fix download authgorizer cis2

alexnuttall · alexnuttall · commit 0ba2f80f4b75 · 2025-07-16T17:34:46.000+01:00
diff --git a/lambdas/download-authorizer/src/__tests__/index.test.ts b/lambdas/download-authorizer/src/__tests__/index.test.ts
@@ -68,7 +68,7 @@ describe('download authorizer handler', () => {
     });
 
     const uri = `/${subject}/template-id/proof1.pdf`;
-    const cookie = `CognitoIdentityServiceProvider.${userPoolClientId}.${subject}.accessToken=jwt`;
+    const cookie = `CognitoIdentityServiceProvider.${userPoolClientId}.CIS2_555328794105.accessToken=jwt`;
 
     const event = mock<CloudFrontRequestEvent>(makeEvent(uri, cookie));
 
@@ -89,7 +89,7 @@ describe('download authorizer handler', () => {
   test('returns denial if cognito configuration is not present in custom headers', async () => {
     const uri = '/subject/template-id/proof1.pdf';
     const cookie =
-      'CognitoIdentityServiceProvider.user-pool-client-id.subject.accessToken=jwt';
+      'CognitoIdentityServiceProvider.user-pool-client-id.CIS2-int_555328794105.accessToken=jwt';
 
     const event = mock<CloudFrontRequestEvent>(
       makeEvent(uri, cookie, {
@@ -122,7 +122,7 @@ describe('download authorizer handler', () => {
 
   test('returns denial if authorization fails', async () => {
     const uri = '/subject/template-id/proof1.pdf';
-    const cookie = `CognitoIdentityServiceProvider.${userPoolClientId}.subject.accessToken=jwt`;
+    const cookie = `CognitoIdentityServiceProvider.${userPoolClientId}.CIS2-int_555328794105.accessToken=jwt`;
 
     lambdaCognitoAuthorizer.authorize.mockResolvedValue({
       success: false,
diff --git a/lambdas/download-authorizer/src/index.ts b/lambdas/download-authorizer/src/index.ts
@@ -21,10 +21,19 @@ export function parseRequest(request: CloudFrontRequest) {
   const userPoolId = customHeaders?.['x-user-pool-id']?.[0]?.value;
   const userPoolClientId = customHeaders?.['x-user-pool-client-id']?.[0]?.value;
 
-  const accessTokenKey = `CognitoIdentityServiceProvider.${userPoolClientId}.${ownerPathComponent}.accessToken`;
-
   const cookies = parseCookie(request.headers.cookie?.[0]?.value ?? '');
-  const authorizationToken = cookies[accessTokenKey];
+
+  const authorizationTokenEntry = Object.entries(cookies).find(([k]) => {
+    const [serviceKey, userPoolClientIdKey, , credentialType] = k.split('.');
+
+    return (
+      serviceKey === 'CognitoIdentityServiceProvider' &&
+      userPoolClientIdKey === userPoolClientId &&
+      credentialType === 'accessToken'
+    );
+  });
+
+  const authorizationToken = authorizationTokenEntry?.[1];
 
   return {
     userPoolId,
