aws-cognito-srp 0.4.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6000777b1471345bf83ef454e2147786b46c8960218729c0ef9b33d05bc08634
-  data.tar.gz: 5b28a08b3614d6dbe6f05a1bc25fd54200a8c90bb6fe8e3a24f97e4afc1bbe80
+  metadata.gz: 5b685bf22d6f5a6dd977e1b637f84b30fa5630b1f0e14c9e0dfb46c74273be9d
+  data.tar.gz: 1e2db6df2d70acb710906b75c119506df3608b52fd78b34e56233af2e480a6c7
 SHA512:
-  metadata.gz: d1e507ab4e5a8ce39647a2699ad1bac52a62352c6b2a04d2eb47b12954ae8c8a1f86f26c457583c13f84200064620cbf938381894d302a457b7a2c0468f5f26e
-  data.tar.gz: 3714f171b5527ed457d2c05e0ff5aece5f96d572e9f48e4fa6412b9cedad85d69ac54432b7e719f7afe0406aa7d135562b0f7446d705d0a4a494f22c48a45bd4
+  metadata.gz: 75e86769e7198362a6e12f05b0e5a137dd62ef3886e122eeb2a7d638169f6dfa856bc12bb13a12616f2663c6b78cf36bf368d615ff617e003446eca7e08372e7
+  data.tar.gz: b24ed5925052eae4de68b27ee5fe57dc14bff611576e33748362224b85929ea08a29290919e6d494a2b0ca76cd4ac4db4b073d96de86a6c1a8a51b3496b7187c

data/.github/workflows/ci.yml

@@ -7,14 +7,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: [2.3, 2.4, 2.5, 2.6, 2.7, '3.0']
+        os: [ubuntu-latest, macos-latest]
+        ruby: [2.4, 2.5, 2.6, 2.7, '3.0', 3.1, 3.2, jruby, truffleruby]
 
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
 
-    name: Test against Ruby ${{ matrix.ruby }}
+    name: Test against ${{ matrix.ruby }} on ${{ matrix.os }}
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## Changelog for aws-cognito-srp-ruby
 
+### 0.6.0 (June 20, 2023)
+
+* Added support for MFA (@suketa)
+
+### 0.5.0 (February 14❤︎, 2023)
+
+* Added support for `client_secret` (@suketa)
+
 ### 0.4.0 (October 1, 2021)
 
 * Added `refresh_tokens` method
@@ -12,6 +20,6 @@
 
 * Added custom exception classes and better error messages
 
-### 0.1.0 (Septembre 17, 2021)
+### 0.1.0 (September 17, 2021)
 
 * Initial release

data/README.md

@@ -25,11 +25,12 @@ gem 'aws-cognito-srp'
 require "aws-cognito-srp"
 
 aws_srp = Aws::CognitoSrp.new(
-  username:   "username",
-  password:   "password",
-  pool_id:    "pool-id",
-  client_id:  "client-id",
-  aws_client: Aws::CognitoIdentityProvider::Client.new(region: "aws-region")
+  username:      "username",
+  password:      "password",
+  pool_id:       "pool-id",
+  client_id:     "client-id",
+  client_secret: "client-secret", # Optional
+  aws_client:    Aws::CognitoIdentityProvider::Client.new(region: "aws-region")
 )
 
 resp = aws_srp.authenticate
@@ -44,9 +45,66 @@ resp.refresh_token
 new_tokens = aws_srp.refresh_tokens(resp.refresh_token)
 ```
 
+### `USER_ID_FOR_SRP`
+
+In case you need access to the `USER_ID_FOR_SRP` value from the auth response,
+you can do so by calling `aws_srp.user_id_for_srp` *after* the initial auth
+(`aws_srp` being the same as in the code example above).
+
+If you're using a `client_secret` and calling `#refresh_tokens` in a different
+instance than the one that performed the initial call to `#authenticate` you
+will have to pass the `USER_ID_FOR_SRP` value as a keyword argument:
+
+```ruby
+new_tokens = aws_srp.refresh_token(resp.refresh_token,
+                                   user_id_for_srp: your_user_id_for_srp)
+```
+
+### MFA (multi-factor authentication)
+
+If you're using MFA you should check for the challenge after calling
+`#authenticate` and respond accordingly with `#respond_to_mfa_challenge`.
+
+```ruby
+resp = aws_srp.authenticate
+
+if resp.respond_to?(:challenge_name) && resp.mfa_challenge?
+  user_code = get.chomp # Get MFA code from user
+
+  resp = aws_srp.respond_to_mfa_challenge(
+    user_code,
+    auth_response: resp
+  )
+end
+
+resp.id_token
+resp.access_token
+resp.refresh_token
+```
+
+Note that when `#authenticate` results in a successful authentication it
+returns a `AuthenticationResultType`
+([AWS SDK docs](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/AuthenticationResultType.html)),
+i.e. an object that responds to `#id_token`, `#access_token`, etc.
+
+However, when a MFA challenge step occurs, `#authenticate` instead returns a
+`RespondToAuthChallengeResponse` ([AWS SDK docs](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/RespondToAuthChallengeResponse.html#authentication_result-instance_method)),
+which you can check for with `.respond_to?(:challenge_name)` as in the above
+example. The `RespondToAuthChallengeResponse` object will be extended with the
+convenience methods `#mfa_challenge?`, `#software_token_mfa?` and `#sms_mfa?`.
+
+The `#respond_to_mfa_challenge` method can be called with the following
+signatures:
+
+```
+#respond_to_mfa_challenge(user_code, auth_response: [, user_id_for_srp:])
+#respond_to_mfa_challenge(user_code, challenge_name:, session: [, user_id_for_srp:])
+```
+
 ## Supported rubies
 
-This gem is tested against and supports Ruby 2.3, 2.4, 2.5, 2.6, 2.7 and 3.0.
+This gem is tested against and supports Ruby 2.4 through 3.2, JRuby and
+TruffleRuby.
 
 ## Development
 

data/aws-cognito-srp.gemspec

@@ -20,11 +20,13 @@ Gem::Specification.new do |spec|
   end
   spec.require_paths = ["lib"]
 
+  spec.required_ruby_version = '>= 2.4.0'
+
   spec.add_dependency "aws-sdk-cognitoidentityprovider"
 
-  spec.add_development_dependency "bundler", "~> 2.2.0"
+  spec.add_development_dependency "bundler", "~> 2.2"
   spec.add_development_dependency "rake", "~> 13.0"
-  spec.add_development_dependency "ox", "~> 2.14.0"
+  spec.add_development_dependency "nokogiri", "~> 1.9"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency "pry"
 

data/lib/aws/cognito_srp/challenge_response_helper.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "aws/cognito_srp/errors"
+
+module Aws
+  class CognitoSrp
+    module ChallengeResponseHelper
+      def mfa_challenge?
+        software_token_mfa? || sms_mfa?
+      end
+
+      def software_token_mfa?
+        challenge_name == SOFTWARE_TOKEN_MFA
+      end
+
+      def sms_mfa?
+        challenge_name == SMS_MFA
+      end
+    end
+  end
+end

data/lib/aws/cognito_srp/version.rb

@@ -2,6 +2,6 @@
 
 module Aws
   class CognitoSrp
-    VERSION = "0.4.0"
+    VERSION = "0.6.0"
   end
 end

data/lib/aws/cognito_srp.rb

@@ -9,6 +9,7 @@ require "base64"
 
 require "aws/cognito_srp/version"
 require "aws/cognito_srp/errors"
+require "aws/cognito_srp/challenge_response_helper"
 
 if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5")
   module IntegerWithPow
@@ -24,19 +25,6 @@ if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5")
   using IntegerWithPow
 end
 
-if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.4")
-  module StringWithUnpack1
-    refine String do
-      # String#unpack1 was introduced in Ruby 2.4
-      def unpack1(fmt)
-        unpack(fmt)[0]
-      end
-    end
-  end
-
-  using StringWithUnpack1
-end
-
 module Aws
   # Client for AWS Cognito Identity Provider using Secure Remote Password (SRP).
   #
@@ -63,6 +51,8 @@ module Aws
     PASSWORD_VERIFIER = "PASSWORD_VERIFIER"
     REFRESH_TOKEN = "REFRESH_TOKEN"
     USER_SRP_AUTH = "USER_SRP_AUTH"
+    SOFTWARE_TOKEN_MFA = "SOFTWARE_TOKEN_MFA"
+    SMS_MFA = "SMS_MFA"
 
     N_HEX = %w(
       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
@@ -85,12 +75,15 @@ module Aws
 
     INFO_BITS = 'Caldera Derived Key'
 
-    def initialize(username:, password:, pool_id:, client_id:, aws_client:)
+    attr_reader :user_id_for_srp
+
+    def initialize(username:, password:, pool_id:, client_id:, aws_client:, client_secret: nil)
       @username = username
       @password = password
       @pool_id = pool_id
       @client_id = client_id
       @aws_client = aws_client
+      @client_secret = client_secret
 
       @big_n = hex_to_long(N_HEX)
       @g = hex_to_long(G_HEX)
@@ -100,13 +93,16 @@ module Aws
     end
 
     def authenticate
+      auth_parameters = {
+        USERNAME: @username,
+        SRP_A: long_to_hex(@large_a_value),
+        SECRET_HASH: @client_secret && secret_hash(@username)
+      }.compact
+
       init_auth_response = @aws_client.initiate_auth(
         client_id: @client_id,
         auth_flow: USER_SRP_AUTH,
-        auth_parameters: {
-          USERNAME: @username,
-          SRP_A: long_to_hex(@large_a_value)
-        }
+        auth_parameters: auth_parameters
       )
 
       unless init_auth_response.challenge_name == PASSWORD_VERIFIER
@@ -114,12 +110,21 @@ module Aws
       end
 
       challenge_response = process_challenge(init_auth_response.challenge_parameters)
+      hash = @client_secret && secret_hash(@user_id_for_srp)
 
-      auth_response = @aws_client.respond_to_auth_challenge(
+      params = {
         client_id: @client_id,
         challenge_name: PASSWORD_VERIFIER,
-        challenge_responses: challenge_response
-      )
+        challenge_responses: challenge_response.merge(SECRET_HASH: hash).compact
+      }
+
+      auth_response = @aws_client.respond_to_auth_challenge(params)
+
+      if auth_response.challenge_name == SOFTWARE_TOKEN_MFA || auth_response.challenge_name == SMS_MFA
+        auth_response.extend(ChallengeResponseHelper)
+
+        return auth_response
+      end
 
       if auth_response.challenge_name == NEW_PASSWORD_REQUIRED
         raise NewPasswordRequired, "Cognito responded to password verifier with a #{NEW_PASSWORD_REQUIRED} challenge"
@@ -128,19 +133,50 @@ module Aws
       auth_response.authentication_result
     end
 
-    def refresh_tokens(refresh_token)
+    def refresh_tokens(refresh_token, user_id_for_srp: @user_id_for_srp)
+      auth_parameters = {
+        REFRESH_TOKEN: refresh_token,
+        SECRET_HASH: @client_secret && secret_hash(user_id_for_srp)
+      }.compact
+
       resp = @aws_client.initiate_auth(
         client_id: @client_id,
         auth_flow: REFRESH_TOKEN,
-        auth_parameters: {
-          REFRESH_TOKEN: refresh_token
-        }
+        auth_parameters: auth_parameters
       )
 
       resp.authentication_result
     end
     alias_method :refresh, :refresh_tokens
 
+    def respond_to_mfa_challenge(user_code, auth_response: nil, challenge_name: auth_response&.challenge_name, session: auth_response&.session, user_id_for_srp: @user_id_for_srp)
+      unless auth_response || (challenge_name && session)
+        raise ArgumentError, "Either `auth_response' or `challenge_name'+`session' keyword arguments should be given"
+      end
+
+      hash = @client_secret && secret_hash(user_id_for_srp)
+
+      challenge_responses = {
+        USERNAME: user_id_for_srp,
+        SECRET_HASH: hash
+      }
+      if challenge_name == SOFTWARE_TOKEN_MFA
+        challenge_responses[:SOFTWARE_TOKEN_MFA_CODE] = user_code
+      elsif challenge_name == SMS_MFA
+        challenge_responses[:SMS_MFA_CODE] = user_code
+      end
+
+      params = {
+        challenge_name: challenge_name,
+        session: session,
+        client_id: @client_id,
+        challenge_responses: challenge_responses.compact
+      }.compact
+
+      resp = @aws_client.respond_to_auth_challenge(params)
+      resp.authentication_result
+    end
+
     private
 
     def generate_random_small_a
@@ -170,22 +206,22 @@ module Aws
     end
 
     def process_challenge(challenge_parameters)
-      user_id_for_srp = challenge_parameters.fetch("USER_ID_FOR_SRP")
+      @user_id_for_srp = challenge_parameters.fetch("USER_ID_FOR_SRP")
       salt_hex = challenge_parameters.fetch("SALT")
       srp_b_hex = challenge_parameters.fetch("SRP_B")
       secret_block_b64 = challenge_parameters.fetch("SECRET_BLOCK")
 
       timestamp = ::Time.now.utc.strftime("%a %b %-d %H:%M:%S %Z %Y")
 
-      hkdf = get_password_authentication_key(user_id_for_srp, @password, srp_b_hex.to_i(16), salt_hex)
+      hkdf = get_password_authentication_key(@user_id_for_srp, @password, srp_b_hex.to_i(16), salt_hex)
       secret_block_bytes = ::Base64.strict_decode64(secret_block_b64)
-      msg = @pool_id.split("_")[1] + user_id_for_srp + secret_block_bytes + timestamp
+      msg = @pool_id.split("_")[1] + @user_id_for_srp + secret_block_bytes + timestamp
       hmac_digest = ::OpenSSL::HMAC.digest(::OpenSSL::Digest::SHA256.new, hkdf, msg)
       signature_string = ::Base64.strict_encode64(hmac_digest).force_encoding('utf-8')
 
       {
         TIMESTAMP: timestamp,
-        USERNAME: user_id_for_srp,
+        USERNAME: @user_id_for_srp,
         PASSWORD_CLAIM_SECRET_BLOCK: secret_block_b64,
         PASSWORD_CLAIM_SIGNATURE: signature_string
       }
@@ -242,5 +278,9 @@ module Aws
       u_hex_hash = hex_hash(pad_hex(big_a) + pad_hex(big_b))
       hex_to_long(u_hex_hash)
     end
+
+    def secret_hash(username)
+      Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', @client_secret, username + @client_id))
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-cognito-srp
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Jonathan Viney
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-01 00:00:00.000000000 Z
+date: 2023-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cognitoidentityprovider
@@ -32,14 +32,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -55,19 +55,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '13.0'
 - !ruby/object:Gem::Dependency
-  name: ox
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.14.0
+        version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.14.0
+        version: '1.9'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -117,6 +117,7 @@ files:
 - bin/setup
 - lib/aws-cognito-srp.rb
 - lib/aws/cognito_srp.rb
+- lib/aws/cognito_srp/challenge_response_helper.rb
 - lib/aws/cognito_srp/errors.rb
 - lib/aws/cognito_srp/version.rb
 - lib/aws_cognito_srp.rb
@@ -132,14 +133,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: AWS Cognito SRP auth for Ruby