diff --git a/cloud/lib/auth-stack.ts b/cloud/lib/auth-stack.ts index 898981aa..0537bb09 100644 --- a/cloud/lib/auth-stack.ts +++ b/cloud/lib/auth-stack.ts @@ -10,6 +10,7 @@ import { import { StringParameter } from 'aws-cdk-lib/aws-ssm'; import { CfnOutput, Duration, RemovalPolicy, Stack, StackProps, Tags } from 'aws-cdk-lib/core'; import { Construct } from 'constructs'; +import { randomUUID } from 'node:crypto'; import { appName, resourceId, stageName } from './resourceNamingUtils'; @@ -19,7 +20,7 @@ type AuthStackProps = StackProps & { export class AuthStack extends Stack { public readonly customAuthHeaderName = 'X-Origin-Verified'; - public readonly customAuthHeaderValue = 'todo-generate-uuid-in-pipeline'; + public readonly customAuthHeaderValue: string; public readonly parameterNameUserPoolId: string; public readonly parameterNameUserPoolClient: string; public readonly userPoolId: CfnOutput; @@ -37,6 +38,9 @@ export class AuthStack extends Stack { throw new Error('Region not defined in stack env, cannot continue!'); } + // Regenerated each time we deploy the stacks: + this.customAuthHeaderValue = randomUUID(); + /* User Pool - including attribute claims and password policy */ diff --git a/cloud/lib/lambdas/verifyAuth/index.ts b/cloud/lib/lambdas/verifyAuth/index.ts index 6b55923b..fc7cf39a 100644 --- a/cloud/lib/lambdas/verifyAuth/index.ts +++ b/cloud/lib/lambdas/verifyAuth/index.ts @@ -6,6 +6,7 @@ import type { CognitoVerifyProperties, CognitoJwtVerifierSingleUserPool, } from 'aws-jwt-verify/cognito-verifier'; +import type { CognitoAccessTokenPayload } from 'aws-jwt-verify/jwt-model'; import type { CloudFrontRequestEvent, CloudFrontResponse } from 'aws-lambda'; // Leave these alone! They are replaced verbatim by esbuild, see ui-stack @@ -100,7 +101,10 @@ export const handler = async (event: CloudFrontRequestEvent) => { try { // Maybe change to using cookie for tokens? const accessToken = request.headers.authorization[0].value; - await verifier.verify(accessToken, {} as CognitoVerifyProperties); + const jwt = (await verifier.verify(accessToken, { + tokenUse: 'access', + } as CognitoVerifyProperties)) as CognitoAccessTokenPayload; + console.log(`Access verified for [${jwt.username}]`); return request; } catch (err: unknown) { console.log('Unable to verify access token', err); diff --git a/frontend/src/models/overlay.ts b/frontend/src/models/overlay.ts deleted file mode 100644 index 49b07db1..00000000 --- a/frontend/src/models/overlay.ts +++ /dev/null @@ -1,11 +0,0 @@ -enum OVERLAY_TYPE { - WELCOME, - HANDBOOK, - INFORMATION, - LEVELS_COMPLETE, - DOCUMENTS, - RESET_LEVEL, - RESET_PROGRESS, -} - -export { OVERLAY_TYPE };