fix(auth): clean up Cognito client config and fix protocol detection

- Remove unnecessary callback/logout URLs from Cognito User Pool client
- Remove unused UserPoolUserClientId output from security stack
- Use X-Forwarded-Proto header for correct protocol detection behind load balancers

Author: Jon Slominski

source/cdk/ecs-and-lambda/lib/stacks/security-stack.ts

@@ -118,25 +118,11 @@ export class SecurityStack extends cdk.Stack {
         ],
         callbackUrls: [
           "http://localhost:2299/callback", // for local development/testing with sample-auth-python server
-          "http://localhost:2299", // for local development/testing with sample-auth-python server
-          "https://${this.region}.console.aws.amazon.com/cognito/oauth2/idpresponse",
-        ],
-        logoutUrls: [
-          "http://localhost:2299/callback", // for local development/testing with sample-auth-python server
-          "http://localhost:2299", // for local development/testing with sample-auth-python server
-          "https://${this.region}.console.aws.amazon.com/cognito/oauth2",
         ],
       },
       preventUserExistenceErrors: true,
     });
 
-    // Output user client ID
-    new cdk.CfnOutput(this, "UserPoolUserClientId", {
-      value: this.appClientUser.userPoolClientId,
-      description:
-        "The Client ID for the Cognito User Pool Client (User Authentication)",
-    });
-
     // Create WAF Web ACL
     this.webAcl = new wafv2.CfnWebACL(this, "MCPServerWAF", {
       name: "mcp-server-waf",

source/cdk/ecs-and-lambda/servers/sample-ecs-weather-streamablehttp-stateless-nodejs-express/src/index.ts

@@ -249,8 +249,8 @@ app.use(express.json());
  * Get WWW-Authenticate header for 401 responses.
  */
 function getWWWAuthenticateHeader(req: Request): string {
-  const baseUrl =
-    process.env.BASE_URL || `${req.protocol}://${req.get("host")}`;
+  const protocol = req.get("X-Forwarded-Proto") || req.protocol;
+  const baseUrl = process.env.BASE_URL || `${protocol}://${req.get("host")}`;
   const val = `Bearer realm="mcp-server", resource_metadata="${baseUrl}/weather-nodejs/.well-known/oauth-protected-resource"`;
   console.log(val);
   return val;
@@ -314,8 +314,8 @@ app.get(
   (req: Request, res: Response) => {
     const region = process.env.AWS_REGION || "us-west-2";
     const user_pool_id = process.env.COGNITO_USER_POOL_ID;
-    const baseUrl =
-      process.env.BASE_URL || `${req.protocol}://${req.get("host")}`;
+    const protocol = req.get("X-Forwarded-Proto") || req.protocol;
+    const baseUrl = process.env.BASE_URL || `${protocol}://${req.get("host")}`;
 
     res.json({
       resource: `${baseUrl}/weather-nodejs/mcp`,

source/cdk/ecs-and-lambda/servers/sample-lambda-weather-streamablehttp-stateless-nodejs-express/src/index.ts

@@ -249,8 +249,9 @@ app.use(express.json());
  * Get WWW-Authenticate header for 401 responses.
  */
 function getWWWAuthenticateHeader(req: Request): string {
-  const baseUrl =
-    process.env.BASE_URL || `${req.protocol}://${req.get("host")}`;
+  // Check X-Forwarded-Proto from ALB/CloudFront, fallback to req.protocol for local testing
+  const protocol = req.get("X-Forwarded-Proto") || req.protocol;
+  const baseUrl = process.env.BASE_URL || `${protocol}://${req.get("host")}`;
   const val = `Bearer realm="mcp-server", resource_metadata="${baseUrl}/weather-nodejs-lambda/.well-known/oauth-protected-resource"`;
   console.log(val);
   return val;
@@ -314,8 +315,7 @@ app.get(
   (req: Request, res: Response) => {
     const region = process.env.AWS_REGION || "us-west-2";
     const user_pool_id = process.env.COGNITO_USER_POOL_ID;
-    const baseUrl =
-      process.env.BASE_URL || `${req.protocol}://${req.get("host")}`;
+    const baseUrl = process.env.BASE_URL || `https://${req.get("host")}`;
 
     res.json({
       resource: `${baseUrl}/weather-nodejs-lambda/mcp`,