Version 4: Resolution of security (pen test) findings, dependancy vulnerabilities and other small updates

.github/workflows/ci.yml

@@ -8,7 +8,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [14.x, 16.x]
+        node-version: [14.x, 16.x, 18.x]
 
     steps:
     - uses: actions/checkout@v2

README.md

@@ -163,7 +163,7 @@ Detailed instructions on testing your function can be found [in the Wiki](https:
 ## Build Requirements
 
 * [npm](https://www.npmjs.com/) ^7.20.0
-* [node](https://nodejs.org/en/) ^14.0
+* [node](https://nodejs.org/en/) ^18.0
 * [openssl](https://www.openssl.org)
 
 ## Building Generic Packages
@@ -179,7 +179,9 @@ The supported values of `package` are:
 * `okta_native` - builds a generic Lambda package for OKTA Native authentication
 * `rotate_key_pair` - builds a Lambda package for rotating the RSA keys in AWS Secrets Manager
 
-GitHub Actions automatically creates a new GitHub release when the repository owner pushes a tag that begins with `v`:
+GitHub Actions automatically creates a new GitHub release when the repository owner pushes a tag that begins with `v`.
+
+e.g.
 
 ```sh
 git tag -a -m "Target AWS Lambda Node.js 14.x runtime" v3.0.0

authn/github.index.js

@@ -64,22 +64,33 @@ function mainProcess(event, context, callback) {
                       "statusDescription": "Found",
                       "body": "ID token retrieved.",
                       "headers": {
+                        "content-type": [{
+                          "key": "Content-Type",
+                          "value": "text/plain;charset=UTF-8"
+                        }],
                         "location" : [{
                           "key": "Location",
                           "value": event.Records[0].cf.config.hasOwnProperty('test') ? (config.AUTH_REQUEST.redirect_uri + queryDict.state) : queryDict.state
                         }],
                         "set-cookie" : [{
                           "key": "Set-Cookie",
-                          "value" : cookie.serialize('TOKEN', jwt.sign(
-                            { },
-                            config.PRIVATE_KEY.trim(),
+                          "value" : cookie.serialize(
+                            'TOKEN',
+                            jwt.sign(
+                              { },
+                              config.PRIVATE_KEY.trim(),
+                              {
+                                audience: headers.host[0].value,
+                                subject: auth.getSubject(username),
+                                expiresIn: config.SESSION_DURATION,
+                                algorithm: 'RS256'
+                              } // Options
+                            ),
                             {
-                              audience: headers.host[0].value,
-                              subject: auth.getSubject(username),
-                              expiresIn: config.SESSION_DURATION,
-                              algorithm: 'RS256'
-                            } // Options
-                          ))
+                              sameSite: 'strict',
+                              secure: true
+                            }
+                          )
                         }],
                       },
                     };
@@ -140,6 +151,10 @@ function redirect(request, headers, callback) {
     statusDescription: "Found",
     body: "Redirecting to OAuth2 provider",
     headers: {
+      "content-type": [{
+        "key": "Content-Type",
+        "value": "text/plain;charset=UTF-8"
+      }],
       "location" : [{
         "key": "Location",
         "value": config.AUTHORIZATION_ENDPOINT + '?' + querystring
@@ -159,10 +174,14 @@ function unauthorized(body, callback) {
     "statusDescription": "Unauthorized",
     "body": body,
     "headers": {
-       "set-cookie" : [{
-         "key": "Set-Cookie",
-         "value" : cookie.serialize('TOKEN', '', { path: '/', expires: new Date(1970, 1, 1, 0, 0, 0, 0) })
-       }],
+      "content-type": [{
+        "key": "Content-Type",
+        "value": "text/plain;charset=UTF-8"
+      }],
+      "set-cookie" : [{
+        "key": "Set-Cookie",
+        "value" : cookie.serialize('TOKEN', '', { path: '/', expires: new Date(1970, 1, 1, 0, 0, 0, 0) })
+      }],
     },
   };
   callback(null, response);
@@ -173,6 +192,12 @@ function internalServerError(body, callback) {
     "status": "500",
     "statusDescription": "Internal Server Error",
     "body": body,
+    "headers": {
+      "content-type": [{
+        "key": "Content-Type",
+        "value": "text/plain;charset=UTF-8"
+      }]
+    }
   };
   callback(null, response);
 }

infra/terraform/README.md

@@ -13,7 +13,7 @@ The Terraform modules for each identity provider are in the [modules](./modules)
       source = "github.com/iress/cloudfront-auth//infra/terraform/modules/okta_native"
 
       # Lambda function version to deploy (see the Releases page of this GitHub repository)
-      release_version = "v3.0.0"
+      release_version = "v4.0.0"
 
       name        = "my-website-auth"
       org_url     = "https://my-org.okta.com/oauth2/default"

infra/terraform/examples/okta-native/main.tf

@@ -5,7 +5,7 @@ locals {
 module "auth" {
   source = "github.com/iress/cloudfront-auth//infra/terraform/modules/okta_native"
 
-  release_version = "v3.0.0"
+  release_version = "v4.0.0"
   name            = local.name
   org_url         = "https://my-org.okta.com/oauth2/default"
   client_id       = "Nf2qSD9wXKU9ph8an22T"

infra/terraform/modules/_lambda/main.tf

@@ -20,7 +20,7 @@ resource "aws_lambda_function" "main" {
   role             = aws_iam_role.lambda.arn
   handler          = "index.handler"
   source_code_hash = base64sha256(var.package_url)
-  runtime          = "nodejs14.x"
+  runtime          = "nodejs18.x"
   timeout          = var.timeout
   publish          = var.lambda_at_edge
   tags             = var.tags