npm - @infoxchange/make-it-so - Versions diffs - 2.10.0 → 2.11.0-internal-testing-vdt-199-add-ix-oidc-auth.1 - Mend

@infoxchange/make-it-so 2.10.0 → 2.11.0-internal-testing-vdt-199-add-ix-oidc-auth.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md CHANGED Viewed

@@ -304,7 +304,7 @@ const auth = new CloudFrontOidcAuth(stack, "CloudFrontOidcAuth", {
 });
 // Then you apply it to the a CloudFront backed site when it's created
-const site = new IxStaticSite(stack, "IxStaticSite", {
+new IxStaticSite(stack, "IxStaticSite", {
   path: "path/to/site/files",
   cdk: {
     distribution: auth.addToDistributionDefinition(stack, {
@@ -314,6 +314,29 @@ const site = new IxStaticSite(stack, "IxStaticSite", {
 });
 ```
+<details>
+<summary><strong>ApiGatewayOidcAuth</strong> - Adds OIDC authentication to a API Gateway instance.</summary>
+This is an instance of SST v2's [Auth construct](https://v2.sst.dev/auth) that is preconfigured for OIDC.
+```typescript
+import { ApiGatewayOidcAuth } from "@infoxchange/make-it-so/cdk-constructs";
+// You first create an instance of ApiGatewayOidcAuth
+const auth = new ApiGatewayOidcAuth(stack, "ApiGatewayOidcAuth", {
+  oidcIssuerUrl: "https://your-oidc-server.com/path/",
+  oidcClientId: "your-client-id",
+  oidcScope: "email",
+});
+// Then you attach it to an API instance
+const api = new Api(stack, "api", {});
+auth.attach(stack, {
+  api,
+  prefix: "/auth", // optional
+});
+```
 ## Full Example
 To deploy a Next.js based site you would include a `sst.config.ts` file at the root of repo with contents like this:

package/dist/cdk-constructs/ApiGatewayOidcAuth/auth-route.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+declare module "sst/node/auth" {
+    interface SessionTypes {
+        user: {
+            userID: string;
+        };
+    }
+}
+export declare const handler: (event: any, context: any) => Promise<any>;
+//# sourceMappingURL=auth-route.d.ts.map

package/dist/cdk-constructs/ApiGatewayOidcAuth/auth-route.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/ApiGatewayOidcAuth/auth-route.ts"],"names":[],"mappings":"AAoBA,OAAO,QAAQ,eAAe,CAAC;IAC7B,UAAiB,YAAY;QAC3B,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM,CAAC;SAChB,CAAC;KACH;CACF;AAED,eAAO,MAAM,OAAO,4CAiBlB,CAAC"}

package/dist/cdk-constructs/ApiGatewayOidcAuth/auth-route.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { AuthHandler, OidcAdapter, Session } from "sst/node/auth";
+import { Issuer } from "openid-client";
+const oidcClientId = process.env.OIDC_CLIENT_ID;
+if (!oidcClientId) {
+    throw new Error("OIDC_CLIENT_ID not set");
+}
+const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
+if (!oidcIssuerUrl) {
+    throw new Error("OIDC_ISSUER_URL not set");
+}
+const oidcScope = process.env.OIDC_SCOPE;
+if (!oidcScope) {
+    throw new Error("OIDC_SCOPE not set");
+}
+const oidcIssuerConfigUrl = new URL(`${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`);
+export const handler = AuthHandler({
+    providers: {
+        oidc: OidcAdapter({
+            issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
+            clientID: oidcClientId,
+            scope: oidcScope,
+            onSuccess: async (tokenset) => {
+                return Session.cookie({
+                    redirect: "/",
+                    type: "user",
+                    properties: {
+                        userID: tokenset.claims().sub,
+                    },
+                });
+            },
+        }),
+    },
+});

package/dist/cdk-constructs/ApiGatewayOidcAuth/index.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import * as SST from "sst/constructs";
+type ConstructScope = ConstructorParameters<typeof SST.Auth>[0];
+type ConstructId = ConstructorParameters<typeof SST.Auth>[1];
+type Props = Omit<SST.AuthProps, "authenticator"> & {
+    oidcIssuerUrl: string;
+    oidcClientId: string;
+    oidcScope: string;
+};
+export declare class ApiGatewayOidcAuth extends SST.Auth {
+    constructor(scope: ConstructScope, id: ConstructId, props: Props);
+}
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/ApiGatewayOidcAuth/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/ApiGatewayOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AAGtC,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAChE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAE7D,KAAK,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,eAAe,CAAC,GAAG;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,GAAG,CAAC,IAAI;gBAClC,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;CAajE"}

package/dist/cdk-constructs/ApiGatewayOidcAuth/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+import * as SST from "sst/constructs";
+import path from "node:path";
+export class ApiGatewayOidcAuth extends SST.Auth {
+    constructor(scope, id, props) {
+        super(scope, id, {
+            ...props,
+            authenticator: {
+                handler: path.join(import.meta.dirname, "auth-route.handler"),
+                environment: {
+                    OIDC_ISSUER_URL: props.oidcIssuerUrl,
+                    OIDC_CLIENT_ID: props.oidcClientId,
+                    OIDC_SCOPE: props.oidcScope,
+                },
+            },
+        });
+    }
+}

package/dist/cdk-constructs/CloudFrontOidcAuth/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;~~IAuC5E~~,OAAO,CAAC,sBAAsB;~~IA8H9B~~,OAAO,CAAC,sBAAsB;CA8E/B"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAwC5E,OAAO,CAAC,sBAAsB;IAgI9B,OAAO,CAAC,sBAAsB;CA8E/B"}

package/dist/cdk-constructs/CloudFrontOidcAuth/index.js CHANGED Viewed

@@ -54,6 +54,7 @@ export class CloudFrontOidcAuth extends Construct {
             this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
         return updatedDistributionDefinition;
     }
+    // This deals with the infra required for checking if requests are authenticated and redirecting to the auth route if not
     getFunctionAssociation(scope, jwtSecret) {
         const cfKeyValueStore = new CloudFront.KeyValueStore(scope, `${this.id}CFKeyValueStore`);
         const kvStoreId = cfKeyValueStore.keyValueStoreId; // Your KV store ID
@@ -137,6 +138,8 @@ export class CloudFrontOidcAuth extends Construct {
             eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
         };
     }
+    // This deals with the infra required for handling the OIDC authorisation process for requests that aren't yet
+    // authenticated but want to become authenticated.
     getAuthBehaviorOptions(scope, jwtSecret, prefix) {
         const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
             runtime: "nodejs20.x",

package/dist/cdk-constructs/index.d.ts CHANGED Viewed

@@ -7,4 +7,5 @@ export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
 export * from "./CloudFrontOidcAuth/index.js";
+export * from "./ApiGatewayOidcAuth/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC"}

package/dist/cdk-constructs/index.js CHANGED Viewed

@@ -7,3 +7,4 @@ export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
 export * from "./CloudFrontOidcAuth/index.js";
+export * from "./ApiGatewayOidcAuth/index.js";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.10.0",
+  "version": "2.11.0-internal-testing-vdt-199-add-ix-oidc-auth.1",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",

package/src/cdk-constructs/ApiGatewayOidcAuth/auth-route.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import { AuthHandler, OidcAdapter, Session } from "sst/node/auth";
+import { Issuer } from "openid-client";
+const oidcClientId = process.env.OIDC_CLIENT_ID;
+if (!oidcClientId) {
+  throw new Error("OIDC_CLIENT_ID not set");
+}
+const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
+if (!oidcIssuerUrl) {
+  throw new Error("OIDC_ISSUER_URL not set");
+}
+const oidcScope = process.env.OIDC_SCOPE;
+if (!oidcScope) {
+  throw new Error("OIDC_SCOPE not set");
+}
+const oidcIssuerConfigUrl = new URL(
+  `${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`,
+);
+declare module "sst/node/auth" {
+  export interface SessionTypes {
+    user: {
+      userID: string;
+    };
+  }
+}
+export const handler = AuthHandler({
+  providers: {
+    oidc: OidcAdapter({
+      issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
+      clientID: oidcClientId,
+      scope: oidcScope,
+      onSuccess: async (tokenset) => {
+        return Session.cookie({
+          redirect: "/",
+          type: "user",
+          properties: {
+            userID: tokenset.claims().sub,
+          },
+        });
+      },
+    }),
+  },
+});

package/src/cdk-constructs/ApiGatewayOidcAuth/index.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import * as SST from "sst/constructs";
+import path from "node:path";
+type ConstructScope = ConstructorParameters<typeof SST.Auth>[0];
+type ConstructId = ConstructorParameters<typeof SST.Auth>[1];
+type Props = Omit<SST.AuthProps, "authenticator"> & {
+  oidcIssuerUrl: string;
+  oidcClientId: string;
+  oidcScope: string;
+};
+export class ApiGatewayOidcAuth extends SST.Auth {
+  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
+    super(scope, id, {
+      ...props,
+      authenticator: {
+        handler: path.join(import.meta.dirname, "auth-route.handler"),
+        environment: {
+          OIDC_ISSUER_URL: props.oidcIssuerUrl,
+          OIDC_CLIENT_ID: props.oidcClientId,
+          OIDC_SCOPE: props.oidcScope,
+        },
+      },
+    });
+  }
+}

package/src/cdk-constructs/CloudFrontOidcAuth/index.ts CHANGED Viewed

@@ -84,6 +84,7 @@ export class CloudFrontOidcAuth extends Construct {
     return updatedDistributionDefinition;
   }
+  // This deals with the infra required for checking if requests are authenticated and redirecting to the auth route if not
   private getFunctionAssociation(
     scope: ConstructScope,
     jwtSecret: SecretsManager.Secret,
@@ -210,6 +211,8 @@ export class CloudFrontOidcAuth extends Construct {
     };
   }
+  // This deals with the infra required for handling the OIDC authorisation process for requests that aren't yet
+  // authenticated but want to become authenticated.
   private getAuthBehaviorOptions(
     scope: ConstructScope,
     jwtSecret: SecretsManager.Secret,

package/src/cdk-constructs/index.ts CHANGED Viewed

@@ -7,3 +7,4 @@ export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
 export * from "./CloudFrontOidcAuth/index.js";
+export * from "./ApiGatewayOidcAuth/index.js";