
Commit b375cd8

CCM-11220: fix download authorizer cis2 (#568)
1 parent 0ffd3b8 commit b375cd8


2 files changed

+49
-16
lines changed


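--- a/lambdas/download-authorizer/src/__tests__/index.test.ts
+++ b/lambdas/download-authorizer/src/__tests__/index.test.ts
@@ -61,14 +61,18 @@ function makeEvent(
 describe('download authorizer handler', () => {
 test('returns request, when request is valid', async () => {
 const subject = 'F3FE88F4-4E9E-41EB-BF1E-DC299911968B';
+const userName = 'CIS2_555555555555';
 
 lambdaCognitoAuthorizer.authorize.mockResolvedValue({
 success: true,
 subject,
 });
 
 const uri = `/${subject}/template-id/proof1.pdf`;
-const cookie = `CognitoIdentityServiceProvider.${userPoolClientId}.${subject}.accessToken=jwt`;
+const cookie = [
+`CognitoIdentityServiceProvider.${userPoolClientId}.${userName}.accessToken=jwt`,
+`CognitoIdentityServiceProvider.${userPoolClientId}.LastAuthUser=${userName}`,
+].join('; ');
 
 const event = mock<CloudFrontRequestEvent>(makeEvent(uri, cookie));
 
@@ -86,10 +90,35 @@ describe('download authorizer handler', () => {
 );
 });
 
+test('returns denial if no access token is available for the LastAuthUser', async () => {
+const subject = 'F3FE88F4-4E9E-41EB-BF1E-DC299911968B';
+const userName = 'CIS2_555555555555';
+
+lambdaCognitoAuthorizer.authorize.mockResolvedValue({
+success: true,
+subject,
+});
+
+const uri = `/${subject}/template-id/proof1.pdf`;
+const cookie = [
+`CognitoIdentityServiceProvider.${userPoolClientId}.anotheruser.accessToken=jwt`,
+`CognitoIdentityServiceProvider.${userPoolClientId}.LastAuthUser=${userName}`,
+].join('; ');
+
+const event = mock<CloudFrontRequestEvent>(makeEvent(uri, cookie));
+
+const res = await handler(event);
+
+expect(res).toEqual(denial);
+expect(mockLogger.warn).toHaveBeenCalledWith('Cookie is missing');
+
+expect(lambdaCognitoAuthorizer.authorize).not.toHaveBeenCalled();
+});
+
 test('returns denial if cognito configuration is not present in custom headers', async () => {
 const uri = '/subject/template-id/proof1.pdf';
 const cookie =
-'CognitoIdentityServiceProvider.user-pool-client-id.subject.accessToken=jwt';
+'CognitoIdentityServiceProvider.pool.username.accessToken=jwt; CognitoIdentityServiceProvider.pool.LastAuthUser=username;';
 
 const event = mock<CloudFrontRequestEvent>(
 makeEvent(uri, cookie, {
@@ -122,7 +151,12 @@ describe('download authorizer handler', () => {
 
 test('returns denial if authorization fails', async () => {
 const uri = '/subject/template-id/proof1.pdf';
-const cookie = `CognitoIdentityServiceProvider.${userPoolClientId}.subject.accessToken=jwt`;
+const userName = 'CIS2-int_555555555555';
+
+const cookie = [
+`CognitoIdentityServiceProvider.${userPoolClientId}.${userName}.accessToken=jwt`,
+`CognitoIdentityServiceProvider.${userPoolClientId}.LastAuthUser=${userName}`,
+].join('; ');
 
 lambdaCognitoAuthorizer.authorize.mockResolvedValue({
 success: false,
@@ -151,6 +185,6 @@ describe('parseRequest', () => {
 makeEvent('/subject/file.txt', undefined).Records[0].cf.request
 );
 
-expect(parseRequest(request).authorizationToken).toBe(undefined);
+expect(parseRequest(request).accessToken).toBe(undefined);
 });
 });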
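Review bot: The new test in the second hunk covers a `LastAuthUser` cookie that names a user without a token, but no test sends an access-token cookie with no `LastAuthUser` cookie at all, which is exactly the shape the old per-owner key accepted and the new lookup now resolves to an `undefined` user; a case along the lines below would pin that the handler still denies and never reaches `authorize`. The `describe` block this hunk sits in continues outside the hunk.
```typescript
test('returns denial if the LastAuthUser cookie is absent', async () => {
  const uri = '/subject/template-id/proof1.pdf';
  const cookie = `CognitoIdentityServiceProvider.${userPoolClientId}.username.accessToken=jwt`;

  const event = mock<CloudFrontRequestEvent>(makeEvent(uri, cookie));

  expect(await handler(event)).toEqual(denial);
  expect(mockLogger.warn).toHaveBeenCalledWith('Cookie is missing');
  expect(lambdaCognitoAuthorizer.authorize).not.toHaveBeenCalled();
});
```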

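--- a/lambdas/download-authorizer/src/index.ts
+++ b/lambdas/download-authorizer/src/index.ts
@@ -21,35 +21,34 @@ export function parseRequest(request: CloudFrontRequest) {
 const userPoolId = customHeaders?.['x-user-pool-id']?.[0]?.value;
 const userPoolClientId = customHeaders?.['x-user-pool-client-id']?.[0]?.value;
 
-const accessTokenKey = `CognitoIdentityServiceProvider.${userPoolClientId}.${ownerPathComponent}.accessToken`;
-
 const cookies = parseCookie(request.headers.cookie?.[0]?.value ?? '');
-const authorizationToken = cookies[accessTokenKey];
+
+const poolScope = `CognitoIdentityServiceProvider.${userPoolClientId}`;
+
+const lastAuthUser = cookies[`${poolScope}.LastAuthUser`];
+
+const accessToken = cookies[`${poolScope}.${lastAuthUser}.accessToken`];
 
 return {
 userPoolId,
 userPoolClientId,
-authorizationToken,
+accessToken,
 ownerPathComponent,
 };
 }
 
 export const handler = async (event: CloudFrontRequestEvent) => {
 const { request } = event.Records[0].cf;
 
-const {
-userPoolId,
-userPoolClientId,
-authorizationToken,
-ownerPathComponent,
-} = parseRequest(request);
+const { userPoolId, userPoolClientId, accessToken, ownerPathComponent } =
+parseRequest(request);
 
 if (!userPoolId || !userPoolClientId) {
 logger.error('Lambda misconfiguration');
 return denial;
 }
 
-if (!authorizationToken) {
+if (!accessToken) {
 logger.warn('Cookie is missing');
 return denial;
 }
@@ -59,7 +58,7 @@ export const handler = async (event: CloudFrontRequestEvent) => {
 const authResult = await authorizer.authorize(
 userPoolId,
 userPoolClientId,
-authorizationToken,
+accessToken,
 ownerPathComponent
 );
 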
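Review bot: The `accessToken` lookup in parseRequest now keys the cookie by the client-supplied `LastAuthUser` value instead of `ownerPathComponent`, so the cookie no longer ties the presented token to the owner named in the request path and that binding rests entirely on `authorizer.authorize` checking the token's subject against `ownerPathComponent`, which this hunk does not show; a comment at the lookup would make that contract explicit, e.g. `// Key is chosen by the client-controlled LastAuthUser cookie; the token is only trusted once authorize has verified it and matched its subject to ownerPathComponent.` Both `lastAuthUser` and the token are unauthenticated input at this point, so nothing parseRequest returns should be treated as an identity before `authorize` succeeds. When the `LastAuthUser` cookie is absent the key degrades to `...undefined.accessToken` and the handler logs the generic 'Cookie is missing'; returning `lastAuthUser` from parseRequest and warning with `lastAuthUser ? 'Cookie is missing' : 'LastAuthUser cookie is missing'` would make denials easier to triage without changing the outcome. parseRequest's body begins before this hunk.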