@aws-amplify/adapter-nextjs 1.3.1-unstable.4b3b13d.0 → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/createServerRunner.js +10 -0
- package/dist/cjs/createServerRunner.js.map +1 -1
- package/dist/cjs/utils/createRunWithAmplifyServerContext.js +2 -6
- package/dist/cjs/utils/createRunWithAmplifyServerContext.js.map +1 -1
- package/dist/cjs/utils/createTokenValidator.js +24 -10
- package/dist/cjs/utils/createTokenValidator.js.map +1 -1
- package/dist/cjs/utils/isValidCognitoToken.js +2 -9
- package/dist/cjs/utils/isValidCognitoToken.js.map +1 -1
- package/dist/esm/api/createServerRunnerForAPI.mjs +0 -1
- package/dist/esm/api/createServerRunnerForAPI.mjs.map +1 -1
- package/dist/esm/createServerRunner.mjs +10 -1
- package/dist/esm/createServerRunner.mjs.map +1 -1
- package/dist/esm/types/index.d.ts +2 -0
- package/dist/esm/utils/createRunWithAmplifyServerContext.d.ts +3 -1
- package/dist/esm/utils/createRunWithAmplifyServerContext.mjs +2 -6
- package/dist/esm/utils/createRunWithAmplifyServerContext.mjs.map +1 -1
- package/dist/esm/utils/createTokenValidator.mjs +24 -10
- package/dist/esm/utils/createTokenValidator.mjs.map +1 -1
- package/dist/esm/utils/isValidCognitoToken.d.ts +3 -5
- package/dist/esm/utils/isValidCognitoToken.mjs +2 -9
- package/dist/esm/utils/isValidCognitoToken.mjs.map +1 -1
- package/package.json +73 -73
- package/src/createServerRunner.ts +12 -0
- package/src/types/index.ts +4 -0
- package/src/utils/createRunWithAmplifyServerContext.ts +4 -6
- package/src/utils/createTokenValidator.ts +33 -10
- package/src/utils/isValidCognitoToken.ts +5 -12
|
@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
6
6
|
exports.createServerRunner = void 0;
|
|
7
7
|
const utils_1 = require("@aws-amplify/core/internals/utils");
|
|
8
8
|
const utils_2 = require("./utils");
|
|
9
|
+
const createTokenValidator_1 = require("./utils/createTokenValidator");
|
|
9
10
|
/**
|
|
10
11
|
* Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.
|
|
11
12
|
*
|
|
@@ -26,9 +27,18 @@ const utils_2 = require("./utils");
|
|
|
26
27
|
*/
|
|
27
28
|
const createServerRunner = ({ config, }) => {
|
|
28
29
|
const amplifyConfig = (0, utils_1.parseAmplifyConfig)(config);
|
|
30
|
+
let tokenValidator;
|
|
31
|
+
if (amplifyConfig?.Auth) {
|
|
32
|
+
const { Cognito } = amplifyConfig.Auth;
|
|
33
|
+
tokenValidator = (0, createTokenValidator_1.createTokenValidator)({
|
|
34
|
+
userPoolId: Cognito?.userPoolId,
|
|
35
|
+
userPoolClientId: Cognito?.userPoolClientId,
|
|
36
|
+
});
|
|
37
|
+
}
|
|
29
38
|
return {
|
|
30
39
|
runWithAmplifyServerContext: (0, utils_2.createRunWithAmplifyServerContext)({
|
|
31
40
|
config: amplifyConfig,
|
|
41
|
+
tokenValidator,
|
|
32
42
|
}),
|
|
33
43
|
};
|
|
34
44
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createServerRunner.js","sources":["../../src/createServerRunner.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createServerRunner = void 0;\nconst utils_1 = require(\"@aws-amplify/core/internals/utils\");\nconst utils_2 = require(\"./utils\");\n/**\n * Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.\n *\n * @remarks\n * This function should be called only once; you can use the returned `runWithAmplifyServerContext` across\n * your codebase.\n *\n * @param input The input used to create the `runWithAmplifyServerContext` function.\n * @param input.config The {@link ResourcesConfig} imported from the `amplifyconfiguration.json` file or manually\n * created.\n * @returns An object that contains the `runWithAmplifyServerContext` function.\n *\n * @example\n * import { createServerRunner } from '@aws-amplify/adapter-nextjs';\n * import config from './amplifyconfiguration.json';\n *\n * export const { runWithAmplifyServerContext } = createServerRunner({ config })\n */\nconst createServerRunner = ({ config, }) => {\n const amplifyConfig = (0, utils_1.parseAmplifyConfig)(config);\n return {\n runWithAmplifyServerContext: (0, utils_2.createRunWithAmplifyServerContext)({\n config: amplifyConfig,\n }),\n };\n};\nexports.createServerRunner = createServerRunner;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,kBAAkB,GAAG,KAAK,CAAC,CAAC;AACpC,MAAM,OAAO,GAAG,OAAO,CAAC,mCAAmC,CAAC,CAAC;AAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;AACnC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAM,kBAAkB,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK;AAC5C,IAAI,MAAM,aAAa,GAAG,IAAI,OAAO,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;AAClE,IAAI,OAAO;AACX,QAAQ,2BAA2B,EAAE,IAAI,OAAO,CAAC,iCAAiC,EAAE;AACpF,YAAY,MAAM,EAAE,aAAa;AACjC,SAAS,CAAC;AACV,KAAK,CAAC;AACN,CAAC,CAAC;AACF,OAAO,CAAC,kBAAkB,GAAG,kBAAkB;;"}
|
|
1
|
+
{"version":3,"file":"createServerRunner.js","sources":["../../src/createServerRunner.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createServerRunner = void 0;\nconst utils_1 = require(\"@aws-amplify/core/internals/utils\");\nconst utils_2 = require(\"./utils\");\nconst createTokenValidator_1 = require(\"./utils/createTokenValidator\");\n/**\n * Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.\n *\n * @remarks\n * This function should be called only once; you can use the returned `runWithAmplifyServerContext` across\n * your codebase.\n *\n * @param input The input used to create the `runWithAmplifyServerContext` function.\n * @param input.config The {@link ResourcesConfig} imported from the `amplifyconfiguration.json` file or manually\n * created.\n * @returns An object that contains the `runWithAmplifyServerContext` function.\n *\n * @example\n * import { createServerRunner } from '@aws-amplify/adapter-nextjs';\n * import config from './amplifyconfiguration.json';\n *\n * export const { runWithAmplifyServerContext } = createServerRunner({ config })\n */\nconst createServerRunner = ({ config, }) => {\n const amplifyConfig = (0, utils_1.parseAmplifyConfig)(config);\n let tokenValidator;\n if (amplifyConfig?.Auth) {\n const { Cognito } = amplifyConfig.Auth;\n tokenValidator = (0, createTokenValidator_1.createTokenValidator)({\n userPoolId: Cognito?.userPoolId,\n userPoolClientId: Cognito?.userPoolClientId,\n });\n }\n return {\n runWithAmplifyServerContext: (0, utils_2.createRunWithAmplifyServerContext)({\n config: amplifyConfig,\n tokenValidator,\n }),\n };\n};\nexports.createServerRunner = createServerRunner;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,kBAAkB,GAAG,KAAK,CAAC,CAAC;AACpC,MAAM,OAAO,GAAG,OAAO,CAAC,mCAAmC,CAAC,CAAC;AAC7D,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;AACnC,MAAM,sBAAsB,GAAG,OAAO,CAAC,8BAA8B,CAAC,CAAC;AACvE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAM,kBAAkB,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK;AAC5C,IAAI,MAAM,aAAa,GAAG,IAAI,OAAO,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;AAClE,IAAI,IAAI,cAAc,CAAC;AACvB,IAAI,IAAI,aAAa,EAAE,IAAI,EAAE;AAC7B,QAAQ,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,IAAI,CAAC;AAC/C,QAAQ,cAAc,GAAG,IAAI,sBAAsB,CAAC,oBAAoB,EAAE;AAC1E,YAAY,UAAU,EAAE,OAAO,EAAE,UAAU;AAC3C,YAAY,gBAAgB,EAAE,OAAO,EAAE,gBAAgB;AACvD,SAAS,CAAC,CAAC;AACX,KAAK;AACL,IAAI,OAAO;AACX,QAAQ,2BAA2B,EAAE,IAAI,OAAO,CAAC,iCAAiC,EAAE;AACpF,YAAY,MAAM,EAAE,aAAa;AACjC,YAAY,cAAc;AAC1B,SAAS,CAAC;AACV,KAAK,CAAC;AACN,CAAC,CAAC;AACF,OAAO,CAAC,kBAAkB,GAAG,kBAAkB;;"}
|
|
@@ -6,9 +6,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
6
6
|
exports.createRunWithAmplifyServerContext = void 0;
|
|
7
7
|
const core_1 = require("@aws-amplify/core");
|
|
8
8
|
const adapter_core_1 = require("aws-amplify/adapter-core");
|
|
9
|
-
const createTokenValidator_1 = require("./createTokenValidator");
|
|
10
9
|
const createCookieStorageAdapterFromNextServerContext_1 = require("./createCookieStorageAdapterFromNextServerContext");
|
|
11
|
-
const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
|
|
10
|
+
const createRunWithAmplifyServerContext = ({ config: resourcesConfig, tokenValidator, }) => {
|
|
12
11
|
const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {
|
|
13
12
|
// When the Auth config is presented, attempt to create a Amplify server
|
|
14
13
|
// context with token and credentials provider.
|
|
@@ -20,10 +19,7 @@ const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
|
|
|
20
19
|
// static rendering uses the same unauthenticated role cross-sever.
|
|
21
20
|
nextServerContext === null
|
|
22
21
|
? core_1.sharedInMemoryStorage
|
|
23
|
-
: (0, adapter_core_1.createKeyValueStorageFromCookieStorageAdapter)(await (0, createCookieStorageAdapterFromNextServerContext_1.createCookieStorageAdapterFromNextServerContext)(nextServerContext),
|
|
24
|
-
userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,
|
|
25
|
-
userPoolClientId: resourcesConfig?.Auth.Cognito?.userPoolClientId,
|
|
26
|
-
}));
|
|
22
|
+
: (0, adapter_core_1.createKeyValueStorageFromCookieStorageAdapter)(await (0, createCookieStorageAdapterFromNextServerContext_1.createCookieStorageAdapterFromNextServerContext)(nextServerContext), tokenValidator);
|
|
27
23
|
const credentialsProvider = (0, adapter_core_1.createAWSCredentialsAndIdentityIdProvider)(resourcesConfig.Auth, keyValueStorage);
|
|
28
24
|
const tokenProvider = (0, adapter_core_1.createUserPoolsTokenProvider)(resourcesConfig.Auth, keyValueStorage);
|
|
29
25
|
return (0, adapter_core_1.runWithAmplifyServerContext)(resourcesConfig, {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createRunWithAmplifyServerContext.js","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createRunWithAmplifyServerContext = void 0;\nconst core_1 = require(\"@aws-amplify/core\");\nconst adapter_core_1 = require(\"aws-amplify/adapter-core\");\nconst
|
|
1
|
+
{"version":3,"file":"createRunWithAmplifyServerContext.js","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createRunWithAmplifyServerContext = void 0;\nconst core_1 = require(\"@aws-amplify/core\");\nconst adapter_core_1 = require(\"aws-amplify/adapter-core\");\nconst createCookieStorageAdapterFromNextServerContext_1 = require(\"./createCookieStorageAdapterFromNextServerContext\");\nconst createRunWithAmplifyServerContext = ({ config: resourcesConfig, tokenValidator, }) => {\n const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {\n // When the Auth config is presented, attempt to create a Amplify server\n // context with token and credentials provider.\n if (resourcesConfig.Auth) {\n const keyValueStorage = \n // When `null` is passed as the value of `nextServerContext`, opt-in\n // unauthenticated role (primarily for static rendering). It's\n // safe to use the singleton `MemoryKeyValueStorage` here, as the\n // static rendering uses the same unauthenticated role cross-sever.\n nextServerContext === null\n ? core_1.sharedInMemoryStorage\n : (0, adapter_core_1.createKeyValueStorageFromCookieStorageAdapter)(await (0, createCookieStorageAdapterFromNextServerContext_1.createCookieStorageAdapterFromNextServerContext)(nextServerContext), tokenValidator);\n const credentialsProvider = (0, adapter_core_1.createAWSCredentialsAndIdentityIdProvider)(resourcesConfig.Auth, keyValueStorage);\n const tokenProvider = (0, adapter_core_1.createUserPoolsTokenProvider)(resourcesConfig.Auth, keyValueStorage);\n return (0, adapter_core_1.runWithAmplifyServerContext)(resourcesConfig, {\n Auth: { credentialsProvider, tokenProvider },\n }, operation);\n }\n // Otherwise it may be the case that auth is not used, e.g. API key.\n // Omitting the `Auth` in the second parameter.\n return (0, adapter_core_1.runWithAmplifyServerContext)(resourcesConfig, {}, operation);\n };\n return runWithAmplifyServerContext;\n};\nexports.createRunWithAmplifyServerContext = createRunWithAmplifyServerContext;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,iCAAiC,GAAG,KAAK,CAAC,CAAC;AACnD,MAAM,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;AAC5C,MAAM,cAAc,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAC;AAC3D,MAAM,iDAAiD,GAAG,OAAO,CAAC,mDAAmD,CAAC,CAAC;AACvH,MAAM,iCAAiC,GAAG,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,cAAc,GAAG,KAAK;AAC5F,IAAI,MAAM,2BAA2B,GAAG,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK;AACpF;AACA;AACA,QAAQ,IAAI,eAAe,CAAC,IAAI,EAAE;AAClC,YAAY,MAAM,eAAe;AACjC;AACA;AACA;AACA;AACA,YAAY,iBAAiB,KAAK,IAAI;AACtC,kBAAkB,MAAM,CAAC,qBAAqB;AAC9C,kBAAkB,IAAI,cAAc,CAAC,6CAA6C,EAAE,MAAM,IAAI,iDAAiD,CAAC,+CAA+C,EAAE,iBAAiB,CAAC,EAAE,cAAc,CAAC,CAAC;AACrO,YAAY,MAAM,mBAAmB,GAAG,IAAI,cAAc,CAAC,yCAAyC,EAAE,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AAC7I,YAAY,MAAM,aAAa,GAAG,IAAI,cAAc,CAAC,4BAA4B,EAAE,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AAC1H,YAAY,OAAO,IAAI,cAAc,CAAC,2BAA2B,EAAE,eAAe,EAAE;AACpF,gBAAgB,IAAI,EAAE,EAAE,mBAAmB,EAAE,aAAa,EAAE;AAC5D,aAAa,EAAE,SAAS,CAAC,CAAC;AAC1B,SAAS;AACT;AACA;AACA,QAAQ,OAAO,IAAI,cAAc,CAAC,2BAA2B,EAAE,eAAe,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/F,KAAK,CAAC;AACN,IAAI,OAAO,2BAA2B,CAAC;AACvC,CAAC,CAAC;AACF,OAAO,CAAC,iCAAiC,GAAG,iCAAiC;;"}
|
|
@@ -4,28 +4,42 @@
|
|
|
4
4
|
// SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
6
|
exports.createTokenValidator = void 0;
|
|
7
|
+
const aws_jwt_verify_1 = require("aws-jwt-verify");
|
|
7
8
|
const isValidCognitoToken_1 = require("./isValidCognitoToken");
|
|
8
9
|
/**
|
|
9
10
|
* Creates a validator object for validating methods in a KeyValueStorage.
|
|
10
11
|
*/
|
|
11
12
|
const createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {
|
|
13
|
+
let idTokenVerifier;
|
|
14
|
+
let accessTokenVerifier;
|
|
12
15
|
return {
|
|
13
16
|
// validate access, id tokens
|
|
14
17
|
getItem: async (key, value) => {
|
|
15
|
-
const
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
? 'id'
|
|
19
|
-
: null;
|
|
20
|
-
if (!tokenType)
|
|
18
|
+
const isAccessToken = key.includes('.accessToken');
|
|
19
|
+
const isIdToken = key.includes('.idToken');
|
|
20
|
+
if (!isAccessToken && !isIdToken) {
|
|
21
21
|
return true;
|
|
22
|
-
|
|
22
|
+
}
|
|
23
|
+
if (!userPoolId || !clientId) {
|
|
23
24
|
return false;
|
|
25
|
+
}
|
|
26
|
+
if (isAccessToken && !accessTokenVerifier) {
|
|
27
|
+
accessTokenVerifier = aws_jwt_verify_1.CognitoJwtVerifier.create({
|
|
28
|
+
userPoolId,
|
|
29
|
+
tokenUse: 'access',
|
|
30
|
+
clientId,
|
|
31
|
+
});
|
|
32
|
+
}
|
|
33
|
+
if (isIdToken && !idTokenVerifier) {
|
|
34
|
+
idTokenVerifier = aws_jwt_verify_1.CognitoJwtVerifier.create({
|
|
35
|
+
userPoolId,
|
|
36
|
+
tokenUse: 'id',
|
|
37
|
+
clientId,
|
|
38
|
+
});
|
|
39
|
+
}
|
|
24
40
|
return (0, isValidCognitoToken_1.isValidCognitoToken)({
|
|
25
|
-
clientId,
|
|
26
|
-
userPoolId,
|
|
27
|
-
tokenType,
|
|
28
41
|
token: value,
|
|
42
|
+
verifier: isAccessToken ? accessTokenVerifier : idTokenVerifier,
|
|
29
43
|
});
|
|
30
44
|
},
|
|
31
45
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createTokenValidator.js","sources":["../../../src/utils/createTokenValidator.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createTokenValidator = void 0;\nconst isValidCognitoToken_1 = require(\"./isValidCognitoToken\");\n/**\n * Creates a validator object for validating methods in a KeyValueStorage.\n */\nconst createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {\n return {\n // validate access, id tokens\n getItem: async (key, value) => {\n const
|
|
1
|
+
{"version":3,"file":"createTokenValidator.js","sources":["../../../src/utils/createTokenValidator.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.createTokenValidator = void 0;\nconst aws_jwt_verify_1 = require(\"aws-jwt-verify\");\nconst isValidCognitoToken_1 = require(\"./isValidCognitoToken\");\n/**\n * Creates a validator object for validating methods in a KeyValueStorage.\n */\nconst createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {\n let idTokenVerifier;\n let accessTokenVerifier;\n return {\n // validate access, id tokens\n getItem: async (key, value) => {\n const isAccessToken = key.includes('.accessToken');\n const isIdToken = key.includes('.idToken');\n if (!isAccessToken && !isIdToken) {\n return true;\n }\n if (!userPoolId || !clientId) {\n return false;\n }\n if (isAccessToken && !accessTokenVerifier) {\n accessTokenVerifier = aws_jwt_verify_1.CognitoJwtVerifier.create({\n userPoolId,\n tokenUse: 'access',\n clientId,\n });\n }\n if (isIdToken && !idTokenVerifier) {\n idTokenVerifier = aws_jwt_verify_1.CognitoJwtVerifier.create({\n userPoolId,\n tokenUse: 'id',\n clientId,\n });\n }\n return (0, isValidCognitoToken_1.isValidCognitoToken)({\n token: value,\n verifier: isAccessToken ? accessTokenVerifier : idTokenVerifier,\n });\n },\n };\n};\nexports.createTokenValidator = createTokenValidator;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,oBAAoB,GAAG,KAAK,CAAC,CAAC;AACtC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;AACnD,MAAM,qBAAqB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;AAC/D;AACA;AACA;AACA,MAAM,oBAAoB,GAAG,CAAC,EAAE,UAAU,EAAE,gBAAgB,EAAE,QAAQ,GAAG,KAAK;AAC9E,IAAI,IAAI,eAAe,CAAC;AACxB,IAAI,IAAI,mBAAmB,CAAC;AAC5B,IAAI,OAAO;AACX;AACA,QAAQ,OAAO,EAAE,OAAO,GAAG,EAAE,KAAK,KAAK;AACvC,YAAY,MAAM,aAAa,GAAG,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;AAC/D,YAAY,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACvD,YAAY,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS,EAAE;AAC9C,gBAAgB,OAAO,IAAI,CAAC;AAC5B,aAAa;AACb,YAAY,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,EAAE;AAC1C,gBAAgB,OAAO,KAAK,CAAC;AAC7B,aAAa;AACb,YAAY,IAAI,aAAa,IAAI,CAAC,mBAAmB,EAAE;AACvD,gBAAgB,mBAAmB,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,MAAM,CAAC;AACjF,oBAAoB,UAAU;AAC9B,oBAAoB,QAAQ,EAAE,QAAQ;AACtC,oBAAoB,QAAQ;AAC5B,iBAAiB,CAAC,CAAC;AACnB,aAAa;AACb,YAAY,IAAI,SAAS,IAAI,CAAC,eAAe,EAAE;AAC/C,gBAAgB,eAAe,GAAG,gBAAgB,CAAC,kBAAkB,CAAC,MAAM,CAAC;AAC7E,oBAAoB,UAAU;AAC9B,oBAAoB,QAAQ,EAAE,IAAI;AAClC,oBAAoB,QAAQ;AAC5B,iBAAiB,CAAC,CAAC;AACnB,aAAa;AACb,YAAY,OAAO,IAAI,qBAAqB,CAAC,mBAAmB,EAAE;AAClE,gBAAgB,KAAK,EAAE,KAAK;AAC5B,gBAAgB,QAAQ,EAAE,aAAa,GAAG,mBAAmB,GAAG,eAAe;AAC/E,aAAa,CAAC,CAAC;AACf,SAAS;AACT,KAAK,CAAC;AACN,CAAC,CAAC;AACF,OAAO,CAAC,oBAAoB,GAAG,oBAAoB;;"}
|
|
@@ -4,25 +4,18 @@
|
|
|
4
4
|
// SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
6
|
exports.isValidCognitoToken = void 0;
|
|
7
|
-
const aws_jwt_verify_1 = require("aws-jwt-verify");
|
|
8
7
|
const error_1 = require("aws-jwt-verify/error");
|
|
9
8
|
/**
|
|
10
9
|
* Verifies a Cognito JWT token for its validity.
|
|
11
10
|
*
|
|
12
11
|
* @param input - An object containing:
|
|
13
12
|
* - token: The JWT token as a string that needs to be verified.
|
|
14
|
-
* -
|
|
15
|
-
* - clientId: The Client ID associated with the Cognito User Pool.
|
|
13
|
+
* - verifier: The JWT verifier which will verify the token.
|
|
16
14
|
* @internal
|
|
17
15
|
*/
|
|
18
16
|
const isValidCognitoToken = async (input) => {
|
|
19
|
-
const {
|
|
17
|
+
const { token, verifier } = input;
|
|
20
18
|
try {
|
|
21
|
-
const verifier = aws_jwt_verify_1.CognitoJwtVerifier.create({
|
|
22
|
-
userPoolId,
|
|
23
|
-
tokenUse: tokenType,
|
|
24
|
-
clientId,
|
|
25
|
-
});
|
|
26
19
|
await verifier.verify(token);
|
|
27
20
|
return true;
|
|
28
21
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isValidCognitoToken.js","sources":["../../../src/utils/isValidCognitoToken.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.isValidCognitoToken = void 0;\nconst
|
|
1
|
+
{"version":3,"file":"isValidCognitoToken.js","sources":["../../../src/utils/isValidCognitoToken.ts"],"sourcesContent":["\"use strict\";\n// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.isValidCognitoToken = void 0;\nconst error_1 = require(\"aws-jwt-verify/error\");\n/**\n * Verifies a Cognito JWT token for its validity.\n *\n * @param input - An object containing:\n * - token: The JWT token as a string that needs to be verified.\n * - verifier: The JWT verifier which will verify the token.\n * @internal\n */\nconst isValidCognitoToken = async (input) => {\n const { token, verifier } = input;\n try {\n await verifier.verify(token);\n return true;\n }\n catch (error) {\n // When `JwtExpiredError` is thrown, the token should have valid signature\n // but expired. So, we can consider it as a valid token.\n // Reference https://github.com/awslabs/aws-jwt-verify/blob/8d8f714d7281913ecd660147f5c30311479601c1/src/jwt-rsa.ts#L290-L301\n if (error instanceof error_1.JwtExpiredError) {\n return true;\n }\n // TODO (ashwinkumar6): surface invalid cognito token error to customer\n // TODO: clear invalid tokens from Storage\n return false;\n }\n};\nexports.isValidCognitoToken = isValidCognitoToken;\n"],"names":[],"mappings":";;AACA;AACA;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,mBAAmB,GAAG,KAAK,CAAC,CAAC;AACrC,MAAM,OAAO,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAC;AAChD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAM,mBAAmB,GAAG,OAAO,KAAK,KAAK;AAC7C,IAAI,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC;AACtC,IAAI,IAAI;AACR,QAAQ,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrC,QAAQ,OAAO,IAAI,CAAC;AACpB,KAAK;AACL,IAAI,OAAO,KAAK,EAAE;AAClB;AACA;AACA;AACA,QAAQ,IAAI,KAAK,YAAY,OAAO,CAAC,eAAe,EAAE;AACtD,YAAY,OAAO,IAAI,CAAC;AACxB,SAAS;AACT;AACA;AACA,QAAQ,OAAO,KAAK,CAAC;AACrB,KAAK;AACL,CAAC,CAAC;AACF,OAAO,CAAC,mBAAmB,GAAG,mBAAmB;;"}
|
|
@@ -1,6 +1,5 @@
|
|
|
1
1
|
import { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';
|
|
2
2
|
import { createRunWithAmplifyServerContext } from '../utils/createRunWithAmplifyServerContext.mjs';
|
|
3
|
-
import 'aws-jwt-verify';
|
|
4
3
|
import 'aws-jwt-verify/error';
|
|
5
4
|
|
|
6
5
|
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createServerRunnerForAPI.mjs","sources":["../../../src/api/createServerRunnerForAPI.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';\nimport { createRunWithAmplifyServerContext } from '../utils';\nexport const createServerRunnerForAPI = ({ config, }) => {\n const amplifyConfig = parseAmplifyConfig(config);\n return {\n runWithAmplifyServerContext: createRunWithAmplifyServerContext({\n config: amplifyConfig,\n }),\n resourcesConfig: amplifyConfig,\n };\n};\n"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"createServerRunnerForAPI.mjs","sources":["../../../src/api/createServerRunnerForAPI.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';\nimport { createRunWithAmplifyServerContext } from '../utils';\nexport const createServerRunnerForAPI = ({ config, }) => {\n const amplifyConfig = parseAmplifyConfig(config);\n return {\n runWithAmplifyServerContext: createRunWithAmplifyServerContext({\n config: amplifyConfig,\n }),\n resourcesConfig: amplifyConfig,\n };\n};\n"],"names":[],"mappings":";;;;AAAA;AACA;AAGY,MAAC,wBAAwB,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK;AACzD,IAAI,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;AACrD,IAAI,OAAO;AACX,QAAQ,2BAA2B,EAAE,iCAAiC,CAAC;AACvE,YAAY,MAAM,EAAE,aAAa;AACjC,SAAS,CAAC;AACV,QAAQ,eAAe,EAAE,aAAa;AACtC,KAAK,CAAC;AACN;;;;"}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';
|
|
2
2
|
import { createRunWithAmplifyServerContext } from './utils/createRunWithAmplifyServerContext.mjs';
|
|
3
|
-
import 'aws-jwt-verify';
|
|
4
3
|
import 'aws-jwt-verify/error';
|
|
4
|
+
import { createTokenValidator } from './utils/createTokenValidator.mjs';
|
|
5
5
|
|
|
6
6
|
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
7
7
|
// SPDX-License-Identifier: Apache-2.0
|
|
@@ -25,9 +25,18 @@ import 'aws-jwt-verify/error';
|
|
|
25
25
|
*/
|
|
26
26
|
const createServerRunner = ({ config, }) => {
|
|
27
27
|
const amplifyConfig = parseAmplifyConfig(config);
|
|
28
|
+
let tokenValidator;
|
|
29
|
+
if (amplifyConfig?.Auth) {
|
|
30
|
+
const { Cognito } = amplifyConfig.Auth;
|
|
31
|
+
tokenValidator = createTokenValidator({
|
|
32
|
+
userPoolId: Cognito?.userPoolId,
|
|
33
|
+
userPoolClientId: Cognito?.userPoolClientId,
|
|
34
|
+
});
|
|
35
|
+
}
|
|
28
36
|
return {
|
|
29
37
|
runWithAmplifyServerContext: createRunWithAmplifyServerContext({
|
|
30
38
|
config: amplifyConfig,
|
|
39
|
+
tokenValidator,
|
|
31
40
|
}),
|
|
32
41
|
};
|
|
33
42
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createServerRunner.mjs","sources":["../../src/createServerRunner.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';\nimport { createRunWithAmplifyServerContext } from './utils';\n/**\n * Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.\n *\n * @remarks\n * This function should be called only once; you can use the returned `runWithAmplifyServerContext` across\n * your codebase.\n *\n * @param input The input used to create the `runWithAmplifyServerContext` function.\n * @param input.config The {@link ResourcesConfig} imported from the `amplifyconfiguration.json` file or manually\n * created.\n * @returns An object that contains the `runWithAmplifyServerContext` function.\n *\n * @example\n * import { createServerRunner } from '@aws-amplify/adapter-nextjs';\n * import config from './amplifyconfiguration.json';\n *\n * export const { runWithAmplifyServerContext } = createServerRunner({ config })\n */\nexport const createServerRunner = ({ config, }) => {\n const amplifyConfig = parseAmplifyConfig(config);\n return {\n runWithAmplifyServerContext: createRunWithAmplifyServerContext({\n config: amplifyConfig,\n }),\n };\n};\n"],"names":[],"mappings":";;;;;AAAA;AACA;
|
|
1
|
+
{"version":3,"file":"createServerRunner.mjs","sources":["../../src/createServerRunner.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';\nimport { createRunWithAmplifyServerContext } from './utils';\nimport { createTokenValidator } from './utils/createTokenValidator';\n/**\n * Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.\n *\n * @remarks\n * This function should be called only once; you can use the returned `runWithAmplifyServerContext` across\n * your codebase.\n *\n * @param input The input used to create the `runWithAmplifyServerContext` function.\n * @param input.config The {@link ResourcesConfig} imported from the `amplifyconfiguration.json` file or manually\n * created.\n * @returns An object that contains the `runWithAmplifyServerContext` function.\n *\n * @example\n * import { createServerRunner } from '@aws-amplify/adapter-nextjs';\n * import config from './amplifyconfiguration.json';\n *\n * export const { runWithAmplifyServerContext } = createServerRunner({ config })\n */\nexport const createServerRunner = ({ config, }) => {\n const amplifyConfig = parseAmplifyConfig(config);\n let tokenValidator;\n if (amplifyConfig?.Auth) {\n const { Cognito } = amplifyConfig.Auth;\n tokenValidator = createTokenValidator({\n userPoolId: Cognito?.userPoolId,\n userPoolClientId: Cognito?.userPoolClientId,\n });\n }\n return {\n runWithAmplifyServerContext: createRunWithAmplifyServerContext({\n config: amplifyConfig,\n tokenValidator,\n }),\n };\n};\n"],"names":[],"mappings":";;;;;AAAA;AACA;AAIA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACY,MAAC,kBAAkB,GAAG,CAAC,EAAE,MAAM,GAAG,KAAK;AACnD,IAAI,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;AACrD,IAAI,IAAI,cAAc,CAAC;AACvB,IAAI,IAAI,aAAa,EAAE,IAAI,EAAE;AAC7B,QAAQ,MAAM,EAAE,OAAO,EAAE,GAAG,aAAa,CAAC,IAAI,CAAC;AAC/C,QAAQ,cAAc,GAAG,oBAAoB,CAAC;AAC9C,YAAY,UAAU,EAAE,OAAO,EAAE,UAAU;AAC3C,YAAY,gBAAgB,EAAE,OAAO,EAAE,gBAAgB;AACvD,SAAS,CAAC,CAAC;AACX,KAAK;AACL,IAAI,OAAO;AACX,QAAQ,2BAA2B,EAAE,iCAAiC,CAAC;AACvE,YAAY,MAAM,EAAE,aAAa;AACjC,YAAY,cAAc;AAC1B,SAAS,CAAC;AACV,KAAK,CAAC;AACN;;;;"}
|
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
import { ResourcesConfig } from '@aws-amplify/core';
|
|
2
|
+
import { KeyValueStorageMethodValidator } from '@aws-amplify/core/internals/adapter-core';
|
|
2
3
|
import { NextServer } from '../types';
|
|
3
|
-
export declare const createRunWithAmplifyServerContext: ({ config: resourcesConfig, }: {
|
|
4
|
+
export declare const createRunWithAmplifyServerContext: ({ config: resourcesConfig, tokenValidator, }: {
|
|
4
5
|
config: ResourcesConfig;
|
|
6
|
+
tokenValidator?: Partial<Record<keyof import("@aws-amplify/core").KeyValueStorageInterface, (...args: any[]) => Promise<boolean>>> | undefined;
|
|
5
7
|
}) => NextServer.RunOperationWithContext;
|
|
@@ -1,11 +1,10 @@
|
|
|
1
1
|
import { sharedInMemoryStorage } from '@aws-amplify/core';
|
|
2
2
|
import { createKeyValueStorageFromCookieStorageAdapter, createAWSCredentialsAndIdentityIdProvider, createUserPoolsTokenProvider, runWithAmplifyServerContext } from 'aws-amplify/adapter-core';
|
|
3
|
-
import { createTokenValidator } from './createTokenValidator.mjs';
|
|
4
3
|
import { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext.mjs';
|
|
5
4
|
|
|
6
5
|
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
7
6
|
// SPDX-License-Identifier: Apache-2.0
|
|
8
|
-
const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
|
|
7
|
+
const createRunWithAmplifyServerContext = ({ config: resourcesConfig, tokenValidator, }) => {
|
|
9
8
|
const runWithAmplifyServerContext$1 = async ({ nextServerContext, operation }) => {
|
|
10
9
|
// When the Auth config is presented, attempt to create a Amplify server
|
|
11
10
|
// context with token and credentials provider.
|
|
@@ -17,10 +16,7 @@ const createRunWithAmplifyServerContext = ({ config: resourcesConfig, }) => {
|
|
|
17
16
|
// static rendering uses the same unauthenticated role cross-sever.
|
|
18
17
|
nextServerContext === null
|
|
19
18
|
? sharedInMemoryStorage
|
|
20
|
-
: createKeyValueStorageFromCookieStorageAdapter(await createCookieStorageAdapterFromNextServerContext(nextServerContext),
|
|
21
|
-
userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,
|
|
22
|
-
userPoolClientId: resourcesConfig?.Auth.Cognito?.userPoolClientId,
|
|
23
|
-
}));
|
|
19
|
+
: createKeyValueStorageFromCookieStorageAdapter(await createCookieStorageAdapterFromNextServerContext(nextServerContext), tokenValidator);
|
|
24
20
|
const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(resourcesConfig.Auth, keyValueStorage);
|
|
25
21
|
const tokenProvider = createUserPoolsTokenProvider(resourcesConfig.Auth, keyValueStorage);
|
|
26
22
|
return runWithAmplifyServerContext(resourcesConfig, {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createRunWithAmplifyServerContext.mjs","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { sharedInMemoryStorage } from '@aws-amplify/core';\nimport { createAWSCredentialsAndIdentityIdProvider, createKeyValueStorageFromCookieStorageAdapter, createUserPoolsTokenProvider, runWithAmplifyServerContext as runWithAmplifyServerContextCore, } from 'aws-amplify/adapter-core';\nimport {
|
|
1
|
+
{"version":3,"file":"createRunWithAmplifyServerContext.mjs","sources":["../../../src/utils/createRunWithAmplifyServerContext.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { sharedInMemoryStorage } from '@aws-amplify/core';\nimport { createAWSCredentialsAndIdentityIdProvider, createKeyValueStorageFromCookieStorageAdapter, createUserPoolsTokenProvider, runWithAmplifyServerContext as runWithAmplifyServerContextCore, } from 'aws-amplify/adapter-core';\nimport { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext';\nexport const createRunWithAmplifyServerContext = ({ config: resourcesConfig, tokenValidator, }) => {\n const runWithAmplifyServerContext = async ({ nextServerContext, operation }) => {\n // When the Auth config is presented, attempt to create a Amplify server\n // context with token and credentials provider.\n if (resourcesConfig.Auth) {\n const keyValueStorage = \n // When `null` is passed as the value of `nextServerContext`, opt-in\n // unauthenticated role (primarily for static rendering). It's\n // safe to use the singleton `MemoryKeyValueStorage` here, as the\n // static rendering uses the same unauthenticated role cross-sever.\n nextServerContext === null\n ? sharedInMemoryStorage\n : createKeyValueStorageFromCookieStorageAdapter(await createCookieStorageAdapterFromNextServerContext(nextServerContext), tokenValidator);\n const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(resourcesConfig.Auth, keyValueStorage);\n const tokenProvider = createUserPoolsTokenProvider(resourcesConfig.Auth, keyValueStorage);\n return runWithAmplifyServerContextCore(resourcesConfig, {\n Auth: { credentialsProvider, tokenProvider },\n }, operation);\n }\n // Otherwise it may be the case that auth is not used, e.g. API key.\n // Omitting the `Auth` in the second parameter.\n return runWithAmplifyServerContextCore(resourcesConfig, {}, operation);\n };\n return runWithAmplifyServerContext;\n};\n"],"names":["runWithAmplifyServerContext","runWithAmplifyServerContextCore"],"mappings":";;;;AAAA;AACA;AAIY,MAAC,iCAAiC,GAAG,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,cAAc,GAAG,KAAK;AACnG,IAAI,MAAMA,6BAA2B,GAAG,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,KAAK;AACpF;AACA;AACA,QAAQ,IAAI,eAAe,CAAC,IAAI,EAAE;AAClC,YAAY,MAAM,eAAe;AACjC;AACA;AACA;AACA;AACA,YAAY,iBAAiB,KAAK,IAAI;AACtC,kBAAkB,qBAAqB;AACvC,kBAAkB,6CAA6C,CAAC,MAAM,+CAA+C,CAAC,iBAAiB,CAAC,EAAE,cAAc,CAAC,CAAC;AAC1J,YAAY,MAAM,mBAAmB,GAAG,yCAAyC,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACzH,YAAY,MAAM,aAAa,GAAG,4BAA4B,CAAC,eAAe,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACtG,YAAY,OAAOC,2BAA+B,CAAC,eAAe,EAAE;AACpE,gBAAgB,IAAI,EAAE,EAAE,mBAAmB,EAAE,aAAa,EAAE;AAC5D,aAAa,EAAE,SAAS,CAAC,CAAC;AAC1B,SAAS;AACT;AACA;AACA,QAAQ,OAAOA,2BAA+B,CAAC,eAAe,EAAE,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/E,KAAK,CAAC;AACN,IAAI,OAAOD,6BAA2B,CAAC;AACvC;;;;"}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { CognitoJwtVerifier } from 'aws-jwt-verify';
|
|
1
2
|
import { isValidCognitoToken } from './isValidCognitoToken.mjs';
|
|
2
3
|
|
|
3
4
|
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
@@ -6,23 +7,36 @@ import { isValidCognitoToken } from './isValidCognitoToken.mjs';
|
|
|
6
7
|
* Creates a validator object for validating methods in a KeyValueStorage.
|
|
7
8
|
*/
|
|
8
9
|
const createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {
|
|
10
|
+
let idTokenVerifier;
|
|
11
|
+
let accessTokenVerifier;
|
|
9
12
|
return {
|
|
10
13
|
// validate access, id tokens
|
|
11
14
|
getItem: async (key, value) => {
|
|
12
|
-
const
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
? 'id'
|
|
16
|
-
: null;
|
|
17
|
-
if (!tokenType)
|
|
15
|
+
const isAccessToken = key.includes('.accessToken');
|
|
16
|
+
const isIdToken = key.includes('.idToken');
|
|
17
|
+
if (!isAccessToken && !isIdToken) {
|
|
18
18
|
return true;
|
|
19
|
-
|
|
19
|
+
}
|
|
20
|
+
if (!userPoolId || !clientId) {
|
|
20
21
|
return false;
|
|
22
|
+
}
|
|
23
|
+
if (isAccessToken && !accessTokenVerifier) {
|
|
24
|
+
accessTokenVerifier = CognitoJwtVerifier.create({
|
|
25
|
+
userPoolId,
|
|
26
|
+
tokenUse: 'access',
|
|
27
|
+
clientId,
|
|
28
|
+
});
|
|
29
|
+
}
|
|
30
|
+
if (isIdToken && !idTokenVerifier) {
|
|
31
|
+
idTokenVerifier = CognitoJwtVerifier.create({
|
|
32
|
+
userPoolId,
|
|
33
|
+
tokenUse: 'id',
|
|
34
|
+
clientId,
|
|
35
|
+
});
|
|
36
|
+
}
|
|
21
37
|
return isValidCognitoToken({
|
|
22
|
-
clientId,
|
|
23
|
-
userPoolId,
|
|
24
|
-
tokenType,
|
|
25
38
|
token: value,
|
|
39
|
+
verifier: isAccessToken ? accessTokenVerifier : idTokenVerifier,
|
|
26
40
|
});
|
|
27
41
|
},
|
|
28
42
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"createTokenValidator.mjs","sources":["../../../src/utils/createTokenValidator.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { isValidCognitoToken } from './isValidCognitoToken';\n/**\n * Creates a validator object for validating methods in a KeyValueStorage.\n */\nexport const createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {\n return {\n // validate access, id tokens\n getItem: async (key, value) => {\n const
|
|
1
|
+
{"version":3,"file":"createTokenValidator.mjs","sources":["../../../src/utils/createTokenValidator.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { CognitoJwtVerifier } from 'aws-jwt-verify';\nimport { isValidCognitoToken } from './isValidCognitoToken';\n/**\n * Creates a validator object for validating methods in a KeyValueStorage.\n */\nexport const createTokenValidator = ({ userPoolId, userPoolClientId: clientId, }) => {\n let idTokenVerifier;\n let accessTokenVerifier;\n return {\n // validate access, id tokens\n getItem: async (key, value) => {\n const isAccessToken = key.includes('.accessToken');\n const isIdToken = key.includes('.idToken');\n if (!isAccessToken && !isIdToken) {\n return true;\n }\n if (!userPoolId || !clientId) {\n return false;\n }\n if (isAccessToken && !accessTokenVerifier) {\n accessTokenVerifier = CognitoJwtVerifier.create({\n userPoolId,\n tokenUse: 'access',\n clientId,\n });\n }\n if (isIdToken && !idTokenVerifier) {\n idTokenVerifier = CognitoJwtVerifier.create({\n userPoolId,\n tokenUse: 'id',\n clientId,\n });\n }\n return isValidCognitoToken({\n token: value,\n verifier: isAccessToken ? accessTokenVerifier : idTokenVerifier,\n });\n },\n };\n};\n"],"names":[],"mappings":";;;AAAA;AACA;AAGA;AACA;AACA;AACY,MAAC,oBAAoB,GAAG,CAAC,EAAE,UAAU,EAAE,gBAAgB,EAAE,QAAQ,GAAG,KAAK;AACrF,IAAI,IAAI,eAAe,CAAC;AACxB,IAAI,IAAI,mBAAmB,CAAC;AAC5B,IAAI,OAAO;AACX;AACA,QAAQ,OAAO,EAAE,OAAO,GAAG,EAAE,KAAK,KAAK;AACvC,YAAY,MAAM,aAAa,GAAG,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;AAC/D,YAAY,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AACvD,YAAY,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS,EAAE;AAC9C,gBAAgB,OAAO,IAAI,CAAC;AAC5B,aAAa;AACb,YAAY,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,EAAE;AAC1C,gBAAgB,OAAO,KAAK,CAAC;AAC7B,aAAa;AACb,YAAY,IAAI,aAAa,IAAI,CAAC,mBAAmB,EAAE;AACvD,gBAAgB,mBAAmB,GAAG,kBAAkB,CAAC,MAAM,CAAC;AAChE,oBAAoB,UAAU;AAC9B,oBAAoB,QAAQ,EAAE,QAAQ;AACtC,oBAAoB,QAAQ;AAC5B,iBAAiB,CAAC,CAAC;AACnB,aAAa;AACb,YAAY,IAAI,SAAS,IAAI,CAAC,eAAe,EAAE;AAC/C,gBAAgB,eAAe,GAAG,kBAAkB,CAAC,MAAM,CAAC;AAC5D,oBAAoB,UAAU;AAC9B,oBAAoB,QAAQ,EAAE,IAAI;AAClC,oBAAoB,QAAQ;AAC5B,iBAAiB,CAAC,CAAC;AACnB,aAAa;AACb,YAAY,OAAO,mBAAmB,CAAC;AACvC,gBAAgB,KAAK,EAAE,KAAK;AAC5B,gBAAgB,QAAQ,EAAE,aAAa,GAAG,mBAAmB,GAAG,eAAe;AAC/E,aAAa,CAAC,CAAC;AACf,SAAS;AACT,KAAK,CAAC;AACN;;;;"}
|
|
@@ -1,15 +1,13 @@
|
|
|
1
|
+
import { JwtVerifier } from '../types';
|
|
1
2
|
/**
|
|
2
3
|
* Verifies a Cognito JWT token for its validity.
|
|
3
4
|
*
|
|
4
5
|
* @param input - An object containing:
|
|
5
6
|
* - token: The JWT token as a string that needs to be verified.
|
|
6
|
-
* -
|
|
7
|
-
* - clientId: The Client ID associated with the Cognito User Pool.
|
|
7
|
+
* - verifier: The JWT verifier which will verify the token.
|
|
8
8
|
* @internal
|
|
9
9
|
*/
|
|
10
10
|
export declare const isValidCognitoToken: (input: {
|
|
11
11
|
token: string;
|
|
12
|
-
|
|
13
|
-
clientId: string;
|
|
14
|
-
tokenType: 'id' | 'access';
|
|
12
|
+
verifier: JwtVerifier;
|
|
15
13
|
}) => Promise<boolean>;
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
import { CognitoJwtVerifier } from 'aws-jwt-verify';
|
|
2
1
|
import { JwtExpiredError } from 'aws-jwt-verify/error';
|
|
3
2
|
|
|
4
3
|
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
@@ -8,18 +7,12 @@ import { JwtExpiredError } from 'aws-jwt-verify/error';
|
|
|
8
7
|
*
|
|
9
8
|
* @param input - An object containing:
|
|
10
9
|
* - token: The JWT token as a string that needs to be verified.
|
|
11
|
-
* -
|
|
12
|
-
* - clientId: The Client ID associated with the Cognito User Pool.
|
|
10
|
+
* - verifier: The JWT verifier which will verify the token.
|
|
13
11
|
* @internal
|
|
14
12
|
*/
|
|
15
13
|
const isValidCognitoToken = async (input) => {
|
|
16
|
-
const {
|
|
14
|
+
const { token, verifier } = input;
|
|
17
15
|
try {
|
|
18
|
-
const verifier = CognitoJwtVerifier.create({
|
|
19
|
-
userPoolId,
|
|
20
|
-
tokenUse: tokenType,
|
|
21
|
-
clientId,
|
|
22
|
-
});
|
|
23
16
|
await verifier.verify(token);
|
|
24
17
|
return true;
|
|
25
18
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"isValidCognitoToken.mjs","sources":["../../../src/utils/isValidCognitoToken.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport {
|
|
1
|
+
{"version":3,"file":"isValidCognitoToken.mjs","sources":["../../../src/utils/isValidCognitoToken.ts"],"sourcesContent":["// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n// SPDX-License-Identifier: Apache-2.0\nimport { JwtExpiredError } from 'aws-jwt-verify/error';\n/**\n * Verifies a Cognito JWT token for its validity.\n *\n * @param input - An object containing:\n * - token: The JWT token as a string that needs to be verified.\n * - verifier: The JWT verifier which will verify the token.\n * @internal\n */\nexport const isValidCognitoToken = async (input) => {\n const { token, verifier } = input;\n try {\n await verifier.verify(token);\n return true;\n }\n catch (error) {\n // When `JwtExpiredError` is thrown, the token should have valid signature\n // but expired. So, we can consider it as a valid token.\n // Reference https://github.com/awslabs/aws-jwt-verify/blob/8d8f714d7281913ecd660147f5c30311479601c1/src/jwt-rsa.ts#L290-L301\n if (error instanceof JwtExpiredError) {\n return true;\n }\n // TODO (ashwinkumar6): surface invalid cognito token error to customer\n // TODO: clear invalid tokens from Storage\n return false;\n }\n};\n"],"names":[],"mappings":";;AAAA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACY,MAAC,mBAAmB,GAAG,OAAO,KAAK,KAAK;AACpD,IAAI,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC;AACtC,IAAI,IAAI;AACR,QAAQ,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrC,QAAQ,OAAO,IAAI,CAAC;AACpB,KAAK;AACL,IAAI,OAAO,KAAK,EAAE;AAClB;AACA;AACA;AACA,QAAQ,IAAI,KAAK,YAAY,eAAe,EAAE;AAC9C,YAAY,OAAO,IAAI,CAAC;AACxB,SAAS;AACT;AACA;AACA,QAAQ,OAAO,KAAK,CAAC;AACrB,KAAK;AACL;;;;"}
|
package/package.json
CHANGED
|
@@ -1,75 +1,75 @@
|
|
|
1
1
|
{
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
2
|
+
"author": "Amazon Web Services",
|
|
3
|
+
"name": "@aws-amplify/adapter-nextjs",
|
|
4
|
+
"version": "1.3.1",
|
|
5
|
+
"description": "The adapter for the supporting of using Amplify APIs in Next.js.",
|
|
6
|
+
"peerDependencies": {
|
|
7
|
+
"aws-amplify": "^6.0.7",
|
|
8
|
+
"next": ">=13.5.0 <16.0.0"
|
|
9
|
+
},
|
|
10
|
+
"dependencies": {
|
|
11
|
+
"aws-jwt-verify": "^4.0.1",
|
|
12
|
+
"cookie": "^0.7.0"
|
|
13
|
+
},
|
|
14
|
+
"devDependencies": {
|
|
15
|
+
"@types/cookie": "^0.5.1",
|
|
16
|
+
"@types/node": "^20.3.1",
|
|
17
|
+
"@types/react": "^18.2.13",
|
|
18
|
+
"@types/react-dom": "^18.2.6",
|
|
19
|
+
"aws-amplify": "6.11.0",
|
|
20
|
+
"jest-fetch-mock": "3.0.3",
|
|
21
|
+
"next": ">= 13.5.0 < 15.0.0",
|
|
22
|
+
"typescript": "5.0.2"
|
|
23
|
+
},
|
|
24
|
+
"publishConfig": {
|
|
25
|
+
"access": "public"
|
|
26
|
+
},
|
|
27
|
+
"bugs": {
|
|
28
|
+
"url": "https://github.com/aws/aws-amplify/issues"
|
|
29
|
+
},
|
|
30
|
+
"exports": {
|
|
31
|
+
".": {
|
|
32
|
+
"types": "./dist/esm/index.d.ts",
|
|
33
|
+
"import": "./dist/esm/index.mjs",
|
|
34
|
+
"require": "./dist/cjs/index.js"
|
|
35
|
+
},
|
|
36
|
+
"./api": {
|
|
37
|
+
"types": "./dist/esm/api/index.d.ts",
|
|
38
|
+
"import": "./dist/esm/api/index.mjs",
|
|
39
|
+
"require": "./dist/cjs/api/index.js"
|
|
40
|
+
},
|
|
41
|
+
"./data": {
|
|
42
|
+
"types": "./dist/esm/api/index.d.ts",
|
|
43
|
+
"import": "./dist/esm/api/index.mjs",
|
|
44
|
+
"require": "./dist/cjs/api/index.js"
|
|
45
|
+
},
|
|
46
|
+
"./package.json": "./package.json"
|
|
47
|
+
},
|
|
48
|
+
"files": [
|
|
49
|
+
"dist/cjs",
|
|
50
|
+
"dist/esm",
|
|
51
|
+
"src",
|
|
52
|
+
"api",
|
|
53
|
+
"data"
|
|
54
|
+
],
|
|
55
|
+
"homepage": "https://aws-amplify.github.io/",
|
|
56
|
+
"license": "Apache-2.0",
|
|
57
|
+
"main": "./dist/cjs/index.js",
|
|
58
|
+
"module": "./dist/esm/index.mjs",
|
|
59
|
+
"typings": "./dist/esm/index.d.ts",
|
|
60
|
+
"sideEffects": false,
|
|
61
|
+
"scripts": {
|
|
62
|
+
"build": "npm run clean && npm run build:esm-cjs",
|
|
63
|
+
"build-with-test": "npm test && npm run build",
|
|
64
|
+
"build:esm-cjs": "rollup --forceExit -c rollup.config.mjs",
|
|
65
|
+
"build:watch": "npm run build:esm-cjs -- --watch",
|
|
66
|
+
"clean": "npm run clean:size && rimraf dist",
|
|
67
|
+
"clean:size": "rimraf dual-publish-tmp tmp*",
|
|
68
|
+
"format": "echo \"Not implemented\"",
|
|
69
|
+
"lint": "eslint '**/*.{ts,tsx}' && npm run ts-coverage",
|
|
70
|
+
"lint:fix": "eslint '**/*.{ts,tsx}' --fix",
|
|
71
|
+
"test": "npm run lint && jest -w 1 --coverage --logHeapUsage",
|
|
72
|
+
"ts-coverage": "typescript-coverage-report -p ./tsconfig.build.json -t 90.31"
|
|
73
|
+
},
|
|
74
|
+
"gitHead": "71558b702db117a4deba51cd23a5a9c455e88bf3"
|
|
75
75
|
}
|
|
@@ -2,10 +2,12 @@
|
|
|
2
2
|
// SPDX-License-Identifier: Apache-2.0
|
|
3
3
|
|
|
4
4
|
import { ResourcesConfig } from 'aws-amplify';
|
|
5
|
+
import { KeyValueStorageMethodValidator } from '@aws-amplify/core/internals/adapter-core';
|
|
5
6
|
import { parseAmplifyConfig } from '@aws-amplify/core/internals/utils';
|
|
6
7
|
|
|
7
8
|
import { createRunWithAmplifyServerContext } from './utils';
|
|
8
9
|
import { NextServer } from './types';
|
|
10
|
+
import { createTokenValidator } from './utils/createTokenValidator';
|
|
9
11
|
|
|
10
12
|
/**
|
|
11
13
|
* Creates the `runWithAmplifyServerContext` function to run Amplify server side APIs in an isolated request context.
|
|
@@ -30,9 +32,19 @@ export const createServerRunner: NextServer.CreateServerRunner = ({
|
|
|
30
32
|
}) => {
|
|
31
33
|
const amplifyConfig = parseAmplifyConfig(config);
|
|
32
34
|
|
|
35
|
+
let tokenValidator: KeyValueStorageMethodValidator | undefined;
|
|
36
|
+
if (amplifyConfig?.Auth) {
|
|
37
|
+
const { Cognito } = amplifyConfig.Auth;
|
|
38
|
+
tokenValidator = createTokenValidator({
|
|
39
|
+
userPoolId: Cognito?.userPoolId,
|
|
40
|
+
userPoolClientId: Cognito?.userPoolClientId,
|
|
41
|
+
});
|
|
42
|
+
}
|
|
43
|
+
|
|
33
44
|
return {
|
|
34
45
|
runWithAmplifyServerContext: createRunWithAmplifyServerContext({
|
|
35
46
|
config: amplifyConfig,
|
|
47
|
+
tokenValidator,
|
|
36
48
|
}),
|
|
37
49
|
};
|
|
38
50
|
};
|
package/src/types/index.ts
CHANGED
|
@@ -1,4 +1,8 @@
|
|
|
1
1
|
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
2
2
|
// SPDX-License-Identifier: Apache-2.0
|
|
3
3
|
|
|
4
|
+
import { CognitoJwtVerifier } from 'aws-jwt-verify';
|
|
5
|
+
|
|
4
6
|
export { NextServer } from './NextServer';
|
|
7
|
+
|
|
8
|
+
export type JwtVerifier = ReturnType<typeof CognitoJwtVerifier.create>;
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
// SPDX-License-Identifier: Apache-2.0
|
|
3
3
|
|
|
4
4
|
import { ResourcesConfig, sharedInMemoryStorage } from '@aws-amplify/core';
|
|
5
|
+
import { KeyValueStorageMethodValidator } from '@aws-amplify/core/internals/adapter-core';
|
|
5
6
|
import {
|
|
6
7
|
createAWSCredentialsAndIdentityIdProvider,
|
|
7
8
|
createKeyValueStorageFromCookieStorageAdapter,
|
|
@@ -11,13 +12,14 @@ import {
|
|
|
11
12
|
|
|
12
13
|
import { NextServer } from '../types';
|
|
13
14
|
|
|
14
|
-
import { createTokenValidator } from './createTokenValidator';
|
|
15
15
|
import { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext';
|
|
16
16
|
|
|
17
17
|
export const createRunWithAmplifyServerContext = ({
|
|
18
18
|
config: resourcesConfig,
|
|
19
|
+
tokenValidator,
|
|
19
20
|
}: {
|
|
20
21
|
config: ResourcesConfig;
|
|
22
|
+
tokenValidator?: KeyValueStorageMethodValidator;
|
|
21
23
|
}) => {
|
|
22
24
|
const runWithAmplifyServerContext: NextServer.RunOperationWithContext =
|
|
23
25
|
async ({ nextServerContext, operation }) => {
|
|
@@ -35,11 +37,7 @@ export const createRunWithAmplifyServerContext = ({
|
|
|
35
37
|
await createCookieStorageAdapterFromNextServerContext(
|
|
36
38
|
nextServerContext,
|
|
37
39
|
),
|
|
38
|
-
|
|
39
|
-
userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,
|
|
40
|
-
userPoolClientId:
|
|
41
|
-
resourcesConfig?.Auth.Cognito?.userPoolClientId,
|
|
42
|
-
}),
|
|
40
|
+
tokenValidator,
|
|
43
41
|
);
|
|
44
42
|
const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(
|
|
45
43
|
resourcesConfig.Auth,
|
|
@@ -2,6 +2,9 @@
|
|
|
2
2
|
// SPDX-License-Identifier: Apache-2.0
|
|
3
3
|
|
|
4
4
|
import { KeyValueStorageMethodValidator } from '@aws-amplify/core/internals/adapter-core';
|
|
5
|
+
import { CognitoJwtVerifier } from 'aws-jwt-verify';
|
|
6
|
+
|
|
7
|
+
import { JwtVerifier } from '../types';
|
|
5
8
|
|
|
6
9
|
import { isValidCognitoToken } from './isValidCognitoToken';
|
|
7
10
|
|
|
@@ -9,6 +12,7 @@ interface CreateTokenValidatorInput {
|
|
|
9
12
|
userPoolId?: string;
|
|
10
13
|
userPoolClientId?: string;
|
|
11
14
|
}
|
|
15
|
+
|
|
12
16
|
/**
|
|
13
17
|
* Creates a validator object for validating methods in a KeyValueStorage.
|
|
14
18
|
*/
|
|
@@ -16,23 +20,42 @@ export const createTokenValidator = ({
|
|
|
16
20
|
userPoolId,
|
|
17
21
|
userPoolClientId: clientId,
|
|
18
22
|
}: CreateTokenValidatorInput): KeyValueStorageMethodValidator => {
|
|
23
|
+
let idTokenVerifier: JwtVerifier;
|
|
24
|
+
let accessTokenVerifier: JwtVerifier;
|
|
25
|
+
|
|
19
26
|
return {
|
|
20
27
|
// validate access, id tokens
|
|
21
28
|
getItem: async (key: string, value: string): Promise<boolean> => {
|
|
22
|
-
const
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
29
|
+
const isAccessToken = key.includes('.accessToken');
|
|
30
|
+
const isIdToken = key.includes('.idToken');
|
|
31
|
+
|
|
32
|
+
if (!isAccessToken && !isIdToken) {
|
|
33
|
+
return true;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
if (!userPoolId || !clientId) {
|
|
37
|
+
return false;
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
if (isAccessToken && !accessTokenVerifier) {
|
|
41
|
+
accessTokenVerifier = CognitoJwtVerifier.create({
|
|
42
|
+
userPoolId,
|
|
43
|
+
tokenUse: 'access',
|
|
44
|
+
clientId,
|
|
45
|
+
});
|
|
46
|
+
}
|
|
28
47
|
|
|
29
|
-
if (
|
|
48
|
+
if (isIdToken && !idTokenVerifier) {
|
|
49
|
+
idTokenVerifier = CognitoJwtVerifier.create({
|
|
50
|
+
userPoolId,
|
|
51
|
+
tokenUse: 'id',
|
|
52
|
+
clientId,
|
|
53
|
+
});
|
|
54
|
+
}
|
|
30
55
|
|
|
31
56
|
return isValidCognitoToken({
|
|
32
|
-
clientId,
|
|
33
|
-
userPoolId,
|
|
34
|
-
tokenType,
|
|
35
57
|
token: value,
|
|
58
|
+
verifier: isAccessToken ? accessTokenVerifier : idTokenVerifier,
|
|
36
59
|
});
|
|
37
60
|
},
|
|
38
61
|
};
|
|
@@ -1,32 +1,25 @@
|
|
|
1
1
|
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
2
2
|
// SPDX-License-Identifier: Apache-2.0
|
|
3
3
|
|
|
4
|
-
import { CognitoJwtVerifier } from 'aws-jwt-verify';
|
|
5
4
|
import { JwtExpiredError } from 'aws-jwt-verify/error';
|
|
6
5
|
|
|
6
|
+
import { JwtVerifier } from '../types';
|
|
7
|
+
|
|
7
8
|
/**
|
|
8
9
|
* Verifies a Cognito JWT token for its validity.
|
|
9
10
|
*
|
|
10
11
|
* @param input - An object containing:
|
|
11
12
|
* - token: The JWT token as a string that needs to be verified.
|
|
12
|
-
* -
|
|
13
|
-
* - clientId: The Client ID associated with the Cognito User Pool.
|
|
13
|
+
* - verifier: The JWT verifier which will verify the token.
|
|
14
14
|
* @internal
|
|
15
15
|
*/
|
|
16
16
|
export const isValidCognitoToken = async (input: {
|
|
17
17
|
token: string;
|
|
18
|
-
|
|
19
|
-
clientId: string;
|
|
20
|
-
tokenType: 'id' | 'access';
|
|
18
|
+
verifier: JwtVerifier;
|
|
21
19
|
}): Promise<boolean> => {
|
|
22
|
-
const {
|
|
20
|
+
const { token, verifier } = input;
|
|
23
21
|
|
|
24
22
|
try {
|
|
25
|
-
const verifier = CognitoJwtVerifier.create({
|
|
26
|
-
userPoolId,
|
|
27
|
-
tokenUse: tokenType,
|
|
28
|
-
clientId,
|
|
29
|
-
});
|
|
30
23
|
await verifier.verify(token);
|
|
31
24
|
|
|
32
25
|
return true;
|