Closed trevorrea closed 2 years ago
Hi Trevor,
Thanks for your interest and for creating this issue/PR. I can see use cases where what you describe would be useful.
However, I am not entirely convinced whether it has its place inside this package. The logic you describe can be performed outside of the Authenticator.handle
function by implementing the Lambda@Edge function like so.
const { Authenticator } = require('cognito-at-edge');
// Put any IPs (or CIDR blocks) in this array
const IP_ALLOWLIST = [];
const authenticator = new Authenticator({
// Replace these parameter values with those of your own environment
region: 'us-east-1', // user pool region
userPoolId: 'us-east-1_tyo1a1FHH', // user pool ID
userPoolAppId: '63gcbm2jmskokurt5ku9fhejc6', // user pool app client ID
userPoolDomain: 'domain.auth.us-east-1.amazoncognito.com', // user pool domain
});
exports.handler = async (request) => {
if (IP_ALLOWLIST.length) {
// IP matching logic goes here
// return request if match is found
// otherwise continue
}
return authenticator.handle(request);
}
Still, I will be leaving this issue open for a while to evaluate if there is interest for it. +1s are welcome!
Regards, Jean
Hi Jean,
Yep you're right. I told you I wasn't a dev :)
I did try what you said originally and couldn't quite work it out. But based on what you've said I've put together:-
const { Authenticator } = require('cognito-at-edge');
const ipAllowList = [];
const authenticator = new Authenticator({
cookieExpirationDays: 365,
disableCookieDomain: false,
logLevel: 'debug',
region: 'eu-west-2',
userPoolAppId: '<placeholder>',
userPoolAppSecret: '<placeholder>',
userPoolDomain: '<placeholder>',
userPoolId: '<placeholder>'
});
exports.handler = async (request) => {
if (ipAllowList.length) {
const clientIP = request.Records[0].cf.request.clientIp;
for (let i = 0; i < ipAllowList.length; i++) {
if (clientIP == ipAllowList[i]) {
return request.Records[0].cf.request;
}
}
}
return authenticator.handle(request);
}
which works locally when testing with https://www.npmjs.com/package/lambda-local
Not 100% sure why I have to do return authenticator.handle(request); but without that the Lambda executes but doesn't return any result.
I'm off to actually test it in CloudFront now and will be back. Thanks for your help. I'll close this one and maybe open an MR with this added to the README
You are right, I forgot to the return authenticator.handle(request)
in the sample code I gave you. This is needed because the Lambda@Edge response replaces the original request. If the response is empty...
What would you like to be added:
Functionality to configure an allow list to bypass Cognito authentication
Why is this needed:
It's a useful feature :)
See https://github.com/awslabs/cognito-at-edge/pull/16