CORS locked to CloudFront domain; Identity Pool server-side token check enabled
Two small hardening commits: CORS on the S3 docs bucket and API Gateway is tightened from `*` to the actual CloudFront distribution domain, and `serverSideTokenCheck` on the Cognito Identity Pool is flipped to `true`. Small changes, but CORS wildcards are the kind of default that survives indefinitely if not addressed explicitly.
The docs bucket CORS was initially set to allowedOrigins: ['*'] with a comment saying it would be tightened post-deploy. 685c7ad does that tightening: the CORS rule is moved off the Bucket constructor (which runs before the CloudFront distribution exists) and applied via CDK's L1 escape hatch (cfnDocsBucket.corsConfiguration) so it can reference this.distribution.distributionDomainName as a CloudFormation token resolved at deploy time.
The frontendUrl prop on ApiStack is made required (non-optional string) and defaultCorsPreflightOptions.allowOrigins is set to [props.frontendUrl] rather than Cors.ALL_ORIGINS. A separate commit (54937c3) catches a regression where allowOrigins had reverted to ALL_ORIGINS after an unrelated change.
serverSideTokenCheck: true on the Identity Pool means Cognito validates the token against its own token revocation list. The Identity Pool itself is removed in a later commit when uploads switch to backend-issued presigned URLs, so this setting becomes moot - but the pattern of enabling server-side checks is still the right default.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?