dropthejase rips out Supabase auth for Cognito

A full identity rebuild on AWS, with optional multi-factor login and a delete flow built for compliance.

security, compliance

The team has swapped Supabase, the all-in-one backend service that handled login, for Amazon Cognito, AWS's native identity system. Sign-up now requires email verification, login can be protected with an authenticator-app (TOTP) code, and every request to the backend is checked by API Gateway's native Cognito authorizer rather than a custom Lambda authorizer.

The more interesting move is around account deletion. When a user closes their account, the fork purges all of their data first, then removes the identity record - in that order, synchronously. That sequencing matters for anyone fielding right-to-be-forgotten requests, because it means there is no window where the login is gone but the underlying data still lingers.

So what: Worth a look for any legal-tech team on AWS that needs a defensible answer to 'what happens when a client asks us to delete their account?'
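The purge-then-delete ordering described above, sketched as an added example (not code from the fork). The handler shape, `purgeUserData`, `adminDeleteUser`, the claim names read from the authorizer and all sample values are assumptions; in a real Lambda `adminDeleteUser` would wrap the SDK's `AdminDeleteUserCommand`.

```javascript
// Added example: hypothetical DELETE /user/account handler with injected dependencies.
// purgeUserData and adminDeleteUser are assumed helpers, not the fork's own functions.
function makeDeleteAccountHandler({ purgeUserData, adminDeleteUser, userPoolId }) {
  return async function handler(event) {
    // Identity comes only from the API Gateway Cognito authorizer claims,
    // never from the request body or query string.
    const claims = event?.requestContext?.authorizer?.claims;
    const userId = claims?.sub;
    const username = claims?.["cognito:username"];
    if (!userId || !username) return { statusCode: 401, body: "unauthenticated" };

    try {
      // Step 1: purge application data. Must be idempotent so a retry is safe.
      await purgeUserData(userId);
    } catch (err) {
      // Data still exists, so the login must survive for the user to retry.
      return { statusCode: 500, body: "data purge failed; account not deleted" };
    }
    try {
      // Step 2: only now remove the identity record.
      await adminDeleteUser({ UserPoolId: userPoolId, Username: username });
    } catch (err) {
      // Data is gone but the login remains: the safe direction. A retry re-runs both steps.
      return { statusCode: 502, body: "identity removal failed; retry" };
    }
    return { statusCode: 204, body: "" };
  };
}

// Constructed demo: in-memory stand-ins for the database and the user pool.
async function runDemo({ failPurge = false } = {}) {
  const calls = [];
  const handler = makeDeleteAccountHandler({
    userPoolId: "POOL_ID_PLACEHOLDER",
    purgeUserData: async (id) => {
      if (failPurge) throw new Error("db unavailable");
      calls.push(`purge:${id}`);
    },
    adminDeleteUser: async ({ Username }) => { calls.push(`cognito:${Username}`); },
  });
  const event = { requestContext: { authorizer: { claims: {
    sub: "constructed-sub-123", "cognito:username": "constructed-user" } } } };
  const res = await handler(event);
  return { statusCode: res.statusCode, calls };
}
```

If the purge fails, the identity call is never made, so the only partial state the handler can leave behind is "data gone, login still present", which a retry resolves.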


Commits in this thread

25 commits from dropthejase/louis, oldest first. Source extracted verbatim from the harvested git log.

| SHA | Subject | Author | Date |
| --- | --- | --- | --- |
| 0ae592f4 | feat(infra): add AuthStack with Identity Pool, Lambda authorizer, per-user S3 policy | Jason Lee | 2026-05-06 |
| 2d294a87 | feat(infra): add pre-token-gen Lambda for Cognito role claim injection | Jason Lee | 2026-05-07 |
| 810abdef | feat(infra): Cognito User Pool (TOTP MFA, strong passwords, required attrs); native API Gateway Cognito authorizer | Jason Lee | 2026-05-07 |
| d6dbb5ef | chore(infra): delete unused Lambda Token authorizer | Jason Lee | 2026-05-07 |
| c95ee849 | feat(backend): read userId from Cognito authorizer claims instead of Lambda context | Jason Lee | 2026-05-07 |
| dfd69c1b | feat(frontend): Amplify Auth module; update Identity Pool to use Cognito id token | Jason Lee | 2026-05-08 |
| 559f50b7 | feat(frontend): rewrite AuthContext and AwsContext to use Amplify Auth instead of supabase.auth | Jason Lee | 2026-05-08 |
| 358951f9 | feat(frontend): replace supabase.auth.getSession() with getIdToken() across all callers | Jason Lee | 2026-05-08 |
| 99aa05a4 | feat(frontend): signup page with email verification and TOTP MFA setup flow | Jason Lee | 2026-05-08 |
| 67850660 | feat(frontend): login page using Amplify signIn | Jason Lee | 2026-05-08 |
| 28290d3c | feat(task-13): env vars, replace supabase direct query with backend session-id endpoint | Jason Lee | 2026-05-08 |
| f99ecb08 | docs: update README and ARCHITECTURE for Cognito User Pool auth migration | Jason Lee | 2026-05-08 |
| 396019f8 | docs: redraw architecture diagram to show Cognito User Pool, Pre-Token Gen Lambda, Identity Pool | Jason Lee | 2026-05-08 |
| fe40ca91 | feat(auth): post-confirmation and post-deletion lambdas, move supabase secret to AuthStack | Jason Lee | 2026-05-08 |
| ce910c1e | feat: replace Supabase deleteUser with Cognito AdminDeleteUser | Jason Lee | 2026-05-08 |
| | DELETE /user/account now calls AdminDeleteUserCommand. Lambda role gets cognito-idp:AdminDeleteUser on the user pool ARN. USER_POOL_ID injected as Lambda env var from CDK. | | |
| 5e6962d9 | Remove pre-token-gen Lambda (Supabase RLS role claim, unused on Aurora) | Jason Lee | 2026-05-08 |
| 2847ef2b | fix(backend): cascade delete user data before Cognito AdminDeleteUser | Jason Lee | 2026-05-08 |
| 30088221 | feat(infra): store email in user_profiles on Cognito post-confirmation | Jason Lee | 2026-05-08 |
| 7b649fc4 | Remove post-deletion Lambda (redundant - DELETE /user/account already cascades synchronously) | Jason Lee | 2026-05-08 |
| 0a1d1a51 | Merge feature/cognito-auth: AWS migration complete (Aurora, AgentCore, Cognito) | Jason Lee | 2026-05-09 |
| 943914bd | chore: disable TOTP MFA on Cognito User Pool | Jason Lee | 2026-05-09 |
| 95d538d8 | fix: use access token for AgentCore calls (id token missing client_id claim) | Jason Lee | 2026-05-11 |
| ecc808c6 | fix: remove allowedAudience from AgentCore JWT authorizer config | Jason Lee | 2026-05-11 |
| fdffba97 | docs(readme): add MFA configuration note | Jason Lee | 2026-05-15 |
| 7d621a00 | feat(auth): enable optional TOTP MFA on Cognito User Pool | Jason Lee | 2026-05-15 |
