From 992fcc007d3caa259ba2d35f1500763dbab94775 Mon Sep 17 00:00:00 2001
From: Gustavo Valverde
Date: Sun, 30 Jul 2023 21:46:40 +0100
Subject: [PATCH 1/6] fix(security): do not commit `aws-exports.js` file
---
 .env.example | 6 +++++-
 .github/workflows/cloudrun-deploy.yml | 4 ++++
 src/aws-exports.js | 24 ------------------------
 src/helpers/rekognition.ts | 5 +----
 src/pages/_app.tsx | 4 ----
 5 files changed, 10 insertions(+), 33 deletions(-)
 delete mode 100644 src/aws-exports.js
diff --git a/.env.example b/.env.example
index 6793d35a..ab4d7e9b 100644
--- a/.env.example
+++ b/.env.example
@@ -1,3 +1,7 @@
+AWS_REGION=
+AMPLIFY_IDENTITYPOOL_ID=
+AMPLIFY_USERPOOL_ID=
+AMPLIFY_WEBCLIENT_ID=
 ORY_SDK_URL=
 ORY_SDK_TOKEN=
 CEDULA_API=
@@ -9,4 +13,4 @@ ENCRYPTION_KEY=
 RECAPTHA_API_KEY=
 RECAPTHA_PROJECT_ID=
 NEXT_PUBLIC_RECAPTCHA_SITE_KEY=
-NEXT_PUBLIC_GOOGLE_ANALYTICS=
\ No newline at end of file
+NEXT_PUBLIC_GOOGLE_ANALYTICS=
diff --git a/.github/workflows/cloudrun-deploy.yml b/.github/workflows/cloudrun-deploy.yml
index c87876e1..6bf88cc9 100644
--- a/.github/workflows/cloudrun-deploy.yml
+++ b/.github/workflows/cloudrun-deploy.yml
@@ -66,6 +66,10 @@ jobs:
 service: ${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}
 region: ${{ inputs.region }}
 env_vars: |
+ AWS_REGION=${{ vars.AWS_REGION }},
+ AMPLIFY_IDENTITYPOOL_ID=${{ vars.AMPLIFY_IDENTITYPOOL_ID }},
+ AMPLIFY_USERPOOL_ID=${{ vars.AMPLIFY_USERPOOL_ID }},
+ AMPLIFY_WEBCLIENT_ID=${{ secrets.AMPLIFY_WEBCLIENT_ID }},
 ORY_SDK_URL=${{ secrets.ORY_SDK_URL }},
 ORY_SDK_TOKEN=${{ secrets.ORY_SDK_TOKEN }},
 CEDULA_API=${{ secrets.CEDULA_API }},
diff --git a/src/aws-exports.js b/src/aws-exports.js
deleted file mode 100644
index 34fbb30a..00000000
--- a/src/aws-exports.js
+++ /dev/null
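Review bot: In the `env_vars` block, `AMPLIFY_WEBCLIENT_ID` is pulled from `secrets` while `AWS_REGION`, `AMPLIFY_IDENTITYPOOL_ID` and `AMPLIFY_USERPOOL_ID` come from `vars`, yet the same client id is later placed into browser-side Amplify config in `_app.tsx` (patch 4), so it is either public configuration or must not reach the client bundle. If it is a public Cognito app-client id (one without a client secret), make the workflow consistent with `AMPLIFY_WEBCLIENT_ID=${{ vars.AMPLIFY_WEBCLIENT_ID }},`; if it is meant to stay secret, the client-side use is the thing to fix. Deleting `src/aws-exports.js` in this same commit does not remove the pool and client ids it held from git history, so anything among them that is being classified as a secret should be rotated, not just un-committed. Only three context lines of the `env_vars` block are visible here.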
@@ -1,24 +0,0 @@ -/* eslint-disable */ -// WARNING: DO NOT EDIT. This file is automatically generated by AWS Amplify. It will be overwritten. - -const awsmobile = { - aws_project_region: "us-east-1", - aws_cognito_identity_pool_id: - "us-east-1:130f5045-62a9-46f0-ab8b-b6982a6b9873", - aws_cognito_region: "us-east-1", - aws_user_pools_id: "us-east-1_IHrG3D5tP", - aws_user_pools_web_client_id: "5ahfmvebapr9a0br0e304kl148", - oauth: {}, - aws_cognito_username_attributes: [], - aws_cognito_social_providers: [], - aws_cognito_signup_attributes: ["EMAIL"], - aws_cognito_mfa_configuration: "OFF", - aws_cognito_mfa_types: ["SMS"], - aws_cognito_password_protection_settings: { - passwordPolicyMinLength: 8, - passwordPolicyCharacters: [], - }, - aws_cognito_verification_mechanisms: ["PHONE_NUMBER"], -}; - -export default awsmobile; diff --git a/src/helpers/rekognition.ts b/src/helpers/rekognition.ts index 412164bb..5bc1f010 100644 --- a/src/helpers/rekognition.ts +++ b/src/helpers/rekognition.ts @@ -2,9 +2,7 @@ import { Amplify, withSSRContext } from 'aws-amplify'; import { Rekognition } from '@aws-sdk/client-rekognition'; import { NextApiRequest } from 'next/types'; -import awsExports from '../aws-exports'; - -Amplify.configure({ ...awsExports, ssr: true }); +Amplify.configure({ ssr: true }); export async function getRekognitionClient( req: NextApiRequest @@ -13,7 +11,6 @@ export async function getRekognitionClient( const credentials = await SSR.Credentials.get(); const rekognitionClient = new Rekognition({ - region: awsExports.aws_project_region, credentials, }); diff --git a/src/pages/_app.tsx b/src/pages/_app.tsx index 10b35f13..f71e93da 100644 --- a/src/pages/_app.tsx +++ b/src/pages/_app.tsx 
@@ -3,21 +3,17 @@ import CssBaseline from '@mui/material/CssBaseline';
 import { ThemeProvider } from '@mui/material/styles';
 import { useEffect } from 'react';
 import type { AppProps } from 'next/app';
-import { Amplify } from 'aws-amplify';
 import { ReCaptchaProvider } from 'next-recaptcha-v3';
 import TagManager from 'react-gtm-module';
 import { SnackbarProvider } from '../components/elements/alert';
 import Layout from '../components/layout';
-import awsExports from '../aws-exports';
 import { theme } from '../themes';
 import '../../public/fonts/poppins_wght.css';
 import '@aws-amplify/ui-react/styles.css';
 import '@/styles/globals.css';
-Amplify.configure(awsExports);
-
 export default function App({ Component, pageProps }: AppProps) {
 // Google Tag Manager
 useEffect(() => {
From 0e7ef7e2d723c6dd6e7bad780706c41eb2b833c8 Mon Sep 17 00:00:00 2001
From: Gustavo Valverde
Date: Sun, 30 Jul 2023 22:06:06 +0100
Subject: [PATCH 2/6] fix(rekognition): configure using environment variables
---
 ory.yml | 353 +++++++++++++++++++++++++++++++++++++
 src/helpers/rekognition.ts | 11 +-
 2 files changed, 363 insertions(+), 1 deletion(-)
 create mode 100644 ory.yml
diff --git a/ory.yml b/ory.yml
new file mode 100644
index 00000000..07c2c614
--- /dev/null
+++ b/ory.yml
@@ -0,0 +1,353 @@ +id: cc8ee210-f897-4c48-bb93-a69df6b918e9 +name: Plataforma única de autenticación +revision_id: 87ccd833-5ad8-4f62-a0dc-e46842d36ec3 +services: + identity: + config: + cookies: + domain: naughty-euclid-q27q8011k4.projects.oryapis.com + path: / + same_site: Lax + courier: + smtp: + connection_uri: smtp://OGTIC:md-1SvqeRSP1HU5Z2YQN60S8Q@smtp.mandrillapp.com:587 + from_address: noreply@ogtic.gob.do + from_name: Cuenta Unica Ciudadana + headers: + X-MC-Subaccount: Autenticacion + X-MC-Tags: ory + X-MC-Track: opens, clicks_htmlonly + X-MC-TrackingDomain: cuenta.digital.gob.do + templates: + recovery: + invalid: + email: + body: {} + valid: + email: + body: {} + recovery_code: + invalid: + email: + body: {} + valid: + email: + body: {} + verification: + invalid: + email: + body: {} + valid: + email: + body: {} + verification_code: + invalid: + email: + body: {} + valid: + email: + body: + html: https://storage.googleapis.com/bac-gcs-production/ad88737ddcd726137f7b28e56aec5815b69c17eaf44502a8ad083c580f3ea7f265be883e92548224f5f6a8a307db1d7650e142d7b5e99cc5cdb2b68bfba4e047.html + subject: https://storage.googleapis.com/bac-gcs-production/89fdebf7b70de240f81a032c83b81f65ee1e2536c94b384cbf49964c92a2e55b2351b8df8843a56ee11143493964121cce48c602312a8b14fbe189018596f17d.bin + feature_flags: + cacheable_sessions: false + identity: + default_schema_id: 8ec0d804ad6185b7657a689223f93702f76abcaa9396867021a97373f167a4f1fca26b1b8614184eba0c96b3039d254c28ecde2249dfdeed845042b864073d96 + schemas: + - id: preset://email + url: base64: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 + - id: a7f1c9794d1acd3acd036f59de31a6251ad727e36ce174d6baee4417faee118ca9228fbc9da328e7c720b5ce314fd5d82048a7c085e227e1b6cd46235b75d429 + url: https://storage.googleapis.com/bac-gcs-production/a7f1c9794d1acd3acd036f59de31a6251ad727e36ce174d6baee4417faee118ca9228fbc9da328e7c720b5ce314fd5d82048a7c085e227e1b6cd46235b75d429.json + - id: 
a444027d062ddf88f4840e4621d0ec5f1adc3b313bb29c02e0ba1d362a711750dd436fed7755a766ba35f735207eae37907e8e1ecd4a7bec2cd44b5a8c8db48f + url: https://storage.googleapis.com/bac-gcs-production/a444027d062ddf88f4840e4621d0ec5f1adc3b313bb29c02e0ba1d362a711750dd436fed7755a766ba35f735207eae37907e8e1ecd4a7bec2cd44b5a8c8db48f.json + - id: ef11f162bbaab644a22ce839c89185ea2744145f019f8646cb584f22eb1794f8799525c61774cd56dfc3184c5cfeab6ec1e91ce22c729758bafae7613742035a + url: https://storage.googleapis.com/bac-gcs-production/ef11f162bbaab644a22ce839c89185ea2744145f019f8646cb584f22eb1794f8799525c61774cd56dfc3184c5cfeab6ec1e91ce22c729758bafae7613742035a.json + - id: 43fe52b3cdb99bbf3e7df0cfd65ceef014a5d3dc160de63d10ab71cf77b07517479e601a1801366dc9afe894f6dbf3edab767d4cfae6a685ec25b0697d400a7c + url: https://storage.googleapis.com/bac-gcs-production/43fe52b3cdb99bbf3e7df0cfd65ceef014a5d3dc160de63d10ab71cf77b07517479e601a1801366dc9afe894f6dbf3edab767d4cfae6a685ec25b0697d400a7c.json + - id: 2508d39b31df810dea5ad7b604c1a038d58792750b61bb1435025cc48d1c8b02e1e55b248a4e6b44acb6eae6eaaa9adcc62470864d934491fae2fb2e4700b7be + url: https://storage.googleapis.com/bac-gcs-production/2508d39b31df810dea5ad7b604c1a038d58792750b61bb1435025cc48d1c8b02e1e55b248a4e6b44acb6eae6eaaa9adcc62470864d934491fae2fb2e4700b7be.json + - id: 6e0d408dfedd4dac56bf9d059296ee687e0acef4d4330a2760534a916148a5ad37b366f0492e710b18c5e70abb971b985c8b033c1b922aaff90e66a950efb60a + url: https://storage.googleapis.com/bac-gcs-production/6e0d408dfedd4dac56bf9d059296ee687e0acef4d4330a2760534a916148a5ad37b366f0492e710b18c5e70abb971b985c8b033c1b922aaff90e66a950efb60a.json + - id: 7dd3aa65a6fd8785b80eefa2c7d8b93743b6f8ebad270d685b75c9a30969b59d0eeb5f295c3a164d49eb49287826b6131c50b65d22c2a909b52a7616424b04d4 + url: https://storage.googleapis.com/bac-gcs-production/7dd3aa65a6fd8785b80eefa2c7d8b93743b6f8ebad270d685b75c9a30969b59d0eeb5f295c3a164d49eb49287826b6131c50b65d22c2a909b52a7616424b04d4.json + - id: 
03ade72b0c4783d62a2420f08917c978ca01bf45fbd733d810484b406354443134a121c9cec2bfd8212c9686dd4dd1a30144381a40271a795678f7d47f23196f + url: https://storage.googleapis.com/bac-gcs-production/03ade72b0c4783d62a2420f08917c978ca01bf45fbd733d810484b406354443134a121c9cec2bfd8212c9686dd4dd1a30144381a40271a795678f7d47f23196f.json + - id: 6d51d005e773af64fb177f93d462461a62a87464a03adcb898a91e6390799d20cbf8038fe7ad5ae276295fa0bd716579cc77ebea81c7a3e4d9ccb380ec763fde + url: https://storage.googleapis.com/bac-gcs-production/6d51d005e773af64fb177f93d462461a62a87464a03adcb898a91e6390799d20cbf8038fe7ad5ae276295fa0bd716579cc77ebea81c7a3e4d9ccb380ec763fde.json + - id: 78e4a8f312923348874a31ffba0b034dc5f2fa05abf09497045e55a29613967dc7370834c6c8da6eeaa0f3cc2c0edf21d452eadf8adabd70ede8f7a6d5dd0aaf + url: https://storage.googleapis.com/bac-gcs-production/78e4a8f312923348874a31ffba0b034dc5f2fa05abf09497045e55a29613967dc7370834c6c8da6eeaa0f3cc2c0edf21d452eadf8adabd70ede8f7a6d5dd0aaf.json + - id: 6ed79fe1e668e7b1d59b576f62a69d0ff734e05d02f2d531667236b7bc03ec7b01840422658ee2c598fea4cf25389bef849f7215ffbe4e2fd0ff47f1304440ed + url: https://storage.googleapis.com/bac-gcs-production/6ed79fe1e668e7b1d59b576f62a69d0ff734e05d02f2d531667236b7bc03ec7b01840422658ee2c598fea4cf25389bef849f7215ffbe4e2fd0ff47f1304440ed.json + - id: 725f5a5169ec99ed7c1a815eee58631600d2070e6f903ea13cf373fa83af13a3807a9fb405aeae2ad9fbdd27834b861208de0e110655ffec89cdbc12a112e162 + url: https://storage.googleapis.com/bac-gcs-production/725f5a5169ec99ed7c1a815eee58631600d2070e6f903ea13cf373fa83af13a3807a9fb405aeae2ad9fbdd27834b861208de0e110655ffec89cdbc12a112e162.json + - id: 06cad73797fc9c1c59ec358e304834ce260b872fe2e939eb05f89c009ae3349c912bbdf45f45aeda78b760692e87bf46b9e7b7ec05355b77cad05e2d175398e8 + url: https://storage.googleapis.com/bac-gcs-production/06cad73797fc9c1c59ec358e304834ce260b872fe2e939eb05f89c009ae3349c912bbdf45f45aeda78b760692e87bf46b9e7b7ec05355b77cad05e2d175398e8.json + - id: 
28bb6c2344cefbe2325482b08c5803714c62e784bbb583c7ce538faa8f518c61c1268e75d7c87d725ac9db1a005f846a60964499a3863aea3d3705ad21ecaef2 + url: https://storage.googleapis.com/bac-gcs-production/28bb6c2344cefbe2325482b08c5803714c62e784bbb583c7ce538faa8f518c61c1268e75d7c87d725ac9db1a005f846a60964499a3863aea3d3705ad21ecaef2.json + - id: 31f76246cb99583df911e89d70fb99781a821f385bd9d362f089420526237055ee1de0b544a4f0e3964046e5212a6fc8533e18bb06d60170ad00f3ea20d2d23c + url: https://storage.googleapis.com/bac-gcs-production/31f76246cb99583df911e89d70fb99781a821f385bd9d362f089420526237055ee1de0b544a4f0e3964046e5212a6fc8533e18bb06d60170ad00f3ea20d2d23c.json + - id: 8ec0d804ad6185b7657a689223f93702f76abcaa9396867021a97373f167a4f1fca26b1b8614184eba0c96b3039d254c28ecde2249dfdeed845042b864073d96 + url: https://storage.googleapis.com/bac-gcs-production/8ec0d804ad6185b7657a689223f93702f76abcaa9396867021a97373f167a4f1fca26b1b8614184eba0c96b3039d254c28ecde2249dfdeed845042b864073d96.json + oauth2_provider: + override_return_to: true + selfservice: + allowed_return_urls: + - https://naughty-euclid-q27q8011k4.projects.oryapis.com + - https://cuenta.digital.gob.do + - http://localhost:3000/login/result + - https://cuenta.digital.gob.do/ + - https://beta.registro.digital.gob.do/ + - http://localhost:3000 + - /login/result + default_browser_return_url: /ui/settings + flows: + error: + ui_url: /ui/error + login: + after: + default_browser_return_url: https://cuenta.digita.gob.do/login/result + hooks: [] + oidc: + hooks: [] + password: + hooks: + - hook: require_verified_address + webauthn: + hooks: [] + before: + hooks: [] + ui_url: /ui/login + logout: + after: {} + recovery: + after: + hooks: [] + before: + hooks: [] + enabled: true + notify_unknown_recipients: false + ui_url: /ui/recovery + use: code + registration: + after: + hooks: [] + oidc: + hooks: + - hook: session + password: + hooks: + - hook: session + webauthn: + hooks: + - hook: session + before: + hooks: [] + enabled: true + ui_url: 
/ui/registration + settings: + after: + hooks: [] + password: + hooks: [] + profile: + hooks: [] + before: + hooks: [] + privileged_session_max_age: 15m0s + required_aal: highest_available + ui_url: /ui/settings + verification: + after: + hooks: [] + before: + hooks: [] + enabled: true + notify_unknown_recipients: false + ui_url: /ui/verification + use: code + methods: + code: + config: {} + link: + config: + base_url: https://cuenta.digital.gob.do/ + enabled: true + lookup_secret: + enabled: true + oidc: + config: + providers: [] + enabled: true + password: + config: {} + profile: + enabled: false + totp: + config: + issuer: Cuenta Única + enabled: true + webauthn: + config: + passwordless: true + rp: + display_name: Cuenta Única + id: cuenta.digital.gob.do + origin: https://cuenta.digital.gob.do + enabled: true + serve: + admin: + base_url: https://naughty-euclid-q27q8011k4.projects.oryapis.com/ + request_log: + disable_for_health: true + public: + base_url: https://naughty-euclid-q27q8011k4.projects.oryapis.com/ + cors: + enabled: false + request_log: + disable_for_health: true + session: + cookie: + domain: naughty-euclid-q27q8011k4.projects.oryapis.com + name: ory_session_naughtyeuclidq27q8011k4 + path: / + same_site: Lax + lifespan: 72h0m0s + whoami: + required_aal: highest_available + oauth2: + config: + clients: + http: + disallow_private_ip_ranges: true + dev: true + hsm: + enabled: false + oauth2: + client_credentials: + default_grant_allowed_scope: false + exclude_not_before_claim: false + expose_internal_errors: true + grant: + jwt: + iat_optional: false + jti_optional: false + max_ttl: 720h0m0s + hashers: + algorithm: pbkdf2 + pbkdf2: + iterations: 10000 + pkce: + enforced: false + enforced_for_public_clients: false + session: + encrypt_at_rest: true + oidc: + dynamic_client_registration: + enabled: false + subject_identifiers: {} + serve: + admin: + cors: + allow_credentials: true + allowed_headers: + - Accept + - Content-Type + - Content-Length + - 
Accept-Language + - Content-Language + - Authorization + allowed_methods: + - POST + - GET + - PUT + - PATCH + - DELETE + - CONNECT + - HEAD + - OPTIONS + - TRACE + debug: false + enabled: false + exposed_headers: + - Cache-Control + - Expires + - Last-Modified + - Pragma + - Content-Length + - Content-Language + - Content-Type + max_age: 0 + tls: + enabled: false + cookies: + domain: naughty-euclid-q27q8011k4.projects.oryapis.com + names: + consent_csrf: ory_oauth2_consent_csrf_naughtyeuclidq27q8011k4 + login_csrf: ory_oauth2_login_csrf_naughtyeuclidq27q8011k4 + session_csrf: ory_oauth2_session_csrf_naughtyeuclidq27q8011k4 + same_site_legacy_workaround: false + same_site_mode: Lax + secure: true + public: + cors: + allow_credentials: true + allowed_headers: + - Accept + - Content-Type + - Content-Length + - Accept-Language + - Content-Language + - Authorization + allowed_methods: + - POST + - GET + - PUT + - PATCH + - DELETE + - CONNECT + - HEAD + - OPTIONS + - TRACE + debug: false + enabled: false + exposed_headers: + - Cache-Control + - Expires + - Last-Modified + - Pragma + - Content-Length + - Content-Language + - Content-Type + max_age: 0 + tls: + enabled: false + tls: + enabled: false + strategies: + access_token: opaque + scope: wildcard + ttl: + access_token: 1h0m0s + auth_code: 30m0s + id_token: 1h0m0s + login_consent_request: 30m0s + refresh_token: 720h0m0s + urls: + consent: /ui/consent + error: /ui/error + login: /ui/login + logout: /ui/logout + post_logout_redirect: /oauth2/fallbacks/logout/callback + self: + admin: https://naughty-euclid-q27q8011k4.projects.oryapis.com/admin + issuer: https://naughty-euclid-q27q8011k4.projects.oryapis.com + public: https://naughty-euclid-q27q8011k4.projects.oryapis.com + webfinger: + jwks: {} + oidc_discovery: {} + permission: + config: + limit: {} + namespaces: [] +slug: naughty-euclid-q27q8011k4 +state: running \ No newline at end of file 
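Review bot: The `courier.smtp.connection_uri` line embeds a live SMTP username and API key for smtp.mandrillapp.com in the repository; patch 5 removes `ory.yml` again, but the value remains in the history of this series and should be treated as exposed and revoked on the provider side, with a secret-scanning pre-commit or CI check added so the next export cannot land. The rest of the file (project id, revision id, cookie domains, allowed return URLs) is an Ory project export that belongs in the Ory project itself or in a secrets store, not in the app repo; if a reference copy is wanted, `.gitignore` it and redact `connection_uri`. Separately, `login.after.default_browser_return_url` points at `https://cuenta.digita.gob.do/login/result`, a host that is absent from `allowed_return_urls` and looks like a typo of `cuenta.digital.gob.do`; a post-login redirect to a domain the project does not control is worth confirming against the live Ory configuration.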
diff --git a/src/helpers/rekognition.ts b/src/helpers/rekognition.ts
index 5bc1f010..acfd9a56 100644
--- a/src/helpers/rekognition.ts
+++ b/src/helpers/rekognition.ts
@@ -2,7 +2,15 @@ import { Amplify, withSSRContext } from 'aws-amplify';
 import { Rekognition } from '@aws-sdk/client-rekognition';
 import { NextApiRequest } from 'next/types';
-Amplify.configure({ ssr: true });
+const awsConfig = {
+ aws_project_region: process.env.AWS_REGION,
+ aws_cognito_identity_pool_id: process.env.AMPLIFY_IDENTITYPOOL_ID,
+ aws_cognito_region: process.env.AWS_REGION, // This could also be a separate environment variable if needed
+ aws_user_pools_id: process.env.AMPLIFY_USERPOOL_ID,
+ aws_user_pools_web_client_id: process.env.AMPLIFY_WEBCLIENT_ID,
+};
+
+Amplify.configure({ ...awsConfig, ssr: true });
 export async function getRekognitionClient(
 req: NextApiRequest
@@ -11,6 +19,7 @@ export async function getRekognitionClient(
 const credentials = await SSR.Credentials.get();
 const rekognitionClient = new Rekognition({
+ region: process.env.AWS_REGION,
 credentials,
 });
From 9b89cbc0e805f357aa9f6bdd0d5b05741dc1d122 Mon Sep 17 00:00:00 2001
From: Gustavo Valverde
Date: Sun, 30 Jul 2023 22:07:11 +0100
Subject: [PATCH 3/6] chore: DRY
---
 src/helpers/rekognition.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/helpers/rekognition.ts b/src/helpers/rekognition.ts
index acfd9a56..dd9c3bcf 100644
--- a/src/helpers/rekognition.ts
+++ b/src/helpers/rekognition.ts
@@ -19,7 +19,7 @@ export async function getRekognitionClient(
 const credentials = await SSR.Credentials.get();
 const rekognitionClient = new Rekognition({
- region: process.env.AWS_REGION,
+ region: awsConfig.aws_project_region,
 credentials,
 });
From 2d820508d0c10ca3008676ee3ad170b2e36012e5 Mon Sep 17 00:00:00 2001
From: Gustavo Valverde
Date: Sun, 30 Jul 2023 22:28:00 +0100
Subject: [PATCH 4/6] fix(amplify): use on client-side
---
 src/pages/_app.tsx | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/pages/_app.tsx b/src/pages/_app.tsx
index f71e93da..53778b8f 100644
--- a/src/pages/_app.tsx
+++ b/src/pages/_app.tsx
@@ -3,6 +3,7 @@ import CssBaseline from '@mui/material/CssBaseline';
 import { ThemeProvider } from '@mui/material/styles';
 import { useEffect } from 'react';
 import type { AppProps } from 'next/app';
+import { Amplify } from 'aws-amplify';
 import { ReCaptchaProvider } from 'next-recaptcha-v3';
 import TagManager from 'react-gtm-module';
@@ -14,6 +15,16 @@ import '../../public/fonts/poppins_wght.css';
 import '@aws-amplify/ui-react/styles.css';
 import '@/styles/globals.css';
+const awsConfig = {
+ aws_project_region: process.env.AWS_REGION,
+ aws_cognito_identity_pool_id: process.env.AMPLIFY_IDENTITYPOOL_ID,
+ aws_cognito_region: process.env.AWS_REGION, // This could also be a separate environment variable if needed
+ aws_user_pools_id: process.env.AMPLIFY_USERPOOL_ID,
+ aws_user_pools_web_client_id: process.env.AMPLIFY_WEBCLIENT_ID,
+};
+
+Amplify.configure(awsConfig);
+
 export default function App({ Component, pageProps }: AppProps) {
 // Google Tag Manager
 useEffect(() => {
From fdcea4c305f4fb962024a6d663b6c3e272a02044 Mon Sep 17 00:00:00 2001
From: Gustavo Valverde
Date: Sun, 30 Jul 2023 22:28:23 +0100
Subject: [PATCH 5/6] chore: remove extra file
---
 ory.yml | 353 --------------------------------------------------------
 1 file changed, 353 deletions(-)
 delete mode 100644 ory.yml
diff --git a/ory.yml b/ory.yml
deleted file mode 100644
index 07c2c614..00000000
--- a/ory.yml
+++ /dev/null
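Review bot: The new `awsConfig` reads `process.env.AWS_REGION`, `AMPLIFY_IDENTITYPOOL_ID`, `AMPLIFY_USERPOOL_ID` and `AMPLIFY_WEBCLIENT_ID` at module level in `_app.tsx`, which also executes in the browser, where Next.js only inlines variables named with the `NEXT_PUBLIC_` prefix at build time; the project's `.env.example` already follows that convention for its other client-side keys, so on the client these fields will most likely be `undefined` and `Amplify.configure(awsConfig)` will run with an empty configuration. Either expose them under `NEXT_PUBLIC_` names, which also makes explicit that they are public configuration rather than the GitHub secret the deploy workflow treats `AMPLIFY_WEBCLIENT_ID` as, or keep the Amplify configuration on the server. Because every field is `string | undefined`, a guard before the call such as `if (!awsConfig.aws_user_pools_id || !awsConfig.aws_project_region) throw new Error('Amplify environment variables are not set');` turns a silent misconfiguration into a build- or start-time failure. The `// This could also be a separate environment variable if needed` comment duplicates the one added to `rekognition.ts` in patch 2 and is better kept once, in `.env.example`.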
@@ -1,353 +0,0 @@ -id: cc8ee210-f897-4c48-bb93-a69df6b918e9 -name: Plataforma única de autenticación -revision_id: 87ccd833-5ad8-4f62-a0dc-e46842d36ec3 -services: - identity: - config: - cookies: - domain: naughty-euclid-q27q8011k4.projects.oryapis.com - path: / - same_site: Lax - courier: - smtp: - connection_uri: smtp://OGTIC:md-1SvqeRSP1HU5Z2YQN60S8Q@smtp.mandrillapp.com:587 - from_address: noreply@ogtic.gob.do - from_name: Cuenta Unica Ciudadana - headers: - X-MC-Subaccount: Autenticacion - X-MC-Tags: ory - X-MC-Track: opens, clicks_htmlonly - X-MC-TrackingDomain: cuenta.digital.gob.do - templates: - recovery: - invalid: - email: - body: {} - valid: - email: - body: {} - recovery_code: - invalid: - email: - body: {} - valid: - email: - body: {} - verification: - invalid: - email: - body: {} - valid: - email: - body: {} - verification_code: - invalid: - email: - body: {} - valid: - email: - body: - html: https://storage.googleapis.com/bac-gcs-production/ad88737ddcd726137f7b28e56aec5815b69c17eaf44502a8ad083c580f3ea7f265be883e92548224f5f6a8a307db1d7650e142d7b5e99cc5cdb2b68bfba4e047.html - subject: https://storage.googleapis.com/bac-gcs-production/89fdebf7b70de240f81a032c83b81f65ee1e2536c94b384cbf49964c92a2e55b2351b8df8843a56ee11143493964121cce48c602312a8b14fbe189018596f17d.bin - feature_flags: - cacheable_sessions: false - identity: - default_schema_id: 8ec0d804ad6185b7657a689223f93702f76abcaa9396867021a97373f167a4f1fca26b1b8614184eba0c96b3039d254c28ecde2249dfdeed845042b864073d96 - schemas: - - id: preset://email - url: base64: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 - - id: a7f1c9794d1acd3acd036f59de31a6251ad727e36ce174d6baee4417faee118ca9228fbc9da328e7c720b5ce314fd5d82048a7c085e227e1b6cd46235b75d429 - url: https://storage.googleapis.com/bac-gcs-production/a7f1c9794d1acd3acd036f59de31a6251ad727e36ce174d6baee4417faee118ca9228fbc9da328e7c720b5ce314fd5d82048a7c085e227e1b6cd46235b75d429.json - - id: 
a444027d062ddf88f4840e4621d0ec5f1adc3b313bb29c02e0ba1d362a711750dd436fed7755a766ba35f735207eae37907e8e1ecd4a7bec2cd44b5a8c8db48f - url: https://storage.googleapis.com/bac-gcs-production/a444027d062ddf88f4840e4621d0ec5f1adc3b313bb29c02e0ba1d362a711750dd436fed7755a766ba35f735207eae37907e8e1ecd4a7bec2cd44b5a8c8db48f.json - - id: ef11f162bbaab644a22ce839c89185ea2744145f019f8646cb584f22eb1794f8799525c61774cd56dfc3184c5cfeab6ec1e91ce22c729758bafae7613742035a - url: https://storage.googleapis.com/bac-gcs-production/ef11f162bbaab644a22ce839c89185ea2744145f019f8646cb584f22eb1794f8799525c61774cd56dfc3184c5cfeab6ec1e91ce22c729758bafae7613742035a.json - - id: 43fe52b3cdb99bbf3e7df0cfd65ceef014a5d3dc160de63d10ab71cf77b07517479e601a1801366dc9afe894f6dbf3edab767d4cfae6a685ec25b0697d400a7c - url: https://storage.googleapis.com/bac-gcs-production/43fe52b3cdb99bbf3e7df0cfd65ceef014a5d3dc160de63d10ab71cf77b07517479e601a1801366dc9afe894f6dbf3edab767d4cfae6a685ec25b0697d400a7c.json - - id: 2508d39b31df810dea5ad7b604c1a038d58792750b61bb1435025cc48d1c8b02e1e55b248a4e6b44acb6eae6eaaa9adcc62470864d934491fae2fb2e4700b7be - url: https://storage.googleapis.com/bac-gcs-production/2508d39b31df810dea5ad7b604c1a038d58792750b61bb1435025cc48d1c8b02e1e55b248a4e6b44acb6eae6eaaa9adcc62470864d934491fae2fb2e4700b7be.json - - id: 6e0d408dfedd4dac56bf9d059296ee687e0acef4d4330a2760534a916148a5ad37b366f0492e710b18c5e70abb971b985c8b033c1b922aaff90e66a950efb60a - url: https://storage.googleapis.com/bac-gcs-production/6e0d408dfedd4dac56bf9d059296ee687e0acef4d4330a2760534a916148a5ad37b366f0492e710b18c5e70abb971b985c8b033c1b922aaff90e66a950efb60a.json - - id: 7dd3aa65a6fd8785b80eefa2c7d8b93743b6f8ebad270d685b75c9a30969b59d0eeb5f295c3a164d49eb49287826b6131c50b65d22c2a909b52a7616424b04d4 - url: https://storage.googleapis.com/bac-gcs-production/7dd3aa65a6fd8785b80eefa2c7d8b93743b6f8ebad270d685b75c9a30969b59d0eeb5f295c3a164d49eb49287826b6131c50b65d22c2a909b52a7616424b04d4.json - - id: 
03ade72b0c4783d62a2420f08917c978ca01bf45fbd733d810484b406354443134a121c9cec2bfd8212c9686dd4dd1a30144381a40271a795678f7d47f23196f - url: https://storage.googleapis.com/bac-gcs-production/03ade72b0c4783d62a2420f08917c978ca01bf45fbd733d810484b406354443134a121c9cec2bfd8212c9686dd4dd1a30144381a40271a795678f7d47f23196f.json - - id: 6d51d005e773af64fb177f93d462461a62a87464a03adcb898a91e6390799d20cbf8038fe7ad5ae276295fa0bd716579cc77ebea81c7a3e4d9ccb380ec763fde - url: https://storage.googleapis.com/bac-gcs-production/6d51d005e773af64fb177f93d462461a62a87464a03adcb898a91e6390799d20cbf8038fe7ad5ae276295fa0bd716579cc77ebea81c7a3e4d9ccb380ec763fde.json - - id: 78e4a8f312923348874a31ffba0b034dc5f2fa05abf09497045e55a29613967dc7370834c6c8da6eeaa0f3cc2c0edf21d452eadf8adabd70ede8f7a6d5dd0aaf - url: https://storage.googleapis.com/bac-gcs-production/78e4a8f312923348874a31ffba0b034dc5f2fa05abf09497045e55a29613967dc7370834c6c8da6eeaa0f3cc2c0edf21d452eadf8adabd70ede8f7a6d5dd0aaf.json - - id: 6ed79fe1e668e7b1d59b576f62a69d0ff734e05d02f2d531667236b7bc03ec7b01840422658ee2c598fea4cf25389bef849f7215ffbe4e2fd0ff47f1304440ed - url: https://storage.googleapis.com/bac-gcs-production/6ed79fe1e668e7b1d59b576f62a69d0ff734e05d02f2d531667236b7bc03ec7b01840422658ee2c598fea4cf25389bef849f7215ffbe4e2fd0ff47f1304440ed.json - - id: 725f5a5169ec99ed7c1a815eee58631600d2070e6f903ea13cf373fa83af13a3807a9fb405aeae2ad9fbdd27834b861208de0e110655ffec89cdbc12a112e162 - url: https://storage.googleapis.com/bac-gcs-production/725f5a5169ec99ed7c1a815eee58631600d2070e6f903ea13cf373fa83af13a3807a9fb405aeae2ad9fbdd27834b861208de0e110655ffec89cdbc12a112e162.json - - id: 06cad73797fc9c1c59ec358e304834ce260b872fe2e939eb05f89c009ae3349c912bbdf45f45aeda78b760692e87bf46b9e7b7ec05355b77cad05e2d175398e8 - url: https://storage.googleapis.com/bac-gcs-production/06cad73797fc9c1c59ec358e304834ce260b872fe2e939eb05f89c009ae3349c912bbdf45f45aeda78b760692e87bf46b9e7b7ec05355b77cad05e2d175398e8.json - - id: 
28bb6c2344cefbe2325482b08c5803714c62e784bbb583c7ce538faa8f518c61c1268e75d7c87d725ac9db1a005f846a60964499a3863aea3d3705ad21ecaef2 - url: https://storage.googleapis.com/bac-gcs-production/28bb6c2344cefbe2325482b08c5803714c62e784bbb583c7ce538faa8f518c61c1268e75d7c87d725ac9db1a005f846a60964499a3863aea3d3705ad21ecaef2.json - - id: 31f76246cb99583df911e89d70fb99781a821f385bd9d362f089420526237055ee1de0b544a4f0e3964046e5212a6fc8533e18bb06d60170ad00f3ea20d2d23c - url: https://storage.googleapis.com/bac-gcs-production/31f76246cb99583df911e89d70fb99781a821f385bd9d362f089420526237055ee1de0b544a4f0e3964046e5212a6fc8533e18bb06d60170ad00f3ea20d2d23c.json - - id: 8ec0d804ad6185b7657a689223f93702f76abcaa9396867021a97373f167a4f1fca26b1b8614184eba0c96b3039d254c28ecde2249dfdeed845042b864073d96 - url: https://storage.googleapis.com/bac-gcs-production/8ec0d804ad6185b7657a689223f93702f76abcaa9396867021a97373f167a4f1fca26b1b8614184eba0c96b3039d254c28ecde2249dfdeed845042b864073d96.json - oauth2_provider: - override_return_to: true - selfservice: - allowed_return_urls: - - https://naughty-euclid-q27q8011k4.projects.oryapis.com - - https://cuenta.digital.gob.do - - http://localhost:3000/login/result - - https://cuenta.digital.gob.do/ - - https://beta.registro.digital.gob.do/ - - http://localhost:3000 - - /login/result - default_browser_return_url: /ui/settings - flows: - error: - ui_url: /ui/error - login: - after: - default_browser_return_url: https://cuenta.digita.gob.do/login/result - hooks: [] - oidc: - hooks: [] - password: - hooks: - - hook: require_verified_address - webauthn: - hooks: [] - before: - hooks: [] - ui_url: /ui/login - logout: - after: {} - recovery: - after: - hooks: [] - before: - hooks: [] - enabled: true - notify_unknown_recipients: false - ui_url: /ui/recovery - use: code - registration: - after: - hooks: [] - oidc: - hooks: - - hook: session - password: - hooks: - - hook: session - webauthn: - hooks: - - hook: session - before: - hooks: [] - enabled: true - ui_url: 
/ui/registration - settings: - after: - hooks: [] - password: - hooks: [] - profile: - hooks: [] - before: - hooks: [] - privileged_session_max_age: 15m0s - required_aal: highest_available - ui_url: /ui/settings - verification: - after: - hooks: [] - before: - hooks: [] - enabled: true - notify_unknown_recipients: false - ui_url: /ui/verification - use: code - methods: - code: - config: {} - link: - config: - base_url: https://cuenta.digital.gob.do/ - enabled: true - lookup_secret: - enabled: true - oidc: - config: - providers: [] - enabled: true - password: - config: {} - profile: - enabled: false - totp: - config: - issuer: Cuenta Única - enabled: true - webauthn: - config: - passwordless: true - rp: - display_name: Cuenta Única - id: cuenta.digital.gob.do - origin: https://cuenta.digital.gob.do - enabled: true - serve: - admin: - base_url: https://naughty-euclid-q27q8011k4.projects.oryapis.com/ - request_log: - disable_for_health: true - public: - base_url: https://naughty-euclid-q27q8011k4.projects.oryapis.com/ - cors: - enabled: false - request_log: - disable_for_health: true - session: - cookie: - domain: naughty-euclid-q27q8011k4.projects.oryapis.com - name: ory_session_naughtyeuclidq27q8011k4 - path: / - same_site: Lax - lifespan: 72h0m0s - whoami: - required_aal: highest_available - oauth2: - config: - clients: - http: - disallow_private_ip_ranges: true - dev: true - hsm: - enabled: false - oauth2: - client_credentials: - default_grant_allowed_scope: false - exclude_not_before_claim: false - expose_internal_errors: true - grant: - jwt: - iat_optional: false - jti_optional: false - max_ttl: 720h0m0s - hashers: - algorithm: pbkdf2 - pbkdf2: - iterations: 10000 - pkce: - enforced: false - enforced_for_public_clients: false - session: - encrypt_at_rest: true - oidc: - dynamic_client_registration: - enabled: false - subject_identifiers: {} - serve: - admin: - cors: - allow_credentials: true - allowed_headers: - - Accept - - Content-Type - - Content-Length - - 
Accept-Language - - Content-Language - - Authorization - allowed_methods: - - POST - - GET - - PUT - - PATCH - - DELETE - - CONNECT - - HEAD - - OPTIONS - - TRACE - debug: false - enabled: false - exposed_headers: - - Cache-Control - - Expires - - Last-Modified - - Pragma - - Content-Length - - Content-Language - - Content-Type - max_age: 0 - tls: - enabled: false - cookies: - domain: naughty-euclid-q27q8011k4.projects.oryapis.com - names: - consent_csrf: ory_oauth2_consent_csrf_naughtyeuclidq27q8011k4 - login_csrf: ory_oauth2_login_csrf_naughtyeuclidq27q8011k4 - session_csrf: ory_oauth2_session_csrf_naughtyeuclidq27q8011k4 - same_site_legacy_workaround: false - same_site_mode: Lax - secure: true - public: - cors: - allow_credentials: true - allowed_headers: - - Accept - - Content-Type - - Content-Length - - Accept-Language - - Content-Language - - Authorization - allowed_methods: - - POST - - GET - - PUT - - PATCH - - DELETE - - CONNECT - - HEAD - - OPTIONS - - TRACE - debug: false - enabled: false - exposed_headers: - - Cache-Control - - Expires - - Last-Modified - - Pragma - - Content-Length - - Content-Language - - Content-Type - max_age: 0 - tls: - enabled: false - tls: - enabled: false - strategies: - access_token: opaque - scope: wildcard - ttl: - access_token: 1h0m0s - auth_code: 30m0s - id_token: 1h0m0s - login_consent_request: 30m0s - refresh_token: 720h0m0s - urls: - consent: /ui/consent - error: /ui/error - login: /ui/login - logout: /ui/logout - post_logout_redirect: /oauth2/fallbacks/logout/callback - self: - admin: https://naughty-euclid-q27q8011k4.projects.oryapis.com/admin - issuer: https://naughty-euclid-q27q8011k4.projects.oryapis.com - public: https://naughty-euclid-q27q8011k4.projects.oryapis.com - webfinger: - jwks: {} - oidc_discovery: {} - permission: - config: - limit: {} - namespaces: [] -slug: naughty-euclid-q27q8011k4 -state: running \ No newline at end of file From 95489664fb1544f87c2c633b8eb6eff5435ca23b Mon Sep 17 00:00:00 2001 
From: Marluan Espiritusanto
Date: Mon, 31 Jul 2023 15:57:30 +0200
Subject: [PATCH 6/6] rem: amplify initialization
---
 src/helpers/rekognition.ts | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/src/helpers/rekognition.ts b/src/helpers/rekognition.ts
index dd9c3bcf..cd354739 100644
--- a/src/helpers/rekognition.ts
+++ b/src/helpers/rekognition.ts
@@ -1,17 +1,7 @@
-import { Amplify, withSSRContext } from 'aws-amplify';
 import { Rekognition } from '@aws-sdk/client-rekognition';
+import { withSSRContext } from 'aws-amplify';
 import { NextApiRequest } from 'next/types';
-const awsConfig = {
- aws_project_region: process.env.AWS_REGION,
- aws_cognito_identity_pool_id: process.env.AMPLIFY_IDENTITYPOOL_ID,
- aws_cognito_region: process.env.AWS_REGION, // This could also be a separate environment variable if needed
- aws_user_pools_id: process.env.AMPLIFY_USERPOOL_ID,
- aws_user_pools_web_client_id: process.env.AMPLIFY_WEBCLIENT_ID,
-};
-
-Amplify.configure({ ...awsConfig, ssr: true });
-
 export async function getRekognitionClient(
 req: NextApiRequest
 ): Promise {
@@ -19,7 +9,7 @@ export async function getRekognitionClient(
 const credentials = await SSR.Credentials.get();
 const rekognitionClient = new Rekognition({
- region: awsConfig.aws_project_region,
+ region: process.env.AWS_REGION,
 credentials,
 });
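Review bot: `region: process.env.AWS_REGION` hands a `string | undefined` to the Rekognition constructor without a check, so a deployment missing `AWS_REGION` only fails later inside the SDK with an unrelated-looking error; read it once and fail fast with `const region = process.env.AWS_REGION;` then `if (!region) throw new Error('AWS_REGION is not set');` and pass `region,` to the constructor. Dropping `Amplify.configure` from this module means `SSR.Credentials.get()` (presumably `withSSRContext({ req })`, set up on a line outside the hunk) now relies on Amplify having been configured elsewhere in the server process; the only remaining `Amplify.configure` call is in `_app.tsx` (patch 4), which is not loaded by API routes and is called without `ssr: true`, so it is worth verifying that credentials still resolve for `NextApiRequest` callers. `getRekognitionClient` continues past the end of the hunk.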