Feat/runtime upgrades

.github/workflows/check-compact-connect-ui-app.yml

@@ -48,7 +48,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v1
         with:
-          node-version: '22.1.0'
+          node-version: '24.11.1'
 
       # Use any cached yarn dependencies (saves build time)
       - uses: actions/cache@v4
@@ -86,7 +86,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v1
         with:
-          node-version: '22.1.0'
+          node-version: '24.11.1'
 
       # Use any cached yarn dependencies (saves build time)
       - uses: actions/cache@v4

.github/workflows/check-compact-connect.yml

@@ -48,7 +48,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v1
         with:
-          node-version: '22.1.0'
+          node-version: '24.11.1'
 
       # Use any cached yarn dependencies (saves build time)
       - uses: actions/cache@v4
@@ -86,7 +86,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v1
         with:
-          node-version: '22.1.0'
+          node-version: '24.11.1'
 
       # Use any cached yarn dependencies (saves build time)
       - uses: actions/cache@v4

backend/compact-connect-ui-app/lambdas/nodejs/README.md

@@ -4,7 +4,7 @@ This folder contains all lambda runtimes that are written with NodeJS/JavaScript
 
 
 ## Prerequisites
-* **[Node](https://github.com/creationix/nvm#installation) `22.X`**
+* **[Node](https://github.com/creationix/nvm#installation) `24.X`**
 * **[Yarn](https://yarnpkg.com/en/) `1.22.22`**
     * `npm install --global yarn@1.22.22`
 

backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/README.md

@@ -8,7 +8,7 @@
 
 ---
 ## Prerequisites
-* **[Node](https://github.com/creationix/nvm#installation) `22.X`**
+* **[Node](https://github.com/creationix/nvm#installation) `24.X`**
 * **[Yarn](https://yarnpkg.com/en/) `1.22.22`**
     * `npm install --global yarn@1.22.22`
 * **[Mocha](https://mochajs.org/) `10.x.x`+**

backend/compact-connect-ui-app/lambdas/nodejs/package.json

@@ -29,7 +29,6 @@
     "@aws-sdk/client-dynamodb": "^3.682.0",
     "@aws-sdk/client-s3": "^3.682.0",
     "@aws-sdk/util-dynamodb": "^3.682.0",
-    "aws-lambda": "1.0.7",
     "zod": "^3.23.8"
   }
 }

backend/compact-connect-ui-app/stacks/frontend_deployment_stack/distribution.py

@@ -124,7 +124,7 @@ def __init__(
             scope,
             'CSPFunction',
             code=Code.from_inline(csp_function_code),
-            runtime=Runtime.NODEJS_22_X,
+            runtime=Runtime.NODEJS_24_X,
             handler='index.handler',
         )
 

backend/compact-connect/README.md

@@ -23,9 +23,17 @@ This is an [AWS-CDK](https://aws.amazon.com/cdk/) based project for the backend
 
 To deploy this app, you will need:
 1) Access to an AWS account
-2) Python>=3.13 installed on your machine, preferably through a virtual environment management tool like
+2) Python>=3.14 installed on your machine, preferably through a virtual environment management tool like
    [pyenv](https://github.com/pyenv/pyenv), for clean management of virtual environments across multiple Python
    versions.
+   > Note: The [purchases lambda](./lambdas/python/purchases) depends on the
+   > [Authorize.Net python sdk](https://github.com/AuthorizeNet/sdk-python/issues/164), which is barely maintained at
+   > present, and is not yet compatible with Python 3.13. Due to that restriction, we have to hold back the python
+   > version of just this lambda, so that the entire project is not impacted. For local development, this means that,
+   > at least for this one lambda, developers will have to have a dedicated python environment, held back at Python
+   > 3.12. That environment and its dependencies will have to be maintained separately from those of the rest of the
+   > project, which can all share a common virtual environment and common dependencies, without excessive risk of
+   > version conflicts.
 3) Otherwise, follow the [Prerequisites section](https://cdkworkshop.com/15-prerequisites.html) of the CDK workshop to
    prepare your system to work with AWS-CDK, including a NodeJS install.
 4) Follow the steps in the [Installing Dependencies](#installing-dependencies) section.
@@ -70,6 +78,18 @@ For development work there are additional requirements in `requirements-dev.txt`
 To add additional dependencies, for example other CDK libraries, just add them to the `requirements.in` file and rerun
 `pip-compile requirements.in`, then `pip install -r requirements.txt` command.
 
+### Convenience scripts
+
+To simplify dependency installation in this project, which includes many runtimes with similar dependencies, maintain
+the dependency files with two convenience scripts, which manage the file contents for _most_ runtimes (See Note below),
+[compile_requirements.sh](./bin/compile_requirements.sh), and installs the defined dependencies,
+[sync_deps.sh](./bin/sync_deps.sh).
+
+> Note: Due to its dependency on the Authorize.Net python sdk, the [purchases lambda](./lambdas/python/purchases)
+> dependencies have to be maintained separately from the rest of the project. You can update the requirements files for
+> that lambda directly with the `pip-compile` command, and install dependencies into your python enviornment dedicated
+> to that lambda with the `pip-sync` command.
+
 ## Local Development
 [Back to top](#compact-connect---backend-developer-documentation)
 

backend/compact-connect/app_clients/.gitignore

@@ -0,0 +1,2 @@
+*.pem
+*.pub

backend/compact-connect/bin/compile_requirements.sh

@@ -16,8 +16,11 @@ pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/disas
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/disaster-recovery/requirements.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/provider-data-v1/requirements-dev.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/provider-data-v1/requirements.in
-pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/purchases/requirements-dev.in
-pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/purchases/requirements.in
+# The purchases lambda requires Python<=3.12, which is older than everything else in this project, so we have
+# to install that separately, if we want to be developing with Python>=3.13 for the rest of the project, to
+# avoid installation failures
+# pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/purchases/requirements-dev.in
+# pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/purchases/requirements.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/staff-user-pre-token/requirements-dev.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/staff-user-pre-token/requirements.in
 pip-compile --no-emit-index-url --upgrade --no-strip-extras lambdas/python/staff-users/requirements-dev.in

backend/compact-connect/bin/sync_deps.sh

@@ -20,9 +20,11 @@ pip-sync \
   lambdas/python/disaster-recovery/requirements.txt \
   lambdas/python/provider-data-v1/requirements-dev.txt \
   lambdas/python/provider-data-v1/requirements.txt \
-  lambdas/python/purchases/requirements-dev.txt \
-  lambdas/python/purchases/requirements.txt \
   lambdas/python/staff-user-pre-token/requirements-dev.txt \
   lambdas/python/staff-user-pre-token/requirements.txt \
   lambdas/python/staff-users/requirements-dev.txt \
   lambdas/python/staff-users/requirements.txt
+#   We have to manage the purchases lambda Python environment separately
+#   because it is held back to an older version than the rest of the project
+#   lambdas/python/purchases/requirements-dev.txt \
+#   lambdas/python/purchases/requirements.txt \

backend/compact-connect/common_constructs/nodejs_function.py

@@ -75,7 +75,7 @@ def __init__(
         super().__init__(
             scope,
             construct_id,
-            runtime=Runtime.NODEJS_22_X,
+            runtime=Runtime.NODEJS_24_X,
             entry=os.path.join(lambda_dir, 'handler.ts'),
             deps_lock_file_path=os.path.join(nodejs_dir, 'yarn.lock'),
             bundling=BundlingOptions(

backend/compact-connect/common_constructs/python_function.py

@@ -29,7 +29,7 @@ def __init__(
         construct_id: str,
         *,
         lambda_dir: str,
-        runtime: Runtime = Runtime.PYTHON_3_13,
+        runtime: Runtime = Runtime.PYTHON_3_14,
         log_retention: RetentionDays = RetentionDays.INFINITE,
         alarm_topic: ITopic = None,
         role: IRole = None,

backend/compact-connect/common_constructs/user_pool.py

@@ -220,6 +220,10 @@ def add_custom_app_client_domain(
             stack,
             f'{stack.node.path}/AWS679f53fac002430cb0da5b7982bd2287/Resource',
             suppressions=[
+                {
+                    'id': 'AwsSolutions-L1',
+                    'reason': 'We do not maintain this lambda runtime. It will be updated with future CDK versions'
+                },
                 {
                     'id': 'HIPAA.Security-LambdaDLQ',
                     'reason': 'This is an AWS-managed custom resource Lambda used only during deployment.'

backend/compact-connect/docs/client_signature_auth.md

@@ -139,11 +139,10 @@ for *both required and optional signature auth endpoints*).
 
 ### Example Signature Implementation
 
-#### Python Example
-
 We maintain an example implementation, which we use to test and validate our own authentication mechanism
-[here](../lambdas/python/common/common_test/sign_request.py). You can use this as a reference for your own
-implementation.
+[here](../lambdas/python/common/common_test/sign_request.py) and some example HTTP request data in a text file
+[here](./signature_auth_examples.txt). You can use this as a reference for your
+own implementation.
 
 ### Key Management
 

backend/compact-connect/docs/signature_auth_examples.txt

@@ -0,0 +1,149 @@
+================================================================================
+Signature Authentication Examples
+================================================================================
+
+This document provides example HTTP requests demonstrating the
+CompactConnect signature authentication scheme.
+
+Each example includes:
+  1. The raw HTTP request with signature headers
+  2. The plaintext string that was signed
+  3. The base64-encoded string that was signed
+
+================================================================================
+
+Example 1: GET /v1/compacts/aslp/jurisdictions/al/providers/query
+--------------------------------------------------------------------------------
+
+Raw HTTP Request:
+
+GET /v1/compacts/aslp/jurisdictions/al/providers/query?limit=10&offset=0&status=active HTTP/1.1
+Host: api.example.com
+Content-Type: application/json
+User-Agent: CompactConnect-Client/1.0
+Authorization: Bearer <token>
+X-Algorithm: ECDSA-SHA256
+X-Timestamp: 2025-11-19T21:21:21.242166Z
+X-Nonce: d34b90dd39e64c739f9b22070d0433bf
+X-Key-Id: test-key-001
+X-Signature: MEYCIQDxGk8KYQskZaiD2XCCvZJBlLz7TXPM8nW7BqcfTTO5ygIhAPtLd+oBgdMHfskhlCjFf/dc2fFzz9jcgaxsxXdA5Ddg
+
+
+Plaintext String to Sign:
+
+GET
+/v1/compacts/aslp/jurisdictions/al/providers/query
+limit=10&offset=0&status=active
+2025-11-19T21:21:21.242166Z
+d34b90dd39e64c739f9b22070d0433bf
+test-key-001
+
+
+Base64-Encoded String to Sign:
+
+R0VUCi92MS9jb21wYWN0cy9hc2xwL2p1cmlzZGljdGlvbnMvYWwvcHJvdmlkZXJzL3F1ZXJ5CmxpbWl0PTEwJm9mZnNldD0wJnN0YXR1cz1hY3RpdmUKMjAyNS0xMS0xOVQyMToyMToyMS4yNDIxNjZaCmQzNGI5MGRkMzllNjRjNzM5ZjliMjIwNzBkMDQzM2JmCnRlc3Qta2V5LTAwMQ==
+
+
+================================================================================
+
+Example 2: POST /v1/compacts/aslp/jurisdictions/al/providers
+--------------------------------------------------------------------------------
+
+Raw HTTP Request:
+
+POST /v1/compacts/aslp/jurisdictions/al/providers?validate=true HTTP/1.1
+Host: api.example.com
+Content-Type: application/json
+User-Agent: CompactConnect-Client/1.0
+Authorization: Bearer <token>
+X-Algorithm: ECDSA-SHA256
+X-Timestamp: 2025-11-19T21:21:21.245504Z
+X-Nonce: 26cd4a44b74f425d8630d1ea9c98127e
+X-Key-Id: test-key-002
+X-Signature: MEUCIQDoIo1XqJo6X6HTt2CbZTWN1RI5Jex0EFwb9MoLXrKVnQIgV883LXq3fKdiv1hwU98Kt7hBQKO+2hyt8D3bL6GJlDw=
+
+
+Plaintext String to Sign:
+
+POST
+/v1/compacts/aslp/jurisdictions/al/providers
+validate=true
+2025-11-19T21:21:21.245504Z
+26cd4a44b74f425d8630d1ea9c98127e
+test-key-002
+
+
+Base64-Encoded String to Sign:
+
+UE9TVAovdjEvY29tcGFjdHMvYXNscC9qdXJpc2RpY3Rpb25zL2FsL3Byb3ZpZGVycwp2YWxpZGF0ZT10cnVlCjIwMjUtMTEtMTlUMjE6MjE6MjEuMjQ1NTA0WgoyNmNkNGE0NGI3NGY0MjVkODYzMGQxZWE5Yzk4MTI3ZQp0ZXN0LWtleS0wMDI=
+
+
+================================================================================
+
+Example 3: GET /v1/compacts/aslp/jurisdictions/al/providers/12345
+--------------------------------------------------------------------------------
+
+Raw HTTP Request:
+
+GET /v1/compacts/aslp/jurisdictions/al/providers/12345 HTTP/1.1
+Host: api.example.com
+Content-Type: application/json
+User-Agent: CompactConnect-Client/1.0
+Authorization: Bearer <token>
+X-Algorithm: ECDSA-SHA256
+X-Timestamp: 2025-11-19T21:21:21.245591Z
+X-Nonce: 3e1aa862e0ee4c1e94e44f2ce35a89a7
+X-Key-Id: test-key-003
+X-Signature: MEYCIQChYjYNjARVQZx53V551i2x6acWcvOF7ipe8pu/tHYwKQIhAISUX+oxCtPBKLOc2tqpJg6FTKX7pR8ULWXSWKO2Ira5
+
+
+Plaintext String to Sign:
+
+GET
+/v1/compacts/aslp/jurisdictions/al/providers/12345
+
+2025-11-19T21:21:21.245591Z
+3e1aa862e0ee4c1e94e44f2ce35a89a7
+test-key-003
+
+
+Base64-Encoded String to Sign:
+
+R0VUCi92MS9jb21wYWN0cy9hc2xwL2p1cmlzZGljdGlvbnMvYWwvcHJvdmlkZXJzLzEyMzQ1CgoyMDI1LTExLTE5VDIxOjIxOjIxLjI0NTU5MVoKM2UxYWE4NjJlMGVlNGMxZTk0ZTQ0ZjJjZTM1YTg5YTcKdGVzdC1rZXktMDAz
+
+
+================================================================================
+
+Example 4: POST /path
+--------------------------------------------------------------------------------
+
+Raw HTTP Request:
+
+POST /path?a=1&b=value%20two HTTP/1.1
+Host: api.example.com
+Content-Type: application/json
+User-Agent: CompactConnect-Client/1.0
+Authorization: Bearer <token>
+X-Algorithm: ECDSA-SHA256
+X-Timestamp: 2025-11-11T19:09:53Z
+X-Nonce: 54ebdc56-4eae-4627-94e1-11ff27a3ec88
+X-Key-Id: eLicenseKey
+X-Signature: MEQCIFed8UTChmWcKS6yNtjn5KRNVXbRgwn3RC6NZBMUMKOoAiB2xtyQlPft8Dq24rjz28rK8D7hwsZ3BDy4SYQZrmeeTw==
+
+
+Plaintext String to Sign:
+
+POST
+/path
+a=1&b=value%20two
+2025-11-11T19:09:53Z
+54ebdc56-4eae-4627-94e1-11ff27a3ec88
+eLicenseKey
+
+
+Base64-Encoded String to Sign:
+
+UE9TVAovcGF0aAphPTEmYj12YWx1ZSUyMHR3bwoyMDI1LTExLTExVDE5OjA5OjUzWgo1NGViZGM1Ni00ZWFlLTQ2MjctOTRlMS0xMWZmMjdhM2VjODgKZUxpY2Vuc2VLZXk=
+
+
+================================================================================

backend/compact-connect/lambdas/nodejs/README.md

@@ -4,7 +4,7 @@ This folder contains all lambda runtimes that are written with NodeJS/TypeScript
 
 
 ## Prerequisites
-* **[Node](https://github.com/creationix/nvm#installation) `22.X`**
+* **[Node](https://github.com/creationix/nvm#installation) `24.X`**
 * **[Yarn](https://yarnpkg.com/en/) `1.22.22`**
     * `npm install --global yarn@1.22.22`