chore/added angular cognito cloudfront #39
Summary
This PR integrates AWS Cognito authentication with an Angular frontend and updates the backend to use Cognito User Pools Authorizer. The authentication architecture improvements are solid, but 3 critical defects block merge.
Critical Issues Requiring Fixes
Three blocking issues identified:
- DynamoDB attribute mapping error - Incorrect struct tag prevents user profile creation in post-confirmation trigger
- Conditional expression logic error - Prevents registration after first user due to incorrect PK-only check
- Hardcoded configuration exposure - Cognito User Pool IDs visible in client-side bundle (security risk)
Changes Overview
The PR successfully:
- Migrates from custom JWT to AWS Cognito authentication
- Implements Cognito User Pools Authorizer at API Gateway level
- Adds Angular frontend with AWS Amplify integration
- Creates CloudFront distribution for frontend hosting
- Implements post-confirmation Lambda trigger for user profile creation
Please address the critical issues before merging.
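The first two findings above both come down to the item the post-confirmation trigger writes not matching what the table and the ConditionExpression expect. The following stdlib-only Go check is an added example, not code from this PR: it reads `dynamodbav` tags the way the attributevalue marshaller does and reports every key attribute (the PK/SK schema is assumed from the review comments) or condition-referenced attribute that the struct never writes. BrokenProfile reproduces the tag in the PR and FixedProfile the suggested fix.

```go
package main

import (
	"fmt"
	"reflect"
	"regexp"
	"strings"
)

// MissingAttrs lists each table key attribute, and each attribute named in cond
// by attribute_exists/attribute_not_exists, that no field of v marshals to. Tags
// are read as attributevalue reads them: "" = field name, "-" = skipped, ",opt".
func MissingAttrs(v interface{}, cond string, keys ...string) []string {
	t, have := reflect.TypeOf(v), map[string]bool{}
	for i := 0; i < t.NumField(); i++ {
		name := strings.SplitN(t.Field(i).Tag.Get("dynamodbav"), ",", 2)[0]
		if name == "" {
			name = t.Field(i).Name
		}
		have[name] = name != "-"
	}
	re := regexp.MustCompile(`attribute_(?:not_)?exists\(\s*([A-Za-z0-9_.]+)\s*\)`)
	want, missing := append([]string{}, keys...), []string{}
	for _, m := range re.FindAllStringSubmatch(cond, -1) {
		want = append(want, m[1])
	}
	for _, w := range want {
		if !have[w] {
			have[w] = true // report each missing name once
			missing = append(missing, w)
		}
	}
	return missing
}

// BrokenProfile reproduces the tag from the PR; FixedProfile the suggested fix.
type BrokenProfile struct {
	PK string `dynamodbav:"PK"`
	SK string `dynamodbav:"entity_id"`
}
type FixedProfile struct {
	PK string `dynamodbav:"PK"`
	SK string `dynamodbav:"SK"`
}

func main() {
	cond := "attribute_not_exists(PK) AND attribute_not_exists(SK)"
	fmt.Println(MissingAttrs(BrokenProfile{}, cond, "PK", "SK")) // [SK]
	fmt.Println(MissingAttrs(FixedProfile{}, cond, "PK", "SK"))  // []
}
```

Run as a unit test in the backend package, it fails on the current struct and passes once the SK tag is corrected, so the mismatch cannot come back unnoticed.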
| SignInOutput | ||
| } from 'aws-amplify/auth'; | ||
| import { CognitoUser, SignUpRequest, SignInRequest, ConfirmSignUpRequest } from '../models'; | ||
| import amplifyConfig from '../../../../amplify_outputs.json'; |
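Review bot: The import path `../../../../amplify_outputs.json` reaches four directories above the service file, outside the frontend source tree, so the build depends on the repository layout and the entire file is bundled into the client. Keep only the public client-side values the app needs (region, user pool and app client identifiers) in a frontend-owned config, for example an environment file populated at build time, and keep any backend-only outputs out of the file that is shipped to browsers.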
🛑 Security Vulnerability: Configuration file import from static JSON exposes sensitive IDs in client-side code. The hardcoded import of amplify_outputs.json at line 15 makes Cognito User Pool IDs visible to attackers, enabling reconnaissance and targeted attacks. [1]
Footnotes
[1] CWE-540: Inclusion of Sensitive Information in Source Code - https://cwe.mitre.org/data/definitions/540.html
| TableName: aws.String(tableName), | ||
| Item: item, | ||
| // Use condition to prevent overwriting existing users | ||
| ConditionExpression: aws.String("attribute_not_exists(PK)"), |
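Review bot: The hunk sets the ConditionExpression but does not show how the caller handles a failed condition. Since the comment says the condition exists to avoid overwriting an existing profile, a ConditionalCheckFailedException on this PutItem means the profile is already there and should be logged and treated as success by the post-confirmation handler rather than failing the user's confirmation, while any other DynamoDB error is still returned.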
🛑 Logic Error: Incorrect condition expression blocks user profile creation. The expression attribute_not_exists(PK) will fail when any user exists because all users share PK="User". This prevents new user registration after the first user.
| ConditionExpression: aws.String("attribute_not_exists(PK)"), | |
| ConditionExpression: aws.String("attribute_not_exists(PK) AND attribute_not_exists(SK)"), |
| // UserProfile represents the DynamoDB user profile structure | ||
| type UserProfile struct { | ||
| PK string `dynamodbav:"PK"` | ||
| SK string `dynamodbav:"entity_id"` |
🛑 Logic Error: Incorrect DynamoDB attribute tag causes data insertion failure. The struct field SK has tag dynamodbav:"entity_id" but DynamoDB operations expect SK as the sort key attribute name.
| SK string `dynamodbav:"entity_id"` | |
| SK string `dynamodbav:"SK"` |