@infoxchange/make-it-so 2.10.0-internal-testing-vdt-199-add-oidc-auth.6 → 2.10.0-internal-testing-vdt-199-add-oidc-auth.7

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.js

@@ -11,13 +11,9 @@ const redirectResponse = {
     },
 };
 const kvsKey = "__placeholder-for-jwt-secret-key__";
-// set to true to enable console logging
-const loggingEnabled = true;
+// Set to true to enable console logging
+const loggingEnabled = false;
 function jwtDecode(token, key, noVerify) {
-    // check token
-    if (!token) {
-        throw new Error("No token supplied");
-    }
     // check segments
     const segments = token.split(".");
     if (segments.length !== 3) {
@@ -49,8 +45,7 @@ function jwtDecode(token, key, noVerify) {
     }
     return payload;
 }
-//Function to ensure a constant time comparison to prevent
-//timing side channels.
+// Function to ensure a constant time comparison to prevent timing side channels.
 function _constantTimeEquals(a, b) {
     if (a.length != b.length) {
         return false;
@@ -75,22 +70,14 @@ function _sign(input, key, method) {
 function _base64urlDecode(str) {
     return Buffer.from(str, "base64url").toString();
 }
-async function handler(event, context) {
-    console.log("🟢 Auth check event:", event);
-    console.log("🔵 Auth check context:", context);
+async function handler(event) {
     const request = event.request;
     const secret_key = await getSecret();
     if (!secret_key) {
-        return redirectResponse;
+        // It's not possible for us to validate requests without the secret key so we have no choice but to block all requests.
+        throw new Error("Error retrieving JWT secret key");
     }
-    // console.log(request);
-    // console.log(request.cookies);
-    // console.log(request.cookies["auth-token"]);
-    // console.log(Object.keys(request.cookies));
     const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
-    console.log("jwtToken:", jwtToken);
-    // console.log(Object.keys(request.cookies));
-    // If no JWT token, then generate HTTP redirect 401 response.
     if (!jwtToken) {
         log("Error: No JWT in the cookies");
         return redirectResponse;
@@ -102,8 +89,6 @@ async function handler(event, context) {
         log(e);
         return redirectResponse;
     }
-    // //Remove the JWT from the query string if valid and return.
-    // delete request.querystring.jwt;
     log("Valid JWT token");
     return request;
 }
@@ -119,11 +104,20 @@ async function getSecret() {
     }
 }
 const log = function () {
-    if (loggingEnabled) {
-        // @ts-expect-error We can't use spread or rest parameters in CloudFront Functions
-        // eslint-disable-next-line prefer-spread, prefer-rest-params
-        console.log.apply(console, arguments);
-    }
+    if (!loggingEnabled)
+        return;
+    // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+    // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+    let message = arguments[0];
+    if (arguments.length > 1) {
+        const otherArgs = [];
+        for (let i = 1; i < arguments.length; i++) {
+            // eslint-disable-next-line prefer-rest-params
+            otherArgs[i - 1] = arguments[i];
+        }
+        message += " - additional args: " + JSON.stringify(otherArgs);
+    }
+    console.log(message);
 };
 // This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't
 // export handler as an alterative because CloudFront Functions don't support exports.

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAyCnB,CAAC"}
+{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAsCnB,CAAC"}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.js

@@ -24,28 +24,26 @@ export const handler = addRequiredContext(AuthHandler({
             issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
             clientID: oidcClientId,
             scope: oidcScope,
-            onSuccess: async (tokenset) => {
-                console.log("tokenset", tokenset, tokenset.claims());
-                // console.log("Config.jwtSecret:", jwtSecret);
+            onSuccess: async (tokenset, client) => {
+                console.log("🟢", client);
                 // Payload to include in the token
                 const payload = {
                     userID: tokenset.claims().sub,
                 };
-                // Options (optional)
-                const options = {
-                    algorithm: "HS256",
-                    expiresIn: "1h",
-                };
+                const expiresInMs = 1000 * 60 * 60;
                 // Create the token
-                const token = jwt.sign(payload, jwtSecret, options);
-                const expires = new Date(Date.now() + 1000 * 60 * 60 * 24 * 7);
+                const token = jwt.sign(payload, jwtSecret, {
+                    algorithm: "HS256",
+                    expiresIn: expiresInMs / 1000,
+                });
+                const expiryDate = new Date(Date.now() + expiresInMs);
                 return {
                     statusCode: 302,
                     headers: {
                         location: "/",
                     },
                     cookies: [
-                        `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
+                        `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expiryDate}`,
                     ],
                 };
             },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.6",
+  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.7",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",

package/src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts

@@ -1,8 +1,6 @@
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
 // Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function.
 // For example, no external libraries can be used, and the runtime is more limited.
-
-
 import crypto from "crypto";
 import cf from "cloudfront";
 
@@ -15,14 +13,10 @@ const redirectResponse = {
 };
 
 const kvsKey = "__placeholder-for-jwt-secret-key__";
-// set to true to enable console logging
-const loggingEnabled = true;
+// Set to true to enable console logging
+const loggingEnabled = false;
 
 function jwtDecode(token: string, key: string, noVerify?: boolean) {
-  // check token
-  if (!token) {
-    throw new Error("No token supplied");
-  }
   // check segments
   const segments = token.split(".");
   if (segments.length !== 3) {
@@ -64,8 +58,7 @@ function jwtDecode(token: string, key: string, noVerify?: boolean) {
   return payload;
 }
 
-//Function to ensure a constant time comparison to prevent
-//timing side channels.
+// Function to ensure a constant time comparison to prevent timing side channels.
 function _constantTimeEquals(a: string, b: string) {
   if (a.length != b.length) {
     return false;
@@ -95,25 +88,17 @@ function _base64urlDecode(str: string) {
   return Buffer.from(str, "base64url").toString();
 }
 
-async function handler(event: AWSCloudFrontFunction.Event, context: AWSCloudFrontFunction.Context) {
-  console.log("🟢 Auth check event:", event);
-  console.log("🔵 Auth check context:", context);
+async function handler(event: AWSCloudFrontFunction.Event) {
   const request = event.request;
   const secret_key = await getSecret();
 
   if (!secret_key) {
-    return redirectResponse;
+    // It's not possible for us to validate requests without the secret key so we have no choice but to block all requests.
+    throw new Error("Error retrieving JWT secret key");
   }
 
-  // console.log(request);
-  // console.log(request.cookies);
-  // console.log(request.cookies["auth-token"]);
-  // console.log(Object.keys(request.cookies));
   const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
-  console.log("jwtToken:", jwtToken);
-  // console.log(Object.keys(request.cookies));
 
-  // If no JWT token, then generate HTTP redirect 401 response.
   if (!jwtToken) {
     log("Error: No JWT in the cookies");
     return redirectResponse;
@@ -125,8 +110,6 @@ async function handler(event: AWSCloudFrontFunction.Event, context: AWSCloudFron
     return redirectResponse;
   }
 
-  // //Remove the JWT from the query string if valid and return.
-  // delete request.querystring.jwt;
   log("Valid JWT token");
   return request;
 }
@@ -143,11 +126,21 @@ async function getSecret() {
 }
 
 const log: typeof console.log = function () {
-  if (loggingEnabled) {
-    // @ts-expect-error We can't use spread or rest parameters in CloudFront Functions
-    // eslint-disable-next-line prefer-spread, prefer-rest-params
-    console.log.apply(console, arguments);
+  if (!loggingEnabled) return;
+
+  // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+  // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+  let message = arguments[0]
+  if (arguments.length > 1) {
+    const otherArgs = [];
+    for (let i = 1; i < arguments.length; i++) {
+      // eslint-disable-next-line prefer-rest-params
+      otherArgs[i-1] = arguments[i];
+    }
+
+    message += " - additional args: " + JSON.stringify(otherArgs);
   }
+  console.log(message);
 }
 
 // This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't

package/src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts

@@ -30,34 +30,31 @@ export const handler = addRequiredContext(
         issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
         clientID: oidcClientId,
         scope: oidcScope,
-        onSuccess: async (tokenset) => {
-          console.log("tokenset", tokenset, tokenset.claims());
-
-          // console.log("Config.jwtSecret:", jwtSecret);
-
+        onSuccess: async (tokenset, client) => {
+          console.log("🟢", client);
           // Payload to include in the token
           const payload = {
             userID: tokenset.claims().sub,
           };
-
-          // Options (optional)
-          const options = {
-            algorithm: "HS256",
-            expiresIn: "1h",
-          } as const;
+          const expiresInMs = 1000 * 60 * 60;
 
           // Create the token
-          const token = jwt.sign(payload, jwtSecret, options);
-          const expires = new Date(
-            Date.now() + 1000 * 60 * 60 * 24 * 7,
+          const token = jwt.sign(
+            payload,
+            jwtSecret,
+            {
+              algorithm: "HS256",
+              expiresIn: expiresInMs / 1000,
+            }
           );
+          const expiryDate = new Date(Date.now() + expiresInMs);
           return {
             statusCode: 302,
             headers: {
               location: "/",
             },
             cookies: [
-              `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
+              `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expiryDate}`,
             ],
           };
         },