@liflig/cdk-cloudfront-auth 1.10.4 → 1.10.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/check-auth/index.js +1 -1
  2. package/dist/http-headers/index.js +1 -1
  3. package/dist/lambda-config-handler/index.js +14 -14
  4. package/dist/parse-auth/index.js +18 -18
  5. package/dist/refresh-auth/index.js +18 -18
  6. package/dist/sign-out/index.js +1 -1
  7. package/lib/handlers/util/config.js +2 -2
  8. package/lib/handlers/util/jwt.js +6 -1
  9. package/package.json +7 -7
package/dist/check-auth/index.js CHANGED
@@ -24,4 +24,4 @@ var VW=Object.create;var{getPrototypeOf:MW,defineProperty:Ft,getOwnPropertyNames
24
24
  </p>
25
25
  </body>
26
26
  </html>
27
- `;var qh=require("node:fs"),Dc=kt(require("node:path")),_h=require("node:url"),Kh=kt(vr(),1);var xr;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(xr||={});class Lr{logLevel;constructor(t){this.logLevel=t}jsonify(t){return t.map((c)=>{if(typeof c==="object")try{return JSON.stringify(c)}catch{return c}return c})}info(...t){if(this.logLevel>=30)console.log(...this.jsonify(t))}warn(...t){if(this.logLevel>=20)console.warn(...this.jsonify(t))}error(...t){if(this.logLevel>=10)console.error(...this.jsonify(t))}debug(...t){if(this.logLevel>=40)console.trace(...this.jsonify(t))}}var oW=_h.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),UW=Dc.dirname(oW);function sr(){let c=process.env.LAMBDA_TASK_ROOT||UW,u=Dc.join(c,"config.json");console.log("Loading config from",u);let r=JSON.parse(qh.readFileSync(u,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(r.userPoolId)[1]}.amazonaws.com/${r.userPoolId}`,d=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(Kh.parse(r.cookieSettings.nonce.toLowerCase())["max-age"],10)||86400,...r,tokenIssuer:f,tokenJwksUri:d,logger:new Lr(xr[r.logLevel])}}function lW(t){return Object.entries(t).reduce((c,[u,r])=>Object.assign(c,{[u.toLowerCase()]:[{key:u,value:r}]}),{})}function mr(t,c){let u=c?.cookies?{"set-cookie":c.cookies.map((r)=>({key:"set-cookie",value:r}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:t}],...u}}}function Wh(t){return{body:QW(t),status:t.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function QW(t){let c={...t,region:process.env.AWS_REGION};return rh.replace(/\${([^}]*)}/g,(u,r)=>c[r]||"")}function Jh(t,c){if(!c)throw Error("Expected response value");return{...c,headers:{...c.headers??{},...lW(t.httpHeaders)}}}function wh(t){let c;return async(u)=>{if(!c)c=sr();c.logger.debug("Handling event:",u);let r=Jh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}function GZ(t){let c;return async(u)=>{if(!c)c=sr();c.logger.debug("Handling event:",u);let r=Jh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}var ZW=kt(vr(),1);var Ud=kt(s6(),1),GW=kt(OW(),1),od;function nZ(t){return"rsaPublicKey"in t}async function fZ(t,c){if(!od)od=GW.default({cache:!0,rateLimit:!0,jwksUri:t});let u=await od.getSigningKey(c);return nZ(u)?u.rsaPublicKey:u.publicKey}async function IW(t,c,u,r){let n=Ud.default.decode(t,{complete:!0});if(!n||typeof n==="string")return{validationError:Error("Cannot parse JWT token")};let f=n.header.kid,d=await fZ(c,f);if(d instanceof Error)return{validationError:d};let h={audience:r,issuer:u,ignoreExpiration:!1};return new Promise((q)=>Ud.default.verify(t,d,h,(_)=>_?q({validationError:_}):q(void 0)))}function Nr(t){let u=t.split(".")[1].replace(/-/g,"+").replace(/_/g,"/");return JSON.parse(Buffer.from(u,"base64").toString())}function dZ(t){if(!t.cookie)return{};return t.cookie.reduce((u,r)=>({...u,...ZW.parse(r.value)}),{})}function Wt(t,c){if(c.toLowerCase().indexOf("domain")===-1)return`${c}; Domain=.${t}`;return c}function XW(t,c){let u=dZ(t);if(!u)return{};let r=`CognitoIdentityServiceProvider.${c}`,n=u[`${r}.LastAuthUser`];return{tokenUserName:n,idToken:u[`${r}.${n??""}.idToken`],accessToken:u[`${r}.${n??""}.accessToken`],refreshToken:u[`${r}.${n??""}.refreshToken`],scopes:u[`${r}.${n??""}.tokenScopesString`],nonce:u["spa-auth-edge-nonce"],nonceHmac:u["spa-auth-edge-nonce-hmac"],pkce:u["spa-auth-edge-pkce"]}}function cz(t){let c=Nr(t.tokens.idToken),u=c["cognito:username"],r=`CognitoIdentityServiceProvider.${t.clientId}`,n=`${r}.${u}.idToken`,f=`${r}.${u}.accessToken`,d=`${r}.${u}.refreshToken`,h=`${r}.LastAuthUser`,q=`${r}.${u}.tokenScopesString`,_=t.oauthScopes.join(" "),W=`${r}.${u}.userData`,J=JSON.stringify({UserAttributes:[{Name:"sub",Value:c.sub},{Name:"email",Value:c.email}],Username:u}),$={[n]:`${t.tokens.idToken}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,[f]:`${t.tokens.accessToken}; ${Wt(t.domainName,t.cookieSettings.accessToken)}`,[d]:`${t.tokens.refreshToken}; ${Wt(t.domainName,t.cookieSettings.refreshToken)}`,[h]:`${u}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,[q]:`${_}; ${Wt(t.domainName,t.cookieSettings.accessToken)}`,[W]:`${encodeURIComponent(J)}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,"amplify-signin-with-hostedUI":`true; ${Wt(t.domainName,t.cookieSettings.accessToken)}`};if(t.event==="signOut")Object.keys($).forEach((w)=>$[w]=ld($[w]));else if(t.event==="refreshFailed")$[d]=ld($[d]);return["spa-auth-edge-nonce","spa-auth-edge-nonce-hmac","spa-auth-edge-pkce"].forEach((w)=>{$[w]=ld($[w])}),Object.entries($).map(([w,P])=>`${w}=${P}`)}function ld(t=""){let c=t.split(";").map((r)=>r.trim()).filter((r)=>!r.toLowerCase().startsWith("max-age")).filter((r)=>!r.toLowerCase().startsWith("expires")),u=`Expires=${new Date(0).toUTCString()}`;return["",...c.slice(1),u].join("; ")}var Tr=require("node:crypto");function hZ(t,c){let u=Number.parseInt(t.slice(0,t.indexOf("T")),10);if(Number.isNaN(u))return{clientError:"Invalid nonce"};if(EW()-u>c)return{clientError:`Nonce is too old (nonce is from ${new Date(u*1000).toISOString()})`}}function rz(t,c,u){let r=hZ(t,u.nonceMaxAge);if(r)return r;let n=er(t,u);if(n!==c)return{clientError:`Nonce signature mismatch! Expected ${n} but got ${c}`}}function Qd(){let t=Tr.randomBytes(16).toString("hex");return`${EW()}T${t}`}function er(t,c){return Tr.createHmac("sha256",c.nonceSigningSecret).update(t).digest("hex")}function EW(){return Date.now()/1000|0}var qZ=wh(async(t,c)=>{let u=c.Records[0].cf.request,r=u.headers.host[0].value,n=`${u.uri}${u.querystring?`?${u.querystring}`:""}`,{idToken:f,refreshToken:d,nonce:h,nonceHmac:q}=XW(u.headers,t.clientId);if(t.logger.debug("Extracted cookies:",{idToken:f,refreshToken:d,nonce:h,nonceHmac:q}),!f)return YW({config:t,domainName:r,requestedUri:n});let _=Nr(f),{exp:W}=_;if(t.logger.debug("ID token exp:",W,new Date(W*1000).toISOString()),Date.now()/1000>W-600&&d)return _Z({config:t,domainName:r,requestedUri:n});t.logger.info("Validating JWT");let J=await IW(f,t.tokenJwksUri,t.tokenIssuer,t.clientId);if(J!==void 0)return t.logger.debug("ID token not valid:",J.validationError),YW({config:t,domainName:r,requestedUri:n});if(t.logger.info("JWT is valid"),!zW(t,_))return Wh({title:"Not authorized",statusCode:"403",message:"You are not authorized for this resource.",details:"Your sign in was successful, but your user is not allowed to access this resource.",linkHref:`https://${r}${t.signOutPath}`,linkText:"Sign out"});return u});function zW(t,c){if(t.requireGroupAnyOf){let u=c["cognito:groups"]||[];if(!t.requireGroupAnyOf.some((r)=>u.includes(r)))return!1}return!0}function _Z({config:t,domainName:c,requestedUri:u}){t.logger.info("Redirecting to refresh endpoint");let r=Qd(),n=new URLSearchParams({requestedUri:u,nonce:r}).toString();return mr(`https://${c}${t.refreshAuthPath}?${n}`,{cookies:[`spa-auth-edge-nonce=${encodeURIComponent(r)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-nonce-hmac=${encodeURIComponent(er(r,t))}; ${t.cookieSettings.nonce}`]})}function YW({config:t,domainName:c,requestedUri:u}){let r=Qd(),n={nonce:r,nonceHmac:er(r,t),...KZ(t)};t.logger.debug("Using new state:",n);let f=new URLSearchParams({redirect_uri:`https://${c}${t.callbackPath}`,response_type:"code",client_id:t.clientId,state:br(Buffer.from(JSON.stringify({nonce:n.nonce,requestedUri:u})).toString("base64")),scope:t.oauthScopes.join(" "),code_challenge_method:"S256",code_challenge:n.pkceHash}).toString();return mr(`https://${t.cognitoAuthDomain}/oauth2/authorize?${f}`,{cookies:[`spa-auth-edge-nonce=${encodeURIComponent(n.nonce)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-nonce-hmac=${encodeURIComponent(n.nonceHmac)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-pkce=${encodeURIComponent(n.pkce)}; ${t.cookieSettings.nonce}`]})}function KZ(t){let c=Dr.randomBytes(26).toString("hex"),u={pkce:c,pkceHash:br(Dr.createHash("sha256").update(c,"utf8").digest("base64"))};return t.logger.debug("Generated PKCE verifier:",u),u}
27
+ `;var qh=require("node:fs"),Dc=kt(require("node:path")),_h=require("node:url"),Kh=kt(vr(),1);var xr;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(xr||={});class Lr{logLevel;constructor(t){this.logLevel=t}jsonify(t){return t.map((c)=>{if(typeof c==="object")try{return JSON.stringify(c)}catch{return c}return c})}info(...t){if(this.logLevel>=30)console.log(...this.jsonify(t))}warn(...t){if(this.logLevel>=20)console.warn(...this.jsonify(t))}error(...t){if(this.logLevel>=10)console.error(...this.jsonify(t))}debug(...t){if(this.logLevel>=40)console.trace(...this.jsonify(t))}}var oW=_h.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),UW=Dc.dirname(oW);function sr(){let c=process.env.LAMBDA_TASK_ROOT||UW,u=Dc.join(c,"config.json");console.log("Loading config from",u);let r=JSON.parse(qh.readFileSync(u,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(r.userPoolId)[1]}.amazonaws.com/${r.userPoolId}`,d=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(Kh.parse(r.cookieSettings.nonce.toLowerCase())["max-age"]??"",10)||86400,...r,tokenIssuer:f,tokenJwksUri:d,logger:new Lr(xr[r.logLevel])}}function lW(t){return Object.entries(t).reduce((c,[u,r])=>Object.assign(c,{[u.toLowerCase()]:[{key:u,value:r}]}),{})}function mr(t,c){let u=c?.cookies?{"set-cookie":c.cookies.map((r)=>({key:"set-cookie",value:r}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:t}],...u}}}function Wh(t){return{body:QW(t),status:t.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function QW(t){let c={...t,region:process.env.AWS_REGION};return rh.replace(/\${([^}]*)}/g,(u,r)=>c[r]||"")}function Jh(t,c){if(!c)throw Error("Expected response value");return{...c,headers:{...c.headers??{},...lW(t.httpHeaders)}}}function wh(t){let c;return async(u)=>{if(!c)c=sr();c.logger.debug("Handling event:",u);let r=Jh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}function GZ(t){let c;return async(u)=>{if(!c)c=sr();c.logger.debug("Handling event:",u);let r=Jh(c,await t(c,u));return c.logger.debug("Returning response:",r),r}}var ZW=kt(vr(),1);var Ud=kt(s6(),1),GW=kt(OW(),1),od;function nZ(t){return"rsaPublicKey"in t}async function fZ(t,c){if(!od)od=GW.default({cache:!0,rateLimit:!0,jwksUri:t});let u=await od.getSigningKey(c);return nZ(u)?u.rsaPublicKey:u.publicKey}async function IW(t,c,u,r){let n=Ud.default.decode(t,{complete:!0});if(!n||typeof n==="string")return{validationError:Error("Cannot parse JWT token")};let f=n.header.kid;if(!f)return{validationError:Error("JWT header is missing 'kid' claim")};let d=await fZ(c,f);if(d instanceof Error)return{validationError:d};let h={audience:r,issuer:u,ignoreExpiration:!1};return new Promise((q)=>Ud.default.verify(t,d,h,(_)=>_?q({validationError:_}):q(void 0)))}function Nr(t){let u=t.split(".")[1].replace(/-/g,"+").replace(/_/g,"/");return JSON.parse(Buffer.from(u,"base64").toString())}function dZ(t){if(!t.cookie)return{};return t.cookie.reduce((u,r)=>({...u,...ZW.parse(r.value)}),{})}function Wt(t,c){if(c.toLowerCase().indexOf("domain")===-1)return`${c}; Domain=.${t}`;return c}function XW(t,c){let u=dZ(t);if(!u)return{};let r=`CognitoIdentityServiceProvider.${c}`,n=u[`${r}.LastAuthUser`];return{tokenUserName:n,idToken:u[`${r}.${n??""}.idToken`],accessToken:u[`${r}.${n??""}.accessToken`],refreshToken:u[`${r}.${n??""}.refreshToken`],scopes:u[`${r}.${n??""}.tokenScopesString`],nonce:u["spa-auth-edge-nonce"],nonceHmac:u["spa-auth-edge-nonce-hmac"],pkce:u["spa-auth-edge-pkce"]}}function cz(t){let c=Nr(t.tokens.idToken),u=c["cognito:username"],r=`CognitoIdentityServiceProvider.${t.clientId}`,n=`${r}.${u}.idToken`,f=`${r}.${u}.accessToken`,d=`${r}.${u}.refreshToken`,h=`${r}.LastAuthUser`,q=`${r}.${u}.tokenScopesString`,_=t.oauthScopes.join(" "),W=`${r}.${u}.userData`,J=JSON.stringify({UserAttributes:[{Name:"sub",Value:c.sub},{Name:"email",Value:c.email}],Username:u}),$={[n]:`${t.tokens.idToken}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,[f]:`${t.tokens.accessToken}; ${Wt(t.domainName,t.cookieSettings.accessToken)}`,[d]:`${t.tokens.refreshToken}; ${Wt(t.domainName,t.cookieSettings.refreshToken)}`,[h]:`${u}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,[q]:`${_}; ${Wt(t.domainName,t.cookieSettings.accessToken)}`,[W]:`${encodeURIComponent(J)}; ${Wt(t.domainName,t.cookieSettings.idToken)}`,"amplify-signin-with-hostedUI":`true; ${Wt(t.domainName,t.cookieSettings.accessToken)}`};if(t.event==="signOut")Object.keys($).forEach((w)=>$[w]=ld($[w]));else if(t.event==="refreshFailed")$[d]=ld($[d]);return["spa-auth-edge-nonce","spa-auth-edge-nonce-hmac","spa-auth-edge-pkce"].forEach((w)=>{$[w]=ld($[w])}),Object.entries($).map(([w,P])=>`${w}=${P}`)}function ld(t=""){let c=t.split(";").map((r)=>r.trim()).filter((r)=>!r.toLowerCase().startsWith("max-age")).filter((r)=>!r.toLowerCase().startsWith("expires")),u=`Expires=${new Date(0).toUTCString()}`;return["",...c.slice(1),u].join("; ")}var Tr=require("node:crypto");function hZ(t,c){let u=Number.parseInt(t.slice(0,t.indexOf("T")),10);if(Number.isNaN(u))return{clientError:"Invalid nonce"};if(EW()-u>c)return{clientError:`Nonce is too old (nonce is from ${new Date(u*1000).toISOString()})`}}function rz(t,c,u){let r=hZ(t,u.nonceMaxAge);if(r)return r;let n=er(t,u);if(n!==c)return{clientError:`Nonce signature mismatch! Expected ${n} but got ${c}`}}function Qd(){let t=Tr.randomBytes(16).toString("hex");return`${EW()}T${t}`}function er(t,c){return Tr.createHmac("sha256",c.nonceSigningSecret).update(t).digest("hex")}function EW(){return Date.now()/1000|0}var qZ=wh(async(t,c)=>{let u=c.Records[0].cf.request,r=u.headers.host[0].value,n=`${u.uri}${u.querystring?`?${u.querystring}`:""}`,{idToken:f,refreshToken:d,nonce:h,nonceHmac:q}=XW(u.headers,t.clientId);if(t.logger.debug("Extracted cookies:",{idToken:f,refreshToken:d,nonce:h,nonceHmac:q}),!f)return YW({config:t,domainName:r,requestedUri:n});let _=Nr(f),{exp:W}=_;if(t.logger.debug("ID token exp:",W,new Date(W*1000).toISOString()),Date.now()/1000>W-600&&d)return _Z({config:t,domainName:r,requestedUri:n});t.logger.info("Validating JWT");let J=await IW(f,t.tokenJwksUri,t.tokenIssuer,t.clientId);if(J!==void 0)return t.logger.debug("ID token not valid:",J.validationError),YW({config:t,domainName:r,requestedUri:n});if(t.logger.info("JWT is valid"),!zW(t,_))return Wh({title:"Not authorized",statusCode:"403",message:"You are not authorized for this resource.",details:"Your sign in was successful, but your user is not allowed to access this resource.",linkHref:`https://${r}${t.signOutPath}`,linkText:"Sign out"});return u});function zW(t,c){if(t.requireGroupAnyOf){let u=c["cognito:groups"]||[];if(!t.requireGroupAnyOf.some((r)=>u.includes(r)))return!1}return!0}function _Z({config:t,domainName:c,requestedUri:u}){t.logger.info("Redirecting to refresh endpoint");let r=Qd(),n=new URLSearchParams({requestedUri:u,nonce:r}).toString();return mr(`https://${c}${t.refreshAuthPath}?${n}`,{cookies:[`spa-auth-edge-nonce=${encodeURIComponent(r)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-nonce-hmac=${encodeURIComponent(er(r,t))}; ${t.cookieSettings.nonce}`]})}function YW({config:t,domainName:c,requestedUri:u}){let r=Qd(),n={nonce:r,nonceHmac:er(r,t),...KZ(t)};t.logger.debug("Using new state:",n);let f=new URLSearchParams({redirect_uri:`https://${c}${t.callbackPath}`,response_type:"code",client_id:t.clientId,state:br(Buffer.from(JSON.stringify({nonce:n.nonce,requestedUri:u})).toString("base64")),scope:t.oauthScopes.join(" "),code_challenge_method:"S256",code_challenge:n.pkceHash}).toString();return mr(`https://${t.cognitoAuthDomain}/oauth2/authorize?${f}`,{cookies:[`spa-auth-edge-nonce=${encodeURIComponent(n.nonce)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-nonce-hmac=${encodeURIComponent(n.nonceHmac)}; ${t.cookieSettings.nonce}`,`spa-auth-edge-pkce=${encodeURIComponent(n.pkce)}; ${t.cookieSettings.nonce}`]})}function KZ(t){let c=Dr.randomBytes(26).toString("hex"),u={pkce:c,pkceHash:br(Dr.createHash("sha256").update(c,"utf8").digest("base64"))};return t.logger.debug("Generated PKCE verifier:",u),u}
package/dist/http-headers/index.js CHANGED
@@ -18,4 +18,4 @@ var L=Object.create;var{getPrototypeOf:m,defineProperty:C,getOwnPropertyNames:W,
18
18
  </p>
19
19
  </body>
20
20
  </html>
21
- `;var A=require("node:fs"),$=B(require("node:path")),M=require("node:url"),N=B(Z(),1);var a;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(a||={});class j{logLevel;constructor(u){this.logLevel=u}jsonify(u){return u.map((t)=>{if(typeof t==="object")try{return JSON.stringify(t)}catch{return t}return t})}info(...u){if(this.logLevel>=30)console.log(...this.jsonify(u))}warn(...u){if(this.logLevel>=20)console.warn(...this.jsonify(u))}error(...u){if(this.logLevel>=10)console.error(...this.jsonify(u))}debug(...u){if(this.logLevel>=40)console.trace(...this.jsonify(u))}}var hu=M.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),Hu=$.dirname(hu);function E(){let t=process.env.LAMBDA_TASK_ROOT||Hu,r=$.join(t,"config.json");console.log("Loading config from",r);let n=JSON.parse(A.readFileSync(r,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(n.userPoolId)[1]}.amazonaws.com/${n.userPoolId}`,g=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(N.parse(n.cookieSettings.nonce.toLowerCase())["max-age"],10)||86400,...n,tokenIssuer:f,tokenJwksUri:g,logger:new j(a[n.logLevel])}}function Ru(u){return Object.entries(u).reduce((t,[r,n])=>Object.assign(t,{[r.toLowerCase()]:[{key:r,value:n}]}),{})}function au(u,t){let r=t?.cookies?{"set-cookie":t.cookies.map((n)=>({key:"set-cookie",value:n}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:u}],...r}}}function ju(u){return{body:Fu(u),status:u.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function Fu(u){let t={...u,region:process.env.AWS_REGION};return J.replace(/\${([^}]*)}/g,(r,n)=>t[n]||"")}function U(u,t){if(!t)throw Error("Expected response value");return{...t,headers:{...t.headers??{},...Ru(u.httpHeaders)}}}function Eu(u){let t;return async(r)=>{if(!t)t=E();t.logger.debug("Handling event:",r);let n=U(t,await u(t,r));return t.logger.debug("Returning response:",n),n}}function V(u){let t;return async(r)=>{if(!t)t=E();t.logger.debug("Handling event:",r);let n=U(t,await u(t,r));return t.logger.debug("Returning response:",n),n}}var yu=V(async(u,t)=>t.Records[0].cf.response);
21
+ `;var A=require("node:fs"),$=B(require("node:path")),M=require("node:url"),N=B(Z(),1);var a;((f)=>{f[f.none=0]="none";f[f.error=10]="error";f[f.warn=20]="warn";f[f.info=30]="info";f[f.debug=40]="debug"})(a||={});class j{logLevel;constructor(u){this.logLevel=u}jsonify(u){return u.map((t)=>{if(typeof t==="object")try{return JSON.stringify(t)}catch{return t}return t})}info(...u){if(this.logLevel>=30)console.log(...this.jsonify(u))}warn(...u){if(this.logLevel>=20)console.warn(...this.jsonify(u))}error(...u){if(this.logLevel>=10)console.error(...this.jsonify(u))}debug(...u){if(this.logLevel>=40)console.trace(...this.jsonify(u))}}var hu=M.fileURLToPath("file:///home/runner/work/cdk-cloudfront-auth/cdk-cloudfront-auth/src/handlers/util/config.ts"),Hu=$.dirname(hu);function E(){let t=process.env.LAMBDA_TASK_ROOT||Hu,r=$.join(t,"config.json");console.log("Loading config from",r);let n=JSON.parse(A.readFileSync(r,"utf-8")),f=`https://cognito-idp.${/^(\S+?)_\S+$/.exec(n.userPoolId)[1]}.amazonaws.com/${n.userPoolId}`,g=`${f}/.well-known/jwks.json`;return{nonceMaxAge:Number.parseInt(N.parse(n.cookieSettings.nonce.toLowerCase())["max-age"]??"",10)||86400,...n,tokenIssuer:f,tokenJwksUri:g,logger:new j(a[n.logLevel])}}function Ru(u){return Object.entries(u).reduce((t,[r,n])=>Object.assign(t,{[r.toLowerCase()]:[{key:r,value:n}]}),{})}function au(u,t){let r=t?.cookies?{"set-cookie":t.cookies.map((n)=>({key:"set-cookie",value:n}))}:{};return{status:"307",statusDescription:"Temporary Redirect",headers:{location:[{key:"location",value:u}],...r}}}function ju(u){return{body:Fu(u),status:u.statusCode??"500",headers:{"content-type":[{key:"Content-Type",value:"text/html; charset=UTF-8"}]}}}function Fu(u){let t={...u,region:process.env.AWS_REGION};return J.replace(/\${([^}]*)}/g,(r,n)=>t[n]||"")}function U(u,t){if(!t)throw Error("Expected response value");return{...t,headers:{...t.headers??{},...Ru(u.httpHeaders)}}}function Eu(u){let t;return async(r)=>{if(!t)t=E();t.logger.debug("Handling event:",r);let n=U(t,await u(t,r));return t.logger.debug("Returning response:",n),n}}function V(u){let t;return async(r)=>{if(!t)t=E();t.logger.debug("Handling event:",r);let n=U(t,await u(t,r));return t.logger.debug("Returning response:",n),n}}var yu=V(async(u,t)=>t.Records[0].cf.response);