In order to block requests whose email address belongs to any domain in the domain_denylist, we need to create a WAF rule.
To do
- Add a rule to the WAF of the auth API service. The WAF must be able to inspect the JSON request body. A typical JSON request body looks as follows:
{ "email": "user@example.com", "username": "username", "password": "userpassword", "policy_version": "v1.1", "policy_date_accept": "2023-03-10T12:34:56.789Z", "marketing_emails": "false", "captcha_id": "somecaptcha_id", "captcha_solution": "somecaptcha_solution" }
If (for example) the domain_denylist is ["example.com", "abc.com"], the request above should not be forwarded.
Note: Use the same domain_denylist variable from IaC that the dashboard and the auth service will use.
AWS docs: https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonBody.html
Terraform docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl
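As an added example (not code from this ticket or the project), a Terraform sketch of the rule. It assumes var.domain_denylist is the shared IaC list variable, a REGIONAL web ACL with the hypothetical name auth-api-web-acl in front of the auth API, and an AWS provider version that supports regex_match_statement; the rule reads only the /email member of the JSON body and blocks when its value ends with "@" followed by a denied domain.

```terraform
locals {
  # One WAF regex from the shared denylist: escape dots, join with "|", anchor on "@" and end
  # of value. ["example.com", "abc.com"] -> "@(example\.com|abc\.com)$"
  denied_email_regex = "@(${join("|", [for d in var.domain_denylist : replace(lower(d), ".", "\\.")])})$"
}

resource "aws_wafv2_web_acl" "auth_api" {
  name  = "auth-api-web-acl" # hypothetical name
  scope = "REGIONAL"         # assumes an ALB/API Gateway in front of the auth API
  default_action {
    allow {}
  }
  rule {
    name     = "block-denied-email-domains"
    priority = 1
    action {
      block {}
    }
    statement {
      regex_match_statement {
        regex_string = local.denied_email_regex
        field_to_match {
          json_body {
            match_scope = "VALUE"         # inspect values, not keys
            match_pattern {
              included_paths = ["/email"] # only the "email" member of the body
            }
            invalid_fallback_behavior = "EVALUATE_AS_STRING" # malformed JSON: still scan the raw text
            oversize_handling         = "CONTINUE"           # body over the inspection limit: scan what was received
          }
        }
        text_transformation {
          priority = 0
          type     = "LOWERCASE" # "User@EXAMPLE.com" must still match
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "BlockDeniedEmailDomains"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "AuthApiWebAcl"
    sampled_requests_enabled   = true
  }
}
```

The pattern matches the exact domain only; if subdomains (user@mail.example.com) must also be denied, prefix the alternation with `(.+\.)?`.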
Acceptance criteria
- On dev, set up a test domain_denylist. Send a request from the dev dashboard using an email address with a domain from the deny list. Confirm that the request does not reach the Auth service.
- Check the CloudWatch logs of the auth service. You should not see a /create-user log entry for your request.