chore: allowlist set-cookie and change expiry units

UKHSA-Internal · Feb 17, 2025 · 6f0da92 · 6f0da92
1 parent 012e96b
commit 6f0da92
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/terraform/20-app/cloud-front.front-end.tf b/terraform/20-app/cloud-front.front-end.tf
@@ -217,9 +217,11 @@ resource "aws_cloudfront_origin_request_policy" "front_end_auth" {
       items = [
         "Accept",
         "Content-Type",
+        "Set-Cookie",
       ]
     }
   }
+
   query_strings_config {
     query_string_behavior = "all"
   }

diff --git a/terraform/modules/cognito/main.tf b/terraform/modules/cognito/main.tf
@@ -38,9 +38,15 @@ resource "aws_cognito_user_pool_client" "user_pool_client" {
   allowed_oauth_flows_user_pool_client = true
   allowed_oauth_scopes = ["openid", "email", "profile", "aws.cognito.signin.user.admin"]
 
-  access_token_validity   = 1    # 1 hour
-  id_token_validity       = 1    # 1 hour
-  refresh_token_validity  = 720  # 720 hours (30 days)
+  access_token_validity   = 60    # 60 minutes
+  id_token_validity       = 60    # 60 minutes
+  refresh_token_validity  = 30    # 30 days
+
+  token_validity_units {
+    access_token  = "minutes"
+    id_token      = "minutes"
+    refresh_token = "days"
+  }
 
   prevent_user_existence_errors = "ENABLED"