cognito_rails 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d013a998e0deb672975845d617ee6e7bd98985e9776005574edddc60efea303
-  data.tar.gz: ddf9787f8bb69aff3ffcff50464fda787b9097875d9d8da165ef9074138ac4b6
+  metadata.gz: 0e26720020fe66850fb2c51baf995cbb22e1bb0713fa84714b18c7c69ba7eeca
+  data.tar.gz: f0fdfbdf0375fb7a8dcd1d3c4d44393947f785a58e33579d4907d97010ea2b40
 SHA512:
-  metadata.gz: b943c7b79fc60f473b99bd93b52319a4f7abe01f78266ed587f94ca9daf0c74d13ed0c8d72cb44d77c14813a7509b805adb96e929d43d7f22c5ba2b127a3a55b
-  data.tar.gz: 7a65fadd47485c198d6a70696c9e79d52da01130b35d2fd9479e86de64784f15786b4956d4329a873335bec7db794673f86f5971c938e3a234f7f72ad06d7969
+  metadata.gz: ca4c17f11c1e0c9b2619385ae7019632d83505838ef957760a349ccb21dc55e27be8c61c797af9b45db0a93fa17bf0ee6569dd86f8e5275269cab299d991ec96
+  data.tar.gz: b66d984895beb150302232cb7efa59528fd46cd9c61ea3193458fea3a93fc772db27f83af2020879e0c1ca9bb11b861e944570433fcee3222dbc217beaeef4e6

data/lib/cognito_rails/config.rb

@@ -50,9 +50,42 @@ module CognitoRails
         @default_user_class || (raise 'Missing config default_user_class')
       end
 
+      # @param user_class [String,Symbol,Class,nil]
+      # @param options [Hash]
+      # @return [void]
+      def register_user_scope(user_class, options = {})
+        user_class = CognitoRails::Utils.resolve_model_class(user_class)
+        return if user_class.nil?
+
+        options = options.with_indifferent_access
+
+        user_scopes[user_class.name] = {
+          user_pool_id: options[:user_pool_id],
+          aws_region: options[:aws_region],
+          access_key_id: options[:access_key_id],
+          secret_access_key: options[:secret_access_key]
+        }.compact.with_indifferent_access
+      end
+
+      # @param user_class [String,Symbol,Class,nil]
+      # @return [Hash]
+      def user_scope_for(user_class)
+        user_class = CognitoRails::Utils.resolve_model_class(user_class)
+        return {} if user_class.nil?
+
+        (user_scopes[user_class.name] || {}).dup.with_indifferent_access
+      end
+
       def password_generator
         @password_generator || CognitoRails::PasswordGenerator.method(:generate)
       end
+
+      private
+
+      # @return [Hash{String => Hash}]
+      def user_scopes
+        @user_scopes ||= {}
+      end
     end
   end
 end

data/lib/cognito_rails/controller.rb

@@ -5,33 +5,76 @@ module CognitoRails
     extend ActiveSupport::Concern
 
     # @scope class
-    # @!attribute _cognito_user_class [rw]
-    #   @return [String,nil] class name of user model
+    # @!attribute _cognito_user_classes [rw]
+    #   @return [Hash{Symbol => String,Class,nil}] user class by attribute
 
     included do
-      class_attribute :_cognito_user_class
+      class_attribute :_cognito_user_classes
+      self._cognito_user_classes = {}
     end
 
     # @return [ActiveRecord::Base,nil]
     def current_user
-      @current_user ||= cognito_user_klass.find_by_cognito(external_cognito_id) if external_cognito_id
+      cognito_user_for(:current_user)
+    end
+
+    # @param attribute [Symbol]
+    # @return [ActiveRecord::Base,nil]
+    def cognito_user_for(attribute)
+      attribute = attribute.to_sym
+      external_id = external_cognito_id(attribute)
+      return unless external_id
+
+      user_klass = cognito_user_klass(attribute)
+      return unless user_klass
+
+      ivar = "@#{attribute}"
+      var = instance_variable_get(ivar)
+      return var if var
+
+      user = user_klass.find_by_cognito(external_id)
+      instance_variable_set(ivar, user)
     end
 
     private
 
+    # Get the useer from the specified attribute, or from the default :current_user if not found
+    module ClassMethods
+      # @param attribute [Symbol]
+      # @return [void]
+      def _cognito_define_user_reader(attribute)
+        return if method_defined?(attribute)
+
+        define_method(attribute) do
+          cognito_user_for(attribute)
+        end
+      end
+    end
+
     # @return [#find_by_cognito]
-    def cognito_user_klass
-      @cognito_user_klass ||= (self.class._cognito_user_class || CognitoRails::Config.default_user_class)&.constantize
+    def cognito_user_klass(attribute = :current_user)
+      attribute = attribute.to_sym
+      @cognito_user_klasses ||= {}
+      @cognito_user_klasses[attribute] ||= begin
+        user_class = self.class._cognito_user_classes[attribute]
+        user_class ||= CognitoRails::Config.default_user_class
+        CognitoRails::Utils.resolve_model_class(user_class)
+      end
     end
 
     # @return [String,nil] cognito user id
-    def external_cognito_id
+    def external_cognito_id(attribute = :current_user)
       # @type [String,nil]
       token = request.headers['Authorization']&.split(' ')&.last
 
       return unless token
 
-      CognitoRails::JWT.decode(token)&.dig(0, 'sub')
+      user_class = cognito_user_klass(attribute)
+      scope = CognitoRails::User.with_credentials(user_class)
+      user_pool_id = scope.user_pool_id
+      aws_region = scope.aws_region
+      jwt_payload = CognitoRails::JWT.decode(token, user_pool_id: user_pool_id, aws_region: aws_region)
+      jwt_payload&.dig(0, 'sub')
     end
   end
 end

data/lib/cognito_rails/jwt.rb

@@ -8,9 +8,12 @@ module CognitoRails
   class JWT
     class << self
       # @param token [String] JWT token
+      # @param user_pool_id [String,nil] AWS Cognito User Pool ID
+      # @param aws_region [String,nil] AWS region
       # @return [Array<Hash>,nil]
-      def decode(token)
-        aws_idp = with_cache { URI.open(jwks_url).read }
+      def decode(token, user_pool_id: nil, aws_region: nil)
+        url = jwks_url(user_pool_id: user_pool_id, aws_region: aws_region)
+        aws_idp = with_cache(url) { URI.open(url).read }
         jwt_config = JSON.parse(aws_idp, symbolize_names: true)
 
         ::JWT.decode(token, nil, true, { jwks: jwt_config, algorithms: ['RS256'] })
@@ -21,17 +24,20 @@ module CognitoRails
 
       private
 
-      def jwks_url
-        "https://cognito-idp.#{Config.aws_region}.amazonaws.com/#{Config.aws_user_pool_id}/.well-known/jwks.json"
+      def jwks_url(user_pool_id: nil, aws_region: nil)
+        user_pool_id ||= Config.aws_user_pool_id
+        aws_region ||= Config.aws_region
+        "https://cognito-idp.#{aws_region}.amazonaws.com/#{user_pool_id}/.well-known/jwks.json"
       end
 
+      # @param cache_key [String]
       # @param block [Proc]
       # @yield [String] to be cached
       # @return [String] cached block
-      def with_cache(&block)
+      def with_cache(cache_key, &block)
         return yield unless Config.cache_adapter.respond_to?(:fetch)
 
-        Config.cache_adapter.fetch('aws_idp', expires_in: 4.hours, &block)
+        Config.cache_adapter.fetch("aws_idp:#{cache_key}", expires_in: 4.hours, &block)
       end
     end
   end

data/lib/cognito_rails/model.rb

@@ -13,6 +13,8 @@ module CognitoRails
       class_attribute :_cognito_custom_attributes
       class_attribute :_cognito_attribute_name
       class_attribute :_cognito_password_policy
+      class_attribute :_cognito_aws_user_pool_id
+      class_attribute :_cognito_aws_client_credentials
       self._cognito_custom_attributes = []
 
       before_create do
@@ -24,14 +26,13 @@ module CognitoRails
       end
     end
 
-    # rubocop:disable Metrics/BlockLength
     class_methods do
       # @return [Array<ActiveRecord::Base>] all users
       # @raise [CognitoRails::Error] if failed to fetch users
       # @raise [ActiveRecord::RecordInvalid] if failed to save user
       # @yield [user, user_data] yields user and user_data just before saving
       def sync_from_cognito!
-        response = User.all
+        response = User.with_credentials(self).all
         response.users.map do |user_data|
           sync_user!(user_data) do |user|
             yield user, user_data if block_given?
@@ -90,7 +91,7 @@ module CognitoRails
     end
 
     def cognito_user
-      @cognito_user ||= User.find(cognito_external_id, user_class: self.class)
+      @cognito_user ||= cognito_scope.find(cognito_external_id)
     end
 
     protected
@@ -98,16 +99,19 @@ module CognitoRails
     def init_cognito_user
       return if cognito_external_id.present?
 
-      cognito_user = User.new(init_attributes)
+      cognito_user = cognito_scope.new(init_attributes)
       cognito_user.save!
       self.cognito_external_id = cognito_user.id
     end
 
     def init_attributes
-      attrs = { email: email, user_class: self.class }
+      attrs = { email: email }
       attrs[:phone] = phone if respond_to?(:phone)
       attrs[:password] = password if respond_to?(:password)
       attrs[:custom_attributes] = instance_custom_attributes
+      attrs[:verify_email] = self.class._cognito_verify_email
+      attrs[:verify_phone] = self.class._cognito_verify_phone
+      attrs[:password_policy] = self.class._cognito_password_policy
       attrs
     end
 
@@ -128,6 +132,11 @@ module CognitoRails
       cognito_user&.destroy!
     end
 
+    def cognito_scope
+      @cognito_scope ||= User.with_credentials(self.class)
+
+    end
+
     class_methods do
       # @param name [String] attribute name
       # @return [ActiveRecord::Base] model class

data/lib/cognito_rails/user.rb

@@ -2,7 +2,6 @@
 
 require 'active_record'
 require 'active_model/validations'
-require 'securerandom'
 require 'aws-sdk-cognitoidentityprovider'
 
 module CognitoRails
@@ -20,9 +19,13 @@ module CognitoRails
   #   @return [Array<Hash>,nil]
   # @!attribute user_class [rw]
   #   @return [Class,nil]
-  # rubocop:disable Metrics/ClassLength
   class User
-    # rubocop:enable Metrics/ClassLength
+    SCOPE_KEYS = %i[
+      user_pool_id
+      aws_region
+      access_key_id
+      secret_access_key
+    ].freeze
 
     include ActiveModel::Validations
 
@@ -30,48 +33,143 @@ module CognitoRails
 
     validates :email, presence: true
 
+    # Helper bound to a specific Cognito configuration.
+    class CredentialsScope
+      def initialize(scope = {})
+        @scope = User.scope_from(scope)
+      end
+
+      # @param id [String]
+      # @return [OpenStruct]
+      def find_raw(id)
+        cognito_client.admin_get_user(user_pool_id: user_pool_id, username: id)
+      end
+
+      # @param id [String]
+      # @return [CognitoRails::User]
+      def find(id)
+        response = find_raw(id)
+
+        new.tap do |user|
+          user.id = response.username
+          user.email = User.extract_cognito_attribute(response.user_attributes, :email)
+          user.phone = User.extract_cognito_attribute(response.user_attributes, :phone_number)
+        end
+      end
+
+      # @return [OpenStruct]
+      def all
+        cognito_client.list_users(user_pool_id: user_pool_id)
+      end
+
+      # @param attributes [Hash]
+      # @return [CognitoRails::User]
+      def create!(attributes = {})
+        user = new(attributes)
+        user.save!
+        user
+      end
+
+      # @param attributes [Hash]
+      # @return [CognitoRails::User]
+      def create(attributes = {})
+        user = new(attributes)
+        user.save
+        user
+      end
+
+      # @param attributes [Hash]
+      # @return [CognitoRails::User]
+      def new(attributes = {})
+        attrs = attributes.with_indifferent_access
+        User.new(attrs.merge(scope: @scope))
+      end
+
+      # @return [String]
+      def user_pool_id
+        @scope[:user_pool_id] || Config.aws_user_pool_id
+      end
+
+      # @return [String]
+      def aws_region
+        @scope[:aws_region] || config_credentials[:region] || Config.aws_region
+      end
+
+      # @return [Aws::CognitoIdentityProvider::Client]
+      def cognito_client
+        return User.cognito_client if use_default_client?
+
+        credentials = {
+          access_key_id: @scope[:access_key_id],
+          secret_access_key: @scope[:secret_access_key]
+        }.compact
+
+        User.cognito_client_for_credentials(credentials, aws_region: aws_region)
+      end
+
+      private
+
+      def use_default_client?
+        @scope[:aws_region].nil? && @scope[:access_key_id].nil? && @scope[:secret_access_key].nil?
+      end
+
+      def config_credentials
+        Config.aws_client_credentials.with_indifferent_access
+      end
+    end
+
     # @param attributes [Hash]
     # @option attributes [String] :email
     # @option attributes [String, nil] :password
     # @option attributes [String, nil] :phone
     # @option attributes [Array<Hash>, nil] :custom_attributes
-    # @option attributes [Class, nil] :user_class
+    # @option attributes [String, nil] :user_pool_id
+    # @option attributes [String, nil] :aws_region
+    # @option attributes [String, nil] :access_key_id
+    # @option attributes [String, nil] :secret_access_key
+    # @option attributes [Boolean, nil] :verify_email
+    # @option attributes [Boolean, nil] :verify_phone
+    # @option attributes [Symbol, nil] :password_policy
+    # @option attributes [String,Symbol,Class,nil] :user_class
     def initialize(attributes = {})
       attributes = attributes.with_indifferent_access
+
+      @scope = self.class.extract_scope(attributes)
+      @verify_email = attributes[:verify_email]
+      @verify_phone = attributes[:verify_phone]
+      @password_policy = attributes[:password_policy]
+
+      self.user_class = resolve_instance_user_class(attributes)
       self.email = attributes[:email]
       self.password = attributes[:password] || Config.password_generator.call
       self.phone = attributes[:phone]
-      self.user_class = attributes[:user_class] || Config.default_user_class.constantize
       self.custom_attributes = attributes[:custom_attributes]
     end
 
+    # @param credentials [Hash]
+    # @return [CredentialsScope]
+    def self.with_credentials(credentials = {})
+      CredentialsScope.new(credentials)
+    end
+
+    # @param id [String]
+    # @return [OpenStruct]
+    def self.find_raw(id)
+      resolve_scope(nil).find_raw(id)
+    end
+
     # @param id [String]
-    # @param user_class [nil,Object]
     # @return [CognitoRails::User]
-    def self.find(id, user_class = nil)
-      result = cognito_client.admin_get_user(
-        {
-          user_pool_id: CognitoRails::Config.aws_user_pool_id, # required
-          username: id # required
-        }
-      )
-      user = new(user_class: user_class)
-      user.id = result.username
-      user.email = extract_cognito_attribute(result.user_attributes, :email)
-      user.phone = extract_cognito_attribute(result.user_attributes, :phone_number)
-      user
+    def self.find(id)
+      resolve_scope(nil).find(id)
     end
 
+    # @return [OpenStruct]
     def self.all
-      cognito_client.list_users(user_pool_id: CognitoRails::Config.aws_user_pool_id)
+      resolve_scope(nil).all
     end
 
     # @param attributes [Hash]
-    # @option attributes [String] :email
-    # @option attributes [String] :password
-    # @option attributes [String, nil] :phone
-    # @option attributes [Array<Hash>, nil] :custom_attributes
-    # @option attributes [Class, nil] :user_class
     # @return [CognitoRails::User]
     def self.create!(attributes = {})
       user = new(attributes)
@@ -80,11 +178,6 @@ module CognitoRails
     end
 
     # @param attributes [Hash]
-    # @option attributes [String] :email
-    # @option attributes [String] :password
-    # @option attributes [String, nil] :phone
-    # @option attributes [Array<Hash>, nil] :custom_attributes
-    # @option attributes [Class, nil] :user_class
     # @return [CognitoRails::User]
     def self.create(attributes = {})
       user = new(attributes)
@@ -92,6 +185,59 @@ module CognitoRails
       user
     end
 
+    # @return [Aws::CognitoIdentityProvider::Client]
+    def self.cognito_client
+      cognito_client_for_credentials(Config.aws_client_credentials)
+    end
+
+    # @param credentials [Hash]
+    # @param aws_region [String,nil]
+    # @return [Aws::CognitoIdentityProvider::Client]
+    def self.cognito_client_for_credentials(credentials, aws_region: nil)
+      client_options = cognito_client_options(credentials, aws_region: aws_region)
+      cache_key = client_options.sort_by { |key, _| key.to_s }
+
+      @cognito_clients ||= {}
+      @cognito_clients[cache_key] ||= Aws::CognitoIdentityProvider::Client.new(client_options)
+    end
+
+    # @param attributes [Array<Hash,OpenStruct>]
+    # @param column [String,Symbol]
+    # @return [String,nil]
+    def self.extract_cognito_attribute(attributes, column)
+      attribute = attributes.find { |entry| read_attribute_name(entry) == column.to_s }
+      return unless attribute
+
+      read_attribute_value(attribute)
+    end
+
+    # @param credentials [Hash]
+    # @param aws_region [String,nil]
+    # @return [Hash]
+    def self.cognito_client_options(credentials, aws_region: nil)
+      credentials = (credentials || {}).with_indifferent_access
+      region = aws_region || credentials[:region] || Config.aws_region
+
+      {
+        region: region,
+        access_key_id: credentials[:access_key_id],
+        secret_access_key: credentials[:secret_access_key]
+      }.compact.with_indifferent_access
+    end
+
+    def self.scope_from(scope)
+      case scope
+      when nil
+        {}.with_indifferent_access
+      when Hash
+        normalize_scope_hash(scope)
+      when Class
+        CognitoRails::Config.user_scope_for(scope)
+      else
+        raise ArgumentError, 'scope must be a Hash'
+      end
+    end
+
     # @return [Boolean]
     def new_record?
       !persisted?
@@ -127,7 +273,7 @@ module CognitoRails
 
       cognito_client.admin_delete_user(
         {
-          user_pool_id: CognitoRails::Config.aws_user_pool_id,
+          user_pool_id: user_pool_id,
           username: id
         }
       )
@@ -142,38 +288,76 @@ module CognitoRails
       destroy || (raise ActiveRecord::RecordInvalid, self)
     end
 
-    # @return [Aws::CognitoIdentityProvider::Client]
-    # @raise [RuntimeError]
-    def self.cognito_client
-      @cognito_client ||= Aws::CognitoIdentityProvider::Client.new(
-        { region: CognitoRails::Config.aws_region }.merge(CognitoRails::Config.aws_client_credentials)
-      )
+    private
+
+    def self.resolve_scope(scope = nil)
+      with_credentials(scope_from(scope))
     end
 
-    def self.extract_cognito_attribute(attributes, column)
-      attributes.find { |attribute| attribute[:name] == column.to_s }&.dig(:value)
+    def self.extract_scope(attributes)
+      inline_scope = attributes.slice(*SCOPE_KEYS).with_indifferent_access
+      raw_scope = attributes.delete(:scope)
+      raw_scope = raw_scope.nil? ? {} : raw_scope
+
+      merged_scope = raw_scope.with_indifferent_access.merge(inline_scope)
+
+      scope_from(merged_scope)
     end
 
-    private
+    def self.normalize_scope_hash(scope)
+      scope = scope.with_indifferent_access
+
+      {
+        user_pool_id: scope[:user_pool_id],
+        aws_region: scope[:aws_region],
+        access_key_id: scope[:access_key_id],
+        secret_access_key: scope[:secret_access_key]
+      }.compact.with_indifferent_access
+    end
+
+    def self.read_attribute_name(attribute)
+      attribute.respond_to?(:name) ? attribute.name.to_s : attribute[:name].to_s
+    end
+
+    def self.read_attribute_value(attribute)
+      attribute.respond_to?(:value) ? attribute.value : attribute[:value]
+    end
+
+    def resolve_instance_user_class(attributes)
+      resolved = CognitoRails::Utils.resolve_model_class(attributes[:user_class])
+      resolved || Config.default_user_class.constantize
+    end
+
+    def user_pool_id
+      credentials_scope.user_pool_id
+    end
+
+    def aws_region
+      credentials_scope.aws_region
+    end
 
     # @return [Aws::CognitoIdentityProvider::Client]
     def cognito_client
-      self.class.cognito_client
+      credentials_scope.cognito_client
     end
 
     # @return [Boolean]
     def verify_email?
+      return @verify_email unless @verify_email.nil?
+
       user_class._cognito_verify_email
     end
 
     # @return [Boolean]
     def verify_phone?
+      return @verify_phone unless @verify_phone.nil?
+
       user_class._cognito_verify_phone
     end
 
     # @return [Symbol] :temporary | :user_provided
     def cognito_password_policy
-      user_class._cognito_password_policy || :temporary
+      @password_policy || user_class._cognito_password_policy || :temporary
     end
 
     # @return [Array<Hash>]
@@ -181,7 +365,7 @@ module CognitoRails
       [
         *([{ name: 'email', value: email }] if email),
         *([{ name: 'phone_number', value: phone }] if phone),
-        *custom_attributes
+        *Array(custom_attributes)
       ]
     end
 
@@ -193,7 +377,7 @@ module CognitoRails
       ]
     end
 
-    # @return [Array<Hash>]
+    # @return [Hash]
     def password_attributes
       if cognito_password_policy == :user_provided
         { message_action: 'SUPPRESS' }
@@ -204,43 +388,37 @@ module CognitoRails
 
     def set_user_provided_password
       cognito_client.admin_set_user_password(
-        {
-          user_pool_id: CognitoRails::Config.aws_user_pool_id,
-          username: email,
-          password: password,
-          permanent: true
-        }
+        user_pool_id: user_pool_id,
+        username: email,
+        password: password,
+        permanent: true
       )
     end
 
     def save_for_create
-      resp = cognito_client.admin_create_user(
+      response = cognito_client.admin_create_user(
         {
-          user_pool_id: CognitoRails::Config.aws_user_pool_id,
+          user_pool_id: user_pool_id,
           username: email,
-          user_attributes: [
-            *general_user_attributes,
-            *verify_user_attributes
-          ],
+          user_attributes: [*general_user_attributes, *verify_user_attributes],
           **password_attributes
         }
       )
 
       set_user_provided_password if cognito_password_policy == :user_provided
-
-      self.id = resp.user.attributes.find { |a| a[:name] == 'sub' }[:value]
+      self.id = self.class.extract_cognito_attribute(response.user.attributes, :sub)
     end
 
     def save_for_update
       cognito_client.admin_update_user_attributes(
-        {
-          user_pool_id: CognitoRails::Config.aws_user_pool_id,
-          username: id,
-          user_attributes: [
-            *general_user_attributes
-          ]
-        }
+        user_pool_id: user_pool_id,
+        username: id,
+        user_attributes: [*general_user_attributes]
       )
     end
+
+    def credentials_scope
+      @credentials_scope ||= self.class.with_credentials(@scope)
+    end
   end
 end

data/lib/cognito_rails/utils.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module CognitoRails
+  module Utils
+    class << self
+      # @param model_class [String,Symbol,Class,nil]
+      # @return [Class,nil]
+      def resolve_model_class(model_class)
+        case model_class
+        when nil
+          nil
+        when String, Symbol
+          model_class.to_s.constantize
+        else
+          model_class
+        end
+      end
+    end
+  end
+end

data/lib/cognito_rails/version.rb

@@ -2,5 +2,5 @@
 
 module CognitoRails
   # @return [String] gem version
-  VERSION = '1.4.0'
+  VERSION = '1.5.0'
 end

data/lib/cognito_rails.rb

@@ -17,29 +17,48 @@ module CognitoRails
   autoload :User
   autoload :JWT
   autoload :PasswordGenerator
+  autoload :Utils
 
   # @private
   module ModelInitializer
     # @param attribute_name [String]
+    # @param user_pool_id [String]
+    # @param aws_credentials [Hash,nil]
     # @return [void]
-    def as_cognito_user(attribute_name: 'external_id')
+    def as_cognito_user(attribute_name: 'external_id', user_pool_id: nil, aws_credentials: nil)
       send :include, CognitoRails::Model
       self._cognito_attribute_name = attribute_name
+      self._cognito_aws_user_pool_id = user_pool_id
+      self._cognito_aws_client_credentials = aws_credentials
+
+      credentials = (aws_credentials || {}).with_indifferent_access
+
+      CognitoRails::Config.register_user_scope(
+        self,
+        {
+          user_pool_id: user_pool_id,
+          aws_region: credentials[:region],
+          access_key_id: credentials[:access_key_id],
+          secret_access_key: credentials[:secret_access_key]
+        }
+      )
     end
   end
 
   # @private
   module ControllerInitializer
     # @param user_class [Class,nil]
+    # @param attribute_name [String,Symbol]
     # @return [void]
-    def cognito_authentication(user_class: nil)
+    def cognito_authentication(user_class: nil, attribute_name: :current_user)
       send :include, CognitoRails::Controller
-      self._cognito_user_class = user_class
+
+      attribute = attribute_name.to_sym
+      self._cognito_user_classes = _cognito_user_classes.merge(attribute => user_class)
+      _cognito_define_user_reader(attribute)
     end
   end
 end
 
-# rubocop:disable Lint/SendWithMixinArgument
-ActiveRecord::Base.send(:extend, CognitoRails::ModelInitializer)
-ActionController::Metal.send(:extend, CognitoRails::ControllerInitializer)
-# rubocop:enable Lint/SendWithMixinArgument
+ActiveRecord::Base.extend CognitoRails::ModelInitializer
+ActionController::Metal.extend CognitoRails::ControllerInitializer

data/spec/cognito_rails/controller_spec.rb

@@ -48,4 +48,52 @@ RSpec.describe CognitoRails::Controller, type: :model do
       expect(controller.current_user).to eq(user)
     end
   end
+
+  context 'with a custom controller attribute' do
+    class AdminController < ActionController::Base
+      cognito_authentication user_class: 'Admin', attribute_name: :admin_user
+
+      def request
+        @request ||= OpenStruct.new({ headers: { 'Authorization' => 'Bearer aaaaa' } })
+      end
+    end
+
+    let(:controller) { AdminController.new }
+
+    it 'returns a user through the configured attribute' do
+      user = Admin.create!(email: sample_cognito_email, phone: sample_cognito_phone, cognito_id: '123123123')
+
+      expect(CognitoRails::JWT).to receive(:decode).at_least(:once).and_return([{ 'sub' => '123123123' }])
+      expect(controller.admin_user).to eq(user)
+    end
+
+    it 'keeps current_user retrocompatible with the default class' do
+      user = User.create!(email: sample_cognito_email, external_id: '123123123')
+
+      expect(CognitoRails::JWT).to receive(:decode).at_least(:once).and_return([{ 'sub' => '123123123' }])
+      expect(controller.current_user).to eq(user)
+    end
+  end
+
+  context 'with multiple cognito_authentication declarations' do
+    class DualAuthController < ActionController::Base
+      cognito_authentication
+      cognito_authentication user_class: 'Admin', attribute_name: :admin_user
+
+      def request
+        @request ||= OpenStruct.new({ headers: { 'Authorization' => 'Bearer aaaaa' } })
+      end
+    end
+
+    let(:controller) { DualAuthController.new }
+
+    it 'resolves both configured user readers' do
+      user = User.create!(email: sample_cognito_email, external_id: '123123123')
+      admin = Admin.create!(email: sample_cognito_email, phone: sample_cognito_phone, cognito_id: '123123123')
+
+      expect(CognitoRails::JWT).to receive(:decode).at_least(:once).and_return([{ 'sub' => '123123123' }])
+      expect(controller.current_user).to eq(user)
+      expect(controller.admin_user).to eq(admin)
+    end
+  end
 end

data/spec/cognito_rails/user_spec.rb

@@ -25,11 +25,13 @@ RSpec.describe CognitoRails::User, type: :model do
     expect(record.user_class).to eq(User)
   end
 
-  it 'finds a user with admin class' do
-    expect(described_class).to receive(:cognito_client).and_return(fake_cognito_client)
+  it 'finds a user with explicit credentials scope' do
+    allow(Aws::CognitoIdentityProvider::Client).to receive(:new).and_return(fake_cognito_client)
+    described_class.instance_variable_set(:@cognito_clients, nil)
+
+    record = described_class.with_credentials(Admin).find(sample_cognito_id)
 
-    record = described_class.find(sample_cognito_id, Admin)
-    expect(record.user_class).to eq(Admin)
+    expect(record.id).to eq(sample_cognito_id)
   end
 
   it 'finds a user with default class' do
@@ -208,7 +210,27 @@ RSpec.describe CognitoRails::User, type: :model do
 
   context 'admin' do
     before do
-      expect(CognitoRails::User).to receive(:cognito_client).at_least(:once).and_return(fake_cognito_client)
+      allow(CognitoRails::User).to receive(:cognito_client).and_return(fake_cognito_client)
+      allow(Aws::CognitoIdentityProvider::Client).to receive(:new).and_return(fake_cognito_client)
+      CognitoRails::User.instance_variable_set(:@cognito_clients, nil)
+    end
+
+    it 'uses model aws_credentials if present' do
+      Admin.create!(email: sample_cognito_email, phone: '12345678')
+
+      expect(Aws::CognitoIdentityProvider::Client).to have_received(:new).with(
+        hash_including(
+          region: 'admin-region',
+          access_key_id: 'admin_access_key_id',
+          secret_access_key: 'admin_secret_access_key'
+        )
+      )
+    end
+
+    it 'caches clients by region and credentials' do
+      expect(Aws::CognitoIdentityProvider::Client).to receive(:new).once.and_return(fake_cognito_client)
+
+      2.times { Admin.create!(email: "#{SecureRandom.uuid}@mail.com", phone: SecureRandom.hex(5)) }
     end
 
     it '#find_by_cognito' do

data/spec/support/schema.rb

@@ -36,7 +36,14 @@ class Admin < ActiveRecord::Base
   validates :phone, presence: true
   validates :phone, uniqueness: true
 
-  as_cognito_user attribute_name: 'cognito_id'
+  as_cognito_user(
+    attribute_name: 'cognito_id',
+    aws_credentials: {
+      region: 'admin-region',
+      access_key_id: 'admin_access_key_id',
+      secret_access_key: 'admin_secret_access_key'
+    }
+  )
   cognito_verify_email
   cognito_verify_phone
   define_cognito_attribute 'role', 'admin'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cognito_rails
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Mònade
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-01-20 00:00:00.000000000 Z
+date: 2026-03-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -113,6 +113,7 @@ files:
 - lib/cognito_rails/model.rb
 - lib/cognito_rails/password_generator.rb
 - lib/cognito_rails/user.rb
+- lib/cognito_rails/utils.rb
 - lib/cognito_rails/version.rb
 - spec/cognito_rails/controller_spec.rb
 - spec/cognito_rails/jwt_spec.rb