-testing-vdt-199-add-oidc-auth.5 → 2.10.0-internal-testing-vdt-199-add-oidc-auth.7

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts

@@ -1,10 +1,2 @@
-/// <reference types="node" resolution-mode="require"/>
-export declare const handler: (event: AWSCloudFrontFunction.Event, context: AWSCloudFrontFunction.Context) => Promise<{
-    statusCode: number;
-    headers: {
-        location: {
-            value: string;
-        };
-    };
-} | AWSCloudFrontFunction.Request>;
+export {};
 //# sourceMappingURL=auth-check.d.ts.map

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts"],"names":[],"mappings":";AA8FA,eAAO,MAAM,OAAO,UAAiB,2BAA2B,WAAW,sBAAsB,OAAO;;;;;;;kCAkCvG,CAAA"}
+{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts"],"names":[],"mappings":""}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.js

@@ -1,4 +1,6 @@
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
+// Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function.
+// For example, no external libraries can be used, and the runtime is more limited.
 import crypto from "crypto";
 import cf from "cloudfront";
 //Response when JWT is not valid.
@@ -9,13 +11,9 @@ const redirectResponse = {
     },
 };
 const kvsKey = "__placeholder-for-jwt-secret-key__";
-// set to true to enable console logging
-const loggingEnabled = true;
+// Set to true to enable console logging
+const loggingEnabled = false;
 function jwtDecode(token, key, noVerify) {
-    // check token
-    if (!token) {
-        throw new Error("No token supplied");
-    }
     // check segments
     const segments = token.split(".");
     if (segments.length !== 3) {
@@ -47,8 +45,7 @@ function jwtDecode(token, key, noVerify) {
     }
     return payload;
 }
-//Function to ensure a constant time comparison to prevent
-//timing side channels.
+// Function to ensure a constant time comparison to prevent timing side channels.
 function _constantTimeEquals(a, b) {
     if (a.length != b.length) {
         return false;
@@ -73,22 +70,14 @@ function _sign(input, key, method) {
 function _base64urlDecode(str) {
     return Buffer.from(str, "base64url").toString();
 }
-export const handler = async (event, context) => {
-    console.log("🟢 Auth check event:", event);
-    console.log("🔵 Auth check context:", context);
+async function handler(event) {
     const request = event.request;
     const secret_key = await getSecret();
     if (!secret_key) {
-        return redirectResponse;
+        // It's not possible for us to validate requests without the secret key so we have no choice but to block all requests.
+        throw new Error("Error retrieving JWT secret key");
     }
-    // console.log(request);
-    // console.log(request.cookies);
-    // console.log(request.cookies["auth-token"]);
-    // console.log(Object.keys(request.cookies));
-    const jwtToken = request.cookies["auth-token"]?.value;
-    console.log("jwtToken:", jwtToken);
-    // console.log(Object.keys(request.cookies));
-    // If no JWT token, then generate HTTP redirect 401 response.
+    const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
     if (!jwtToken) {
         log("Error: No JWT in the cookies");
         return redirectResponse;
@@ -100,11 +89,9 @@ export const handler = async (event, context) => {
         log(e);
         return redirectResponse;
     }
-    // //Remove the JWT from the query string if valid and return.
-    // delete request.querystring.jwt;
     log("Valid JWT token");
     return request;
-};
+}
 // Get secret from key value store
 async function getSecret() {
     try {
@@ -116,8 +103,22 @@ async function getSecret() {
         return null;
     }
 }
-const log = (...args) => {
-    if (loggingEnabled) {
-        console.log(...args);
-    }
+const log = function () {
+    if (!loggingEnabled)
+        return;
+    // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+    // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+    let message = arguments[0];
+    if (arguments.length > 1) {
+        const otherArgs = [];
+        for (let i = 1; i < arguments.length; i++) {
+            // eslint-disable-next-line prefer-rest-params
+            otherArgs[i - 1] = arguments[i];
+        }
+        message += " - additional args: " + JSON.stringify(otherArgs);
+    }
+    console.log(message);
 };
+// This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't
+// export handler as an alterative because CloudFront Functions don't support exports.
+handler;

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAyCnB,CAAC"}
+{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAsCnB,CAAC"}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.js

@@ -24,28 +24,26 @@ export const handler = addRequiredContext(AuthHandler({
             issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
             clientID: oidcClientId,
             scope: oidcScope,
-            onSuccess: async (tokenset) => {
-                console.log("tokenset", tokenset, tokenset.claims());
-                // console.log("Config.jwtSecret:", jwtSecret);
+            onSuccess: async (tokenset, client) => {
+                console.log("🟢", client);
                 // Payload to include in the token
                 const payload = {
                     userID: tokenset.claims().sub,
                 };
-                // Options (optional)
-                const options = {
-                    algorithm: "HS256",
-                    expiresIn: "1h",
-                };
+                const expiresInMs = 1000 * 60 * 60;
                 // Create the token
-                const token = jwt.sign(payload, jwtSecret, options);
-                const expires = new Date(Date.now() + 1000 * 60 * 60 * 24 * 7);
+                const token = jwt.sign(payload, jwtSecret, {
+                    algorithm: "HS256",
+                    expiresIn: expiresInMs / 1000,
+                });
+                const expiryDate = new Date(Date.now() + expiresInMs);
                 return {
                     statusCode: 302,
                     headers: {
                         location: "/",
                     },
                     cookies: [
-                        `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
+                        `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expiryDate}`,
                     ],
                 };
             },

package/dist/cdk-constructs/CloudWatchOidcAuth/index.js

@@ -126,7 +126,7 @@ export class CloudWatchOidcAuth extends Construct {
             throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
         }
         fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
-        const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}EdgeFunctionAuthCheck`, {
+        const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
             code: CloudFront.FunctionCode.fromInline(fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key)),
             runtime: CloudFront.FunctionRuntime.JS_2_0,
             keyValueStore: cfKeyValueStore,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.5",
+  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.7",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",

package/src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts

@@ -1,5 +1,6 @@
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
-
+// Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function.
+// For example, no external libraries can be used, and the runtime is more limited.
 import crypto from "crypto";
 import cf from "cloudfront";
 
@@ -12,14 +13,10 @@ const redirectResponse = {
 };
 
 const kvsKey = "__placeholder-for-jwt-secret-key__";
-// set to true to enable console logging
-const loggingEnabled = true;
+// Set to true to enable console logging
+const loggingEnabled = false;
 
 function jwtDecode(token: string, key: string, noVerify?: boolean) {
-  // check token
-  if (!token) {
-    throw new Error("No token supplied");
-  }
   // check segments
   const segments = token.split(".");
   if (segments.length !== 3) {
@@ -61,8 +58,7 @@ function jwtDecode(token: string, key: string, noVerify?: boolean) {
   return payload;
 }
 
-//Function to ensure a constant time comparison to prevent
-//timing side channels.
+// Function to ensure a constant time comparison to prevent timing side channels.
 function _constantTimeEquals(a: string, b: string) {
   if (a.length != b.length) {
     return false;
@@ -92,25 +88,17 @@ function _base64urlDecode(str: string) {
   return Buffer.from(str, "base64url").toString();
 }
 
-export const handler = async (event: AWSCloudFrontFunction.Event, context: AWSCloudFrontFunction.Context) => {
-  console.log("🟢 Auth check event:", event);
-  console.log("🔵 Auth check context:", context);
+async function handler(event: AWSCloudFrontFunction.Event) {
   const request = event.request;
   const secret_key = await getSecret();
 
   if (!secret_key) {
-    return redirectResponse;
+    // It's not possible for us to validate requests without the secret key so we have no choice but to block all requests.
+    throw new Error("Error retrieving JWT secret key");
   }
 
-  // console.log(request);
-  // console.log(request.cookies);
-  // console.log(request.cookies["auth-token"]);
-  // console.log(Object.keys(request.cookies));
-  const jwtToken = request.cookies["auth-token"]?.value;
-  console.log("jwtToken:", jwtToken);
-  // console.log(Object.keys(request.cookies));
+  const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
 
-  // If no JWT token, then generate HTTP redirect 401 response.
   if (!jwtToken) {
     log("Error: No JWT in the cookies");
     return redirectResponse;
@@ -122,8 +110,6 @@ export const handler = async (event: AWSCloudFrontFunction.Event, context: AWSCl
     return redirectResponse;
   }
 
-  // //Remove the JWT from the query string if valid and return.
-  // delete request.querystring.jwt;
   log("Valid JWT token");
   return request;
 }
@@ -139,8 +125,24 @@ async function getSecret() {
   }
 }
 
-const log: typeof console.log = (...args) => {
-  if (loggingEnabled) {
-    console.log(...args);
+const log: typeof console.log = function () {
+  if (!loggingEnabled) return;
+
+  // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+  // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+  let message = arguments[0]
+  if (arguments.length > 1) {
+    const otherArgs = [];
+    for (let i = 1; i < arguments.length; i++) {
+      // eslint-disable-next-line prefer-rest-params
+      otherArgs[i-1] = arguments[i];
+    }
+
+    message += " - additional args: " + JSON.stringify(otherArgs);
   }
+  console.log(message);
 }
+
+// This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't
+// export handler as an alterative because CloudFront Functions don't support exports.
+handler;

package/src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts

@@ -30,34 +30,31 @@ export const handler = addRequiredContext(
         issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
         clientID: oidcClientId,
         scope: oidcScope,
-        onSuccess: async (tokenset) => {
-          console.log("tokenset", tokenset, tokenset.claims());
-
-          // console.log("Config.jwtSecret:", jwtSecret);
-
+        onSuccess: async (tokenset, client) => {
+          console.log("🟢", client);
           // Payload to include in the token
           const payload = {
             userID: tokenset.claims().sub,
           };
-
-          // Options (optional)
-          const options = {
-            algorithm: "HS256",
-            expiresIn: "1h",
-          } as const;
+          const expiresInMs = 1000 * 60 * 60;
 
           // Create the token
-          const token = jwt.sign(payload, jwtSecret, options);
-          const expires = new Date(
-            Date.now() + 1000 * 60 * 60 * 24 * 7,
+          const token = jwt.sign(
+            payload,
+            jwtSecret,
+            {
+              algorithm: "HS256",
+              expiresIn: expiresInMs / 1000,
+            }
           );
+          const expiryDate = new Date(Date.now() + expiresInMs);
           return {
             statusCode: 302,
             headers: {
               location: "/",
             },
             cookies: [
-              `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
+              `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expiryDate}`,
             ],
           };
         },

package/src/cdk-constructs/CloudWatchOidcAuth/index.ts

@@ -195,7 +195,7 @@ export class CloudWatchOidcAuth extends Construct {
 
     const edgeFuncAuthCheck = new CloudFront.Function(
       scope,
-      `${this.id}EdgeFunctionAuthCheck`,
+      `${this.id}AuthCheckFunction`,
       {
         code: CloudFront.FunctionCode.fromInline(
           fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key),