@aws-amplify/adapter-nextjs 1.2.1-unstable.1a1a6ce.0 → 1.2.1

package/dist/cjs/utils/createRunWithAmplifyServerContext.js

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createRunWithAmplifyServerContext = void 0;
 const core_1 = require("@aws-amplify/core");
 const adapter_core_1 = require("aws-amplify/adapter-core");
+const createTokenValidator_1 = require("./createTokenValidator");
 const createCookieStorageAdapterFromNextServerContext_1 = require("./createCookieStorageAdapterFromNextServerContext");
 const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
     const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {
@@ -19,7 +20,10 @@ const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
             // static rendering uses the same unauthenticated role cross-sever.
             nextServerContext === null
                 ? core_1.sharedInMemoryStorage
-                : (0, adapter_core_1.createKeyValueStorageFromCookieStorageAdapter)((0, createCookieStorageAdapterFromNextServerContext_1.createCookieStorageAdapterFromNextServerContext)(nextServerContext));
+                : (0, adapter_core_1.createKeyValueStorageFromCookieStorageAdapter)((0, createCookieStorageAdapterFromNextServerContext_1.createCookieStorageAdapterFromNextServerContext)(nextServerContext), (0, createTokenValidator_1.createTokenValidator)({
+                    userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,
+                    userPoolClientId: resourcesConfig?.Auth.Cognito?.userPoolClientId,
+                }));
             const credentialsProvider = (0, adapter_core_1.createAWSCredentialsAndIdentityIdProvider)(resourcesConfig.Auth, keyValueStorage);
             const tokenProvider = (0, adapter_core_1.createUserPoolsTokenProvider)(resourcesConfig.Auth, keyValueStorage);
             return (0, adapter_core_1.runWithAmplifyServerContext)(resourcesConfig, {

package/dist/cjs/utils/createRunWithAmplifyServerContext.js.map

@@ -1 +1 @@
-{"version":3,"file":"createRunWithAmplifyServerContext.js","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createRunWithAmplifyServerContext = void 0;\nconst core_1 = require(\"@aws-amplify/core\");\nconst adapter_core_1 = require(\"aws-amplify/adapter-core\");\nconst createCookieStorageAdapterFromNextServerContext_1 = require(\"./createCookieStorageAdapterFromNextServerContext\");\nconst createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {\n    const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {\n        // When the Auth config is presented, attempt to create a Amplify server\n        // context with token and credentials provider.\n        if (resourcesConfig.Auth) {\n            const keyValueStorage = \n            // When `null` is passed as the value of `nextServerContext`, opt-in\n            // unauthenticated role (primarily for static rendering). It's\n            // safe to use the singleton `MemoryKeyValueStorage` here, as the\n            // static rendering uses the same unauthenticated role cross-sever.\n            nextServerContext === null\n                ? core_1.sharedInMemoryStorage\n                : (0, adapter_core_1.createKeyValueStorageFromCookieStorageAdapter)((0, createCookieStorageAdapterFromNextServerContext_1.createCookieStorageAdapterFromNextServerContext)(nextServerContext));\n            const credentialsProvider = (0, adapter_core_1.createAWSCredentialsAndIdentityIdProvider)(resourcesConfig.Auth, keyValueStorage);\n            const tokenProvider = (0, adapter_core_1.createUserPoolsTokenProvider)(resourcesConfig.Auth, keyValueStorage);\n            return (0, adapter_core_1.runWithAmplifyServerContext)(resourcesConfig, {\n                Auth: { credentialsProvider, tokenProvider },\n            }, operation);\n        }\n        // Otherwise it may be the case that auth is not used, e.g. API key.\n        // Omitting the `Auth` in the second parameter.\n        return (0, adapter_core_1.runWithAmplifyServerContext)(resourcesConfig, {}, operation);\n    };\n    return runWithAmplifyServerContext;\n};\nexports.createRunWithAmplifyServerContext = createRunWithAmplifyServerContext;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,iCAAiC,GAAG,KAAK,CAAC,CAAC;AACnD,MAAM,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;AAC5C,MAAM,cAAc,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAC;AAC3D,MAAM,iDAAiD,GAAG,OAAO,CAAC,mDAAmD,CAAC,CAAC;AACvH,MAAM,iCAAiC,GAAG,CAAC,EAAE,MAAM,EAAE,eAAe,GAAG,KAAK;AAC5E,IAAI,MAAM,2BAA2B,GAAG,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK;AACpF;AACA;AACA,QAAQ,IAAI,eAAe,CAAC,IAAI,EAAE;AAClC,YAAY,MAAM,eAAe;AACjC;AACA;AACA;AACA;AACA,YAAY,iBAAiB,KAAK,IAAI;AACtC,kBAAkB,MAAM,CAAC,qBAAqB;AAC9C,kBAAkB,IAAI,cAAc,CAAC,6CAA6C,EAAE,IAAI,iDAAiD,CAAC,+CAA+C,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAC/M,YAAY,MAAM,mBAAmB,GAAG,IAAI,cAAc,CAAC,yCAAyC,EAAE,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AAC7I,YAAY,MAAM,aAAa,GAAG,IAAI,cAAc,CAAC,4BAA4B,EAAE,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AAC1H,YAAY,OAAO,IAAI,cAAc,CAAC,2BAA2B,EAAE,eAAe,EAAE;AACpF,gBAAgB,IAAI,EAAE,EAAE,mBAAmB,EAAE,aAAa,EAAE;AAC5D,aAAa,EAAE,SAAS,CAAC,CAAC;AAC1B,SAAS;AACT;AACA;AACA,QAAQ,OAAO,IAAI,cAAc,CAAC,2BAA2B,EAAE,eAAe,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/F,KAAK,CAAC;AACN,IAAI,OAAO,2BAA2B,CAAC;AACvC,CAAC,CAAC;AACF,OAAO,CAAC,iCAAiC,GAAG,iCAAiC;;"}
+{"version":3,"file":"createRunWithAmplifyServerContext.js","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createRunWithAmplifyServerContext = void 0;\nconst core_1 = require(\"@aws-amplify/core\");\nconst adapter_core_1 = require(\"aws-amplify/adapter-core\");\nconst createTokenValidator_1 = require(\"./createTokenValidator\");\nconst createCookieStorageAdapterFromNextServerContext_1 = require(\"./createCookieStorageAdapterFromNextServerContext\");\nconst createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {\n    const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {\n        // When the Auth config is presented, attempt to create a Amplify server\n        // context with token and credentials provider.\n        if (resourcesConfig.Auth) {\n            const keyValueStorage = \n            // When `null` is passed as the value of `nextServerContext`, opt-in\n            // unauthenticated role (primarily for static rendering). It's\n            // safe to use the singleton `MemoryKeyValueStorage` here, as the\n            // static rendering uses the same unauthenticated role cross-sever.\n            nextServerContext === null\n                ? core_1.sharedInMemoryStorage\n                : (0, adapter_core_1.createKeyValueStorageFromCookieStorageAdapter)((0, createCookieStorageAdapterFromNextServerContext_1.createCookieStorageAdapterFromNextServerContext)(nextServerContext), (0, createTokenValidator_1.createTokenValidator)({\n                    userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,\n                    userPoolClientId: resourcesConfig?.Auth.Cognito?.userPoolClientId,\n                }));\n            const credentialsProvider = (0, adapter_core_1.createAWSCredentialsAndIdentityIdProvider)(resourcesConfig.Auth, keyValueStorage);\n            const tokenProvider = (0, adapter_core_1.createUserPoolsTokenProvider)(resourcesConfig.Auth, keyValueStorage);\n            return (0, adapter_core_1.runWithAmplifyServerContext)(resourcesConfig, {\n                Auth: { credentialsProvider, tokenProvider },\n            }, operation);\n        }\n        // Otherwise it may be the case that auth is not used, e.g. API key.\n        // Omitting the `Auth` in the second parameter.\n        return (0, adapter_core_1.runWithAmplifyServerContext)(resourcesConfig, {}, operation);\n    };\n    return runWithAmplifyServerContext;\n};\nexports.createRunWithAmplifyServerContext = createRunWithAmplifyServerContext;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,iCAAiC,GAAG,KAAK,CAAC,CAAC;AACnD,MAAM,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;AAC5C,MAAM,cAAc,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAC;AAC3D,MAAM,sBAAsB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;AACjE,MAAM,iDAAiD,GAAG,OAAO,CAAC,mDAAmD,CAAC,CAAC;AACvH,MAAM,iCAAiC,GAAG,CAAC,EAAE,MAAM,EAAE,eAAe,GAAG,KAAK;AAC5E,IAAI,MAAM,2BAA2B,GAAG,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK;AACpF;AACA;AACA,QAAQ,IAAI,eAAe,CAAC,IAAI,EAAE;AAClC,YAAY,MAAM,eAAe;AACjC;AACA;AACA;AACA;AACA,YAAY,iBAAiB,KAAK,IAAI;AACtC,kBAAkB,MAAM,CAAC,qBAAqB;AAC9C,kBAAkB,IAAI,cAAc,CAAC,6CAA6C,EAAE,IAAI,iDAAiD,CAAC,+CAA+C,EAAE,iBAAiB,CAAC,EAAE,IAAI,sBAAsB,CAAC,oBAAoB,EAAE;AAChQ,oBAAoB,UAAU,EAAE,eAAe,EAAE,IAAI,CAAC,OAAO,EAAE,UAAU;AACzE,oBAAoB,gBAAgB,EAAE,eAAe,EAAE,IAAI,CAAC,OAAO,EAAE,gBAAgB;AACrF,iBAAiB,CAAC,CAAC,CAAC;AACpB,YAAY,MAAM,mBAAmB,GAAG,IAAI,cAAc,CAAC,yCAAyC,EAAE,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AAC7I,YAAY,MAAM,aAAa,GAAG,IAAI,cAAc,CAAC,4BAA4B,EAAE,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AAC1H,YAAY,OAAO,IAAI,cAAc,CAAC,2BAA2B,EAAE,eAAe,EAAE;AACpF,gBAAgB,IAAI,EAAE,EAAE,mBAAmB,EAAE,aAAa,EAAE;AAC5D,aAAa,EAAE,SAAS,CAAC,CAAC;AAC1B,SAAS;AACT;AACA;AACA,QAAQ,OAAO,IAAI,cAAc,CAAC,2BAA2B,EAAE,eAAe,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/F,KAAK,CAAC;AACN,IAAI,OAAO,2BAA2B,CAAC;AACvC,CAAC,CAAC;AACF,OAAO,CAAC,iCAAiC,GAAG,iCAAiC;;"}

package/dist/cjs/utils/createTokenValidator.js

@@ -0,0 +1,34 @@
+'use strict';
+
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTokenValidator = void 0;
+const isValidCognitoToken_1 = require("./isValidCognitoToken");
+/**
+ * Creates a validator object for validating methods in a KeyValueStorage.
+ */
+const createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {
+    return {
+        // validate access, id tokens
+        getItem: async (key, value) => {
+            const tokenType = key.includes('.accessToken')
+                ? 'access'
+                : key.includes('.idToken')
+                    ? 'id'
+                    : null;
+            if (!tokenType)
+                return true;
+            if (!userPoolId || !clientId)
+                return false;
+            return (0, isValidCognitoToken_1.isValidCognitoToken)({
+                clientId,
+                userPoolId,
+                tokenType,
+                token: value,
+            });
+        },
+    };
+};
+exports.createTokenValidator = createTokenValidator;
+//# sourceMappingURL=createTokenValidator.js.map

package/dist/cjs/utils/createTokenValidator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createTokenValidator.js","sources":["../../../src/utils/createTokenValidator.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createTokenValidator = void 0;\nconst isValidCognitoToken_1 = require(\"./isValidCognitoToken\");\n/**\n * Creates a validator object for validating methods in a KeyValueStorage.\n */\nconst createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {\n    return {\n        // validate access, id tokens\n        getItem: async (key, value) => {\n            const tokenType = key.includes('.accessToken')\n                ? 'access'\n                : key.includes('.idToken')\n                    ? 'id'\n                    : null;\n            if (!tokenType)\n                return true;\n            if (!userPoolId || !clientId)\n                return false;\n            return (0, isValidCognitoToken_1.isValidCognitoToken)({\n                clientId,\n                userPoolId,\n                tokenType,\n                token: value,\n            });\n        },\n    };\n};\nexports.createTokenValidator = createTokenValidator;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,oBAAoB,GAAG,KAAK,CAAC,CAAC;AACtC,MAAM,qBAAqB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;AAC/D;AACA;AACA;AACA,MAAM,oBAAoB,GAAG,CAAC,EAAE,UAAU,EAAE,gBAAgB,EAAE,QAAQ,GAAG,KAAK;AAC9E,IAAI,OAAO;AACX;AACA,QAAQ,OAAO,EAAE,OAAO,GAAG,EAAE,KAAK,KAAK;AACvC,YAAY,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC;AAC1D,kBAAkB,QAAQ;AAC1B,kBAAkB,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;AAC1C,sBAAsB,IAAI;AAC1B,sBAAsB,IAAI,CAAC;AAC3B,YAAY,IAAI,CAAC,SAAS;AAC1B,gBAAgB,OAAO,IAAI,CAAC;AAC5B,YAAY,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ;AACxC,gBAAgB,OAAO,KAAK,CAAC;AAC7B,YAAY,OAAO,IAAI,qBAAqB,CAAC,mBAAmB,EAAE;AAClE,gBAAgB,QAAQ;AACxB,gBAAgB,UAAU;AAC1B,gBAAgB,SAAS;AACzB,gBAAgB,KAAK,EAAE,KAAK;AAC5B,aAAa,CAAC,CAAC;AACf,SAAS;AACT,KAAK,CAAC;AACN,CAAC,CAAC;AACF,OAAO,CAAC,oBAAoB,GAAG,oBAAoB;;"}

package/dist/cjs/utils/index.js

@@ -3,7 +3,9 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createRunWithAmplifyServerContext = void 0;
+exports.isValidCognitoToken = exports.createRunWithAmplifyServerContext = void 0;
 var createRunWithAmplifyServerContext_1 = require("./createRunWithAmplifyServerContext");
 Object.defineProperty(exports, "createRunWithAmplifyServerContext", { enumerable: true, get: function () { return createRunWithAmplifyServerContext_1.createRunWithAmplifyServerContext; } });
+var isValidCognitoToken_1 = require("./isValidCognitoToken");
+Object.defineProperty(exports, "isValidCognitoToken", { enumerable: true, get: function () { return isValidCognitoToken_1.isValidCognitoToken; } });
 //# sourceMappingURL=index.js.map

package/dist/cjs/utils/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sources":["../../../src/utils/index.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createRunWithAmplifyServerContext = void 0;\nvar createRunWithAmplifyServerContext_1 = require(\"./createRunWithAmplifyServerContext\");\nObject.defineProperty(exports, \"createRunWithAmplifyServerContext\", { enumerable: true, get: function () { return createRunWithAmplifyServerContext_1.createRunWithAmplifyServerContext; } });\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,iCAAiC,GAAG,KAAK,CAAC,CAAC;AACnD,IAAI,mCAAmC,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;AACzF,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,mCAAmC,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,mCAAmC,CAAC,iCAAiC,CAAC,EAAE,EAAE,CAAC;;"}
+{"version":3,"file":"index.js","sources":["../../../src/utils/index.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.isValidCognitoToken = exports.createRunWithAmplifyServerContext = void 0;\nvar createRunWithAmplifyServerContext_1 = require(\"./createRunWithAmplifyServerContext\");\nObject.defineProperty(exports, \"createRunWithAmplifyServerContext\", { enumerable: true, get: function () { return createRunWithAmplifyServerContext_1.createRunWithAmplifyServerContext; } });\nvar isValidCognitoToken_1 = require(\"./isValidCognitoToken\");\nObject.defineProperty(exports, \"isValidCognitoToken\", { enumerable: true, get: function () { return isValidCognitoToken_1.isValidCognitoToken; } });\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,mBAAmB,GAAG,OAAO,CAAC,iCAAiC,GAAG,KAAK,CAAC,CAAC;AACjF,IAAI,mCAAmC,GAAG,OAAO,CAAC,qCAAqC,CAAC,CAAC;AACzF,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,mCAAmC,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,mCAAmC,CAAC,iCAAiC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC9L,IAAI,qBAAqB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;AAC7D,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,qBAAqB,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,qBAAqB,CAAC,mBAAmB,CAAC,EAAE,EAAE,CAAC;;"}

package/dist/cjs/utils/isValidCognitoToken.js

@@ -0,0 +1,35 @@
+'use strict';
+
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isValidCognitoToken = void 0;
+const aws_jwt_verify_1 = require("aws-jwt-verify");
+/**
+ * Verifies a Cognito JWT token for its validity.
+ *
+ * @param input - An object containing:
+ *                - token: The JWT token as a string that needs to be verified.
+ *                - userPoolId: The ID of the AWS Cognito User Pool to which the token belongs.
+ *                - clientId: The Client ID associated with the Cognito User Pool.
+ * @internal
+ */
+const isValidCognitoToken = async (input) => {
+    const { userPoolId, clientId, tokenType, token } = input;
+    try {
+        const verifier = aws_jwt_verify_1.CognitoJwtVerifier.create({
+            userPoolId,
+            tokenUse: tokenType,
+            clientId,
+        });
+        await verifier.verify(token);
+        return true;
+    }
+    catch (error) {
+        // TODO (ashwinkumar6): surface invalid cognito token error to customer
+        // TODO: clear invalid tokens from Storage
+        return false;
+    }
+};
+exports.isValidCognitoToken = isValidCognitoToken;
+//# sourceMappingURL=isValidCognitoToken.js.map

package/dist/cjs/utils/isValidCognitoToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isValidCognitoToken.js","sources":["../../../src/utils/isValidCognitoToken.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.isValidCognitoToken = void 0;\nconst aws_jwt_verify_1 = require(\"aws-jwt-verify\");\n/**\n * Verifies a Cognito JWT token for its validity.\n *\n * @param input - An object containing:\n *                - token: The JWT token as a string that needs to be verified.\n *                - userPoolId: The ID of the AWS Cognito User Pool to which the token belongs.\n *                - clientId: The Client ID associated with the Cognito User Pool.\n * @internal\n */\nconst isValidCognitoToken = async (input) => {\n    const { userPoolId, clientId, tokenType, token } = input;\n    try {\n        const verifier = aws_jwt_verify_1.CognitoJwtVerifier.create({\n            userPoolId,\n            tokenUse: tokenType,\n            clientId,\n        });\n        await verifier.verify(token);\n        return true;\n    }\n    catch (error) {\n        // TODO (ashwinkumar6): surface invalid cognito token error to customer\n        // TODO: clear invalid tokens from Storage\n        return false;\n    }\n};\nexports.isValidCognitoToken = isValidCognitoToken;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,mBAAmB,GAAG,KAAK,CAAC,CAAC;AACrC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;AACnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAM,mBAAmB,GAAG,OAAO,KAAK,KAAK;AAC7C,IAAI,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;AAC7D,IAAI,IAAI;AACR,QAAQ,MAAM,QAAQ,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,MAAM,CAAC;AACpE,YAAY,UAAU;AACtB,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,QAAQ;AACpB,SAAS,CAAC,CAAC;AACX,QAAQ,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrC,QAAQ,OAAO,IAAI,CAAC;AACpB,KAAK;AACL,IAAI,OAAO,KAAK,EAAE;AAClB;AACA;AACA,QAAQ,OAAO,KAAK,CAAC;AACrB,KAAK;AACL,CAAC,CAAC;AACF,OAAO,CAAC,mBAAmB,GAAG,mBAAmB;;"}

package/dist/esm/api/createServerRunnerForAPI.mjs

@@ -1,5 +1,6 @@
 import { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';
 import { createRunWithAmplifyServerContext } from '../utils/createRunWithAmplifyServerContext.mjs';
+import 'aws-jwt-verify';
 
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

package/dist/esm/api/createServerRunnerForAPI.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"createServerRunnerForAPI.mjs","sources":["../../../src/api/createServerRunnerForAPI.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';\nimport { createRunWithAmplifyServerContext } from '../utils';\nexport const createServerRunnerForAPI = ({ config, }) => {\n    const amplifyConfig = parseAmplifyConfig(config);\n    return {\n        runWithAmplifyServerContext: createRunWithAmplifyServerContext({\n            config: amplifyConfig,\n        }),\n        resourcesConfig: amplifyConfig,\n    };\n};\n"],"names":[],"mappings":";;;AAAA;AACA;AAGY,MAAC,wBAAwB,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK;AACzD,IAAI,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;AACrD,IAAI,OAAO;AACX,QAAQ,2BAA2B,EAAE,iCAAiC,CAAC;AACvE,YAAY,MAAM,EAAE,aAAa;AACjC,SAAS,CAAC;AACV,QAAQ,eAAe,EAAE,aAAa;AACtC,KAAK,CAAC;AACN;;;;"}
+{"version":3,"file":"createServerRunnerForAPI.mjs","sources":["../../../src/api/createServerRunnerForAPI.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';\nimport { createRunWithAmplifyServerContext } from '../utils';\nexport const createServerRunnerForAPI = ({ config, }) => {\n    const amplifyConfig = parseAmplifyConfig(config);\n    return {\n        runWithAmplifyServerContext: createRunWithAmplifyServerContext({\n            config: amplifyConfig,\n        }),\n        resourcesConfig: amplifyConfig,\n    };\n};\n"],"names":[],"mappings":";;;;AAAA;AACA;AAGY,MAAC,wBAAwB,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK;AACzD,IAAI,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;AACrD,IAAI,OAAO;AACX,QAAQ,2BAA2B,EAAE,iCAAiC,CAAC;AACvE,YAAY,MAAM,EAAE,aAAa;AACjC,SAAS,CAAC;AACV,QAAQ,eAAe,EAAE,aAAa;AACtC,KAAK,CAAC;AACN;;;;"}

package/dist/esm/createServerRunner.mjs

@@ -1,5 +1,6 @@
 import { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';
 import { createRunWithAmplifyServerContext } from './utils/createRunWithAmplifyServerContext.mjs';
+import 'aws-jwt-verify';
 
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

package/dist/esm/createServerRunner.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"createServerRunner.mjs","sources":["../../src/createServerRunner.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';\nimport { createRunWithAmplifyServerContext } from './utils';\n/**\n * Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.\n *\n * @remarks\n * This function should be called only once; you can use the returned `runWithAmplifyServerContext` across\n * your codebase.\n *\n * @param input The input used to create the `runWithAmplifyServerContext` function.\n * @param input.config The {@link ResourcesConfig} imported from the `amplifyconfiguration.json` file or manually\n * created.\n * @returns An object that contains the `runWithAmplifyServerContext` function.\n *\n * @example\n * import { createServerRunner } from '@aws-amplify/adapter-nextjs';\n * import config from './amplifyconfiguration.json';\n *\n * export const { runWithAmplifyServerContext } = createServerRunner({ config })\n */\nexport const createServerRunner = ({ config, }) => {\n    const amplifyConfig = parseAmplifyConfig(config);\n    return {\n        runWithAmplifyServerContext: createRunWithAmplifyServerContext({\n            config: amplifyConfig,\n        }),\n    };\n};\n"],"names":[],"mappings":";;;AAAA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACY,MAAC,kBAAkB,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK;AACnD,IAAI,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;AACrD,IAAI,OAAO;AACX,QAAQ,2BAA2B,EAAE,iCAAiC,CAAC;AACvE,YAAY,MAAM,EAAE,aAAa;AACjC,SAAS,CAAC;AACV,KAAK,CAAC;AACN;;;;"}
+{"version":3,"file":"createServerRunner.mjs","sources":["../../src/createServerRunner.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';\nimport { createRunWithAmplifyServerContext } from './utils';\n/**\n * Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.\n *\n * @remarks\n * This function should be called only once; you can use the returned `runWithAmplifyServerContext` across\n * your codebase.\n *\n * @param input The input used to create the `runWithAmplifyServerContext` function.\n * @param input.config The {@link ResourcesConfig} imported from the `amplifyconfiguration.json` file or manually\n * created.\n * @returns An object that contains the `runWithAmplifyServerContext` function.\n *\n * @example\n * import { createServerRunner } from '@aws-amplify/adapter-nextjs';\n * import config from './amplifyconfiguration.json';\n *\n * export const { runWithAmplifyServerContext } = createServerRunner({ config })\n */\nexport const createServerRunner = ({ config, }) => {\n    const amplifyConfig = parseAmplifyConfig(config);\n    return {\n        runWithAmplifyServerContext: createRunWithAmplifyServerContext({\n            config: amplifyConfig,\n        }),\n    };\n};\n"],"names":[],"mappings":";;;;AAAA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACY,MAAC,kBAAkB,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK;AACnD,IAAI,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;AACrD,IAAI,OAAO;AACX,QAAQ,2BAA2B,EAAE,iCAAiC,CAAC;AACvE,YAAY,MAAM,EAAE,aAAa;AACjC,SAAS,CAAC;AACV,KAAK,CAAC;AACN;;;;"}

package/dist/esm/utils/createRunWithAmplifyServerContext.mjs

@@ -1,5 +1,6 @@
 import { sharedInMemoryStorage } from '@aws-amplify/core';
 import { createKeyValueStorageFromCookieStorageAdapter, createAWSCredentialsAndIdentityIdProvider, createUserPoolsTokenProvider, runWithAmplifyServerContext } from 'aws-amplify/adapter-core';
+import { createTokenValidator } from './createTokenValidator.mjs';
 import { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext.mjs';
 
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
@@ -16,7 +17,10 @@ const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
             // static rendering uses the same unauthenticated role cross-sever.
             nextServerContext === null
                 ? sharedInMemoryStorage
-                : createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext(nextServerContext));
+                : createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext(nextServerContext), createTokenValidator({
+                    userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,
+                    userPoolClientId: resourcesConfig?.Auth.Cognito?.userPoolClientId,
+                }));
             const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(resourcesConfig.Auth, keyValueStorage);
             const tokenProvider = createUserPoolsTokenProvider(resourcesConfig.Auth, keyValueStorage);
             return runWithAmplifyServerContext(resourcesConfig, {

package/dist/esm/utils/createRunWithAmplifyServerContext.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"createRunWithAmplifyServerContext.mjs","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { sharedInMemoryStorage } from '@aws-amplify/core';\nimport { createAWSCredentialsAndIdentityIdProvider, createKeyValueStorageFromCookieStorageAdapter, createUserPoolsTokenProvider, runWithAmplifyServerContext as runWithAmplifyServerContextCore, } from 'aws-amplify/adapter-core';\nimport { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext';\nexport const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {\n    const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {\n        // When the Auth config is presented, attempt to create a Amplify server\n        // context with token and credentials provider.\n        if (resourcesConfig.Auth) {\n            const keyValueStorage = \n            // When `null` is passed as the value of `nextServerContext`, opt-in\n            // unauthenticated role (primarily for static rendering). It's\n            // safe to use the singleton `MemoryKeyValueStorage` here, as the\n            // static rendering uses the same unauthenticated role cross-sever.\n            nextServerContext === null\n                ? sharedInMemoryStorage\n                : createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext(nextServerContext));\n            const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(resourcesConfig.Auth, keyValueStorage);\n            const tokenProvider = createUserPoolsTokenProvider(resourcesConfig.Auth, keyValueStorage);\n            return runWithAmplifyServerContextCore(resourcesConfig, {\n                Auth: { credentialsProvider, tokenProvider },\n            }, operation);\n        }\n        // Otherwise it may be the case that auth is not used, e.g. API key.\n        // Omitting the `Auth` in the second parameter.\n        return runWithAmplifyServerContextCore(resourcesConfig, {}, operation);\n    };\n    return runWithAmplifyServerContext;\n};\n"],"names":["runWithAmplifyServerContext","runWithAmplifyServerContextCore"],"mappings":";;;;AAAA;AACA;AAIY,MAAC,iCAAiC,GAAG,CAAC,EAAE,MAAM,EAAE,eAAe,GAAG,KAAK;AACnF,IAAI,MAAMA,6BAA2B,GAAG,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK;AACpF;AACA;AACA,QAAQ,IAAI,eAAe,CAAC,IAAI,EAAE;AAClC,YAAY,MAAM,eAAe;AACjC;AACA;AACA;AACA;AACA,YAAY,iBAAiB,KAAK,IAAI;AACtC,kBAAkB,qBAAqB;AACvC,kBAAkB,6CAA6C,CAAC,+CAA+C,CAAC,iBAAiB,CAAC,CAAC,CAAC;AACpI,YAAY,MAAM,mBAAmB,GAAG,yCAAyC,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACzH,YAAY,MAAM,aAAa,GAAG,4BAA4B,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACtG,YAAY,OAAOC,2BAA+B,CAAC,eAAe,EAAE;AACpE,gBAAgB,IAAI,EAAE,EAAE,mBAAmB,EAAE,aAAa,EAAE;AAC5D,aAAa,EAAE,SAAS,CAAC,CAAC;AAC1B,SAAS;AACT;AACA;AACA,QAAQ,OAAOA,2BAA+B,CAAC,eAAe,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/E,KAAK,CAAC;AACN,IAAI,OAAOD,6BAA2B,CAAC;AACvC;;;;"}
+{"version":3,"file":"createRunWithAmplifyServerContext.mjs","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { sharedInMemoryStorage } from '@aws-amplify/core';\nimport { createAWSCredentialsAndIdentityIdProvider, createKeyValueStorageFromCookieStorageAdapter, createUserPoolsTokenProvider, runWithAmplifyServerContext as runWithAmplifyServerContextCore, } from 'aws-amplify/adapter-core';\nimport { createTokenValidator } from './createTokenValidator';\nimport { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext';\nexport const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {\n    const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {\n        // When the Auth config is presented, attempt to create a Amplify server\n        // context with token and credentials provider.\n        if (resourcesConfig.Auth) {\n            const keyValueStorage = \n            // When `null` is passed as the value of `nextServerContext`, opt-in\n            // unauthenticated role (primarily for static rendering). It's\n            // safe to use the singleton `MemoryKeyValueStorage` here, as the\n            // static rendering uses the same unauthenticated role cross-sever.\n            nextServerContext === null\n                ? sharedInMemoryStorage\n                : createKeyValueStorageFromCookieStorageAdapter(createCookieStorageAdapterFromNextServerContext(nextServerContext), createTokenValidator({\n                    userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,\n                    userPoolClientId: resourcesConfig?.Auth.Cognito?.userPoolClientId,\n                }));\n            const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(resourcesConfig.Auth, keyValueStorage);\n            const tokenProvider = createUserPoolsTokenProvider(resourcesConfig.Auth, keyValueStorage);\n            return runWithAmplifyServerContextCore(resourcesConfig, {\n                Auth: { credentialsProvider, tokenProvider },\n            }, operation);\n        }\n        // Otherwise it may be the case that auth is not used, e.g. API key.\n        // Omitting the `Auth` in the second parameter.\n        return runWithAmplifyServerContextCore(resourcesConfig, {}, operation);\n    };\n    return runWithAmplifyServerContext;\n};\n"],"names":["runWithAmplifyServerContext","runWithAmplifyServerContextCore"],"mappings":";;;;;AAAA;AACA;AAKY,MAAC,iCAAiC,GAAG,CAAC,EAAE,MAAM,EAAE,eAAe,GAAG,KAAK;AACnF,IAAI,MAAMA,6BAA2B,GAAG,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK;AACpF;AACA;AACA,QAAQ,IAAI,eAAe,CAAC,IAAI,EAAE;AAClC,YAAY,MAAM,eAAe;AACjC;AACA;AACA;AACA;AACA,YAAY,iBAAiB,KAAK,IAAI;AACtC,kBAAkB,qBAAqB;AACvC,kBAAkB,6CAA6C,CAAC,+CAA+C,CAAC,iBAAiB,CAAC,EAAE,oBAAoB,CAAC;AACzJ,oBAAoB,UAAU,EAAE,eAAe,EAAE,IAAI,CAAC,OAAO,EAAE,UAAU;AACzE,oBAAoB,gBAAgB,EAAE,eAAe,EAAE,IAAI,CAAC,OAAO,EAAE,gBAAgB;AACrF,iBAAiB,CAAC,CAAC,CAAC;AACpB,YAAY,MAAM,mBAAmB,GAAG,yCAAyC,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACzH,YAAY,MAAM,aAAa,GAAG,4BAA4B,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACtG,YAAY,OAAOC,2BAA+B,CAAC,eAAe,EAAE;AACpE,gBAAgB,IAAI,EAAE,EAAE,mBAAmB,EAAE,aAAa,EAAE;AAC5D,aAAa,EAAE,SAAS,CAAC,CAAC;AAC1B,SAAS;AACT;AACA;AACA,QAAQ,OAAOA,2BAA+B,CAAC,eAAe,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/E,KAAK,CAAC;AACN,IAAI,OAAOD,6BAA2B,CAAC;AACvC;;;;"}

package/dist/esm/utils/createTokenValidator.d.ts

@@ -0,0 +1,10 @@
+import { KeyValueStorageMethodValidator } from '@aws-amplify/core/internals/adapter-core';
+interface CreateTokenValidatorInput {
+    userPoolId?: string;
+    userPoolClientId?: string;
+}
+/**
+ * Creates a validator object for validating methods in a KeyValueStorage.
+ */
+export declare const createTokenValidator: ({ userPoolId, userPoolClientId: clientId, }: CreateTokenValidatorInput) => KeyValueStorageMethodValidator;
+export {};

package/dist/esm/utils/createTokenValidator.mjs

@@ -0,0 +1,32 @@
+import { isValidCognitoToken } from './isValidCognitoToken.mjs';
+
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Creates a validator object for validating methods in a KeyValueStorage.
+ */
+const createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {
+    return {
+        // validate access, id tokens
+        getItem: async (key, value) => {
+            const tokenType = key.includes('.accessToken')
+                ? 'access'
+                : key.includes('.idToken')
+                    ? 'id'
+                    : null;
+            if (!tokenType)
+                return true;
+            if (!userPoolId || !clientId)
+                return false;
+            return isValidCognitoToken({
+                clientId,
+                userPoolId,
+                tokenType,
+                token: value,
+            });
+        },
+    };
+};
+
+export { createTokenValidator };
+//# sourceMappingURL=createTokenValidator.mjs.map

package/dist/esm/utils/createTokenValidator.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"createTokenValidator.mjs","sources":["../../../src/utils/createTokenValidator.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { isValidCognitoToken } from './isValidCognitoToken';\n/**\n * Creates a validator object for validating methods in a KeyValueStorage.\n */\nexport const createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {\n    return {\n        // validate access, id tokens\n        getItem: async (key, value) => {\n            const tokenType = key.includes('.accessToken')\n                ? 'access'\n                : key.includes('.idToken')\n                    ? 'id'\n                    : null;\n            if (!tokenType)\n                return true;\n            if (!userPoolId || !clientId)\n                return false;\n            return isValidCognitoToken({\n                clientId,\n                userPoolId,\n                tokenType,\n                token: value,\n            });\n        },\n    };\n};\n"],"names":[],"mappings":";;AAAA;AACA;AAEA;AACA;AACA;AACY,MAAC,oBAAoB,GAAG,CAAC,EAAE,UAAU,EAAE,gBAAgB,EAAE,QAAQ,GAAG,KAAK;AACrF,IAAI,OAAO;AACX;AACA,QAAQ,OAAO,EAAE,OAAO,GAAG,EAAE,KAAK,KAAK;AACvC,YAAY,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC;AAC1D,kBAAkB,QAAQ;AAC1B,kBAAkB,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;AAC1C,sBAAsB,IAAI;AAC1B,sBAAsB,IAAI,CAAC;AAC3B,YAAY,IAAI,CAAC,SAAS;AAC1B,gBAAgB,OAAO,IAAI,CAAC;AAC5B,YAAY,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ;AACxC,gBAAgB,OAAO,KAAK,CAAC;AAC7B,YAAY,OAAO,mBAAmB,CAAC;AACvC,gBAAgB,QAAQ;AACxB,gBAAgB,UAAU;AAC1B,gBAAgB,SAAS;AACzB,gBAAgB,KAAK,EAAE,KAAK;AAC5B,aAAa,CAAC,CAAC;AACf,SAAS;AACT,KAAK,CAAC;AACN;;;;"}

package/dist/esm/utils/index.d.ts

@@ -1 +1,2 @@
 export { createRunWithAmplifyServerContext } from './createRunWithAmplifyServerContext';
+export { isValidCognitoToken } from './isValidCognitoToken';

package/dist/esm/utils/index.mjs

@@ -1,2 +1,3 @@
 export { createRunWithAmplifyServerContext } from './createRunWithAmplifyServerContext.mjs';
+export { isValidCognitoToken } from './isValidCognitoToken.mjs';
 //# sourceMappingURL=index.mjs.map

package/dist/esm/utils/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":""}
+{"version":3,"file":"index.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";"}

package/dist/esm/utils/isValidCognitoToken.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Verifies a Cognito JWT token for its validity.
+ *
+ * @param input - An object containing:
+ *                - token: The JWT token as a string that needs to be verified.
+ *                - userPoolId: The ID of the AWS Cognito User Pool to which the token belongs.
+ *                - clientId: The Client ID associated with the Cognito User Pool.
+ * @internal
+ */
+export declare const isValidCognitoToken: (input: {
+    token: string;
+    userPoolId: string;
+    clientId: string;
+    tokenType: 'id' | 'access';
+}) => Promise<boolean>;

package/dist/esm/utils/isValidCognitoToken.mjs

@@ -0,0 +1,33 @@
+import { CognitoJwtVerifier } from 'aws-jwt-verify';
+
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * Verifies a Cognito JWT token for its validity.
+ *
+ * @param input - An object containing:
+ *                - token: The JWT token as a string that needs to be verified.
+ *                - userPoolId: The ID of the AWS Cognito User Pool to which the token belongs.
+ *                - clientId: The Client ID associated with the Cognito User Pool.
+ * @internal
+ */
+const isValidCognitoToken = async (input) => {
+    const { userPoolId, clientId, tokenType, token } = input;
+    try {
+        const verifier = CognitoJwtVerifier.create({
+            userPoolId,
+            tokenUse: tokenType,
+            clientId,
+        });
+        await verifier.verify(token);
+        return true;
+    }
+    catch (error) {
+        // TODO (ashwinkumar6): surface invalid cognito token error to customer
+        // TODO: clear invalid tokens from Storage
+        return false;
+    }
+};
+
+export { isValidCognitoToken };
+//# sourceMappingURL=isValidCognitoToken.mjs.map

package/dist/esm/utils/isValidCognitoToken.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"isValidCognitoToken.mjs","sources":["../../../src/utils/isValidCognitoToken.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { CognitoJwtVerifier } from 'aws-jwt-verify';\n/**\n * Verifies a Cognito JWT token for its validity.\n *\n * @param input - An object containing:\n *                - token: The JWT token as a string that needs to be verified.\n *                - userPoolId: The ID of the AWS Cognito User Pool to which the token belongs.\n *                - clientId: The Client ID associated with the Cognito User Pool.\n * @internal\n */\nexport const isValidCognitoToken = async (input) => {\n    const { userPoolId, clientId, tokenType, token } = input;\n    try {\n        const verifier = CognitoJwtVerifier.create({\n            userPoolId,\n            tokenUse: tokenType,\n            clientId,\n        });\n        await verifier.verify(token);\n        return true;\n    }\n    catch (error) {\n        // TODO (ashwinkumar6): surface invalid cognito token error to customer\n        // TODO: clear invalid tokens from Storage\n        return false;\n    }\n};\n"],"names":[],"mappings":";;AAAA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACY,MAAC,mBAAmB,GAAG,OAAO,KAAK,KAAK;AACpD,IAAI,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;AAC7D,IAAI,IAAI;AACR,QAAQ,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC;AACnD,YAAY,UAAU;AACtB,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,QAAQ;AACpB,SAAS,CAAC,CAAC;AACX,QAAQ,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrC,QAAQ,OAAO,IAAI,CAAC;AACpB,KAAK;AACL,IAAI,OAAO,KAAK,EAAE;AAClB;AACA;AACA,QAAQ,OAAO,KAAK,CAAC;AACrB,KAAK;AACL;;;;"}

package/package.json

@@ -1,74 +1,75 @@
 {
-  "author": "Amazon Web Services",
-  "name": "@aws-amplify/adapter-nextjs",
-  "version": "1.2.1-unstable.1a1a6ce.0+1a1a6ce",
-  "description": "The adapter for the supporting of using Amplify APIs in Next.js.",
-  "peerDependencies": {
-    "aws-amplify": "6.3.4-unstable.1a1a6ce.0+1a1a6ce",
-    "next": ">=13.5.0 <15.0.0"
-  },
-  "dependencies": {
-    "cookie": "0.5.0"
-  },
-  "devDependencies": {
-    "@types/cookie": "0.5.1",
-    "@types/node": "^20.3.1",
-    "@types/react": "^18.2.13",
-    "@types/react-dom": "^18.2.6",
-    "aws-amplify": "6.3.4-unstable.1a1a6ce.0+1a1a6ce",
-    "jest-fetch-mock": "3.0.3",
-    "next": ">= 13.5.0 < 15.0.0",
-    "typescript": "5.0.2"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "bugs": {
-    "url": "https://github.com/aws/aws-amplify/issues"
-  },
-  "exports": {
-    ".": {
-      "types": "./dist/esm/index.d.ts",
-      "import": "./dist/esm/index.mjs",
-      "require": "./dist/cjs/index.js"
-    },
-    "./api": {
-      "types": "./dist/esm/api/index.d.ts",
-      "import": "./dist/esm/api/index.mjs",
-      "require": "./dist/cjs/api/index.js"
-    },
-    "./data": {
-      "types": "./dist/esm/api/index.d.ts",
-      "import": "./dist/esm/api/index.mjs",
-      "require": "./dist/cjs/api/index.js"
-    },
-    "./package.json": "./package.json"
-  },
-  "files": [
-    "dist/cjs",
-    "dist/esm",
-    "src",
-    "api",
-    "data"
-  ],
-  "homepage": "https://aws-amplify.github.io/",
-  "license": "Apache-2.0",
-  "main": "./dist/cjs/index.js",
-  "module": "./dist/esm/index.mjs",
-  "typings": "./dist/esm/index.d.ts",
-  "sideEffects": false,
-  "scripts": {
-    "build": "npm run clean && npm run build:esm-cjs",
-    "build-with-test": "npm test && npm run build",
-    "build:esm-cjs": "rollup --forceExit -c rollup.config.mjs",
-    "build:watch": "npm run build:esm-cjs -- --watch",
-    "clean": "npm run clean:size && rimraf dist",
-    "clean:size": "rimraf dual-publish-tmp tmp*",
-    "format": "echo \"Not implemented\"",
-    "lint": "eslint '**/*.{ts,tsx}' && npm run ts-coverage",
-    "lint:fix": "eslint '**/*.{ts,tsx}' --fix",
-    "test": "npm run lint && jest -w 1 --coverage --logHeapUsage",
-    "ts-coverage": "typescript-coverage-report -p ./tsconfig.build.json -t 90.31"
-  },
-  "gitHead": "1a1a6ce60a331fe4910bd7fc3ca8ab7953a51c0e"
+	"author": "Amazon Web Services",
+	"name": "@aws-amplify/adapter-nextjs",
+	"version": "1.2.1",
+	"description": "The adapter for the supporting of using Amplify APIs in Next.js.",
+	"peerDependencies": {
+		"aws-amplify": "^6.0.7",
+		"next": ">=13.5.0 <15.0.0"
+	},
+	"dependencies": {
+		"aws-jwt-verify": "^4.0.1",
+		"cookie": "0.5.0"
+	},
+	"devDependencies": {
+		"@types/cookie": "0.5.1",
+		"@types/node": "^20.3.1",
+		"@types/react": "^18.2.13",
+		"@types/react-dom": "^18.2.6",
+		"aws-amplify": "6.3.4",
+		"jest-fetch-mock": "3.0.3",
+		"next": ">= 13.5.0 < 15.0.0",
+		"typescript": "5.0.2"
+	},
+	"publishConfig": {
+		"access": "public"
+	},
+	"bugs": {
+		"url": "https://github.com/aws/aws-amplify/issues"
+	},
+	"exports": {
+		".": {
+			"types": "./dist/esm/index.d.ts",
+			"import": "./dist/esm/index.mjs",
+			"require": "./dist/cjs/index.js"
+		},
+		"./api": {
+			"types": "./dist/esm/api/index.d.ts",
+			"import": "./dist/esm/api/index.mjs",
+			"require": "./dist/cjs/api/index.js"
+		},
+		"./data": {
+			"types": "./dist/esm/api/index.d.ts",
+			"import": "./dist/esm/api/index.mjs",
+			"require": "./dist/cjs/api/index.js"
+		},
+		"./package.json": "./package.json"
+	},
+	"files": [
+		"dist/cjs",
+		"dist/esm",
+		"src",
+		"api",
+		"data"
+	],
+	"homepage": "https://aws-amplify.github.io/",
+	"license": "Apache-2.0",
+	"main": "./dist/cjs/index.js",
+	"module": "./dist/esm/index.mjs",
+	"typings": "./dist/esm/index.d.ts",
+	"sideEffects": false,
+	"scripts": {
+		"build": "npm run clean && npm run build:esm-cjs",
+		"build-with-test": "npm test && npm run build",
+		"build:esm-cjs": "rollup --forceExit -c rollup.config.mjs",
+		"build:watch": "npm run build:esm-cjs -- --watch",
+		"clean": "npm run clean:size && rimraf dist",
+		"clean:size": "rimraf dual-publish-tmp tmp*",
+		"format": "echo \"Not implemented\"",
+		"lint": "eslint '**/*.{ts,tsx}' && npm run ts-coverage",
+		"lint:fix": "eslint '**/*.{ts,tsx}' --fix",
+		"test": "npm run lint && jest -w 1 --coverage --logHeapUsage",
+		"ts-coverage": "typescript-coverage-report -p ./tsconfig.build.json -t 90.31"
+	},
+	"gitHead": "181642fe6e2362316cbbdf944d770d98dbbe6e89"
 }

package/src/utils/createRunWithAmplifyServerContext.ts

@@ -11,6 +11,7 @@ import {
 
 import { NextServer } from '../types';
 
+import { createTokenValidator } from './createTokenValidator';
 import { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext';
 
 export const createRunWithAmplifyServerContext = ({
@@ -34,6 +35,11 @@ export const createRunWithAmplifyServerContext = ({
 								createCookieStorageAdapterFromNextServerContext(
 									nextServerContext,
 								),
+								createTokenValidator({
+									userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,
+									userPoolClientId:
+										resourcesConfig?.Auth.Cognito?.userPoolClientId,
+								}),
 							);
 				const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(
 					resourcesConfig.Auth,

package/src/utils/createTokenValidator.ts

@@ -0,0 +1,39 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { KeyValueStorageMethodValidator } from '@aws-amplify/core/internals/adapter-core';
+
+import { isValidCognitoToken } from './isValidCognitoToken';
+
+interface CreateTokenValidatorInput {
+	userPoolId?: string;
+	userPoolClientId?: string;
+}
+/**
+ * Creates a validator object for validating methods in a KeyValueStorage.
+ */
+export const createTokenValidator = ({
+	userPoolId,
+	userPoolClientId: clientId,
+}: CreateTokenValidatorInput): KeyValueStorageMethodValidator => {
+	return {
+		// validate access, id tokens
+		getItem: async (key: string, value: string): Promise<boolean> => {
+			const tokenType = key.includes('.accessToken')
+				? 'access'
+				: key.includes('.idToken')
+					? 'id'
+					: null;
+			if (!tokenType) return true;
+
+			if (!userPoolId || !clientId) return false;
+
+			return isValidCognitoToken({
+				clientId,
+				userPoolId,
+				tokenType,
+				token: value,
+			});
+		},
+	};
+};

package/src/utils/index.ts

@@ -2,3 +2,4 @@
 // SPDX-License-Identifier: Apache-2.0
 
 export { createRunWithAmplifyServerContext } from './createRunWithAmplifyServerContext';
+export { isValidCognitoToken } from './isValidCognitoToken';

package/src/utils/isValidCognitoToken.ts

@@ -0,0 +1,37 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { CognitoJwtVerifier } from 'aws-jwt-verify';
+
+/**
+ * Verifies a Cognito JWT token for its validity.
+ *
+ * @param input - An object containing:
+ *                - token: The JWT token as a string that needs to be verified.
+ *                - userPoolId: The ID of the AWS Cognito User Pool to which the token belongs.
+ *                - clientId: The Client ID associated with the Cognito User Pool.
+ * @internal
+ */
+export const isValidCognitoToken = async (input: {
+	token: string;
+	userPoolId: string;
+	clientId: string;
+	tokenType: 'id' | 'access';
+}): Promise<boolean> => {
+	const { userPoolId, clientId, tokenType, token } = input;
+
+	try {
+		const verifier = CognitoJwtVerifier.create({
+			userPoolId,
+			tokenUse: tokenType,
+			clientId,
+		});
+		await verifier.verify(token);
+
+		return true;
+	} catch (error) {
+		// TODO (ashwinkumar6): surface invalid cognito token error to customer
+		// TODO: clear invalid tokens from Storage
+		return false;
+	}
+};