@liflig/cdk-cloudfront-auth 1.0.0

package/lib/handlers/util/jwt.js

@@ -0,0 +1,59 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decodeIdToken = exports.validate = void 0;
+const jsonwebtoken_1 = require("jsonwebtoken");
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+// jwks client is cached at this scope so it can be reused
+// across Lambda invocations.
+let jwksRsa;
+function isRsaSigningKey(key) {
+    return "rsaPublicKey" in key;
+}
+/**
+ * Retrieves the public key that corresponds to the private key with
+ * which the token was signed.
+ */
+async function getSigningKey(jwksUri, kid) {
+    if (!jwksRsa) {
+        jwksRsa = (0, jwks_rsa_1.default)({ cache: true, rateLimit: true, jwksUri });
+    }
+    const jwk = await jwksRsa.getSigningKey(kid);
+    return isRsaSigningKey(jwk) ? jwk.rsaPublicKey : jwk.publicKey;
+}
+async function validate(jwtToken, jwksUri, issuer, audience) {
+    const decodedToken = (0, jsonwebtoken_1.decode)(jwtToken, { complete: true });
+    if (!decodedToken || typeof decodedToken === "string") {
+        return {
+            validationError: new Error("Cannot parse JWT token"),
+        };
+    }
+    // The JWT contains a "kid" claim, key id, that tells which key
+    // was used to sign the token.
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+    const kid = decodedToken["header"]["kid"];
+    const jwk = await getSigningKey(jwksUri, kid);
+    if (jwk instanceof Error) {
+        return { validationError: jwk };
+    }
+    // Verify the JWT.
+    // This either rejects (JWT not valid), or resolves (JWT valid).
+    const verificationOptions = {
+        audience,
+        issuer,
+        ignoreExpiration: false,
+    };
+    return new Promise((resolve) => (0, jsonwebtoken_1.verify)(jwtToken, jwk, verificationOptions, (err) => err ? resolve({ validationError: err }) : resolve(undefined)));
+}
+exports.validate = validate;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function decodeIdToken(jwt) {
+    const tokenBody = jwt.split(".")[1];
+    const decodableTokenBody = tokenBody.replace(/-/g, "+").replace(/_/g, "/");
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-return
+    return JSON.parse(Buffer.from(decodableTokenBody, "base64").toString());
+}
+exports.decodeIdToken = decodeIdToken;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiand0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2hhbmRsZXJzL3V0aWwvand0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7OztBQUFBLCtDQUE2QztBQUM3Qyx3REFBZ0U7QUFnQmhFLDBEQUEwRDtBQUMxRCw2QkFBNkI7QUFDN0IsSUFBSSxPQUE4QixDQUFBO0FBRWxDLFNBQVMsZUFBZSxDQUFDLEdBQWU7SUFDdEMsT0FBTyxjQUFjLElBQUksR0FBRyxDQUFBO0FBQzlCLENBQUM7QUFFRDs7O0dBR0c7QUFDSCxLQUFLLFVBQVUsYUFBYSxDQUMxQixPQUFlLEVBQ2YsR0FBVztJQUVYLElBQUksQ0FBQyxPQUFPLEVBQUU7UUFDWixPQUFPLEdBQUcsSUFBQSxrQkFBVSxFQUFDLEVBQUUsS0FBSyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxDQUFDLENBQUE7S0FDaEU7SUFDRCxNQUFNLEdBQUcsR0FBRyxNQUFNLE9BQU8sQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUFDLENBQUE7SUFDNUMsT0FBTyxlQUFlLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxZQUFZLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxTQUFTLENBQUE7QUFDaEUsQ0FBQztBQUVNLEtBQUssVUFBVSxRQUFRLENBQzVCLFFBQWdCLEVBQ2hCLE9BQWUsRUFDZixNQUFjLEVBQ2QsUUFBZ0I7SUFFaEIsTUFBTSxZQUFZLEdBQUcsSUFBQSxxQkFBTSxFQUFDLFFBQVEsRUFBRSxFQUFFLFFBQVEsRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFBO0lBQ3pELElBQUksQ0FBQyxZQUFZLElBQUksT0FBTyxZQUFZLEtBQUssUUFBUSxFQUFFO1FBQ3JELE9BQU87WUFDTCxlQUFlLEVBQUUsSUFBSSxLQUFLLENBQUMsd0JBQXdCLENBQUM7U0FDckQsQ0FBQTtLQUNGO0lBRUQsK0RBQStEO0lBQy9ELDhCQUE4QjtJQUM5QixzRUFBc0U7SUFDdEUsTUFBTSxHQUFHLEdBQUcsWUFBWSxDQUFDLFFBQVEsQ0FBQyxDQUFDLEtBQUssQ0FBVyxDQUFBO0lBQ25ELE1BQU0sR0FBRyxHQUFHLE1BQU0sYUFBYSxDQUFDLE9BQU8sRUFBRSxHQUFHLENBQUMsQ0FBQTtJQUM3QyxJQUFJLEdBQUcsWUFBWSxLQUFLLEVBQUU7UUFDeEIsT0FBTyxFQUFFLGVBQWUsRUFBRSxHQUFHLEVBQUUsQ0FBQTtLQUNoQztJQUVELGtCQUFrQjtJQUNsQixnRUFBZ0U7SUFDaEUsTUFBTSxtQkFBbUIsR0FBRztRQUMxQixRQUFRO1FBQ1IsTUFBTTtRQUNOLGdCQUFnQixFQUFFLEtBQUs7S0FDeEIsQ0FBQTtJQUVELE9BQU8sSUFBSSxPQUFPLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUM3QixJQUFBLHFCQUFNLEVBQUMsUUFBUSxFQUFFLEdBQUcsRUFBRSxtQkFBbUIsRUFBRSxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQ2pELEdBQUcsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsZUFBZSxFQUFFLEdBQUcsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsQ0FDN0QsQ0FDRixDQUFBO0FBQ0gsQ0FBQztBQW5DRCw0QkFtQ0M7QUFFRCw4REFBOEQ7QUFDOUQsU0FBZ0IsYUFBYSxDQUFDLEdBQVc7SUFDdkMsTUFBTSxTQUFTLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQTtJQUNuQyxNQUFNLGtCQUFrQixHQUFHLFNBQVMsQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLEdBQUcsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUE7SUFDMUUsK0RBQStEO0lBQy9ELE9BQU8sSUFBSSxDQUFDLEtBQUssQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLGtCQUFrQixFQUFFLFFBQVEsQ0FBQyxDQUFDLFFBQVEsRUFBRSxDQUFDLENBQUE7QUFDekUsQ0FBQztBQUxELHNDQUtDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgZGVjb2RlLCB2ZXJpZnkgfSBmcm9tIFwianNvbndlYnRva2VuXCJcbmltcG9ydCBqd2tzQ2xpZW50LCB7IFJzYVNpZ25pbmdLZXksIFNpZ25pbmdLZXkgfSBmcm9tIFwiandrcy1yc2FcIlxuXG5leHBvcnQgaW50ZXJmYWNlIElkVG9rZW5QYXlsb2FkIHtcbiAgc3ViOiBzdHJpbmdcbiAgXCJjb2duaXRvOmdyb3Vwc1wiPzogc3RyaW5nW11cbiAgXCJjb2duaXRvOnVzZXJuYW1lXCI/OiBzdHJpbmdcbiAgZ2l2ZW5fbmFtZT86IHN0cmluZ1xuICBhdWQ6IHN0cmluZ1xuICB0b2tlbl91c2U6IFwiaWRcIlxuICBhdXRoX3RpbWU6IG51bWJlclxuICBuYW1lPzogc3RyaW5nXG4gIGV4cDogbnVtYmVyXG4gIGlhdDogbnVtYmVyXG4gIGVtYWlsPzogc3RyaW5nXG59XG5cbi8vIGp3a3MgY2xpZW50IGlzIGNhY2hlZCBhdCB0aGlzIHNjb3BlIHNvIGl0IGNhbiBiZSByZXVzZWRcbi8vIGFjcm9zcyBMYW1iZGEgaW52b2NhdGlvbnMuXG5sZXQgandrc1JzYTogandrc0NsaWVudC5Kd2tzQ2xpZW50XG5cbmZ1bmN0aW9uIGlzUnNhU2lnbmluZ0tleShrZXk6IFNpZ25pbmdLZXkpOiBrZXkgaXMgUnNhU2lnbmluZ0tleSB7XG4gIHJldHVybiBcInJzYVB1YmxpY0tleVwiIGluIGtleVxufVxuXG4vKipcbiAqIFJldHJpZXZlcyB0aGUgcHVibGljIGtleSB0aGF0IGNvcnJlc3BvbmRzIHRvIHRoZSBwcml2YXRlIGtleSB3aXRoXG4gKiB3aGljaCB0aGUgdG9rZW4gd2FzIHNpZ25lZC5cbiAqL1xuYXN5bmMgZnVuY3Rpb24gZ2V0U2lnbmluZ0tleShcbiAgandrc1VyaTogc3RyaW5nLFxuICBraWQ6IHN0cmluZyxcbik6IFByb21pc2U8c3RyaW5nIHwgRXJyb3I+IHtcbiAgaWYgKCFqd2tzUnNhKSB7XG4gICAgandrc1JzYSA9IGp3a3NDbGllbnQoeyBjYWNoZTogdHJ1ZSwgcmF0ZUxpbWl0OiB0cnVlLCBqd2tzVXJpIH0pXG4gIH1cbiAgY29uc3QgandrID0gYXdhaXQgandrc1JzYS5nZXRTaWduaW5nS2V5KGtpZClcbiAgcmV0dXJuIGlzUnNhU2lnbmluZ0tleShqd2spID8gandrLnJzYVB1YmxpY0tleSA6IGp3ay5wdWJsaWNLZXlcbn1cblxuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIHZhbGlkYXRlKFxuICBqd3RUb2tlbjogc3RyaW5nLFxuICBqd2tzVXJpOiBzdHJpbmcsXG4gIGlzc3Vlcjogc3RyaW5nLFxuICBhdWRpZW5jZTogc3RyaW5nLFxuKTogUHJvbWlzZTx7IHZhbGlkYXRpb25FcnJvcjogRXJyb3IgfSB8IHVuZGVmaW5lZD4ge1xuICBjb25zdCBkZWNvZGVkVG9rZW4gPSBkZWNvZGUoand0VG9rZW4sIHsgY29tcGxldGU6IHRydWUgfSlcbiAgaWYgKCFkZWNvZGVkVG9rZW4gfHwgdHlwZW9mIGRlY29kZWRUb2tlbiA9PT0gXCJzdHJpbmdcIikge1xuICAgIHJldHVybiB7XG4gICAgICB2YWxpZGF0aW9uRXJyb3I6IG5ldyBFcnJvcihcIkNhbm5vdCBwYXJzZSBKV1QgdG9rZW5cIiksXG4gICAgfVxuICB9XG5cbiAgLy8gVGhlIEpXVCBjb250YWlucyBhIFwia2lkXCIgY2xhaW0sIGtleSBpZCwgdGhhdCB0ZWxscyB3aGljaCBrZXlcbiAgLy8gd2FzIHVzZWQgdG8gc2lnbiB0aGUgdG9rZW4uXG4gIC8vIGVzbGludC1kaXNhYmxlLW5leHQtbGluZSBAdHlwZXNjcmlwdC1lc2xpbnQvbm8tdW5zYWZlLW1lbWJlci1hY2Nlc3NcbiAgY29uc3Qga2lkID0gZGVjb2RlZFRva2VuW1wiaGVhZGVyXCJdW1wia2lkXCJdIGFzIHN0cmluZ1xuICBjb25zdCBqd2sgPSBhd2FpdCBnZXRTaWduaW5nS2V5KGp3a3NVcmksIGtpZClcbiAgaWYgKGp3ayBpbnN0YW5jZW9mIEVycm9yKSB7XG4gICAgcmV0dXJuIHsgdmFsaWRhdGlvbkVycm9yOiBqd2sgfVxuICB9XG5cbiAgLy8gVmVyaWZ5IHRoZSBKV1QuXG4gIC8vIFRoaXMgZWl0aGVyIHJlamVjdHMgKEpXVCBub3QgdmFsaWQpLCBvciByZXNvbHZlcyAoSldUIHZhbGlkKS5cbiAgY29uc3QgdmVyaWZpY2F0aW9uT3B0aW9ucyA9IHtcbiAgICBhdWRpZW5jZSxcbiAgICBpc3N1ZXIsXG4gICAgaWdub3JlRXhwaXJhdGlvbjogZmFsc2UsXG4gIH1cblxuICByZXR1cm4gbmV3IFByb21pc2UoKHJlc29sdmUpID0+XG4gICAgdmVyaWZ5KGp3dFRva2VuLCBqd2ssIHZlcmlmaWNhdGlvbk9wdGlvbnMsIChlcnIpID0+XG4gICAgICBlcnIgPyByZXNvbHZlKHsgdmFsaWRhdGlvbkVycm9yOiBlcnIgfSkgOiByZXNvbHZlKHVuZGVmaW5lZCksXG4gICAgKSxcbiAgKVxufVxuXG4vLyBlc2xpbnQtZGlzYWJsZS1uZXh0LWxpbmUgQHR5cGVzY3JpcHQtZXNsaW50L25vLWV4cGxpY2l0LWFueVxuZXhwb3J0IGZ1bmN0aW9uIGRlY29kZUlkVG9rZW4oand0OiBzdHJpbmcpOiBJZFRva2VuUGF5bG9hZCB7XG4gIGNvbnN0IHRva2VuQm9keSA9IGp3dC5zcGxpdChcIi5cIilbMV1cbiAgY29uc3QgZGVjb2RhYmxlVG9rZW5Cb2R5ID0gdG9rZW5Cb2R5LnJlcGxhY2UoLy0vZywgXCIrXCIpLnJlcGxhY2UoL18vZywgXCIvXCIpXG4gIC8vIGVzbGludC1kaXNhYmxlLW5leHQtbGluZSBAdHlwZXNjcmlwdC1lc2xpbnQvbm8tdW5zYWZlLXJldHVyblxuICByZXR1cm4gSlNPTi5wYXJzZShCdWZmZXIuZnJvbShkZWNvZGFibGVUb2tlbkJvZHksIFwiYmFzZTY0XCIpLnRvU3RyaW5nKCkpXG59XG4iXX0=

package/lib/handlers/util/logger.d.ts

@@ -0,0 +1,16 @@
+export declare enum LogLevel {
+    "none" = 0,
+    "error" = 10,
+    "warn" = 20,
+    "info" = 30,
+    "debug" = 40
+}
+export declare class Logger {
+    private logLevel;
+    constructor(logLevel: LogLevel);
+    private jsonify;
+    info(...args: any): void;
+    warn(...args: any): void;
+    error(...args: any): void;
+    debug(...args: any): void;
+}

package/lib/handlers/util/logger.js

@@ -0,0 +1,55 @@
+"use strict";
+/* eslint-disable @typescript-eslint/no-unsafe-argument */
+/* eslint-disable @typescript-eslint/no-unsafe-return */
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Logger = exports.LogLevel = void 0;
+var LogLevel;
+(function (LogLevel) {
+    LogLevel[LogLevel["none"] = 0] = "none";
+    LogLevel[LogLevel["error"] = 10] = "error";
+    LogLevel[LogLevel["warn"] = 20] = "warn";
+    LogLevel[LogLevel["info"] = 30] = "info";
+    LogLevel[LogLevel["debug"] = 40] = "debug";
+})(LogLevel = exports.LogLevel || (exports.LogLevel = {}));
+class Logger {
+    constructor(logLevel) {
+        this.logLevel = logLevel;
+    }
+    jsonify(args) {
+        return args.map((arg) => {
+            if (typeof arg === "object") {
+                try {
+                    return JSON.stringify(arg);
+                }
+                catch (_a) {
+                    return arg;
+                }
+            }
+            return arg;
+        });
+    }
+    info(...args) {
+        if (this.logLevel >= LogLevel.info) {
+            console.log(...this.jsonify(args));
+        }
+    }
+    warn(...args) {
+        if (this.logLevel >= LogLevel.warn) {
+            console.warn(...this.jsonify(args));
+        }
+    }
+    error(...args) {
+        if (this.logLevel >= LogLevel.error) {
+            console.error(...this.jsonify(args));
+        }
+    }
+    debug(...args) {
+        if (this.logLevel >= LogLevel.debug) {
+            console.trace(...this.jsonify(args));
+        }
+    }
+}
+exports.Logger = Logger;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibG9nZ2VyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2hhbmRsZXJzL3V0aWwvbG9nZ2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUFBQSwwREFBMEQ7QUFDMUQsd0RBQXdEO0FBQ3hELHVEQUF1RDtBQUN2RCxzRUFBc0U7OztBQUV0RSxJQUFZLFFBTVg7QUFORCxXQUFZLFFBQVE7SUFDbEIsdUNBQVUsQ0FBQTtJQUNWLDBDQUFZLENBQUE7SUFDWix3Q0FBVyxDQUFBO0lBQ1gsd0NBQVcsQ0FBQTtJQUNYLDBDQUFZLENBQUE7QUFDZCxDQUFDLEVBTlcsUUFBUSxHQUFSLGdCQUFRLEtBQVIsZ0JBQVEsUUFNbkI7QUFFRCxNQUFhLE1BQU07SUFDakIsWUFBb0IsUUFBa0I7UUFBbEIsYUFBUSxHQUFSLFFBQVEsQ0FBVTtJQUFHLENBQUM7SUFFbEMsT0FBTyxDQUFDLElBQVc7UUFDekIsT0FBTyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsR0FBUSxFQUFPLEVBQUU7WUFDaEMsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUU7Z0JBQzNCLElBQUk7b0JBQ0YsT0FBTyxJQUFJLENBQUMsU0FBUyxDQUFDLEdBQUcsQ0FBQyxDQUFBO2lCQUMzQjtnQkFBQyxXQUFNO29CQUNOLE9BQU8sR0FBRyxDQUFBO2lCQUNYO2FBQ0Y7WUFDRCxPQUFPLEdBQUcsQ0FBQTtRQUNaLENBQUMsQ0FBQyxDQUFBO0lBQ0osQ0FBQztJQUNNLElBQUksQ0FBQyxHQUFHLElBQVM7UUFDdEIsSUFBSSxJQUFJLENBQUMsUUFBUSxJQUFJLFFBQVEsQ0FBQyxJQUFJLEVBQUU7WUFDbEMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQTtTQUNuQztJQUNILENBQUM7SUFDTSxJQUFJLENBQUMsR0FBRyxJQUFTO1FBQ3RCLElBQUksSUFBSSxDQUFDLFFBQVEsSUFBSSxRQUFRLENBQUMsSUFBSSxFQUFFO1lBQ2xDLE9BQU8sQ0FBQyxJQUFJLENBQUMsR0FBRyxJQUFJLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUE7U0FDcEM7SUFDSCxDQUFDO0lBQ00sS0FBSyxDQUFDLEdBQUcsSUFBUztRQUN2QixJQUFJLElBQUksQ0FBQyxRQUFRLElBQUksUUFBUSxDQUFDLEtBQUssRUFBRTtZQUNuQyxPQUFPLENBQUMsS0FBSyxDQUFDLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFBO1NBQ3JDO0lBQ0gsQ0FBQztJQUNNLEtBQUssQ0FBQyxHQUFHLElBQVM7UUFDdkIsSUFBSSxJQUFJLENBQUMsUUFBUSxJQUFJLFFBQVEsQ0FBQyxLQUFLLEVBQUU7WUFDbkMsT0FBTyxDQUFDLEtBQUssQ0FBQyxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQTtTQUNyQztJQUNILENBQUM7Q0FDRjtBQW5DRCx3QkFtQ0MiLCJzb3VyY2VzQ29udGVudCI6WyIvKiBlc2xpbnQtZGlzYWJsZSBAdHlwZXNjcmlwdC1lc2xpbnQvbm8tdW5zYWZlLWFyZ3VtZW50ICovXG4vKiBlc2xpbnQtZGlzYWJsZSBAdHlwZXNjcmlwdC1lc2xpbnQvbm8tdW5zYWZlLXJldHVybiAqL1xuLyogZXNsaW50LWRpc2FibGUgQHR5cGVzY3JpcHQtZXNsaW50L25vLWV4cGxpY2l0LWFueSAqL1xuLyogZXNsaW50LWRpc2FibGUgQHR5cGVzY3JpcHQtZXNsaW50L2V4cGxpY2l0LW1vZHVsZS1ib3VuZGFyeS10eXBlcyAqL1xuXG5leHBvcnQgZW51bSBMb2dMZXZlbCB7XG4gIFwibm9uZVwiID0gMCxcbiAgXCJlcnJvclwiID0gMTAsXG4gIFwid2FyblwiID0gMjAsXG4gIFwiaW5mb1wiID0gMzAsXG4gIFwiZGVidWdcIiA9IDQwLFxufVxuXG5leHBvcnQgY2xhc3MgTG9nZ2VyIHtcbiAgY29uc3RydWN0b3IocHJpdmF0ZSBsb2dMZXZlbDogTG9nTGV2ZWwpIHt9XG5cbiAgcHJpdmF0ZSBqc29uaWZ5KGFyZ3M6IGFueVtdKSB7XG4gICAgcmV0dXJuIGFyZ3MubWFwKChhcmc6IGFueSk6IGFueSA9PiB7XG4gICAgICBpZiAodHlwZW9mIGFyZyA9PT0gXCJvYmplY3RcIikge1xuICAgICAgICB0cnkge1xuICAgICAgICAgIHJldHVybiBKU09OLnN0cmluZ2lmeShhcmcpXG4gICAgICAgIH0gY2F0Y2gge1xuICAgICAgICAgIHJldHVybiBhcmdcbiAgICAgICAgfVxuICAgICAgfVxuICAgICAgcmV0dXJuIGFyZ1xuICAgIH0pXG4gIH1cbiAgcHVibGljIGluZm8oLi4uYXJnczogYW55KTogdm9pZCB7XG4gICAgaWYgKHRoaXMubG9nTGV2ZWwgPj0gTG9nTGV2ZWwuaW5mbykge1xuICAgICAgY29uc29sZS5sb2coLi4udGhpcy5qc29uaWZ5KGFyZ3MpKVxuICAgIH1cbiAgfVxuICBwdWJsaWMgd2FybiguLi5hcmdzOiBhbnkpOiB2b2lkIHtcbiAgICBpZiAodGhpcy5sb2dMZXZlbCA+PSBMb2dMZXZlbC53YXJuKSB7XG4gICAgICBjb25zb2xlLndhcm4oLi4udGhpcy5qc29uaWZ5KGFyZ3MpKVxuICAgIH1cbiAgfVxuICBwdWJsaWMgZXJyb3IoLi4uYXJnczogYW55KTogdm9pZCB7XG4gICAgaWYgKHRoaXMubG9nTGV2ZWwgPj0gTG9nTGV2ZWwuZXJyb3IpIHtcbiAgICAgIGNvbnNvbGUuZXJyb3IoLi4udGhpcy5qc29uaWZ5KGFyZ3MpKVxuICAgIH1cbiAgfVxuICBwdWJsaWMgZGVidWcoLi4uYXJnczogYW55KTogdm9pZCB7XG4gICAgaWYgKHRoaXMubG9nTGV2ZWwgPj0gTG9nTGV2ZWwuZGVidWcpIHtcbiAgICAgIGNvbnNvbGUudHJhY2UoLi4udGhpcy5qc29uaWZ5KGFyZ3MpKVxuICAgIH1cbiAgfVxufVxuIl19

package/lib/handlers/util/nonce.d.ts

@@ -0,0 +1,9 @@
+import { Config } from "./config";
+export declare function checkNonceAge(nonce: string, maxAge: number): {
+    clientError: string;
+} | undefined;
+export declare function validateNonce(nonce: string, providedHmac: string, config: Config): {
+    clientError: string;
+} | undefined;
+export declare function generateNonce(): string;
+export declare function createNonceHmac(nonce: string, config: Config): string;

package/lib/handlers/util/nonce.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createNonceHmac = exports.generateNonce = exports.validateNonce = exports.checkNonceAge = void 0;
+const crypto_1 = require("crypto");
+function checkNonceAge(nonce, maxAge) {
+    // Nonce should not be too old.
+    const timestamp = parseInt(nonce.slice(0, nonce.indexOf("T")));
+    if (isNaN(timestamp)) {
+        return {
+            clientError: "Invalid nonce",
+        };
+    }
+    if (timestampInSeconds() - timestamp > maxAge) {
+        return {
+            clientError: `Nonce is too old (nonce is from ${new Date(timestamp * 1000).toISOString()})`,
+        };
+    }
+}
+exports.checkNonceAge = checkNonceAge;
+function validateNonce(nonce, providedHmac, config) {
+    const res1 = checkNonceAge(nonce, config.nonceMaxAge);
+    if (res1) {
+        return res1;
+    }
+    const calculatedHmac = createNonceHmac(nonce, config);
+    if (calculatedHmac !== providedHmac) {
+        return {
+            clientError: `Nonce signature mismatch! Expected ${calculatedHmac} but got ${providedHmac}`,
+        };
+    }
+}
+exports.validateNonce = validateNonce;
+function generateNonce() {
+    const randomString = (0, crypto_1.randomBytes)(16).toString("hex");
+    return `${timestampInSeconds()}T${randomString}`;
+}
+exports.generateNonce = generateNonce;
+function createNonceHmac(nonce, config) {
+    return (0, crypto_1.createHmac)("sha256", config.nonceSigningSecret)
+        .update(nonce)
+        .digest("hex");
+}
+exports.createNonceHmac = createNonceHmac;
+function timestampInSeconds() {
+    return (Date.now() / 1000) | 0;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibm9uY2UuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvaGFuZGxlcnMvdXRpbC9ub25jZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSxtQ0FBZ0Q7QUFHaEQsU0FBZ0IsYUFBYSxDQUMzQixLQUFhLEVBQ2IsTUFBYztJQUVkLCtCQUErQjtJQUMvQixNQUFNLFNBQVMsR0FBRyxRQUFRLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsS0FBSyxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUE7SUFDOUQsSUFBSSxLQUFLLENBQUMsU0FBUyxDQUFDLEVBQUU7UUFDcEIsT0FBTztZQUNMLFdBQVcsRUFBRSxlQUFlO1NBQzdCLENBQUE7S0FDRjtJQUVELElBQUksa0JBQWtCLEVBQUUsR0FBRyxTQUFTLEdBQUcsTUFBTSxFQUFFO1FBQzdDLE9BQU87WUFDTCxXQUFXLEVBQUUsbUNBQW1DLElBQUksSUFBSSxDQUN0RCxTQUFTLEdBQUcsSUFBSSxDQUNqQixDQUFDLFdBQVcsRUFBRSxHQUFHO1NBQ25CLENBQUE7S0FDRjtBQUNILENBQUM7QUFuQkQsc0NBbUJDO0FBRUQsU0FBZ0IsYUFBYSxDQUMzQixLQUFhLEVBQ2IsWUFBb0IsRUFDcEIsTUFBYztJQUVkLE1BQU0sSUFBSSxHQUFHLGFBQWEsQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDLFdBQVcsQ0FBQyxDQUFBO0lBQ3JELElBQUksSUFBSSxFQUFFO1FBQ1IsT0FBTyxJQUFJLENBQUE7S0FDWjtJQUVELE1BQU0sY0FBYyxHQUFHLGVBQWUsQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDLENBQUE7SUFDckQsSUFBSSxjQUFjLEtBQUssWUFBWSxFQUFFO1FBQ25DLE9BQU87WUFDTCxXQUFXLEVBQUUsc0NBQXNDLGNBQWMsWUFBWSxZQUFZLEVBQUU7U0FDNUYsQ0FBQTtLQUNGO0FBQ0gsQ0FBQztBQWhCRCxzQ0FnQkM7QUFFRCxTQUFnQixhQUFhO0lBQzNCLE1BQU0sWUFBWSxHQUFHLElBQUEsb0JBQVcsRUFBQyxFQUFFLENBQUMsQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFDLENBQUE7SUFDcEQsT0FBTyxHQUFHLGtCQUFrQixFQUFFLElBQUksWUFBWSxFQUFFLENBQUE7QUFDbEQsQ0FBQztBQUhELHNDQUdDO0FBRUQsU0FBZ0IsZUFBZSxDQUFDLEtBQWEsRUFBRSxNQUFjO0lBQzNELE9BQU8sSUFBQSxtQkFBVSxFQUFDLFFBQVEsRUFBRSxNQUFNLENBQUMsa0JBQWtCLENBQUM7U0FDbkQsTUFBTSxDQUFDLEtBQUssQ0FBQztTQUNiLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQTtBQUNsQixDQUFDO0FBSkQsMENBSUM7QUFFRCxTQUFTLGtCQUFrQjtJQUN6QixPQUFPLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQTtBQUNoQyxDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgY3JlYXRlSG1hYywgcmFuZG9tQnl0ZXMgfSBmcm9tIFwiY3J5cHRvXCJcbmltcG9ydCB7IENvbmZpZyB9IGZyb20gXCIuL2NvbmZpZ1wiXG5cbmV4cG9ydCBmdW5jdGlvbiBjaGVja05vbmNlQWdlKFxuICBub25jZTogc3RyaW5nLFxuICBtYXhBZ2U6IG51bWJlcixcbik6IHsgY2xpZW50RXJyb3I6IHN0cmluZyB9IHwgdW5kZWZpbmVkIHtcbiAgLy8gTm9uY2Ugc2hvdWxkIG5vdCBiZSB0b28gb2xkLlxuICBjb25zdCB0aW1lc3RhbXAgPSBwYXJzZUludChub25jZS5zbGljZSgwLCBub25jZS5pbmRleE9mKFwiVFwiKSkpXG4gIGlmIChpc05hTih0aW1lc3RhbXApKSB7XG4gICAgcmV0dXJuIHtcbiAgICAgIGNsaWVudEVycm9yOiBcIkludmFsaWQgbm9uY2VcIixcbiAgICB9XG4gIH1cblxuICBpZiAodGltZXN0YW1wSW5TZWNvbmRzKCkgLSB0aW1lc3RhbXAgPiBtYXhBZ2UpIHtcbiAgICByZXR1cm4ge1xuICAgICAgY2xpZW50RXJyb3I6IGBOb25jZSBpcyB0b28gb2xkIChub25jZSBpcyBmcm9tICR7bmV3IERhdGUoXG4gICAgICAgIHRpbWVzdGFtcCAqIDEwMDAsXG4gICAgICApLnRvSVNPU3RyaW5nKCl9KWAsXG4gICAgfVxuICB9XG59XG5cbmV4cG9ydCBmdW5jdGlvbiB2YWxpZGF0ZU5vbmNlKFxuICBub25jZTogc3RyaW5nLFxuICBwcm92aWRlZEhtYWM6IHN0cmluZyxcbiAgY29uZmlnOiBDb25maWcsXG4pOiB7IGNsaWVudEVycm9yOiBzdHJpbmcgfSB8IHVuZGVmaW5lZCB7XG4gIGNvbnN0IHJlczEgPSBjaGVja05vbmNlQWdlKG5vbmNlLCBjb25maWcubm9uY2VNYXhBZ2UpXG4gIGlmIChyZXMxKSB7XG4gICAgcmV0dXJuIHJlczFcbiAgfVxuXG4gIGNvbnN0IGNhbGN1bGF0ZWRIbWFjID0gY3JlYXRlTm9uY2VIbWFjKG5vbmNlLCBjb25maWcpXG4gIGlmIChjYWxjdWxhdGVkSG1hYyAhPT0gcHJvdmlkZWRIbWFjKSB7XG4gICAgcmV0dXJuIHtcbiAgICAgIGNsaWVudEVycm9yOiBgTm9uY2Ugc2lnbmF0dXJlIG1pc21hdGNoISBFeHBlY3RlZCAke2NhbGN1bGF0ZWRIbWFjfSBidXQgZ290ICR7cHJvdmlkZWRIbWFjfWAsXG4gICAgfVxuICB9XG59XG5cbmV4cG9ydCBmdW5jdGlvbiBnZW5lcmF0ZU5vbmNlKCk6IHN0cmluZyB7XG4gIGNvbnN0IHJhbmRvbVN0cmluZyA9IHJhbmRvbUJ5dGVzKDE2KS50b1N0cmluZyhcImhleFwiKVxuICByZXR1cm4gYCR7dGltZXN0YW1wSW5TZWNvbmRzKCl9VCR7cmFuZG9tU3RyaW5nfWBcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIGNyZWF0ZU5vbmNlSG1hYyhub25jZTogc3RyaW5nLCBjb25maWc6IENvbmZpZyk6IHN0cmluZyB7XG4gIHJldHVybiBjcmVhdGVIbWFjKFwic2hhMjU2XCIsIGNvbmZpZy5ub25jZVNpZ25pbmdTZWNyZXQpXG4gICAgLnVwZGF0ZShub25jZSlcbiAgICAuZGlnZXN0KFwiaGV4XCIpXG59XG5cbmZ1bmN0aW9uIHRpbWVzdGFtcEluU2Vjb25kcygpIHtcbiAgcmV0dXJuIChEYXRlLm5vdygpIC8gMTAwMCkgfCAwXG59XG4iXX0=

package/lib/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./cloudfront-auth";
+export * from "./lambdas";

package/lib/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./cloudfront-auth"), exports);
+__exportStar(require("./lambdas"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLG9EQUFpQztBQUNqQyw0Q0FBeUIiLCJzb3VyY2VzQ29udGVudCI6WyJleHBvcnQgKiBmcm9tIFwiLi9jbG91ZGZyb250LWF1dGhcIlxuZXhwb3J0ICogZnJvbSBcIi4vbGFtYmRhc1wiXG4iXX0=

package/lib/lambdas.d.ts

@@ -0,0 +1,33 @@
+import * as lambda from "aws-cdk-lib/aws-lambda";
+import { ParameterResource } from "@henrist/cdk-cross-region-params";
+import { Construct } from "constructs";
+interface AuthLambdasProps {
+    /**
+     * List of regions this can be used in. This should contain the region
+     * where the CloudFront distribution is deployed (the CloudFormation stack).
+     */
+    regions: string[];
+    /**
+     * A nonce value that can be used to force new lambda functions
+     * to allow new versions to be created.
+     */
+    nonce?: string;
+}
+/**
+ * Lambdas used for CloudFront. Must be deployed in us-east-1.
+ *
+ * This will provision SSM Parameters the region where the CloudFront
+ * distribution is deployed from, so that it can be used cross-region.
+ */
+export declare class AuthLambdas extends Construct {
+    readonly checkAuthFn: ParameterResource<lambda.IVersion>;
+    readonly httpHeadersFn: ParameterResource<lambda.IVersion>;
+    readonly parseAuthFn: ParameterResource<lambda.IVersion>;
+    readonly refreshAuthFn: ParameterResource<lambda.IVersion>;
+    readonly signOutFn: ParameterResource<lambda.IVersion>;
+    private readonly regions;
+    private readonly nonce;
+    constructor(scope: Construct, id: string, props: AuthLambdasProps);
+    private addFunction;
+}
+export {};

package/lib/lambdas.js

@@ -0,0 +1,88 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthLambdas = void 0;
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const lambda = __importStar(require("aws-cdk-lib/aws-lambda"));
+const cdk_cross_region_params_1 = require("@henrist/cdk-cross-region-params");
+const path = __importStar(require("path"));
+const constructs_1 = require("constructs");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const isSnapshot = process.env.IS_SNAPSHOT === "true";
+/**
+ * Lambdas used for CloudFront. Must be deployed in us-east-1.
+ *
+ * This will provision SSM Parameters the region where the CloudFront
+ * distribution is deployed from, so that it can be used cross-region.
+ */
+class AuthLambdas extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const region = aws_cdk_lib_1.Stack.of(this).region;
+        this.regions = props.regions;
+        this.nonce = props.nonce;
+        if (region !== "us-east-1") {
+            throw new Error("Region must be us-east-1 due to Lambda@edge");
+        }
+        const role = new iam.Role(this, "ServiceRole", {
+            assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal("lambda.amazonaws.com"), new iam.ServicePrincipal("edgelambda.amazonaws.com")),
+            managedPolicies: [
+                iam.ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole"),
+            ],
+        });
+        this.checkAuthFn = this.addFunction("CheckAuthFunction", "check-auth", role);
+        this.httpHeadersFn = this.addFunction("HttpHeadersFunction", "http-headers", role);
+        this.parseAuthFn = this.addFunction("ParseAuthFunction", "parse-auth", role);
+        this.refreshAuthFn = this.addFunction("RefreshAuthFunction", "refresh-auth", role);
+        this.signOutFn = this.addFunction("SignOutFunction", "sign-out", role);
+    }
+    addFunction(id, assetName, role) {
+        const region = aws_cdk_lib_1.Stack.of(this).region;
+        const stackName = aws_cdk_lib_1.Stack.of(this).stackName;
+        const fn = new lambda.Function(this, id, {
+            code: process.env.NODE_ENV === "test"
+                ? lambda.Code.fromInline("snapshot-value")
+                : lambda.Code.fromAsset(path.join(__dirname, `../dist/${assetName}`)),
+            handler: "index.handler",
+            runtime: lambda.Runtime.NODEJS_16_X,
+            timeout: aws_cdk_lib_1.Duration.seconds(5),
+            role,
+            description: this.nonce == null ? undefined : `Nonce value: ${this.nonce}`,
+        });
+        if (this.node.addr === undefined) {
+            throw new Error("node.addr not found - ensure aws-cdk is up-to-update");
+        }
+        return new cdk_cross_region_params_1.ParameterResource(this, `${id}VersionParam`, {
+            nonce: isSnapshot ? "snapshot" : undefined,
+            parameterName: `/cf/region/${region}/stack/${stackName}/${this.node.addr}-${id}-function-arn`,
+            referenceToResource: (scope, id, reference) => lambda.Version.fromVersionArn(scope, id, reference),
+            regions: this.regions,
+            resource: fn.currentVersion,
+            resourceToReference: (resource) => resource.functionArn,
+        });
+    }
+}
+exports.AuthLambdas = AuthLambdas;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibGFtYmRhcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3NyYy9sYW1iZGFzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEseURBQTBDO0FBQzFDLCtEQUFnRDtBQUNoRCw4RUFBb0U7QUFDcEUsMkNBQTRCO0FBQzVCLDJDQUFzQztBQUN0Qyw2Q0FBNkM7QUFFN0MsTUFBTSxVQUFVLEdBQUcsT0FBTyxDQUFDLEdBQUcsQ0FBQyxXQUFXLEtBQUssTUFBTSxDQUFBO0FBZXJEOzs7OztHQUtHO0FBQ0gsTUFBYSxXQUFZLFNBQVEsc0JBQVM7SUFVeEMsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUF1QjtRQUMvRCxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFBO1FBRWhCLE1BQU0sTUFBTSxHQUFHLG1CQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE1BQU0sQ0FBQTtRQUNwQyxJQUFJLENBQUMsT0FBTyxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUE7UUFFNUIsSUFBSSxDQUFDLEtBQUssR0FBRyxLQUFLLENBQUMsS0FBSyxDQUFBO1FBRXhCLElBQUksTUFBTSxLQUFLLFdBQVcsRUFBRTtZQUMxQixNQUFNLElBQUksS0FBSyxDQUFDLDZDQUE2QyxDQUFDLENBQUE7U0FDL0Q7UUFFRCxNQUFNLElBQUksR0FBRyxJQUFJLEdBQUcsQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFLGFBQWEsRUFBRTtZQUM3QyxTQUFTLEVBQUUsSUFBSSxHQUFHLENBQUMsa0JBQWtCLENBQ25DLElBQUksR0FBRyxDQUFDLGdCQUFnQixDQUFDLHNCQUFzQixDQUFDLEVBQ2hELElBQUksR0FBRyxDQUFDLGdCQUFnQixDQUFDLDBCQUEwQixDQUFDLENBQ3JEO1lBQ0QsZUFBZSxFQUFFO2dCQUNmLEdBQUcsQ0FBQyxhQUFhLENBQUMsd0JBQXdCLENBQ3hDLDBDQUEwQyxDQUMzQzthQUNGO1NBQ0YsQ0FBQyxDQUFBO1FBRUYsSUFBSSxDQUFDLFdBQVcsR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLG1CQUFtQixFQUFFLFlBQVksRUFBRSxJQUFJLENBQUMsQ0FBQTtRQUM1RSxJQUFJLENBQUMsYUFBYSxHQUFHLElBQUksQ0FBQyxXQUFXLENBQ25DLHFCQUFxQixFQUNyQixjQUFjLEVBQ2QsSUFBSSxDQUNMLENBQUE7UUFDRCxJQUFJLENBQUMsV0FBVyxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsbUJBQW1CLEVBQUUsWUFBWSxFQUFFLElBQUksQ0FBQyxDQUFBO1FBQzVFLElBQUksQ0FBQyxhQUFhLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FDbkMscUJBQXFCLEVBQ3JCLGNBQWMsRUFDZCxJQUFJLENBQ0wsQ0FBQTtRQUNELElBQUksQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxpQkFBaUIsRUFBRSxVQUFVLEVBQUUsSUFBSSxDQUFDLENBQUE7SUFDeEUsQ0FBQztJQUVPLFdBQVcsQ0FBQyxFQUFVLEVBQUUsU0FBaUIsRUFBRSxJQUFlO1FBQ2hFLE1BQU0sTUFBTSxHQUFHLG1CQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE1BQU0sQ0FBQTtRQUNwQyxNQUFNLFNBQVMsR0FBRyxtQkFBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxTQUFTLENBQUE7UUFFMUMsTUFBTSxFQUFFLEdBQUcsSUFBSSxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxFQUFFLEVBQUU7WUFDdkMsSUFBSSxFQUNGLE9BQU8sQ0FBQyxHQUFHLENBQUMsUUFBUSxLQUFLLE1BQU07Z0JBQzdCLENBQUMsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxnQkFBZ0IsQ0FBQztnQkFDMUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLFdBQVcsU0FBUyxFQUFFLENBQUMsQ0FBQztZQUN6RSxPQUFPLEVBQUUsZUFBZTtZQUN4QixPQUFPLEVBQUUsTUFBTSxDQUFDLE9BQU8sQ0FBQyxXQUFXO1lBQ25DLE9BQU8sRUFBRSxzQkFBUSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUM7WUFDNUIsSUFBSTtZQUNKLFdBQVcsRUFDVCxJQUFJLENBQUMsS0FBSyxJQUFJLElBQUksQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxnQkFBZ0IsSUFBSSxDQUFDLEtBQUssRUFBRTtTQUNoRSxDQUFDLENBQUE7UUFFRixJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxLQUFLLFNBQVMsRUFBRTtZQUNoQyxNQUFNLElBQUksS0FBSyxDQUFDLHNEQUFzRCxDQUFDLENBQUE7U0FDeEU7UUFFRCxPQUFPLElBQUksMkNBQWlCLENBQWtCLElBQUksRUFBRSxHQUFHLEVBQUUsY0FBYyxFQUFFO1lBQ3ZFLEtBQUssRUFBRSxVQUFVLENBQUMsQ0FBQyxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsU0FBUztZQUMxQyxhQUFhLEVBQUUsY0FBYyxNQUFNLFVBQVUsU0FBUyxJQUFJLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxJQUFJLEVBQUUsZUFBZTtZQUM3RixtQkFBbUIsRUFBRSxDQUFDLEtBQUssRUFBRSxFQUFFLEVBQUUsU0FBUyxFQUFFLEVBQUUsQ0FDNUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxjQUFjLENBQUMsS0FBSyxFQUFFLEVBQUUsRUFBRSxTQUFTLENBQUM7WUFDckQsT0FBTyxFQUFFLElBQUksQ0FBQyxPQUFPO1lBQ3JCLFFBQVEsRUFBRSxFQUFFLENBQUMsY0FBYztZQUMzQixtQkFBbUIsRUFBRSxDQUFDLFFBQVEsRUFBRSxFQUFFLENBQUMsUUFBUSxDQUFDLFdBQVc7U0FDeEQsQ0FBQyxDQUFBO0lBQ0osQ0FBQztDQUNGO0FBaEZELGtDQWdGQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCAqIGFzIGlhbSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWlhbVwiXG5pbXBvcnQgKiBhcyBsYW1iZGEgZnJvbSBcImF3cy1jZGstbGliL2F3cy1sYW1iZGFcIlxuaW1wb3J0IHsgUGFyYW1ldGVyUmVzb3VyY2UgfSBmcm9tIFwiQGhlbnJpc3QvY2RrLWNyb3NzLXJlZ2lvbi1wYXJhbXNcIlxuaW1wb3J0ICogYXMgcGF0aCBmcm9tIFwicGF0aFwiXG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tIFwiY29uc3RydWN0c1wiXG5pbXBvcnQgeyBEdXJhdGlvbiwgU3RhY2sgfSBmcm9tIFwiYXdzLWNkay1saWJcIlxuXG5jb25zdCBpc1NuYXBzaG90ID0gcHJvY2Vzcy5lbnYuSVNfU05BUFNIT1QgPT09IFwidHJ1ZVwiXG5cbmludGVyZmFjZSBBdXRoTGFtYmRhc1Byb3BzIHtcbiAgLyoqXG4gICAqIExpc3Qgb2YgcmVnaW9ucyB0aGlzIGNhbiBiZSB1c2VkIGluLiBUaGlzIHNob3VsZCBjb250YWluIHRoZSByZWdpb25cbiAgICogd2hlcmUgdGhlIENsb3VkRnJvbnQgZGlzdHJpYnV0aW9uIGlzIGRlcGxveWVkICh0aGUgQ2xvdWRGb3JtYXRpb24gc3RhY2spLlxuICAgKi9cbiAgcmVnaW9uczogc3RyaW5nW11cbiAgLyoqXG4gICAqIEEgbm9uY2UgdmFsdWUgdGhhdCBjYW4gYmUgdXNlZCB0byBmb3JjZSBuZXcgbGFtYmRhIGZ1bmN0aW9uc1xuICAgKiB0byBhbGxvdyBuZXcgdmVyc2lvbnMgdG8gYmUgY3JlYXRlZC5cbiAgICovXG4gIG5vbmNlPzogc3RyaW5nXG59XG5cbi8qKlxuICogTGFtYmRhcyB1c2VkIGZvciBDbG91ZEZyb250LiBNdXN0IGJlIGRlcGxveWVkIGluIHVzLWVhc3QtMS5cbiAqXG4gKiBUaGlzIHdpbGwgcHJvdmlzaW9uIFNTTSBQYXJhbWV0ZXJzIHRoZSByZWdpb24gd2hlcmUgdGhlIENsb3VkRnJvbnRcbiAqIGRpc3RyaWJ1dGlvbiBpcyBkZXBsb3llZCBmcm9tLCBzbyB0aGF0IGl0IGNhbiBiZSB1c2VkIGNyb3NzLXJlZ2lvbi5cbiAqL1xuZXhwb3J0IGNsYXNzIEF1dGhMYW1iZGFzIGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgcHVibGljIHJlYWRvbmx5IGNoZWNrQXV0aEZuOiBQYXJhbWV0ZXJSZXNvdXJjZTxsYW1iZGEuSVZlcnNpb24+XG4gIHB1YmxpYyByZWFkb25seSBodHRwSGVhZGVyc0ZuOiBQYXJhbWV0ZXJSZXNvdXJjZTxsYW1iZGEuSVZlcnNpb24+XG4gIHB1YmxpYyByZWFkb25seSBwYXJzZUF1dGhGbjogUGFyYW1ldGVyUmVzb3VyY2U8bGFtYmRhLklWZXJzaW9uPlxuICBwdWJsaWMgcmVhZG9ubHkgcmVmcmVzaEF1dGhGbjogUGFyYW1ldGVyUmVzb3VyY2U8bGFtYmRhLklWZXJzaW9uPlxuICBwdWJsaWMgcmVhZG9ubHkgc2lnbk91dEZuOiBQYXJhbWV0ZXJSZXNvdXJjZTxsYW1iZGEuSVZlcnNpb24+XG5cbiAgcHJpdmF0ZSByZWFkb25seSByZWdpb25zOiBzdHJpbmdbXVxuICBwcml2YXRlIHJlYWRvbmx5IG5vbmNlOiBzdHJpbmcgfCB1bmRlZmluZWRcblxuICBjb25zdHJ1Y3RvcihzY29wZTogQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wczogQXV0aExhbWJkYXNQcm9wcykge1xuICAgIHN1cGVyKHNjb3BlLCBpZClcblxuICAgIGNvbnN0IHJlZ2lvbiA9IFN0YWNrLm9mKHRoaXMpLnJlZ2lvblxuICAgIHRoaXMucmVnaW9ucyA9IHByb3BzLnJlZ2lvbnNcblxuICAgIHRoaXMubm9uY2UgPSBwcm9wcy5ub25jZVxuXG4gICAgaWYgKHJlZ2lvbiAhPT0gXCJ1cy1lYXN0LTFcIikge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKFwiUmVnaW9uIG11c3QgYmUgdXMtZWFzdC0xIGR1ZSB0byBMYW1iZGFAZWRnZVwiKVxuICAgIH1cblxuICAgIGNvbnN0IHJvbGUgPSBuZXcgaWFtLlJvbGUodGhpcywgXCJTZXJ2aWNlUm9sZVwiLCB7XG4gICAgICBhc3N1bWVkQnk6IG5ldyBpYW0uQ29tcG9zaXRlUHJpbmNpcGFsKFxuICAgICAgICBuZXcgaWFtLlNlcnZpY2VQcmluY2lwYWwoXCJsYW1iZGEuYW1hem9uYXdzLmNvbVwiKSxcbiAgICAgICAgbmV3IGlhbS5TZXJ2aWNlUHJpbmNpcGFsKFwiZWRnZWxhbWJkYS5hbWF6b25hd3MuY29tXCIpLFxuICAgICAgKSxcbiAgICAgIG1hbmFnZWRQb2xpY2llczogW1xuICAgICAgICBpYW0uTWFuYWdlZFBvbGljeS5mcm9tQXdzTWFuYWdlZFBvbGljeU5hbWUoXG4gICAgICAgICAgXCJzZXJ2aWNlLXJvbGUvQVdTTGFtYmRhQmFzaWNFeGVjdXRpb25Sb2xlXCIsXG4gICAgICAgICksXG4gICAgICBdLFxuICAgIH0pXG5cbiAgICB0aGlzLmNoZWNrQXV0aEZuID0gdGhpcy5hZGRGdW5jdGlvbihcIkNoZWNrQXV0aEZ1bmN0aW9uXCIsIFwiY2hlY2stYXV0aFwiLCByb2xlKVxuICAgIHRoaXMuaHR0cEhlYWRlcnNGbiA9IHRoaXMuYWRkRnVuY3Rpb24oXG4gICAgICBcIkh0dHBIZWFkZXJzRnVuY3Rpb25cIixcbiAgICAgIFwiaHR0cC1oZWFkZXJzXCIsXG4gICAgICByb2xlLFxuICAgIClcbiAgICB0aGlzLnBhcnNlQXV0aEZuID0gdGhpcy5hZGRGdW5jdGlvbihcIlBhcnNlQXV0aEZ1bmN0aW9uXCIsIFwicGFyc2UtYXV0aFwiLCByb2xlKVxuICAgIHRoaXMucmVmcmVzaEF1dGhGbiA9IHRoaXMuYWRkRnVuY3Rpb24oXG4gICAgICBcIlJlZnJlc2hBdXRoRnVuY3Rpb25cIixcbiAgICAgIFwicmVmcmVzaC1hdXRoXCIsXG4gICAgICByb2xlLFxuICAgIClcbiAgICB0aGlzLnNpZ25PdXRGbiA9IHRoaXMuYWRkRnVuY3Rpb24oXCJTaWduT3V0RnVuY3Rpb25cIiwgXCJzaWduLW91dFwiLCByb2xlKVxuICB9XG5cbiAgcHJpdmF0ZSBhZGRGdW5jdGlvbihpZDogc3RyaW5nLCBhc3NldE5hbWU6IHN0cmluZywgcm9sZTogaWFtLklSb2xlKSB7XG4gICAgY29uc3QgcmVnaW9uID0gU3RhY2sub2YodGhpcykucmVnaW9uXG4gICAgY29uc3Qgc3RhY2tOYW1lID0gU3RhY2sub2YodGhpcykuc3RhY2tOYW1lXG5cbiAgICBjb25zdCBmbiA9IG5ldyBsYW1iZGEuRnVuY3Rpb24odGhpcywgaWQsIHtcbiAgICAgIGNvZGU6XG4gICAgICAgIHByb2Nlc3MuZW52Lk5PREVfRU5WID09PSBcInRlc3RcIlxuICAgICAgICAgID8gbGFtYmRhLkNvZGUuZnJvbUlubGluZShcInNuYXBzaG90LXZhbHVlXCIpXG4gICAgICAgICAgOiBsYW1iZGEuQ29kZS5mcm9tQXNzZXQocGF0aC5qb2luKF9fZGlybmFtZSwgYC4uL2Rpc3QvJHthc3NldE5hbWV9YCkpLFxuICAgICAgaGFuZGxlcjogXCJpbmRleC5oYW5kbGVyXCIsXG4gICAgICBydW50aW1lOiBsYW1iZGEuUnVudGltZS5OT0RFSlNfMTZfWCxcbiAgICAgIHRpbWVvdXQ6IER1cmF0aW9uLnNlY29uZHMoNSksXG4gICAgICByb2xlLFxuICAgICAgZGVzY3JpcHRpb246XG4gICAgICAgIHRoaXMubm9uY2UgPT0gbnVsbCA/IHVuZGVmaW5lZCA6IGBOb25jZSB2YWx1ZTogJHt0aGlzLm5vbmNlfWAsXG4gICAgfSlcblxuICAgIGlmICh0aGlzLm5vZGUuYWRkciA9PT0gdW5kZWZpbmVkKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoXCJub2RlLmFkZHIgbm90IGZvdW5kIC0gZW5zdXJlIGF3cy1jZGsgaXMgdXAtdG8tdXBkYXRlXCIpXG4gICAgfVxuXG4gICAgcmV0dXJuIG5ldyBQYXJhbWV0ZXJSZXNvdXJjZTxsYW1iZGEuSVZlcnNpb24+KHRoaXMsIGAke2lkfVZlcnNpb25QYXJhbWAsIHtcbiAgICAgIG5vbmNlOiBpc1NuYXBzaG90ID8gXCJzbmFwc2hvdFwiIDogdW5kZWZpbmVkLFxuICAgICAgcGFyYW1ldGVyTmFtZTogYC9jZi9yZWdpb24vJHtyZWdpb259L3N0YWNrLyR7c3RhY2tOYW1lfS8ke3RoaXMubm9kZS5hZGRyfS0ke2lkfS1mdW5jdGlvbi1hcm5gLFxuICAgICAgcmVmZXJlbmNlVG9SZXNvdXJjZTogKHNjb3BlLCBpZCwgcmVmZXJlbmNlKSA9PlxuICAgICAgICBsYW1iZGEuVmVyc2lvbi5mcm9tVmVyc2lvbkFybihzY29wZSwgaWQsIHJlZmVyZW5jZSksXG4gICAgICByZWdpb25zOiB0aGlzLnJlZ2lvbnMsXG4gICAgICByZXNvdXJjZTogZm4uY3VycmVudFZlcnNpb24sXG4gICAgICByZXNvdXJjZVRvUmVmZXJlbmNlOiAocmVzb3VyY2UpID0+IHJlc291cmNlLmZ1bmN0aW9uQXJuLFxuICAgIH0pXG4gIH1cbn1cbiJdfQ==

package/package.json

@@ -0,0 +1,75 @@
+{
+  "name": "@liflig/cdk-cloudfront-auth",
+  "version": "1.0.0",
+  "description": "CDK Constructs for adding authentication for a CloudFront Distribution",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/capralifecycle/cdk-cloudfront-auth"
+  },
+  "scripts": {
+    "build": "rimraf dist && webpack && tsc",
+    "watch": "tsc -w",
+    "test": "jest",
+    "lint": "eslint .",
+    "lint:fix": "eslint --fix .",
+    "prepare": "npm run build && husky install",
+    "semantic-release": "semantic-release"
+  },
+  "keywords": [
+    "cdk",
+    "cloudfront",
+    "authentication"
+  ],
+  "license": "MIT",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "files": [
+    "dist/**/*",
+    "lib/**/*"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "@aws-cdk/assert": "2.68.0",
+    "@commitlint/cli": "17.6.7",
+    "@commitlint/config-conventional": "17.6.7",
+    "@types/aws-lambda": "8.10.136",
+    "@types/cookie": "0.5.1",
+    "@types/jest": "29.5.3",
+    "@types/jsonwebtoken": "8.5.9",
+    "@types/node": "18.17.3",
+    "@typescript-eslint/eslint-plugin": "5.62.0",
+    "@typescript-eslint/parser": "5.62.0",
+    "aws-cdk-lib": "2.76.0",
+    "aws-sdk": "2.1430.0",
+    "axios": "1.6.0",
+    "constructs": "10.2.69",
+    "cookie": "0.5.0",
+    "eslint": "8.46.0",
+    "eslint-config-prettier": "8.10.0",
+    "eslint-plugin-prettier": "4.2.1",
+    "html-loader": "4.2.0",
+    "husky": "8.0.3",
+    "jest": "29.6.2",
+    "jest-cdk-snapshot": "2.0.1",
+    "jsonwebtoken": "9.0.0",
+    "jwks-rsa": "3.0.1",
+    "prettier": "2.8.8",
+    "rimraf": "3.0.2",
+    "semantic-release": "19.0.5",
+    "ts-jest": "29.1.1",
+    "ts-loader": "9.4.4",
+    "ts-node": "10.9.1",
+    "typescript": "4.9.5",
+    "webpack": "5.88.2",
+    "webpack-cli": "4.10.0"
+  },
+  "dependencies": {
+    "@henrist/cdk-cross-region-params": "^2.0.0",
+    "@liflig/cdk-lambda-config": "1.1.1"
+  },
+  "peerDependencies": {
+    "aws-cdk-lib": "^2.0.0"
+  }
+}