Background
Cognito authentication has been implemented independently on all C4C projects, requiring significant ramp-up time on each project. A pre-built Cognito module in scaffolding would give new tech leads working auth from day one that activates only when they're ready for it.
Tasks
Frontend (apps/frontend/src/auth/):
- auth.config.ts — calls Amplify.configure() with VITE_COGNITO_USER_POOL_ID and VITE_COGNITO_CLIENT_ID; only runs if both env vars are present
- Update main.tsx to import auth.config.ts and conditionally wrap the app in Authenticator if VITE_COGNITO_USER_POOL_ID is set, otherwise render unwrapped
Backend (apps/backend/src/aws/cognito/):
- cognito.module.ts — NestJS module that registers the guard and exports CognitoService
- cognito.guard.ts — global JWT guard that validates Cognito tokens against the user pool's JWKS endpoint; short-circuits to true (allows all requests) if COGNITO_USER_POOL_ID is unset
- cognito.decorator.ts — @Public() decorator to opt individual routes out of the guard when auth is active
- cognito.service.ts — exposes a getUser() helper that extracts the decoded token payload from the request, returning null if auth is inactive
- cognito.types.ts — interface for the decoded Cognito JWT payload (sub, email, groups, etc.)
- Register CognitoModule in the root AppModule so the global guard is active without any per-module setup
- Add required env vars to example.env: COGNITO_USER_POOL_ID, COGNITO_CLIENT_ID, COGNITO_REGION (backend), VITE_COGNITO_USER_POOL_ID, VITE_COGNITO_CLIENT_ID (frontend), with a comment on each indicating that leaving them unset disables auth entirely
- Add a README.md inside the module directory documenting: how to enable auth (set env vars), how to protect all routes by default, how to use @Public() for unauthenticated routes
- Set default env vars in .example.env to the scaffolding user pool
Definition of done
With env vars unset: app starts, all routes are accessible, frontend renders without Authenticator. With env vars set: frontend renders behind Authenticator, all backend routes reject requests without a valid Cognito JWT except those decorated with @Public(). Unit tests cover the guard for the active/inactive env var states and the valid/invalid token cases.
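As an added illustration (not code from the scaffolding repo), the guard's decision logic in the form the definition of done tests: inactive env allows everything, @Public() bypasses only when auth is active, and an active guard fails closed on a missing header, bad signature, wrong issuer, wrong app client or expiry. The NestJS wiring and the JWKS signature check are factored out; the CognitoJwtPayload field set, SAMPLE_ENV values and constructedVerifier are assumptions made for this example.

```typescript
// Added example: cognito.guard.ts decision logic without NestJS so it runs stand-alone.
// The JWKS signature check is injected as a callback, standing in for a library such as
// aws-jwt-verify (assumed); everything below it is plain claim validation.
export interface CognitoJwtPayload {            // field set assumed for cognito.types.ts
  sub: string;
  iss: string;
  exp: number;                                   // seconds since epoch
  token_use: "id" | "access";
  aud?: string;                                  // app client id, present on ID tokens
  client_id?: string;                            // app client id, present on access tokens
  email?: string;
  "cognito:groups"?: string[];
}
export interface GuardEnv {
  COGNITO_USER_POOL_ID?: string; COGNITO_CLIENT_ID?: string; COGNITO_REGION?: string;
}
export interface RequestLike {
  headers: Record<string, string | undefined>;
  user?: CognitoJwtPayload | null;               // what getUser() in cognito.service.ts reads
}
// Returns the decoded payload only when the signature verifies against the pool's JWKS.
export type SignatureVerifier = (token: string) => CognitoJwtPayload | null;

export function expectedIssuer(env: GuardEnv): string {
  return `https://cognito-idp.${env.COGNITO_REGION}.amazonaws.com/${env.COGNITO_USER_POOL_ID}`;
}

// isPublic is what the real guard would read from @Public() metadata via Reflector.
export function canActivate(env: GuardEnv, req: RequestLike, isPublic: boolean,
                            verifySignature: SignatureVerifier,
                            nowSeconds: number = Math.floor(Date.now() / 1000)): boolean {
  if (!env.COGNITO_USER_POOL_ID) { req.user = null; return true; } // auth inactive: allow all
  if (isPublic) return true;                                      // opt-out while auth is active
  const [scheme, token, ...rest] = (req.headers["authorization"] ?? "").split(" ");
  if (scheme !== "Bearer" || !token || rest.length > 0) return false;
  const payload = verifySignature(token);
  if (!payload) return false;                                     // bad signature or malformed
  if (payload.iss !== expectedIssuer(env)) return false;          // token from another pool
  if (payload.exp <= nowSeconds) return false;                    // expired
  const client = payload.token_use === "id" ? payload.aud : payload.client_id;
  if (client !== env.COGNITO_CLIENT_ID) return false;             // issued for another app client
  req.user = payload;
  return true;
}

// Constructed fixtures: only the literal token "valid-signature" "verifies" here.
export const SAMPLE_ENV: GuardEnv = { COGNITO_USER_POOL_ID: "us-east-1_EXAMPLE", COGNITO_CLIENT_ID: "client-example", COGNITO_REGION: "us-east-1" };
export const SAMPLE_PAYLOAD: CognitoJwtPayload = { sub: "user-1", iss: expectedIssuer(SAMPLE_ENV), exp: 4102444800, token_use: "id", aud: "client-example", email: "dev@example.org" };
export const constructedVerifier: SignatureVerifier = (t) => (t === "valid-signature" ? SAMPLE_PAYLOAD : null);
```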