cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License

feat: add expiring JWT to enforce frontend login #317

Closed patheard closed 1 year ago

patheard commented 1 year ago

Summary

Add a JWT with a 5-minute expiry to prevent login replay attacks and prevent direct API requests to login through fuzzing attacks.

This will force all login requests to come through the frontend and ensure they only have a 5-minute window to enter their email address.
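The mechanism the summary describes, as an added example that is not the project's code: the frontend mints an HS256 JWT whose `exp` claim is five minutes out, and the API's login endpoint accepts a request only if the token's signature verifies and the clock has not passed `exp`. The secret is passed in as bytes and stands in for the value of the `login_token_salt` SSM parameter the plan creates; the `iss`/`aud` claim values and every function name here are this example's own assumptions, and only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Five-minute window, matching the expiry the pull request describes.
TOKEN_TTL_SECONDS = 5 * 60


def b64url_encode(data: bytes) -> str:
    """JWT segments are unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding base64url strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign(secret: bytes, signing_input: str) -> bytes:
    """HS256: HMAC-SHA256 over 'header.payload'."""
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_login_token(secret: bytes, now: Optional[int] = None) -> str:
    """Frontend side: issue the short-lived token the login endpoint requires.

    `secret` stands in for the `login_token_salt` SecureString parameter from the
    plan output; fetching it from SSM is outside this example.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # iss/aud are this example's own assumptions, not claims from the PR.
    claims = {"iss": "frontend", "aud": "login", "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    return signing_input + "." + b64url_encode(sign(secret, signing_input))


def verify_login_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """API side: return the claims if the token is genuine and unexpired, else None.

    Every rejection returns None rather than raising, so the caller can map all
    failures to one generic 401 and leak nothing about which check failed.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        given_sig = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token's own "alg" never selects the verifier.
    if header.get("alg") != "HS256":
        return None
    expected_sig = sign(secret, parts[0] + "." + parts[1])
    if not hmac.compare_digest(expected_sig, given_sig):
        return None
    if claims.get("iss") != "frontend" or claims.get("aud") != "login":
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # expired: the five-minute window has closed
    return claims
```

The expiry bounds the replay window rather than closing it: a token captured inside the five minutes still verifies until `exp`, so the verifier also pins the algorithm and checks issuer and audience, and the login endpoint should keep whatever other controls it already has.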

github-actions[bot] commented 1 year ago

Staging: backup_plan

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|---------------------------------------|
| update | `aws_backup_plan.backup_plan_default` |

Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_backup_plan.backup_plan_default will be updated in-place
  ~ resource "aws_backup_plan" "backup_plan_default" {
        id   = "b2961664-b64d-4963-b30e-35cfe6e6c8af"
        name = "backup_plan_default"
        tags = {
            "CostCentre" = "url-shortener-staging"
            "Terraform"  = "true"
        }
        # (3 unchanged attributes hidden)

      - rule {
          - completion_window        = 180 -> null
          - enable_continuous_backup = false -> null
          - recovery_point_tags      = {} -> null
          - rule_name                = "backup_rule_default" -> null
          - schedule                 = "cron(0 12 * * ? *)" -> null
          - start_window             = 60 -> null
          - target_vault_name        = "vault" -> null

          - lifecycle {
              - cold_storage_after = 30 -> null
              - delete_after       = 120 -> null
            }
        }
      + rule {
          + completion_window        = 180
          + enable_continuous_backup = false
          + rule_name                = "backup_rule_default"
          + schedule                 = "cron(0 12 * * ? *)"
          + start_window             = 60
          + target_vault_name        = "vault"

          + lifecycle {
              + cold_storage_after = 7
              + delete_after       = 14
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...
```

Show Conftest results

```sh
18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 1 year ago

Staging: api

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 1 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|----------------------------------------------------------|
| update | `module.url_shortener_lambda.aws_iam_policy.policies[0]` |
| add    | `aws_ssm_parameter.login_token_salt`                     |

Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.api_policies will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "api_policies" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "dynamodb:DeleteItem",
              + "dynamodb:DescribeTable",
              + "dynamodb:GetItem",
              + "dynamodb:PutItem",
              + "dynamodb:Query",
              + "dynamodb:UpdateItem",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:dynamodb:ca-central-1:843973686572:table/url_shortener",
              + "arn:aws:dynamodb:ca-central-1:843973686572:table/url_shortener/index/emailIndex",
            ]
        }
      + statement {
          + actions   = [
              + "ssm:GetParameters",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/auth_token_app",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/auth_token_notify",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/cloudfront_header",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/hashing_peppers",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/notify_api_key",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/notify_contact_email",
              + (known after apply),
            ]
        }
    }

  # aws_ssm_parameter.login_token_salt will be created
  + resource "aws_ssm_parameter" "login_token_salt" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = (known after apply)
      + name           = "login_token_salt"
      + tags           = {
          + "CostCentre" = "url-shortener-staging"
          + "Terraform"  = "true"
        }
      + tags_all       = {
          + "CostCentre" = "url-shortener-staging"
          + "Terraform"  = "true"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # module.url_shortener_lambda.aws_iam_policy.policies[0] will be updated in-place
  ~ resource "aws_iam_policy" "policies" {
        id     = "arn:aws:iam::843973686572:policy/url-shortener-api-0"
        name   = "url-shortener-api-0"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:Query",
                          - "dynamodb:PutItem",
                          - "dynamodb:GetItem",
                          - "dynamodb:DescribeTable",
                          - "dynamodb:DeleteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:dynamodb:ca-central-1:843973686572:table/url_shortener/index/emailIndex",
                          - "arn:aws:dynamodb:ca-central-1:843973686572:table/url_shortener",
                        ]
                      - Sid      = ""
                    },
                  - {
                      - Action   = "ssm:GetParameters"
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/notify_contact_email",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/notify_api_key",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/hashing_peppers",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/cloudfront_header",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/auth_token_notify",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/auth_token_app",
                        ]
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags   = {
            "CostCentre" = "url-shortener-staging"
            "Terraform"  = "true"
        }
        # (4 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```

Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_cloudwatch_log_group.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_policy.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_role.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder"]

21 tests, 17 passed, 4 warnings, 0 failures, 0 exceptions
```