cognito_rails 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 48fe70f5578d90db88e1a7546f12a16a3b24941bf20a2e8bb4a37b24b3678adc
+  data.tar.gz: 5463df9f063b8b986ca1ef49d0f9a8efce22862854e7e74cb4aee77a8f101fea
+SHA512:
+  metadata.gz: '058bb0a9820ee032ca2d56f7c3954c5acb434543d599ddf3aedb029e2c8b6e06b9d93445a9989248c0a9223cc5038a91cd680313d7d1735837c18826a3008999'
+  data.tar.gz: 5fa75f4e6109b4144a33759340672eee19253d33ba8e9c167b0c4187b85f7b736d8129cfd22221188119c793f8250d550b36ba49b55742d47133ec9fd7d4ec14

data/lib/cognito_rails/config.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+module CognitoRails
+  class Config
+    class << self
+      # @raise [RuntimeError] if not set
+      # @return [String] AWS access key id
+      def aws_access_key_id
+        # @type [String,nil]
+        @aws_access_key_id || (raise 'Missing config aws_access_key_id')
+      end
+
+      # @!attribute aws_access_key_id [w]
+      #   @return [String]
+      # @!attribute aws_region [w]
+      #   @return [String]
+      # @!attribute aws_secret_access_key [w]
+      #   @return [String]
+      # @!attribute aws_user_pool_id [w]
+      #   @return [String]
+      # @!attribute default_user_class [w]
+      #   @return [String,nil]
+      attr_writer :aws_access_key_id, :skip_model_hooks, :aws_region,
+                  :aws_secret_access_key, :aws_user_pool_id,
+                  :default_user_class
+
+      # @return [Boolean] skip model hooks
+      def skip_model_hooks
+        !!@skip_model_hooks
+      end
+
+      # @!attribute logger [rw]
+      #   @return [Logger]
+      # @!attribute cache_adapter [rw]
+      #   @return [#fetch,nil]
+      attr_accessor :logger, :cache_adapter
+
+      # @return [String] AWS region
+      # @raise [RuntimeError] if not set
+      def aws_region
+        @aws_region || (raise 'Missing config aws_region')
+      end
+
+      # @return [String] AWS secret access key
+      # @raise [RuntimeError] if not set
+      def aws_secret_access_key
+        @aws_secret_access_key || (raise 'Missing config aws_secret_access_key')
+      end
+
+      # @return [String] AWS user pool id
+      # @raise [RuntimeError] if not set
+      def aws_user_pool_id
+        @aws_user_pool_id || (raise 'Missing config aws_user_pool_id')
+      end
+
+      # @return [String] default user class
+      # @raise [RuntimeError] if not set
+      def default_user_class
+        @default_user_class || (raise 'Missing config default_user_class')
+      end
+    end
+  end
+end

data/lib/cognito_rails/controller.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module CognitoRails
+  module Controller
+    extend ActiveSupport::Concern
+
+    # @scope class
+    # @!attribute _cognito_user_class [rw]
+    #   @return [String,nil] class name of user model
+
+    included do
+      class_attribute :_cognito_user_class
+    end
+
+    # @return [ActiveRecord::Base,nil]
+    def current_user
+      @current_user ||= cognito_user_klass.find_by_cognito(external_cognito_id) if external_cognito_id
+    end
+
+    private
+
+    # @return [#find_by_cognito]
+    def cognito_user_klass
+      @cognito_user_klass ||= (self.class._cognito_user_class || CognitoRails::Config.default_user_class)&.constantize
+    end
+
+    # @return [String,nil] cognito user id
+    def external_cognito_id
+      # @type [String,nil]
+      token = request.headers['Authorization']&.split(' ')&.last
+
+      return unless token
+
+      CognitoRails::JWT.decode(token)&.dig(0, 'sub')
+    end
+  end
+end

data/lib/cognito_rails/jwt.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'open-uri'
+require 'json'
+
+module CognitoRails
+  class JWT
+    class << self
+      # @param token [String] JWT token
+      # @return [Array<Hash>,nil]
+      def decode(token)
+        aws_idp = with_cache { URI.open(jwks_url).read }
+        jwt_config = JSON.parse(aws_idp, symbolize_names: true)
+
+        ::JWT.decode(token, nil, true, { jwks: jwt_config, algorithms: ['RS256'] })
+      rescue ::JWT::ExpiredSignature, ::JWT::VerificationError, ::JWT::DecodeError => e
+        Config.logger&.error e.message
+        nil
+      end
+
+      private
+
+      def jwks_url
+        "https://cognito-idp.#{Config.aws_region}.amazonaws.com/#{Config.aws_user_pool_id}/.well-known/jwks.json"
+      end
+
+      # @param block [Proc]
+      # @yield [String] to be cached
+      # @return [String] cached block
+      def with_cache(&block)
+        return yield unless Config.cache_adapter.respond_to?(:fetch)
+
+        Config.cache_adapter.fetch('aws_idp', expires_in: 4.hours, &block)
+      end
+    end
+  end
+end

data/lib/cognito_rails/model.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'active_record'
+
+module CognitoRails
+  # ActiveRecord model extension
+  module Model
+    extend ActiveSupport::Concern
+
+    included do
+      class_attribute :_cognito_verify_email
+      class_attribute :_cognito_verify_phone
+      class_attribute :_cognito_custom_attributes
+      class_attribute :_cognito_attribute_name
+      self._cognito_custom_attributes = []
+
+      before_create do
+        init_cognito_user unless CognitoRails::Config.skip_model_hooks
+      end
+
+      after_destroy do
+        destroy_cognito_user unless CognitoRails::Config.skip_model_hooks
+      end
+    end
+
+    # @return [String]
+    def cognito_external_id
+      self[self.class._cognito_attribute_name]
+    end
+
+    # @param value [String]
+    # @return [String]
+    def cognito_external_id=(value)
+      self[self.class._cognito_attribute_name] = value
+    end
+
+    def cognito_user
+      @cognito_user ||= User.find(cognito_external_id, user_class: self.class)
+    end
+
+    protected
+
+    def init_cognito_user
+      return if cognito_external_id.present?
+
+      attrs = { email: email, user_class: self.class }
+      attrs[:phone] = phone if respond_to?(:phone)
+      attrs[:custom_attributes] = instance_custom_attributes
+      cognito_user = User.new(attrs)
+      cognito_user.save!
+      self.cognito_external_id = cognito_user.id
+    end
+
+    # @return [Array<Hash>]
+    def instance_custom_attributes
+      _cognito_custom_attributes.map { |e| { name: e[:name], value: parse_custom_attribute_value(e[:value]) } }
+    end
+
+    def parse_custom_attribute_value(value)
+      if value.is_a? Symbol
+        self[value]
+      else
+        value
+      end
+    end
+
+    def destroy_cognito_user
+      cognito_user&.destroy!
+    end
+
+    class_methods do
+      # @param name [String] attribute name
+      # @return [ActiveRecord::Base] model class
+      def find_by_cognito(external_id)
+        find_by({ _cognito_attribute_name => external_id })
+      end
+
+      def cognito_verify_email
+        self._cognito_verify_email = true
+      end
+
+      def cognito_verify_phone
+        self._cognito_verify_phone = true
+      end
+
+      # @param name [String] attribute name
+      # @param value [String] attribute name
+      def define_cognito_attribute(name, value)
+        _cognito_custom_attributes << { name: "custom:#{name}", value: value }
+      end
+    end
+  end
+end

data/lib/cognito_rails/user.rb

@@ -0,0 +1,214 @@
+# frozen_string_literal: true
+
+require 'active_record'
+require 'active_model/validations'
+require 'securerandom'
+require 'aws-sdk-cognitoidentityprovider'
+
+module CognitoRails
+  # A class to map the cognito user to a model-like object
+  #
+  # @!attribute id [rw]
+  #   @return [String]
+  # @!attribute email [rw]
+  #   @return [String]
+  # @!attribute password [rw]
+  #   @return [String,nil]
+  # @!attribute phone [rw]
+  #   @return [String,nil]
+  # @!attribute custom_attributes [rw]
+  #   @return [Array<Hash>,nil]
+  # @!attribute user_class [rw]
+  #   @return [Class,nil]
+  # rubocop:disable Metrics/ClassLength
+  class User
+    # rubocop:enable Metrics/ClassLength
+
+    include ActiveModel::Validations
+
+    attr_accessor :id, :email, :password, :phone, :custom_attributes, :user_class
+
+    validates :email, presence: true
+
+    # @param attributes [Hash]
+    # @option attributes [String] :email
+    # @option attributes [String, nil] :password
+    # @option attributes [String, nil] :phone
+    # @option attributes [Array<Hash>, nil] :custom_attributes
+    # @option attributes [Class, nil] :user_class
+    def initialize(attributes = {})
+      attributes = attributes.with_indifferent_access
+      self.email = attributes[:email]
+      self.password = SecureRandom.urlsafe_base64 || attributes[:password]
+      self.phone = attributes[:phone]
+      self.user_class = attributes[:user_class] || Config.default_user_class.constantize
+      self.custom_attributes = attributes[:custom_attributes]
+    end
+
+    # @param id [String]
+    # @param user_class [nil,Object]
+    # @return [CognitoRails::User]
+    def self.find(id, user_class = nil)
+      result = cognito_client.admin_get_user(
+        {
+          user_pool_id: CognitoRails::Config.aws_user_pool_id, # required
+          username: id # required
+        }
+      )
+      user = new(user_class: user_class)
+      user.id = result.username
+      user.email = result.user_attributes.find { |attribute| attribute[:name] == 'email' }[:value]
+      user.phone = result.user_attributes.find { |attribute| attribute[:name] == 'phone_number' }&.dig(:value)
+      user
+    end
+
+    # @param attributes [Hash]
+    # @option attributes [String] :email
+    # @option attributes [String] :password
+    # @option attributes [String, nil] :phone
+    # @option attributes [Array<Hash>, nil] :custom_attributes
+    # @option attributes [Class, nil] :user_class
+    # @return [CognitoRails::User]
+    def self.create!(attributes = {})
+      user = new(attributes)
+      user.save!
+      user
+    end
+
+    # @param attributes [Hash]
+    # @option attributes [String] :email
+    # @option attributes [String] :password
+    # @option attributes [String, nil] :phone
+    # @option attributes [Array<Hash>, nil] :custom_attributes
+    # @option attributes [Class, nil] :user_class
+    # @return [CognitoRails::User]
+    def self.create(attributes = {})
+      user = new(attributes)
+      user.save
+      user
+    end
+
+    # @return [Boolean]
+    def new_record?
+      !persisted?
+    end
+
+    # @return [Boolean]
+    def persisted?
+      id.present?
+    end
+
+    # @return [Boolean]
+    # @raise [ActiveRecord::RecordInvalid]
+    def save!
+      save || (raise ActiveRecord::RecordInvalid, self)
+    end
+
+    # @return [Boolean]
+    def save
+      return false unless validate
+
+      if persisted?
+        save_for_update
+      else
+        save_for_create
+      end
+
+      true
+    end
+
+    # @return [Boolean]
+    def destroy
+      return false if new_record?
+
+      cognito_client.admin_delete_user(
+        {
+          user_pool_id: CognitoRails::Config.aws_user_pool_id,
+          username: id
+        }
+      )
+      self.id = nil
+
+      true
+    end
+
+    # @return [Boolean]
+    # @raise [ActiveRecord::RecordInvalid]
+    def destroy!
+      destroy || (raise ActiveRecord::RecordInvalid, self)
+    end
+
+    private
+
+    # @return [Aws::CognitoIdentityProvider::Client]
+    def cognito_client
+      self.class.cognito_client
+    end
+
+    # @return [Boolean]
+    def verify_email?
+      user_class._cognito_verify_email
+    end
+
+    # @return [Boolean]
+    def verify_phone?
+      user_class._cognito_verify_phone
+    end
+
+    # @return [Aws::CognitoIdentityProvider::Client]
+    # @raise [RuntimeError]
+    def self.cognito_client
+      raise 'Can\'t create user in test mode' if Rails.env.test?
+
+      @cognito_client ||= Aws::CognitoIdentityProvider::Client.new(
+        access_key_id: CognitoRails::Config.aws_access_key_id,
+        secret_access_key: CognitoRails::Config.aws_secret_access_key,
+        region: CognitoRails::Config.aws_region
+      )
+    end
+
+    # @return [Array<Hash>]
+    def general_user_attributes
+      [
+        *([{ name: 'email', value: email }] if email),
+        *([{ name: 'phone_number', value: phone }] if phone),
+        *custom_attributes
+      ]
+    end
+
+    # @return [Array<Hash>]
+    def verify_user_attributes
+      [
+        *([{ name: 'email_verified', value: 'True' }] if verify_email?),
+        *([{ name: 'phone_number_verified', value: 'True' }] if verify_phone?)
+      ]
+    end
+
+    def save_for_create
+      resp = cognito_client.admin_create_user(
+        {
+          user_pool_id: CognitoRails::Config.aws_user_pool_id,
+          username: email,
+          temporary_password: password,
+          user_attributes: [
+            *general_user_attributes,
+            *verify_user_attributes
+          ]
+        }
+      )
+      self.id = resp.user.attributes.find { |a| a[:name] == 'sub' }[:value]
+    end
+
+    def save_for_update
+      cognito_client.admin_update_user_attributes(
+        {
+          user_pool_id: CognitoRails::Config.aws_user_pool_id,
+          username: id,
+          user_attributes: [
+            *general_user_attributes
+          ]
+        }
+      )
+    end
+  end
+end

data/lib/cognito_rails/version.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module CognitoRails
+  # @return [String] gem version
+  VERSION = '0.1.0'
+end

data/lib/cognito_rails.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'active_support/concern'
+require 'active_support/dependencies/autoload'
+require 'active_record'
+require 'action_controller/metal'
+
+# Provides a set of tools to integrate AWS Cognito in your Rails app
+module CognitoRails
+  extend ActiveSupport::Concern
+  extend ActiveSupport::Autoload
+
+  autoload :Config
+  autoload :Controller
+  autoload :Model
+  autoload :User
+  autoload :JWT
+
+  # @private
+  module ModelInitializer
+    # @param attribute_name [String]
+    # @return [void]
+    def as_cognito_user(attribute_name: 'external_id')
+      send :include, CognitoRails::Model
+      self._cognito_attribute_name = attribute_name
+    end
+  end
+
+  # @private
+  module ControllerInitializer
+    # @param user_class [Class,nil]
+    # @return [void]
+    def cognito_authentication(user_class: nil)
+      send :include, CognitoRails::Controller
+      self._cognito_user_class = user_class
+    end
+  end
+end
+
+# rubocop:disable Lint/SendWithMixinArgument
+ActiveRecord::Base.send(:extend, CognitoRails::ModelInitializer)
+ActionController::Metal.send(:extend, CognitoRails::ControllerInitializer)
+# rubocop:enable Lint/SendWithMixinArgument

data/spec/cognito_rails/controller_spec.rb

@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+# rubocop:disable Metrics/BlockLength
+RSpec.describe CognitoRails::Controller, type: :model do
+  # rubocop:enable Metrics/BlockLength
+  include CognitoRails::Helpers
+
+  context 'with an API controller' do
+    class MyApiController < ActionController::API
+      cognito_authentication
+
+      def request
+        @request ||= OpenStruct.new({ headers: { 'Authorization' => 'Bearer aaaaa' } })
+      end
+    end
+    let(:controller) { MyApiController.new }
+
+    it 'returns no user if the bearer is invalid' do
+      expect(CognitoRails::JWT).to receive(:decode).at_least(:once).and_return([{ 'sub' => '123123123' }])
+      expect(controller.current_user).to eq(nil)
+    end
+
+    it 'returns a user if the token is correct' do
+      user = User.create!(email: sample_cognito_email, external_id: '123123123')
+
+      expect(CognitoRails::JWT).to receive(:decode).at_least(:once).and_return([{ 'sub' => '123123123' }])
+      expect(controller.current_user).to eq(user)
+    end
+  end
+
+  context 'with a standard controller' do
+    class MyController < ActionController::Base
+      cognito_authentication user_class: 'Admin'
+
+      def request
+        @request ||= OpenStruct.new({ headers: { 'Authorization' => 'Bearer aaaaa' } })
+      end
+    end
+    let(:controller) { MyController.new }
+
+    it 'returns no user if the bearer is invalid' do
+      expect(CognitoRails::JWT).to receive(:decode).at_least(:once).and_return([{ 'sub' => '123123123' }])
+      expect(controller.current_user).to eq(nil)
+    end
+
+    it 'returns a user if the token is correct' do
+      user = Admin.create!(email: sample_cognito_email, phone: sample_cognito_phone, cognito_id: '123123123')
+
+      expect(CognitoRails::JWT).to receive(:decode).at_least(:once).and_return([{ 'sub' => '123123123' }])
+      expect(controller.current_user).to eq(user)
+    end
+  end
+end

data/spec/cognito_rails/jwt_spec.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+# rubocop:disable Metrics/BlockLength
+RSpec.describe CognitoRails::JWT, type: :model do
+  # rubocop:enable Metrics/BlockLength
+  before do
+    allow(URI).to receive(:open).and_return(double(read: jwks))
+  end
+
+  context 'with an invalid jwtk' do
+    let(:jwks) { '{}' }
+
+    it 'decode returns nil' do
+      expect(described_class.decode('aaaa')).to be_nil
+    end
+  end
+
+  context 'with a valid jwtk' do
+    let(:jwk) { JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), 'optional-kid') }
+    let(:jwks) { { keys: [jwk.export] }.to_json }
+    let(:payload) { { 'data' => 'data' } }
+    let(:token) do
+      headers = { kid: jwk.kid }
+
+      JWT.encode(payload, jwk.keypair, 'RS256', headers)
+    end
+
+    it 'decodes a token correctly' do
+      expect(described_class.decode(token)[0]).to eq({
+                                                       'data' => 'data'
+                                                     })
+    end
+
+    it 'fails to decode if the token is invalid' do
+      expect(described_class.decode('aaaa')).to be_nil
+    end
+  end
+end

data/spec/cognito_rails/user_spec.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+# rubocop:disable Metrics/BlockLength
+RSpec.describe CognitoRails::User, type: :model do
+  include CognitoRails::Helpers
+
+  let(:sample_cognito_email) { 'some@mail.com' }
+  let(:sample_cognito_phone) { '123456789' }
+
+  it 'validates email presence' do
+    expect(subject).to have(1).error_on(:email)
+    subject.email = sample_cognito_email
+    expect(subject).to have(0).error_on(:email)
+  end
+
+  it 'finds an user by id' do
+    expect(described_class).to receive(:cognito_client).and_return(fake_cognito_client)
+
+    record = described_class.find(sample_cognito_id)
+    expect(record).to be_a(described_class)
+    expect(record.id).to eq(sample_cognito_id)
+    expect(record.email).to eq(sample_cognito_email)
+    expect(record.user_class).to eq(User)
+  end
+
+  it 'finds a user with admin class' do
+    expect(described_class).to receive(:cognito_client).and_return(fake_cognito_client)
+
+    record = described_class.find(sample_cognito_id, Admin)
+    expect(record.user_class).to eq(Admin)
+  end
+
+  it 'finds a user with default class' do
+    expect(described_class).to receive(:cognito_client).and_return(fake_cognito_client)
+
+    record = described_class.find(sample_cognito_id)
+    expect(record.user_class).to eq(CognitoRails::Config.default_user_class.constantize)
+  end
+
+  context 'persistence' do
+    it 'saves a new user' do
+      expect_any_instance_of(described_class).to receive(:cognito_client).and_return(fake_cognito_client)
+      subject.email = sample_cognito_email
+      subject.save!
+      expect(subject.id).to eq(sample_cognito_id)
+    end
+
+    it 'fails save on invalid record' do
+      expect { subject.save! }.to raise_error ActiveRecord::RecordInvalid
+    end
+  end
+
+  context 'deletion' do
+    it 'deletes a new user' do
+      allow_any_instance_of(described_class).to receive(:cognito_client).and_return(fake_cognito_client)
+      subject.email = sample_cognito_email
+      subject.save!
+
+      subject.destroy!
+    end
+
+    it 'fails save on invalid record' do
+      expect { subject.destroy! }.to raise_error ActiveRecord::RecordInvalid
+    end
+  end
+
+  context 'user' do
+    it 'creates a cognito user once created a new user' do
+      expect_any_instance_of(CognitoRails::User).to receive(:cognito_client).and_return(fake_cognito_client)
+
+      user = User.create!(email: sample_cognito_email)
+
+      expect(user.external_id).to eq(sample_cognito_id)
+    end
+
+    it 'destroys the cognito user once destroyed the user' do
+      expect(CognitoRails::User).to receive(:cognito_client).at_least(:once).and_return(fake_cognito_client)
+
+      user = User.create!(email: sample_cognito_email)
+
+      user.destroy!
+    end
+
+    it 'saves custom attributes in cognito' do
+      expect(CognitoRails::User).to receive(:cognito_client).at_least(:once).and_return(fake_cognito_client)
+
+      expect(fake_cognito_client).to receive(:admin_create_user).with(
+        hash_including(
+          user_attributes: array_including(
+            [
+              {
+                name: 'email_verified', value: 'True'
+              },
+              {
+                name: 'email', value: sample_cognito_email
+              },
+              {
+                name: 'custom:role', value: 'user'
+              },
+              {
+                name: 'custom:name', value: 'TestName'
+              }
+            ]
+          )
+        )
+      )
+
+      User.create!(email: sample_cognito_email, name: 'TestName')
+    end
+  end
+
+  context 'admin' do
+    before do
+      expect(CognitoRails::User).to receive(:cognito_client).at_least(:once).and_return(fake_cognito_client)
+    end
+
+    it '#find_by_cognito' do
+      admin = Admin.create!(email: sample_cognito_email, phone: '12345678')
+
+      expect(Admin.find_by_cognito(sample_cognito_id)).to eq(admin)
+    end
+
+    it 'creates a cognito user once created a new admin' do
+      admin = Admin.create!(email: sample_cognito_email, phone: '12345678')
+
+      expect(admin.cognito_external_id).to eq(sample_cognito_id)
+    end
+
+    it 'destroys the cognito user once destroyed the admin' do
+      admin = Admin.create!(email: sample_cognito_email, phone: '12345678')
+
+      admin.destroy!
+    end
+
+    it 'saves custom attributes in cognito' do
+      expect(fake_cognito_client).to receive(:admin_create_user).with(
+        hash_including(
+          user_attributes: array_including(
+            [
+              {
+                name: 'phone_number_verified', value: 'True'
+              },
+              {
+                name: 'email_verified', value: 'True'
+              },
+              {
+                name: 'phone_number', value: '12345678'
+              },
+              {
+                name: 'email', value: sample_cognito_email
+              },
+              {
+                name: 'custom:role', value: 'admin'
+              }
+            ]
+          )
+        )
+      )
+
+      Admin.create!(email: sample_cognito_email, phone: '12345678')
+    end
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,7 @@
+FactoryBot.define do
+  factory :user do
+    sequence(:email) { |i| "email#{i}@cognito.com" }
+    sequence(:name) { |i| "TestName" }
+    sequence(:external_id) { |k| "extenralid-#{k}" }
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,36 @@
+require 'active_support'
+require 'rails'
+require 'rspec'
+require 'active_record'
+require 'action_controller'
+require 'cognito_rails'
+require 'factory_bot_rails'
+require 'rspec/collection_matchers'
+require 'factories/user'
+
+I18n.enforce_available_locales = false
+RSpec::Expectations.configuration.warn_about_potential_false_positives = false
+
+Dir[File.expand_path('../support/*.rb', __FILE__)].each { |f| require f }
+
+CognitoRails::Config.aws_access_key_id = 'access_key_id'
+CognitoRails::Config.aws_region = 'region'
+CognitoRails::Config.aws_secret_access_key = 'secret_access_key'
+CognitoRails::Config.aws_user_pool_id = 'user_pool_id'
+CognitoRails::Config.default_user_class = 'User'
+
+RSpec.configure do |config|
+
+  config.include FactoryBot::Syntax::Methods
+
+  config.before(:suite) do
+    Schema.create
+  end
+
+  config.around(:each) do |example|
+    ActiveRecord::Base.transaction do
+      example.run
+      raise ActiveRecord::Rollback
+    end
+  end
+end

data/spec/support/cognito_helpers.rb

@@ -0,0 +1,43 @@
+module CognitoRails::Helpers
+  extend ActiveSupport::Concern
+
+  included do
+    let(:sample_cognito_id) { SecureRandom.uuid }
+    let(:sample_cognito_email) { 'some@mail.com' }
+    let(:sample_cognito_phone) { '123456789' }
+    let(:fake_cognito_client) do
+      client = double
+      allow(client).to receive(:admin_create_user) do |params|
+        expect(params).to match_structure(
+          user_pool_id: one_of(String, nil),
+          username: String,
+          temporary_password: String,
+          user_attributes: a_list_of(name: String, value: one_of(String, nil))
+        )
+        OpenStruct.new(user: OpenStruct.new(attributes: [{ name: 'sub', value: sample_cognito_id }]))
+      end
+
+      allow(client).to receive(:admin_delete_user) do |params|
+        expect(params).to match_structure(
+          user_pool_id: one_of(String, nil),
+          username: String
+        )
+        OpenStruct.new
+      end
+      allow(client).to receive(:admin_get_user).and_return(
+        OpenStruct.new(
+          {
+            username: sample_cognito_id,
+            user_attributes: [
+              { name: 'sub', value: sample_cognito_id },
+              { name: 'email', value: sample_cognito_email },
+              { name: 'phone', value: sample_cognito_phone },
+              { name: 'custom:name', value: "TestName" }
+            ]
+          }
+        )
+      )
+      client
+    end
+  end
+end

data/spec/support/match_structure.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require 'pp'
+
+module Structure
+  module Type
+    class Error < ::StandardError; end
+    class SizeError < Error; end
+    class MatchError < Error; end
+
+    class Single
+      attr_reader :classes
+      def initialize(classes)
+        @classes = classes
+      end
+
+      def class?
+        @classes.all? { |c| c.is_a?(Class) || c.is_a?(Module) }
+      end
+
+      def matches?(json)
+        result = classes.any? do |s|
+          yield s, json
+        rescue Structure::Type::Error
+          false
+        end
+        raise MatchError, "#{json}\n is not one of #{inspect}" unless result
+
+        true
+      end
+
+      def inspect
+        "one_of(#{@classes})"
+      end
+    end
+
+    class Array < Single
+      def initialize(classes)
+        super(classes)
+        @max = 999_999
+        @min = 0
+      end
+
+      def between(min, max)
+        @min = min
+        @max = max
+        self
+      end
+
+      def at_least(number)
+        between(number, Float::INFINITY)
+      end
+
+      def with(number)
+        @number = number
+        self
+      end
+
+      def elements
+        @min = @number
+        @max = @number
+        self
+      end
+
+      def items
+        elements
+      end
+
+      def elements_at_most
+        raise 'Wrong use of at_most' unless @number
+
+        @max = @number
+        @number = nil
+        self
+      end
+
+      def elements_at_least
+        raise 'Wrong use of at_least' unless @number
+
+        @min = @number
+        @number = nil
+        self
+      end
+
+      def matches?(json)
+        raise SizeError, "Size Error: #{inspect} size (#{json.size}) is not between #{@min} and #{@max}." unless json.size.between?(@min, @max)
+
+        json.all? { |j| classes.any? { |s| yield s, j } }
+      end
+
+      def inspect
+        if class?
+          "a_list_of(#{@classes.inspect})"
+        else
+          "a_list_of(\n#{@classes.pretty_inspect})"
+        end
+      end
+    end
+
+    module Methods
+      def a_list_of(*class_list)
+        Structure::Type::Array.new(class_list)
+      end
+
+      def one_of(*class_list)
+        Structure::Type::Single.new(class_list)
+      end
+    end
+  end
+end
+
+include Structure::Type::Methods
+
+RSpec::Matchers.define :match_structure do |structure|
+  match do |json|
+    @key = 'root'
+    begin
+      explore_structure(structure, json)
+    rescue Structure::Type::SizeError => e
+      @message = e.message
+      false
+    rescue Structure::Type::MatchError => e
+      @message = e.message
+      false
+    end
+  end
+
+  def size_fail(structure, json)
+    raise Structure::Type::SizeError,
+          "Wrong size at #{@key}: #{json.size} != #{structure.size}"
+  end
+
+  def structure_fail(structure, json)
+    raise Structure::Type::MatchError,
+          "Structure:\n#{structure.pretty_inspect}\nGiven:\n#{json.pretty_inspect}"
+  end
+
+  def explore_structure(struc, json)
+    # example: 1 ~= Integer
+    if struc.is_a? Class
+      structure_fail(struc, json) unless json.is_a?(struc)
+    # example: "foobar" ~= /f[o]+bar/
+    elsif struc.is_a?(Regexp) && json.is_a?(String)
+      structure_fail(struc, json) unless json.match?(struc)
+    # example: [1, 2, 3] ~= a_list_of(Integer)
+    elsif struc.is_a? Structure::Type::Array
+      struc.matches?(json) { |j, s| explore_structure(j, s) }
+    # example: 1 ~= one_of(Integer, String)
+    elsif struc.is_a? Structure::Type::Single
+      struc.matches?(json) { |j, s| explore_structure(j, s) }
+    # example: {a: b, c: d} ~= {a: Integer, b: String}
+    elsif json.is_a?(Hash)
+      structure_fail(struc, json) unless struc.is_a? Hash
+      struc = struc.with_indifferent_access
+      json = json.with_indifferent_access
+      struc.all? do |k, v|
+        @key = k
+        structure_fail(struc, json) unless json.key?(k)
+        explore_structure(v, json[k])
+      end
+    # example: [1, 2, 3] ~= [1, 2, 3]
+    elsif json.is_a?(Array)
+      structure_fail(struc, json) unless struc.is_a? Array
+      size_fail(struc, json) if struc.size != json.size
+      return struc.zip(json).all? do |s, j|
+        @key = s
+        explore_structure(s, j)
+      end
+    # example: 3 ~= 3
+    else
+      structure_fail(struc, json) unless json == struc
+    end
+    true
+  end
+
+  failure_message do |json|
+    "#{json.pretty_inspect}\ndoes not match structure\n#{structure.pretty_inspect}\n\n#{@message}"
+  end
+
+  failure_message_when_negated do |json|
+    "#{json.pretty_inspect}\nis matching structure\n#{structure.pretty_inspect}"
+  end
+end

data/spec/support/schema.rb

@@ -0,0 +1,51 @@
+require 'active_record'
+
+ActiveRecord::Base.establish_connection(
+  adapter: 'sqlite3',
+  database: ':memory:'
+)
+
+class User < ActiveRecord::Base
+  validates :email, presence: true
+  validates :email, uniqueness: true
+
+  as_cognito_user
+  cognito_verify_email
+  define_cognito_attribute 'role', 'user'
+  define_cognito_attribute 'name', :name
+end
+
+class Admin < ActiveRecord::Base
+  validates :email, presence: true
+  validates :email, uniqueness: true
+  validates :phone, presence: true
+  validates :phone, uniqueness: true
+
+  as_cognito_user attribute_name: 'cognito_id'
+  cognito_verify_email
+  cognito_verify_phone
+  define_cognito_attribute 'role', 'admin'
+end
+
+module Schema
+  def self.create
+    ActiveRecord::Migration.verbose = false
+
+    ActiveRecord::Schema.define do
+      create_table :users, force: true do |t|
+        t.string "email", null: false
+        t.string "name"
+        t.string "external_id", null: false
+        t.timestamps null: false
+      end
+
+      create_table :admins, force: true do |t|
+        t.string "email", null: false
+        t.string "phone", null: false
+        t.string "cognito_id", null: false
+        t.timestamps null: false
+      end
+    end
+
+  end
+end

metadata

@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification
+name: cognito_rails
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Mònade
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2023-03-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-cognitoidentityprovider
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Add Cognito authentication to your Rails API
+email: team@monade.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/cognito_rails.rb
+- lib/cognito_rails/config.rb
+- lib/cognito_rails/controller.rb
+- lib/cognito_rails/jwt.rb
+- lib/cognito_rails/model.rb
+- lib/cognito_rails/user.rb
+- lib/cognito_rails/version.rb
+- spec/cognito_rails/controller_spec.rb
+- spec/cognito_rails/jwt_spec.rb
+- spec/cognito_rails/user_spec.rb
+- spec/factories/user.rb
+- spec/spec_helper.rb
+- spec/support/cognito_helpers.rb
+- spec/support/match_structure.rb
+- spec/support/schema.rb
+homepage: https://rubygems.org/gems/cognito_rails
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.6
+signing_key: 
+specification_version: 4
+summary: Add Cognito authentication to your Rails API
+test_files:
+- spec/cognito_rails/controller_spec.rb
+- spec/cognito_rails/jwt_spec.rb
+- spec/cognito_rails/user_spec.rb
+- spec/factories/user.rb
+- spec/spec_helper.rb
+- spec/support/cognito_helpers.rb
+- spec/support/match_structure.rb
+- spec/support/schema.rb