From d9e32aa64e956593c0bfee5a194f1736a792288a Mon Sep 17 00:00:00 2001 From: Simon Coe Date: Fri, 22 Sep 2023 17:34:35 +0100 Subject: [PATCH 1/3] NONCE and CV cookies as `secure` for pkce --- authn/pkce.index.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/authn/pkce.index.js b/authn/pkce.index.js index 253636f..6862646 100755 --- a/authn/pkce.index.js +++ b/authn/pkce.index.js @@ -328,14 +328,16 @@ function redirect(request, headers, callback) { "key": "Set-Cookie", "value" : cookie.serialize('NONCE', n[1], { path: '/', - httpOnly: true + httpOnly: true, + secure: true }) }, { "key": "Set-Cookie", "value" : cookie.serialize('CV', challenge[0], { path: '/', - httpOnly: true + httpOnly: true, + secure: true }) } ], From 801f50dc6018b368e9a219144253c854dff57f4e Mon Sep 17 00:00:00 2001 From: Simon Coe Date: Mon, 25 Sep 2023 17:08:50 +0000 Subject: [PATCH 2/3] include nodejs18.x in build targets --- .github/workflows/ci.yml | 2 +- README.md | 6 ++++-- infra/terraform/modules/_lambda/main.tf | 2 +- template.yaml | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4453818..ec7ddd7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,7 @@ jobs: strategy: matrix: - node-version: [14.x, 16.x] + node-version: [14.x, 16.x, 18.x] steps: - uses: actions/checkout@v2 diff --git a/README.md b/README.md index c42a3bc..56f2ab0 100755 --- a/README.md +++ b/README.md @@ -163,7 +163,7 @@ Detailed instructions on testing your function can be found [in the Wiki](https: ## Build Requirements * [npm](https://www.npmjs.com/) ^7.20.0 -* [node](https://nodejs.org/en/) ^14.0 +* [node](https://nodejs.org/en/) ^18.0 * [openssl](https://www.openssl.org) ## Building Generic Packages 
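Review bot: The NONCE and CV cookies set in this hunk still carry no `sameSite` attribute and no expiry, so their cross-site behaviour is left to each browser's default and they persist for the whole browser session. They only need to survive the round trip to the identity provider, so consider adding `sameSite: 'lax'` and a short `maxAge` next to `secure: true`; a top-level redirect back from the IdP still sends Lax cookies, whereas `'strict'` would withhold them. With `secure: true` the browser discards both cookies on a plain-HTTP response, so the distribution must force HTTPS or the callback will arrive without a nonce; that setting is not visible in this patch. `redirect` starts and ends outside the hunk, so any other `Set-Cookie` headers in the file could not be checked for the same attributes.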
@@ -179,7 +179,9 @@ The supported values of `package` are: * `okta_native` - builds a generic Lambda package for OKTA Native authentication * `rotate_key_pair` - builds a Lambda package for rotating the RSA keys in AWS Secrets Manager -GitHub Actions automatically creates a new GitHub release when the repository owner pushes a tag that begins with `v`: +GitHub Actions automatically creates a new GitHub release when the repository owner pushes a tag that begins with `v`. + +e.g. ```sh git tag -a -m "Target AWS Lambda Node.js 14.x runtime" v3.0.0 diff --git a/infra/terraform/modules/_lambda/main.tf b/infra/terraform/modules/_lambda/main.tf index b4b5823..2afa1bb 100644 --- a/infra/terraform/modules/_lambda/main.tf +++ b/infra/terraform/modules/_lambda/main.tf @@ -20,7 +20,7 @@ resource "aws_lambda_function" "main" { role = aws_iam_role.lambda.arn handler = "index.handler" source_code_hash = base64sha256(var.package_url) - runtime = "nodejs14.x" + runtime = "nodejs18.x" timeout = var.timeout publish = var.lambda_at_edge tags = var.tags diff --git a/template.yaml b/template.yaml index 4bef796..c500e25 100644 --- a/template.yaml +++ b/template.yaml @@ -8,7 +8,7 @@ Resources: Properties: CodeUri: distributions/{distribution_name}/{distribution_name}.zip Role: !GetAtt LambdaEdgeFunctionRole.Arn - Runtime: nodejs14.x + Runtime: nodejs18.x Handler: index.handler Timeout: 5 AutoPublishAlias: LIVE From 7d0c091b079de54c1c22fa73ae98c9596d27aa0c Mon Sep 17 00:00:00 2001 From: Simon Coe Date: Mon, 25 Sep 2023 17:21:48 +0000 Subject: [PATCH 3/3] reference version 4 in docs and examples --- infra/terraform/README.md | 2 +- infra/terraform/examples/okta-native/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/terraform/README.md b/infra/terraform/README.md index b99832d..606da90 100644 --- a/infra/terraform/README.md +++ b/infra/terraform/README.md 
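Review bot: Moving `runtime` to `nodejs18.x` in infra/terraform/modules/_lambda/main.tf (and `Runtime: nodejs18.x` in template.yaml) changes which AWS SDK the Lambda runtime provides: the Node.js 18 runtime ships SDK v3 and no longer includes the v2 `aws-sdk` module. Any function that loads `aws-sdk` from the runtime rather than from its own bundle would fail at load time. The `rotate_key_pair` package, which the README says works with AWS Secrets Manager, is the likely candidate, though its code is not shown in this patch. It is worth confirming that each built package bundles its own SDK dependency. Separately, the CI matrix still builds on 14.x and 16.x while the README now requires node ^18.0, so the two should be brought into line.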
@@ -13,7 +13,7 @@ The Terraform modules for each identity provider are in the [modules](./modules) source = "github.com/iress/cloudfront-auth//infra/terraform/modules/okta_native" # Lambda function version to deploy (see the Releases page of this GitHub repository) - release_version = "v3.0.0" + release_version = "v4.0.0" name = "my-website-auth" org_url = "https://my-org.okta.com/oauth2/default" diff --git a/infra/terraform/examples/okta-native/main.tf b/infra/terraform/examples/okta-native/main.tf index 929f14a..1dcdd2a 100644 --- a/infra/terraform/examples/okta-native/main.tf +++ b/infra/terraform/examples/okta-native/main.tf @@ -5,7 +5,7 @@ locals { module "auth" { source = "github.com/iress/cloudfront-auth//infra/terraform/modules/okta_native" - release_version = "v3.0.0" + release_version = "v4.0.0" name = local.name org_url = "https://my-org.okta.com/oauth2/default" client_id = "Nf2qSD9wXKU9ph8an22T"