@infoxchange/make-it-so 2.10.0-internal-testing-vdt-199-add-oidc-auth.7 → 2.10.0-internal-testing-vdt-199-add-oidc-auth.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cdk-constructs/CloudWatchOidcAuth/auth-route.js +1 -1
- package/dist/cdk-constructs/CloudWatchOidcAuth/index.d.ts.map +1 -1
- package/dist/cdk-constructs/CloudWatchOidcAuth/index.js +7 -8
- package/package.json +1 -1
- package/src/cdk-constructs/CloudWatchOidcAuth/auth-route.ts +1 -1
- package/src/cdk-constructs/CloudWatchOidcAuth/index.ts +7 -13
|
@@ -25,7 +25,7 @@ export const handler = addRequiredContext(AuthHandler({
|
|
|
25
25
|
clientID: oidcClientId,
|
|
26
26
|
scope: oidcScope,
|
|
27
27
|
onSuccess: async (tokenset, client) => {
|
|
28
|
-
console.log("
|
|
28
|
+
console.log("🟣", client);
|
|
29
29
|
// Payload to include in the token
|
|
30
30
|
const payload = {
|
|
31
31
|
userID: tokenset.claims().sub,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudWatchOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAuC5E,OAAO,CAAC,sBAAsB;IAyH9B,OAAO,CAAC,sBAAsB;CA0E/B"}
|
|
@@ -22,7 +22,6 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
22
22
|
this.id = id;
|
|
23
23
|
}
|
|
24
24
|
addToDistributionDefinition(scope, { distributionDefinition, prefix = "/auth", }) {
|
|
25
|
-
console.log("------", import.meta.dirname, import.meta.url, import.meta.filename);
|
|
26
25
|
const updatedDistributionDefinition = { ...distributionDefinition };
|
|
27
26
|
const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
|
|
28
27
|
updatedDistributionDefinition.additionalBehaviors =
|
|
@@ -126,18 +125,18 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
126
125
|
throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
|
|
127
126
|
}
|
|
128
127
|
fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
|
|
129
|
-
const
|
|
128
|
+
const authCheckFunction = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
|
|
130
129
|
code: CloudFront.FunctionCode.fromInline(fs.readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8").replace("__placeholder-for-jwt-secret-key__", key)),
|
|
131
130
|
runtime: CloudFront.FunctionRuntime.JS_2_0,
|
|
132
131
|
keyValueStore: cfKeyValueStore,
|
|
133
132
|
});
|
|
134
133
|
return {
|
|
135
|
-
function:
|
|
134
|
+
function: authCheckFunction,
|
|
136
135
|
eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
|
|
137
136
|
};
|
|
138
137
|
}
|
|
139
138
|
getAuthBehaviorOptions(scope, jwtSecret, prefix) {
|
|
140
|
-
const
|
|
139
|
+
const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
|
|
141
140
|
runtime: "nodejs20.x",
|
|
142
141
|
handler: path.join(import.meta.dirname, "auth-route.handler"),
|
|
143
142
|
environment: {
|
|
@@ -147,7 +146,7 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
147
146
|
JWT_SECRET: jwtSecret.secretValue.toString(),
|
|
148
147
|
},
|
|
149
148
|
});
|
|
150
|
-
//
|
|
149
|
+
// authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
|
|
151
150
|
// created by SST's Auth construct. AuthHandler expects certain environment variables to be set
|
|
152
151
|
// by the Auth construct so we have to set them ourselves here to keep it happy.
|
|
153
152
|
const envVarName = SSTInternalConfig.envFor({
|
|
@@ -155,8 +154,8 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
155
154
|
id: "id", // It seems like the env var will still be found no matter what this value is
|
|
156
155
|
prop: "prefix",
|
|
157
156
|
});
|
|
158
|
-
|
|
159
|
-
const
|
|
157
|
+
authRouteFunction.addEnvironment(envVarName, prefix);
|
|
158
|
+
const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
|
|
160
159
|
authType: Lambda.FunctionUrlAuthType.NONE,
|
|
161
160
|
});
|
|
162
161
|
const forwardHostHeaderCfFunction = new CloudFront.Function(scope, `${this.id}ForwardHostHeaderFunction`, {
|
|
@@ -170,7 +169,7 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
170
169
|
runtime: CloudFront.FunctionRuntime.JS_2_0,
|
|
171
170
|
});
|
|
172
171
|
return {
|
|
173
|
-
origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(
|
|
172
|
+
origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(authRouteFunctionUrl.url)),
|
|
174
173
|
allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
|
|
175
174
|
cachePolicy: new CloudFront.CachePolicy(scope, `${this.id}AllowAllCookiesPolicy`, {
|
|
176
175
|
cachePolicyName: "AllowAllCookiesPolicy",
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@infoxchange/make-it-so",
|
|
3
|
-
"version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.
|
|
3
|
+
"version": "2.10.0-internal-testing-vdt-199-add-oidc-auth.8",
|
|
4
4
|
"description": "Makes deploying services to IX infra easy",
|
|
5
5
|
"repository": "github:infoxchange/make-it-so",
|
|
6
6
|
"type": "module",
|
|
@@ -31,7 +31,7 @@ export const handler = addRequiredContext(
|
|
|
31
31
|
clientID: oidcClientId,
|
|
32
32
|
scope: oidcScope,
|
|
33
33
|
onSuccess: async (tokenset, client) => {
|
|
34
|
-
console.log("
|
|
34
|
+
console.log("🟣", client);
|
|
35
35
|
// Payload to include in the token
|
|
36
36
|
const payload = {
|
|
37
37
|
userID: tokenset.claims().sub,
|
|
@@ -47,12 +47,6 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
47
47
|
prefix = "/auth",
|
|
48
48
|
}: { distributionDefinition: Mutable<DistributionProps>; prefix?: string },
|
|
49
49
|
) {
|
|
50
|
-
console.log(
|
|
51
|
-
"------",
|
|
52
|
-
import.meta.dirname,
|
|
53
|
-
import.meta.url,
|
|
54
|
-
import.meta.filename,
|
|
55
|
-
);
|
|
56
50
|
const updatedDistributionDefinition = { ...distributionDefinition };
|
|
57
51
|
const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
|
|
58
52
|
updatedDistributionDefinition.additionalBehaviors =
|
|
@@ -193,7 +187,7 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
193
187
|
}
|
|
194
188
|
fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
|
|
195
189
|
|
|
196
|
-
const
|
|
190
|
+
const authCheckFunction = new CloudFront.Function(
|
|
197
191
|
scope,
|
|
198
192
|
`${this.id}AuthCheckFunction`,
|
|
199
193
|
{
|
|
@@ -206,7 +200,7 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
206
200
|
);
|
|
207
201
|
|
|
208
202
|
return {
|
|
209
|
-
function:
|
|
203
|
+
function: authCheckFunction,
|
|
210
204
|
eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
|
|
211
205
|
};
|
|
212
206
|
}
|
|
@@ -216,7 +210,7 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
216
210
|
jwtSecret: SecretsManager.Secret,
|
|
217
211
|
prefix: string,
|
|
218
212
|
): CloudFront.BehaviorOptions {
|
|
219
|
-
const
|
|
213
|
+
const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
|
|
220
214
|
runtime: "nodejs20.x",
|
|
221
215
|
handler: path.join(import.meta.dirname, "auth-route.handler"),
|
|
222
216
|
environment: {
|
|
@@ -227,7 +221,7 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
227
221
|
},
|
|
228
222
|
});
|
|
229
223
|
|
|
230
|
-
//
|
|
224
|
+
// authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
|
|
231
225
|
// created by SST's Auth construct. AuthHandler expects certain environment variables to be set
|
|
232
226
|
// by the Auth construct so we have to set them ourselves here to keep it happy.
|
|
233
227
|
const envVarName = SSTInternalConfig.envFor({
|
|
@@ -235,9 +229,9 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
235
229
|
id: "id", // It seems like the env var will still be found no matter what this value is
|
|
236
230
|
prop: "prefix",
|
|
237
231
|
});
|
|
238
|
-
|
|
232
|
+
authRouteFunction.addEnvironment(envVarName, prefix);
|
|
239
233
|
|
|
240
|
-
const
|
|
234
|
+
const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
|
|
241
235
|
authType: Lambda.FunctionUrlAuthType.NONE,
|
|
242
236
|
});
|
|
243
237
|
const forwardHostHeaderCfFunction = new CloudFront.Function(
|
|
@@ -257,7 +251,7 @@ export class CloudWatchOidcAuth extends Construct {
|
|
|
257
251
|
|
|
258
252
|
return {
|
|
259
253
|
origin: new CloudFrontOrigins.HttpOrigin(
|
|
260
|
-
CDK.Fn.parseDomainName(
|
|
254
|
+
CDK.Fn.parseDomainName(authRouteFunctionUrl.url),
|
|
261
255
|
),
|
|
262
256
|
allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
|
|
263
257
|
cachePolicy: new CloudFront.CachePolicy(
|