This is a basic JWT authentication flow for interfacing with WS2.
Created a JWT secret and stored it in AWS Secrets Manager.
User enters orderId, dob and postcode -> hits our new /authenticate endpoint -> this (fake) sends a request to whatever third party endpoint. If successful, we generate a JWT which encodes the user's orderId, sign it with the above secret and return it to the user to store in cookies.
All subsequent requests hit our authorizer lambda, which verifies the token and extracts the principal (order) Id and passes it to our other functions.
NOTE: Currently the mock WS2 endpoint will always return a successful authentication.
Still to do: Handle unauthorized errors / expired tokens, add throttling or max attempts to login (preference would be throttling).