Change Details

In order to deny request propagation that uses email associated with any domains of a `domain_denylist`, we need to create a WAF rule. **To do** [] Add a rule for the WAF of `auth` API service. The WAF should be able to inspect the json request body. A typical json request body looks like as follows: ``` { "email": "user@example.com", "username": "username", "password": "userpassword", "policy_version": "v1.1", "policy_date_accept": "2023-03-10T12:34:56.789Z", "marketing_emails": "false", "captcha_id": "somecaptcha_id", "captcha_solution": "somecaptcha_solution" } ``` If (for example) the `domain_denylist` is ["example.com", "abc.com"], the request above should not be forwarded. Note: Use the same `domain_denylist` variable from IaC that we will use dashboard and auth service. AWS docs: https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonBody.html **Acceptance criteria** [] On dev, set up a test `domain_denylist`. Send a request from dev dashboard using email with the domain from deny list. See that your request does not reach Auth service. [] Check cloudwatch logs for `auth` service. You should not see the `/create-user` log related to your request.

In order to deny request propagation that uses email associated with any domains of a `domain_denylist`, we need to create a WAF rule. **To do** [] Add a rule for the WAF of `auth` API service. The WAF should be able to inspect the json request body. A typical json request body looks like as follows: ``` { "email": "user@example.com", "username": "username", "password": "userpassword", "policy_version": "v1.1", "policy_date_accept": "2023-03-10T12:34:56.789Z", "marketing_emails": "false", "captcha_id": "somecaptcha_id", "captcha_solution": "somecaptcha_solution" } ``` If (for example) the `domain_denylist` is ["example.com", "abc.com"], the request above should not be forwarded. Note: Use the same `domain_denylist` variable from IaC that we will use dashboard and auth service. AWS docs: https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonBody.html Terraform docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl **Acceptance criteria** [] On dev, set up a test `domain_denylist`. Send a request from dev dashboard using email with the domain from deny list. See that your request does not reach Auth service. [] Check cloudwatch logs for `auth` service. You should not see the `/create-user` log related to your request.

In order to deny request propagation that uses email associated with any domains of a `domain_denylist`, we need to create a WAF rule. **To do** [] Add a rule for the WAF of `auth` API service. The WAF should be able to inspect the json request body. A typical json request body looks like as follows: ``` { "email": "user@example.com", "username": "username", "password": "userpassword", "policy_version": "v1.1", "policy_date_accept": "2023-03-10T12:34:56.789Z", "marketing_emails": "false", "captcha_id": "somecaptcha_id", "captcha_solution": "somecaptcha_solution" } ``` If (for example) the `domain_denylist` is ["example.com", "abc.com"], the request above should not be forwarded. Note: Use the same `domain_denylist` variable from IaC that we will use dashboard and auth service. AWS docs: https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonBody.html Terraform docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl **Acceptance criteria** [] On dev, set up a test `domain_denylist`. Send a request from dev dashboard using email with the domain from deny list. See that your request does not reach Auth service. [] Check cloudwatch logs for `auth` service. You should not see the `/create-user` log related to your request.