Update infrastructure

infrastructure/lib/auth.ts

@@ -19,9 +19,13 @@ export class CognitoAuthConstruct extends Construct {
     super(scope, id);
     const userPool = new CfnUserPool(this, "UserPool", {
       userPoolName: "S3MediaPlayerUserPool-" + id,
+      deletionProtection: "INACTIVE",
+      userPoolAddOns: {
+        advancedSecurityMode: "ENFORCED"
+      },
       adminCreateUserConfig: {
         allowAdminCreateUserOnly: true,
-        unusedAccountValidityDays: 30,
+        unusedAccountValidityDays: 7,
         inviteMessageTemplate: {
           emailSubject: `S3 Media Player ${props.domain} - Invitation`,
           emailMessage: `Hi {username}!
@@ -42,9 +46,10 @@ If you have any questions, please contact ${props.contactEmailAddress}`
       },
       emailVerificationSubject: `S3 Media Player ${props.domain} - Email verification`,
       emailVerificationMessage: `Hi!
-To verify your email address at ${props.domain} please enter this code: {####}.
-If you have any questions, please contact ${props.contactEmailAddress}`,
+      To verify your email address at ${props.domain} please enter this code: {####}.
+      If you have any questions, please contact ${props.contactEmailAddress}`,
       mfaConfiguration: "OFF",
+      enabledMfas: [],
       policies: {
         passwordPolicy: {
           minimumLength: 6,
@@ -58,8 +63,21 @@ If you have any questions, please contact ${props.contactEmailAddress}`,
 
     const webClient = new CfnUserPoolClient(this, "Client", {
       generateSecret: false,
+      userPoolId: userPool.ref,
+      allowedOAuthFlowsUserPoolClient: false,
       refreshTokenValidity: 30, // days
-      userPoolId: userPool.ref
+      accessTokenValidity: 2, // hours
+      idTokenValidity: 2, // hours
+      tokenValidityUnits: {
+        refreshToken: "days",
+        accessToken: "hours",
+        idToken: "hours"
+      },
+      preventUserExistenceErrors: "ENABLED",
+      supportedIdentityProviders: ["COGNITO"],
+      authSessionValidity: 15, // minutes
+      readAttributes: ["preferred_username"],
+      writeAttributes: []
     });
 
     const identityPool = new CfnIdentityPool(this, "IdentityPool", {
@@ -72,7 +90,7 @@ If you have any questions, please contact ${props.contactEmailAddress}`,
     });
 
     this.userRole = new Role(this, "UserRole", {
-      maxSessionDuration: Duration.hours(1),
+      maxSessionDuration: Duration.hours(3),
       assumedBy: new FederatedPrincipal("cognito-identity.amazonaws.com", {
         "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
         "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }
@@ -83,7 +101,8 @@ If you have any questions, please contact ${props.contactEmailAddress}`,
       groupName: "Users",
       description: "Group for users",
       roleArn: this.userRole.roleArn,
-      userPoolId: userPool.ref
+      userPoolId: userPool.ref,
+      precedence: 10
     });
 
     new CfnIdentityPoolRoleAttachment(this, "RoleAttachment", {

infrastructure/lib/static-content.ts

@@ -1,6 +1,6 @@
 import { CfnOutput, RemovalPolicy } from 'aws-cdk-lib';
 import { Certificate } from 'aws-cdk-lib/aws-certificatemanager';
-import { CloudFrontWebDistribution, OriginAccessIdentity, PriceClass, SecurityPolicyProtocol, SSLMethod, ViewerCertificate, ViewerProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';
+import { CloudFrontWebDistribution, HttpVersion, OriginAccessIdentity, PriceClass, SecurityPolicyProtocol, SSLMethod, ViewerCertificate, ViewerProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';
 import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { CfnRecordSetGroup } from 'aws-cdk-lib/aws-route53';
 import { BlockPublicAccess, Bucket, BucketPolicy } from 'aws-cdk-lib/aws-s3';
@@ -20,7 +20,8 @@ export class StaticContentConstruct extends Construct {
 
     const staticContentBucket = new Bucket(this, "Bucket", {
       removalPolicy: RemovalPolicy.DESTROY,
-      blockPublicAccess: BlockPublicAccess.BLOCK_ALL
+      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+      websiteIndexDocument: "index.html"
     });
 
     const certificate = Certificate.fromCertificateArn(this, "Certificate", props.sslCertificateArn);
@@ -30,6 +31,7 @@ export class StaticContentConstruct extends Construct {
     });
 
     const cloudfrontDistribution = new CloudFrontWebDistribution(this, "CloudFrontDistribution", {
+      enabled: true,
       comment: `${props.domain}`,
       originConfigs: [{
         behaviors: [{ isDefaultBehavior: true }],
@@ -41,12 +43,13 @@ export class StaticContentConstruct extends Construct {
       defaultRootObject: "index.html",
       enableIpV6: true,
       viewerCertificate: ViewerCertificate.fromAcmCertificate(certificate, {
-        securityPolicy: SecurityPolicyProtocol.TLS_V1_2_2018,
+        securityPolicy: SecurityPolicyProtocol.TLS_V1_2_2021,
         sslMethod: SSLMethod.SNI,
         aliases: [props.domain]
       }),
       priceClass: PriceClass.PRICE_CLASS_100,
-      viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS
+      viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+      httpVersion: HttpVersion.HTTP2_AND_3,
     });
 
     const bucketPolicy = new BucketPolicy(this, "AllowReadAccessToCloudFront", { bucket: staticContentBucket });

infrastructure/package.json

@@ -13,15 +13,15 @@
   "devDependencies": {
     "@aws-cdk/assert": "^2.68.0",
     "@types/jest": "^29.5.12",
-    "@types/node": "20.11.25",
+    "@types/node": "20.12.4",
     "jest": "^29.7.0",
     "ts-jest": "^29.1.2",
     "ts-node": "^10.9.2",
-    "typescript": "~5.4.2"
+    "typescript": "~5.4.4"
   },
   "dependencies": {
-    "aws-cdk": "^2.132.0",
-    "aws-cdk-lib": "^2.132.0",
+    "aws-cdk": "^2.135.0",
+    "aws-cdk-lib": "^2.135.0",
     "constructs": "^10.3.0",
     "source-map-support": "^0.5.21"
   }