NASA-IMPACT / veda-backend

Backend services for VEDA

Implement ingest-api auth login from swagger #347

Open anayeaye opened 3 months ago

anayeaye commented 3 months ago

What

Currently administrators must manually post a username and password to a token endpoint and copy and paste the token from the response for ingest operations. Update this auth flow to follow the more standard pattern: redirect to the auth provider for secure username and password form entry, then redirect back to the swagger docs.

AC

anayeaye commented 2 months ago

UPDATE

Working: the feature/ingest_api/docs-auth-flow branch now

  1. collects the cognito domain from the environment (this is the pattern expected for veda-deploy, which reads the cognito programmatic client secret and exports it to the runner environment)
  2. infers the authorization and token urls from that cognito domain
  3. if the user pool is manually updated with the ingest API url, then when a user clicks the authorize button in the swagger docs they are redirected temporarily to the cognito hosted UI to provide username and password and then directed back to the docs.

Needs work: I put some time into programmatically updating the user pool client's hosted UI to add the ingest-api docs callback url using a custom resource + AwsSdkCall. I have backed these changes out to reconsider the approach.

References:

  - Issue comment that inspired the spike
  - AWS Custom Resources SdkCall
  - Update user pool client docs

This snippet adds the desired callback url but stomps the rest of the hosted ui configuration, including existing callback urls.

from aws_cdk import Stack
from aws_cdk import custom_resources as cr

# Append api to cognito client allowed callback urls with an AwsSdkCall.
# Runs inside the ingest-api construct: self.api (the API Gateway API) and
# config (user pool id + client id) are in scope there.
stack_name = Stack.of(self).stack_name
oauth_redirect_url = f"{self.api.url.rstrip('/')}/docs/oauth2-redirect"
callback_urls = [oauth_redirect_url]

# UpdateUserPoolClient is a full replacement: only the parameters sent here survive,
# which is why this call wipes the rest of the hosted UI configuration.
update_call = cr.AwsSdkCall(
    service="@aws-sdk/client-cognito-identity-provider",
    action="UpdateUserPoolClientCommand",
    parameters={
        "UserPoolId": config.userpool_id,
        "ClientId": config.client_id,
        "CallbackURLs": callback_urls,
    },
    physical_resource_id=cr.PhysicalResourceId.from_response("UserPoolClient.ClientId"),
)
cr.AwsCustomResource(
    self,
    id="UpdateClientCallbackUrls",
    function_name=f"{stack_name}-UpdateClientCallbackUrls",
    # ANY_RESOURCE grants cognito-idp:UpdateUserPoolClient on every pool in the
    # account; scope it to the target user pool ARN outside of a spike.
    policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
        resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE
    ),
    on_create=update_call,
    on_update=update_call,
)

These important configs for the Hosted UI get wiped out by the above AwsSdkCall:

  - Identity providers: Cognito user pool directory
  - OAuth grant types: Authorization code grant
  - OpenID Connect scopes: aws.cognito.signin.user.admin, email, openid, phone, profile
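The reason the snippet above stomps the hosted UI settings is that UpdateUserPoolClient replaces the client's whole mutable configuration: any attribute omitted from the request is reset to its default. The following is an added example, not code from this issue or from veda-backend, showing the read-merge-write that avoids this: describe the client, copy every hosted UI field forward, append the new callback URL, then update. The pool id, client id, URLs and the sample client dict are constructed; the list of preserved field names is an assumption drawn from the DescribeUserPoolClient output shape.

```python
"""Read-merge-write for Cognito callback URLs.

UpdateUserPoolClient replaces the whole mutable configuration: any attribute left out of
the call is reset to its default, which is why sending only CallbackURLs wipes the identity
providers, OAuth grant types and scopes. Describe the client first, copy every hosted UI
field forward, append the new URL, then update.

Added example, not veda-backend code. The pool/client ids, URLs and the sample client
below are constructed.
"""
from typing import Any, Dict
from urllib.parse import urlsplit

# DescribeUserPoolClient output fields that UpdateUserPoolClient also accepts. Assumed to
# cover the hosted UI settings the issue lists; ClientSecret is read-only and is skipped.
PRESERVED_FIELDS = (
    "ClientName", "SupportedIdentityProviders", "AllowedOAuthFlows", "AllowedOAuthScopes",
    "AllowedOAuthFlowsUserPoolClient", "LogoutURLs", "DefaultRedirectURI", "ExplicitAuthFlows",
    "ReadAttributes", "WriteAttributes", "RefreshTokenValidity", "AccessTokenValidity",
    "IdTokenValidity", "TokenValidityUnits", "PreventUserExistenceErrors",
    "EnableTokenRevocation", "EnablePropagateAdditionalUserContextData", "AuthSessionValidity",
    "AnalyticsConfiguration",
)


def build_update_params(client: Dict[str, Any], new_callback_url: str) -> Dict[str, Any]:
    """Turn a DescribeUserPoolClient result into UpdateUserPoolClient kwargs that keep
    every existing setting and add one callback URL (idempotent if already present)."""
    parts = urlsplit(new_callback_url)
    # Cognito requires absolute https callback URLs (http only for localhost) with no fragment.
    if parts.scheme != "https" and not (parts.scheme == "http" and parts.hostname == "localhost"):
        raise ValueError(f"callback must be https (or http://localhost): {new_callback_url}")
    if parts.fragment:
        raise ValueError("callback URLs must not contain a fragment")
    params: Dict[str, Any] = {"UserPoolId": client["UserPoolId"], "ClientId": client["ClientId"]}
    for field in PRESERVED_FIELDS:
        if field in client:
            params[field] = client[field]
    urls = list(client.get("CallbackURLs", []))
    if new_callback_url not in urls:
        urls.append(new_callback_url)
    params["CallbackURLs"] = urls
    return params


def add_callback_url(user_pool_id: str, client_id: str, new_callback_url: str, cognito=None):
    """Apply the merge against a live pool. `cognito` is a boto3 cognito-idp client or any
    object with the same describe/update methods (FakeCognito below is used offline)."""
    if cognito is None:
        import boto3  # lazy: the pure helper above is usable without boto3 installed
        cognito = boto3.client("cognito-idp")
    current = cognito.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=client_id)
    params = build_update_params(current["UserPoolClient"], new_callback_url)
    return cognito.update_user_pool_client(**params)["UserPoolClient"]


# Constructed stand-in mirroring the settings the issue says get wiped.
SAMPLE_CLIENT = {
    "UserPoolId": "us-west-2_EXAMPLE", "ClientId": "exampleclientid", "ClientName": "ingest-api",
    "SupportedIdentityProviders": ["COGNITO"],
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["aws.cognito.signin.user.admin", "email", "openid", "phone", "profile"],
    "AllowedOAuthFlowsUserPoolClient": True,
    "CallbackURLs": ["https://veda.example/existing-callback"],
    "ClientSecret": "do-not-copy-forward",
}


class FakeCognito:
    """In-memory stand-in for boto3's cognito-idp client with Update's replace-all semantics."""

    def __init__(self, client: Dict[str, Any]):
        self.client = dict(client)

    def describe_user_pool_client(self, UserPoolId: str, ClientId: str) -> Dict[str, Any]:
        return {"UserPoolClient": dict(self.client)}

    def update_user_pool_client(self, **params) -> Dict[str, Any]:
        # Like the real API: fields absent from the request are dropped (reset to defaults).
        self.client = {"ClientSecret": self.client["ClientSecret"], **params}
        return {"UserPoolClient": dict(self.client)}


if __name__ == "__main__":
    new_url = "https://api.example/docs/oauth2-redirect"
    naive = FakeCognito(SAMPLE_CLIENT)
    naive.update_user_pool_client(UserPoolId="us-west-2_EXAMPLE", ClientId="exampleclientid",
                                  CallbackURLs=[new_url])
    print("naive update kept scopes:", "AllowedOAuthScopes" in naive.client)   # False
    merged = FakeCognito(SAMPLE_CLIENT)
    add_callback_url("us-west-2_EXAMPLE", "exampleclientid", new_url, merged)
    print("merged update kept scopes:", "AllowedOAuthScopes" in merged.client)  # True
```

An AwsSdkCall is declarative and cannot perform the describe step before the update, so this logic does not fit the custom resource shown above as-is; the options are a Lambda-backed custom resource that runs the merge, or managing the user pool client (and the complete list of its callback URLs) in one stack so nothing needs to be patched in place.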

anayeaye commented 2 months ago

https://github.com/NASA-IMPACT/veda-backend/pull/356