npm - @aws-amplify/adapter-nextjs - Versions diffs - 1.1.6 → 1.1.7-s-auth.30d0cd2.0 - Mend

@aws-amplify/adapter-nextjs 1.1.6 → 1.1.7-s-auth.30d0cd2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/src/oauth/utils/completeOAuthFlow.ts ADDED Viewed

@@ -0,0 +1,176 @@
+import {
+	CognitoUserPoolConfig,
+	OAuthConfig,
+	decodeJWT,
+} from '@aws-amplify/core';
+import { NextRequest, NextResponse } from 'next/server.js';
+import {
+	createKeyValueStorageFromCookieStorageAdapter,
+	validateState,
+} from 'aws-amplify/adapter-core';
+import {
+	AuthenticationResultType,
+	CognitoAuthSignInDetails,
+	DefaultOAuthStore,
+	DefaultTokenStore,
+	DeviceMetadata,
+	TokenOrchestrator,
+} from '@aws-amplify/auth/cognito';
+import { NextServer } from '../../types';
+import { createCookieStorageAdapterFromNextServerContext } from '../../utils/createCookieStorageAdapterFromNextServerContext';
+import { getRedirectUrl } from './getRedirectUrl';
+export const completeOAuthFlow = async ({
+	origin,
+	request,
+	redirectOnComplete,
+	cognitoUserPoolConfig,
+	oAuthConfig,
+	setAuthCookieOptions,
+}: {
+	origin: string;
+	request: NextRequest;
+	customState: string | undefined;
+	redirectOnComplete: string;
+	cognitoUserPoolConfig: CognitoUserPoolConfig;
+	oAuthConfig: OAuthConfig;
+	setAuthCookieOptions?: NextServer.SetCookieOptions;
+}): Promise<Response> => {
+	const { searchParams } = request.nextUrl;
+	const code = searchParams.get('code')!;
+	const state = searchParams.get('state')!;
+	const oAuthTokenEndpoint = `https://${oAuthConfig.domain}/oauth2/token`;
+	const response = NextResponse.redirect(
+		new URL(redirectOnComplete, request.url),
+	);
+	const keyValueStorage = createKeyValueStorageFromCookieStorageAdapter(
+		createCookieStorageAdapterFromNextServerContext({
+			request,
+			response,
+		}),
+		setAuthCookieOptions,
+	);
+	const oAuthStore = new DefaultOAuthStore(keyValueStorage);
+	oAuthStore.setAuthConfig(cognitoUserPoolConfig);
+	await validateState(oAuthStore, state);
+	const authTokenStore = new DefaultTokenStore();
+	authTokenStore.setAuthConfig({ Cognito: cognitoUserPoolConfig });
+	authTokenStore.setKeyValueStorage(keyValueStorage);
+	const tokenOrchestrator = new TokenOrchestrator();
+	tokenOrchestrator.setAuthConfig({ Cognito: cognitoUserPoolConfig });
+	tokenOrchestrator.setAuthTokenStore(authTokenStore);
+	const codeVerifier = await oAuthStore.loadPKCE();
+	const oAuthTokenBody = {
+		grant_type: 'authorization_code',
+		code,
+		client_id: cognitoUserPoolConfig.userPoolClientId,
+		// TODO(Hui): request.nextUrl.origin should be generic and not use Next specifics
+		redirect_uri: getRedirectUrl(origin, oAuthConfig),
+		...(codeVerifier ? { code_verifier: codeVerifier } : {}),
+	};
+	const body = Object.entries(oAuthTokenBody)
+		.map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
+		.join('&');
+	const tokenExchangeResponse = await fetch(oAuthTokenEndpoint, {
+		method: 'POST',
+		headers: {
+			'Content-Type': 'application/x-www-form-urlencoded',
+		},
+		body,
+	});
+	const {
+		access_token,
+		refresh_token: refreshToken,
+		id_token,
+		error,
+		error_message: errorMessage,
+		token_type,
+		expires_in,
+	} = await tokenExchangeResponse.json();
+	if (error) {
+		throw new Error(errorMessage ?? error);
+	}
+	const username =
+		(access_token && decodeJWT(access_token).payload.username) ?? 'username';
+	await writeTokensToStorage(
+		{
+			username,
+			AccessToken: access_token,
+			IdToken: id_token,
+			RefreshToken: refreshToken,
+			TokenType: token_type,
+			ExpiresIn: expires_in,
+		},
+		tokenOrchestrator,
+	);
+	await oAuthStore.clearOAuthData();
+	return response;
+};
+const writeTokensToStorage = async (
+	payload: AuthenticationResultType & {
+		NewDeviceMetadata?: DeviceMetadata;
+		username: string;
+		signInDetails?: CognitoAuthSignInDetails;
+	},
+	tokenOrchestrator: TokenOrchestrator,
+) => {
+	if (!payload.AccessToken) {
+		return;
+	}
+	const accessToken = decodeJWT(payload.AccessToken);
+	const accessTokenIssuedAtInMillis = (accessToken.payload.iat || 0) * 1000;
+	const currentTime = new Date().getTime();
+	const clockDrift =
+		accessTokenIssuedAtInMillis > 0
+			? accessTokenIssuedAtInMillis - currentTime
+			: 0;
+	let idToken;
+	let refreshToken: string | undefined;
+	let deviceMetadata;
+	if (payload.RefreshToken) {
+		refreshToken = payload.RefreshToken;
+	}
+	if (payload.IdToken) {
+		idToken = decodeJWT(payload.IdToken);
+	}
+	if (payload?.NewDeviceMetadata) {
+		deviceMetadata = payload.NewDeviceMetadata;
+	}
+	const tokens: any = {
+		accessToken,
+		idToken,
+		refreshToken,
+		clockDrift,
+		deviceMetadata,
+		username: payload.username,
+	};
+	if (payload?.signInDetails) {
+		tokens.signInDetails = payload.signInDetails;
+	}
+	await tokenOrchestrator.setTokens({ tokens });
+};

package/src/oauth/utils/getRedirectUrl.ts ADDED Viewed

@@ -0,0 +1,23 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+import { AuthError } from '@aws-amplify/auth';
+import { OAuthConfig } from '@aws-amplify/core';
+export const getRedirectUrl = (origin: string, oAuthConfig: OAuthConfig) => {
+	const redirectUrl = oAuthConfig.redirectSignIn.find(url =>
+		url.startsWith(origin),
+	);
+	if (!redirectUrl) {
+		throw new AuthError({
+			name: 'InvalidRedirectException',
+			message:
+				'signInRedirect or signOutRedirect had an invalid format or was not found.',
+			recoverySuggestion:
+				'Please make sure the signIn/Out redirect in your oauth config is valid.',
+		});
+	}
+	return redirectUrl;
+};

package/src/oauth/utils/initOAuthFlow.ts ADDED Viewed

@@ -0,0 +1,109 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+import {
+	AuthProvider,
+	cognitoHostedUIIdentityProviderMap,
+	createKeyValueStorageFromCookieStorageAdapter,
+	generateCodeVerifier,
+	generateState,
+} from 'aws-amplify/adapter-core';
+import { NextRequest, NextResponse } from 'next/server.js';
+import { urlSafeEncode } from '@aws-amplify/core/internals/utils';
+import { CognitoUserPoolConfig, OAuthConfig } from '@aws-amplify/core';
+import { DefaultOAuthStore } from '@aws-amplify/auth/cognito';
+import { createCookieStorageAdapterFromNextServerContext } from '../../utils/createCookieStorageAdapterFromNextServerContext';
+import { NextServer } from '../../types';
+import { getRedirectUrl } from './getRedirectUrl';
+export const initOAuthFlow = async ({
+	request,
+	customState,
+	cognitoUserPoolConfig,
+	oAuthConfig,
+	setAuthCookieOptions,
+}: {
+	origin: string;
+	request: NextRequest;
+	customState: string | undefined;
+	cognitoUserPoolConfig: CognitoUserPoolConfig;
+	oAuthConfig: OAuthConfig;
+	setAuthCookieOptions?: NextServer.SetCookieOptions;
+}): Promise<Response> => {
+	const { searchParams } = request.nextUrl;
+	const specifiedProvider = searchParams.get('provider');
+	const provider = getProvider(specifiedProvider);
+	const randomState = generateState();
+	const state = customState
+		? `${randomState}-${urlSafeEncode(customState)}`
+		: randomState;
+	const scope = oAuthConfig.scopes.join(' ');
+	const redirectUrlSearchParams = new URLSearchParams({
+		redirect_uri: getRedirectUrl(origin, oAuthConfig),
+		response_type: oAuthConfig.responseType,
+		client_id: cognitoUserPoolConfig.userPoolClientId!,
+		identity_provider: provider,
+		scope,
+		state,
+	});
+	let peckKey: string | undefined;
+	if (oAuthConfig.responseType === 'code') {
+		const { value, method, toCodeChallenge } = generateCodeVerifier(128);
+		peckKey = value;
+		redirectUrlSearchParams.append('code_challenge', toCodeChallenge());
+		redirectUrlSearchParams.append('code_challenge_method', method);
+	}
+	const redirectUrl = new URL(
+		`https://${
+			oAuthConfig.domain
+		}/oauth2/authorize?${redirectUrlSearchParams.toString()}`,
+	);
+	const response = NextResponse.redirect(redirectUrl);
+	const keyValueStorage = createKeyValueStorageFromCookieStorageAdapter(
+		createCookieStorageAdapterFromNextServerContext({
+			request,
+			response,
+		}),
+		setAuthCookieOptions,
+	);
+	const oauthStore = new DefaultOAuthStore(keyValueStorage);
+	oauthStore.setAuthConfig(cognitoUserPoolConfig);
+	oauthStore.storeOAuthState(state);
+	peckKey && oauthStore.storePKCE(peckKey);
+	return response;
+};
+const getProvider = (provider: string | null): string => {
+	if (typeof provider === 'string') {
+		return resolveProvider(provider);
+	}
+	return 'COGNITO';
+};
+const resolveProvider = (provider: string): string => {
+	try {
+		assertAuthProvider(provider);
+		return cognitoHostedUIIdentityProviderMap[provider];
+	} catch (_) {
+		return provider;
+	}
+};
+function assertAuthProvider(
+	provider: string,
+): asserts provider is AuthProvider {
+	if (!['Amazon', 'Apple', 'Facebook', 'Google'].includes(provider)) {
+		throw new Error('No valid provider specified.');
+	}
+}

package/src/types/NextServer.ts CHANGED Viewed

@@ -4,11 +4,22 @@
 import { GetServerSidePropsContext as NextGetServerSidePropsContext } from 'next';
 import { NextRequest, NextResponse } from 'next/server.js';
 import { cookies } from 'next/headers.js';
-import { AmplifyOutputs, LegacyConfig } from 'aws-amplify/adapter-core';
+import {
+	AmplifyOutputs,
+	CookieStorage,
+	LegacyConfig,
+} from 'aws-amplify/adapter-core';
 import { AmplifyServer } from '@aws-amplify/core/internals/adapter-core';
 import { ResourcesConfig } from '@aws-amplify/core';
+import {
+	CreateOAuthRouteHandler,
+	GetOAuthInitiationRoute,
+} from '../oauth/types';
+import { CreateTokenExchangeRouteHandler } from '../auth/types';
 export declare namespace NextServer {
+	export type SetCookieOptions = CookieStorage.SetCookieOptions;
 	/**
 	 * This context is normally available in the following:
 	 *   - Next App Router [middleware](https://nextjs.org/docs/app/building-your-application/routing/middleware)
@@ -74,11 +85,26 @@ export declare namespace NextServer {
 	) => Promise<OperationResult>;
 	export interface CreateServerRunnerInput {
+		/**
+		 * The Amplify resources config. Typically imported from `amplify_outputs.json` (Gen2)
+		 * or `amplifyconfiguration.json` (Gen1).
+		 */
 		config: ResourcesConfig | LegacyConfig | AmplifyOutputs;
+		/**
+		 * The origin of your Next app.
+		 */
+		origin?: string;
+		/**
+		 * Configures attributes of Set-Cookie.
+		 */
+		setAuthCookieOptions?: SetCookieOptions;
 	}
 	export interface CreateServerRunnerOutput {
 		runWithAmplifyServerContext: RunOperationWithContext;
+		createOAuthRouteHandler: CreateOAuthRouteHandler;
+		getOAuthInitiationRoute: GetOAuthInitiationRoute;
+		createTokenExchangeRouteHandler: CreateTokenExchangeRouteHandler;
 	}
 	export type CreateServerRunner = (

package/src/utils/createRunWithAmplifyServerContext.ts CHANGED Viewed

@@ -15,8 +15,10 @@ import { createCookieStorageAdapterFromNextServerContext } from './createCookieS
 export const createRunWithAmplifyServerContext = ({
 	config: resourcesConfig,
+	setAuthCookieOptions,
 }: {
 	config: ResourcesConfig;
+	setAuthCookieOptions?: NextServer.SetCookieOptions;
 }) => {
 	const runWithAmplifyServerContext: NextServer.RunOperationWithContext =
 		async ({ nextServerContext, operation }) => {
@@ -34,6 +36,7 @@ export const createRunWithAmplifyServerContext = ({
 								createCookieStorageAdapterFromNextServerContext(
 									nextServerContext,
 								),
+								setAuthCookieOptions,
 							);
 				const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(
 					resourcesConfig.Auth,