Added Token Validations

[noah-paige]

Feature or Bugfix

• Bugfix

Detail

• This PR does the following w.r.t Cognito IdP and Auth Flow
  • Changes Authorizer from built-in Cognito Authorizer to Custom Authorizer to validate token signature, issuer, and expiry time, etc.
  • Adds aditional step to execute GET API on Cognito's /oauth/userInfo/ endpoint to ensure access Token validity

Allows data.all API request to execute if the above criteria are met

Relates

Security

Please answer the questions below briefly where applicable, or write N/A. Based on OWASP 10.

• Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  • Is the input sanitized?
  • What precautions are you taking before deserializing the data you consume?
  • Is injection prevented by parametrizing queries?
  • Have you ensured no eval or similar functions are used?
• Does this PR introduce any functionality or component that requires authorization?
  • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  • Are you logging failed auth attempts?
• Are you using or adding any cryptographic features?
  • Do you use a standard proven implementations?
  • Are the used keys controlled by the customer? Where are they stored?
• Are you introducing any new policies/roles/users?
  • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[noah-paige]

Testing Completed:

• [x] CodePipeline Deploys Successfully (for Cognito Auth with already existing data.all instance - i.e. UPDATE)
• [x] Login + Store Access Token
• [x] Run data.all Operation (GraphQL endpoint)
• [x] Run Catalog Search (ESProxy endpoint)
• [x] SignOut (clear tokens)
• [x] ReAuth Workflow Successfuly (for query)
• [x] ReAuth Workflow Successfuly (for mutation)
• [x] User removed (or disabled) from Cognito IdP --> User no longer can perform actions on data.all UI immediately (note: at most have additional access up to TTL of cached custom authorizer response)

Custom Auth Checks:

• [x] Proper Access and Id JWT - Checks Pass (Cognito)

• [x] Exceptions Raised and Request Denied For

  • [x] Malformed JWT
  • [x] No JWT Provided
  • [x] Wrong Issuer
  • [x] Wrong Audience
  • [x] User Disabled

• [x] Proper Access and Id JWT - Checks Pass (Okta)

• [x] Exceptions Raised and Request Denied For

  • [x] Malformed JWT
  • [x] No JWT Provided
  • [x] Wrong Issuer
  • [x] Wrong Audience
  • [x] User Deactivated