I have been configuring a Cognito User Pool to block certain requests from reaching Cognito and fail them with a 403 Forbidden error. For that I have enabled Cognito WAF and created a Web ACL with the following rule:
- Rule name: block-json-payload
- Type: regular rule
- If a request: matches the statement
- Inspect: body
- Content Type: JSON
- JSON Match Scope: Values
- How AWS WAF should treat invalid requests: match
- Content to inspect: Only Included Elements
- /AuthParameters/USERNAME
- Match Type: contains string
- String to match: mydomain.com
- Oversize handling: match
- Action: block
I also set the Web ACL default termination to be allow.
That should mean that whenever a request is made to Cognito containing the following JSON body it should be blocked.

    {
      "AuthFlow": "CUSTOM_AUTH",
      "ClientId": "xxxxxxxx",
      "AuthParameters": {
        "USERNAME": "[email protected]",
        "SRP_A": "abc...",
        "CHALLENGE_NAME": "SRP_A"
      },
      "ClientMetadata": {}
    }
Because this request goes via the Cognito SDK and contains the following headers, especially content-type: application/x-amz-json-1.1, I assume the Web ACL can't handle that. Does that mean that if the content type is not application/json this Web ACL rule will be skipped? Besides, how can I validate requests that are effectively JSON, like this one, but that don't come with the correct content-type?
Request:
    // InitiateAuth call as sent by the Amplify/Cognito SDK from the browser
    fetch('https://cognito-idp.us-east-1.amazonaws.com/', {
      'headers': {
        'accept': '*/*',
        'accept-language': 'en-US,en;q=0.9',
        'cache-control': 'no-store',
        // SDK uses the AWS JSON 1.1 protocol content type, not application/json
        'content-type': 'application/x-amz-json-1.1',
        'sec-ch-ua': '"Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"',
        'sec-ch-ua-mobile': '?0',
        'sec-ch-ua-platform': '"macOS"',
        'sec-fetch-dest': 'empty',
        'sec-fetch-mode': 'cors',
        'sec-fetch-site': 'cross-site',
        'x-amz-target': 'AWSCognitoIdentityProviderService.InitiateAuth',
        'x-amz-user-agent': 'aws-amplify/5.0.4 js'
      },
      'referrer': 'https://xxxxxx.com/',
      'referrerPolicy': 'strict-origin-when-cross-origin',
      // Body is JSON even though the content-type header does not say so
      'body': '{"AuthFlow":"CUSTOM_AUTH","ClientId":"xxx","AuthParameters":{"USERNAME":"[email protected]","SRP_A":"abc...","CHALLENGE_NAME":"SRP_A"},"ClientMetadata":{}}',
      'method': 'POST',
      'mode': 'cors',
      'credentials': 'omit'
    });
Note:
Although the AWS docs mention the Content Type parameter configuration as JSON, it is not clear whether the HTTP Content-Type header must be application/json or whether it could be any other value as long as the body is parsable as JSON.
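To make the configured rule's logic concrete, here is an added Python model of the rule as listed in the question (included path /AuthParameters/USERNAME, match scope Values, contains "mydomain.com", invalid requests treated as a match, Web ACL default allow). It is not AWS code and makes no claim about how WAF's real parser treats the Content-Type header; the sample bodies are constructed and the oversize limit is not modelled.

```python
import json
from typing import Any, Iterator

# Rule settings copied from the question (constructed model, not AWS WAF code)
INCLUDED_PATHS = ["/AuthParameters/USERNAME"]   # "Only Included Elements"
SEARCH_STRING = "mydomain.com"                  # "contains string"
INVALID_FALLBACK = "MATCH"                      # "treat invalid requests: match"


def resolve_pointer(doc: Any, pointer: str) -> list[Any]:
    """Resolve a JSON-pointer-style path ("/a/b") against a parsed body.
    Returns a one-element list with the node, or [] if the path is absent."""
    node = doc
    for token in pointer.strip("/").split("/"):
        if isinstance(node, dict) and token in node:
            node = node[token]
        elif isinstance(node, list) and token.isdigit() and int(token) < len(node):
            node = node[int(token)]
        else:
            return []
    return [node]


def values_under(node: Any) -> Iterator[Any]:
    """Match scope VALUE: yield only scalar values, recursing into containers."""
    if isinstance(node, dict):
        for value in node.values():
            yield from values_under(value)
    elif isinstance(node, list):
        for value in node:
            yield from values_under(value)
    else:
        yield node


def evaluate(body: str) -> str:
    """Return 'BLOCK' or 'ALLOW' for a raw request body under the rule above."""
    try:
        doc = json.loads(body)
    except ValueError:
        # Body is not parseable JSON: the invalid-request setting decides.
        return "BLOCK" if INVALID_FALLBACK == "MATCH" else "ALLOW"
    for path in INCLUDED_PATHS:
        for found in resolve_pointer(doc, path):
            for value in values_under(found):
                if isinstance(value, str) and SEARCH_STRING in value:
                    return "BLOCK"          # rule action
    return "ALLOW"                          # Web ACL default action


if __name__ == "__main__":
    # Constructed InitiateAuth body shaped like the one in the question
    print(evaluate('{"AuthFlow":"CUSTOM_AUTH","AuthParameters":{"USERNAME":"alice@mydomain.com"}}'))
```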