Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

808: Authenticate backend via cloudfront function #904

Merged
merged 16 commits into from
Apr 25, 2024
Merged

808: Authenticate backend via cloudfront function #904

merged 16 commits into from
Apr 25, 2024

Conversation

chriswilty
Copy link
Member

@chriswilty chriswilty commented Apr 24, 2024
edited
Loading

Description

This work adds authentication to the backend. Rather more complex than the simple authorization function you can use with API Gateway, this instead uses:

  • CloudFront edge function to validate the auth token in a request, and add a custom header to the origin request to the load balancer only if valid (else return a fixed 401 response)
  • Filter on load balancer to allow requests to continue only if the custom header is present (else return a fixed 403 response)
  • Additional prefix list to allow only traffic from CloudFront to reach the load balancer

Also fixes a case-sensitivity problem that caused React DocViewer to invoke a HEAD request even though file type is already known, for our documents.

Resolves #808

Concerns

Lambda@Edge Functions have no free tier, so every request is going to cost us (though only a fraction of a cent). The limiting factor meaning we cannot use a cheaper, lightweight Cloudfront Function is the time it takes to fetch the JWKS on first usage (cold start). If we can run deployment via CodePipeline, we might be able to download the JWKS from cognito in the build, and inject that into a Cloudfront Function, for a super-fast verification process.

Checklist

Have you done the following?

  • Linked the relevant Issue
  • Added tests
  • Ensured the workflow steps are passing

@chriswilty chriswilty self-assigned this Apr 24, 2024
@chriswilty chriswilty force-pushed the 808-authenticate-backend branch 2 times, most recently from b558eea to 296cead Compare April 25, 2024 12:58
@chriswilty chriswilty merged commit 673d4fe into feature/aws-cloud-infrastructure Apr 25, 2024
5 checks passed
@chriswilty chriswilty deleted the 808-authenticate-backend branch April 25, 2024 13:32
chriswilty added a commit that referenced this pull request Apr 25, 2024
@chriswilty
808: Authenticate backend via cloudfront function (#904)
42ff87e 
* Prevent unauthorized API access using a CloudFront proxy
* Make UI auth opt-in
* Correct document loading and cache control
chriswilty added a commit that referenced this pull request Apr 29, 2024
@chriswilty
808: Authenticate backend via cloudfront function (#904)
f1218ef 
* Prevent unauthorized API access using a CloudFront proxy
* Make UI auth opt-in
* Correct document loading and cache control
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@chriswilty chriswilty

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@chriswilty