Amplify-js: Feature Request: Let users enable FIPS mode instead of default AWS endpoints for API calls

Created on 3 Apr 2018 · 15 comments · Source: aws-amplify/amplify-js

Do you want to request a feature or report a bug?
Feature

What is the current behavior?
Skimming through the code and looking through the docs, there doesn't seem to be a way to overwrite the endpoint used by amplify for a given thing. For example, I need to use endpoints with FIPS validated TLS which can be found here https://aws.amazon.com/compliance/fips/. But there is no clean way for me to leverage this.

What is the expected behavior?

My desire would be for the Config settings to allow custom endpoint options or a toggle to use fips. For example, with cognito it would be

cognito-sync-fips.us-east-1.amazonaws.com
cognito-identity-fips.us-east-1.amazonaws.com
cognito-idp-fips.us-east-1.amazonaws.com
<your_user_pool_domain>.auth-fips.us-east-1.amazoncognito.com

A possible interface could be something like

    // Proposed config: a single toggle that switches every Auth call to the -fips endpoints
    Amplify.configure({
      Auth: {
        identityPoolId: 'us-east-1:42xxxxbc2b',
        fips_enabled: true,
        region: 'us-east-1',
        userPoolId: 'us-east-1_xxhLcN',
        userPoolWebClientId: 'p1moxxxx3i9xxxxvh',
        mandatorySignIn: false,
        cookieStorage: {
          domain: document.domain,
          path: '/',
          expires: 30,
          secure: true
        }
      }
    });

I'm happy to help contribute this, but would want to get a green light on the design. I think the path of least resistance would be to implement a FIPS toggle rather than to allow any custom endpoint.

Auth feature-request

Most helpful comment

I'm still looking for this use case. :)

All 15 comments

Hi @defionscode, we already have service endpoints with FIPS deployed to all regions. Exactly as you mentioned, you can try:
cognito-sync-fips.us-east-1.amazonaws.com
cognito-identity-fips.us-east-1.amazonaws.com
cognito-idp-fips.us-east-1.amazonaws.com
<your_user_pool_domain>.auth-fips.us-east-1.amazoncognito.com

Well yes, but how do you ensure that aws-amplify leverages those endpoints?

@mlabieniec, does aws-amplify Auth leverage these endpoints?

To clarify my request, while my desire is for Auth, this enhancement should ideally be implemented for the other things like Storage, etc. Any amplify _thing_ that also has FIPS endpoints available under the hood.

@yuntuowang it is not currently implemented, since Amplify just uses the implicit default endpoint for AWS APIs. For example, take a look here:
https://github.com/aws/aws-amplify/blob/393ca50/packages/aws-amplify/src/Auth/Auth.ts#L81-L120

Notice how it calls the CognitoUserPool constructor. It creates the object by passing in userPoolData, which is defined as

    // Auth.ts: only the pool id and client id are passed; no endpoint override
    const userPoolData: ICognitoUserPoolData = {
        UserPoolId: userPoolId,
        ClientId: userPoolWebClientId,
    };
    if (cookieStorage) {
        userPoolData.Storage = new CookieStorage(cookieStorage);
    }

Now take a look at the actual definition of that constructor here https://github.com/aws/aws-amplify/blob/297c0b5c286d095d895a9a14191cfe7b2fee44c8/packages/amazon-cognito-identity-js/es/CognitoUserPool.js#L38-L58

Notice how endpoint is an attribute that is configurable; however, Amplify's API currently doesn't facilitate modifying how userPoolData is created, so using FIPS endpoints is not currently possible.

I hope this helps. Like I said, I'm happy to contribute this feature. The two design paths would be a simple boolean flag in config which would automatically set up FIPS endpoints, or, a bit more complex, allowing fully customizable endpoints for all underlying API calls, which might make for some ugly mapping for users that wish to leverage it.

I suppose both things could be implemented independent of each other too.

Oh, and to be clear: no, AWS does not implicitly use endpoints with FIPS-validated encryption.

@defionscode I think what you are proposing makes sense, i.e. make a simple boolean flag in config which would automatically setup fips endpoints. I think it would be good to add this to the url generation within the section you outlined there that generates the URL. It looks like we can similarly use the region generated and the prefixes. Feel free to submit the pr for review and thank you.

Just to clarify, we're going the FIPS boolean flag route as opposed to completely customizable endpoint selection, right?

I think that's the simplest way to start here and support the feature without needing to do too much refactoring on the existing functionality. The only thing I'd note is that the config values are generally camelCased, so instead of fips_enabled perhaps just fipsEnabled or fipsEndpointsEnabled.

I agree. I'll get started on this soon. Thanks for the feedback.

Just an update. This is still on our roadmap to tackle but it's taken a backseat for the time being. I still plan to have this contributed.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@defionscode I am going to close this FR since the last update from yourself was April of 2018. We are still open to a PR! Please feel free to reopen once a PR is created for this or you are still looking for this use case. Thanks ahead of time

I'm still looking for this use case. :)

Updating here for the changes I would like to contribute, following the suggested approach above: have a FIPS flag set so that the cognito-idp-fips endpoint is called. The use case is that, through a security check, a man-in-the-middle attack could possibly downgrade the call to the cognito-idp endpoint, as Cognito still allows the TLS 1.0 protocol.

Suggested changes would be as follows:

  • packages/amazon-cognito-identity-js/index.d.ts: add fipsEnabled boolean

        export interface ICognitoUserPoolData {
          UserPoolId: string;
          ClientId: string;
          endpoint?: string;
          fipsEnabled?: boolean;
          Storage?: ICognitoStorage;
        }

  • packages/amazon-cognito-identity-js/src/Client.js: client accepts the fipsEnabled value

        constructor(region, endpoint, fipsEnabled) {
          // fipsEnabled takes precedence over an explicit endpoint override
          if (fipsEnabled) {
            this.endpoint = `https://cognito-idp-fips.${region}.amazonaws.com/`;
          } else {
            this.endpoint = endpoint || `https://cognito-idp.${region}.amazonaws.com/`;
          }
        }

  • packages/amazon-cognito-identity-js/src/CognitoUserPool.js: constructor reads the fipsEnabled variable and passes it to the client

        const {
          UserPoolId,
          ClientId,
          endpoint,
          fipsEnabled,
          AdvancedSecurityDataCollectionFlag,
        } = data || {};
        .......
        this.client = new Client(region, endpoint, fipsEnabled);

  • packages/auth/src/Auth.ts: the Auth interface for the Cognito user pool sets the config value for fipsEnabled

        const userPoolData: ICognitoUserPoolData = {
          UserPoolId: userPoolId,
          ClientId: userPoolWebClientId,
          fipsEnabled: this._config.fipsEnabled,
        };

  • packages/auth/src/types/Auth.ts: the AuthOptions type gets a fipsEnabled variable

        export interface AuthOptions {
          authenticationFlowType?: string;
          identityPoolRegion?: string;
          clientMetadata?: any;
          fipsEnabled?: boolean;
        }

I have tested the above changes locally and was able to see that by setting the fipsEnabled to true via the config options in a project, that the FIPS endpoint was called.
A couple of questions:

  1. Does more need to be done to be able to set the cognito-idp endpoint to FIPS?
  2. If a call is made to the cognito-idp-fips endpoint, is there somewhere that a modification needs to happen to make sure the cognito-identity endpoint is also being made to reflect the FIPS endpoint (cognito-identity-fips)?
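As an added example (not code from amplify-js, amazon-cognito-identity-js or any commenter in this thread), the JavaScript below shows the endpoint precedence the proposed Client constructor would implement, extended to the identity-pool and hosted-UI endpoints quoted earlier in the thread, plus a fail-closed check for the second question above: confirm that every resolved endpoint really is a `-fips` host before any client is constructed. The function names, the region pattern, the `COGNITO_SERVICES` table and the shape of the config object are assumptions for illustration; only the `-fips` hostnames themselves come from the thread.

```javascript
'use strict';

// Assumed service-name -> DNS-prefix table, built from the endpoints quoted in the thread.
const COGNITO_SERVICES = {
  userPool: 'cognito-idp',
  identityPool: 'cognito-identity',
  sync: 'cognito-sync',
};

// Assumed shape of an AWS region id (us-east-1, us-gov-west-1, ap-northeast-1, ...).
// Partitions with a different DNS suffix (e.g. amazonaws.com.cn) are deliberately not handled.
const AWS_REGION_RE = /^[a-z]{2}(-gov)?-[a-z]+-\d$/;

// Same precedence as the proposed Client constructor: fipsEnabled wins over an explicit
// endpoint override, which wins over the implicit default.
function resolveCognitoEndpoint(service, region, { endpoint, fipsEnabled } = {}) {
  const prefix = COGNITO_SERVICES[service];
  if (!prefix) throw new Error(`unknown Cognito service: ${service}`);
  if (!AWS_REGION_RE.test(region)) throw new Error(`unexpected region id: ${region}`);
  if (fipsEnabled) return `https://${prefix}-fips.${region}.amazonaws.com/`;
  return endpoint || `https://${prefix}.${region}.amazonaws.com/`;
}

// Hosted UI domain: <prefix>.auth.<region>.amazoncognito.com, or auth-fips with the toggle on.
function resolveHostedUiDomain(userPoolDomainPrefix, region, { fipsEnabled } = {}) {
  if (!AWS_REGION_RE.test(region)) throw new Error(`unexpected region id: ${region}`);
  const label = fipsEnabled ? 'auth-fips' : 'auth';
  return `${userPoolDomainPrefix}.${label}.${region}.amazoncognito.com`;
}

// True only for an https URL whose host is a -fips service endpoint or an auth-fips hosted-UI host.
function isFipsEndpoint(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'https:') return false;
  return /^[a-z]+(-[a-z]+)*-fips\.[a-z0-9-]+\.amazonaws\.com$/.test(parsed.hostname)
    || /\.auth-fips\.[a-z0-9-]+\.amazoncognito\.com$/.test(parsed.hostname);
}

// Resolve both Cognito endpoints from an Amplify-style Auth config (assumed shape:
// { region, identityPoolRegion?, fipsEnabled? }). identityPoolRegion falls back to region.
function cognitoEndpointsFor(authConfig) {
  const { region, identityPoolRegion, fipsEnabled } = authConfig;
  const opts = { fipsEnabled };
  return {
    userPool: resolveCognitoEndpoint('userPool', region, opts),
    identityPool: resolveCognitoEndpoint('identityPool', identityPoolRegion || region, opts),
  };
}

// Fail closed: refuse to proceed if any resolved endpoint is not a FIPS endpoint.
// Returns true when every endpoint passes, otherwise throws naming the offenders.
function assertAllFips(endpoints) {
  const offenders = Object.entries(endpoints)
    .filter(([, url]) => !isFipsEndpoint(url))
    .map(([name, url]) => `${name}=${url}`);
  if (offenders.length > 0) {
    throw new Error(`non-FIPS Cognito endpoint(s): ${offenders.join(', ')}`);
  }
  return true;
}

// Usage: resolve, then gate construction of the real clients on the check.
const endpoints = cognitoEndpointsFor({ region: 'us-east-1', fipsEnabled: true });
assertAllFips(endpoints);
console.log(endpoints);
console.log(resolveHostedUiDomain('myapp', 'us-east-1', { fipsEnabled: true }));
```

The check is the practical answer to question 2: a toggle on the user-pool client alone leaves the identity-pool call on the default host, and `assertAllFips` would throw on that configuration rather than let the non-FIPS endpoint be used silently.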

@sammartinez Is there any update planned to properly integrate GovCloud support across the platform?
