Correct auth header generation, log API access

Author: chriswilty

.github/workflows/cloud.yml

@@ -15,7 +15,7 @@ defaults:
     working-directory: ./cloud
 
 jobs:
-  code-checks:
+  lint-format:
     runs-on: ubuntu-latest
     strategy:
       matrix:

cloud/.eslintrc.cjs

@@ -16,7 +16,7 @@ module.exports = {
 	},
 	plugins: ['@typescript-eslint'],
 	root: true,
-	ignorePatterns: ['node_modules', 'cdk.out'],
+	ignorePatterns: ['node_modules', 'cdk*.out'],
 	rules: {
 		eqeqeq: 'error',
 		'func-style': ['error', 'expression', { allowArrowFunctions: true }],

cloud/.gitignore

@@ -5,4 +5,4 @@ node_modules
 
 # CDK asset staging directory
 .cdk.staging
-cdk.out
+cdk*.out

cloud/cdk.context.json

@@ -5,5 +5,13 @@
 		"eu-north-1b",
 		"eu-north-1c"
 	],
-	"ami:account=992382568770:filters.image-type.0=machine:filters.name.0=fck-nat-al2023-*-x86_64-ebs:filters.state.0=available:owners.0=568608671756:region=eu-north-1": "ami-0acc1d35233e84277"
+	"ami:account=992382568770:filters.image-type.0=machine:filters.name.0=fck-nat-al2023-*-x86_64-ebs:filters.state.0=available:owners.0=568608671756:region=eu-north-1": "ami-0acc1d35233e84277",
+	"cloudfront-prefix-list:account=992382568770:region=eu-north-1": "pl-fab65393",
+	"availability-zones:account=992382568770:region=eu-west-1": [
+		"eu-west-1a",
+		"eu-west-1b",
+		"eu-west-1c"
+	],
+	"ami:account=992382568770:filters.image-type.0=machine:filters.name.0=fck-nat-al2023-*-x86_64-ebs:filters.state.0=available:owners.0=568608671756:region=eu-west-1": "ami-085252d6cf1b51097",
+	"cloudfront-prefix-list:account=992382568770:region=eu-west-1": "pl-4fa04526"
 }

cloud/lib/api-stack.ts

@@ -70,9 +70,11 @@ export class ApiStack extends Stack {
 			directory: join(__dirname, '../../backend/'),
 		});
 
-		// TODO Look into IPv6 Routing, so no need for NAT Gateway or Instance!
+		// Look into IPv6 Routing, so no need for NAT Instance:
 		// https://www.turbogeek.co.uk/aws-cdk-ipv6-v/
 		// https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html
+		// NOTE: api.openai.com does not have an IPv6 address yet :(
+		// https://community.openai.com/t/ipv6-address-for-api-openai-com/339025
 
 		// AMI courtesy of fck-nat: https://fck-nat.dev/stable/deploying/#cdk
 		const natGatewayProvider = NatInstanceProviderV2.instanceV2({
@@ -175,7 +177,11 @@ export class ApiStack extends Stack {
 			priority: 1,
 		});
 		listener.connections.allowDefaultPortFrom(
-			Peer.prefixList('pl-fab65393'),
+			Peer.prefixList(
+				this.node.tryGetContext(
+					`cloudfront-prefix-list:account=${env.account}:region=${region}`
+				) as string
+			),
 			'Allow incoming traffic only from CloudFront'
 		);
 

cloud/lib/auth-stack.ts

@@ -10,6 +10,7 @@ import {
 import { StringParameter } from 'aws-cdk-lib/aws-ssm';
 import { CfnOutput, Duration, RemovalPolicy, Stack, StackProps, Tags } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
+import { randomUUID } from 'node:crypto';
 
 import { appName, resourceId, stageName } from './resourceNamingUtils';
 
@@ -19,7 +20,7 @@ type AuthStackProps = StackProps & {
 
 export class AuthStack extends Stack {
 	public readonly customAuthHeaderName = 'X-Origin-Verified';
-	public readonly customAuthHeaderValue = 'todo-generate-uuid-in-pipeline';
+	public readonly customAuthHeaderValue: string;
 	public readonly parameterNameUserPoolId: string;
 	public readonly parameterNameUserPoolClient: string;
 	public readonly userPoolId: CfnOutput;
@@ -37,6 +38,9 @@ export class AuthStack extends Stack {
 			throw new Error('Region not defined in stack env, cannot continue!');
 		}
 
+		// Regenerated each time we deploy the stacks:
+		this.customAuthHeaderValue = randomUUID();
+
 		/*
 		User Pool - including attribute claims and password policy
 		*/

cloud/lib/lambdas/verifyAuth/index.ts

@@ -6,6 +6,7 @@ import type {
 	CognitoVerifyProperties,
 	CognitoJwtVerifierSingleUserPool,
 } from 'aws-jwt-verify/cognito-verifier';
+import type { CognitoAccessTokenPayload } from 'aws-jwt-verify/jwt-model';
 import type { CloudFrontRequestEvent, CloudFrontResponse } from 'aws-lambda';
 
 // Leave these alone! They are replaced verbatim by esbuild, see ui-stack
@@ -98,9 +99,16 @@ export const handler = async (event: CloudFrontRequestEvent) => {
 	}
 
 	try {
-		// Maybe change to using cookie for tokens?
-		const accessToken = request.headers.authorization[0].value;
-		await verifier.verify(accessToken, {} as CognitoVerifyProperties);
+		const accessToken = request.headers.authorization[0]?.value;
+		if (!accessToken) return unauthorizedResponse;
+
+		const jwt = (await verifier.verify(accessToken, {
+			tokenUse: 'access',
+		} as CognitoVerifyProperties)) as CognitoAccessTokenPayload;
+		// Maybe insert custom header for username? We could then log that at ALB,
+		// and generate metrics for user access.
+		console.log(`Access verified for [${jwt.username}]`);
+
 		return request;
 	} catch (err: unknown) {
 		console.log('Unable to verify access token', err);

cloud/package.json

@@ -6,16 +6,18 @@
 	},
 	"scripts": {
 		"cdk:synth": "cdk synth -q \"*\"",
-		"cdk:synth:prod": "cdk synth --context STAGE=prod -q \"*\"",
+		"cdk:synth:prod": "cdk synth --context STAGE=prod",
 		"cdk:diff": "cdk diff --app cdk.out",
 		"cdk:deploy": "cdk deploy --app cdk.out",
 		"cdk:deploy:all": "cdk deploy --app cdk.out --all",
 		"cdk:destroy": "cdk destroy --app cdk.out",
 		"cdk:destroy:all": "cdk destroy --app cdk.out --all",
 		"cdk:clean": "rimraf cdk.out",
 		"cdk:test:synth": "cdk synth -o cdk.test.out -a \"npx ts-node --prefer-ts-exts -r dotenv/config bin/application.ts\"",
-		"cdk:test:deploy": "cdk deploy --app cdk.test.out --all",
-		"cdk:test:destroy": "cdk destroy --app cdk.test.out --all",
+		"cdk:test:deploy": "cdk deploy --app cdk.test.out",
+		"cdk:test:deploy:all": "cdk deploy --app cdk.test.out --all",
+		"cdk:test:destroy": "cdk destroy --app cdk.test.out",
+		"cdk:test:destroy:all": "cdk destroy --app cdk.test.out --all",
 		"cdk:test:clean": "rimraf cdk.test.out",
 		"codecheck": "concurrently \"npm run lint:check\" \"npm run format:check\"",
 		"format": "prettier . --write",