Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


amazon web services - nginx allow access to location only if request came from cognito

I'm using AWS Cognito for auth, and have it redirect to a certain path on my nginx website.

I want this path to be reachable only if the request comes after the user logs in via Cognito.

How do I block access to the path in nginx if someone just types that path into the address bar?

Let's say for example, the location I want locked down is:

http://localhost:3010/firstPath/

In Chrome devtools I don't see any referrer or anything like that in the request:

    Request URL: http://localhost:3010/firstPath/?code=axxxxx-xxxx-xxx-9b18-df2832a401e9&state=N35vxxxxxJGnlJr5YEI5AVfFRPdbghFG
    Request Method: GET
    Status Code: 200 OK
    Remote Address: 127.0.0.1:3010
    Referrer Policy: strict-origin-when-cross-origin

    Accept-Ranges: bytes
    Connection: keep-alive
    Content-Encoding: gzip
    Content-Type: text/html; charset=UTF-8
    Date: Thu, 28 Jan 2021 08:52:50 GMT
    ETag: W/"868-KJFfIJ4iphNuyGJQRrz3NAqMbz4"
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    X-Powered-By: Express

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cache-Control: no-cache
    Connection: keep-alive
    DNT: 1
    Host: localhost:3010
    Pragma: no-cache
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Sec-Fetch-User: ?1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36

    code: axxxxx-xxxx-xxx-9b18-df2832a401e9
    state: N35vxxxxxJGnlJr5Y

In nginx I can block requests that didn't come from AWS ELB to my /health check path, like this:

    location /health {
        set $block 1;

        # Allow all the ELB health check agents.
        if ($http_user_agent ~* '^ELB-HealthChecker/.*$') {
            set $block 0;
            access_log off;
        }

        # Block invalid requests.
        if ($block = 1) {
            return 444;
        }

        return 200;
        add_header Content-Type text/plain;
    }

Is there a way to do something similar for this path, based on the request coming from AWS Cognito?

question from:https://stackoverflow.com/questions/65934266/nginx-allow-access-to-location-only-if-request-came-from-cognito
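
The callback to /firstPath/ is an ordinary browser GET whose only login-specific data are the `code` and `state` query parameters shown above, so one way to reject direct visits is to check `state` in the Express app behind nginx before exchanging `code` at Cognito's token endpoint. The following is an added example, not part of the original question or an answer from the thread; `STATE_KEY`, `issueState`, `checkCallback` and the per-browser session id are assumptions.

```javascript
// Added example: bind the OAuth `state` value to the browser session that
// started the login, and refuse /firstPath/ requests that do not carry it.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const STATE_KEY = randomBytes(32);   // server-side secret (constructed per process here)
const MAX_AGE_MS = 5 * 60 * 1000;    // a login attempt must finish within 5 minutes

function sign(sessionId, nonce, issuedAt) {
  return createHmac('sha256', STATE_KEY)
    .update(`${sessionId}.${nonce}.${issuedAt}`)
    .digest('hex');
}

// Call before redirecting the browser to the Cognito login page and pass the
// result as the `state` parameter. sessionId is an assumed session cookie value.
function issueState(sessionId, now = Date.now()) {
  const nonce = randomBytes(16).toString('hex');
  return `${nonce}.${now}.${sign(sessionId, nonce, now)}`;
}

// Call for every request to /firstPath/. Returns the HTTP status to send:
// 200 = state was issued to this session, continue to the token exchange;
// 403 = the request did not come out of a login flow this session started.
function checkCallback(requestUrl, sessionId, now = Date.now()) {
  const params = new URL(requestUrl, 'http://localhost:3010').searchParams;
  const code = params.get('code');
  const state = params.get('state');
  if (!code || !state || !sessionId) return 403;   // e.g. path typed into the address bar

  const parts = state.split('.');
  if (parts.length !== 3) return 403;
  const [nonce, issuedAt, mac] = parts;
  if (!nonce || !/^\d+$/.test(issuedAt)) return 403;

  const age = now - Number(issuedAt);
  if (age < 0 || age > MAX_AGE_MS) return 403;     // expired or future-dated state

  const expected = Buffer.from(sign(sessionId, nonce, issuedAt));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return 403;
  return timingSafeEqual(given, expected) ? 200 : 403;
}
```

A 200 from `checkCallback` only shows that the state is genuine; the `code` still has to be accepted by Cognito's token endpoint before the user is treated as logged in.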


1 Answer

0 votes
by (71.8m points)
Waiting for answers
