fix(cognito): Allow retrieving FIPS-compliant URL
This ensures that users in GovCloud can retrieve a URL that works in
their region and allows users in us-{east,west}-{1,2} to also use the
FIPS endpoints.
laurelmay committed May 3, 2022
1 parent c58fa44 commit 439a0b9
Showing 2 changed files with 75 additions and 4 deletions.
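--- a/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
+++ b/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
@@ -152,10 +152,13 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
 
   /**
    * The URL to the hosted UI associated with this domain
+   *
+   * @param options options to customize the behaviour of this method
    */
-  public baseUrl(): string {
+  public baseUrl(options?: BaseUrlOptions): string {
     if (this.isCognitoDomain) {
-      return `https://${this.domainName}.auth.${Stack.of(this).region}.amazoncognito.com`;
+      const authDomain = 'auth' + (options?.fips ? '-fips' : '');
+      return `https://${this.domainName}.${authDomain}.${Stack.of(this).region}.amazoncognito.com`;
     }
     return `https://${this.domainName}`;
   }
@@ -175,14 +178,26 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
       throw new Error('signInUrl is not supported for clients without authorizationCodeGrant or implicitCodeGrant flow enabled');
     }
     const path = options.signInPath ?? '/login';
-    return `${this.baseUrl()}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
+    return `${this.baseUrl(options)}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
   }
 }
 
+/**
+ * Options to customize the behaviour of `baseUrl()`
+ */
+export interface BaseUrlOptions {
+  /**
+   * Whether to return the FIPS-compliant endpoint
+   *
+   * @default return the standard URL
+   */
+  readonly fips?: boolean;
+}
+
 /**
  * Options to customize the behaviour of `signInUrl()`
  */
-export interface SignInUrlOptions {
+export interface SignInUrlOptions extends BaseUrlOptions {
   /**
    * Where to redirect to after sign in
    */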
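Review bot: The `fips` option is silently ignored for custom domains: the `return` on the non-`isCognitoDomain` branch of `baseUrl` yields the plain `https://` + `domainName` URL whether or not `fips` was set, so a caller requesting `{ fips: true }` on a custom domain (directly or through `signInUrl`, which now forwards its options) gets a non-FIPS URL with no signal. Because a FIPS requirement is normally a compliance constraint, at minimum document this on `BaseUrlOptions.fips`, e.g. `* Only applies to Cognito-hosted domains; for a custom domain this option has no effect and the custom domain name is returned as-is.`, with throwing for the custom-domain case being the stricter alternative at the cost of a behaviour change. The `-fips` label is also inserted for whatever region the stack resolves to (a token at synth time), so nothing here checks that an `auth-fips` host exists in that region; a sentence in the `fips` doc naming the regions the commit message lists (GovCloud, us-east-1/2, us-west-1/2) would make the caller's responsibility clear. The enclosing `UserPoolDomain` class starts before and continues after both hunks.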
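--- a/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
+++ b/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
@@ -164,6 +164,62 @@ describe('User Pool Client', () => {
     Template.fromStack(stack).resourceCountIs('AWS::Cognito::UserPoolDomain', 0);
   });
 
+  describe('baseUrl', () => {
+    test('returns the expected standard URL', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+      const domain = pool.addDomain('Domain', {
+        cognitoDomain: {
+          domainPrefix: 'cognito-domain-prefix',
+        },
+      });
+
+      // WHEN
+      const baseUrl = domain.baseUrl();
+
+      // THEN
+      expect(stack.resolve(baseUrl)).toEqual({
+        'Fn::Join': [
+          '', [
+            'https://',
+            { Ref: 'PoolDomainCFC71F56' },
+            '.auth.',
+            { Ref: 'AWS::Region' },
+            '.amazoncognito.com',
+          ],
+        ],
+      });
+    });
+
+    test('returns the expected FIPS-compliant endpoint URL', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+      const domain = pool.addDomain('Domain', {
+        cognitoDomain: {
+          domainPrefix: 'cognito-domain-prefix',
+        },
+      });
+
+      // WHEN
+      const baseUrl = domain.baseUrl({ fips: true });
+
+      // THEN
+      expect(stack.resolve(baseUrl)).toEqual({
+        'Fn::Join': [
+          '', [
+            'https://',
+            { Ref: 'PoolDomainCFC71F56' },
+            '.auth-fips.',
+            { Ref: 'AWS::Region' },
+            '.amazoncognito.com',
+          ],
+        ],
+      });
+    });
+  });
+
   describe('signInUrl', () => {
     test('returns the expected URL', () => {
       // GIVEN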
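Review bot: The new tests exercise `baseUrl` only on a Cognito-hosted domain; nothing covers the other path the commit changed, `signInUrl` forwarding its options to `baseUrl(options)`, so a regression that drops that forwarding would still pass this suite. Add a case next to the existing 'returns the expected URL' test under `describe('signInUrl', …)` (its body lies outside this hunk) that calls `signInUrl` with `fips: true` alongside the existing `redirectUri` and asserts the resolved `Fn::Join` contains `'.auth-fips.'`. A further case asserting what `baseUrl({ fips: true })` returns for a custom domain would pin that behaviour too, since the implementation appears to return the custom domain name unchanged regardless of the flag.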
