fix(cognito): expire access tokens on first-party operations#1928
Merged
Conversation
GetUser, ChangePassword, the MFA ops, branding, GlobalSignOut and the other first-party Cognito operations validated the bearer token with a bare access_tokens map lookup that never checked expiry, so an expired-but-not-revoked access token kept authorizing those operations indefinitely (the API-Gateway authorizer path already fails closed on exp+sig; this was the service's own ops, bug-hunt 2026-06-24, 5.3). Adds CognitoState::valid_access_token, which returns the token only if it exists AND was issued within the 1-hour TTL (the ExpiresIn: 3600 minted at sign-in), and routes all ~22 first-party handler lookups through it. Unit test covers fresh/expired/unknown.
Summary (5.3, auth-when-enabled)
GetUser, ChangePassword, the MFA ops, branding, GlobalSignOut and the other first-party Cognito operations validated the bearer token with a bare access_tokens map lookup that never checked expiry — so an expired-but-not-revoked access token kept authorizing those operations indefinitely. (The API-Gateway authorizer path already fails closed on exp+sig; this was Cognito's own ops.) Adds CognitoState::valid_access_token, which returns the token only if it exists AND was issued within the 1-hour TTL (the ExpiresIn: 3600 minted at sign-in), and routes all ~22 first-party handler lookups through it.
Non-code surface
No new API surface — enforcement correctness. No SDK/docs/metadata change applies (checked).
Test plan
valid_access_token_rejects_expired (fresh accepted, >1h-old rejected, unknown rejected). Expiry is time-based so a unit test is the right level (an E2E would need a 1-hour wait). cargo test -p fakecloud-cognito --lib (337) passes; clippy clean.
Summary by cubic
Expire Cognito access tokens for first-party operations. Tokens older than 1 hour are now rejected for GetUser, ChangePassword, MFA, branding, and GlobalSignOut.
ExpiresIn: 3600) to replace raw access token lookups.
Written for commit b526edc.
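The shape of the fix this PR describes, as an added example rather than fakecloud-cognito's own code: a CognitoState whose access_tokens map records when each token was minted, the pre-fix existence-only lookup next to a TTL-checking valid_access_token, and a GetUser-style handler routed through it. The issued_at field, the explicit now parameter, and the mint, lookup_unchecked, get_user and unix_now helpers are assumed names, not the project's.

```rust
// Added example, not fakecloud-cognito's code. Names below are assumptions.
use std::collections::HashMap;
use std::time::{SystemTime, UNIX_EPOCH};

/// Mirrors the ExpiresIn: 3600 that sign-in mints, per the PR description.
pub const ACCESS_TOKEN_TTL_SECS: u64 = 3600;

#[derive(Clone, Debug)]
pub struct AccessToken {
    pub username: String,
    /// Unix seconds at which the token was minted (assumed field).
    pub issued_at: u64,
}

#[derive(Default)]
pub struct CognitoState {
    pub access_tokens: HashMap<String, AccessToken>,
}

/// Wall-clock seconds for the production path; tests pass `now` explicitly.
pub fn unix_now() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}

impl CognitoState {
    /// Store a token the way sign-in would, recording its mint time.
    pub fn mint(&mut self, token: &str, username: &str, issued_at: u64) {
        let t = AccessToken { username: username.to_string(), issued_at };
        self.access_tokens.insert(token.to_string(), t);
    }

    /// Pre-fix lookup: existence only, so an expired token keeps authorizing.
    pub fn lookup_unchecked(&self, token: &str) -> Option<&AccessToken> {
        self.access_tokens.get(token)
    }

    /// Fixed lookup: present AND younger than the TTL at `now`. A token whose
    /// issued_at lies in the future (clock skew) also fails closed.
    pub fn valid_access_token(&self, token: &str, now: u64) -> Option<&AccessToken> {
        self.access_tokens.get(token).filter(|t| {
            now.checked_sub(t.issued_at).map_or(false, |age| age < ACCESS_TOKEN_TTL_SECS)
        })
    }
}

/// A GetUser-style first-party handler after the fix: every failure is the
/// same NotAuthorized error, so callers cannot tell expired from unknown.
pub fn get_user(state: &CognitoState, bearer: &str, now: u64) -> Result<String, &'static str> {
    state.valid_access_token(bearer, now).map(|t| t.username.clone()).ok_or("NotAuthorizedException")
}
```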