@liflig/cdk-cloudfront-auth 1.10.4 → 1.10.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/check-auth/index.js +1 -1
- package/dist/http-headers/index.js +1 -1
- package/dist/parse-auth/index.js +1 -1
- package/dist/refresh-auth/index.js +1 -1
- package/dist/sign-out/index.js +1 -1
- package/lib/handlers/util/config.js +2 -2
- package/lib/handlers/util/jwt.js +6 -1
- package/package.json +3 -3
package/dist/check-auth/index.js
CHANGED
|
@@ -24,4 +24,4 @@ var VW=Object.create;var{getPrototypeOf:MW,defineProperty:Ft,getOwnPropertyNames
|
|
|
24
24
|
</p>
|
|
25
25
|
</body>
|
|
26
26
|
</html>
|
|
27
|
-
`;var qh=require("node:fs"),Dc=kt(require("node:path")),_h=require("node:url"),Kh=kt(vr(),1);var xr;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(xr||={});class Lr{logLevel;constructor(t){this.logLevel=t}jsonify(t){return t.map((c)=>{if(typeof c==="object")try{return JSON.stringify(c)}catch{return c}return c})}info(...t){if(this.logLevel>=30)console.log(...this.jsonify(t))}warn(...t){if(this.logLevel>=20)console.warn(...this.jsonify(t))}error(...t){if(this.logLevel>=10)console.error(...this.jsonify(t))}debug(...t){if(this.logLevel>=40)console.trace(...this.jsonify(t))}}var oW=_h.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),UW=Dc.dirname(oW);function sr(){let c=process.env.LAMBDA_TASK_ROOT||UW,u=Dc.join(c,"config.json");console.log("Loading config from",u);let r=JSON.parse(qh.readFileSync(u,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(r.userPoolId)[1]}.amazonaws.com/${r.userPoolId}`,d=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(Kh.parse(r.cookieSettings.nonce.toLowerCase())["max-age"],10)||86400,...r,tokenIssuer:f,tokenJwksUri:d,logger:new Lr(xr[r.logLevel])}}function lW(t){return Object.entries(t).reduce((c,[u,r])=>Object.assign(c,{[u.toLowerCase()]:[{key:u,value:r}]}),{})}function mr(t,c){let u=c?.cookies?{"set-cookie":c.cookies.map((r)=>({key:"set-cookie",value:r}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:t}],...u}}}function Wh(t){return{body:QW(t),status:t.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function QW(t){let c={...t,region:process.env.AWS_REGION};return rh.replace(/\${([^}]*)}/g,(u,r)=>c[r]||"")}function Jh(t,c){if(!c)throw Error("Expected response value");return{...c,headers:{...c.headers??{},...lW(t.httpHeaders)}}}function wh(t){let c;return async(u)=>{if(!c)c=sr();c.logger.debug("Handling event:",u);let r=Jh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}function GZ(t){let c;return async(u)=>{if(!c)c=sr();c.logger.debug("Handling event:",u);let r=Jh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}var ZW=kt(vr(),1);var Ud=kt(s6(),1),GW=kt(OW(),1),od;function nZ(t){return"rsaPublicKey"in t}async function fZ(t,c){if(!od)od=GW.default({cache:!0,rateLimit:!0,jwksUri:t});let u=await od.getSigningKey(c);return nZ(u)?u.rsaPublicKey:u.publicKey}async function IW(t,c,u,r){let n=Ud.default.decode(t,{complete:!0});if(!n||typeof n==="string")return{validationError:Error("Cannot parse JWT token")};let f=n.header.kid
|
|
27
|
+
`;var qh=require("node:fs"),Dc=kt(require("node:path")),_h=require("node:url"),Kh=kt(vr(),1);var xr;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(xr||={});class Lr{logLevel;constructor(t){this.logLevel=t}jsonify(t){return t.map((c)=>{if(typeof c==="object")try{return JSON.stringify(c)}catch{return c}return c})}info(...t){if(this.logLevel>=30)console.log(...this.jsonify(t))}warn(...t){if(this.logLevel>=20)console.warn(...this.jsonify(t))}error(...t){if(this.logLevel>=10)console.error(...this.jsonify(t))}debug(...t){if(this.logLevel>=40)console.trace(...this.jsonify(t))}}var oW=_h.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),UW=Dc.dirname(oW);function sr(){let c=process.env.LAMBDA_TASK_ROOT||UW,u=Dc.join(c,"config.json");console.log("Loading config from",u);let r=JSON.parse(qh.readFileSync(u,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(r.userPoolId)[1]}.amazonaws.com/${r.userPoolId}`,d=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(Kh.parse(r.cookieSettings.nonce.toLowerCase())["max-age"]??"",10)||86400,...r,tokenIssuer:f,tokenJwksUri:d,logger:new Lr(xr[r.logLevel])}}function lW(t){return Object.entries(t).reduce((c,[u,r])=>Object.assign(c,{[u.toLowerCase()]:[{key:u,value:r}]}),{})}function mr(t,c){let u=c?.cookies?{"set-cookie":c.cookies.map((r)=>({key:"set-cookie",value:r}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:t}],...u}}}function Wh(t){return{body:QW(t),status:t.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function QW(t){let c={...t,region:process.env.AWS_REGION};return rh.replace(/\${([^}]*)}/g,(u,r)=>c[r]||"")}function Jh(t,c){if(!c)throw Error("Expected response value");return{...c,headers:{...c.headers??{},...lW(t.httpHeaders)}}}function wh(t){let c;return async(u)=>{if(!c)c=sr();c.logger.debug("Handling event:",u);let r=Jh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}function GZ(t){let c;return async(u)=>{if(!c)c=sr();c.logger.debug("Handling event:",u);let r=Jh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}var ZW=kt(vr(),1);var Ud=kt(s6(),1),GW=kt(OW(),1),od;function nZ(t){return"rsaPublicKey"in t}async function fZ(t,c){if(!od)od=GW.default({cache:!0,rateLimit:!0,jwksUri:t});let u=await od.getSigningKey(c);return nZ(u)?u.rsaPublicKey:u.publicKey}async function IW(t,c,u,r){let n=Ud.default.decode(t,{complete:!0});if(!n||typeof n==="string")return{validationError:Error("Cannot parse JWT token")};let f=n.header.kid;if(!f)return{validationError:Error("JWT header is missing 'kid' claim")};let d=await fZ(c,f);if(d instanceof Error)return{validationError:d};let h={audience:r,issuer:u,ignoreExpiration:!1};return new Promise((q)=>Ud.default.verify(t,d,h,(_)=>_?q({validationError:_}):q(void 0)))}function Nr(t){let u=t.split(".")[1].replace(/-/g,"+").replace(/_/g,"/");return JSON.parse(Buffer.from(u,"base64").toString())}function dZ(t){if(!t.cookie)return{};return t.cookie.reduce((u,r)=>({...u,...ZW.parse(r.value)}),{})}function Wt(t,c){if(c.toLowerCase().indexOf("domain")===-1)return`${c}; Domain=.${t}`;return c}function XW(t,c){let u=dZ(t);if(!u)return{};let r=`CognitoIdentityServiceProvider.${c}`,n=u[`${r}.LastAuthUser`];return{tokenUserName:n,idToken:u[`${r}.${n??""}.idToken`],accessToken:u[`${r}.${n??""}.accessToken`],refreshToken:u[`${r}.${n??""}.refreshToken`],scopes:u[`${r}.${n??""}.tokenScopesString`],nonce:u["spa-auth-edge-nonce"],nonceHmac:u["spa-auth-edge-nonce-hmac"],pkce:u["spa-auth-edge-pkce"]}}function cz(t){let c=Nr(t.tokens.idToken),u=c["cognito:username"],r=`CognitoIdentityServiceProvider.${t.clientId}`,n=`${r}.${u}.idToken`,f=`${r}.${u}.accessToken`,d=`${r}.${u}.refreshToken`,h=`${r}.LastAuthUser`,q=`${r}.${u}.tokenScopesString`,_=t.oauthScopes.join(" "),W=`${r}.${u}.userData`,J=JSON.stringify({UserAttributes:[{Name:"sub",Value:c.sub},{Name:"email",Value:c.email}],Username:u}),$={[n]:`${t.tokens.idToken}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,[f]:`${t.tokens.accessToken}; ${Wt(t.domainName,t.cookieSettings.accessToken)}`,[d]:`${t.tokens.refreshToken}; ${Wt(t.domainName,t.cookieSettings.refreshToken)}`,[h]:`${u}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,[q]:`${_}; ${Wt(t.domainName,t.cookieSettings.accessToken)}`,[W]:`${encodeURIComponent(J)}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,"amplify-signin-with-hostedUI":`true; ${Wt(t.domainName,t.cookieSettings.accessToken)}`};if(t.event==="signOut")Object.keys($).forEach((w)=>$[w]=ld($[w]));else if(t.event==="refreshFailed")$[d]=ld($[d]);return["spa-auth-edge-nonce","spa-auth-edge-nonce-hmac","spa-auth-edge-pkce"].forEach((w)=>{$[w]=ld($[w])}),Object.entries($).map(([w,P])=>`${w}=${P}`)}function ld(t=""){let c=t.split(";").map((r)=>r.trim()).filter((r)=>!r.toLowerCase().startsWith("max-age")).filter((r)=>!r.toLowerCase().startsWith("expires")),u=`Expires=${new Date(0).toUTCString()}`;return["",...c.slice(1),u].join("; ")}var Tr=require("node:crypto");function hZ(t,c){let u=Number.parseInt(t.slice(0,t.indexOf("T")),10);if(Number.isNaN(u))return{clientError:"Invalid nonce"};if(EW()-u>c)return{clientError:`Nonce is too old (nonce is from ${new Date(u*1000).toISOString()})`}}function rz(t,c,u){let r=hZ(t,u.nonceMaxAge);if(r)return r;let n=er(t,u);if(n!==c)return{clientError:`Nonce signature mismatch! Expected ${n} but got ${c}`}}function Qd(){let t=Tr.randomBytes(16).toString("hex");return`${EW()}T${t}`}function er(t,c){return Tr.createHmac("sha256",c.nonceSigningSecret).update(t).digest("hex")}function EW(){return Date.now()/1000|0}var qZ=wh(async(t,c)=>{let u=c.Records[0].cf.request,r=u.headers.host[0].value,n=`${u.uri}${u.querystring?`?${u.querystring}`:""}`,{idToken:f,refreshToken:d,nonce:h,nonceHmac:q}=XW(u.headers,t.clientId);if(t.logger.debug("Extracted cookies:",{idToken:f,refreshToken:d,nonce:h,nonceHmac:q}),!f)return YW({config:t,domainName:r,requestedUri:n});let _=Nr(f),{exp:W}=_;if(t.logger.debug("ID token exp:",W,new Date(W*1000).toISOString()),Date.now()/1000>W-600&&d)return _Z({config:t,domainName:r,requestedUri:n});t.logger.info("Validating JWT");let J=await IW(f,t.tokenJwksUri,t.tokenIssuer,t.clientId);if(J!==void 0)return t.logger.debug("ID token not valid:",J.validationError),YW({config:t,domainName:r,requestedUri:n});if(t.logger.info("JWT is valid"),!zW(t,_))return Wh({title:"Not authorized",statusCode:"403",message:"You are not authorized for this resource.",details:"Your sign in was successful, but your user is not allowed to access this resource.",linkHref:`https://${r}${t.signOutPath}`,linkText:"Sign out"});return u});function zW(t,c){if(t.requireGroupAnyOf){let u=c["cognito:groups"]||[];if(!t.requireGroupAnyOf.some((r)=>u.includes(r)))return!1}return!0}function _Z({config:t,domainName:c,requestedUri:u}){t.logger.info("Redirecting to refresh endpoint");let r=Qd(),n=new URLSearchParams({requestedUri:u,nonce:r}).toString();return mr(`https://${c}${t.refreshAuthPath}?${n}`,{cookies:[`spa-auth-edge-nonce=${encodeURIComponent(r)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-nonce-hmac=${encodeURIComponent(er(r,t))}; ${t.cookieSettings.nonce}`]})}function YW({config:t,domainName:c,requestedUri:u}){let r=Qd(),n={nonce:r,nonceHmac:er(r,t),...KZ(t)};t.logger.debug("Using new state:",n);let f=new URLSearchParams({redirect_uri:`https://${c}${t.callbackPath}`,response_type:"code",client_id:t.clientId,state:br(Buffer.from(JSON.stringify({nonce:n.nonce,requestedUri:u})).toString("base64")),scope:t.oauthScopes.join(" "),code_challenge_method:"S256",code_challenge:n.pkceHash}).toString();return mr(`https://${t.cognitoAuthDomain}/oauth2/authorize?${f}`,{cookies:[`spa-auth-edge-nonce=${encodeURIComponent(n.nonce)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-nonce-hmac=${encodeURIComponent(n.nonceHmac)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-pkce=${encodeURIComponent(n.pkce)}; ${t.cookieSettings.nonce}`]})}function KZ(t){let c=Dr.randomBytes(26).toString("hex"),u={pkce:c,pkceHash:br(Dr.createHash("sha256").update(c,"utf8").digest("base64"))};return t.logger.debug("Generated PKCE verifier:",u),u}
|
|
@@ -18,4 +18,4 @@ var L=Object.create;var{getPrototypeOf:m,defineProperty:C,getOwnPropertyNames:W,
|
|
|
18
18
|
</p>
|
|
19
19
|
</body>
|
|
20
20
|
</html>
|
|
21
|
-
`;var A=require("node:fs"),$=B(require("node:path")),M=require("node:url"),N=B(Z(),1);var a;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(a||={});class j{logLevel;constructor(u){this.logLevel=u}jsonify(u){return u.map((t)=>{if(typeof t==="object")try{return JSON.stringify(t)}catch{return t}return t})}info(...u){if(this.logLevel>=30)console.log(...this.jsonify(u))}warn(...u){if(this.logLevel>=20)console.warn(...this.jsonify(u))}error(...u){if(this.logLevel>=10)console.error(...this.jsonify(u))}debug(...u){if(this.logLevel>=40)console.trace(...this.jsonify(u))}}var hu=M.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),Hu=$.dirname(hu);function E(){let t=process.env.LAMBDA_TASK_ROOT||Hu,r=$.join(t,"config.json");console.log("Loading config from",r);let n=JSON.parse(A.readFileSync(r,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(n.userPoolId)[1]}.amazonaws.com/${n.userPoolId}`,g=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(N.parse(n.cookieSettings.nonce.toLowerCase())["max-age"],10)||86400,...n,tokenIssuer:f,tokenJwksUri:g,logger:new j(a[n.logLevel])}}function Ru(u){return Object.entries(u).reduce((t,[r,n])=>Object.assign(t,{[r.toLowerCase()]:[{key:r,value:n}]}),{})}function au(u,t){let r=t?.cookies?{"set-cookie":t.cookies.map((n)=>({key:"set-cookie",value:n}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:u}],...r}}}function ju(u){return{body:Fu(u),status:u.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function Fu(u){let t={...u,region:process.env.AWS_REGION};return J.replace(/\${([^}]*)}/g,(r,n)=>t[n]||"")}function U(u,t){if(!t)throw Error("Expected response value");return{...t,headers:{...t.headers??{},...Ru(u.httpHeaders)}}}function Eu(u){let t;return async(r)=>{if(!t)t=E();t.logger.debug("Handling event:",r);let n=U(t,await u(t,r));return t.logger.debug("Returning response:",n),n}}function V(u){let t;return async(r)=>{if(!t)t=E();t.logger.debug("Handling event:",r);let n=U(t,await u(t,r));return t.logger.debug("Returning response:",n),n}}var yu=V(async(u,t)=>t.Records[0].cf.response);
|
|
21
|
+
`;var A=require("node:fs"),$=B(require("node:path")),M=require("node:url"),N=B(Z(),1);var a;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(a||={});class j{logLevel;constructor(u){this.logLevel=u}jsonify(u){return u.map((t)=>{if(typeof t==="object")try{return JSON.stringify(t)}catch{return t}return t})}info(...u){if(this.logLevel>=30)console.log(...this.jsonify(u))}warn(...u){if(this.logLevel>=20)console.warn(...this.jsonify(u))}error(...u){if(this.logLevel>=10)console.error(...this.jsonify(u))}debug(...u){if(this.logLevel>=40)console.trace(...this.jsonify(u))}}var hu=M.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),Hu=$.dirname(hu);function E(){let t=process.env.LAMBDA_TASK_ROOT||Hu,r=$.join(t,"config.json");console.log("Loading config from",r);let n=JSON.parse(A.readFileSync(r,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(n.userPoolId)[1]}.amazonaws.com/${n.userPoolId}`,g=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(N.parse(n.cookieSettings.nonce.toLowerCase())["max-age"]??"",10)||86400,...n,tokenIssuer:f,tokenJwksUri:g,logger:new j(a[n.logLevel])}}function Ru(u){return Object.entries(u).reduce((t,[r,n])=>Object.assign(t,{[r.toLowerCase()]:[{key:r,value:n}]}),{})}function au(u,t){let r=t?.cookies?{"set-cookie":t.cookies.map((n)=>({key:"set-cookie",value:n}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:u}],...r}}}function ju(u){return{body:Fu(u),status:u.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function Fu(u){let t={...u,region:process.env.AWS_REGION};return J.replace(/\${([^}]*)}/g,(r,n)=>t[n]||"")}function U(u,t){if(!t)throw Error("Expected response value");return{...t,headers:{...t.headers??{},...Ru(u.httpHeaders)}}}function Eu(u){let t;return async(r)=>{if(!t)t=E();t.logger.debug("Handling event:",r);let n=U(t,await u(t,r));return t.logger.debug("Returning response:",n),n}}function V(u){let t;return async(r)=>{if(!t)t=E();t.logger.debug("Handling event:",r);let n=U(t,await u(t,r));return t.logger.debug("Returning response:",n),n}}var yu=V(async(u,t)=>t.Records[0].cf.response);
|
package/dist/parse-auth/index.js
CHANGED
|
@@ -44,4 +44,4 @@ var x6=Object.create;var{getPrototypeOf:f6,defineProperty:ta,getOwnPropertyNames
|
|
|
44
44
|
</p>
|
|
45
45
|
</body>
|
|
46
46
|
</html>
|
|
47
|
-
`;var n1=require("node:fs"),je=ei(require("node:path")),c1=require("node:url"),a1=ei(Qt(),1);var io;((s)=>{s[s.none=0]="none";s[s.error=10]="error";s[s.warn=20]="warn";s[s.info=30]="info";s[s.debug=40]="debug"})(io||={});class no{logLevel;constructor(i){this.logLevel=i}jsonify(i){return i.map((n)=>{if(typeof n==="object")try{return JSON.stringify(n)}catch{return n}return n})}info(...i){if(this.logLevel>=30)console.log(...this.jsonify(i))}warn(...i){if(this.logLevel>=20)console.warn(...this.jsonify(i))}error(...i){if(this.logLevel>=10)console.error(...this.jsonify(i))}debug(...i){if(this.logLevel>=40)console.trace(...this.jsonify(i))}}var jW=c1.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),DW=je.dirname(jW);function co(){let n=process.env.LAMBDA_TASK_ROOT||DW,c=je.join(n,"config.json");console.log("Loading config from",c);let a=JSON.parse(n1.readFileSync(c,"utf-8")),s=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(a.userPoolId)[1]}.amazonaws.com/${a.userPoolId}`,p=`${s}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(a1.parse(a.cookieSettings.nonce.toLowerCase())["max-age"],10)||86400,...a,tokenIssuer:s,tokenJwksUri:p,logger:new no(io[a.logLevel])}}function TW(i){return Object.entries(i).reduce((n,[c,a])=>Object.assign(n,{[c.toLowerCase()]:[{key:c,value:a}]}),{})}function ao(i,n){let c=n?.cookies?{"set-cookie":n.cookies.map((a)=>({key:"set-cookie",value:a}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:i}],...c}}}function e1(i){return{body:LW(i),status:i.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function LW(i){let n={...i,region:process.env.AWS_REGION};return Fx.replace(/\${([^}]*)}/g,(c,a)=>n[a]||"")}function s1(i,n){if(!n)throw Error("Expected response value");return{...n,headers:{...n.headers??{},...TW(i.httpHeaders)}}}function p1(i){let n;return async(c)=>{if(!n)n=co();n.logger.debug("Handling event:",c);let a=s1(n,await i(n,c));return n.logger.debug("Returning response:",a),a}}function VC(i){let n;return async(c)=>{if(!n)n=co();n.logger.debug("Handling event:",c);let a=s1(n,await i(n,c));return n.logger.debug("Returning response:",a),a}}var u6=ei(Qt(),1);var ad=ei(Ah(),1),p6=ei(s6(),1),cd;function YH(i){return"rsaPublicKey"in i}async function IH(i,n){if(!cd)cd=p6.default({cache:!0,rateLimit:!0,jwksUri:i});let c=await cd.getSigningKey(n);return YH(c)?c.rsaPublicKey:c.publicKey}async function t6(i,n,c,a){let e=ad.default.decode(i,{complete:!0});if(!e||typeof e==="string")return{validationError:Error("Cannot parse JWT token")};let s=e.header.kid
|
|
47
|
+
`;var n1=require("node:fs"),je=ei(require("node:path")),c1=require("node:url"),a1=ei(Qt(),1);var io;((s)=>{s[s.none=0]="none";s[s.error=10]="error";s[s.warn=20]="warn";s[s.info=30]="info";s[s.debug=40]="debug"})(io||={});class no{logLevel;constructor(i){this.logLevel=i}jsonify(i){return i.map((n)=>{if(typeof n==="object")try{return JSON.stringify(n)}catch{return n}return n})}info(...i){if(this.logLevel>=30)console.log(...this.jsonify(i))}warn(...i){if(this.logLevel>=20)console.warn(...this.jsonify(i))}error(...i){if(this.logLevel>=10)console.error(...this.jsonify(i))}debug(...i){if(this.logLevel>=40)console.trace(...this.jsonify(i))}}var jW=c1.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),DW=je.dirname(jW);function co(){let n=process.env.LAMBDA_TASK_ROOT||DW,c=je.join(n,"config.json");console.log("Loading config from",c);let a=JSON.parse(n1.readFileSync(c,"utf-8")),s=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(a.userPoolId)[1]}.amazonaws.com/${a.userPoolId}`,p=`${s}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(a1.parse(a.cookieSettings.nonce.toLowerCase())["max-age"]??"",10)||86400,...a,tokenIssuer:s,tokenJwksUri:p,logger:new no(io[a.logLevel])}}function TW(i){return Object.entries(i).reduce((n,[c,a])=>Object.assign(n,{[c.toLowerCase()]:[{key:c,value:a}]}),{})}function ao(i,n){let c=n?.cookies?{"set-cookie":n.cookies.map((a)=>({key:"set-cookie",value:a}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:i}],...c}}}function e1(i){return{body:LW(i),status:i.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function LW(i){let n={...i,region:process.env.AWS_REGION};return Fx.replace(/\${([^}]*)}/g,(c,a)=>n[a]||"")}function s1(i,n){if(!n)throw Error("Expected response value");return{...n,headers:{...n.headers??{},...TW(i.httpHeaders)}}}function p1(i){let n;return async(c)=>{if(!n)n=co();n.logger.debug("Handling event:",c);let a=s1(n,await i(n,c));return n.logger.debug("Returning response:",a),a}}function VC(i){let n;return async(c)=>{if(!n)n=co();n.logger.debug("Handling event:",c);let a=s1(n,await i(n,c));return n.logger.debug("Returning response:",a),a}}var u6=ei(Qt(),1);var ad=ei(Ah(),1),p6=ei(s6(),1),cd;function YH(i){return"rsaPublicKey"in i}async function IH(i,n){if(!cd)cd=p6.default({cache:!0,rateLimit:!0,jwksUri:i});let c=await cd.getSigningKey(n);return YH(c)?c.rsaPublicKey:c.publicKey}async function t6(i,n,c,a){let e=ad.default.decode(i,{complete:!0});if(!e||typeof e==="string")return{validationError:Error("Cannot parse JWT token")};let s=e.header.kid;if(!s)return{validationError:Error("JWT header is missing 'kid' claim")};let p=await IH(n,s);if(p instanceof Error)return{validationError:p};let t={audience:a,issuer:c,ignoreExpiration:!1};return new Promise((o)=>ad.default.verify(i,p,t,(u)=>u?o({validationError:u}):o(void 0)))}function o6(i){let c=i.split(".")[1].replace(/-/g,"+").replace(/_/g,"/");return JSON.parse(Buffer.from(c,"base64").toString())}function PH(i){if(!i.cookie)return{};return i.cookie.reduce((c,a)=>({...c,...u6.parse(a.value)}),{})}function mc(i,n){if(n.toLowerCase().indexOf("domain")===-1)return`${n}; Domain=.${i}`;return n}function r6(i,n){let c=PH(i);if(!c)return{};let a=`CognitoIdentityServiceProvider.${n}`,e=c[`${a}.LastAuthUser`];return{tokenUserName:e,idToken:c[`${a}.${e??""}.idToken`],accessToken:c[`${a}.${e??""}.accessToken`],refreshToken:c[`${a}.${e??""}.refreshToken`],scopes:c[`${a}.${e??""}.tokenScopesString`],nonce:c["spa-auth-edge-nonce"],nonceHmac:c["spa-auth-edge-nonce-hmac"],pkce:c["spa-auth-edge-pkce"]}}function d6(i){let n=o6(i.tokens.idToken),c=n["cognito:username"],a=`CognitoIdentityServiceProvider.${i.clientId}`,e=`${a}.${c}.idToken`,s=`${a}.${c}.accessToken`,p=`${a}.${c}.refreshToken`,t=`${a}.LastAuthUser`,o=`${a}.${c}.tokenScopesString`,u=i.oauthScopes.join(" "),r=`${a}.${c}.userData`,m=JSON.stringify({UserAttributes:[{Name:"sub",Value:n.sub},{Name:"email",Value:n.email}],Username:c}),f={[e]:`${i.tokens.idToken}; ${mc(i.domainName,i.cookieSettings.idToken)}`,[s]:`${i.tokens.accessToken}; ${mc(i.domainName,i.cookieSettings.accessToken)}`,[p]:`${i.tokens.refreshToken}; ${mc(i.domainName,i.cookieSettings.refreshToken)}`,[t]:`${c}; ${mc(i.domainName,i.cookieSettings.idToken)}`,[o]:`${u}; ${mc(i.domainName,i.cookieSettings.accessToken)}`,[r]:`${encodeURIComponent(m)}; ${mc(i.domainName,i.cookieSettings.idToken)}`,"amplify-signin-with-hostedUI":`true; ${mc(i.domainName,i.cookieSettings.accessToken)}`};if(i.event==="signOut")Object.keys(f).forEach((x)=>f[x]=ed(f[x]));else if(i.event==="refreshFailed")f[p]=ed(f[p]);return["spa-auth-edge-nonce","spa-auth-edge-nonce-hmac","spa-auth-edge-pkce"].forEach((x)=>{f[x]=ed(f[x])}),Object.entries(f).map(([x,v])=>`${x}=${v}`)}function ed(i=""){let n=i.split(";").map((a)=>a.trim()).filter((a)=>!a.toLowerCase().startsWith("max-age")).filter((a)=>!a.toLowerCase().startsWith("expires")),c=`Expires=${new Date(0).toUTCString()}`;return["",...n.slice(1),c].join("; ")}var Ap=require("node:crypto");function HH(i,n){let c=Number.parseInt(i.slice(0,i.indexOf("T")),10);if(Number.isNaN(c))return{clientError:"Invalid nonce"};if(l6()-c>n)return{clientError:`Nonce is too old (nonce is from ${new Date(c*1000).toISOString()})`}}function m6(i,n,c){let a=HH(i,c.nonceMaxAge);if(a)return a;let e=yH(i,c);if(e!==n)return{clientError:`Nonce signature mismatch! Expected ${e} but got ${n}`}}function xE(){let i=Ap.randomBytes(16).toString("hex");return`${l6()}T${i}`}function yH(i,n){return Ap.createHmac("sha256",n.nonceSigningSecret).update(i).digest("hex")}function l6(){return Date.now()/1000|0}var AH=p1(async(i,n)=>{let c=n.Records[0].cf.request,a=c.headers.host[0].value,e=`https://${a}`,s,p=r6(c.headers,i.clientId);s=p.idToken;let t=OH({config:i,querystring:c.querystring,cookies:p});if("clientError"in t)return sd({error:t.clientError,errorType:"client",config:i,redirectedFromUri:e,idToken:s});if("technicalError"in t)return sd({error:t.technicalError,errorType:"server",config:i,redirectedFromUri:e,idToken:s});let{code:o,pkce:u,requestedUri:r}=t;i.logger.debug("Query string and cookies are valid"),e+=r;let m=await CH({config:i,domainName:a,code:o,pkce:u});if("error"in m)return sd({error:m.error,errorType:"server",config:i,redirectedFromUri:e,idToken:s});return ao(e,{cookies:d6({event:"newTokens",tokens:m,domainName:a,...i})})});async function sd({error:i,errorType:n,config:c,idToken:a,redirectedFromUri:e}){if(n==="client")c.logger.warn(i);else c.logger.error(i);if(a){c.logger.debug("ID token found, will check if it is valid"),c.logger.info("Validating JWT ...");let s=await t6(a,c.tokenJwksUri,c.tokenIssuer,c.clientId);if(s!==void 0)c.logger.debug("ID token not valid:",s.validationError);return c.logger.info("JWT is valid"),ao(e)}return e1({title:"Sign-in issue",message:"We can't sign you in because of a technical problem",details:n==="client"?i:"Contact administrator",linkHref:e,linkText:"Retry",statusCode:"503"})}async function CH({config:i,domainName:n,code:c,pkce:a}){let e=`https://${i.cognitoAuthDomain}/oauth2/token`,s=new URLSearchParams({grant_type:"authorization_code",client_id:i.clientId,redirect_uri:`https://${n}${i.callbackPath}`,code:c,code_verifier:a}).toString(),p={headers:{"Content-Type":"application/x-www-form-urlencoded"}};if(i.clientSecret){let m=Buffer.from(`${i.clientId}:${i.clientSecret}`).toString("base64");p.headers.Authorization=`Basic ${m}`}i.logger.debug("HTTP POST to Cognito token endpoint:",{uri:e,body:s,requestConfig:p});let t;try{t=await gx(e,s,p,i.logger)}catch(m){return{error:`Failed to exchange authorization code for tokens: ${m}`}}let{status:o,headers:u,data:r}=t;return i.logger.info("Successfully exchanged authorization code for tokens"),i.logger.debug("Response from Cognito token endpoint:",{status:o,headers:u,tokens:r}),{idToken:r.id_token,accessToken:r.access_token,refreshToken:r.refresh_token}}function OH(i){let{code:n,state:c,error:a,error_description:e}=Object.fromEntries(new URLSearchParams(i.querystring).entries());if(a)return{clientError:`[Cognito] ${a}: ${e}`};if(!n||!c||typeof n!=="string"||typeof c!=="string")return{clientError:['Invalid query string. Your query string does not include parameters "state" and "code".',"This can happen if your authentication attempt did not originate from this site."].join(" ")};let s;try{s=JSON.parse(Bx(c))}catch{return{clientError:'Invalid query string. Your query string does not include a valid "state" parameter'}}if(!s.requestedUri||!s.nonce)return{clientError:'Invalid query string. Your query string does not include a valid "state" parameter'};let{nonce:p,pkce:t,nonceHmac:o}=i.cookies;if(!p)return{clientError:"Your browser didn't send the nonce cookie along, but it is required for security (prevent CSRF)."};if(!t)return{clientError:"Your browser didn't send the pkce cookie along, but it is required for security (prevent CSRF)."};if(s.nonce!==p)return{clientError:"Nonce mismatch. This can happen if you start multiple authentication attempts in parallel (e.g. in separate tabs)"};let u=m6(s.nonce,o??"UNKNOWN",i.config);if(u)return u;return{code:n,pkce:t,requestedUri:s.requestedUri||""}}
|
|
@@ -44,4 +44,4 @@ var o6=Object.create;var{getPrototypeOf:u6,defineProperty:ta,getOwnPropertyNames
|
|
|
44
44
|
</p>
|
|
45
45
|
</body>
|
|
46
46
|
</html>
|
|
47
|
-
`;var Qx=require("node:fs"),je=ei(require("node:path")),i1=require("node:url"),n1=ei(Ut(),1);var Qt;((s)=>{s[s.none=0]="none";s[s.error=10]="error";s[s.warn=20]="warn";s[s.info=30]="info";s[s.debug=40]="debug"})(Qt||={});class io{logLevel;constructor(i){this.logLevel=i}jsonify(i){return i.map((n)=>{if(typeof n==="object")try{return JSON.stringify(n)}catch{return n}return n})}info(...i){if(this.logLevel>=30)console.log(...this.jsonify(i))}warn(...i){if(this.logLevel>=20)console.warn(...this.jsonify(i))}error(...i){if(this.logLevel>=10)console.error(...this.jsonify(i))}debug(...i){if(this.logLevel>=40)console.trace(...this.jsonify(i))}}var OW=i1.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),VW=je.dirname(OW);function no(){let n=process.env.LAMBDA_TASK_ROOT||VW,c=je.join(n,"config.json");console.log("Loading config from",c);let a=JSON.parse(Qx.readFileSync(c,"utf-8")),s=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(a.userPoolId)[1]}.amazonaws.com/${a.userPoolId}`,p=`${s}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(n1.parse(a.cookieSettings.nonce.toLowerCase())["max-age"],10)||86400,...a,tokenIssuer:s,tokenJwksUri:p,logger:new io(Qt[a.logLevel])}}function MW(i){return Object.entries(i).reduce((n,[c,a])=>Object.assign(n,{[c.toLowerCase()]:[{key:c,value:a}]}),{})}function co(i,n){let c=n?.cookies?{"set-cookie":n.cookies.map((a)=>({key:"set-cookie",value:a}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:i}],...c}}}function c1(i){return{body:EW(i),status:i.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function EW(i){let n={...i,region:process.env.AWS_REGION};return gx.replace(/\${([^}]*)}/g,(c,a)=>n[a]||"")}function a1(i,n){if(!n)throw Error("Expected response value");return{...n,headers:{...n.headers??{},...MW(i.httpHeaders)}}}function e1(i){let n;return async(c)=>{if(!n)n=no();n.logger.debug("Handling event:",c);let a=a1(n,await i(n,c));return n.logger.debug("Returning response:",a),a}}function GC(i){let n;return async(c)=>{if(!n)n=no();n.logger.debug("Handling event:",c);let a=a1(n,await i(n,c));return n.logger.debug("Returning response:",a),a}}var p6=ei(Ut(),1);var cd=ei(Ph(),1),e6=ei(a6(),1),nd;function $P(i){return"rsaPublicKey"in i}async function zP(i,n){if(!nd)nd=e6.default({cache:!0,rateLimit:!0,jwksUri:i});let c=await nd.getSigningKey(n);return $P(c)?c.rsaPublicKey:c.publicKey}async function iE(i,n,c,a){let e=cd.default.decode(i,{complete:!0});if(!e||typeof e==="string")return{validationError:Error("Cannot parse JWT token")};let s=e.header.kid
|
|
47
|
+
`;var Qx=require("node:fs"),je=ei(require("node:path")),i1=require("node:url"),n1=ei(Ut(),1);var Qt;((s)=>{s[s.none=0]="none";s[s.error=10]="error";s[s.warn=20]="warn";s[s.info=30]="info";s[s.debug=40]="debug"})(Qt||={});class io{logLevel;constructor(i){this.logLevel=i}jsonify(i){return i.map((n)=>{if(typeof n==="object")try{return JSON.stringify(n)}catch{return n}return n})}info(...i){if(this.logLevel>=30)console.log(...this.jsonify(i))}warn(...i){if(this.logLevel>=20)console.warn(...this.jsonify(i))}error(...i){if(this.logLevel>=10)console.error(...this.jsonify(i))}debug(...i){if(this.logLevel>=40)console.trace(...this.jsonify(i))}}var OW=i1.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),VW=je.dirname(OW);function no(){let n=process.env.LAMBDA_TASK_ROOT||VW,c=je.join(n,"config.json");console.log("Loading config from",c);let a=JSON.parse(Qx.readFileSync(c,"utf-8")),s=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(a.userPoolId)[1]}.amazonaws.com/${a.userPoolId}`,p=`${s}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(n1.parse(a.cookieSettings.nonce.toLowerCase())["max-age"]??"",10)||86400,...a,tokenIssuer:s,tokenJwksUri:p,logger:new io(Qt[a.logLevel])}}function MW(i){return Object.entries(i).reduce((n,[c,a])=>Object.assign(n,{[c.toLowerCase()]:[{key:c,value:a}]}),{})}function co(i,n){let c=n?.cookies?{"set-cookie":n.cookies.map((a)=>({key:"set-cookie",value:a}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:i}],...c}}}function c1(i){return{body:EW(i),status:i.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function EW(i){let n={...i,region:process.env.AWS_REGION};return gx.replace(/\${([^}]*)}/g,(c,a)=>n[a]||"")}function a1(i,n){if(!n)throw Error("Expected response value");return{...n,headers:{...n.headers??{},...MW(i.httpHeaders)}}}function e1(i){let n;return async(c)=>{if(!n)n=no();n.logger.debug("Handling event:",c);let a=a1(n,await i(n,c));return n.logger.debug("Returning response:",a),a}}function GC(i){let n;return async(c)=>{if(!n)n=no();n.logger.debug("Handling event:",c);let a=a1(n,await i(n,c));return n.logger.debug("Returning response:",a),a}}var p6=ei(Ut(),1);var cd=ei(Ph(),1),e6=ei(a6(),1),nd;function $P(i){return"rsaPublicKey"in i}async function zP(i,n){if(!nd)nd=e6.default({cache:!0,rateLimit:!0,jwksUri:i});let c=await nd.getSigningKey(n);return $P(c)?c.rsaPublicKey:c.publicKey}async function iE(i,n,c,a){let e=cd.default.decode(i,{complete:!0});if(!e||typeof e==="string")return{validationError:Error("Cannot parse JWT token")};let s=e.header.kid;if(!s)return{validationError:Error("JWT header is missing 'kid' claim")};let p=await zP(n,s);if(p instanceof Error)return{validationError:p};let t={audience:a,issuer:c,ignoreExpiration:!1};return new Promise((o)=>cd.default.verify(i,p,t,(u)=>u?o({validationError:u}):o(void 0)))}function s6(i){let c=i.split(".")[1].replace(/-/g,"+").replace(/_/g,"/");return JSON.parse(Buffer.from(c,"base64").toString())}function SP(i){if(!i.cookie)return{};return i.cookie.reduce((c,a)=>({...c,...p6.parse(a.value)}),{})}function mc(i,n){if(n.toLowerCase().indexOf("domain")===-1)return`${n}; Domain=.${i}`;return n}function t6(i,n){let c=SP(i);if(!c)return{};let a=`CognitoIdentityServiceProvider.${n}`,e=c[`${a}.LastAuthUser`];return{tokenUserName:e,idToken:c[`${a}.${e??""}.idToken`],accessToken:c[`${a}.${e??""}.accessToken`],refreshToken:c[`${a}.${e??""}.refreshToken`],scopes:c[`${a}.${e??""}.tokenScopesString`],nonce:c["spa-auth-edge-nonce"],nonceHmac:c["spa-auth-edge-nonce-hmac"],pkce:c["spa-auth-edge-pkce"]}}function ed(i){let n=s6(i.tokens.idToken),c=n["cognito:username"],a=`CognitoIdentityServiceProvider.${i.clientId}`,e=`${a}.${c}.idToken`,s=`${a}.${c}.accessToken`,p=`${a}.${c}.refreshToken`,t=`${a}.LastAuthUser`,o=`${a}.${c}.tokenScopesString`,u=i.oauthScopes.join(" "),r=`${a}.${c}.userData`,m=JSON.stringify({UserAttributes:[{Name:"sub",Value:n.sub},{Name:"email",Value:n.email}],Username:c}),f={[e]:`${i.tokens.idToken}; ${mc(i.domainName,i.cookieSettings.idToken)}`,[s]:`${i.tokens.accessToken}; ${mc(i.domainName,i.cookieSettings.accessToken)}`,[p]:`${i.tokens.refreshToken}; ${mc(i.domainName,i.cookieSettings.refreshToken)}`,[t]:`${c}; ${mc(i.domainName,i.cookieSettings.idToken)}`,[o]:`${u}; ${mc(i.domainName,i.cookieSettings.accessToken)}`,[r]:`${encodeURIComponent(m)}; ${mc(i.domainName,i.cookieSettings.idToken)}`,"amplify-signin-with-hostedUI":`true; ${mc(i.domainName,i.cookieSettings.accessToken)}`};if(i.event==="signOut")Object.keys(f).forEach((l)=>f[l]=ad(f[l]));else if(i.event==="refreshFailed")f[p]=ad(f[p]);return["spa-auth-edge-nonce","spa-auth-edge-nonce-hmac","spa-auth-edge-pkce"].forEach((l)=>{f[l]=ad(f[l])}),Object.entries(f).map(([l,v])=>`${l}=${v}`)}function ad(i=""){let n=i.split(";").map((a)=>a.trim()).filter((a)=>!a.toLowerCase().startsWith("max-age")).filter((a)=>!a.toLowerCase().startsWith("expires")),c=`Expires=${new Date(0).toUTCString()}`;return["",...n.slice(1),c].join("; ")}var GP=e1(async(i,n)=>{let c=n.Records[0].cf.request,a=c.headers.host[0].value,e=`https://${a}`;function s(h){return c1({title:"Refresh issue",message:"We can't refresh your sign-in because of a technical problem.",details:h,linkHref:e,linkText:"Try again",statusCode:"400"})}let{requestedUri:p,nonce:t}=Object.fromEntries(new URLSearchParams(c.querystring).entries());e+=p??"";let{idToken:o,accessToken:u,refreshToken:r,nonce:m}=t6(c.headers,i.clientId);if(!o||!u||!r)return s("Some of idToken, accessToken and/or refreshToken was not found");try{ZP(t,m,o,u,r)}catch(h){return s(`Failed to refresh tokens: ${h}`)}let f={"Content-Type":"application/x-www-form-urlencoded"};if(i.clientSecret!==""){let h=Buffer.from(`${i.clientId}:${i.clientSecret}`).toString("base64");f.Authorization=`Basic ${h}`}let l;try{l=await Lx(`https://${i.cognitoAuthDomain}/oauth2/token`,new URLSearchParams({grant_type:"refresh_token",client_id:i.clientId,refresh_token:r}).toString(),{headers:f},i.logger)}catch(h){return co(e,{cookies:ed({event:"refreshFailed",tokens:{idToken:o,accessToken:u,refreshToken:r},domainName:a,...i})})}let v={idToken:l.data.id_token,accessToken:l.data.access_token,refreshToken:r};return co(e,{cookies:ed({event:"newTokens",tokens:v,domainName:a,...i})})});function ZP(i,n,c,a,e){if(!n)throw Error("Your browser didn't send the nonce cookie along, but it is required for security (prevent CSRF).");if(i!==n)throw Error("Nonce mismatch");Object.entries({idToken:c,accessToken:a,refreshToken:e}).forEach(([s,p])=>{if(!p)throw Error(`Missing ${s}`)})}
|
package/dist/sign-out/index.js
CHANGED
|
@@ -24,4 +24,4 @@ var OW=Object.create;var{getPrototypeOf:GW,defineProperty:Ft,getOwnPropertyNames
|
|
|
24
24
|
</p>
|
|
25
25
|
</body>
|
|
26
26
|
</html>
|
|
27
|
-
`;var uh=require("node:fs"),Dc=kt(require("node:path")),rh=require("node:url"),nh=kt(Nr(),1);var Dr;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(Dr||={});class br{logLevel;constructor(t){this.logLevel=t}jsonify(t){return t.map((c)=>{if(typeof c==="object")try{return JSON.stringify(c)}catch{return c}return c})}info(...t){if(this.logLevel>=30)console.log(...this.jsonify(t))}warn(...t){if(this.logLevel>=20)console.warn(...this.jsonify(t))}error(...t){if(this.logLevel>=10)console.error(...this.jsonify(t))}debug(...t){if(this.logLevel>=40)console.trace(...this.jsonify(t))}}var vW=rh.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),sW=Dc.dirname(vW);function jr(){let c=process.env.LAMBDA_TASK_ROOT||sW,u=Dc.join(c,"config.json");console.log("Loading config from",u);let r=JSON.parse(uh.readFileSync(u,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(r.userPoolId)[1]}.amazonaws.com/${r.userPoolId}`,d=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(nh.parse(r.cookieSettings.nonce.toLowerCase())["max-age"],10)||86400,...r,tokenIssuer:f,tokenJwksUri:d,logger:new br(Dr[r.logLevel])}}function xW(t){return Object.entries(t).reduce((c,[u,r])=>Object.assign(c,{[u.toLowerCase()]:[{key:u,value:r}]}),{})}function pr(t,c){let u=c?.cookies?{"set-cookie":c.cookies.map((r)=>({key:"set-cookie",value:r}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:t}],...u}}}function qI(t){return{body:LW(t),status:t.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function LW(t){let c={...t,region:process.env.AWS_REGION};return ld.replace(/\${([^}]*)}/g,(u,r)=>c[r]||"")}function fh(t,c){if(!c)throw Error("Expected response value");return{...c,headers:{...c.headers??{},...xW(t.httpHeaders)}}}function dh(t){let c;return async(u)=>{if(!c)c=jr();c.logger.debug("Handling event:",u);let r=fh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}function _I(t){let c;return async(u)=>{if(!c)c=jr();c.logger.debug("Handling event:",u);let r=fh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}var yW=kt(Nr(),1);var md=kt(D6(),1),PW=kt($W(),1),gd;function oG(t){return"rsaPublicKey"in t}async function UG(t,c){if(!gd)gd=PW.default({cache:!0,rateLimit:!0,jwksUri:t});let u=await gd.getSigningKey(c);return oG(u)?u.rsaPublicKey:u.publicKey}async function vE(t,c,u,r){let n=md.default.decode(t,{complete:!0});if(!n||typeof n==="string")return{validationError:Error("Cannot parse JWT token")};let f=n.header.kid
|
|
27
|
+
`;var uh=require("node:fs"),Dc=kt(require("node:path")),rh=require("node:url"),nh=kt(Nr(),1);var Dr;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(Dr||={});class br{logLevel;constructor(t){this.logLevel=t}jsonify(t){return t.map((c)=>{if(typeof c==="object")try{return JSON.stringify(c)}catch{return c}return c})}info(...t){if(this.logLevel>=30)console.log(...this.jsonify(t))}warn(...t){if(this.logLevel>=20)console.warn(...this.jsonify(t))}error(...t){if(this.logLevel>=10)console.error(...this.jsonify(t))}debug(...t){if(this.logLevel>=40)console.trace(...this.jsonify(t))}}var vW=rh.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),sW=Dc.dirname(vW);function jr(){let c=process.env.LAMBDA_TASK_ROOT||sW,u=Dc.join(c,"config.json");console.log("Loading config from",u);let r=JSON.parse(uh.readFileSync(u,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(r.userPoolId)[1]}.amazonaws.com/${r.userPoolId}`,d=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(nh.parse(r.cookieSettings.nonce.toLowerCase())["max-age"]??"",10)||86400,...r,tokenIssuer:f,tokenJwksUri:d,logger:new br(Dr[r.logLevel])}}function xW(t){return Object.entries(t).reduce((c,[u,r])=>Object.assign(c,{[u.toLowerCase()]:[{key:u,value:r}]}),{})}function pr(t,c){let u=c?.cookies?{"set-cookie":c.cookies.map((r)=>({key:"set-cookie",value:r}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:t}],...u}}}function qI(t){return{body:LW(t),status:t.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function LW(t){let c={...t,region:process.env.AWS_REGION};return ld.replace(/\${([^}]*)}/g,(u,r)=>c[r]||"")}function fh(t,c){if(!c)throw Error("Expected response value");return{...c,headers:{...c.headers??{},...xW(t.httpHeaders)}}}function dh(t){let c;return async(u)=>{if(!c)c=jr();c.logger.debug("Handling event:",u);let r=fh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}function _I(t){let c;return async(u)=>{if(!c)c=jr();c.logger.debug("Handling event:",u);let r=fh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}var yW=kt(Nr(),1);var md=kt(D6(),1),PW=kt($W(),1),gd;function oG(t){return"rsaPublicKey"in t}async function UG(t,c){if(!gd)gd=PW.default({cache:!0,rateLimit:!0,jwksUri:t});let u=await gd.getSigningKey(c);return oG(u)?u.rsaPublicKey:u.publicKey}async function vE(t,c,u,r){let n=md.default.decode(t,{complete:!0});if(!n||typeof n==="string")return{validationError:Error("Cannot parse JWT token")};let f=n.header.kid;if(!f)return{validationError:Error("JWT header is missing 'kid' claim")};let d=await UG(c,f);if(d instanceof Error)return{validationError:d};let h={audience:r,issuer:u,ignoreExpiration:!1};return new Promise((q)=>md.default.verify(t,d,h,(_)=>_?q({validationError:_}):q(void 0)))}function AW(t){let u=t.split(".")[1].replace(/-/g,"+").replace(/_/g,"/");return JSON.parse(Buffer.from(u,"base64").toString())}function lG(t){if(!t.cookie)return{};return t.cookie.reduce((u,r)=>({...u,...yW.parse(r.value)}),{})}function Wt(t,c){if(c.toLowerCase().indexOf("domain")===-1)return`${c}; Domain=.${t}`;return c}function SW(t,c){let u=lG(t);if(!u)return{};let r=`CognitoIdentityServiceProvider.${c}`,n=u[`${r}.LastAuthUser`];return{tokenUserName:n,idToken:u[`${r}.${n??""}.idToken`],accessToken:u[`${r}.${n??""}.accessToken`],refreshToken:u[`${r}.${n??""}.refreshToken`],scopes:u[`${r}.${n??""}.tokenScopesString`],nonce:u["spa-auth-edge-nonce"],nonceHmac:u["spa-auth-edge-nonce-hmac"],pkce:u["spa-auth-edge-pkce"]}}function HW(t){let c=AW(t.tokens.idToken),u=c["cognito:username"],r=`CognitoIdentityServiceProvider.${t.clientId}`,n=`${r}.${u}.idToken`,f=`${r}.${u}.accessToken`,d=`${r}.${u}.refreshToken`,h=`${r}.LastAuthUser`,q=`${r}.${u}.tokenScopesString`,_=t.oauthScopes.join(" "),W=`${r}.${u}.userData`,J=JSON.stringify({UserAttributes:[{Name:"sub",Value:c.sub},{Name:"email",Value:c.email}],Username:u}),$={[n]:`${t.tokens.idToken}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,[f]:`${t.tokens.accessToken}; ${Wt(t.domainName,t.cookieSettings.accessToken)}`,[d]:`${t.tokens.refreshToken}; ${Wt(t.domainName,t.cookieSettings.refreshToken)}`,[h]:`${u}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,[q]:`${_}; ${Wt(t.domainName,t.cookieSettings.accessToken)}`,[W]:`${encodeURIComponent(J)}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,"amplify-signin-with-hostedUI":`true; ${Wt(t.domainName,t.cookieSettings.accessToken)}`};if(t.event==="signOut")Object.keys($).forEach((w)=>$[w]=Bd($[w]));else if(t.event==="refreshFailed")$[d]=Bd($[d]);return["spa-auth-edge-nonce","spa-auth-edge-nonce-hmac","spa-auth-edge-pkce"].forEach((w)=>{$[w]=Bd($[w])}),Object.entries($).map(([w,P])=>`${w}=${P}`)}function Bd(t=""){let c=t.split(";").map((r)=>r.trim()).filter((r)=>!r.toLowerCase().startsWith("max-age")).filter((r)=>!r.toLowerCase().startsWith("expires")),u=`Expires=${new Date(0).toUTCString()}`;return["",...c.slice(1),u].join("; ")}var QG=dh(async(t,c)=>{let u=c.Records[0].cf.request,r=u.headers.host[0].value,{idToken:n,accessToken:f,refreshToken:d}=SW(u.headers,t.clientId);if(!n)return pr(`https://${r}${t.signOutRedirectTo}`);let h=new URLSearchParams({logout_uri:`https://${r}${t.signOutRedirectTo}`,client_id:t.clientId}).toString();return pr(`https://${t.cognitoAuthDomain}/logout?${h}`,{cookies:HW({event:"signOut",tokens:{idToken:n,accessToken:f??"",refreshToken:d??""},domainName:r,...t})})});
|
|
@@ -18,11 +18,11 @@ export function getConfig() {
|
|
|
18
18
|
const tokenIssuer = `https://cognito-idp.${userPoolRegion}.amazonaws.com/${config.userPoolId}`;
|
|
19
19
|
const tokenJwksUri = `${tokenIssuer}/.well-known/jwks.json`;
|
|
20
20
|
return {
|
|
21
|
-
nonceMaxAge: Number.parseInt(parse(config.cookieSettings.nonce.toLowerCase())["max-age"], 10) || 60 * 60 * 24,
|
|
21
|
+
nonceMaxAge: Number.parseInt(parse(config.cookieSettings.nonce.toLowerCase())["max-age"] ?? "", 10) || 60 * 60 * 24,
|
|
22
22
|
...config,
|
|
23
23
|
tokenIssuer,
|
|
24
24
|
tokenJwksUri,
|
|
25
25
|
logger: new Logger(LogLevel[config.logLevel]),
|
|
26
26
|
};
|
|
27
27
|
}
|
|
28
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
28
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2hhbmRsZXJzL3V0aWwvY29uZmlnLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxZQUFZLEVBQUUsTUFBTSxTQUFTLENBQUE7QUFDdEMsT0FBTyxLQUFLLElBQUksTUFBTSxXQUFXLENBQUE7QUFDakMsT0FBTyxFQUFFLGFBQWEsRUFBRSxNQUFNLFVBQVUsQ0FBQTtBQUN4QyxPQUFPLEVBQUUsS0FBSyxFQUFFLE1BQU0sUUFBUSxDQUFBO0FBRzlCLE9BQU8sRUFBRSxNQUFNLEVBQUUsUUFBUSxFQUFFLE1BQU0sVUFBVSxDQUFBO0FBRTNDLE1BQU0sVUFBVSxHQUFHLGFBQWEsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFBO0FBQ2pELE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsVUFBVSxDQUFDLENBQUE7QUEwQjFDLE1BQU0sVUFBVSxTQUFTO0lBQ3ZCLE1BQU0sUUFBUSxHQUFHLGFBQWEsQ0FBQTtJQUM5QixNQUFNLE9BQU8sR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDLGdCQUFnQixJQUFJLFNBQVMsQ0FBQTtJQUN6RCxNQUFNLGNBQWMsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDLE9BQU8sRUFBRSxRQUFRLENBQUMsQ0FBQTtJQUNuRCxPQUFPLENBQUMsR0FBRyxDQUFDLHFCQUFxQixFQUFFLGNBQWMsQ0FBQyxDQUFBO0lBQ2xELE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQ3ZCLFlBQVksQ0FBQyxjQUFjLEVBQUUsT0FBTyxDQUFDLENBQ3RCLENBQUE7SUFFakIsb0VBQW9FO0lBQ3BFLGlDQUFpQztJQUNqQyxtRkFBbUY7SUFDbkYsTUFBTSxjQUFjLEdBQUcsY0FBYyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsVUFBVSxDQUFFLENBQUMsQ0FBQyxDQUFDLENBQUE7SUFDakUsTUFBTSxXQUFXLEdBQUcsdUJBQXVCLGNBQWMsa0JBQWtCLE1BQU0sQ0FBQyxVQUFVLEVBQUUsQ0FBQTtJQUM5RixNQUFNLFlBQVksR0FBRyxHQUFHLFdBQVcsd0JBQXdCLENBQUE7SUFFM0QsT0FBTztRQUNMLFdBQVcsRUFDVCxNQUFNLENBQUMsUUFBUSxDQUNiLEtBQUssQ0FBQyxNQUFNLENBQUMsY0FBYyxDQUFDLEtBQUssQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxJQUFJLEVBQUUsRUFDakUsRUFBRSxDQUNILElBQUksRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFO1FBQ25CLEdBQUcsTUFBTTtRQUNULFdBQVc7UUFDWCxZQUFZO1FBQ1osTUFBTSxFQUFFLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLENBQUM7S0FDOUMsQ0FBQTtBQUNILENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyByZWFkRmlsZVN5bmMgfSBmcm9tIFwibm9kZTpmc1wiXG5pbXBvcnQgKiBhcyBwYXRoIGZyb20gXCJub2RlOnBhdGhcIlxuaW1wb3J0IHsgZmlsZVVSTFRvUGF0aCB9IGZyb20gXCJub2RlOnVybFwiXG5pbXBvcnQgeyBwYXJzZSB9IGZyb20gXCJjb29raWVcIlxuaW1wb3J0IHR5cGUgeyBIdHRwSGVhZGVycyB9IGZyb20gXCIuL2Nsb3VkZnJvbnRcIlxuaW1wb3J0IHR5cGUgeyBDb29raWVTZXR0aW5ncyB9IGZyb20gXCIuL2Nvb2tpZXNcIlxuaW1wb3J0IHsgTG9nZ2VyLCBMb2dMZXZlbCB9IGZyb20gXCIuL2xvZ2dlclwiXG5cbmNvbnN0IF9fZmlsZW5hbWUgPSBmaWxlVVJMVG9QYXRoKGltcG9ydC5tZXRhLnVybClcbmNvbnN0IF9fZGlybmFtZSA9IHBhdGguZGlybmFtZShfX2ZpbGVuYW1lKVxuXG5leHBvcnQgaW50ZXJmYWNlIFN0b3JlZENvbmZpZyB7XG4gIHVzZXJQb29sSWQ6IHN0cmluZ1xuICBjbGllbnRJZDogc3RyaW5nXG4gIG9hdXRoU2NvcGVzOiBzdHJpbmdbXVxuICBjb2duaXRvQXV0aERvbWFpbjogc3RyaW5nXG4gIGNhbGxiYWNrUGF0aDogc3RyaW5nXG4gIHNpZ25PdXRSZWRpcmVjdFRvOiBzdHJpbmdcbiAgc2lnbk91dFBhdGg6IHN0cmluZ1xuICByZWZyZXNoQXV0aFBhdGg6IHN0cmluZ1xuICBjb29raWVTZXR0aW5nczogQ29va2llU2V0dGluZ3NcbiAgaHR0cEhlYWRlcnM6IEh0dHBIZWFkZXJzXG4gIGNsaWVudFNlY3JldDogc3RyaW5nXG4gIG5vbmNlU2lnbmluZ1NlY3JldDogc3RyaW5nXG4gIGxvZ0xldmVsOiBrZXlvZiB0eXBlb2YgTG9nTGV2ZWxcbiAgcmVxdWlyZUdyb3VwQW55T2Y/OiBzdHJpbmdbXSB8IG51bGxcbn1cblxuZXhwb3J0IGludGVyZmFjZSBDb25maWcgZXh0ZW5kcyBTdG9yZWRDb25maWcge1xuICB0b2tlbklzc3Vlcjogc3RyaW5nXG4gIHRva2VuSndrc1VyaTogc3RyaW5nXG4gIGxvZ2dlcjogTG9nZ2VyXG4gIG5vbmNlTWF4QWdlOiBudW1iZXJcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIGdldENvbmZpZygpOiBDb25maWcge1xuICBjb25zdCBmaWxlbmFtZSA9IFwiY29uZmlnLmpzb25cIlxuICBjb25zdCBkaXJuYW1lID0gcHJvY2Vzcy5lbnYuTEFNQkRBX1RBU0tfUk9PVCB8fCBfX2Rpcm5hbWVcbiAgY29uc3QgY29uZmlnRmlsZVBhdGggPSBwYXRoLmpvaW4oZGlybmFtZSwgZmlsZW5hbWUpXG4gIGNvbnNvbGUubG9nKFwiTG9hZGluZyBjb25maWcgZnJvbVwiLCBjb25maWdGaWxlUGF0aClcbiAgY29uc3QgY29uZmlnID0gSlNPTi5wYXJzZShcbiAgICByZWFkRmlsZVN5bmMoY29uZmlnRmlsZVBhdGgsIFwidXRmLThcIiksXG4gICkgYXMgU3RvcmVkQ29uZmlnXG5cbiAgLy8gRGVyaXZlIHRoZSBpc3N1ZXIgYW5kIEpXS1MgdXJpIGFsbCBKV1QncyB3aWxsIGJlIHNpZ25lZCB3aXRoIGZyb21cbiAgLy8gdGhlIFVzZXIgUG9vbCdzIElEIGFuZCByZWdpb24uXG4gIC8vIGJpb21lLWlnbm9yZSBsaW50L3N0eWxlL25vTm9uTnVsbEFzc2VydGlvbjogU3VwcHJlc3Npb24gY2FycmllZCBvdmVyIGZyb20gZXNsaW50XG4gIGNvbnN0IHVzZXJQb29sUmVnaW9uID0gL14oXFxTKz8pX1xcUyskLy5leGVjKGNvbmZpZy51c2VyUG9vbElkKSFbMV1cbiAgY29uc3QgdG9rZW5Jc3N1ZXIgPSBgaHR0cHM6Ly9jb2duaXRvLWlkcC4ke3VzZXJQb29sUmVnaW9ufS5hbWF6b25hd3MuY29tLyR7Y29uZmlnLnVzZXJQb29sSWR9YFxuICBjb25zdCB0b2tlbkp3a3NVcmkgPSBgJHt0b2tlbklzc3Vlcn0vLndlbGwta25vd24vandrcy5qc29uYFxuXG4gIHJldHVybiB7XG4gICAgbm9uY2VNYXhBZ2U6XG4gICAgICBOdW1iZXIucGFyc2VJbnQoXG4gICAgICAgIHBhcnNlKGNvbmZpZy5jb29raWVTZXR0aW5ncy5ub25jZS50b0xvd2VyQ2FzZSgpKVtcIm1heC1hZ2VcIl0gPz8gXCJcIixcbiAgICAgICAgMTAsXG4gICAgICApIHx8IDYwICogNjAgKiAyNCxcbiAgICAuLi5jb25maWcsXG4gICAgdG9rZW5Jc3N1ZXIsXG4gICAgdG9rZW5Kd2tzVXJpLFxuICAgIGxvZ2dlcjogbmV3IExvZ2dlcihMb2dMZXZlbFtjb25maWcubG9nTGV2ZWxdKSxcbiAgfVxufVxuIl19
|
package/lib/handlers/util/jwt.js
CHANGED
|
@@ -27,6 +27,11 @@ export async function validate(jwtToken, jwksUri, issuer, audience) {
|
|
|
27
27
|
// The JWT contains a "kid" claim, key id, that tells which key
|
|
28
28
|
// was used to sign the token.
|
|
29
29
|
const kid = decodedToken.header.kid;
|
|
30
|
+
if (!kid) {
|
|
31
|
+
return {
|
|
32
|
+
validationError: new Error("JWT header is missing 'kid' claim"),
|
|
33
|
+
};
|
|
34
|
+
}
|
|
30
35
|
const jwk = await getSigningKey(jwksUri, kid);
|
|
31
36
|
if (jwk instanceof Error) {
|
|
32
37
|
return { validationError: jwk };
|
|
@@ -45,4 +50,4 @@ export function decodeIdToken(jwt) {
|
|
|
45
50
|
const decodableTokenBody = tokenBody.replace(/-/g, "+").replace(/_/g, "/");
|
|
46
51
|
return JSON.parse(Buffer.from(decodableTokenBody, "base64").toString());
|
|
47
52
|
}
|
|
48
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
53
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiand0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2hhbmRsZXJzL3V0aWwvand0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sR0FBRyxNQUFNLGNBQWMsQ0FBQTtBQUM5QixPQUFPLFVBQW1ELE1BQU0sVUFBVSxDQUFBO0FBZ0IxRSwwREFBMEQ7QUFDMUQsNkJBQTZCO0FBQzdCLElBQUksT0FBOEIsQ0FBQTtBQUVsQyxTQUFTLGVBQWUsQ0FBQyxHQUFlO0lBQ3RDLE9BQU8sY0FBYyxJQUFJLEdBQUcsQ0FBQTtBQUM5QixDQUFDO0FBRUQ7OztHQUdHO0FBQ0gsS0FBSyxVQUFVLGFBQWEsQ0FDMUIsT0FBZSxFQUNmLEdBQVc7SUFFWCxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7UUFDYixPQUFPLEdBQUcsVUFBVSxDQUFDLEVBQUUsS0FBSyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxDQUFDLENBQUE7SUFDakUsQ0FBQztJQUNELE1BQU0sR0FBRyxHQUFHLE1BQU0sT0FBTyxDQUFDLGFBQWEsQ0FBQyxHQUFHLENBQUMsQ0FBQTtJQUM1QyxPQUFPLGVBQWUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLFNBQVMsQ0FBQTtBQUNoRSxDQUFDO0FBRUQsTUFBTSxDQUFDLEtBQUssVUFBVSxRQUFRLENBQzVCLFFBQWdCLEVBQ2hCLE9BQWUsRUFDZixNQUFjLEVBQ2QsUUFBZ0I7SUFFaEIsTUFBTSxZQUFZLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLEVBQUUsRUFBRSxRQUFRLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQTtJQUM3RCxJQUFJLENBQUMsWUFBWSxJQUFJLE9BQU8sWUFBWSxLQUFLLFFBQVEsRUFBRSxDQUFDO1FBQ3RELE9BQU87WUFDTCxlQUFlLEVBQUUsSUFBSSxLQUFLLENBQUMsd0JBQXdCLENBQUM7U0FDckQsQ0FBQTtJQUNILENBQUM7SUFFRCwrREFBK0Q7SUFDL0QsOEJBQThCO0lBQzlCLE1BQU0sR0FBRyxHQUFHLFlBQVksQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFBO0lBQ25DLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUNULE9BQU87WUFDTCxlQUFlLEVBQUUsSUFBSSxLQUFLLENBQUMsbUNBQW1DLENBQUM7U0FDaEUsQ0FBQTtJQUNILENBQUM7SUFDRCxNQUFNLEdBQUcsR0FBRyxNQUFNLGFBQWEsQ0FBQyxPQUFPLEVBQUUsR0FBRyxDQUFDLENBQUE7SUFDN0MsSUFBSSxHQUFHLFlBQVksS0FBSyxFQUFFLENBQUM7UUFDekIsT0FBTyxFQUFFLGVBQWUsRUFBRSxHQUFHLEVBQUUsQ0FBQTtJQUNqQyxDQUFDO0lBRUQsa0JBQWtCO0lBQ2xCLGdFQUFnRTtJQUNoRSxNQUFNLG1CQUFtQixHQUFHO1FBQzFCLFFBQVE7UUFDUixNQUFNO1FBQ04sZ0JBQWdCLEVBQUUsS0FBSztLQUN4QixDQUFBO0lBRUQsT0FBTyxJQUFJLE9BQU8sQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQzdCLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLEdBQUcsRUFBRSxtQkFBbUIsRUFBRSxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQ3JELEdBQUcsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsZUFBZSxFQUFFLEdBQUcsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsQ0FDN0QsQ0FDRixDQUFBO0FBQ0gsQ0FBQztBQUVELE1BQU0sVUFBVSxhQUFhLENBQUMsR0FBVztJQUN2QyxNQUFNLFNBQVMsR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFBO0lBQ25DLE1BQU0sa0JBQWtCLEdBQUcsU0FBUyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUMsT0FBTyxDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsQ0FBQTtJQUMxRSxPQUFPLElBQUksQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxRQUFRLENBQUMsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxDQUFBO0FBQ3pFLENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgand0IGZyb20gXCJqc29ud2VidG9rZW5cIlxuaW1wb3J0IGp3a3NDbGllbnQsIHsgdHlwZSBSc2FTaWduaW5nS2V5LCB0eXBlIFNpZ25pbmdLZXkgfSBmcm9tIFwiandrcy1yc2FcIlxuXG5leHBvcnQgaW50ZXJmYWNlIElkVG9rZW5QYXlsb2FkIHtcbiAgc3ViOiBzdHJpbmdcbiAgXCJjb2duaXRvOmdyb3Vwc1wiPzogc3RyaW5nW11cbiAgXCJjb2duaXRvOnVzZXJuYW1lXCI/OiBzdHJpbmdcbiAgZ2l2ZW5fbmFtZT86IHN0cmluZ1xuICBhdWQ6IHN0cmluZ1xuICB0b2tlbl91c2U6IFwiaWRcIlxuICBhdXRoX3RpbWU6IG51bWJlclxuICBuYW1lPzogc3RyaW5nXG4gIGV4cDogbnVtYmVyXG4gIGlhdDogbnVtYmVyXG4gIGVtYWlsPzogc3RyaW5nXG59XG5cbi8vIGp3a3MgY2xpZW50IGlzIGNhY2hlZCBhdCB0aGlzIHNjb3BlIHNvIGl0IGNhbiBiZSByZXVzZWRcbi8vIGFjcm9zcyBMYW1iZGEgaW52b2NhdGlvbnMuXG5sZXQgandrc1JzYTogandrc0NsaWVudC5Kd2tzQ2xpZW50XG5cbmZ1bmN0aW9uIGlzUnNhU2lnbmluZ0tleShrZXk6IFNpZ25pbmdLZXkpOiBrZXkgaXMgUnNhU2lnbmluZ0tleSB7XG4gIHJldHVybiBcInJzYVB1YmxpY0tleVwiIGluIGtleVxufVxuXG4vKipcbiAqIFJldHJpZXZlcyB0aGUgcHVibGljIGtleSB0aGF0IGNvcnJlc3BvbmRzIHRvIHRoZSBwcml2YXRlIGtleSB3aXRoXG4gKiB3aGljaCB0aGUgdG9rZW4gd2FzIHNpZ25lZC5cbiAqL1xuYXN5bmMgZnVuY3Rpb24gZ2V0U2lnbmluZ0tleShcbiAgandrc1VyaTogc3RyaW5nLFxuICBraWQ6IHN0cmluZyxcbik6IFByb21pc2U8c3RyaW5nIHwgRXJyb3I+IHtcbiAgaWYgKCFqd2tzUnNhKSB7XG4gICAgandrc1JzYSA9IGp3a3NDbGllbnQoeyBjYWNoZTogdHJ1ZSwgcmF0ZUxpbWl0OiB0cnVlLCBqd2tzVXJpIH0pXG4gIH1cbiAgY29uc3QgandrID0gYXdhaXQgandrc1JzYS5nZXRTaWduaW5nS2V5KGtpZClcbiAgcmV0dXJuIGlzUnNhU2lnbmluZ0tleShqd2spID8gandrLnJzYVB1YmxpY0tleSA6IGp3ay5wdWJsaWNLZXlcbn1cblxuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIHZhbGlkYXRlKFxuICBqd3RUb2tlbjogc3RyaW5nLFxuICBqd2tzVXJpOiBzdHJpbmcsXG4gIGlzc3Vlcjogc3RyaW5nLFxuICBhdWRpZW5jZTogc3RyaW5nLFxuKTogUHJvbWlzZTx7IHZhbGlkYXRpb25FcnJvcjogRXJyb3IgfSB8IHVuZGVmaW5lZD4ge1xuICBjb25zdCBkZWNvZGVkVG9rZW4gPSBqd3QuZGVjb2RlKGp3dFRva2VuLCB7IGNvbXBsZXRlOiB0cnVlIH0pXG4gIGlmICghZGVjb2RlZFRva2VuIHx8IHR5cGVvZiBkZWNvZGVkVG9rZW4gPT09IFwic3RyaW5nXCIpIHtcbiAgICByZXR1cm4ge1xuICAgICAgdmFsaWRhdGlvbkVycm9yOiBuZXcgRXJyb3IoXCJDYW5ub3QgcGFyc2UgSldUIHRva2VuXCIpLFxuICAgIH1cbiAgfVxuXG4gIC8vIFRoZSBKV1QgY29udGFpbnMgYSBcImtpZFwiIGNsYWltLCBrZXkgaWQsIHRoYXQgdGVsbHMgd2hpY2gga2V5XG4gIC8vIHdhcyB1c2VkIHRvIHNpZ24gdGhlIHRva2VuLlxuICBjb25zdCBraWQgPSBkZWNvZGVkVG9rZW4uaGVhZGVyLmtpZFxuICBpZiAoIWtpZCkge1xuICAgIHJldHVybiB7XG4gICAgICB2YWxpZGF0aW9uRXJyb3I6IG5ldyBFcnJvcihcIkpXVCBoZWFkZXIgaXMgbWlzc2luZyAna2lkJyBjbGFpbVwiKSxcbiAgICB9XG4gIH1cbiAgY29uc3QgandrID0gYXdhaXQgZ2V0U2lnbmluZ0tleShqd2tzVXJpLCBraWQpXG4gIGlmIChqd2sgaW5zdGFuY2VvZiBFcnJvcikge1xuICAgIHJldHVybiB7IHZhbGlkYXRpb25FcnJvcjogandrIH1cbiAgfVxuXG4gIC8vIFZlcmlmeSB0aGUgSldULlxuICAvLyBUaGlzIGVpdGhlciByZWplY3RzIChKV1Qgbm90IHZhbGlkKSwgb3IgcmVzb2x2ZXMgKEpXVCB2YWxpZCkuXG4gIGNvbnN0IHZlcmlmaWNhdGlvbk9wdGlvbnMgPSB7XG4gICAgYXVkaWVuY2UsXG4gICAgaXNzdWVyLFxuICAgIGlnbm9yZUV4cGlyYXRpb246IGZhbHNlLFxuICB9XG5cbiAgcmV0dXJuIG5ldyBQcm9taXNlKChyZXNvbHZlKSA9PlxuICAgIGp3dC52ZXJpZnkoand0VG9rZW4sIGp3aywgdmVyaWZpY2F0aW9uT3B0aW9ucywgKGVycikgPT5cbiAgICAgIGVyciA/IHJlc29sdmUoeyB2YWxpZGF0aW9uRXJyb3I6IGVyciB9KSA6IHJlc29sdmUodW5kZWZpbmVkKSxcbiAgICApLFxuICApXG59XG5cbmV4cG9ydCBmdW5jdGlvbiBkZWNvZGVJZFRva2VuKGp3dDogc3RyaW5nKTogSWRUb2tlblBheWxvYWQge1xuICBjb25zdCB0b2tlbkJvZHkgPSBqd3Quc3BsaXQoXCIuXCIpWzFdXG4gIGNvbnN0IGRlY29kYWJsZVRva2VuQm9keSA9IHRva2VuQm9keS5yZXBsYWNlKC8tL2csIFwiK1wiKS5yZXBsYWNlKC9fL2csIFwiL1wiKVxuICByZXR1cm4gSlNPTi5wYXJzZShCdWZmZXIuZnJvbShkZWNvZGFibGVUb2tlbkJvZHksIFwiYmFzZTY0XCIpLnRvU3RyaW5nKCkpXG59XG4iXX0=
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@liflig/cdk-cloudfront-auth",
|
|
3
|
-
"version": "1.10.
|
|
3
|
+
"version": "1.10.5",
|
|
4
4
|
"description": "CDK Constructs for adding authentication for a CloudFront Distribution",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"repository": {
|
|
@@ -36,7 +36,7 @@
|
|
|
36
36
|
},
|
|
37
37
|
"devDependencies": {
|
|
38
38
|
"@aws-sdk/client-lambda": "^3.1005.0",
|
|
39
|
-
"@biomejs/biome": "2.4.
|
|
39
|
+
"@biomejs/biome": "2.4.13",
|
|
40
40
|
"@commitlint/cli": "20.5.0",
|
|
41
41
|
"@commitlint/config-conventional": "20.5.0",
|
|
42
42
|
"@types/adm-zip": "^0.5.7",
|
|
@@ -56,7 +56,7 @@
|
|
|
56
56
|
"jwks-rsa": "3.2.2",
|
|
57
57
|
"semantic-release": "25.0.3",
|
|
58
58
|
"ts-jest": "29.4.9",
|
|
59
|
-
"typescript": "
|
|
59
|
+
"typescript": "6.0.3"
|
|
60
60
|
},
|
|
61
61
|
"dependencies": {},
|
|
62
62
|
"peerDependencies": {
|