aws-cognito-srp 0.1.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9d319dfe478786e4bda431aa7d660c10944737a7d66e95c8c253ab5ec75f691
-  data.tar.gz: 3741cfe9072feea72cc50d5c41ed5f5111cf9f28df32eaeefdd223908e00e880
+  metadata.gz: 6000777b1471345bf83ef454e2147786b46c8960218729c0ef9b33d05bc08634
+  data.tar.gz: 5b28a08b3614d6dbe6f05a1bc25fd54200a8c90bb6fe8e3a24f97e4afc1bbe80
 SHA512:
-  metadata.gz: f6f713236d8e76dd635dda2a2437393d7a2b0b009e1f148bf138e53791cf0a1d90e077ffedc7a880f0caf878ab4d493ace2194a43d84b5c96bffcab8c07c5ba2
-  data.tar.gz: d28cb221df9702987bf37c1f7b1c4fd12af4b74182834435e8ca7833ffc3ad7ba772b3564c883d26d069af167abfa955bc42703d622a794762050617c6077eaa
+  metadata.gz: d1e507ab4e5a8ce39647a2699ad1bac52a62352c6b2a04d2eb47b12954ae8c8a1f86f26c457583c13f84200064620cbf938381894d302a457b7a2c0468f5f26e
+  data.tar.gz: 3714f171b5527ed457d2c05e0ff5aece5f96d572e9f48e4fa6412b9cedad85d69ac54432b7e719f7afe0406aa7d135562b0f7446d705d0a4a494f22c48a45bd4

data/.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: CI
+
+on: [push,pull_request]
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [2.3, 2.4, 2.5, 2.6, 2.7, '3.0']
+
+    runs-on: ubuntu-latest
+
+    name: Test against Ruby ${{ matrix.ruby }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install --jobs 4 --retry 3
+    - name: Run specs
+      run: bundle exec rspec spec --backtrace

data/.rspec

@@ -0,0 +1 @@
+--require spec_helper

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 ## Changelog for aws-cognito-srp-ruby
 
-### [0.1.0] - 2021-09-17
+### 0.4.0 (October 1, 2021)
+
+* Added `refresh_tokens` method
+
+### 0.3.0 (September 29, 2021)
+
+* Added support for Ruby 2.4 and 2.3
+
+### 0.2.0 (September 20, 2021)
+
+* Added custom exception classes and better error messages
+
+### 0.1.0 (Septembre 17, 2021)
 
 * Initial release

data/README.md

@@ -1,5 +1,8 @@
 # Aws::CognitoSrp for Ruby
 
+[![Gem Version](https://badge.fury.io/rb/aws-cognito-srp.svg?style=flat)](https://rubygems.org/gems/aws-cognito-srp)
+![CI](https://github.com/beezwax/aws-cognito-srp-ruby/workflows/CI/badge.svg)
+
 An unofficial Ruby library implementing
 [AWS Cognito's SRP authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow).
 
@@ -26,12 +29,25 @@ aws_srp = Aws::CognitoSrp.new(
   password:   "password",
   pool_id:    "pool-id",
   client_id:  "client-id",
-  aws_client: Aws::CognitoIdentityProvider::Client.new(region: "ap-southeast-2")
+  aws_client: Aws::CognitoIdentityProvider::Client.new(region: "aws-region")
 )
 
-aws_srp.authenticate
+resp = aws_srp.authenticate
+
+# Read tokens
+resp.id_token
+resp.access_token
+resp.refresh_token
+
+# A few hours later ... ⌛️
+
+new_tokens = aws_srp.refresh_tokens(resp.refresh_token)
 ```
 
+## Supported rubies
+
+This gem is tested against and supports Ruby 2.3, 2.4, 2.5, 2.6, 2.7 and 3.0.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. You can
@@ -47,4 +63,11 @@ git commits and the created tag, and push the `.gem` file to
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at
-https://github.com/pilaf/aws-cognito-srp-ruby
+https://github.com/beezwax/aws-cognito-srp-ruby
+
+## Disclaimer
+
+This project is not sponsored by or otherwise affiliated with Amazon Web
+Services, Inc., an Amazon.com, Inc. subsidiary. AWS and Amazon Cognito are
+trademarks of Amazon.com, Inc., or its affiliates in the United States and/or
+other countries.

data/aws-cognito-srp.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
 
   spec.summary       = "AWS Cognito SRP auth for Ruby"
   spec.description   = "Unofficial Ruby library implementing AWS Cognito's SRP authentication flow"
-  spec.homepage      = "https://github.com/pilaf/aws-cognito-srp-ruby"
+  spec.homepage      = "https://github.com/beezwax/aws-cognito-srp-ruby"
   spec.license       = "MIT"
 
   # Specify which files should be added to the gem when it is released.
@@ -25,6 +25,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 2.2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "ox", "~> 2.14.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "pry"
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

data/lib/aws/cognito_srp/errors.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "aws/cognito_srp/errors"
+
+module Aws
+  class CognitoSrp
+    class Error < ::RuntimeError; end
+    class UnexpectedChallenge < Error; end
+    class NewPasswordRequired < Error; end
+    class ValueError < Error; end
+  end
+end

data/lib/aws/cognito_srp/version.rb

@@ -2,6 +2,6 @@
 
 module Aws
   class CognitoSrp
-    VERSION = "0.1.0"
+    VERSION = "0.4.0"
   end
 end

data/lib/aws/cognito_srp.rb

@@ -1,10 +1,41 @@
 # frozen_string_literal: true
 
 require "aws-sdk-cognitoidentityprovider"
-require "aws/cognito_srp/version"
 
 require "openssl"
 require "digest"
+require "securerandom"
+require "base64"
+
+require "aws/cognito_srp/version"
+require "aws/cognito_srp/errors"
+
+if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5")
+  module IntegerWithPow
+    refine Integer do
+      # Integer#pow was introduced in Ruby 2.5
+      # Use OpenSSL's modular exponentiation in older Rubies
+      def pow(b, m)
+        self.to_bn.mod_exp(b, m).to_i
+      end
+    end
+  end
+
+  using IntegerWithPow
+end
+
+if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.4")
+  module StringWithUnpack1
+    refine String do
+      # String#unpack1 was introduced in Ruby 2.4
+      def unpack1(fmt)
+        unpack(fmt)[0]
+      end
+    end
+  end
+
+  using StringWithUnpack1
+end
 
 module Aws
   # Client for AWS Cognito Identity Provider using Secure Remote Password (SRP).
@@ -28,9 +59,10 @@ module Aws
   #   aws_srp.authenticate
   #
   class CognitoSrp
-    USER_SRP_AUTH = "USER_SRP_AUTH"
-    PASSWORD_VERIFIER = "PASSWORD_VERIFIER"
     NEW_PASSWORD_REQUIRED = "NEW_PASSWORD_REQUIRED"
+    PASSWORD_VERIFIER = "PASSWORD_VERIFIER"
+    REFRESH_TOKEN = "REFRESH_TOKEN"
+    USER_SRP_AUTH = "USER_SRP_AUTH"
 
     N_HEX = %w(
       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
@@ -77,7 +109,9 @@ module Aws
         }
       )
 
-      raise unless init_auth_response.challenge_name == PASSWORD_VERIFIER
+      unless init_auth_response.challenge_name == PASSWORD_VERIFIER
+        raise UnexpectedChallenge, "Expected Cognito to respond with a #{PASSWORD_VERIFIER} challenge, got #{init_auth_response.challenge_name} instead"
+      end
 
       challenge_response = process_challenge(init_auth_response.challenge_parameters)
 
@@ -87,11 +121,26 @@ module Aws
         challenge_responses: challenge_response
       )
 
-      raise "new password required" if auth_response.challenge_name == NEW_PASSWORD_REQUIRED
+      if auth_response.challenge_name == NEW_PASSWORD_REQUIRED
+        raise NewPasswordRequired, "Cognito responded to password verifier with a #{NEW_PASSWORD_REQUIRED} challenge"
+      end
 
       auth_response.authentication_result
     end
 
+    def refresh_tokens(refresh_token)
+      resp = @aws_client.initiate_auth(
+        client_id: @client_id,
+        auth_flow: REFRESH_TOKEN,
+        auth_parameters: {
+          REFRESH_TOKEN: refresh_token
+        }
+      )
+
+      resp.authentication_result
+    end
+    alias_method :refresh, :refresh_tokens
+
     private
 
     def generate_random_small_a
@@ -101,18 +150,14 @@ module Aws
 
     def calculate_a
       big_a = @g.pow(@small_a_value, @big_n)
-      if big_a % @big_n == 0
-        raise "Safety check for A failed"
-      end
-
+      raise ValueError, "Safety check for A failed" if big_a % @big_n == 0
       big_a
     end
 
     def get_password_authentication_key(username, password, server_b_value, salt)
       u_value = calculate_u(@large_a_value, server_b_value)
-      if u_value == 0
-        raise "U cannot be zero."
-      end
+
+      raise ValueError, "U cannot be zero" if u_value == 0
 
       username_password = "#{@pool_id.split("_")[1]}#{username}:#{password}"
       username_password_hash = hash_sha256(username_password)
@@ -121,8 +166,7 @@ module Aws
       g_mod_pow_xn = @g.pow(x_value, @big_n)
       int_value2 = server_b_value - @k * g_mod_pow_xn
       s_value = int_value2.pow(@small_a_value + u_value * x_value, @big_n)
-      hkdf = compute_hkdf(hex_to_bytes(pad_hex(s_value)), hex_to_bytes(pad_hex(long_to_hex(u_value))))
-      hkdf
+      compute_hkdf(hex_to_bytes(pad_hex(s_value)), hex_to_bytes(pad_hex(long_to_hex(u_value))))
     end
 
     def process_challenge(challenge_parameters)
@@ -131,24 +175,24 @@ module Aws
       srp_b_hex = challenge_parameters.fetch("SRP_B")
       secret_block_b64 = challenge_parameters.fetch("SECRET_BLOCK")
 
-      timestamp = Time.now.utc.strftime("%a %b %-d %H:%M:%S %Z %Y")
+      timestamp = ::Time.now.utc.strftime("%a %b %-d %H:%M:%S %Z %Y")
 
       hkdf = get_password_authentication_key(user_id_for_srp, @password, srp_b_hex.to_i(16), salt_hex)
-      secret_block_bytes = Base64.strict_decode64(secret_block_b64)
+      secret_block_bytes = ::Base64.strict_decode64(secret_block_b64)
       msg = @pool_id.split("_")[1] + user_id_for_srp + secret_block_bytes + timestamp
-      hmac_digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), hkdf, msg)
-      signature_string = Base64.strict_encode64(hmac_digest).force_encoding('utf-8')
+      hmac_digest = ::OpenSSL::HMAC.digest(::OpenSSL::Digest::SHA256.new, hkdf, msg)
+      signature_string = ::Base64.strict_encode64(hmac_digest).force_encoding('utf-8')
 
       {
-        "TIMESTAMP" => timestamp,
-        "USERNAME" => user_id_for_srp,
-        "PASSWORD_CLAIM_SECRET_BLOCK" => secret_block_b64,
-        "PASSWORD_CLAIM_SIGNATURE" => signature_string
+        TIMESTAMP: timestamp,
+        USERNAME: user_id_for_srp,
+        PASSWORD_CLAIM_SECRET_BLOCK: secret_block_b64,
+        PASSWORD_CLAIM_SIGNATURE: signature_string
       }
     end
 
     def hash_sha256(buf)
-      Digest::SHA256.hexdigest(buf)
+      ::Digest::SHA256.hexdigest(buf)
     end
 
     def hex_hash(hex_string)
@@ -172,16 +216,11 @@ module Aws
     end
 
     def get_random(nbytes)
-      random_hex = bytes_to_hex(SecureRandom.bytes(nbytes))
-      hex_to_long(random_hex)
+      hex_to_long(bytes_to_hex(::SecureRandom.gen_random(nbytes)))
     end
 
     def pad_hex(long_int)
-      hash_str = if long_int.is_a?(String)
-        long_int
-      else
-        long_to_hex(long_int)
-      end
+      hash_str = long_int.is_a?(::String) ? long_int : long_to_hex(long_int)
 
       if hash_str.size % 2 == 1
         hash_str = "0#{hash_str}"
@@ -193,9 +232,9 @@ module Aws
     end
 
     def compute_hkdf(ikm, salt)
-      prk = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), salt, ikm)
+      prk = ::OpenSSL::HMAC.digest(::OpenSSL::Digest::SHA256.new, salt, ikm)
       info_bits_update = INFO_BITS + 1.chr.force_encoding('utf-8')
-      hmac_hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), prk, info_bits_update)
+      hmac_hash = ::OpenSSL::HMAC.digest(::OpenSSL::Digest::SHA256.new, prk, info_bits_update)
       hmac_hash[0, 16]
     end
 
@@ -205,4 +244,3 @@ module Aws
     end
   end
 end
-

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-cognito-srp
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Jonathan Viney
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-17 00:00:00.000000000 Z
+date: 2021-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cognitoidentityprovider
@@ -68,6 +68,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.14.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Unofficial Ruby library implementing AWS Cognito's SRP authentication
   flow
 email:
@@ -76,8 +104,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/main.yml"
+- ".github/workflows/ci.yml"
 - ".gitignore"
+- ".rspec"
 - CHANGELOG.md
 - Gemfile
 - LICENSE
@@ -88,9 +117,10 @@ files:
 - bin/setup
 - lib/aws-cognito-srp.rb
 - lib/aws/cognito_srp.rb
+- lib/aws/cognito_srp/errors.rb
 - lib/aws/cognito_srp/version.rb
 - lib/aws_cognito_srp.rb
-homepage: https://github.com/pilaf/aws-cognito-srp-ruby
+homepage: https://github.com/beezwax/aws-cognito-srp-ruby
 licenses:
 - MIT
 metadata: {}
@@ -109,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.0.6
 signing_key:
 specification_version: 4
 summary: AWS Cognito SRP auth for Ruby

data/.github/workflows/main.yml

@@ -1,16 +0,0 @@
-name: Ruby
-
-on: [push,pull_request]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: 3.0.0
-        bundler-cache: true
-    - name: Run the default task
-      run: bundle exec rake