Skip to content

feat(infra): BFF token-handler resources (Phase 1)#212

Merged
philmerrell merged 1 commit into
developfrom
feature/bff-phase-1-cdk-infra
May 2, 2026
Merged

feat(infra): BFF token-handler resources (Phase 1)#212
philmerrell merged 1 commit into
developfrom
feature/bff-phase-1-cdk-infra

Conversation

@philmerrell

Copy link
Copy Markdown
Contributor

Summary

Phase 1 of the Token Handler BFF migration — provisions the AWS resources the BFF needs without changing any application behavior. Subsequent phases (backend code, frontend cutover) consume what this PR sets up.

  • BFFSessionsTable (DynamoDB, ttl attribute, PITR) — server-side store for Cognito access/refresh/id tokens keyed by an opaque session id from an httpOnly cookie. 8h default lifetime.
  • BFFCookieSigningKey (KMS, rotation enabled) — used at app-api startup via GenerateDataKey; the cached plaintext data key seals session cookies with AES-GCM.
  • CognitoBFFAppClient (confidential, generateSecret: true) — server-side OAuth code exchange with client secret authentication, additional defense beyond PKCE. Existing public PKCE client (CognitoAppClient) stays in place through the migration cutover. Secret persisted in Secrets Manager via the standard CDK userPoolClientSecret custom-resource pattern.
  • App-api task wired with new env vars (BFF_*, COGNITO_BFF_*, INFERENCE_API_URL) and IAM grants (BFFSessionsTableAccess, BFFCookieSigningKeyAccess, CognitoBFFAppClientSecretAccess).

Side-fix worth flagging

INFERENCE_API_URL was never wired onto the app-api task before this PR. The existing api_converse_proxy in apps/app_api/chat/converse_routes.py was silently falling back to http://localhost:8001 in cloud — broken. This PR fixes that as a side effect; Phase 4's chat SSE proxy reuses the same env var.

Test plan

  • npm run build — clean
  • npx cdk synth — clean (only pre-existing deprecation/import warnings)
  • All 9 new resources verified in synth output (BFFSessionsTable*, BFFCookieSigningKey*, CognitoBFFAppClient*, CognitoBFFAppClientSecret*)
  • All 3 new IAM SIDs verified on app-api task role
  • userPoolClientSecret resolves via Fn::GetAtt against Custom::DescribeCognitoUserPoolClient (CDK's standard pattern)
  • Deploy to a non-prod environment to validate the Custom::DescribeCognitoUserPoolClient resource provisions and the BFF client secret reaches Secrets Manager
  • After deploy, confirm the new SSM parameters are populated:
    • /<projectPrefix>/auth/bff-sessions-table-name
    • /<projectPrefix>/auth/bff-sessions-table-arn
    • /<projectPrefix>/auth/bff-cookie-signing-key-arn
    • /<projectPrefix>/auth/cognito/bff-app-client-id
    • /<projectPrefix>/auth/cognito/bff-app-client-secret-arn

Notes

  • No backend or frontend changes — purely additive infra. Safe to deploy on its own; reverting is a clean rollback.
  • The new BFF Cognito client's callback URL is set to https://<domainName>/api/auth/callback, anticipating the CloudFront /api/* → ALB behavior added in Phase 6 (cutover). The URL is harmless until that behavior exists.
  • Phase 2 (backend dormant infra) will be opened on a fresh branch.

🤖 Generated with Claude Code

Adds the CDK foundation for the Token Handler BFF migration:

- BFFSessionsTable (DynamoDB, TTL on `ttl`) for server-side Cognito tokens
  keyed by opaque session id from an httpOnly cookie.
- BFFCookieSigningKey (KMS) for AES-GCM sealing of the session cookie via
  GenerateDataKey at app-api startup.
- CognitoBFFAppClient (confidential, with secret) for the server-side
  OAuth code exchange. The existing public PKCE client stays in place
  through the migration cutover. Secret is persisted in Secrets Manager.
- Wires app-api task with env vars, IAM grants, and INFERENCE_API_URL
  (the latter also fixes the converse proxy fallback to localhost:8001
  in cloud).

No behavioral change yet — Phase 2 wires the application code that
consumes these resources. See project_bff_migration memory for the
full phased plan.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@philmerrell philmerrell merged commit 7af2be8 into develop May 2, 2026
20 checks passed
@philmerrell philmerrell deleted the feature/bff-phase-1-cdk-infra branch May 2, 2026 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant