I've set up a static website hosted on S3 and distributed via CloudFront. I'm using Cognito for authentication with a Lambda@Edge function to handle the redirection and token verification. The authentication flow is as follows:
1. Check if the request has a cookie and a query string parameter.
2. If neither is present, redirect to Cognito.
3. After login/signup, Cognito redirects back with a query string containing a code.
4. Use this code to generate an ID token, set it as a cookie, and redirect to the website.
5. Verify the cookie's validity (not expired and for the correct audience) using JWT and .well-known.json.
This setup works fine when:
- Navigating directly to the root (my-website/).
- Copying and pasting the root URL into a new tab.
However, when I:
- Click on any href link on the website.
- Paste a direct link to a subpath (like my-website/docs/getting-started).
It fails with an "Access Denied" error.
When the root path is accessed, the network tab shows successful requests (Status 200), but when a subpath is accessed directly, it shows "Access Denied" (Status 403) without any redirects occurring as per my Lambda@Edge function.
I've attached some screenshots from the browser's inspection results:
- Successful root path request
- Failed subpath request
- Response headers for the failed request
- Response headers for the failed request
Given this information and the behavior I'm observing, I suspect there might be an issue with the Lambda@Edge configuration for subpaths or perhaps with the cookie path scope. I've ensured the Lambda function is triggered for all viewer requests, and the authentication cookie is set for the root path (/).
Can someone help me understand why the Lambda@Edge function isn't handling the subpath requests as expected and suggest any potential solutions to ensure that the authentication flow works correctly for all paths?
Thank you for your assistance!
Links to images:
https://imgur.com/1P9b0P3
https://imgur.com/e3WS7WR
https://imgur.com/2pmJURD
https://imgur.com/xro3NhR