@infoxchange/make-it-so 2.11.0-internal-testing-vdt-199-add-ix-oidc-auth.1 → 2.11.0-internal-testing-vdt-199-add-auth-token-verify-function.2

package/README.md

@@ -304,7 +304,7 @@ const auth = new CloudFrontOidcAuth(stack, "CloudFrontOidcAuth", {
 });
 
 // Then you apply it to the a CloudFront backed site when it's created
-new IxStaticSite(stack, "IxStaticSite", {
+const site = new IxStaticSite(stack, "IxStaticSite", {
   path: "path/to/site/files",
   cdk: {
     distribution: auth.addToDistributionDefinition(stack, {
@@ -314,29 +314,6 @@ new IxStaticSite(stack, "IxStaticSite", {
 });
 ```
 
-<details>
-<summary><strong>ApiGatewayOidcAuth</strong> - Adds OIDC authentication to a API Gateway instance.</summary>
-
-This is an instance of SST v2's [Auth construct](https://v2.sst.dev/auth) that is preconfigured for OIDC.
-
-```typescript
-import { ApiGatewayOidcAuth } from "@infoxchange/make-it-so/cdk-constructs";
-
-// You first create an instance of ApiGatewayOidcAuth
-const auth = new ApiGatewayOidcAuth(stack, "ApiGatewayOidcAuth", {
-  oidcIssuerUrl: "https://your-oidc-server.com/path/",
-  oidcClientId: "your-client-id",
-  oidcScope: "email",
-});
-
-// Then you attach it to an API instance
-const api = new Api(stack, "api", {});
-auth.attach(stack, {
-  api,
-  prefix: "/auth", // optional
-});
-```
-
 ## Full Example
 
 To deploy a Next.js based site you would include a `sst.config.ts` file at the root of repo with contents like this:

package/dist/cdk-constructs/CloudFrontOidcAuth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAwC5E,OAAO,CAAC,sBAAsB;IAgI9B,OAAO,CAAC,sBAAsB;CA8E/B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAuC5E,OAAO,CAAC,sBAAsB;IA8H9B,OAAO,CAAC,sBAAsB;CA8E/B"}

package/dist/cdk-constructs/CloudFrontOidcAuth/index.js

@@ -54,7 +54,6 @@ export class CloudFrontOidcAuth extends Construct {
             this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
         return updatedDistributionDefinition;
     }
-    // This deals with the infra required for checking if requests are authenticated and redirecting to the auth route if not
     getFunctionAssociation(scope, jwtSecret) {
         const cfKeyValueStore = new CloudFront.KeyValueStore(scope, `${this.id}CFKeyValueStore`);
         const kvStoreId = cfKeyValueStore.keyValueStoreId; // Your KV store ID
@@ -138,8 +137,6 @@ export class CloudFrontOidcAuth extends Construct {
             eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
         };
     }
-    // This deals with the infra required for handling the OIDC authorisation process for requests that aren't yet
-    // authenticated but want to become authenticated.
     getAuthBehaviorOptions(scope, jwtSecret, prefix) {
         const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
             runtime: "nodejs20.x",

package/dist/cdk-constructs/index.d.ts

@@ -7,5 +7,4 @@ export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
 export * from "./CloudFrontOidcAuth/index.js";
-export * from "./ApiGatewayOidcAuth/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,+BAA+B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cdk-constructs/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,+BAA+B,CAAC"}

package/dist/cdk-constructs/index.js

@@ -7,4 +7,3 @@ export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
 export * from "./CloudFrontOidcAuth/index.js";
-export * from "./ApiGatewayOidcAuth/index.js";

package/dist/lib/auth/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./oidc.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}

package/dist/lib/auth/index.js

@@ -0,0 +1 @@
+export * from "./oidc.js";

package/dist/lib/auth/oidc.d.ts

@@ -0,0 +1,26 @@
+import { JWTPayload } from "jose";
+type VerifyAccessTokenParams<SafeVerify extends boolean = false> = {
+    token: string;
+    issuerUrl: string;
+    audience: string;
+    safeVerify?: SafeVerify;
+};
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export declare function verifyAccessToken<SafeVerify extends boolean = false>({ token, issuerUrl, audience, safeVerify, }: VerifyAccessTokenParams<SafeVerify>): Promise<SafeVerify extends true ? {
+    error: Error | unknown;
+    payload: null;
+} | {
+    error: null;
+    payload: JWTPayload;
+} : JWTPayload>;
+export {};
+//# sourceMappingURL=oidc.d.ts.map

package/dist/lib/auth/oidc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/oidc.ts"],"names":[],"mappings":"AACA,OAAO,EAAsB,UAAU,EAAa,MAAM,MAAM,CAAC;AAEjE,KAAK,uBAAuB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,IAAI;IACjE,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,SAAS,OAAO,GAAG,KAAK,EAAE,EAC1E,KAAK,EACL,SAAS,EACT,QAAQ,EACR,UAAU,GACX,EAAE,uBAAuB,CAAC,UAAU,CAAC,GAAG,OAAO,CAC9C,UAAU,SAAS,IAAI,GAEf;IAAE,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC;IAAC,OAAO,EAAE,IAAI,CAAA;CAAE,GACzC;IAAE,KAAK,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,GACxC,UAAU,CACf,CAyCA"}

package/dist/lib/auth/oidc.js

@@ -0,0 +1,48 @@
+import { Issuer } from "openid-client";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export async function verifyAccessToken({ token, issuerUrl, audience, safeVerify, }) {
+    try {
+        const issuer = await Issuer.discover(issuerUrl);
+        const jwksUri = issuer.metadata.jwks_uri;
+        if (!jwksUri) {
+            throw new Error("JWKS URI not found in issuer metadata");
+        }
+        const JWKS = createRemoteJWKSet(new URL(jwksUri));
+        // Verify the signature and basic claims
+        const { payload } = await jwtVerify(token, JWKS, {
+            issuer: issuer.metadata.issuer,
+        });
+        const tokenAud = payload.aud ?? payload.client_id;
+        let audienceMatches = false;
+        for (const aud of Array.isArray(tokenAud) ? tokenAud : [tokenAud]) {
+            if (aud === audience) {
+                audienceMatches = true;
+                break;
+            }
+        }
+        if (!audienceMatches) {
+            console.info("Token data:", payload);
+            throw new Error(`Token audience does not match expected audience ${audience}`);
+        }
+        if (safeVerify) {
+            return { payload, error: null };
+        }
+        return payload;
+    }
+    catch (err) {
+        if (safeVerify) {
+            return { error: err, payload: null };
+        }
+        throw err;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@infoxchange/make-it-so",
-  "version": "2.11.0-internal-testing-vdt-199-add-ix-oidc-auth.1",
+  "version": "2.11.0-internal-testing-vdt-199-add-auth-token-verify-function.2",
   "description": "Makes deploying services to IX infra easy",
   "repository": "github:infoxchange/make-it-so",
   "type": "module",
@@ -16,7 +16,8 @@
   "license": "MIT",
   "exports": {
     "./cdk-constructs": "./dist/cdk-constructs/index.js",
-    "./deployConfig": "./dist/deployConfig.js"
+    "./deployConfig": "./dist/deployConfig.js",
+    "./auth": "./dist/lib/auth.js"
   },
   "lint-staged": {
     "**/*": [

package/src/cdk-constructs/CloudFrontOidcAuth/index.ts

@@ -84,7 +84,6 @@ export class CloudFrontOidcAuth extends Construct {
     return updatedDistributionDefinition;
   }
 
-  // This deals with the infra required for checking if requests are authenticated and redirecting to the auth route if not
   private getFunctionAssociation(
     scope: ConstructScope,
     jwtSecret: SecretsManager.Secret,
@@ -211,8 +210,6 @@ export class CloudFrontOidcAuth extends Construct {
     };
   }
 
-  // This deals with the infra required for handling the OIDC authorisation process for requests that aren't yet
-  // authenticated but want to become authenticated.
   private getAuthBehaviorOptions(
     scope: ConstructScope,
     jwtSecret: SecretsManager.Secret,

package/src/cdk-constructs/index.ts

@@ -7,4 +7,3 @@ export * from "./IxElasticache.js";
 export * from "./IxApi.js";
 export * from "./IxQuicksightWorkspace.js";
 export * from "./CloudFrontOidcAuth/index.js";
-export * from "./ApiGatewayOidcAuth/index.js";

package/src/lib/auth/index.ts

@@ -0,0 +1 @@
+export * from "./oidc.js";

package/src/lib/auth/oidc.ts

@@ -0,0 +1,73 @@
+import { Issuer } from "openid-client";
+import { createRemoteJWKSet, JWTPayload, jwtVerify } from "jose";
+
+type VerifyAccessTokenParams<SafeVerify extends boolean = false> = {
+  token: string;
+  issuerUrl: string;
+  audience: string;
+  safeVerify?: SafeVerify;
+};
+
+/**
+ * Checks an OIDC access token against the issuer's details to determine if it's valid.
+ *
+ * @param params - The parameters for verifying the access token.
+ * @param params.token - The JWT access token to verify.
+ * @param params.issuerUrl - The OIDC issuer URL to discover JWKS and metadata.
+ * @param params.audience - The expected audience value to match against the token's claims.
+ * @param params.safeVerify - If true, returns a result object with error and payload fields instead of throwing on error.
+ * @returns If `safeVerify` is true, returns an object with either the verified payload or an error. Otherwise, returns the verified JWT payload or throws an error.
+ */
+export async function verifyAccessToken<SafeVerify extends boolean = false>({
+  token,
+  issuerUrl,
+  audience,
+  safeVerify,
+}: VerifyAccessTokenParams<SafeVerify>): Promise<
+  SafeVerify extends true
+    ?
+        | { error: Error | unknown; payload: null }
+        | { error: null; payload: JWTPayload }
+    : JWTPayload
+> {
+  try {
+    const issuer = await Issuer.discover(issuerUrl);
+    const jwksUri = issuer.metadata.jwks_uri;
+    if (!jwksUri) {
+      throw new Error("JWKS URI not found in issuer metadata");
+    }
+    const JWKS = createRemoteJWKSet(new URL(jwksUri));
+
+    // Verify the signature and basic claims
+    const { payload } = await jwtVerify(token, JWKS, {
+      issuer: issuer.metadata.issuer,
+    });
+
+    const tokenAud = payload.aud ?? payload.client_id;
+    let audienceMatches = false;
+    for (const aud of Array.isArray(tokenAud) ? tokenAud : [tokenAud]) {
+      if (aud === audience) {
+        audienceMatches = true;
+        break;
+      }
+    }
+    if (!audienceMatches) {
+      console.info("Token data:", payload);
+      throw new Error(
+        `Token audience does not match expected audience ${audience}`,
+      );
+    }
+
+    if (safeVerify) {
+      return { payload, error: null };
+    }
+    return payload as SafeVerify extends true
+      ? { error: null; payload: JWTPayload }
+      : JWTPayload;
+  } catch (err) {
+    if (safeVerify) {
+      return { error: err, payload: null };
+    }
+    throw err;
+  }
+}

package/dist/cdk-constructs/ApiGatewayOidcAuth/auth-route.d.ts

@@ -1,9 +0,0 @@
-declare module "sst/node/auth" {
-    interface SessionTypes {
-        user: {
-            userID: string;
-        };
-    }
-}
-export declare const handler: (event: any, context: any) => Promise<any>;
-//# sourceMappingURL=auth-route.d.ts.map

package/dist/cdk-constructs/ApiGatewayOidcAuth/auth-route.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/ApiGatewayOidcAuth/auth-route.ts"],"names":[],"mappings":"AAoBA,OAAO,QAAQ,eAAe,CAAC;IAC7B,UAAiB,YAAY;QAC3B,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM,CAAC;SAChB,CAAC;KACH;CACF;AAED,eAAO,MAAM,OAAO,4CAiBlB,CAAC"}

package/dist/cdk-constructs/ApiGatewayOidcAuth/auth-route.js

@@ -1,33 +0,0 @@
-import { AuthHandler, OidcAdapter, Session } from "sst/node/auth";
-import { Issuer } from "openid-client";
-const oidcClientId = process.env.OIDC_CLIENT_ID;
-if (!oidcClientId) {
-    throw new Error("OIDC_CLIENT_ID not set");
-}
-const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
-if (!oidcIssuerUrl) {
-    throw new Error("OIDC_ISSUER_URL not set");
-}
-const oidcScope = process.env.OIDC_SCOPE;
-if (!oidcScope) {
-    throw new Error("OIDC_SCOPE not set");
-}
-const oidcIssuerConfigUrl = new URL(`${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`);
-export const handler = AuthHandler({
-    providers: {
-        oidc: OidcAdapter({
-            issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
-            clientID: oidcClientId,
-            scope: oidcScope,
-            onSuccess: async (tokenset) => {
-                return Session.cookie({
-                    redirect: "/",
-                    type: "user",
-                    properties: {
-                        userID: tokenset.claims().sub,
-                    },
-                });
-            },
-        }),
-    },
-});

package/dist/cdk-constructs/ApiGatewayOidcAuth/index.d.ts

@@ -1,13 +0,0 @@
-import * as SST from "sst/constructs";
-type ConstructScope = ConstructorParameters<typeof SST.Auth>[0];
-type ConstructId = ConstructorParameters<typeof SST.Auth>[1];
-type Props = Omit<SST.AuthProps, "authenticator"> & {
-    oidcIssuerUrl: string;
-    oidcClientId: string;
-    oidcScope: string;
-};
-export declare class ApiGatewayOidcAuth extends SST.Auth {
-    constructor(scope: ConstructScope, id: ConstructId, props: Props);
-}
-export {};
-//# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/ApiGatewayOidcAuth/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/ApiGatewayOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AAGtC,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAChE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAE7D,KAAK,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,eAAe,CAAC,GAAG;IAClD,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,GAAG,CAAC,IAAI;gBAClC,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;CAajE"}

package/dist/cdk-constructs/ApiGatewayOidcAuth/index.js

@@ -1,17 +0,0 @@
-import * as SST from "sst/constructs";
-import path from "node:path";
-export class ApiGatewayOidcAuth extends SST.Auth {
-    constructor(scope, id, props) {
-        super(scope, id, {
-            ...props,
-            authenticator: {
-                handler: path.join(import.meta.dirname, "auth-route.handler"),
-                environment: {
-                    OIDC_ISSUER_URL: props.oidcIssuerUrl,
-                    OIDC_CLIENT_ID: props.oidcClientId,
-                    OIDC_SCOPE: props.oidcScope,
-                },
-            },
-        });
-    }
-}

package/src/cdk-constructs/ApiGatewayOidcAuth/auth-route.ts

@@ -1,46 +0,0 @@
-import { AuthHandler, OidcAdapter, Session } from "sst/node/auth";
-import { Issuer } from "openid-client";
-
-const oidcClientId = process.env.OIDC_CLIENT_ID;
-if (!oidcClientId) {
-  throw new Error("OIDC_CLIENT_ID not set");
-}
-const oidcIssuerUrl = process.env.OIDC_ISSUER_URL;
-if (!oidcIssuerUrl) {
-  throw new Error("OIDC_ISSUER_URL not set");
-}
-const oidcScope = process.env.OIDC_SCOPE;
-if (!oidcScope) {
-  throw new Error("OIDC_SCOPE not set");
-}
-
-const oidcIssuerConfigUrl = new URL(
-  `${process.env.OIDC_ISSUER_URL?.replace(/\/$/, "")}/.well-known/openid-configuration`,
-);
-
-declare module "sst/node/auth" {
-  export interface SessionTypes {
-    user: {
-      userID: string;
-    };
-  }
-}
-
-export const handler = AuthHandler({
-  providers: {
-    oidc: OidcAdapter({
-      issuer: await Issuer.discover(oidcIssuerConfigUrl.href),
-      clientID: oidcClientId,
-      scope: oidcScope,
-      onSuccess: async (tokenset) => {
-        return Session.cookie({
-          redirect: "/",
-          type: "user",
-          properties: {
-            userID: tokenset.claims().sub,
-          },
-        });
-      },
-    }),
-  },
-});

package/src/cdk-constructs/ApiGatewayOidcAuth/index.ts

@@ -1,27 +0,0 @@
-import * as SST from "sst/constructs";
-import path from "node:path";
-
-type ConstructScope = ConstructorParameters<typeof SST.Auth>[0];
-type ConstructId = ConstructorParameters<typeof SST.Auth>[1];
-
-type Props = Omit<SST.AuthProps, "authenticator"> & {
-  oidcIssuerUrl: string;
-  oidcClientId: string;
-  oidcScope: string;
-};
-
-export class ApiGatewayOidcAuth extends SST.Auth {
-  constructor(scope: ConstructScope, id: ConstructId, props: Props) {
-    super(scope, id, {
-      ...props,
-      authenticator: {
-        handler: path.join(import.meta.dirname, "auth-route.handler"),
-        environment: {
-          OIDC_ISSUER_URL: props.oidcIssuerUrl,
-          OIDC_CLIENT_ID: props.oidcClientId,
-          OIDC_SCOPE: props.oidcScope,
-        },
-      },
-    });
-  }
-}