lambda-edge-auth/viewerRequest.js at master · crespowang/lambda-edge-auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
"use strict";
const jwt = require("jsonwebtoken");
const aws = require("aws-sdk");
const ssm = new aws.SSM({ region: "us-east-1" });
let secret;
const getSecret = async () => {
  const params = {
    Name: "/lambdaedge/jwt-secret",
    WithDecryption: true,
  };
  const secret = await ssm.getParameter(params).promise();
  return secret && secret.Parameter && secret.Parameter.Value;
};

exports.handler = async (event, context, callback) => {
  const request = event.Records[0].cf.request;
  const querystring = request.querystring;
  if (querystring) {
    const tokenMatch = querystring.match("token=([^&]+)");
    const token = tokenMatch[1];
    if (token) {
      try {
        if (!secret) {
          secret = await getSecret();
        }

        const { key } = jwt.verify(token, secret);
        request.uri = `/${key}`;
        callback(null, request);
      } catch (error) {
        console.error("Invalid JWT token");
        const response = {
          status: "401",
          statusDescription: "Unauthorized JWT",
          headers: {
            location: [
              {
                key: "Location",
                value: "www.mianio.com/401",
              },
            ],
          },
        };
        callback(null, response);
      }
    }
  }

  const unauthorizedResponse = {
    status: "403",
    statusDescription: "Forbidden",
    headers: {
      location: [
        {
          key: "Location",
          value: "www.mianio.com/403",
        },
      ],
    },
  };

  callback(null, unauthorizedResponse);
};