Correct auth header generation, log API access

ScottLogic · Aug 13, 2024 · d70d549 · d70d549
1 parent c303852
commit d70d549
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 14 deletions.
diff --git a/.github/workflows/cloud.yml b/.github/workflows/cloud.yml
@@ -15,7 +15,7 @@ defaults:
  working-directory: ./cloud
 
 jobs:
- code-checks:
+ lint-format:
  runs-on: ubuntu-latest
  strategy:
  matrix:

diff --git a/cloud/lib/auth-stack.ts b/cloud/lib/auth-stack.ts
@@ -10,6 +10,7 @@ import {
 import { StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { CfnOutput, Duration, RemovalPolicy, Stack, StackProps, Tags } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
+import { randomUUID } from 'node:crypto';
 
 import { appName, resourceId, stageName } from './resourceNamingUtils';
 
@@ -19,7 +20,7 @@ type AuthStackProps = StackProps & {
 
 export class AuthStack extends Stack {
  public readonly customAuthHeaderName = 'X-Origin-Verified';
- public readonly customAuthHeaderValue = 'todo-generate-uuid-in-pipeline';
+ public readonly customAuthHeaderValue: string;
  public readonly parameterNameUserPoolId: string;
  public readonly parameterNameUserPoolClient: string;
  public readonly userPoolId: CfnOutput;
@@ -37,6 +38,9 @@ export class AuthStack extends Stack {
  throw new Error('Region not defined in stack env, cannot continue!');
  }
 
+ // Regenerated each time we deploy the stacks:
+ this.customAuthHeaderValue = randomUUID();
+
  /*
  User Pool - including attribute claims and password policy
  */

diff --git a/cloud/lib/lambdas/verifyAuth/index.ts b/cloud/lib/lambdas/verifyAuth/index.ts
@@ -6,6 +6,7 @@ import type {
  CognitoVerifyProperties,
  CognitoJwtVerifierSingleUserPool,
 } from 'aws-jwt-verify/cognito-verifier';
+import type { CognitoAccessTokenPayload } from 'aws-jwt-verify/jwt-model';
 import type { CloudFrontRequestEvent, CloudFrontResponse } from 'aws-lambda';
 
 // Leave these alone! They are replaced verbatim by esbuild, see ui-stack
@@ -100,7 +101,10 @@ export const handler = async (event: CloudFrontRequestEvent) => {
  try {
  // Maybe change to using cookie for tokens?
  const accessToken = request.headers.authorization[0].value;
- await verifier.verify(accessToken, {} as CognitoVerifyProperties);
+ const jwt = (await verifier.verify(accessToken, {
+ tokenUse: 'access',
+ } as CognitoVerifyProperties)) as CognitoAccessTokenPayload;
+ console.log(`Access verified for [${jwt.username}]`);
  return request;
  } catch (err: unknown) {
  console.log('Unable to verify access token', err);

diff --git a/frontend/src/models/overlay.ts b/frontend/src/models/overlay.ts