feat(auth): Implement secure httpOnly cookie authentication for Okta (#1920)

## Summary
Replace localStorage token storage with httpOnly cookies to prevent XSS
attacks for Okta authentication. This implements a custom PKCE flow
while maintaining existing Cognito/Amplify behavior unchanged.

## Security Improvements
- Tokens stored in httpOnly cookies (not accessible via JavaScript -
prevents XSS token theft)
- SameSite=Lax prevents CSRF while allowing OAuth redirects from Okta
- Secure flag ensures HTTPS-only transmission

## Changes
### Frontend
- `frontend/src/utils/pkce.js` - PKCE utility for secure OAuth code
exchange
- `frontend/src/authentication/views/Callback.js` - OAuth callback
handler
- `frontend/src/authentication/contexts/GenericAuthContext.js` -
Cookie-based auth for Okta
- `frontend/src/services/hooks/useClient.js` - Relative URLs +
credentials for cookies
- `frontend/src/routes.js` - Added /callback route

### Backend
- `backend/auth_handler.py` - Token exchange, userinfo, logout endpoints
- `deploy/stacks/lambda_api.py` - Auth handler Lambda + API routes
- `deploy/stacks/cloudfront.py` - Proxy /auth/*, /graphql/*, /search/*
to API Gateway
-
`deploy/custom_resources/custom_authorizer/custom_authorizer_lambda.py`
- Read tokens from Cookie header

## How It Works
1. User clicks login → redirected to Okta with PKCE challenge
2. Okta redirects back to /callback with authorization code
3. Frontend calls /auth/token-exchange with code + PKCE verifier
4. Backend exchanges code for tokens, sets httpOnly cookies
5. All subsequent API calls include cookies automatically (same-origin
via CloudFront proxy)
6. Custom authorizer reads access_token from Cookie header

## Backward Compatibility
- Cognito users: No changes - continues using Amplify with Authorization
header

Author: arjunp99

.checkov.baseline

@@ -192,6 +192,43 @@
                         "CKV_AWS_120"
                     ]
                 },
+                {
+                    "resource": "AWS::ApiGateway::Method.dataalldevapiauthtokenexchangePOSTD92E005E",
+                    "check_ids": [
+                        "CKV_AWS_59"
+                    ]
+                },
+                {
+                    "resource": "AWS::ApiGateway::Method.dataalldevapiauthlogoutPOST5A8B3C2D",
+                    "check_ids": [
+                        "CKV_AWS_59"
+                    ]
+                },
+                {
+                    "resource": "AWS::ApiGateway::Method.dataalldevapiauthlogoutPOST89141B56",
+                    "check_ids": [
+                        "CKV_AWS_59"
+                    ]
+                },
+                {
+                    "resource": "AWS::ApiGateway::Method.dataalldevapiauthuserinfoGET9388EE8D",
+                    "check_ids": [
+                        "CKV_AWS_59"
+                    ]
+                },
+                {
+                    "resource": "AWS::Lambda::Function.AuthHandler9DC767B7",
+                    "check_ids": [
+                        "CKV_AWS_115",
+                        "CKV_AWS_116"
+                    ]
+                },
+                {
+                    "resource": "AWS::Logs::LogGroup.authhandlerloggroup",
+                    "check_ids": [
+                        "CKV_AWS_158"
+                    ]
+                },
                 {
                     "resource": "AWS::Lambda::Function.AWSWorkerAA1523CA",
                     "check_ids": [

backend/auth_handler.py

@@ -0,0 +1,262 @@
+import json
+import logging
+import os
+import urllib.request
+import urllib.parse
+import base64
+import binascii
+from http.cookies import SimpleCookie
+
+logger = logging.getLogger(__name__)
+logger.setLevel(os.environ.get('LOG_LEVEL', 'INFO'))
+
+
+def handler(event, context):
+    """Main Lambda handler - routes requests to appropriate function"""
+    path = event.get('path', '')
+    method = event.get('httpMethod', '')
+
+    if path == '/auth/token-exchange' and method == 'POST':
+        return token_exchange_handler(event)
+    elif path == '/auth/logout' and method == 'POST':
+        return logout_handler(event)
+    elif path == '/auth/userinfo' and method == 'GET':
+        return userinfo_handler(event)
+    else:
+        return error_response(
+            404, 'Auth endpoint not found. Valid routes: /auth/token-exchange, /auth/logout, /auth/userinfo', event
+        )
+
+
+def error_response(status_code, message, event=None):
+    """Return error response with CORS headers"""
+    response = {
+        'statusCode': status_code,
+        'headers': get_cors_headers(event) if event else {'Content-Type': 'application/json'},
+        'body': json.dumps({'error': message}),
+    }
+    return response
+
+
+def get_cors_headers(event):
+    """Get CORS headers for response"""
+    cloudfront_url = os.environ.get('CLOUDFRONT_URL', '')
+    if not cloudfront_url:
+        logger.debug('CLOUDFRONT_URL not set - authentication endpoints will reject cross-origin requests')
+
+    return {
+        'Content-Type': 'application/json',
+        'Access-Control-Allow-Origin': cloudfront_url,
+        'Access-Control-Allow-Credentials': 'true',
+        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+        'Access-Control-Allow-Headers': 'Content-Type',
+    }
+
+
+def token_exchange_handler(event):
+    """Exchange authorization code for tokens and set httpOnly cookies"""
+    try:
+        body = json.loads(event.get('body', '{}'))
+        code = body.get('code')
+        code_verifier = body.get('code_verifier')
+
+        if not code or not code_verifier:
+            return error_response(400, 'Missing code or code_verifier', event)
+
+        okta_url = os.environ.get('CUSTOM_AUTH_URL', '')
+        client_id = os.environ.get('CUSTOM_AUTH_CLIENT_ID', '')
+        redirect_uri = os.environ.get('CUSTOM_AUTH_REDIRECT_URL', '')
+
+        if not okta_url or not client_id:
+            return error_response(500, 'Missing Okta configuration', event)
+
+        # Validate URL scheme to prevent file:// or other dangerous schemes
+        if not okta_url.startswith('https://'):
+            logger.error(f'Invalid CUSTOM_AUTH_URL scheme: {okta_url}')
+            return error_response(500, 'Invalid authentication configuration', event)
+
+        # Call Okta token endpoint
+        token_url = f'{okta_url}/v1/token'
+        token_data = {
+            'grant_type': 'authorization_code',
+            'code': code,
+            'code_verifier': code_verifier,
+            'client_id': client_id,
+            'redirect_uri': redirect_uri,
+        }
+
+        data = urllib.parse.urlencode(token_data).encode('utf-8')
+        req = urllib.request.Request(
+            token_url,
+            data=data,
+            headers={'Content-Type': 'application/x-www-form-urlencoded'},
+        )
+
+        try:
+            # nosemgrep: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
+            with urllib.request.urlopen(req, timeout=10) as response:
+                tokens = json.loads(response.read().decode('utf-8'))
+        except urllib.error.HTTPError as e:
+            error_body = e.read().decode('utf-8')
+            logger.error(f'Token exchange failed: {error_body}')
+            return error_response(401, 'Authentication failed. Please try again.', event)
+
+        cookies = build_cookies(tokens)
+
+        return {
+            'statusCode': 200,
+            'headers': get_cors_headers(event),
+            'multiValueHeaders': {'Set-Cookie': cookies},
+            'body': json.dumps({'success': True}),
+        }
+
+    except Exception as e:
+        logger.error(f'Token exchange error: {str(e)}')
+        return error_response(500, 'Internal server error', event)
+
+
+def get_token_expiry(token):
+    """Extract exp claim from JWT token"""
+    import time
+
+    try:
+        parts = token.split('.')
+        if len(parts) != 3:
+            return None
+        payload = parts[1]
+        padding = 4 - len(payload) % 4
+        if padding != 4:
+            payload += '=' * padding
+        decoded = base64.urlsafe_b64decode(payload)
+        claims = json.loads(decoded)
+        exp = claims.get('exp')
+        if exp:
+            # Return seconds until expiration
+            return max(0, int(exp) - int(time.time()))
+    except Exception:
+        pass
+    return None
+
+
+def build_cookies(tokens):
+    """Build httpOnly cookies for tokens"""
+    cookies = []
+    secure = True
+    httponly = True
+    samesite = 'Lax'
+
+    # Get max_age from token's exp claim, fallback to 1 hour
+    max_age = 3600
+    id_token = tokens.get('id_token')
+    if id_token:
+        token_ttl = get_token_expiry(id_token)
+        if token_ttl:
+            max_age = token_ttl
+
+    for token_name in ['access_token', 'id_token']:
+        if tokens.get(token_name):
+            cookie = SimpleCookie()
+            cookie[token_name] = tokens[token_name]
+            cookie[token_name]['path'] = '/'
+            cookie[token_name]['secure'] = secure
+            cookie[token_name]['httponly'] = httponly
+            cookie[token_name]['samesite'] = samesite
+            cookie[token_name]['max-age'] = max_age
+            cookies.append(cookie[token_name].OutputString())
+
+    return cookies
+
+
+def logout_handler(event):
+    """Clear all auth cookies (silent logout - does not end Okta SSO session)"""
+    # Clear all auth cookies
+    cookies = []
+    for cookie_name in ['access_token', 'id_token', 'refresh_token']:
+        cookie = SimpleCookie()
+        cookie[cookie_name] = ''
+        cookie[cookie_name]['path'] = '/'
+        cookie[cookie_name]['max-age'] = 0
+        cookies.append(cookie[cookie_name].OutputString())
+
+    # Note: We intentionally do NOT redirect to Okta's logout endpoint.
+    # This matches the previous behavior using react-oidc-context's signoutSilent(),
+    # which clears local tokens but keeps the Okta SSO session active.
+    # This allows users to re-login seamlessly without re-entering credentials
+    # if their Okta session is still valid.
+
+    return {
+        'statusCode': 200,
+        'headers': get_cors_headers(event),
+        'multiValueHeaders': {'Set-Cookie': cookies},
+        'body': json.dumps({'success': True}),
+    }
+
+
+def userinfo_handler(event):
+    """Return user info from id_token cookie"""
+    try:
+        # Check both 'Cookie' and 'cookie' - API Gateway may normalize header casing
+        cookie_header = event.get('headers', {}).get('Cookie') or event.get('headers', {}).get('cookie', '')
+
+        cookies = SimpleCookie()
+        cookies.load(cookie_header)
+
+        id_token_cookie = cookies.get('id_token')
+        if not id_token_cookie:
+            return error_response(401, 'Not authenticated', event)
+
+        id_token = id_token_cookie.value
+
+        # Decode JWT payload (middle part of token)
+        # JWT format: header.payload.signature (base64url encoded)
+        parts = id_token.split('.')
+        if len(parts) != 3:
+            return error_response(401, 'Invalid token format', event)
+
+        payload = parts[1]
+
+        # Base64 requires padding to be multiple of 4 characters
+        # URL-safe base64 in JWTs often omits padding, so we add it back
+        padding = 4 - len(payload) % 4
+        if padding != 4:
+            payload += '=' * padding
+
+        decoded = base64.urlsafe_b64decode(payload)
+        claims = json.loads(decoded)
+
+        # Check if token is expired
+        import time
+
+        exp = claims.get('exp')
+        if exp and int(exp) < int(time.time()):
+            return error_response(401, 'Token expired', event)
+
+        email_claim = os.environ.get('CLAIMS_MAPPING_EMAIL', 'email')
+        user_id_claim = os.environ.get('CLAIMS_MAPPING_USER_ID', 'sub')
+
+        email = claims.get(email_claim, claims.get('email', claims.get('sub', '')))
+        user_id = claims.get(user_id_claim, claims.get('sub', ''))
+
+        return {
+            'statusCode': 200,
+            'headers': get_cors_headers(event),
+            'body': json.dumps(
+                {
+                    'email': email,
+                    'name': claims.get('name', email),
+                    'sub': user_id,
+                    'exp': exp,  # Include expiration time for frontend to set up timer
+                    'auth_time': claims.get('auth_time'),  # Include auth_time for reauth detection
+                }
+            ),
+        }
+
+    except (binascii.Error, ValueError) as e:
+        logger.error(f'Failed to decode JWT payload: {str(e)}')
+        return error_response(401, 'Invalid token', event)
+    except json.JSONDecodeError as e:
+        logger.error(f'Failed to parse JWT claims: {str(e)}')
+        return error_response(401, 'Invalid token', event)
+    except Exception as e:
+        logger.error(f'Userinfo error: {str(e)}')
+        return error_response(500, 'Internal server error', event)

deploy/custom_resources/custom_authorizer/custom_authorizer_lambda.py

@@ -1,5 +1,6 @@
 import logging
 import os
+from http.cookies import SimpleCookie
 
 from requests import HTTPError
 
@@ -23,10 +24,32 @@
 
 
 def lambda_handler(incoming_event, context):
-    # Get the Token which is sent in the Authorization Header
+    # Get the Token - first try Cookie header, then Authorization header
     logger.debug(incoming_event)
-    auth_token = incoming_event['headers']['Authorization']
+    headers = incoming_event.get('headers', {})
+
+    # Try to get access_token from Cookie header first (for cookie-based auth)
+    auth_token = None
+    cookie_header = headers.get('Cookie') or headers.get('cookie', '')
+
+    if cookie_header:
+        # Parse cookies to find access_token
+        cookies = SimpleCookie()
+        cookies.load(cookie_header)
+        access_token_cookie = cookies.get('access_token')
+        if access_token_cookie:
+            # Add Bearer prefix for consistency with existing validation
+            auth_token = f'Bearer {access_token_cookie.value}'
+            logger.debug('Using access_token from Cookie header')
+
+    # Fallback to Authorization header (for backward compatibility)
+    if not auth_token:
+        auth_token = headers.get('Authorization') or headers.get('authorization')
+        if auth_token:
+            logger.debug('Using token from Authorization header')
+
     if not auth_token:
+        logger.warning('No authentication token found in Cookie or Authorization header')
         return AuthServices.generate_deny_policy(incoming_event['methodArn'])
 
     # Validate User is Active with Proper Access Token