This work adds authentication to the backend. Rather more complex than the simple authorization function you can use with API Gateway, this instead uses:
- A CloudFront edge function to validate the auth token in a request and add a custom header to the origin request to the load balancer only if it is valid (else return a fixed 401 response)
- A filter on the load balancer to allow requests to continue only if the custom header is present (else return a fixed 403 response)
- An additional prefix list to allow only traffic from CloudFront to reach the load balancer
Also fixes a case-sensitivity problem that caused React DocViewer to invoke a HEAD request for our documents even though the file type is already known.
Resolves #808
Concerns
Lambda@Edge Functions have no free tier, so every request is going to cost us (though only a fraction of a cent). The limiting factor that means we cannot use a cheaper, lightweight CloudFront Function is the time it takes to fetch the JWKS on first usage (cold start). If we can run deployment via CodePipeline, we might be able to download the JWKS from Cognito in the build, and inject that into a CloudFront Function, for a super-fast verification process.
Checklist
Have you done the following?