aws-cognito-srp 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 929d703154eb252230b0ec365cf85bb59e632e62a335bcf63d81c0168f6fe3d3
-  data.tar.gz: 2b857f9bcf58f8363eae7ad056de998758bfaf6458ca478d41e4398b57d34a11
+  metadata.gz: 5b685bf22d6f5a6dd977e1b637f84b30fa5630b1f0e14c9e0dfb46c74273be9d
+  data.tar.gz: 1e2db6df2d70acb710906b75c119506df3608b52fd78b34e56233af2e480a6c7
 SHA512:
-  metadata.gz: 5763f4fac8412527c21ecfb3ae0e283e4cf7be33fc5eadbc94325c83b1b0aa91d34cfc86ebad7895c9f1e1fad93e8c7f8f0f08180f4219d4f78e1ff63d9cf0c1
-  data.tar.gz: 13e4d566a91689460b4aca21d48b73a3655d336dfc3e07e0e8c505b107606489581b720d045c72e0ebc2aea27d59a79c76eeba5cb3be77965818b69cb259f10d
+  metadata.gz: 75e86769e7198362a6e12f05b0e5a137dd62ef3886e122eeb2a7d638169f6dfa856bc12bb13a12616f2663c6b78cf36bf368d615ff617e003446eca7e08372e7
+  data.tar.gz: b24ed5925052eae4de68b27ee5fe57dc14bff611576e33748362224b85929ea08a29290919e6d494a2b0ca76cd4ac4db4b073d96de86a6c1a8a51b3496b7187c

data/CHANGELOG.md

@@ -1,8 +1,12 @@
 ## Changelog for aws-cognito-srp-ruby
 
+### 0.6.0 (June 20, 2023)
+
+* Added support for MFA (@suketa)
+
 ### 0.5.0 (February 14❤︎, 2023)
 
-* Added support for `client_secret`
+* Added support for `client_secret` (@suketa)
 
 ### 0.4.0 (October 1, 2021)
 
@@ -16,6 +20,6 @@
 
 * Added custom exception classes and better error messages
 
-### 0.1.0 (Septembre 17, 2021)
+### 0.1.0 (September 17, 2021)
 
 * Initial release

data/README.md

@@ -45,6 +45,8 @@ resp.refresh_token
 new_tokens = aws_srp.refresh_tokens(resp.refresh_token)
 ```
 
+### `USER_ID_FOR_SRP`
+
 In case you need access to the `USER_ID_FOR_SRP` value from the auth response,
 you can do so by calling `aws_srp.user_id_for_srp` *after* the initial auth
 (`aws_srp` being the same as in the code example above).
@@ -58,6 +60,47 @@ new_tokens = aws_srp.refresh_token(resp.refresh_token,
                                    user_id_for_srp: your_user_id_for_srp)
 ```
 
+### MFA (multi-factor authentication)
+
+If you're using MFA you should check for the challenge after calling
+`#authenticate` and respond accordingly with `#respond_to_mfa_challenge`.
+
+```ruby
+resp = aws_srp.authenticate
+
+if resp.respond_to?(:challenge_name) && resp.mfa_challenge?
+  user_code = get.chomp # Get MFA code from user
+
+  resp = aws_srp.respond_to_mfa_challenge(
+    user_code,
+    auth_response: resp
+  )
+end
+
+resp.id_token
+resp.access_token
+resp.refresh_token
+```
+
+Note that when `#authenticate` results in a successful authentication it
+returns a `AuthenticationResultType`
+([AWS SDK docs](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/AuthenticationResultType.html)),
+i.e. an object that responds to `#id_token`, `#access_token`, etc.
+
+However, when a MFA challenge step occurs, `#authenticate` instead returns a
+`RespondToAuthChallengeResponse` ([AWS SDK docs](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/RespondToAuthChallengeResponse.html#authentication_result-instance_method)),
+which you can check for with `.respond_to?(:challenge_name)` as in the above
+example. The `RespondToAuthChallengeResponse` object will be extended with the
+convenience methods `#mfa_challenge?`, `#software_token_mfa?` and `#sms_mfa?`.
+
+The `#respond_to_mfa_challenge` method can be called with the following
+signatures:
+
+```
+#respond_to_mfa_challenge(user_code, auth_response: [, user_id_for_srp:])
+#respond_to_mfa_challenge(user_code, challenge_name:, session: [, user_id_for_srp:])
+```
+
 ## Supported rubies
 
 This gem is tested against and supports Ruby 2.4 through 3.2, JRuby and

data/lib/aws/cognito_srp/challenge_response_helper.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "aws/cognito_srp/errors"
+
+module Aws
+  class CognitoSrp
+    module ChallengeResponseHelper
+      def mfa_challenge?
+        software_token_mfa? || sms_mfa?
+      end
+
+      def software_token_mfa?
+        challenge_name == SOFTWARE_TOKEN_MFA
+      end
+
+      def sms_mfa?
+        challenge_name == SMS_MFA
+      end
+    end
+  end
+end

data/lib/aws/cognito_srp/version.rb

@@ -2,6 +2,6 @@
 
 module Aws
   class CognitoSrp
-    VERSION = "0.5.0"
+    VERSION = "0.6.0"
   end
 end

data/lib/aws/cognito_srp.rb

@@ -9,6 +9,7 @@ require "base64"
 
 require "aws/cognito_srp/version"
 require "aws/cognito_srp/errors"
+require "aws/cognito_srp/challenge_response_helper"
 
 if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.5")
   module IntegerWithPow
@@ -50,6 +51,8 @@ module Aws
     PASSWORD_VERIFIER = "PASSWORD_VERIFIER"
     REFRESH_TOKEN = "REFRESH_TOKEN"
     USER_SRP_AUTH = "USER_SRP_AUTH"
+    SOFTWARE_TOKEN_MFA = "SOFTWARE_TOKEN_MFA"
+    SMS_MFA = "SMS_MFA"
 
     N_HEX = %w(
       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08
@@ -117,6 +120,12 @@ module Aws
 
       auth_response = @aws_client.respond_to_auth_challenge(params)
 
+      if auth_response.challenge_name == SOFTWARE_TOKEN_MFA || auth_response.challenge_name == SMS_MFA
+        auth_response.extend(ChallengeResponseHelper)
+
+        return auth_response
+      end
+
       if auth_response.challenge_name == NEW_PASSWORD_REQUIRED
         raise NewPasswordRequired, "Cognito responded to password verifier with a #{NEW_PASSWORD_REQUIRED} challenge"
       end
@@ -140,6 +149,34 @@ module Aws
     end
     alias_method :refresh, :refresh_tokens
 
+    def respond_to_mfa_challenge(user_code, auth_response: nil, challenge_name: auth_response&.challenge_name, session: auth_response&.session, user_id_for_srp: @user_id_for_srp)
+      unless auth_response || (challenge_name && session)
+        raise ArgumentError, "Either `auth_response' or `challenge_name'+`session' keyword arguments should be given"
+      end
+
+      hash = @client_secret && secret_hash(user_id_for_srp)
+
+      challenge_responses = {
+        USERNAME: user_id_for_srp,
+        SECRET_HASH: hash
+      }
+      if challenge_name == SOFTWARE_TOKEN_MFA
+        challenge_responses[:SOFTWARE_TOKEN_MFA_CODE] = user_code
+      elsif challenge_name == SMS_MFA
+        challenge_responses[:SMS_MFA_CODE] = user_code
+      end
+
+      params = {
+        challenge_name: challenge_name,
+        session: session,
+        client_id: @client_id,
+        challenge_responses: challenge_responses.compact
+      }.compact
+
+      resp = @aws_client.respond_to_auth_challenge(params)
+      resp.authentication_result
+    end
+
     private
 
     def generate_random_small_a

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-cognito-srp
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Jonathan Viney
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-14 00:00:00.000000000 Z
+date: 2023-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-cognitoidentityprovider
@@ -117,6 +117,7 @@ files:
 - bin/setup
 - lib/aws-cognito-srp.rb
 - lib/aws/cognito_srp.rb
+- lib/aws/cognito_srp/challenge_response_helper.rb
 - lib/aws/cognito_srp/errors.rb
 - lib/aws/cognito_srp/version.rb
 - lib/aws_cognito_srp.rb