aws-cognito-srp 0.3.0.1 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 180b657b77c00d5651c02440ac1c269fcf0ff0c0cfed35deb13224ea225585dc
-  data.tar.gz: 776b06f5fced0c6c96d0fbc3a02810f11273ebc4e28e00199108dac461774cfd
+  metadata.gz: 929d703154eb252230b0ec365cf85bb59e632e62a335bcf63d81c0168f6fe3d3
+  data.tar.gz: 2b857f9bcf58f8363eae7ad056de998758bfaf6458ca478d41e4398b57d34a11
 SHA512:
-  metadata.gz: 56237ee2ed291d3a0a636f75ca9be3762444e8e18b989b75505d9d8a1c67ec1e3574e275ea83fb0b4d2fd873c524297a6280d03ffd93e19f88ddaaadef24f38b
-  data.tar.gz: de22d3f26a0e34adab3acafc37e8822601565aaef64bfeff9a39a29d69dfc67784421f5dc1458c8424cf78930bf92bf6ee7c0ae2c888e4f03bd8718b2a347520
+  metadata.gz: 5763f4fac8412527c21ecfb3ae0e283e4cf7be33fc5eadbc94325c83b1b0aa91d34cfc86ebad7895c9f1e1fad93e8c7f8f0f08180f4219d4f78e1ff63d9cf0c1
+  data.tar.gz: 13e4d566a91689460b4aca21d48b73a3655d336dfc3e07e0e8c505b107606489581b720d045c72e0ebc2aea27d59a79c76eeba5cb3be77965818b69cb259f10d

data/.github/workflows/ci.yml

@@ -7,14 +7,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: [2.3, 2.4, 2.5, 2.6, 2.7, '3.0']
+        os: [ubuntu-latest, macos-latest]
+        ruby: [2.4, 2.5, 2.6, 2.7, '3.0', 3.1, 3.2, jruby, truffleruby]
 
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
 
-    name: Test against Ruby ${{ matrix.ruby }}
+    name: Test against ${{ matrix.ruby }} on ${{ matrix.os }}
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## Changelog for aws-cognito-srp-ruby
 
+### 0.5.0 (February 14❤︎, 2023)
+
+* Added support for `client_secret`
+
+### 0.4.0 (October 1, 2021)
+
+* Added `refresh_tokens` method
+
 ### 0.3.0 (September 29, 2021)
 
 * Added support for Ruby 2.4 and 2.3

data/README.md

@@ -25,11 +25,12 @@ gem 'aws-cognito-srp'
 require "aws-cognito-srp"
 
 aws_srp = Aws::CognitoSrp.new(
-  username:   "username",
-  password:   "password",
-  pool_id:    "pool-id",
-  client_id:  "client-id",
-  aws_client: Aws::CognitoIdentityProvider::Client.new(region: "aws-region")
+  username:      "username",
+  password:      "password",
+  pool_id:       "pool-id",
+  client_id:     "client-id",
+  client_secret: "client-secret", # Optional
+  aws_client:    Aws::CognitoIdentityProvider::Client.new(region: "aws-region")
 )
 
 resp = aws_srp.authenticate
@@ -38,11 +39,29 @@ resp = aws_srp.authenticate
 resp.id_token
 resp.access_token
 resp.refresh_token
+
+# A few hours later ... ⌛️
+
+new_tokens = aws_srp.refresh_tokens(resp.refresh_token)
+```
+
+In case you need access to the `USER_ID_FOR_SRP` value from the auth response,
+you can do so by calling `aws_srp.user_id_for_srp` *after* the initial auth
+(`aws_srp` being the same as in the code example above).
+
+If you're using a `client_secret` and calling `#refresh_tokens` in a different
+instance than the one that performed the initial call to `#authenticate` you
+will have to pass the `USER_ID_FOR_SRP` value as a keyword argument:
+
+```ruby
+new_tokens = aws_srp.refresh_token(resp.refresh_token,
+                                   user_id_for_srp: your_user_id_for_srp)
 ```
 
 ## Supported rubies
 
-This gem is tested against and supports Ruby 2.3, 2.4, 2.5, 2.6, 2.7 and 3.0.
+This gem is tested against and supports Ruby 2.4 through 3.2, JRuby and
+TruffleRuby.
 
 ## Development
 

data/aws-cognito-srp.gemspec

@@ -20,11 +20,13 @@ Gem::Specification.new do |spec|
   end
   spec.require_paths = ["lib"]
 
+  spec.required_ruby_version = '>= 2.4.0'
+
   spec.add_dependency "aws-sdk-cognitoidentityprovider"
 
-  spec.add_development_dependency "bundler", "~> 2.2.0"
+  spec.add_development_dependency "bundler", "~> 2.2"
   spec.add_development_dependency "rake", "~> 13.0"
-  spec.add_development_dependency "ox", "~> 2.14.0"
+  spec.add_development_dependency "nokogiri", "~> 1.9"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency "pry"
 

data/lib/aws/cognito_srp/version.rb

@@ -2,9 +2,6 @@
 
 module Aws
   class CognitoSrp
-    VERSION = "0.3.0.1"
-    #                ^
-    # NOTE: the fourth version number is just temporary to reflect an update to
-    # the gemspec (with no functional changes), remove it in next version bump
+    VERSION = "0.5.0"
   end
 end

data/lib/aws/cognito_srp.rb

@@ -24,19 +24,6 @@ if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5")
   using IntegerWithPow
 end
 
-if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.4")
-  module StringWithUnpack1
-    refine String do
-      # String#unpack1 was introduced in Ruby 2.4
-      def unpack1(fmt)
-        unpack(fmt)[0]
-      end
-    end
-  end
-
-  using StringWithUnpack1
-end
-
 module Aws
   # Client for AWS Cognito Identity Provider using Secure Remote Password (SRP).
   #
@@ -59,9 +46,10 @@ module Aws
   #   aws_srp.authenticate
   #
   class CognitoSrp
-    USER_SRP_AUTH = "USER_SRP_AUTH"
-    PASSWORD_VERIFIER = "PASSWORD_VERIFIER"
     NEW_PASSWORD_REQUIRED = "NEW_PASSWORD_REQUIRED"
+    PASSWORD_VERIFIER = "PASSWORD_VERIFIER"
+    REFRESH_TOKEN = "REFRESH_TOKEN"
+    USER_SRP_AUTH = "USER_SRP_AUTH"
 
     N_HEX = %w(
       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
@@ -84,12 +72,15 @@ module Aws
 
     INFO_BITS = 'Caldera Derived Key'
 
-    def initialize(username:, password:, pool_id:, client_id:, aws_client:)
+    attr_reader :user_id_for_srp
+
+    def initialize(username:, password:, pool_id:, client_id:, aws_client:, client_secret: nil)
       @username = username
       @password = password
       @pool_id = pool_id
       @client_id = client_id
       @aws_client = aws_client
+      @client_secret = client_secret
 
       @big_n = hex_to_long(N_HEX)
       @g = hex_to_long(G_HEX)
@@ -99,13 +90,16 @@ module Aws
     end
 
     def authenticate
+      auth_parameters = {
+        USERNAME: @username,
+        SRP_A: long_to_hex(@large_a_value),
+        SECRET_HASH: @client_secret && secret_hash(@username)
+      }.compact
+
       init_auth_response = @aws_client.initiate_auth(
         client_id: @client_id,
         auth_flow: USER_SRP_AUTH,
-        auth_parameters: {
-          USERNAME: @username,
-          SRP_A: long_to_hex(@large_a_value)
-        }
+        auth_parameters: auth_parameters
       )
 
       unless init_auth_response.challenge_name == PASSWORD_VERIFIER
@@ -113,12 +107,15 @@ module Aws
       end
 
       challenge_response = process_challenge(init_auth_response.challenge_parameters)
+      hash = @client_secret && secret_hash(@user_id_for_srp)
 
-      auth_response = @aws_client.respond_to_auth_challenge(
+      params = {
         client_id: @client_id,
         challenge_name: PASSWORD_VERIFIER,
-        challenge_responses: challenge_response
-      )
+        challenge_responses: challenge_response.merge(SECRET_HASH: hash).compact
+      }
+
+      auth_response = @aws_client.respond_to_auth_challenge(params)
 
       if auth_response.challenge_name == NEW_PASSWORD_REQUIRED
         raise NewPasswordRequired, "Cognito responded to password verifier with a #{NEW_PASSWORD_REQUIRED} challenge"
@@ -127,6 +124,22 @@ module Aws
       auth_response.authentication_result
     end
 
+    def refresh_tokens(refresh_token, user_id_for_srp: @user_id_for_srp)
+      auth_parameters = {
+        REFRESH_TOKEN: refresh_token,
+        SECRET_HASH: @client_secret && secret_hash(user_id_for_srp)
+      }.compact
+
+      resp = @aws_client.initiate_auth(
+        client_id: @client_id,
+        auth_flow: REFRESH_TOKEN,
+        auth_parameters: auth_parameters
+      )
+
+      resp.authentication_result
+    end
+    alias_method :refresh, :refresh_tokens
+
     private
 
     def generate_random_small_a
@@ -156,22 +169,22 @@ module Aws
     end
 
     def process_challenge(challenge_parameters)
-      user_id_for_srp = challenge_parameters.fetch("USER_ID_FOR_SRP")
+      @user_id_for_srp = challenge_parameters.fetch("USER_ID_FOR_SRP")
       salt_hex = challenge_parameters.fetch("SALT")
       srp_b_hex = challenge_parameters.fetch("SRP_B")
       secret_block_b64 = challenge_parameters.fetch("SECRET_BLOCK")
 
       timestamp = ::Time.now.utc.strftime("%a %b %-d %H:%M:%S %Z %Y")
 
-      hkdf = get_password_authentication_key(user_id_for_srp, @password, srp_b_hex.to_i(16), salt_hex)
+      hkdf = get_password_authentication_key(@user_id_for_srp, @password, srp_b_hex.to_i(16), salt_hex)
       secret_block_bytes = ::Base64.strict_decode64(secret_block_b64)
-      msg = @pool_id.split("_")[1] + user_id_for_srp + secret_block_bytes + timestamp
+      msg = @pool_id.split("_")[1] + @user_id_for_srp + secret_block_bytes + timestamp
       hmac_digest = ::OpenSSL::HMAC.digest(::OpenSSL::Digest::SHA256.new, hkdf, msg)
       signature_string = ::Base64.strict_encode64(hmac_digest).force_encoding('utf-8')
 
       {
         TIMESTAMP: timestamp,
-        USERNAME: user_id_for_srp,
+        USERNAME: @user_id_for_srp,
         PASSWORD_CLAIM_SECRET_BLOCK: secret_block_b64,
         PASSWORD_CLAIM_SIGNATURE: signature_string
       }
@@ -228,5 +241,9 @@ module Aws
       u_hex_hash = hex_hash(pad_hex(big_a) + pad_hex(big_b))
       hex_to_long(u_hex_hash)
     end
+
+    def secret_hash(username)
+      Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', @client_secret, username + @client_id))
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-cognito-srp
 version: !ruby/object:Gem::Version
-  version: 0.3.0.1
+  version: 0.5.0
 platform: ruby
 authors:
 - Jonathan Viney
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-01 00:00:00.000000000 Z
+date: 2023-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cognitoidentityprovider
@@ -32,14 +32,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -55,19 +55,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '13.0'
 - !ruby/object:Gem::Dependency
-  name: ox
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.14.0
+        version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.14.0
+        version: '1.9'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -132,14 +132,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: AWS Cognito SRP auth for Ruby