aws-cognito-srp 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9d319dfe478786e4bda431aa7d660c10944737a7d66e95c8c253ab5ec75f691
-  data.tar.gz: 3741cfe9072feea72cc50d5c41ed5f5111cf9f28df32eaeefdd223908e00e880
+  metadata.gz: 9c65852b802463a1355306ddc14aa7d02050a5ff1d4ce2eecd438da11080750a
+  data.tar.gz: 1c411e617dc503d003aa87b0b0ad0df108a54956728e03cc7df59e3323f3fbfc
 SHA512:
-  metadata.gz: f6f713236d8e76dd635dda2a2437393d7a2b0b009e1f148bf138e53791cf0a1d90e077ffedc7a880f0caf878ab4d493ace2194a43d84b5c96bffcab8c07c5ba2
-  data.tar.gz: d28cb221df9702987bf37c1f7b1c4fd12af4b74182834435e8ca7833ffc3ad7ba772b3564c883d26d069af167abfa955bc42703d622a794762050617c6077eaa
+  metadata.gz: 738a3d93b4cbc91785e28de959f5c2d62db66aa38c896bff6364a5c4073d3d8e7af717974c075bf6f17ed133769d12c0d958a67e2ded67f58b183e1f6d8a3388
+  data.tar.gz: fe75c97fc0ad291d7503a9f8e8b4b494cdd724315fdaf8e8b244689d834394edc764dc625ddbdc30a5a88cc3cd52720645b58ac3a738b1ac8ae28613891e68cd

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Changelog for aws-cognito-srp-ruby
 
-### [0.1.0] - 2021-09-17
+### 0.2.0 (September 20, 2021)
+
+* Added custom exception classes and better error messages
+
+### 0.1.0 (Septembre 17, 2021)
 
 * Initial release

data/README.md

@@ -1,5 +1,8 @@
 # Aws::CognitoSrp for Ruby
 
+[![Gem Version](https://badge.fury.io/rb/aws-cognito-srp.svg?style=flat)](https://rubygems.org/gems/aws-cognito-srp)
+<!--![CI](https://github.com/pilaf/aws-cognito-srp-ruby/workflows/Ruby/badge.svg)-->
+
 An unofficial Ruby library implementing
 [AWS Cognito's SRP authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow).
 
@@ -32,6 +35,10 @@ aws_srp = Aws::CognitoSrp.new(
 aws_srp.authenticate
 ```
 
+## TODO
+
+[ ] Add specs
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. You can

data/lib/aws/cognito_srp/errors.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "aws/cognito_srp/errors"
+
+module Aws
+  class CognitoSrp
+    class Error < ::RuntimeError; end
+    class UnexpectedChallenge < Error; end
+    class NewPasswordRequired < Error; end
+    class ValueError < Error; end
+  end
+end

data/lib/aws/cognito_srp/version.rb

@@ -2,6 +2,6 @@
 
 module Aws
   class CognitoSrp
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/lib/aws/cognito_srp.rb

@@ -1,10 +1,14 @@
 # frozen_string_literal: true
 
 require "aws-sdk-cognitoidentityprovider"
-require "aws/cognito_srp/version"
 
 require "openssl"
 require "digest"
+require "securerandom"
+require "base64"
+
+require "aws/cognito_srp/version"
+require "aws/cognito_srp/errors"
 
 module Aws
   # Client for AWS Cognito Identity Provider using Secure Remote Password (SRP).
@@ -77,7 +81,9 @@ module Aws
         }
       )
 
-      raise unless init_auth_response.challenge_name == PASSWORD_VERIFIER
+      unless init_auth_response.challenge_name == PASSWORD_VERIFIER
+        raise UnexpectedChallenge, "Expected Cognito to respond with a #{PASSWORD_VERIFIER} challenge, got #{init_auth_response.challenge_name} instead"
+      end
 
       challenge_response = process_challenge(init_auth_response.challenge_parameters)
 
@@ -87,7 +93,9 @@ module Aws
         challenge_responses: challenge_response
       )
 
-      raise "new password required" if auth_response.challenge_name == NEW_PASSWORD_REQUIRED
+      if auth_response.challenge_name == NEW_PASSWORD_REQUIRED
+        raise NewPasswordRequired, "Cognito responded to password verifier with a #{NEW_PASSWORD_REQUIRED} challenge"
+      end
 
       auth_response.authentication_result
     end
@@ -101,18 +109,14 @@ module Aws
 
     def calculate_a
       big_a = @g.pow(@small_a_value, @big_n)
-      if big_a % @big_n == 0
-        raise "Safety check for A failed"
-      end
-
+      raise ValueError, "Safety check for A failed" if big_a % @big_n == 0
       big_a
     end
 
     def get_password_authentication_key(username, password, server_b_value, salt)
       u_value = calculate_u(@large_a_value, server_b_value)
-      if u_value == 0
-        raise "U cannot be zero."
-      end
+
+      raise ValueError, "U cannot be zero" if u_value == 0
 
       username_password = "#{@pool_id.split("_")[1]}#{username}:#{password}"
       username_password_hash = hash_sha256(username_password)
@@ -121,8 +125,7 @@ module Aws
       g_mod_pow_xn = @g.pow(x_value, @big_n)
       int_value2 = server_b_value - @k * g_mod_pow_xn
       s_value = int_value2.pow(@small_a_value + u_value * x_value, @big_n)
-      hkdf = compute_hkdf(hex_to_bytes(pad_hex(s_value)), hex_to_bytes(pad_hex(long_to_hex(u_value))))
-      hkdf
+      compute_hkdf(hex_to_bytes(pad_hex(s_value)), hex_to_bytes(pad_hex(long_to_hex(u_value))))
     end
 
     def process_challenge(challenge_parameters)
@@ -131,24 +134,24 @@ module Aws
       srp_b_hex = challenge_parameters.fetch("SRP_B")
       secret_block_b64 = challenge_parameters.fetch("SECRET_BLOCK")
 
-      timestamp = Time.now.utc.strftime("%a %b %-d %H:%M:%S %Z %Y")
+      timestamp = ::Time.now.utc.strftime("%a %b %-d %H:%M:%S %Z %Y")
 
       hkdf = get_password_authentication_key(user_id_for_srp, @password, srp_b_hex.to_i(16), salt_hex)
-      secret_block_bytes = Base64.strict_decode64(secret_block_b64)
+      secret_block_bytes = ::Base64.strict_decode64(secret_block_b64)
       msg = @pool_id.split("_")[1] + user_id_for_srp + secret_block_bytes + timestamp
-      hmac_digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), hkdf, msg)
-      signature_string = Base64.strict_encode64(hmac_digest).force_encoding('utf-8')
+      hmac_digest = ::OpenSSL::HMAC.digest(::OpenSSL::Digest::SHA256.new, hkdf, msg)
+      signature_string = ::Base64.strict_encode64(hmac_digest).force_encoding('utf-8')
 
       {
-        "TIMESTAMP" => timestamp,
-        "USERNAME" => user_id_for_srp,
-        "PASSWORD_CLAIM_SECRET_BLOCK" => secret_block_b64,
-        "PASSWORD_CLAIM_SIGNATURE" => signature_string
+        TIMESTAMP: timestamp,
+        USERNAME: user_id_for_srp,
+        PASSWORD_CLAIM_SECRET_BLOCK: secret_block_b64,
+        PASSWORD_CLAIM_SIGNATURE: signature_string
       }
     end
 
     def hash_sha256(buf)
-      Digest::SHA256.hexdigest(buf)
+      ::Digest::SHA256.hexdigest(buf)
     end
 
     def hex_hash(hex_string)
@@ -172,16 +175,12 @@ module Aws
     end
 
     def get_random(nbytes)
-      random_hex = bytes_to_hex(SecureRandom.bytes(nbytes))
+      random_hex = bytes_to_hex(::SecureRandom.bytes(nbytes))
       hex_to_long(random_hex)
     end
 
     def pad_hex(long_int)
-      hash_str = if long_int.is_a?(String)
-        long_int
-      else
-        long_to_hex(long_int)
-      end
+      hash_str = long_int.is_a?(::String) ? long_int : long_to_hex(long_int)
 
       if hash_str.size % 2 == 1
         hash_str = "0#{hash_str}"
@@ -193,9 +192,9 @@ module Aws
     end
 
     def compute_hkdf(ikm, salt)
-      prk = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), salt, ikm)
+      prk = ::OpenSSL::HMAC.digest(::OpenSSL::Digest::SHA256.new, salt, ikm)
       info_bits_update = INFO_BITS + 1.chr.force_encoding('utf-8')
-      hmac_hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), prk, info_bits_update)
+      hmac_hash = ::OpenSSL::HMAC.digest(::OpenSSL::Digest::SHA256.new, prk, info_bits_update)
       hmac_hash[0, 16]
     end
 
@@ -205,4 +204,3 @@ module Aws
     end
   end
 end
-

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-cognito-srp
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Jonathan Viney
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-17 00:00:00.000000000 Z
+date: 2021-09-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cognitoidentityprovider
@@ -88,6 +88,7 @@ files:
 - bin/setup
 - lib/aws-cognito-srp.rb
 - lib/aws/cognito_srp.rb
+- lib/aws/cognito_srp/errors.rb
 - lib/aws/cognito_srp/version.rb
 - lib/aws_cognito_srp.rb
 homepage: https://github.com/pilaf/aws-cognito-srp-ruby