feat(auth): Implement secure httpOnly cookie authentication for Okta

[arjunp99]

Summary

Replace localStorage token storage with httpOnly cookies to prevent XSS attacks for Okta authentication. This implements a custom PKCE flow while maintaining existing Cognito/Amplify behavior unchanged.

Security Improvements

• Tokens stored in httpOnly cookies (not accessible via JavaScript - prevents XSS token theft)
• SameSite=Lax prevents CSRF while allowing OAuth redirects from Okta
• Secure flag ensures HTTPS-only transmission

Changes

Frontend

• frontend/src/utils/pkce.js - PKCE utility for secure OAuth code exchange
• frontend/src/authentication/views/Callback.js - OAuth callback handler
• frontend/src/authentication/contexts/GenericAuthContext.js - Cookie-based auth for Okta
• frontend/src/services/hooks/useClient.js - Relative URLs + credentials for cookies
• frontend/src/routes.js - Added /callback route

Backend

• backend/auth_handler.py - Token exchange, userinfo, logout endpoints
• deploy/stacks/lambda_api.py - Auth handler Lambda + API routes
• deploy/stacks/cloudfront.py - Proxy /auth/, /graphql/, /search/* to API Gateway
• deploy/custom_resources/custom_authorizer/custom_authorizer_lambda.py - Read tokens from Cookie header

How It Works

1. User clicks login → redirected to Okta with PKCE challenge
2. Okta redirects back to /callback with authorization code
3. Frontend calls /auth/token-exchange with code + PKCE verifier
4. Backend exchanges code for tokens, sets httpOnly cookies
5. All subsequent API calls include cookies automatically (same-origin via CloudFront proxy)
6. Custom authorizer reads access_token from Cookie header

Backward Compatibility

• Cognito users: No changes - continues using Amplify with Authorization header

[TejasRGitHub]

Should we also logout from okta. Here we are deleting those cookies but that doesn't mean we will be logging out of Okta. Should we make a call to the okta endpoint to let Okta know that we want to logout ?

[arjunp99]

Yes, good point! I'll implement Okta logout by redirecting to Okta's /v1/logout endpoint from the frontend after clearing cookies. This fully ends the Okta session so the user must re-authenticate on next login.

The flow will be:

Frontend calls /auth/logout to clear cookies
Frontend redirects to {okta_url}/v1/logout?id_token_hint=...&post_logout_redirect_uri=...
This is handled on the frontend side since it requires a browser redirect.

[TejasRGitHub]

Instead of 'Not Found' can we say something more descriptive like Incorrect route for authentication etc ?

[arjunp99]

Changed to: 'Auth endpoint not found. Valid routes: /auth/token-exchange, /auth/logout, /auth/userinfo'

[TejasRGitHub]

does the headers change between browsers. Asking this since you are fetching both Cookie and cookie key

[arjunp99]

Yes, HTTP header names can be passed with different casing depending on the proxy/gateway configuration. API Gateway sometimes normalizes headers to lowercase (cookie) while the HTTP spec uses Cookie. Checking both ensures we handle all cases reliably.

[TejasRGitHub]

Can you please add a comment and document what you are trying to do here

[arjunp99]

Added comments on this logic.

        # JWT format: header.payload.signature (base64url encoded)
        payload = parts[1]

        # Base64 requires padding to be multiple of 4 characters
        # URL-safe base64 in JWTs often omits padding, so we add it back
        padding = 4 - len(payload) % 4
        if padding != 4:
            payload += '=' * padding

[TejasRGitHub]

If there are any specific exception raised by base64.urlsafe_b64decode or other package you are using . Catch the important ones

[arjunp99]

Added specific exception handling:

binascii.Error, ValueError - for base64 decode failures
json.JSONDecodeError - for invalid JSON in JWT payload
Generic Exception kept as fallback for unexpected errors

All errors are logged with details but return generic messages to clients.

[TejasRGitHub]

what's the backend region check for ?

[arjunp99]

The backend_region check is redundant - looking at pipeline.py, it's always set via backend_region=target_env.get('region', self.region), so it will never be None. Removed the unnecessary check.

[TejasRGitHub]

Is this the typical behaviour for auth endpoints to not have caching ?

[arjunp99]

Yes, this is standard practice. Auth endpoints should never be cached - each request is unique (one-time auth codes, session-specific cookies, user-specific data). Caching would return stale data and break login/logout.

[TejasRGitHub]

We didn't have any cloudfront dist behaviour for graphql or search. What's the benefit of adding it here ?

[arjunp99]

This is required for httpOnly cookies to work. Browsers only send cookies to same-origin requests. Before, tokens were in localStorage and sent via Authorization header (works cross-origin). Now with httpOnly cookies, the browser won't send them to a different origin (API Gateway). Routing through CloudFront makes frontend and API same-origin, so cookies are sent automatically.

[TejasRGitHub]

Are these needed ?

[TejasRGitHub]

Are these needed ?

[TejasRGitHub]

Does this set timeout for the AWS lambda ?

[TejasRGitHub]

Why are we not using the config defined python runtime - PYTHON_LAMBDA_RUNTIME

[TejasRGitHub]

nit: the comment could be extended
This enables cookie-based auth where tokens come from Cookie header and also auth with Authorization header

[TejasRGitHub]

If custom domain is not present then should we default to the domain URL provided by Cloudfront and add it here ?

[TejasRGitHub]

Can you include this file into the index.js and then import this file over here - frontend/src/authentication/contexts/GenericAuthContext.js

[TejasRGitHub]

I don't understand why we need the cloudfront URL vs the API Gateway URL . Can you explain on why we created the cloufront distribution ?

[TejasRGitHub]

After this - https://github.com/data-dot-all/dataall/pull/1920/changes#r2886370803
you can import it like import { generatePKCE, generateState } from 'utils/pkce';

[TejasRGitHub]

Can you let me know if you tested the ReAuth flow ?

[TejasRGitHub]

Hey @arjunp99 , The changes made by you look very solid. I have added comments some of which are for clarification and some cosmetic. But mostly everything looks solid

There are a few things which I think are missing,

1. What happens when the user token expires, in the current implementation, the webapp automatically resets to the login page. There is an internal event set when the token reaches expiration. I think if possible we should mimick that.
2. The logout flow currently only clears the cookies but it should also logout from okta if such an endpoint is present to invalid the tokens in okta at the same time user logouts