Add the GitHub OpenID Connect proxy for Cognito

Author: poad

.gitignore

@@ -1,104 +1,10 @@
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-node_modules/
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Microbundle cache
-.rpt2_cache/
-.rts2_cache_cjs/
-.rts2_cache_es/
-.rts2_cache_umd/
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
-# dotenv environment variables file
-.env
-.env.test
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# Next.js build output
-.next
-
-# Nuxt.js build / generate output
-.nuxt
-dist
-
-# Gatsby files
-.cache/
-# Comment in the public line in if your project uses Gatsby and *not* Next.js
-# https://nextjs.org/blog/next-9-1#public-directory-support
-# public
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
-
-# TernJS port file
-.tern-port
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+yarn-error.log
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+*.pem

.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

.vscode/settings.json

@@ -0,0 +1,11 @@
+{
+  "files.exclude": {
+    "amplify/.config": true,
+    "amplify/**/*-parameters.json": true,
+    "amplify/**/amplify.state": true,
+    "amplify/**/transform.conf.json": true,
+    "amplify/#current-cloud-backend": true,
+    "amplify/backend/amplify-meta.json": true,
+    "amplify/backend/awscloudformation": true
+  }
+}

bin/github-cognito-oidc-proxy.ts

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { GithubCognitoOidcProxyStack } from '../lib/github-cognito-oidc-proxy-stack';
+import { EnvironmentFile } from 'aws-cdk-lib/aws-ecs';
+
+const app = new cdk.App();
+const env = app.node.tryGetContext('env') as string;
+
+new GithubCognitoOidcProxyStack(app, `${env}-github-cognito-oidc-proxy-stack`, {
+  environment: env
+});

cdk.json

@@ -0,0 +1,43 @@
+{
+  "app": "rm -rf *.pem && yarn run -p create-keypair --bits 4096 jwtRS256 && npx ts-node --prefer-ts-exts bin/github-cognito-oidc-proxy.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "requireApproval": "never",
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}

lambda/authorize/index.ts

@@ -0,0 +1,12 @@
+import { Handler, APIGatewayProxyEventV2, APIGatewayProxyResultV2 } from 'aws-lambda';
+
+export const handler: Handler<APIGatewayProxyEventV2, APIGatewayProxyResultV2> = async (event, _context, _callback) => {
+  const { client_id, scope, state, response_type } = event.queryStringParameters || {};
+  const redirectUri = `https://github.com?client_id=${client_id}&scope=${encodeURIComponent(scope!)}&state=${state}&response_type=${response_type}`;
+
+  return {
+    cookies: [],
+    statusCode: 200,
+    headers: { Location: redirectUri },
+  };
+}

lambda/jwks/index.ts

@@ -0,0 +1,16 @@
+import { Handler, APIGatewayProxyEventV2, APIGatewayProxyResultV2 } from 'aws-lambda';
+import { pem2jwk } from 'pem-jwk';
+import * as fs from 'fs';
+
+export const handler: Handler<APIGatewayProxyEventV2, APIGatewayProxyResultV2> = async (event, _context, _callback) => {
+  const pem = fs.readFileSync('/var/task/jwtRS256.private.pem', 'ascii');
+  const jwk = pem2jwk(pem, {
+    alg: 'RS256',
+    kid: 'jwtRS256',
+  });
+  return {
+    cookies: [],
+    statusCode: 200,
+    body: JSON.stringify(jwk),
+  };
+}

lambda/token/index.ts

@@ -0,0 +1,55 @@
+import { Handler, APIGatewayProxyEventV2, APIGatewayProxyResultV2 } from 'aws-lambda';
+import fetch from 'cross-fetch';
+import { left, right, isRight } from 'fp-ts/Either'
+
+
+const eventToRequest = (source: string) => {
+  const bodyString = Buffer.from(source, 'base64').toString('ascii');
+  const body = new URLSearchParams(bodyString);
+  const paramNames =[ 'grant_type', 'redirect_uri', 'client_id', 'client_secret', 'code' ];
+
+  const invalidParams = paramNames.filter(name => !body.has(name));
+  if (invalidParams.length > 0) {
+    return right(() => `token request body ${invalidParams}`);
+  }
+
+  return left(() => ({
+    grant_type: body.get('grant_type')!,
+    redirect_uri: body.get('redirect_uri')!,
+    client_id: body.get('client_id')!,
+    client_secret: body.get('client_secret')!,
+    code: body.get('code')!,
+    state: body.get('state') ?? undefined,
+  }));
+}
+
+export const handler: Handler<APIGatewayProxyEventV2, APIGatewayProxyResultV2> = async (event, _context, _callback) => {
+  if (!event.body) {
+    return {
+      cookies: [],
+      statusCode: 400,
+    };
+  }
+  const result = eventToRequest(event.body);
+  if (isRight(result)) {
+    return {
+      cookies: [],
+      statusCode: 400,
+      body: result.right(),
+    };
+  }
+  const body = JSON.stringify(result.left());
+  const response = await fetch('https://github.com/login/oauth/access_token', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
+      'Accept': 'application/json'
+    },
+    body
+  });
+  return {
+    cookies: [],
+    statusCode: 200,
+    body: JSON.stringify(await response.json()),
+  };
+}

lambda/userinfo/index.ts

@@ -0,0 +1,109 @@
+import { Handler, APIGatewayProxyEventV2, APIGatewayProxyResultV2 } from 'aws-lambda';
+import fetch from 'cross-fetch';
+import { left, right, isRight, Either } from 'fp-ts/Either';
+
+interface Email {
+  email: string,
+  primary: boolean,
+  verified: boolean,
+  visibility?: 'private' | 'public'
+}
+
+const getUserId = async (token: string): Promise<Either<number, string>> => {
+  const response = await fetch('https://api.github.com/user', {
+    method: 'GET',
+    headers: {
+      'Accept': 'application/vnd.github+json',
+      'Authorization': `Bearer ${token}`
+    }
+  });
+  if (response.status !== 200) {
+    return right(`Cannot get user ID. status: ${response.statusText}. ${response.text()}`);
+  }
+  const id = ((await response.json()) as {
+    id: number,
+  }).id;
+
+  return left(id);
+}
+
+const getValidEmail = async (token: string): Promise<Either<Email, string>> => {
+  const response = await fetch('https://api.github.com/user/emails', {
+    method: 'GET',
+    headers: {
+      'Accept': 'application/vnd.github+json',
+      'Authorization': `Bearer ${token}`
+    }
+  });
+  if (response.status !== 200) {
+    return right(`Cannot get mails. status: ${response.statusText}. ${response.text()}`);
+  }
+  const emails = (await response.json()) as {
+    email: string,
+    primary: boolean,
+    verified: boolean,
+    visibility?: 'private' | 'public'
+  }[];
+
+  const email = emails.find(it => it.primary && it.verified && it.email.trim().endsWith('noreply.github.com'));
+  return email ? left(email) : right('/user/emails returned no valid emails');
+}
+
+export const handler: Handler<APIGatewayProxyEventV2, APIGatewayProxyResultV2> = async (event, _context, _callback) => {
+  const headers = event.headers;
+  const authHeader = headers['authorization'] || headers['Authorization'];
+  if (!authHeader) {
+    return {
+      cookies: [],
+      statusCode: 400,
+      body: '/userinfo request contained no accessToken',
+    };
+  }
+  const authHeaderPrefix = authHeader.slice(0, 'bearer '.length);
+  if (authHeaderPrefix.toLowerCase() !== 'bearer ') {
+    return {
+      cookies: [],
+      statusCode: 400,
+      body: 'authorization header does not contain bearer token',
+    };
+  }
+  const token = authHeader.slice('bearer '.length).trim();
+  if (!token) {
+    return {
+      cookies: [],
+      statusCode: 400,
+      body: 'authorization header does not contain bearer token',
+    };
+  }
+
+  const [idResult, emailResult] = await Promise.all([
+    getUserId(token),
+    getValidEmail(token)
+  ]);
+  if (isRight(idResult)) {
+    return {
+      cookies: [],
+      statusCode: 400,
+      body: `/userinfo ${idResult.right}`,
+    };
+  }
+  if (isRight(emailResult)) {
+    return {
+      cookies: [],
+      statusCode: 400,
+      body: `/userinfo ${emailResult.right}`,
+    };
+  }
+
+  const id = idResult.left;
+  const email = emailResult.left;
+  return {
+    cookies: [],
+    statusCode: 200,
+    body: JSON.stringify({
+      sub: id.toString(),
+      email: email.email,
+      email_verified: email.verified,
+    }),
+  }
+}