chore(core): enforcing https on user and identity pools endpoinds

aws-amplify · Jan 14, 2025 · f358adf · f358adf
1 parent 50c0dd6
commit f358adf
Show file tree

Hide file tree

Showing 6 changed files with 105 additions and 50 deletions.
diff --git a/packages/core/__tests__/singleton/Auth/index.test.ts b/packages/core/__tests__/singleton/Auth/index.test.ts
@@ -1,51 +1,59 @@
-import { ConsoleLogger } from '../../../src/Logger';
 import { AuthClass } from '../../../src/singleton/Auth';
+import { isSecureServiceEndpoint } from '../../../src/utils';
 
-jest.mock('../../../src/Logger', () => {
-	const warn = jest.fn();
+jest.mock('../../../src/utils');
 
-	return {
-		ConsoleLogger: jest.fn(() => ({
-			warn,
-		})),
-	};
-});
+const mockIsSecureServiceEndpoint = jest.mocked(isSecureServiceEndpoint);
 
 describe('Auth', () => {
 	const auth = new AuthClass();
-	const logger = new ConsoleLogger('Auth');
-	const mockedWarn = logger.warn as jest.Mock;
+
+	const mockConfig = {
+		userPoolClientId: 'userPoolClientId',
+		userPoolId: 'userPoolId',
+		identityPoolId: 'identityPoolId',
+	};
+
+	const expectedErrorMatcher = /must use HTTPS protocol\.$/;
+
+	afterEach(() => {
+		mockIsSecureServiceEndpoint.mockClear();
+	});
 
 	describe('configure', () => {
-		const mockConfig = {
-			userPoolClientId: 'userPoolClientId',
-			userPoolId: 'userPoolId',
-		};
-
-		it('prints warning when use custom endpoint for Cognito User Pool', () => {
-			auth.configure({
-				Cognito: {
-					...mockConfig,
-					userPoolEndpoint: 'https://custom-endpoint.com',
-				},
-			});
-
-			expect(mockedWarn).toHaveBeenCalledWith(
-				expect.stringContaining('Amazon Cognito User Pool'),
+		it('throws when custom user pool endpoint is not secure', () => {
+			const nonSecureUserPoolEndpoint = 'http://example.com';
+			mockIsSecureServiceEndpoint.mockReturnValueOnce(false);
+
+			expect(() => {
+				auth.configure({
+					Cognito: {
+						...mockConfig,
+						userPoolEndpoint: nonSecureUserPoolEndpoint,
+					},
+				});
+			}).toThrow(expectedErrorMatcher);
+			expect(mockIsSecureServiceEndpoint).toHaveBeenCalledWith(
+				nonSecureUserPoolEndpoint,
 			);
 		});
 
-		it('prints warning when use custom endpoint for Cognito Identity Pool', () => {
-			auth.configure({
-				Cognito: {
-					...mockConfig,
-					identityPoolId: 'identityPoolId',
-					identityPoolEndpoint: 'https://custom-endpoint.com',
-				},
-			});
-
-			expect(mockedWarn).toHaveBeenCalledWith(
-				expect.stringContaining('Amazon Cognito Identity Pool'),
+		it('throws when custom identity pool endpoint is not secure', () => {
+			const nonSecureIdentityPoolEndpoint = 'http://example.com';
+			mockIsSecureServiceEndpoint.mockReturnValueOnce(true); // good user pool endpoint
+			mockIsSecureServiceEndpoint.mockReturnValueOnce(false); // bad identity pool endpoint
+
+			expect(() => {
+				auth.configure({
+					Cognito: {
+						...mockConfig,
+						userPoolClientId: 'https://example.com',
+						identityPoolEndpoint: nonSecureIdentityPoolEndpoint,
+					},
+				});
+			}).toThrow(expectedErrorMatcher);
+			expect(mockIsSecureServiceEndpoint).toHaveBeenCalledWith(
+				nonSecureIdentityPoolEndpoint,
 			);
 		});
 	});

diff --git a/packages/core/__tests__/singleton/Singleton.test.ts b/packages/core/__tests__/singleton/Singleton.test.ts
@@ -288,7 +288,14 @@ describe('Session tests', () => {
 			secretAccessKey: 'secretAccessKeyValue',
 		};
 		Amplify.configure(
-			{},
+			{
+				Auth: {
+					Cognito: {
+						userPoolId: 'userPoolId',
+						userPoolClientId: 'userPoolClientId',
+					},
+				},
+			},
 			{
 				Auth: {
 					credentialsProvider: {

diff --git a/packages/core/__tests__/utils/isSecureServiceEndpoint.test.ts b/packages/core/__tests__/utils/isSecureServiceEndpoint.test.ts
@@ -0,0 +1,15 @@
+import { isSecureServiceEndpoint } from '../../src/utils/isSecureServiceEndpoint';
+
+describe('isSecureServiceEndpoint', () => {
+	const a = isSecureServiceEndpoint;
+
+	test.each([
+		['not-a-url', false],
+		['http://example.com', false],
+		['https://example.com', true],
+		['http://localhost:3000', true],
+		['http://127.0.0.1:3000', true],
+	])('isSecureServiceEndpoint(%s) returns %s', (input, expected) => {
+		expect(a(input)).toBe(expected);
+	});
+});
diff --git a/packages/core/src/singleton/Auth/index.ts b/packages/core/src/singleton/Auth/index.ts
@@ -1,6 +1,6 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-import { ConsoleLogger } from '../../Logger';
+import { isSecureServiceEndpoint } from '../../utils';
 
 import {
 	AuthConfig,
@@ -11,7 +11,6 @@ import {
 	LibraryAuthOptions,
 } from './types';
 
-const logger = new ConsoleLogger('Auth');
 export class AuthClass {
 	private authConfig?: AuthConfig;
 	private authOptions?: LibraryAuthOptions;
@@ -30,21 +29,25 @@ export class AuthClass {
 		authResourcesConfig: AuthConfig,
 		authOptions?: LibraryAuthOptions,
 	): void {
-		this.authConfig = authResourcesConfig;
-		this.authOptions = authOptions;
+		const userPoolEndpoint = authResourcesConfig.Cognito?.userPoolEndpoint;
+		const identityPoolEndpoint =
+			authResourcesConfig.Cognito?.identityPoolEndpoint;
 
-		if (authResourcesConfig && authResourcesConfig.Cognito?.userPoolEndpoint) {
-			logger.warn(getCustomEndpointWarningMessage('Amazon Cognito User Pool'));
+		if (userPoolEndpoint && !isSecureServiceEndpoint(userPoolEndpoint)) {
+			throw new Error(getNonHttpsEndpointErrorMessage('`userPoolEndpoint`'));
 		}
 
 		if (
-			authResourcesConfig &&
-			authResourcesConfig.Cognito?.identityPoolEndpoint
+			identityPoolEndpoint &&
+			!isSecureServiceEndpoint(identityPoolEndpoint)
 		) {
-			logger.warn(
-				getCustomEndpointWarningMessage('Amazon Cognito Identity Pool'),
+			throw new Error(
+				getNonHttpsEndpointErrorMessage('`identityPoolEndpoint`'),
 			);
 		}
+
+		this.authConfig = authResourcesConfig;
+		this.authOptions = authOptions;
 	}
 
 	/**
@@ -111,5 +114,5 @@ export class AuthClass {
 	}
 }
 
-const getCustomEndpointWarningMessage = (target: string): string =>
-	`You are using a custom Amazon ${target} endpoint, ensure the endpoint is correct.`;
+const getNonHttpsEndpointErrorMessage = (target: string): string =>
+	`${target} must use HTTPS protocol.`;
diff --git a/packages/core/src/utils/index.ts b/packages/core/src/utils/index.ts
@@ -17,3 +17,4 @@ export { urlSafeEncode } from './urlSafeEncode';
 export { deepFreeze } from './deepFreeze';
 export { deDupeAsyncFunction } from './deDupeAsyncFunction';
 export { isTokenExpired } from './isTokenExpired';
+export { isSecureServiceEndpoint } from './isSecureServiceEndpoint';
diff --git a/packages/core/src/utils/isSecureServiceEndpoint.ts b/packages/core/src/utils/isSecureServiceEndpoint.ts
@@ -0,0 +1,21 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { AmplifyUrl } from './amplifyUrl';
+
+export const isSecureServiceEndpoint = (input: string): boolean => {
+	try {
+		const url = new AmplifyUrl(input);
+
+		if (url.protocol === 'http:' && !isLocalhost(url.hostname)) {
+			return false;
+		}
+
+		return true;
+	} catch {
+		return false;
+	}
+};
+
+const isLocalhost = (hostname: string): boolean =>
+	hostname === 'localhost' || hostname === '127.0.0.1';