DO-1530: move esbuild to own package

* upgrade basic-auth construct
* upgrade cloudfront-security-headers construct

packages/basic-auth/.gitignore

@@ -0,0 +1,58 @@
+# These are some examples of commonly ignored file patterns.
+# You should customize this list as applicable to your project.
+# Learn more about .gitignore:
+#     https://www.atlassian.com/git/tutorials/saving-changes/gitignore
+
+# Node artifact files
+node_modules/
+dist/
+
+# Compiled Java class files
+*.class
+
+# Compiled Python bytecode
+*.py[cod]
+
+# Log files
+*.log
+
+# Package files
+*.jar
+
+# Maven
+target/
+dist/
+
+# JetBrains IDE
+.idea/
+
+# Unit test reports
+TEST*.xml
+
+# Generated by MacOS
+.DS_Store
+
+# Generated by Windows
+Thumbs.db
+
+# Applications
+*.app
+*.exe
+*.war
+
+# Large media files
+*.mp4
+*.tiff
+*.avi
+*.flv
+*.mov
+*.wmv
+
+!jest.config.js
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+*.d.ts
+*.js

packages/basic-auth/.npmignore

@@ -0,0 +1,11 @@
+*.ts
+!lib/handlers/*.ts
+!*.d.ts
+!*.js
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+# Samples
+sample/

packages/basic-auth/.npmrc

@@ -0,0 +1 @@
+10.1.0

packages/basic-auth/.nvmrc

@@ -0,0 +1 @@
+20.7.0

packages/basic-auth/README.md

@@ -0,0 +1,4 @@
+# Basic Auth
+This library provides a construct which creates a Lambda@Edge functions to perform basic auth validation.
+
+These functions are intended to be added to an existing Cloudfront distribution

packages/basic-auth/index.ts

@@ -0,0 +1,3 @@
+import { BasicAuthFunction } from "./lib/basic-auth-construct";
+
+export { BasicAuthFunction };

packages/basic-auth/lib/basic-auth-construct.ts

@@ -0,0 +1,52 @@
+import { Construct } from "constructs";
+import { EdgeFunction } from "aws-cdk-lib/aws-cloudfront/lib/experimental";
+import { Esbuild } from "@aligent/esbuild";
+import { AssetHashType, DockerImage } from "aws-cdk-lib";
+import { Code, IVersion, Runtime, Version } from "aws-cdk-lib/aws-lambda";
+import { join } from "path";
+
+export interface BasicAuthFunctionOptions {
+  username: string;
+  password: string;
+}
+
+export class BasicAuthFunction extends Construct {
+  readonly edgeFunction: EdgeFunction;
+
+  constructor(scope: Construct, id: string, options: BasicAuthFunctionOptions) {
+    super(scope, id);
+
+    const command = [
+      "sh",
+      "-c",
+      'echo "Docker build not supported. Please install esbuild."',
+    ];
+
+    this.edgeFunction = new EdgeFunction(this, `${id}-basic-auth-fn`, {
+      code: Code.fromAsset(join(__dirname, "handlers"), {
+        assetHashType: AssetHashType.OUTPUT,
+        bundling: {
+          command,
+          image: DockerImage.fromRegistry("busybox"),
+          local: new Esbuild({
+            entryPoints: [join(__dirname, "handlers/basic-auth.ts")],
+            define: {
+              "process.env.AUTH_USERNAME": options.username,
+              "process.env.AUTH_PASSWORD": options.password,
+            },
+          }),
+        },
+      }),
+      runtime: Runtime.NODEJS_18_X,
+      handler: "basic-auth.handler",
+    });
+  }
+
+  public getFunctionVersion(): IVersion {
+    return Version.fromVersionArn(
+      this,
+      "basic-auth-function-version",
+      this.edgeFunction.currentVersion.edgeArn
+    );
+  }
+}

packages/basic-auth/lib/handlers/basic-auth.ts

@@ -0,0 +1,38 @@
+import "source-map-support/register";
+import {
+  CloudFrontRequestEvent,
+  CloudFrontResponse,
+  CloudFrontRequest,
+} from "aws-lambda";
+
+const AUTH_USERNAME = process.env.AUTH_USERNAME;
+const AUTH_PASSWORD = process.env.AUTH_PASSWORD;
+const authString =
+  "Basic " +
+  Buffer.from(AUTH_USERNAME + ":" + AUTH_PASSWORD, "binary").toString("base64");
+
+export const handler = async (
+  event: CloudFrontRequestEvent
+): Promise<CloudFrontRequest | CloudFrontResponse> => {
+  const request = event.Records[0].cf.request;
+  const headers = request.headers;
+
+  // Require Basic authentication
+  if (
+    typeof headers.authorization == "undefined" ||
+    headers.authorization[0].value != authString
+  ) {
+    const body = "Unauthorized";
+    const response = {
+      status: "401",
+      statusDescription: "Unauthorized",
+      body: body,
+      headers: {
+        "www-authenticate": [{ key: "WWW-Authenticate", value: "Basic" }],
+      },
+    };
+    return response;
+  }
+
+  return request;
+};

packages/basic-auth/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@aligent/cdk-basic-auth",
+  "version": "2.0.0",
+  "description": "A Cloudfront Lambda@Edge stack for performing basic auth protection",
+  "main": "index.js",
+  "scripts": {
+    "build": "tsc && cd ./lib/handlers && npm ci",
+    "prepublish": "tsc && cd ./lib/handlers && npm ci"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/aligent/aws-cdk-prerender-proxy-stack.git"
+  },
+  "license": "GPL-3.0-only",
+  "bugs": {
+    "url": "https://github.com/aligent/aws-cdk-prerender-proxy-stack/issues"
+  },
+  "homepage": "https://github.com/aligent/aws-cdk-prerender-proxy-stack#readme",
+  "devDependencies": {
+    "@types/jest": "^29.5.5",
+    "@types/node": "20.6.3",
+    "aws-cdk": "2.97.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.1",
+    "ts-node": "^10.9.1",
+    "typescript": "~5.2.2"
+  },
+  "dependencies": {
+    "@types/aws-lambda": "^8.10.122",
+    "aws-cdk-lib": "2.97.0",
+    "constructs": "^10.0.0",
+    "esbuild": "^0.17.0",
+    "source-map-support": "^0.5.21"
+  }
+}

packages/basic-auth/tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}

packages/cloudfront-security-headers/.gitignore

@@ -0,0 +1,8 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

packages/cloudfront-security-headers/.npmignore

@@ -0,0 +1,11 @@
+*.ts
+!lib/handlers/*.ts
+!*.d.ts
+!*.js
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+# Samples
+sample/

packages/cloudfront-security-headers/.npmrc

@@ -0,0 +1 @@
+10.1.0

packages/cloudfront-security-headers/.nvmrc

@@ -0,0 +1 @@
+20.7.0

packages/cloudfront-security-headers/README.md

@@ -0,0 +1,8 @@
+# AWS CDK CloudFront Security Headers
+This package contains a Lambda@Edge function for cloudfront to add security headers to the origin response of all requests.
+
+## Useful commands
+
+ * `npm run build`   compile typescript to js
+ * `npm run watch`   watch for changes and compile
+ * `npm run test`    perform the jest unit tests

packages/cloudfront-security-headers/lib/handlers/security-header.ts

@@ -0,0 +1,25 @@
+import { CloudFrontResponse, CloudFrontResponseEvent } from "aws-lambda";
+
+export const handler = async (
+  event: CloudFrontResponseEvent
+): Promise<CloudFrontResponse> => {
+  const response = event.Records[0].cf.response;
+  const headers = response.headers;
+
+  // Add in security headers
+  headers["strict-transport-security"] = [
+    {
+      key: "Strict-Transport-Security",
+      value: "max-age=108000; includeSubdomains; preload",
+    },
+  ];
+  headers["content-security-policy"] = [
+    { key: "Content-Security-Policy", value: __CONTENT_SECURITY_POLICY__ },
+  ];
+  headers["x-content-type-options"] = [
+    { key: "X-Content-Type-Options", value: "nosniff" },
+  ];
+  headers["x-frame-options"] = [{ key: "X-Frame-Options", value: "DENY" }];
+
+  return response;
+};