From d5d5e774e68616874ee4a35c42b77800b9b0b391 Mon Sep 17 00:00:00 2001
From: Liam Driscoll <liamur.driscoll@hotmail.com>
Date: Thu, 16 Nov 2023 13:33:24 -0800
Subject: [PATCH] Update cdk stack Add api resource Add cognito authorizer to
 new api resource Add SRP authentication flow to user pool client Output user
 pool ID

---
 cdk/lib/cdk-stack.ts | 89 +++++++++++++++++++++++++-------------------
 1 file changed, 50 insertions(+), 39 deletions(-)

diff --git a/cdk/lib/cdk-stack.ts b/cdk/lib/cdk-stack.ts
index cbb7846..a02fbd5 100644
--- a/cdk/lib/cdk-stack.ts
+++ b/cdk/lib/cdk-stack.ts
@@ -70,6 +70,45 @@ export class CdkStack extends cdk.Stack {
       environment: {'EMAIL_ADDRESS': ''}
     });
 
+    // Cognito
+    const adminPool = new cognito.UserPool(this, 'adminuserpool', {
+      userPoolName: 'harmreduction-adminpool',
+      signInCaseSensitive: false,
+      selfSignUpEnabled: false,
+      mfa: cognito.Mfa.OFF,
+      passwordPolicy: {
+        minLength: 8,
+        requireLowercase: true,
+        requireUppercase: true,
+        requireDigits: true,
+        requireSymbols: true,
+        tempPasswordValidity: cdk.Duration.days(3),
+      },
+      accountRecovery: cognito.AccountRecovery.NONE,
+      deviceTracking: {
+        challengeRequiredOnNewDevice: false,
+        deviceOnlyRememberedOnUserPrompt: false
+      },
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+    });
+
+    const adminPoolClient = adminPool.addClient('adminpoolclient', {
+      authFlows: {
+        userPassword: true,
+        userSrp: true,
+      }
+    });
+
+    new cdk.CfnOutput(this, 'CognitoClientID', {
+      value: adminPoolClient.userPoolClientId,
+      description: 'Cognito user pool Client ID'
+    });
+
+    new cdk.CfnOutput(this, 'CognitoUserPoolID', {
+      value: adminPool.userPoolId,
+      description: 'Cognito user pool ID'
+    });
+    
     const prdLogGroup = new logs.LogGroup(this, "PrdLogs");
 
     const OTPapi = new apigateway.RestApi(this, 'OTPapi', {
@@ -106,8 +145,14 @@ export class CdkStack extends cdk.Stack {
       },
     });
 
+    const cognitoAuthorizer = new apigateway.CognitoUserPoolsAuthorizer(this, 'CognitoAuthorizer', {
+      cognitoUserPools: [adminPool],
+      identitySource: 'method.request.header.Authorization',
+    });
+
     const DBSample = DBapi.root.addResource('samples');
     const DBUser = DBapi.root.addResource('users');
+    const DBAdmin = DBapi.root.addResource('admin');
 
     DBSample.addMethod('POST', new apigateway.LambdaIntegration(DBApiHandler, {proxy: true}), {apiKeyRequired: true});
     DBSample.addMethod('GET', new apigateway.LambdaIntegration(DBApiHandler, {proxy: true}), {apiKeyRequired: true});
@@ -122,6 +167,11 @@ export class CdkStack extends cdk.Stack {
     DBUser.addMethod('PUT', new apigateway.LambdaIntegration(DBApiHandler, {proxy: true}), {apiKeyRequired: true});
     DBUser.addMethod('DELETE', new apigateway.LambdaIntegration(DBApiHandler, {proxy: true}), {apiKeyRequired: true});
     // DBUser.addMethod('OPTIONS', new apigateway.LambdaIntegration(DBApiHandler, {proxy: true}));
+    DBAdmin.addMethod('GET', new apigateway.LambdaIntegration(DBApiHandler, {proxy: true}), {
+      authorizationType: apigateway.AuthorizationType.COGNITO,
+      authorizer: cognitoAuthorizer,
+      apiKeyRequired: true
+    });
 
     const methodSettingProperty: apigateway.CfnDeployment.MethodSettingProperty = {
       cacheDataEncrypted: false,
@@ -203,45 +253,6 @@ export class CdkStack extends cdk.Stack {
       batchSize: 1,
     }))
 
-    // Cognito
-    const adminPool = new cognito.UserPool(this, 'adminuserpool', {
-      userPoolName: 'harmreduction-adminpool',
-      signInCaseSensitive: false,
-      selfSignUpEnabled: false,
-      mfa: cognito.Mfa.OFF,
-      passwordPolicy: {
-        minLength: 8,
-        requireLowercase: true,
-        requireUppercase: true,
-        requireDigits: true,
-        requireSymbols: true,
-        tempPasswordValidity: cdk.Duration.days(3),
-      },
-      accountRecovery: cognito.AccountRecovery.NONE,
-      deviceTracking: {
-        challengeRequiredOnNewDevice: false,
-        deviceOnlyRememberedOnUserPrompt: false
-      },
-      removalPolicy: cdk.RemovalPolicy.DESTROY,
-    });
-
-    const adminPoolClient = adminPool.addClient('adminpoolclient', {
-      authFlows: {
-        userPassword: true,
-        userSrp: true,
-      }
-    });
-
-    new cdk.CfnOutput(this, 'CognitoClientID', {
-      value: adminPoolClient.userPoolClientId,
-      description: 'Cognito user pool Client ID'
-    });
-
-    new cdk.CfnOutput(this, 'CognitoUserPoolID', {
-      value: adminPool.userPoolId,
-      description: 'Cognito user pool ID'
-    });
-
     // Store the gateway ARN for use with our WAF stack 
     const apiGatewayARN = `arn:aws:apigateway:${Stack.of(this).region}::/restapis/${DBapi.restApiId}/stages/${DBapi.deploymentStage.stageName}`