aws-cognito-srp 0.5.0 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 929d703154eb252230b0ec365cf85bb59e632e62a335bcf63d81c0168f6fe3d3
-  data.tar.gz: 2b857f9bcf58f8363eae7ad056de998758bfaf6458ca478d41e4398b57d34a11
+  metadata.gz: d81eb83dd2ed629567bb1e88d4dc7773b40ffb2c1f79d642fc6a983f4b891014
+  data.tar.gz: 6bda9f469ee01ede2134e21a5e306e9d2449940b7d285268499cdb61ca792268
 SHA512:
-  metadata.gz: 5763f4fac8412527c21ecfb3ae0e283e4cf7be33fc5eadbc94325c83b1b0aa91d34cfc86ebad7895c9f1e1fad93e8c7f8f0f08180f4219d4f78e1ff63d9cf0c1
-  data.tar.gz: 13e4d566a91689460b4aca21d48b73a3655d336dfc3e07e0e8c505b107606489581b720d045c72e0ebc2aea27d59a79c76eeba5cb3be77965818b69cb259f10d
+  metadata.gz: cff01bee87b3db73b83108c8cb38151ca8c821b3e31f8dfbfacca54fdec026fa89710313efcf1c109f7f9f1102169da4365427d0d48e12c3e822f7b86b18059c
+  data.tar.gz: b04204c2db0b581272a6379f4947ee7c504a7cd23daa02a64de9f048a550260b42e8e45484ee0cc371848f071fa05764315f13fcb2bf3ae9d89b2653f711ecb0

data/.github/workflows/ci.yml

@@ -8,14 +8,14 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest]
-        ruby: [2.4, 2.5, 2.6, 2.7, '3.0', 3.1, 3.2, jruby, truffleruby]
+        ruby: [2.7, '3.0', 3.1, 3.2, 3.3, 3.4, jruby, truffleruby]
 
     runs-on: ${{ matrix.os }}
 
     name: Test against ${{ matrix.ruby }} on ${{ matrix.os }}
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:

data/CHANGELOG.md

@@ -1,8 +1,16 @@
 ## Changelog for aws-cognito-srp-ruby
 
+### 0.6.1 (December 25, 2024)
+
+* Added support for Ruby 3.4
+
+### 0.6.0 (June 20, 2023)
+
+* Added support for MFA (@suketa)
+
 ### 0.5.0 (February 14❤︎, 2023)
 
-* Added support for `client_secret`
+* Added support for `client_secret` (@suketa)
 
 ### 0.4.0 (October 1, 2021)
 
@@ -16,6 +24,6 @@
 
 * Added custom exception classes and better error messages
 
-### 0.1.0 (Septembre 17, 2021)
+### 0.1.0 (September 17, 2021)
 
 * Initial release

data/README.md

@@ -45,6 +45,8 @@ resp.refresh_token
 new_tokens = aws_srp.refresh_tokens(resp.refresh_token)
 ```
 
+### `USER_ID_FOR_SRP`
+
 In case you need access to the `USER_ID_FOR_SRP` value from the auth response,
 you can do so by calling `aws_srp.user_id_for_srp` *after* the initial auth
 (`aws_srp` being the same as in the code example above).
@@ -58,9 +60,50 @@ new_tokens = aws_srp.refresh_token(resp.refresh_token,
                                    user_id_for_srp: your_user_id_for_srp)
 ```
 
+### MFA (multi-factor authentication)
+
+If you're using MFA you should check for the challenge after calling
+`#authenticate` and respond accordingly with `#respond_to_mfa_challenge`.
+
+```ruby
+resp = aws_srp.authenticate
+
+if resp.respond_to?(:challenge_name) && resp.mfa_challenge?
+  user_code = get.chomp # Get MFA code from user
+
+  resp = aws_srp.respond_to_mfa_challenge(
+    user_code,
+    auth_response: resp
+  )
+end
+
+resp.id_token
+resp.access_token
+resp.refresh_token
+```
+
+Note that when `#authenticate` results in a successful authentication it
+returns a `AuthenticationResultType`
+([AWS SDK docs](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/AuthenticationResultType.html)),
+i.e. an object that responds to `#id_token`, `#access_token`, etc.
+
+However, when a MFA challenge step occurs, `#authenticate` instead returns a
+`RespondToAuthChallengeResponse` ([AWS SDK docs](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/RespondToAuthChallengeResponse.html#authentication_result-instance_method)),
+which you can check for with `.respond_to?(:challenge_name)` as in the above
+example. The `RespondToAuthChallengeResponse` object will be extended with the
+convenience methods `#mfa_challenge?`, `#software_token_mfa?` and `#sms_mfa?`.
+
+The `#respond_to_mfa_challenge` method can be called with the following
+signatures:
+
+```
+#respond_to_mfa_challenge(user_code, auth_response: [, user_id_for_srp:])
+#respond_to_mfa_challenge(user_code, challenge_name:, session: [, user_id_for_srp:])
+```
+
 ## Supported rubies
 
-This gem is tested against and supports Ruby 2.4 through 3.2, JRuby and
+This gem is tested against and supports Ruby 2.7 through 3.3, JRuby and
 TruffleRuby.
 
 ## Development

data/aws-cognito-srp.gemspec

@@ -20,9 +20,10 @@ Gem::Specification.new do |spec|
   end
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = '>= 2.4.0'
+  spec.required_ruby_version = '>= 2.7.0'
 
   spec.add_dependency "aws-sdk-cognitoidentityprovider"
+  spec.add_dependency "base64"
 
   spec.add_development_dependency "bundler", "~> 2.2"
   spec.add_development_dependency "rake", "~> 13.0"

data/lib/aws/cognito_srp/challenge_response_helper.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "aws/cognito_srp/errors"
+
+module Aws
+  class CognitoSrp
+    module ChallengeResponseHelper
+      def mfa_challenge?
+        software_token_mfa? || sms_mfa?
+      end
+
+      def software_token_mfa?
+        challenge_name == SOFTWARE_TOKEN_MFA
+      end
+
+      def sms_mfa?
+        challenge_name == SMS_MFA
+      end
+    end
+  end
+end

data/lib/aws/cognito_srp/version.rb

@@ -2,6 +2,6 @@
 
 module Aws
   class CognitoSrp
-    VERSION = "0.5.0"
+    VERSION = "0.6.1"
   end
 end

data/lib/aws/cognito_srp.rb

@@ -9,6 +9,7 @@ require "base64"
 
 require "aws/cognito_srp/version"
 require "aws/cognito_srp/errors"
+require "aws/cognito_srp/challenge_response_helper"
 
 if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5")
   module IntegerWithPow
@@ -50,6 +51,8 @@ module Aws
     PASSWORD_VERIFIER = "PASSWORD_VERIFIER"
     REFRESH_TOKEN = "REFRESH_TOKEN"
     USER_SRP_AUTH = "USER_SRP_AUTH"
+    SOFTWARE_TOKEN_MFA = "SOFTWARE_TOKEN_MFA"
+    SMS_MFA = "SMS_MFA"
 
     N_HEX = %w(
       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
@@ -117,6 +120,12 @@ module Aws
 
       auth_response = @aws_client.respond_to_auth_challenge(params)
 
+      if auth_response.challenge_name == SOFTWARE_TOKEN_MFA || auth_response.challenge_name == SMS_MFA
+        auth_response.extend(ChallengeResponseHelper)
+
+        return auth_response
+      end
+
       if auth_response.challenge_name == NEW_PASSWORD_REQUIRED
         raise NewPasswordRequired, "Cognito responded to password verifier with a #{NEW_PASSWORD_REQUIRED} challenge"
       end
@@ -140,6 +149,34 @@ module Aws
     end
     alias_method :refresh, :refresh_tokens
 
+    def respond_to_mfa_challenge(user_code, auth_response: nil, challenge_name: auth_response&.challenge_name, session: auth_response&.session, user_id_for_srp: @user_id_for_srp)
+      unless auth_response || (challenge_name && session)
+        raise ArgumentError, "Either `auth_response' or `challenge_name'+`session' keyword arguments should be given"
+      end
+
+      hash = @client_secret && secret_hash(user_id_for_srp)
+
+      challenge_responses = {
+        USERNAME: user_id_for_srp,
+        SECRET_HASH: hash
+      }
+      if challenge_name == SOFTWARE_TOKEN_MFA
+        challenge_responses[:SOFTWARE_TOKEN_MFA_CODE] = user_code
+      elsif challenge_name == SMS_MFA
+        challenge_responses[:SMS_MFA_CODE] = user_code
+      end
+
+      params = {
+        challenge_name: challenge_name,
+        session: session,
+        client_id: @client_id,
+        challenge_responses: challenge_responses.compact
+      }.compact
+
+      resp = @aws_client.respond_to_auth_challenge(params)
+      resp.authentication_result
+    end
+
     private
 
     def generate_random_small_a

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-cognito-srp
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.1
 platform: ruby
 authors:
 - Jonathan Viney
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-14 00:00:00.000000000 Z
+date: 2024-12-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cognitoidentityprovider
@@ -26,6 +26,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -117,6 +131,7 @@ files:
 - bin/setup
 - lib/aws-cognito-srp.rb
 - lib/aws/cognito_srp.rb
+- lib/aws/cognito_srp/challenge_response_helper.rb
 - lib/aws/cognito_srp/errors.rb
 - lib/aws/cognito_srp/version.rb
 - lib/aws_cognito_srp.rb
@@ -132,14 +147,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: AWS Cognito SRP auth for Ruby