almamedia / il-auth-at-edge Goto Github PK

Instead (or in addition to) of S3-distributed html page, provide a Lambda function that can be attached to Cloudfront (or later, ALB)

The Lambda function should:

• Be able to handle both cloudfront's and ALB's requests and responses
• Deliver to viewer's browser a simple page that parses Cognito's tokens from browser's location bar (they're coded to fragment part of the login return url which is not available server side)
  • The page should redirect to requested website's root OR arbitrary path if it can be somehow provided.

Changes to existing auth lambda function:

• Somehow find out which redirect url to pass to Cognito (hardcoded to https:///il-auth-at-edge/signin/index.html ATM). This must be URL recognized by Cognito User pool (maybe dig out a list from there and decide based on request hostname?)
• Somehow pass the original requested URL through Cognito to token capture function for redirect after token capture

Cookie parsing in Lambda is ugly, use some library

The last cloudformation template fails with the following error:
UserPoolAndClient CREATE_FAILED Custom Resource failed to stabilize in expected time

Here is the log:

il-auth-at-edge
20 May 2019 14:26:06 CognitoUserPool CREATE_FAILED Embedded stack arn:aws:cloudformation:us-east-1:AWS_ACCOUNTID:stack/il-auth-at-edge-CognitoUserPool-14B6JQSBZT49N/56e94530-7b02-11e9-8f85-0a33c80c982c was not successfully created: The following resource(s) failed to create: [UserPoolAndClient].

il-auth-at-edge-CognitoUserPool-14B6JQSBZT49N
20 May 2019 14:23:31 il-auth-at-edge-CognitoUserPool-14B6JQSBZT49N CREATE_FAILED The following resource(s) failed to create: [UserPoolAndClient].
20 May 2019 14:23:27 UserPoolAndClient CREATE_FAILED Custom Resource failed to stabilize in expected time

Include a file containing texts for Cognito's emails and SMSs (account verification etc.) in lambda deploy package and read them tehre when creating / updating userpool.

Capture also refresh token in token capture page and store it clientside (localstorage?).

Check access token expiration in auth lambda, redirect to a new page that refreshes tokens an sets new cookies & local storage.

Cognito's keys and client id are hardcoded to auth lambda deployment package by extracting the package, modifying the source code and repackaging, which is hideous.

Make Lambda fetch these on startup using AWS SDK. Make sure it has suitable policy to do this.

Application's Cloudformation stacks rely heavily on lambda-backed custom resources. These should be fixed to be properly updatable so that:

• Lambda functions are updated, not recreated when code or resource properties change.
• Cognito userpool, client and domain are updated, not recreated, when properties are changed