Instead of 'Not Found' can we say something more descriptive like Incorrect route for authentication etc ?

Changed to: 'Auth endpoint not found. Valid routes: /auth/token-exchange, /auth/logout, /auth/userinfo'

Should we also logout from okta. Here we are deleting those cookies but that doesn't mean we will be logging out of Okta. Should we make a call to the okta endpoint to let Okta know that we want to logout ?

Yes, good point! I'll implement Okta logout by redirecting to Okta's /v1/logout endpoint from the frontend after clearing cookies. This fully ends the Okta session so the user must re-authenticate on next login.

The flow will be:

Frontend calls /auth/logout to clear cookies
Frontend redirects to {okta_url}/v1/logout?id_token_hint=...&post_logout_redirect_uri=...
This is handled on the frontend side since it requires a browser redirect.

does the headers change between browsers. Asking this since you are fetching both Cookie and cookie key

Yes, HTTP header names can be passed with different casing depending on the proxy/gateway configuration. API Gateway sometimes normalizes headers to lowercase (cookie) while the HTTP spec uses Cookie. Checking both ensures we handle all cases reliably.

Can you please add a comment and document what you are trying to do here

Added comments on this logic.

        # JWT format: header.payload.signature (base64url encoded)
        payload = parts[1]

        # Base64 requires padding to be multiple of 4 characters
        # URL-safe base64 in JWTs often omits padding, so we add it back
        padding = 4 - len(payload) % 4
        if padding != 4:
            payload += '=' * padding

If there are any specific exception raised by base64.urlsafe_b64decode or other package you are using . Catch the important ones

Added specific exception handling:

binascii.Error, ValueError - for base64 decode failures
json.JSONDecodeError - for invalid JSON in JWT payload
Generic Exception kept as fallback for unexpected errors

All errors are logged with details but return generic messages to clients.

what's the backend region check for ?

The backend_region check is redundant - looking at pipeline.py, it's always set via backend_region=target_env.get('region', self.region), so it will never be None. Removed the unnecessary check.

Is this the typical behaviour for auth endpoints to not have caching ?

Yes, this is standard practice. Auth endpoints should never be cached - each request is unique (one-time auth codes, session-specific cookies, user-specific data). Caching would return stale data and break login/logout.

We didn't have any cloudfront dist behaviour for graphql or search. What's the benefit of adding it here ?

This is required for httpOnly cookies to work. Browsers only send cookies to same-origin requests. Before, tokens were in localStorage and sent via Authorization header (works cross-origin). Now with httpOnly cookies, the browser won't send them to a different origin (API Gateway). Routing through CloudFront makes frontend and API same-origin, so cookies are sent automatically.