Use proxied auth endpoint for Cognito (#11387)

- Close https://github.com/enso-org/cloud-v2/issues/1552 - Switch to proxied endpoint for Cognito to enforce account lockout rate limits # Important Notes None
2025-01-03 14:04:44 +03:00 · 2024-11-21 01:54:48 +10:00 · 2024-11-21 01:54:48 +10:00 · d8330c9bc5
commit d8330c9bc5
parent b3588490db
4 changed files with 9 additions and 1 deletions
--- a/app/.example.env
+++ b/app/.example.env
@ -4,9 +4,10 @@ ENSO_CLOUD_API_URL=https://aaaaaaaaaa.execute-api.mars.amazonaws.com
 ENSO_CLOUD_CHAT_URL=wss://chat.example.com
 ENSO_CLOUD_SENTRY_DSN=https://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@o0000000000000000.ingest.sentry.io/0000000000000000
 ENSO_CLOUD_STRIPE_KEY=pk_test_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ENSO_CLOUD_AUTH_ENDPOINT=https://aaaaaaaaaa.execute-api.mars.amazonaws.com/path/to/auth/endpoint
 ENSO_CLOUD_AMPLIFY_USER_POOL_ID=mars_AAAAAAAAA
 ENSO_CLOUD_AMPLIFY_USER_POOL_WEB_CLIENT_ID=zzzzzzzzzzzzzzzzzzzzzzzzzz
 ENSO_CLOUD_AMPLIFY_DOMAIN=somewhere.auth.mars.amazoncognito.com
 ENSO_CLOUD_AMPLIFY_REGION=mars
 ENSO_POLYGLOT_YDOC_SERVER=false
-ENSO_YDOC_LS_DEBUG=false
+ENSO_YDOC_LS_DEBUG=false
--- a/app/common/src/appConfig.js
+++ b/app/common/src/appConfig.js
@ -94,6 +94,7 @@ export function getDefines() {
    'process.env.ENSO_CLOUD_SENTRY_DSN': stringify(process.env.ENSO_CLOUD_SENTRY_DSN),
    'process.env.ENSO_CLOUD_STRIPE_KEY': stringify(process.env.ENSO_CLOUD_STRIPE_KEY),
    'process.env.ENSO_CLOUD_CHAT_URL': stringify(process.env.ENSO_CLOUD_CHAT_URL),
+    'process.env.ENSO_CLOUD_AUTH_ENDPOINT': stringify(process.env.ENSO_CLOUD_AUTH_ENDPOINT),
    'process.env.ENSO_CLOUD_COGNITO_USER_POOL_ID': stringify(
      process.env.ENSO_CLOUD_COGNITO_USER_POOL_ID,
    ),
--- a/app/gui/env.d.ts
+++ b/app/gui/env.d.ts
@ -218,6 +218,8 @@ declare global {
      // @ts-expect-error The index signature is intentional to disallow unknown env vars.
      readonly ENSO_CLOUD_STRIPE_KEY?: string
      // @ts-expect-error The index signature is intentional to disallow unknown env vars.
+      readonly ENSO_CLOUD_AUTH_ENDPOINT: string
+      // @ts-expect-error The index signature is intentional to disallow unknown env vars.
      readonly ENSO_CLOUD_COGNITO_USER_POOL_ID: string
      // @ts-expect-error The index signature is intentional to disallow unknown env vars.
      readonly ENSO_CLOUD_COGNITO_USER_POOL_WEB_CLIENT_ID: string
--- a/app/gui/src/dashboard/authentication/service.ts
+++ b/app/gui/src/dashboard/authentication/service.ts
@ -33,6 +33,7 @@ import * as listen from '#/authentication/listen'
 */
 export interface AmplifyConfig {
  readonly region: string
+  readonly endpoint: string
  readonly userPoolId: string
  readonly userPoolWebClientId: string
  readonly urlOpener: ((url: string, redirectUrl: string) => void) | null
@ -66,6 +67,7 @@ interface OauthAmplifyConfig {
 /** Same as {@link AmplifyConfig}, but in a format recognized by the AWS Amplify library. */
 export interface NestedAmplifyConfig {
  readonly region: string
+  readonly endpoint: string
  readonly userPoolId: string
  readonly userPoolWebClientId: string
  readonly oauth: OauthAmplifyConfig
@ -80,6 +82,7 @@ export interface NestedAmplifyConfig {
 export function toNestedAmplifyConfig(config: AmplifyConfig): NestedAmplifyConfig {
  return {
    region: config.region,
+    endpoint: config.endpoint,
    userPoolId: config.userPoolId,
    userPoolWebClientId: config.userPoolWebClientId,
    oauth: {
@ -183,6 +186,7 @@ function loadAmplifyConfig(
  /** Load the platform-specific Amplify configuration. */
  const signInOutRedirect = supportsDeepLinks ? `${common.DEEP_LINK_SCHEME}://auth` : redirectUrl
  return {
+    endpoint: process.env.ENSO_CLOUD_AUTH_ENDPOINT,
    userPoolId: process.env.ENSO_CLOUD_COGNITO_USER_POOL_ID,
    userPoolWebClientId: process.env.ENSO_CLOUD_COGNITO_USER_POOL_WEB_CLIENT_ID,
    domain: process.env.ENSO_CLOUD_COGNITO_DOMAIN,