sst 2.23.11 → 2.23.12

@@ -90,25 +90,21 @@ export const bind = (program) => program
90
90
  function isInSsrSite() {
91
91
  const cwd = process.cwd();
92
92
  return useSsrSites().all.find(({ props }) => {
93
- console.log(path.resolve(project.paths.root, props.path));
94
93
  return path.resolve(project.paths.root, props.path) === cwd;
95
94
  });
96
95
  }
97
96
  function isInStaticSite() {
98
97
  const cwd = process.cwd();
99
98
  return (useStaticSites().all.find(({ props }) => {
100
- console.log(path.resolve(project.paths.root, props.path));
101
99
  return path.resolve(project.paths.root, props.path) === cwd;
102
100
  }) ||
103
101
  useSlsNextjsSites().all.find(({ props }) => {
104
- console.log(path.resolve(project.paths.root, props.path));
105
102
  return path.resolve(project.paths.root, props.path) === cwd;
106
103
  }));
107
104
  }
108
105
  function isInService() {
109
106
  const cwd = process.cwd();
110
107
  return useServices().all.find(({ props }) => {
111
- console.log(path.resolve(project.paths.root, props.path));
112
108
  return path.resolve(project.paths.root, props.path) === cwd;
113
109
  });
114
110
  }
@@ -22,15 +22,14 @@ export declare class EdgeFunction extends Construct {
22
22
  role: Role;
23
23
  functionArn: string;
24
24
  function: CdkIFunction;
25
+ currentVersion: IVersion;
25
26
  private functionCR;
26
27
  private assetReplacer;
27
28
  private assetReplacerPolicy;
28
29
  private scope;
29
- private versionId;
30
30
  private bindingEnvs;
31
31
  private props;
32
32
  constructor(scope: Construct, id: string, props: EdgeFunctionProps);
33
- get currentVersion(): IVersion;
34
33
  build(): Promise<void>;
35
34
  attachPermissions(permissions: Permissions): void;
36
35
  addEnvironment(key: string, value: string): void;
@@ -24,11 +24,11 @@ export class EdgeFunction extends Construct {
24
24
  role;
25
25
  functionArn;
26
26
  function;
27
+ currentVersion;
27
28
  functionCR;
28
29
  assetReplacer;
29
30
  assetReplacerPolicy;
30
31
  scope;
31
- versionId;
32
32
  bindingEnvs;
33
33
  props;
34
34
  constructor(scope, id, props) {
@@ -64,13 +64,10 @@ export class EdgeFunction extends Construct {
64
64
  });
65
65
  this.functionCR = fn;
66
66
  this.functionArn = fnArn;
67
- this.versionId = versionId;
67
+ this.currentVersion = Version.fromVersionArn(this, `${id}FunctionVersion`, `${fnArn}:${versionId}`);
68
68
  this.assetReplacer = assetReplacer;
69
69
  this.assetReplacerPolicy = assetReplacerPolicy;
70
70
  }
71
- get currentVersion() {
72
- return Version.fromVersionArn(this, `${this.node.id}FunctionVersion`, `${this.functionArn}:${this.versionId}`);
73
- }
74
71
  async build() {
75
72
  const { bundle, handler } = this.props;
76
73
  const { asset, handlerFilename } = bundle
@@ -4,7 +4,7 @@ import { Fn, Duration as CdkDuration, RemovalPolicy, CustomResource, } from "aws
4
4
  import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
5
5
  import { RetentionDays } from "aws-cdk-lib/aws-logs";
6
6
  import { Code, Runtime, Architecture, Function as CdkFunction, FunctionUrlAuthType, } from "aws-cdk-lib/aws-lambda";
7
- import { ViewerProtocolPolicy, AllowedMethods, CachedMethods, } from "aws-cdk-lib/aws-cloudfront";
7
+ import { ViewerProtocolPolicy, AllowedMethods, CachedMethods, LambdaEdgeEventType, } from "aws-cdk-lib/aws-cloudfront";
8
8
  import { HttpOrigin } from "aws-cdk-lib/aws-cloudfront-origins";
9
9
  import { Rule, Schedule } from "aws-cdk-lib/aws-events";
10
10
  import { LambdaFunction } from "aws-cdk-lib/aws-events-targets";
@@ -314,10 +314,12 @@ export class NextjsSite extends SsrSite {
314
314
  ]);
315
315
  }
316
316
  buildImageBehavior(cachePolicy) {
317
- const { cdk } = this.props;
317
+ const { cdk, regional } = this.props;
318
318
  const imageFn = this.createImageOptimizationFunction();
319
319
  const imageFnUrl = imageFn.addFunctionUrl({
320
- authType: FunctionUrlAuthType.NONE,
320
+ authType: regional?.enableServerUrlIamAuth
321
+ ? FunctionUrlAuthType.AWS_IAM
322
+ : FunctionUrlAuthType.NONE,
321
323
  });
322
324
  return {
323
325
  viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
@@ -327,6 +329,24 @@ export class NextjsSite extends SsrSite {
327
329
  compress: true,
328
330
  cachePolicy,
329
331
  responseHeadersPolicy: cdk?.responseHeadersPolicy,
332
+ edgeLambdas: regional?.enableServerUrlIamAuth
333
+ ? [
334
+ (() => {
335
+ const fn = this.useServerUrlSigningFunction();
336
+ fn.attachPermissions([
337
+ new PolicyStatement({
338
+ actions: ["lambda:InvokeFunctionUrl"],
339
+ resources: [imageFn.functionArn],
340
+ }),
341
+ ]);
342
+ return {
343
+ includeBody: true,
344
+ eventType: LambdaEdgeEventType.ORIGIN_REQUEST,
345
+ functionVersion: fn.currentVersion,
346
+ };
347
+ })(),
348
+ ]
349
+ : [],
330
350
  };
331
351
  }
332
352
  generateBuildId() {
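Review bot: The `lambda:InvokeFunctionUrl` grant on `imageFn.functionArn` is attached as a side effect inside an IIFE in the `edgeLambdas` array of `buildImageBehavior`, so an IAM change is hidden in what reads as a plain options literal. Hoisting it above the `return`, with `const signingFn = this.useServerUrlSigningFunction();` followed by the `attachPermissions` call, keeps the behavior and makes the grant visible in review. The flag is read from `regional`, but nothing visible here checks that the site is deployed regionally. If `buildImageBehavior` also runs for edge deployments, the image URL would switch to `FunctionUrlAuthType.AWS_IAM` while the signing function is created around a regional server function that may not exist, so a guard or a comment stating the intended scope would help. `buildImageBehavior` spans two hunks and the lines between them are not shown.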
@@ -1,6 +1,6 @@
1
1
  import { Construct } from "constructs";
2
2
  import { Bucket, BucketProps, IBucket } from "aws-cdk-lib/aws-s3";
3
- import { IFunction as ICdkFunction, FunctionProps } from "aws-cdk-lib/aws-lambda";
3
+ import { FunctionProps } from "aws-cdk-lib/aws-lambda";
4
4
  import { ICachePolicy, IResponseHeadersPolicy, BehaviorOptions, CachePolicy, Function as CfFunction, FunctionEventType as CfFunctionEventType } from "aws-cdk-lib/aws-cloudfront";
5
5
  import { Distribution, DistributionDomainProps } from "./Distribution.js";
6
6
  import { SSTConstruct } from "./Construct.js";
@@ -136,6 +136,13 @@ export interface SsrSiteProps {
136
136
  * ```
137
137
  */
138
138
  environment?: Record<string, string>;
139
+ regional?: {
140
+ /**
141
+ * Secure the server function URL using AWS IAM authentication. By default, the server function URL is publicly accessible. When this flag is enabled, the server function URL will require IAM authorization, and a Lambda@Edge function will sign the requests. Be aware that this introduces added latency to the requests.
142
+ * @default false
143
+ */
144
+ enableServerUrlIamAuth?: boolean;
145
+ };
139
146
  dev?: {
140
147
  /**
141
148
  * When running `sst dev, site is not deployed. This is to ensure `sst dev` can start up quickly.
@@ -275,6 +282,7 @@ export declare abstract class SsrSite extends Construct implements SSTConstruct
275
282
  protected serverLambdaForEdge?: EdgeFunction;
276
283
  protected serverLambdaForRegional?: SsrFunction;
277
284
  private serverLambdaForDev?;
285
+ private serverUrlSigningFunction?;
278
286
  protected bucket: Bucket;
279
287
  private cfFunction;
280
288
  private s3Origin;
@@ -293,7 +301,7 @@ export declare abstract class SsrSite extends Construct implements SSTConstruct
293
301
  * The internally created CDK resources.
294
302
  */
295
303
  get cdk(): {
296
- function: ICdkFunction | undefined;
304
+ function: import("aws-cdk-lib/aws-lambda").IFunction | undefined;
297
305
  bucket: Bucket;
298
306
  distribution: import("aws-cdk-lib/aws-cloudfront").IDistribution;
299
307
  hostedZone: import("aws-cdk-lib/aws-route53").IHostedZone | undefined;
@@ -343,6 +351,7 @@ export declare abstract class SsrSite extends Construct implements SSTConstruct
343
351
  protected createCloudFrontDistributionForRegional(): Distribution;
344
352
  protected createCloudFrontDistributionForEdge(): Distribution;
345
353
  protected buildDefaultBehaviorForRegional(cachePolicy: ICachePolicy): BehaviorOptions;
354
+ protected useServerUrlSigningFunction(): EdgeFunction;
346
355
  protected buildDefaultBehaviorForEdge(cachePolicy: ICachePolicy): BehaviorOptions;
347
356
  protected buildBehaviorFunctionAssociations(): {
348
357
  eventType: CfFunctionEventType;
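Review bot: The TSDoc on `enableServerUrlIamAuth` does not state the scope or the limits of the flag, and a reader deciding whether to enable it needs both. Elsewhere in this release `NextjsSite.buildImageBehavior` switches the image optimization function URL on the same flag, and the signing association is added with `includeBody: true`. I would add a line such as `* Applies to regional deployments only; for NextjsSite the image optimization function URL follows the same setting.` and a second such as `* Requests are signed at the edge with the body included, so Lambda@Edge request body size limits apply.` It would also help to say that while the flag is off the function URL can be called directly, which bypasses any controls placed on the CloudFront distribution. The `regional` block sits inside `SsrSiteProps`, which starts and ends outside the hunk.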
@@ -21,6 +21,7 @@ import { createAppContext } from "./context.js";
21
21
  import { isCDKConstruct } from "./Construct.js";
22
22
  import { Secret } from "./Secret.js";
23
23
  import { SsrFunction } from "./SsrFunction.js";
24
+ import { EdgeFunction } from "./EdgeFunction.js";
24
25
  import { getBuildCmdEnvironment, } from "./BaseSite.js";
25
26
  import { useDeferredTasks } from "./deferred_task.js";
26
27
  import { toCdkDuration } from "./util/duration.js";
@@ -48,6 +49,7 @@ export class SsrSite extends Construct {
48
49
  serverLambdaForEdge;
49
50
  serverLambdaForRegional;
50
51
  serverLambdaForDev;
52
+ serverUrlSigningFunction;
51
53
  bucket;
52
54
  cfFunction;
53
55
  s3Origin;
@@ -101,6 +103,7 @@ export class SsrSite extends Construct {
101
103
  // Build server functions
102
104
  await this.serverLambdaForEdge?.build();
103
105
  await this.serverLambdaForRegional?.build();
106
+ await this.serverUrlSigningFunction?.build();
104
107
  // Create S3 Deployment
105
108
  const cliLayer = new AwsCliLayer(this, "AwsCliLayer");
106
109
  const assets = this.createS3Assets();
@@ -539,10 +542,12 @@ function handler(event) {
539
542
  });
540
543
  }
541
544
  buildDefaultBehaviorForRegional(cachePolicy) {
542
- const { timeout, cdk } = this.props;
545
+ const { timeout, regional, cdk } = this.props;
543
546
  const cfDistributionProps = cdk?.distribution || {};
544
547
  const fnUrl = this.serverLambdaForRegional.addFunctionUrl({
545
- authType: FunctionUrlAuthType.NONE,
548
+ authType: regional?.enableServerUrlIamAuth
549
+ ? FunctionUrlAuthType.AWS_IAM
550
+ : FunctionUrlAuthType.NONE,
546
551
  invokeMode: this.supportsStreaming()
547
552
  ? InvokeMode.RESPONSE_STREAM
548
553
  : undefined,
@@ -565,8 +570,38 @@ function handler(event) {
565
570
  ...this.buildBehaviorFunctionAssociations(),
566
571
  ...(cfDistributionProps.defaultBehavior?.functionAssociations || []),
567
572
  ],
573
+ edgeLambdas: [
574
+ ...(regional?.enableServerUrlIamAuth
575
+ ? [
576
+ {
577
+ includeBody: true,
578
+ eventType: LambdaEdgeEventType.ORIGIN_REQUEST,
579
+ functionVersion: this.useServerUrlSigningFunction().currentVersion,
580
+ },
581
+ ]
582
+ : []),
583
+ ...(cfDistributionProps.defaultBehavior?.edgeLambdas || []),
584
+ ],
568
585
  };
569
586
  }
587
+ useServerUrlSigningFunction() {
588
+ this.serverUrlSigningFunction =
589
+ this.serverUrlSigningFunction ??
590
+ new EdgeFunction(this, "ServerUrlSigningFunction", {
591
+ bundle: path.join(__dirname, "../support/signing-function"),
592
+ runtime: "nodejs18.x",
593
+ handler: "index.handler",
594
+ timeout: 10,
595
+ memorySize: 128,
596
+ permissions: [
597
+ new PolicyStatement({
598
+ actions: ["lambda:InvokeFunctionUrl"],
599
+ resources: [this.serverLambdaForRegional?.functionArn],
600
+ }),
601
+ ],
602
+ });
603
+ return this.serverUrlSigningFunction;
604
+ }
570
605
  buildDefaultBehaviorForEdge(cachePolicy) {
571
606
  const { cdk } = this.props;
572
607
  const cfDistributionProps = cdk?.distribution || {};
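Review bot: In `useServerUrlSigningFunction`, `resources: [this.serverLambdaForRegional?.functionArn]` lets an undefined ARN reach the signing function's IAM statement whenever the regional server function has not been created, and the failure would presumably only show up later at synth or deploy. A guard before constructing the `EdgeFunction`, for example `if (!this.serverLambdaForRegional) throw new Error("enableServerUrlIamAuth requires a regional server function");`, fails early with a clear message. Separately, `buildDefaultBehaviorForRegional` places the signing association ahead of `cfDistributionProps.defaultBehavior?.edgeLambdas`. CloudFront accepts one Lambda@Edge function per event type on a behavior, so a user-supplied `LambdaEdgeEventType.ORIGIN_REQUEST` entry would collide with the signer and should be rejected or documented as unsupported when the flag is on. `buildDefaultBehaviorForRegional` starts in the previous hunk and part of its body is not shown.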
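--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
  {
  "sideEffects": false,
  "name": "sst",
- "version": "2.23.11",
+ "version": "2.23.12",
  "bin": {
  "sst": "cli/sst.js"
  },
@@ -31,6 +31,7 @@
  "@aws-cdk/cloud-assembly-schema": "2.84.0",
  "@aws-cdk/cloudformation-diff": "2.84.0",
  "@aws-cdk/cx-api": "2.84.0",
+ "@aws-crypto/sha256-js": "^5.0.0",
  "@aws-sdk/client-cloudformation": "^3.279.0",
  "@aws-sdk/client-ecs": "^3.279.0",
  "@aws-sdk/client-eventbridge": "^3.342.0",
@@ -51,6 +52,7 @@
  "@babel/core": "^7.0.0-0",
  "@babel/generator": "^7.20.5",
  "@babel/plugin-syntax-typescript": "^7.21.4",
+ "@smithy/signature-v4": "^2.0.1",
  "@trpc/server": "9.16.0",
  "adm-zip": "^0.5.10",
  "aws-cdk-lib": "2.84.0",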
@@ -113935,7 +113935,7 @@ var require_dist_cjs109 = __commonJS({
113935
113935
  "../../node_modules/.pnpm/@aws-sdk+types@3.208.0/node_modules/@aws-sdk/types/dist-cjs/index.js"(exports) {
113936
113936
  "use strict";
113937
113937
  Object.defineProperty(exports, "__esModule", { value: true });
113938
- var tslib_1 = (init_tslib_es6(), __toCommonJS(tslib_es6_exports));
113938
+ var tslib_1 = (init_tslib_es62(), __toCommonJS(tslib_es6_exports2));
113939
113939
  tslib_1.__exportStar(require_abort2(), exports);
113940
113940
  tslib_1.__exportStar(require_auth3(), exports);
113941
113941
  tslib_1.__exportStar(require_client4(), exports);