Correct auth header generation, log API access

ScottLogic · Aug 9, 2024 · d0696d6 · d0696d6
1 parent c303852
commit d0696d6
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/cloud/lib/auth-stack.ts b/cloud/lib/auth-stack.ts
@@ -10,6 +10,7 @@ import {
 import { StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { CfnOutput, Duration, RemovalPolicy, Stack, StackProps, Tags } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
+import { randomUUID } from 'node:crypto';
 
 import { appName, resourceId, stageName } from './resourceNamingUtils';
 
@@ -19,7 +20,7 @@ type AuthStackProps = StackProps & {
 
 export class AuthStack extends Stack {
  public readonly customAuthHeaderName = 'X-Origin-Verified';
- public readonly customAuthHeaderValue = 'todo-generate-uuid-in-pipeline';
+ public readonly customAuthHeaderValue: string;
  public readonly parameterNameUserPoolId: string;
  public readonly parameterNameUserPoolClient: string;
  public readonly userPoolId: CfnOutput;
@@ -37,6 +38,9 @@ export class AuthStack extends Stack {
  throw new Error('Region not defined in stack env, cannot continue!');
  }
 
+ // Regenerated each time we deploy the stacks:
+ this.customAuthHeaderValue = randomUUID();
+
  /*
  User Pool - including attribute claims and password policy
  */

diff --git a/cloud/lib/lambdas/verifyAuth/index.ts b/cloud/lib/lambdas/verifyAuth/index.ts
@@ -100,7 +100,8 @@ export const handler = async (event: CloudFrontRequestEvent) => {
  try {
  // Maybe change to using cookie for tokens?
  const accessToken = request.headers.authorization[0].value;
- await verifier.verify(accessToken, {} as CognitoVerifyProperties);
+ const jwt = await verifier.verify(accessToken, {} as CognitoVerifyProperties);
+ console.log(`Access verified for [${jwt['username']}]`);
  return request;
  } catch (err: unknown) {
  console.log('Unable to verify access token', err);