HDC Auth Proxy

Authentication and authorization proxy for the Humanitarian Data Cube (HDC) at WFP.

What it does

Protects access to S3 resources, HTTP endpoints and HDC applications, supporting:

  • OAuth2/OIDC, API keys and JWT
  • Human users (browser, session-based) and M2M services (stateless)
  • Identity Providers: AWS Cognito and federated CIAM for partners

Architecture

The project follows a hexagonal architecture (ports & adapters):

src/hdc_auth_proxy/
├── domain/       # Pure domain models (dataclasses, no external dependencies)
├── ports/        # Protocols: input/output boundaries
├── adapters/     # Concrete implementations (Cognito, JWT, HTTP, Pydantic DTOs)
├── core/         # ABCs for internal plugin systems
└── services/     # Business logic
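
How the layers above relate, as an added example that is not the project's own code: a service authenticates an M2M caller through a port, and an API-key adapter does the check. The names `Principal`, `CredentialVerifier`, `ApiKeyVerifier`, `AuthService` and `hash_key` and the `x-api-key` header are assumptions for illustration; only the stateless API-key path is shown.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Protocol


# domain/: pure model with no external dependencies (hypothetical name)
@dataclass(frozen=True)
class Principal:
    subject: str
    kind: str  # "human" (session-based) or "m2m" (stateless)


# ports/: the boundary the service depends on (hypothetical name)
class CredentialVerifier(Protocol):
    def verify(self, headers: dict[str, str]) -> Optional[Principal]: ...


def hash_key(key: str) -> str:
    """SHA-256 hex digest, so raw API keys are never held in memory tables."""
    return hashlib.sha256(key.encode()).hexdigest()


# adapters/: one concrete implementation of the port
class ApiKeyVerifier:
    def __init__(self, clients_by_hash: dict[str, str]):
        self._clients_by_hash = clients_by_hash  # key digest -> client id

    def verify(self, headers: dict[str, str]) -> Optional[Principal]:
        key = headers.get("x-api-key")  # assumed header name
        if not key:
            return None
        digest = hash_key(key)
        for stored, client in self._clients_by_hash.items():
            # constant-time comparison avoids leaking digest prefixes via timing
            if hmac.compare_digest(stored, digest):
                return Principal(subject=client, kind="m2m")
        return None


# services/: business logic that sees only the port, never a concrete adapter
class AuthService:
    def __init__(self, verifiers: list[CredentialVerifier]):
        self._verifiers = verifiers

    def authenticate(self, headers: dict[str, str]) -> Optional[Principal]:
        # HTTP header names are case-insensitive, so normalise before lookup
        lowered = {name.lower(): value for name, value in headers.items()}
        for verifier in self._verifiers:
            principal = verifier.verify(lowered)
            if principal is not None:
                return principal
        return None  # fail closed: no verifier accepted the request
```

Because `AuthService` depends only on the `CredentialVerifier` protocol, a JWT or Cognito adapter can be added to the list without touching the service, and tests can pass in a fake verifier.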

Documentation

Living Architecture Catalog

An interactive architecture catalog built with EventCatalog documents the DDD bounded contexts, services, port contracts, domain events, and flows.

cd docs/architecture/eventcatalog && npm run dev
# Opens at http://localhost:3100