feat(infra): BFF token-handler resources (Phase 1)#212
Merged
Conversation
Adds the CDK foundation for the Token Handler BFF migration: - BFFSessionsTable (DynamoDB, TTL on `ttl`) for server-side Cognito tokens keyed by opaque session id from an httpOnly cookie. - BFFCookieSigningKey (KMS) for AES-GCM sealing of the session cookie via GenerateDataKey at app-api startup. - CognitoBFFAppClient (confidential, with secret) for the server-side OAuth code exchange. The existing public PKCE client stays in place through the migration cutover. Secret is persisted in Secrets Manager. - Wires app-api task with env vars, IAM grants, and INFERENCE_API_URL (the latter also fixes the converse proxy fallback to localhost:8001 in cloud). No behavioral change yet — Phase 2 wires the application code that consumes these resources. See project_bff_migration memory for the full phased plan. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 1 of the Token Handler BFF migration — provisions the AWS resources the BFF needs without changing any application behavior. Subsequent phases (backend code, frontend cutover) consume what this PR sets up.
BFFSessionsTable(DynamoDB,ttlattribute, PITR) — server-side store for Cognito access/refresh/id tokens keyed by an opaque session id from an httpOnly cookie. 8h default lifetime.BFFCookieSigningKey(KMS, rotation enabled) — used at app-api startup viaGenerateDataKey; the cached plaintext data key seals session cookies with AES-GCM.CognitoBFFAppClient(confidential,generateSecret: true) — server-side OAuth code exchange with client secret authentication, additional defense beyond PKCE. Existing public PKCE client (CognitoAppClient) stays in place through the migration cutover. Secret persisted in Secrets Manager via the standard CDKuserPoolClientSecretcustom-resource pattern.BFF_*,COGNITO_BFF_*,INFERENCE_API_URL) and IAM grants (BFFSessionsTableAccess,BFFCookieSigningKeyAccess,CognitoBFFAppClientSecretAccess).Side-fix worth flagging
INFERENCE_API_URLwas never wired onto the app-api task before this PR. The existingapi_converse_proxyinapps/app_api/chat/converse_routes.pywas silently falling back tohttp://localhost:8001in cloud — broken. This PR fixes that as a side effect; Phase 4's chat SSE proxy reuses the same env var.Test plan
npm run build— cleannpx cdk synth— clean (only pre-existing deprecation/import warnings)BFFSessionsTable*,BFFCookieSigningKey*,CognitoBFFAppClient*,CognitoBFFAppClientSecret*)userPoolClientSecretresolves viaFn::GetAttagainstCustom::DescribeCognitoUserPoolClient(CDK's standard pattern)Custom::DescribeCognitoUserPoolClientresource provisions and the BFF client secret reaches Secrets Manager/<projectPrefix>/auth/bff-sessions-table-name/<projectPrefix>/auth/bff-sessions-table-arn/<projectPrefix>/auth/bff-cookie-signing-key-arn/<projectPrefix>/auth/cognito/bff-app-client-id/<projectPrefix>/auth/cognito/bff-app-client-secret-arnNotes
https://<domainName>/api/auth/callback, anticipating the CloudFront/api/*→ ALB behavior added in Phase 6 (cutover). The URL is harmless until that behavior exists.🤖 Generated with Claude Code