@infoxchange/make-it-so 2.10.0-internal-testing-vdt-199-add-oidc-auth.6 → 2.10.0-internal-testing-vdt-199-add-oidc-auth.8

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-check.js

@@ -11,13 +11,9 @@ const redirectResponse = {
     },
 };
 const kvsKey = "__placeholder-for-jwt-secret-key__";
-// set to true to enable console logging
-const loggingEnabled = true;
+// Set to true to enable console logging
+const loggingEnabled = false;
 function jwtDecode(token, key, noVerify) {
-    // check token
-    if (!token) {
-        throw new Error("No token supplied");
-    }
     // check segments
     const segments = token.split(".");
     if (segments.length !== 3) {
@@ -49,8 +45,7 @@ function jwtDecode(token, key, noVerify) {
     }
     return payload;
 }
-//Function to ensure a constant time comparison to prevent
-//timing side channels.
+// Function to ensure a constant time comparison to prevent timing side channels.
 function _constantTimeEquals(a, b) {
     if (a.length != b.length) {
         return false;
@@ -75,22 +70,14 @@ function _sign(input, key, method) {
 function _base64urlDecode(str) {
     return Buffer.from(str, "base64url").toString();
 }
-async function handler(event, context) {
-    console.log("🟢 Auth check event:", event);
-    console.log("🔵 Auth check context:", context);
+async function handler(event) {
     const request = event.request;
     const secret_key = await getSecret();
     if (!secret_key) {
-        return redirectResponse;
+        // It's not possible for us to validate requests without the secret key so we have no choice but to block all requests.
+        throw new Error("Error retrieving JWT secret key");
     }
-    // console.log(request);
-    // console.log(request.cookies);
-    // console.log(request.cookies["auth-token"]);
-    // console.log(Object.keys(request.cookies));
     const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
-    console.log("jwtToken:", jwtToken);
-    // console.log(Object.keys(request.cookies));
-    // If no JWT token, then generate HTTP redirect 401 response.
     if (!jwtToken) {
         log("Error: No JWT in the cookies");
         return redirectResponse;
@@ -102,8 +89,6 @@ async function handler(event, context) {
         log(e);
         return redirectResponse;
     }
-    // //Remove the JWT from the query string if valid and return.
-    // delete request.querystring.jwt;
     log("Valid JWT token");
     return request;
 }
@@ -119,11 +104,20 @@ async function getSecret() {
     }
 }
 const log = function () {
-    if (loggingEnabled) {
-        // @ts-expect-error We can't use spread or rest parameters in CloudFront Functions
-        // eslint-disable-next-line prefer-spread, prefer-rest-params
-        console.log.apply(console, arguments);
-    }
+    if (!loggingEnabled)
+        return;
+    // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+    // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+    let message = arguments[0];
+    if (arguments.length > 1) {
+        const otherArgs = [];
+        for (let i = 1; i < arguments.length; i++) {
+            // eslint-disable-next-line prefer-rest-params
+            otherArgs[i - 1] = arguments[i];
+        }
+        message += " - additional args: " + JSON.stringify(otherArgs);
+    }
+    console.log(message);
 };
 // This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't
 // export handler as an alterative because CloudFront Functions don't support exports.

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAyCnB,CAAC"}
+{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAsCnB,CAAC"}

package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.js

@@ -24,28 +24,26 @@ export const handler = addRequiredContext(AuthHandler({
             issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
             clientID: oidcClientId,
             scope: oidcScope,
-            onSuccess: async (tokenset) => {
-                console.log("tokenset", tokenset, tokenset.claims());
-                // console.log("Config.jwtSecret:", jwtSecret);
+            onSuccess: async (tokenset, client) => {
+                console.log("🟣", client);
                 // Payload to include in the token
                 const payload = {
                     userID: tokenset.claims().sub,
                 };
-                // Options (optional)
-                const options = {
-                    algorithm: "HS256",
-                    expiresIn: "1h",
-                };
+                const expiresInMs = 1000 * 60 * 60;
                 // Create the token
-                const token = jwt.sign(payload, jwtSecret, options);
-                const expires = new Date(Date.now() + 1000 * 60 * 60 * 24 * 7);
+                const token = jwt.sign(payload, jwtSecret, {
+                    algorithm: "HS256",
+                    expiresIn: expiresInMs / 1000,
+                });
+                const expiryDate = new Date(Date.now() + expiresInMs);
                 return {
                     statusCode: 302,
                     headers: {
                         location: "/",
                     },
                     cookies: [
-                        `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
+                        `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expiryDate}`,
                     ],
                 };
             },

package/dist/cdk-constructs/CloudWatchOidcAuth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IA6C5E,OAAO,CAAC,sBAAsB;IAyH9B,OAAO,CAAC,sBAAsB;CA0E/B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAuC5E,OAAO,CAAC,sBAAsB;IAyH9B,OAAO,CAAC,sBAAsB;CA0E/B"}

package/dist/cdk-constructs/CloudWatchOidcAuth/index.js

@@ -22,7 +22,6 @@ export class CloudWatchOidcAuth extends Construct {
         this.id = id;
     }
     addToDistributionDefinition(scope, { distributionDefinition, prefix = "/auth", }) {
-        console.log("------", import.meta.dirname, import.meta.url, import.meta.filename);
         const updatedDistributionDefinition = { ...distributionDefinition };
         const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
         updatedDistributionDefinition.additionalBehaviors =
@@ -126,18 +125,18 @@ export class CloudWatchOidcAuth extends Construct {
             throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
         }
         fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
-        const edgeFuncAuthCheck = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
+        const authCheckFunction = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
             code: CloudFront.FunctionCode.fromInline(fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key)),
             runtime: CloudFront.FunctionRuntime.JS_2_0,
             keyValueStore: cfKeyValueStore,
         });
         return {
-            function: edgeFuncAuthCheck,
+            function: authCheckFunction,
             eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
         };
     }
     getAuthBehaviorOptions(scope, jwtSecret, prefix) {
-        const edgeFuncAuth = new SST.Function(scope, `${this.id}EdgeFunctionAuth`, {
+        const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
             runtime: "nodejs20.x",
             handler: path.join(import.meta.dirname, "auth-route.handler"),
             environment: {
@@ -147,7 +146,7 @@ export class CloudWatchOidcAuth extends Construct {
                 JWT_SECRET: jwtSecret.secretValue.toString(),
             },
         });
-        // edgeFuncAuth uses SST's AuthHandler construct which is normally run inside a lambda that's
+        // authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
         // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
         // by the Auth construct so we have to set them ourselves here to keep it happy.
         const envVarName = SSTInternalConfig.envFor({
@@ -155,8 +154,8 @@ export class CloudWatchOidcAuth extends Construct {
             id: "id", // It seems like the env var will still be found no matter what this value is
             prop: "prefix",
         });
-        edgeFuncAuth.addEnvironment(envVarName, prefix);
-        const edgeFuncAuthUrl = edgeFuncAuth.addFunctionUrl({
+        authRouteFunction.addEnvironment(envVarName, prefix);
+        const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
             authType: Lambda.FunctionUrlAuthType.NONE,
         });
         const forwardHostHeaderCfFunction = new CloudFront.Function(scope, `${this.id}ForwardHostHeaderFunction`, {
@@ -170,7 +169,7 @@ export class CloudWatchOidcAuth extends Construct {
             runtime: CloudFront.FunctionRuntime.JS_2_0,
         });
         return {
-            origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(edgeFuncAuthUrl.url)),
+            origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(authRouteFunctionUrl.url)),
             allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
             cachePolicy: new CloudFront.CachePolicy(scope, `${this.id}AllowAllCookiesPolicy`, {
                 cachePolicyName: "AllowAllCookiesPolicy",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.6",
+  "version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.8",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",

package/src/cdk-constructs/CloudWatchOidcAuth/auth-check.ts

@@ -1,8 +1,6 @@
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
 // Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function.
 // For example, no external libraries can be used, and the runtime is more limited.
-
-
 import crypto from "crypto";
 import cf from "cloudfront";
 
@@ -15,14 +13,10 @@ const redirectResponse = {
 };
 
 const kvsKey = "__placeholder-for-jwt-secret-key__";
-// set to true to enable console logging
-const loggingEnabled = true;
+// Set to true to enable console logging
+const loggingEnabled = false;
 
 function jwtDecode(token: string, key: string, noVerify?: boolean) {
-  // check token
-  if (!token) {
-    throw new Error("No token supplied");
-  }
   // check segments
   const segments = token.split(".");
   if (segments.length !== 3) {
@@ -64,8 +58,7 @@ function jwtDecode(token: string, key: string, noVerify?: boolean) {
   return payload;
 }
 
-//Function to ensure a constant time comparison to prevent
-//timing side channels.
+// Function to ensure a constant time comparison to prevent timing side channels.
 function _constantTimeEquals(a: string, b: string) {
   if (a.length != b.length) {
     return false;
@@ -95,25 +88,17 @@ function _base64urlDecode(str: string) {
   return Buffer.from(str, "base64url").toString();
 }
 
-async function handler(event: AWSCloudFrontFunction.Event, context: AWSCloudFrontFunction.Context) {
-  console.log("🟢 Auth check event:", event);
-  console.log("🔵 Auth check context:", context);
+async function handler(event: AWSCloudFrontFunction.Event) {
   const request = event.request;
   const secret_key = await getSecret();
 
   if (!secret_key) {
-    return redirectResponse;
+    // It's not possible for us to validate requests without the secret key so we have no choice but to block all requests.
+    throw new Error("Error retrieving JWT secret key");
   }
 
-  // console.log(request);
-  // console.log(request.cookies);
-  // console.log(request.cookies["auth-token"]);
-  // console.log(Object.keys(request.cookies));
   const jwtToken = request.cookies["auth-token"] && request.cookies["auth-token"].value;
-  console.log("jwtToken:", jwtToken);
-  // console.log(Object.keys(request.cookies));
 
-  // If no JWT token, then generate HTTP redirect 401 response.
   if (!jwtToken) {
     log("Error: No JWT in the cookies");
     return redirectResponse;
@@ -125,8 +110,6 @@ async function handler(event: AWSCloudFrontFunction.Event, context: AWSCloudFron
     return redirectResponse;
   }
 
-  // //Remove the JWT from the query string if valid and return.
-  // delete request.querystring.jwt;
   log("Valid JWT token");
   return request;
 }
@@ -143,11 +126,21 @@ async function getSecret() {
 }
 
 const log: typeof console.log = function () {
-  if (loggingEnabled) {
-    // @ts-expect-error We can't use spread or rest parameters in CloudFront Functions
-    // eslint-disable-next-line prefer-spread, prefer-rest-params
-    console.log.apply(console, arguments);
+  if (!loggingEnabled) return;
+
+  // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+  // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+  let message = arguments[0]
+  if (arguments.length > 1) {
+    const otherArgs = [];
+    for (let i = 1; i < arguments.length; i++) {
+      // eslint-disable-next-line prefer-rest-params
+      otherArgs[i-1] = arguments[i];
+    }
+
+    message += " - additional args: " + JSON.stringify(otherArgs);
   }
+  console.log(message);
 }
 
 // This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't

package/src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts

@@ -30,34 +30,31 @@ export const handler = addRequiredContext(
         issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
         clientID: oidcClientId,
         scope: oidcScope,
-        onSuccess: async (tokenset) => {
-          console.log("tokenset", tokenset, tokenset.claims());
-
-          // console.log("Config.jwtSecret:", jwtSecret);
-
+        onSuccess: async (tokenset, client) => {
+          console.log("🟣", client);
           // Payload to include in the token
           const payload = {
             userID: tokenset.claims().sub,
           };
-
-          // Options (optional)
-          const options = {
-            algorithm: "HS256",
-            expiresIn: "1h",
-          } as const;
+          const expiresInMs = 1000 * 60 * 60;
 
           // Create the token
-          const token = jwt.sign(payload, jwtSecret, options);
-          const expires = new Date(
-            Date.now() + 1000 * 60 * 60 * 24 * 7,
+          const token = jwt.sign(
+            payload,
+            jwtSecret,
+            {
+              algorithm: "HS256",
+              expiresIn: expiresInMs / 1000,
+            }
           );
+          const expiryDate = new Date(Date.now() + expiresInMs);
           return {
             statusCode: 302,
             headers: {
               location: "/",
             },
             cookies: [
-              `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expires}`,
+              `auth-token=${token}; HttpOnly; SameSite=None; Secure; Path=/; Expires=${expiryDate}`,
             ],
           };
         },

package/src/cdk-constructs/CloudWatchOidcAuth/index.ts

@@ -47,12 +47,6 @@ export class CloudWatchOidcAuth extends Construct {
       prefix = "/auth",
     }: { distributionDefinition: Mutable<DistributionProps>; prefix?: string },
   ) {
-    console.log(
-      "------",
-      import.meta.dirname,
-      import.meta.url,
-      import.meta.filename,
-    );
     const updatedDistributionDefinition = { ...distributionDefinition };
     const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
     updatedDistributionDefinition.additionalBehaviors =
@@ -193,7 +187,7 @@ export class CloudWatchOidcAuth extends Construct {
     }
     fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
 
-    const edgeFuncAuthCheck = new CloudFront.Function(
+    const authCheckFunction = new CloudFront.Function(
       scope,
       `${this.id}AuthCheckFunction`,
       {
@@ -206,7 +200,7 @@ export class CloudWatchOidcAuth extends Construct {
     );
 
     return {
-      function: edgeFuncAuthCheck,
+      function: authCheckFunction,
       eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
     };
   }
@@ -216,7 +210,7 @@ export class CloudWatchOidcAuth extends Construct {
     jwtSecret: SecretsManager.Secret,
     prefix: string,
   ): CloudFront.BehaviorOptions {
-    const edgeFuncAuth = new SST.Function(scope, `${this.id}EdgeFunctionAuth`, {
+    const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
       runtime: "nodejs20.x",
       handler: path.join(import.meta.dirname, "auth-route.handler"),
       environment: {
@@ -227,7 +221,7 @@ export class CloudWatchOidcAuth extends Construct {
       },
     });
 
-    // edgeFuncAuth uses SST's AuthHandler construct which is normally run inside a lambda that's
+    // authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
     // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
     // by the Auth construct so we have to set them ourselves here to keep it happy.
     const envVarName = SSTInternalConfig.envFor({
@@ -235,9 +229,9 @@ export class CloudWatchOidcAuth extends Construct {
       id: "id", // It seems like the env var will still be found no matter what this value is
       prop: "prefix",
     });
-    edgeFuncAuth.addEnvironment(envVarName, prefix);
+    authRouteFunction.addEnvironment(envVarName, prefix);
 
-    const edgeFuncAuthUrl = edgeFuncAuth.addFunctionUrl({
+    const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
       authType: Lambda.FunctionUrlAuthType.NONE,
     });
     const forwardHostHeaderCfFunction = new CloudFront.Function(
@@ -257,7 +251,7 @@ export class CloudWatchOidcAuth extends Construct {
 
     return {
       origin: new CloudFrontOrigins.HttpOrigin(
-        CDK.Fn.parseDomainName(edgeFuncAuthUrl.url),
+        CDK.Fn.parseDomainName(authRouteFunctionUrl.url),
       ),
       allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
       cachePolicy: new CloudFront.CachePolicy(