@infoxchange/make-it-so 2.11.0-internal-testing-vdt-199-add-auth-token-verify-function.4 → 2.11.0-internal-testing-vdt-199-add-auth-token-verify-function-2.2

package/dist/cdk-constructs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC"}

package/dist/cdk-constructs/index.js

@@ -6,4 +6,4 @@ export * from "./IxStaticSite.js";
 export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
-export * from "./CloudFrontOidcAuth/index.js";
+export * from "./SiteOidcAuth/index.js";

package/dist/lib/site/support.d.ts

@@ -1,12 +1,22 @@
 import { Construct } from "constructs";
 import { NextjsSite, NextjsSiteProps, Stack, StaticSite, StaticSiteProps } from "sst/constructs";
 import { type DistributionDomainProps } from "sst/constructs/Distribution.js";
+import { type AddToSiteProps as SiteOidcAuthAddToSiteProps } from "../../cdk-constructs/SiteOidcAuth/index.js";
+type SharedExtendedSiteProps = {
+    customDomain?: string | ExtendedCustomDomains;
+    auth?: {
+        oidc: {
+            issuerUrl: string;
+            clientId: string;
+            scope: string;
+        };
+    } & SiteOidcAuthAddToSiteProps;
+};
 export type ExtendedCustomDomains = DistributionDomainProps & {
     isIxManagedDomain?: boolean;
     additionalDomainAliases?: string[];
 };
-export type ExtendedNextjsSiteProps = Omit<NextjsSiteProps, "customDomain" | "environment"> & {
-    customDomain?: string | ExtendedCustomDomains;
+export type ExtendedNextjsSiteProps = Omit<NextjsSiteProps, "customDomain" | "environment"> & SharedExtendedSiteProps & {
     /**
      * An object with the key being the environment variable name. The value can either be the environment variable value
      * as a string or as an object with `buildtime` and/or `runtime` properties where the values of `buildtime` and
@@ -31,9 +41,7 @@ export type ExtendedNextjsSiteProps = Omit<NextjsSiteProps, "customDomain" | "en
         runtime?: string;
     }>;
 };
-export type ExtendedStaticSiteProps = Omit<StaticSiteProps, "customDomain"> & {
-    customDomain?: string | ExtendedCustomDomains;
-};
+export type ExtendedStaticSiteProps = Omit<StaticSiteProps, "customDomain"> & SharedExtendedSiteProps;
 export declare function setupCustomDomain<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(scope: Construct, id: string, props: Readonly<Props>): Props;
 export declare function setupCertificate<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(scope: Construct, id: string, props: Readonly<Props>): Props;
 export declare function setupDomainAliasRedirect<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(scope: Construct, id: string, props: Readonly<Props>): Props;
@@ -58,4 +66,6 @@ export declare function getPrimaryOrigin<Instance extends NextjsSite | StaticSit
 export declare function getPrimaryCustomDomain<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(props: Readonly<Props>): string | null;
 export declare function getAliasDomain<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(props: Readonly<Props>): string | null;
 export declare function getAlternativeDomains<Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps>(props: Readonly<Props>): string[];
+export declare function processAuthProps<SiteType extends "StaticSite" | "SsrSite", Props extends SiteType extends "StaticSite" ? ExtendedStaticSiteProps : ExtendedNextjsSiteProps>(scope: Construct, id: string, siteType: SiteType, props: Readonly<Props>): Props;
+export {};
 //# sourceMappingURL=support.d.ts.map

package/dist/lib/site/support.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"support.d.ts","sourceRoot":"","sources":["../../../src/lib/site/support.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EACL,UAAU,EACV,eAAe,EACf,KAAK,EACL,UAAU,EACV,eAAe,EAChB,MAAM,gBAAgB,CAAC;AAQxB,OAAO,EAAE,KAAK,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAG9E,MAAM,MAAM,qBAAqB,GAAG,uBAAuB,GAAG;IAC5D,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC,CAAC;AACF,MAAM,MAAM,uBAAuB,GAAG,IAAI,CACxC,eAAe,EACf,cAAc,GAAG,aAAa,CAC/B,GAAG;IACF,YAAY,CAAC,EAAE,MAAM,GAAG,qBAAqB,CAAC;IAC9C;;;;;;;;;;;;;;;;;;OAkBG;IACH,WAAW,CAAC,EAAE,MAAM,CAClB,MAAM,EACN,MAAM,GAAG;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAClD,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG,IAAI,CAAC,eAAe,EAAE,cAAc,CAAC,GAAG;IAC5E,YAAY,CAAC,EAAE,MAAM,GAAG,qBAAqB,CAAC;CAC/C,CAAC;AAEF,wBAAgB,iBAAiB,CAC/B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAiB7D;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAyB7D;AAED,wBAAgB,wBAAwB,CACtC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CA2B7D;AAED,wBAAgB,eAAe,CAAC,KAAK,SAAS,uBAAuB,EACnE,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,KAAK,CAwCP;AAED;;;GAGG;AACH,wBAAgB,oCAAoC,CAClD,KAAK,SAAS,uBAAuB,EACrC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAiE7D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,SAAS,uBAAuB,EACrC,WAAW,GAAG,IAAI,CAAC,KAAK,EAAE,aAAa,CAAC,GAAG;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC,EACD,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,WAAW,CASrC;AAED,wBAAgB,mBAAmB,CAAC,KAAK,SAAS,uBAAuB,EACvE,KAAK,EAAE,SAAS,GAAG,KAAK,EACxB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,KAAK,CAeP;AAED,wBAAgB,eAAe,CAC7B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAE/D,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,IAAI,CAmBN;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE,CAWlC;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAM3D;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAG3D;AAED,wBAAgB,sBAAsB,CACpC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAOvC;AAED,wBAAgB,cAAc,CAC5B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAKvC;AAED,wBAAgB,qBAAqB,CACnC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE,CAKlC"}
+{"version":3,"file":"support.d.ts","sourceRoot":"","sources":["../../../src/lib/site/support.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EACL,UAAU,EACV,eAAe,EACf,KAAK,EACL,UAAU,EACV,eAAe,EAChB,MAAM,gBAAgB,CAAC;AAQxB,OAAO,EAAE,KAAK,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAE9E,OAAO,EAEL,KAAK,cAAc,IAAI,0BAA0B,EAClD,MAAM,4CAA4C,CAAC;AAEpD,KAAK,uBAAuB,GAAG;IAC7B,YAAY,CAAC,EAAE,MAAM,GAAG,qBAAqB,CAAC;IAC9C,IAAI,CAAC,EAAE;QACL,IAAI,EAAE;YACJ,SAAS,EAAE,MAAM,CAAC;YAClB,QAAQ,EAAE,MAAM,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;SACf,CAAC;KACH,GAAG,0BAA0B,CAAC;CAChC,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG,uBAAuB,GAAG;IAC5D,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC,CAAC;AACF,MAAM,MAAM,uBAAuB,GAAG,IAAI,CACxC,eAAe,EACf,cAAc,GAAG,aAAa,CAC/B,GACC,uBAAuB,GAAG;IACxB;;;;;;;;;;;;;;;;;;OAkBG;IACH,WAAW,CAAC,EAAE,MAAM,CAClB,MAAM,EACN,MAAM,GAAG;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAClD,CAAC;CACH,CAAC;AAEJ,MAAM,MAAM,uBAAuB,GAAG,IAAI,CAAC,eAAe,EAAE,cAAc,CAAC,GACzE,uBAAuB,CAAC;AAE1B,wBAAgB,iBAAiB,CAC/B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAiB7D;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAyB7D;AAED,wBAAgB,wBAAwB,CACtC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CA2B7D;AAED,wBAAgB,eAAe,CAAC,KAAK,SAAS,uBAAuB,EACnE,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,KAAK,CAwCP;AAED;;;GAGG;AACH,wBAAgB,oCAAoC,CAClD,KAAK,SAAS,uBAAuB,EACrC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,KAAK,CAiE7D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,SAAS,uBAAuB,EACrC,WAAW,GAAG,IAAI,CAAC,KAAK,EAAE,aAAa,CAAC,GAAG;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC,EACD,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,WAAW,CASrC;AAED,wBAAgB,mBAAmB,CAAC,KAAK,SAAS,uBAAuB,EACvE,KAAK,EAAE,SAAS,GAAG,KAAK,EACxB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,KAAK,CAeP;AAED,wBAAgB,eAAe,CAC7B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAE/D,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,IAAI,CAmBN;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE,CAWlC;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAM3D;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,UAAU,GAAG,UAAU,EACxC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAG3D;AAED,wBAAgB,sBAAsB,CACpC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAOvC;AAED,wBAAgB,cAAc,CAC5B,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,GAAG,IAAI,CAKvC;AAED,wBAAgB,qBAAqB,CACnC,KAAK,SAAS,uBAAuB,GAAG,uBAAuB,EAC/D,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,MAAM,EAAE,CAKlC;AAED,wBAAgB,gBAAgB,CAC9B,QAAQ,SAAS,YAAY,GAAG,SAAS,EACzC,KAAK,SAAS,QAAQ,SAAS,YAAY,GACvC,uBAAuB,GACvB,uBAAuB,EAE3B,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,GACrB,KAAK,CAyBP"}

package/dist/lib/site/support.js

@@ -5,6 +5,7 @@ import { IxVpcDetails } from "../../cdk-constructs/IxVpcDetails.js";
 import { IxDnsRecord } from "../../cdk-constructs/IxDnsRecord.js";
 import { CloudFrontTarget } from "aws-cdk-lib/aws-route53-targets";
 import { convertToBase62Hash } from "../utils/hash.js";
+import { SiteOidcAuth, } from "../../cdk-constructs/SiteOidcAuth/index.js";
 export function setupCustomDomain(scope, id, props) {
     let updatedProps = props;
     // Default to using domains names passed in by the pipeline as the custom domain
@@ -241,3 +242,21 @@ export function getAlternativeDomains(props) {
     }
     return [];
 }
+export function processAuthProps(scope, id, siteType, props) {
+    if (!props.auth)
+        return props;
+    const { oidc, ...otherAuthProps } = props.auth;
+    const auth = new SiteOidcAuth(scope, `${id}-SiteOidcAuth`, {
+        oidcIssuerUrl: oidc.issuerUrl,
+        oidcClientId: oidc.clientId,
+        oidcScope: oidc.scope,
+    });
+    if (siteType === "StaticSite") {
+        return auth.addToStaticSiteProps(scope, props, otherAuthProps);
+    }
+    else if (siteType === "SsrSite") {
+        return auth.addToSsrSiteProps(scope, props, otherAuthProps);
+    }
+    siteType;
+    throw new Error(`Unsupported site type ${siteType} when processing auth prop.`);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.11.0-internal-testing-vdt-199-add-auth-token-verify-function.4",
+  "version": "2.11.0-internal-testing-vdt-199-add-auth-token-verify-function-2.2",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",

package/src/cdk-constructs/IxNextjsSite.ts

@@ -16,6 +16,7 @@ import {
   setupDefaultEnvVars,
   applyConditionalEnvironmentVariables,
   parentCompatibleSsrProps,
+  processAuthProps,
 } from "../lib/site/support.js";
 
 type ConstructScope = ConstructorParameters<typeof NextjsSite>[0];
@@ -34,6 +35,7 @@ export class IxNextjsSite extends NextjsSite {
       props = setupCertificate(scope, id, props);
       props = setupDomainAliasRedirect(scope, id, props);
     }
+    props = processAuthProps(scope, id, "SsrSite", props);
     props = setupDefaultEnvVars(scope, id, props);
     props = applyConditionalEnvironmentVariables(scope, id, props);
 

package/src/cdk-constructs/IxStaticSite.ts

@@ -8,6 +8,7 @@ import {
   getPrimaryCustomDomain,
   getPrimaryDomain,
   getPrimaryOrigin,
+  processAuthProps,
   setupCertificate,
   setupCustomDomain,
   setupDnsRecords,
@@ -32,6 +33,7 @@ export class IxStaticSite extends StaticSite {
       props = setupCertificate(scope, id, props);
       props = setupDomainAliasRedirect(scope, id, props);
     }
+    props = processAuthProps(scope, id, "StaticSite", props);
 
     super(scope, id, props);
     this.propsExtended = props;

package/src/cdk-constructs/{CloudFrontOidcAuth/auth-check.ts → SiteOidcAuth/auth-check-handler-body.ts}

@@ -1,12 +1,38 @@
 // Based off: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_kvs_jwt_verify_section.html
-// Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function.
-// For example, no external libraries can be used, and the runtime is more limited.
-import crypto from "crypto";
-import cf from "cloudfront";
+// Note that as a CloudFront Function, this code has limitations compared to a Lambda@Edge function. For example, no
+// external libraries can be used, and the runtime is more limited. Because SST v2's SsrSite construct uses JS v1.0
+// runtime for CloudFront Functions, this code must also be compatible with that runtime. Also this is used in the body
+// of a function where the variables event and request are already defined.
 
-const kvsKey = "__placeholder-for-jwt-secret-key__";
+declare const request: AWSCloudFrontFunction.Request;
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires -- v1 runtime for CloudFront Functions do not support import statements
+const crypto: typeof import("crypto") = require("crypto");
+
+const jwtSecret = "__placeholder-for-jwt-secret__";
 const authRoutePrefix = "__placeholder-for-auth-route-prefix__";
 
+// Set to true to enable console logging
+const loggingEnabled = false;
+
+const log: typeof console.log = function () {
+  if (!loggingEnabled) return;
+
+  // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
+  // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
+  let message = arguments[0];
+  if (arguments.length > 1) {
+    const otherArgs = [];
+    for (let i = 1; i < arguments.length; i++) {
+      // eslint-disable-next-line prefer-rest-params
+      otherArgs[i - 1] = arguments[i];
+    }
+
+    message += " - additional args: " + JSON.stringify(otherArgs);
+  }
+  console.log(message);
+};
+
 //Response when JWT is not valid.
 const redirectResponse = {
   statusCode: 302,
@@ -15,9 +41,6 @@ const redirectResponse = {
   },
 };
 
-// Set to true to enable console logging
-const loggingEnabled = false;
-
 function jwtDecode(token: string, key: string, noVerify?: boolean) {
   // check segments
   const segments = token.split(".");
@@ -96,62 +119,20 @@ function _base64urlDecode(str: string) {
   return Buffer.from(str, "base64url").toString();
 }
 
-async function handler(event: AWSCloudFrontFunction.Event) {
-  const request = event.request;
-  const secret_key = await getSecret();
+const jwtToken =
+  request.cookies["auth-token"] && request.cookies["auth-token"].value;
 
-  if (!secret_key) {
-    // It's not possible for us to validate requests without the secret key so we have no choice but to block all requests.
-    throw new Error("Error retrieving JWT secret key");
-  }
-
-  const jwtToken =
-    request.cookies["auth-token"] && request.cookies["auth-token"].value;
-
-  if (!jwtToken) {
-    log("Error: No JWT in the cookies");
-    return redirectResponse;
-  }
-  try {
-    jwtDecode(jwtToken, secret_key);
-  } catch (e) {
-    log(e);
-    return redirectResponse;
-  }
-
-  log("Valid JWT token");
-  return request;
+if (!jwtToken) {
+  log("Error: No JWT in the cookies");
+  // @ts-expect-error -- This code is added to a function body so we can use return here but typescript doesn't know that.
+  return redirectResponse;
 }
-
-// Get secret from key value store
-async function getSecret() {
-  try {
-    const kvsHandle = cf.kvs();
-    return await kvsHandle.get(kvsKey);
-  } catch (err) {
-    log(`Error reading value for key: ${kvsKey}, error: ${err}`);
-    return null;
-  }
+try {
+  jwtDecode(jwtToken, jwtSecret);
+} catch (e) {
+  log(e);
+  // @ts-expect-error -- This code is added to a function body so we can use return here but typescript doesn't know that.
+  return redirectResponse;
 }
 
-const log: typeof console.log = function () {
-  if (!loggingEnabled) return;
-
-  // CloudFront Function runtime only prints first argument passed to console.log so add other args to the first one if given.
-  // eslint-disable-next-line prefer-rest-params -- We can't use spread or rest parameters in CloudFront Functions
-  let message = arguments[0];
-  if (arguments.length > 1) {
-    const otherArgs = [];
-    for (let i = 1; i < arguments.length; i++) {
-      // eslint-disable-next-line prefer-rest-params
-      otherArgs[i - 1] = arguments[i];
-    }
-
-    message += " - additional args: " + JSON.stringify(otherArgs);
-  }
-  console.log(message);
-};
-
-// This serves no purpose other than to make TypeScript and eslint happy by showing that that handler is used. We can't
-// export handler as an alterative because CloudFront Functions don't support exports.
-handler;
+log("Valid JWT token");

package/src/cdk-constructs/SiteOidcAuth/index.ts

@@ -0,0 +1,288 @@
+import { Construct } from "constructs";
+import SecretsManager from "aws-cdk-lib/aws-secretsmanager";
+import CloudFront from "aws-cdk-lib/aws-cloudfront";
+import CDK from "aws-cdk-lib";
+import Lambda from "aws-cdk-lib/aws-lambda";
+import * as SST from "sst/constructs";
+import { isCDKConstruct } from "sst/constructs/Construct.js";
+import { Config as SSTInternalConfig } from "sst/config.js";
+import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
+import path from "node:path";
+import fs from "node:fs";
+import { transformSync } from "esbuild";
+import type {
+  ExtendedNextjsSiteProps,
+  ExtendedStaticSiteProps,
+} from "../../lib/site/support.js";
+
+type ConstructScope = ConstructorParameters<typeof Construct>[0];
+type ConstructId = ConstructorParameters<typeof Construct>[1];
+
+export type Props = {
+  oidcIssuerUrl: string;
+  oidcClientId: string;
+  oidcScope: string;
+};
+export type AddToSiteProps = { prefix?: string };
+
+const defaultAuthRoutePrefix = "/auth";
+
+export class SiteOidcAuth extends Construct {
+  readonly oidcIssuerUrl: string;
+  readonly oidcClientId: string;
+  readonly oidcScope: string;
+  readonly id: string;
+
+  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
+    super(scope, id);
+    this.oidcIssuerUrl = props.oidcIssuerUrl;
+    this.oidcClientId = props.oidcClientId;
+    this.oidcScope = props.oidcScope;
+    this.id = id;
+  }
+
+  addToStaticSiteProps<SiteProps extends ExtendedStaticSiteProps>(
+    scope: ConstructScope,
+    siteProps: SiteProps,
+    { prefix = defaultAuthRoutePrefix }: AddToSiteProps = {},
+  ) {
+    prefix = prefix.replace(/\/$/, ""); // Remove trailing slash from prefix if it has one
+    const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+    const distribution = siteProps.cdk?.distribution;
+    if (isCDKConstruct(distribution)) {
+      throw new Error(
+        `CDK Construct for distribution is not supported when adding CloudFront OIDC Auth behavior for prefix ${prefix}`,
+      );
+    }
+
+    const updatedSiteProps = {
+      ...siteProps,
+      cdk: {
+        ...siteProps.cdk,
+        distribution: {
+          ...siteProps.cdk?.distribution,
+          additionalBehaviors: distribution?.additionalBehaviors ?? {},
+          defaultBehavior: {
+            ...distribution?.defaultBehavior,
+            functionAssociations:
+              distribution?.defaultBehavior?.functionAssociations ?? [],
+          },
+        },
+      },
+    };
+
+    if (updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName]) {
+      throw new Error(
+        `Behavior for prefix ${prefix} already exists in distribution definition`,
+      );
+    }
+
+    const jwtSecret = this.createJwtSecret();
+
+    updatedSiteProps.cdk.distribution.defaultBehavior.functionAssociations.push(
+      this.getFunctionAssociation(scope, jwtSecret, prefix),
+    );
+    updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName] =
+      this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+
+    return updatedSiteProps;
+  }
+
+  addToSsrSiteProps<SiteProps extends ExtendedNextjsSiteProps>(
+    scope: ConstructScope,
+    siteProps: SiteProps,
+    { prefix = defaultAuthRoutePrefix }: AddToSiteProps = {},
+  ) {
+    prefix = prefix.replace(/\/$/, ""); // Remove trailing slash from prefix if it has one
+    const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
+    const updatedSiteProps = {
+      ...siteProps,
+      cdk: {
+        ...siteProps.cdk,
+        distribution: {
+          ...siteProps.cdk?.distribution,
+          additionalBehaviors:
+            siteProps.cdk?.distribution?.additionalBehaviors ?? {},
+        },
+      },
+    };
+    if (updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName]) {
+      throw new Error(
+        `Behavior for prefix ${prefix} already exists in distribution definition`,
+      );
+    }
+
+    const jwtSecret = this.createJwtSecret();
+
+    updatedSiteProps.cdk.transform = (plan) => {
+      siteProps?.cdk?.transform?.(plan);
+
+      plan.cloudFrontFunctions?.serverCfFunction.injections.push(
+        this.getAuthCheckHandlerBodyCode(jwtSecret, prefix),
+      );
+    };
+
+    updatedSiteProps.cdk.distribution.additionalBehaviors[behaviourName] =
+      this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
+
+    return updatedSiteProps;
+  }
+
+  private createJwtSecret() {
+    return new SecretsManager.Secret(this, `${this.id}JwtSecret`, {
+      description: "JWT Signing Secret",
+      generateSecretString: {
+        passwordLength: 32,
+        excludePunctuation: true,
+        includeSpace: false,
+        requireEachIncludedType: true,
+      },
+      // Secret is only used for sessions so it's safe to delete on stack removal
+      removalPolicy: CDK.RemovalPolicy.DESTROY,
+    });
+  }
+
+  // Get the CloudFront Function Association for auth checking
+  // Roughly based off https://github.com/sst/v2/blob/4283d706f251724308b397996ff307929bf3a976/packages/sst/src/constructs/SsrSite.ts#L941
+  private getFunctionAssociation(
+    scope: ConstructScope,
+    jwtSecret: SecretsManager.Secret,
+    authRoutePrefix: string,
+  ): CloudFront.FunctionAssociation {
+    const authCheckFunction = new CloudFront.Function(
+      scope,
+      `${this.id}AuthCheckFunction`,
+      {
+        code: CloudFront.FunctionCode.fromInline(
+          this.convertToCloudFrontFunctionCompatibleCode(
+            `function handler(event) {
+              var request = event.request;
+              ${this.getAuthCheckHandlerBodyCode(jwtSecret, authRoutePrefix)}
+              return request;
+            }`,
+          ),
+        ),
+        // We could specify the JS v2.0 runtime here but for SSR sites SST does the function creation and that currently
+        // uses JS v1.0 so no point using v2.0 here as the code has to be compatible with v1.0 anyway.
+      },
+    );
+
+    return {
+      function: authCheckFunction,
+      eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+    };
+  }
+
+  private getAuthCheckHandlerBodyCode(
+    jwtSecret: SecretsManager.Secret,
+    authRoutePrefix: string,
+  ): string {
+    return fs
+      .readFileSync(
+        path.join(import.meta.dirname, "auth-check-handler-body.js"),
+        "utf8",
+      )
+      .replace(
+        "__placeholder-for-jwt-secret__",
+        jwtSecret.secretValue.toString(),
+      )
+      .replace("__placeholder-for-auth-route-prefix__", authRoutePrefix);
+  }
+
+  private convertToCloudFrontFunctionCompatibleCode(
+    sourceCode: string,
+  ): string {
+    // ESBuild doesn't currently support transforming const/let to var, which is required for CloudFront Functions
+    // JS runtime 1.0.
+    sourceCode = sourceCode
+      .replaceAll(/const /g, "var ")
+      .replaceAll(/let /g, "var ");
+    return transformSync(sourceCode, {
+      minify: true,
+      target: "es5",
+    }).code;
+  }
+
+  // Get the behavior options for the auth route
+  private getAuthBehaviorOptions(
+    scope: ConstructScope,
+    jwtSecret: SecretsManager.Secret,
+    prefix: string,
+  ): CloudFront.BehaviorOptions {
+    const authRouteFunction = new SST.Function(
+      scope,
+      `${this.id}AuthRouteFunction`,
+      {
+        runtime: "nodejs20.x",
+        handler: path.join(import.meta.dirname, "auth-route.handler"),
+        environment: {
+          OIDC_ISSUER_URL: this.oidcIssuerUrl,
+          OIDC_CLIENT_ID: this.oidcClientId,
+          OIDC_SCOPE: this.oidcScope,
+          JWT_SECRET: jwtSecret.secretValue.toString(),
+        },
+      },
+    );
+
+    // authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
+    // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
+    // by the Auth construct so we have to set them ourselves here to keep it happy.
+    const envVarName = SSTInternalConfig.envFor({
+      type: "Auth",
+      id: "id", // It seems like the env var will still be found no matter what this value is
+      prop: "prefix",
+    });
+    authRouteFunction.addEnvironment(envVarName, prefix);
+
+    const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
+      authType: Lambda.FunctionUrlAuthType.NONE,
+    });
+    const forwardHostHeaderCfFunction = new CloudFront.Function(
+      scope,
+      `${this.id}ForwardHostHeaderFunction`,
+      {
+        code: CloudFront.FunctionCode.fromInline(
+          this.convertToCloudFrontFunctionCompatibleCode(
+            `function handler(event) {
+              const request = event.request;
+              request.headers["x-forwarded-host"] = { value: request.headers.host.value };
+              return request;
+            }`,
+          ),
+        ),
+        runtime: CloudFront.FunctionRuntime.JS_2_0,
+      },
+    );
+
+    return {
+      origin: new CloudFrontOrigins.HttpOrigin(
+        CDK.Fn.parseDomainName(authRouteFunctionUrl.url),
+      ),
+      allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
+      cachePolicy: new CloudFront.CachePolicy(
+        scope,
+        `${this.id}AllowAllCookiesPolicy`,
+        {
+          cachePolicyName: `${this.id}-AllowAllCookiesPolicy`,
+          comment: "Cache policy that forwards all cookies",
+          defaultTtl: CDK.Duration.seconds(1),
+          minTtl: CDK.Duration.seconds(1),
+          maxTtl: CDK.Duration.seconds(1),
+          cookieBehavior: CloudFront.CacheCookieBehavior.all(),
+          headerBehavior:
+            CloudFront.CacheHeaderBehavior.allowList("X-Forwarded-Host"),
+          queryStringBehavior: CloudFront.CacheQueryStringBehavior.all(),
+          enableAcceptEncodingGzip: true,
+          enableAcceptEncodingBrotli: true,
+        },
+      ),
+      viewerProtocolPolicy: CloudFront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+      functionAssociations: [
+        {
+          function: forwardHostHeaderCfFunction,
+          eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
+        },
+      ],
+    };
+  }
+}

package/src/cdk-constructs/index.ts

@@ -6,4 +6,4 @@ export * from "./IxStaticSite.js";
 export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
-export * from "./CloudFrontOidcAuth/index.js";
+export * from "./SiteOidcAuth/index.js";