From 9fee899e5d311eba49107ea0142dbb9d28e36619 Mon Sep 17 00:00:00 2001
From: Chris Wilton-Magras
Date: Fri, 9 Aug 2024 16:59:11 +0100
Subject: [PATCH] Correct auth header generation, log API access

---
 cloud/lib/auth-stack.ts | 6 +++++-
 cloud/lib/lambdas/verifyAuth/index.ts | 6 +++++-
 frontend/src/models/overlay.ts | 11 -----------
 3 files changed, 10 insertions(+), 13 deletions(-)
 delete mode 100644 frontend/src/models/overlay.ts

diff --git a/cloud/lib/auth-stack.ts b/cloud/lib/auth-stack.ts
index 898981aa9..0537bb095 100644
--- a/cloud/lib/auth-stack.ts
+++ b/cloud/lib/auth-stack.ts
@@ -10,6 +10,7 @@ import {
 import { StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { CfnOutput, Duration, RemovalPolicy, Stack, StackProps, Tags } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
+import { randomUUID } from 'node:crypto';
 import { appName, resourceId, stageName } from './resourceNamingUtils';
@@ -19,7 +20,7 @@ type AuthStackProps = StackProps & {
 export class AuthStack extends Stack {
 public readonly customAuthHeaderName = 'X-Origin-Verified';
- public readonly customAuthHeaderValue = 'todo-generate-uuid-in-pipeline';
+ public readonly customAuthHeaderValue: string;
 public readonly parameterNameUserPoolId: string;
 public readonly parameterNameUserPoolClient: string;
 public readonly userPoolId: CfnOutput;
@@ -37,6 +38,9 @@ export class AuthStack extends Stack {
 throw new Error('Region not defined in stack env, cannot continue!');
 }
+ // Regenerated each time we deploy the stacks:
+ this.customAuthHeaderValue = randomUUID();
+
 /* User Pool - including attribute claims and password policy */
diff --git a/cloud/lib/lambdas/verifyAuth/index.ts b/cloud/lib/lambdas/verifyAuth/index.ts
index 6b55923b3..fc7cf39ae 100644
--- a/cloud/lib/lambdas/verifyAuth/index.ts
+++ b/cloud/lib/lambdas/verifyAuth/index.ts
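Review bot: `this.customAuthHeaderValue = randomUUID()` in the `@@ -37,6 +38,9 @@` hunk is evaluated at synth time, so the value changes on every `cdk synth` or `cdk diff`, not only on deploy, and the comment above it should say so, e.g. `// New value on every synth: every stack that embeds this header must be deployed from the same synth, or the origin check and the CloudFront header will disagree.` Which constructs consume the value is outside the hunk, but anything that reads `customAuthHeaderValue` from this stack object will presumably embed it in a template as plaintext, so the synthesized templates in cdk.out and CloudFormation's stored template should be treated as holding the secret. The constructor this line sits in starts and ends outside the hunk.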
@@ -6,6 +6,7 @@ import type {
 CognitoVerifyProperties,
 CognitoJwtVerifierSingleUserPool,
 } from 'aws-jwt-verify/cognito-verifier';
+import type { CognitoAccessTokenPayload } from 'aws-jwt-verify/jwt-model';
 import type { CloudFrontRequestEvent, CloudFrontResponse } from 'aws-lambda';
 // Leave these alone! They are replaced verbatim by esbuild, see ui-stack
@@ -100,7 +101,10 @@ export const handler = async (event: CloudFrontRequestEvent) => {
 try {
 // Maybe change to using cookie for tokens?
 const accessToken = request.headers.authorization[0].value;
- await verifier.verify(accessToken, {} as CognitoVerifyProperties);
+ const jwt = (await verifier.verify(accessToken, {
+ tokenUse: 'access',
+ } as CognitoVerifyProperties)) as CognitoAccessTokenPayload;
+ console.log(`Access verified for [${jwt.username}]`);
 return request;
 } catch (err: unknown) {
 console.log('Unable to verify access token', err);
diff --git a/frontend/src/models/overlay.ts b/frontend/src/models/overlay.ts
deleted file mode 100644
index 49b07db1a..000000000
--- a/frontend/src/models/overlay.ts
+++ /dev/null
@@ -1,11 +0,0 @@
-enum OVERLAY_TYPE {
- WELCOME,
- HANDBOOK,
- INFORMATION,
- LEVELS_COMPLETE,
- DOCUMENTS,
- RESET_LEVEL,
- RESET_PROGRESS,
-}
-
-export { OVERLAY_TYPE };
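Review bot: The two assertions around `verifier.verify` in the `@@ -100,7 +101,10 @@` hunk look like they paper over a typing gap rather than state a known fact: `{ tokenUse: 'access' } as CognitoVerifyProperties` widens the literal so the library can no longer infer the access-token payload, which is what then forces the `as CognitoAccessTokenPayload` on the result. If the verifier was created without a fixed `tokenUse` (its construction is outside the hunk), `const jwt = await verifier.verify(accessToken, { tokenUse: 'access' });` should type-check on its own and give `jwt.username` without the second cast; if it does not, the mismatch is better fixed where the verifier is constructed than hidden here. The new `console.log` writes the username for every verified request, so confirm that per-user logging at this volume is intended for these logs, or log `jwt.sub` if a stable, less identifying key is enough for the audit trail. `handler` starts and ends outside the hunk.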