@indigoai-us/hq-cloud 5.8.3 → 5.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cognito-auth.d.ts +14 -0
- package/dist/cognito-auth.d.ts.map +1 -1
- package/dist/cognito-auth.js +43 -1
- package/dist/cognito-auth.js.map +1 -1
- package/dist/cognito-auth.test.js +83 -0
- package/dist/cognito-auth.test.js.map +1 -1
- package/package.json +1 -1
- package/src/cognito-auth.test.ts +99 -0
- package/src/cognito-auth.ts +43 -1
package/dist/cognito-auth.d.ts
CHANGED
|
@@ -55,6 +55,20 @@ export declare function saveCachedTokens(tokens: CognitoTokens): void;
|
|
|
55
55
|
export declare function clearCachedTokens(): void;
|
|
56
56
|
/** True when the token expires within the given buffer (default 60s). */
|
|
57
57
|
export declare function isExpiring(tokens: CognitoTokens, bufferSeconds?: number): boolean;
|
|
58
|
+
/**
|
|
59
|
+
* Decode the `client_id` claim from a Cognito access token (no signature
|
|
60
|
+
* verification — we only need to identify which App Client minted it).
|
|
61
|
+
* Returns null when the token can't be parsed.
|
|
62
|
+
*
|
|
63
|
+
* Used by `getValidAccessToken` to detect stale cached sessions that target
|
|
64
|
+
* a different Cognito App Client. The canonical case is a pre-2026-04-25
|
|
65
|
+
* cache file holding a `hq-vault-dev` token after the user upgraded to a
|
|
66
|
+
* post-cutover CLI: the access token stays "non-expiring" for an hour but
|
|
67
|
+
* the prod vault API rejects it with 401, and the dev refresh token can't
|
|
68
|
+
* be exchanged at the prod token endpoint. Detecting the mismatch and
|
|
69
|
+
* forcing a re-login is the only safe self-heal.
|
|
70
|
+
*/
|
|
71
|
+
export declare function decodeAccessTokenClientId(accessToken: string): string | null;
|
|
58
72
|
/**
|
|
59
73
|
* Open the Cognito Hosted UI in the user's browser, wait for the redirect
|
|
60
74
|
* back to localhost, and exchange the auth code for tokens.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cognito-auth.d.ts","sourceRoot":"","sources":["../src/cognito-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAaH,MAAM,WAAW,iBAAiB;IAChC,4DAA4D;IAC5D,MAAM,EAAE,MAAM,CAAC;IACf,oEAAoE;IACpE,cAAc,EAAE,MAAM,CAAC;IACvB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;IACjB,gDAAgD;IAChD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,+KAA+K;IAC/K,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,SAAS,EAAE,QAAQ,CAAC;CACrB;AAED,qFAAqF;AACrF,qBAAa,gBAAiB,SAAQ,KAAK;gBAC7B,OAAO,EAAE,MAAM;CAI5B;AASD,wBAAgB,gBAAgB,IAAI,aAAa,GAAG,IAAI,CAQvD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAO5D;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAiBD,yEAAyE;AACzE,wBAAgB,UAAU,CAAC,MAAM,EAAE,aAAa,EAAE,aAAa,SAAK,GAAG,OAAO,CAI7E;AAsCD;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,aAAa,CAAC,CA2GxB;AAsDD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,iBAAiB,EACzB,mBAAmB,EAAE,MAAM,GAC1B,OAAO,CAAC,aAAa,CAAC,CA4BxB;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,iBAAiB,EACzB,OAAO,GAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAA;CAAO,GACtC,OAAO,CAAC,MAAM,CAAC,
|
|
1
|
+
{"version":3,"file":"cognito-auth.d.ts","sourceRoot":"","sources":["../src/cognito-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAaH,MAAM,WAAW,iBAAiB;IAChC,4DAA4D;IAC5D,MAAM,EAAE,MAAM,CAAC;IACf,oEAAoE;IACpE,cAAc,EAAE,MAAM,CAAC;IACvB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;IACjB,gDAAgD;IAChD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,+KAA+K;IAC/K,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,SAAS,EAAE,QAAQ,CAAC;CACrB;AAED,qFAAqF;AACrF,qBAAa,gBAAiB,SAAQ,KAAK;gBAC7B,OAAO,EAAE,MAAM;CAI5B;AASD,wBAAgB,gBAAgB,IAAI,aAAa,GAAG,IAAI,CAQvD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAO5D;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAiBD,yEAAyE;AACzE,wBAAgB,UAAU,CAAC,MAAM,EAAE,aAAa,EAAE,aAAa,SAAK,GAAG,OAAO,CAI7E;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAY5E;AAsCD;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,aAAa,CAAC,CA2GxB;AAsDD;;;;GAIG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,iBAAiB,EACzB,mBAAmB,EAAE,MAAM,GAC1B,OAAO,CAAC,aAAa,CAAC,CA4BxB;AAED;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,iBAAiB,EACzB,OAAO,GAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAA;CAAO,GACtC,OAAO,CAAC,MAAM,CAAC,CAsCjB"}
|
package/dist/cognito-auth.js
CHANGED
|
@@ -78,6 +78,34 @@ export function isExpiring(tokens, bufferSeconds = 60) {
|
|
|
78
78
|
return true;
|
|
79
79
|
return expiresAt - Date.now() < bufferSeconds * 1000;
|
|
80
80
|
}
|
|
81
|
+
/**
|
|
82
|
+
* Decode the `client_id` claim from a Cognito access token (no signature
|
|
83
|
+
* verification — we only need to identify which App Client minted it).
|
|
84
|
+
* Returns null when the token can't be parsed.
|
|
85
|
+
*
|
|
86
|
+
* Used by `getValidAccessToken` to detect stale cached sessions that target
|
|
87
|
+
* a different Cognito App Client. The canonical case is a pre-2026-04-25
|
|
88
|
+
* cache file holding a `hq-vault-dev` token after the user upgraded to a
|
|
89
|
+
* post-cutover CLI: the access token stays "non-expiring" for an hour but
|
|
90
|
+
* the prod vault API rejects it with 401, and the dev refresh token can't
|
|
91
|
+
* be exchanged at the prod token endpoint. Detecting the mismatch and
|
|
92
|
+
* forcing a re-login is the only safe self-heal.
|
|
93
|
+
*/
|
|
94
|
+
export function decodeAccessTokenClientId(accessToken) {
|
|
95
|
+
try {
|
|
96
|
+
const parts = accessToken.split(".");
|
|
97
|
+
if (parts.length < 2)
|
|
98
|
+
return null;
|
|
99
|
+
const payloadB64 = parts[1];
|
|
100
|
+
const padded = payloadB64 + "=".repeat((4 - (payloadB64.length % 4)) % 4);
|
|
101
|
+
const json = Buffer.from(padded, "base64").toString("utf-8");
|
|
102
|
+
const claims = JSON.parse(json);
|
|
103
|
+
return typeof claims.client_id === "string" ? claims.client_id : null;
|
|
104
|
+
}
|
|
105
|
+
catch {
|
|
106
|
+
return null;
|
|
107
|
+
}
|
|
108
|
+
}
|
|
81
109
|
// ---------------------------------------------------------------------------
|
|
82
110
|
// PKCE
|
|
83
111
|
// ---------------------------------------------------------------------------
|
|
@@ -275,7 +303,21 @@ export async function refreshTokens(config, currentRefreshToken) {
|
|
|
275
303
|
*/
|
|
276
304
|
export async function getValidAccessToken(config, options = {}) {
|
|
277
305
|
const interactive = options.interactive ?? true;
|
|
278
|
-
|
|
306
|
+
let cached = loadCachedTokens();
|
|
307
|
+
// Stale-pool detection: if the cached access token was issued by a
|
|
308
|
+
// different Cognito App Client than the one we're talking to now, drop the
|
|
309
|
+
// cache and re-authenticate. Without this, a user holding a pre-cutover
|
|
310
|
+
// dev-pool token would either keep using a token the prod API rejects
|
|
311
|
+
// with 401, or attempt a refresh against the prod token endpoint with a
|
|
312
|
+
// dev refresh token (InvalidGrant). See `decodeAccessTokenClientId` for
|
|
313
|
+
// the full rationale.
|
|
314
|
+
if (cached) {
|
|
315
|
+
const cachedClientId = decodeAccessTokenClientId(cached.accessToken);
|
|
316
|
+
if (cachedClientId !== null && cachedClientId !== config.clientId) {
|
|
317
|
+
clearCachedTokens();
|
|
318
|
+
cached = null;
|
|
319
|
+
}
|
|
320
|
+
}
|
|
279
321
|
if (cached && !isExpiring(cached))
|
|
280
322
|
return cached.accessToken;
|
|
281
323
|
if (cached) {
|
package/dist/cognito-auth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cognito-auth.js","sourceRoot":"","sources":["../src/cognito-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,IAAI,MAAM,MAAM,CAAC;AAuCxB,qFAAqF;AACrF,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,KAAK,CAAC,CAAC;AAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;AAE5D,MAAM,UAAU,gBAAgB;IAC9B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAqB;IACpD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,4BAA4B,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7E,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5E,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AAC3D,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,GAAY;IACpC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;IACtE,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,UAAU,CAAC,MAAqB,EAAE,aAAa,GAAG,EAAE;IAClE,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI,CAAC;AACvD,CAAC;AAED,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,GAAG;SACP,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,eAAe,CAC/B,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CACtD,CAAC;IACF,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,WAAW,CAAC,MAAyB;IAC5C,OAAO,WAAW,MAAM,CAAC,cAAc,SAAS,MAAM,CAAC,MAAM,oBAAoB,CAAC;AACpF,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,oBAAoB,IAAI,WAAW,CAAC;AAC7C,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAyB;IAEzB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC;IACjC,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3E,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,EAAE,CAAC;IAC/C,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAEtD,2EAA2E;IAC3E,8EAA8E;IAC9E,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACnE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC5B,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IACzE,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC;IAEd,2EAA2E;IAC3E,SAAS,eAAe,CAAC,IAAY,EAAE,aAAqB;QAC1D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,uEAAuE;YACvE,mEAAmE;YACnE,mEAAmE;YACnE,oEAAoE;YACpE,mDAAmD;YACnD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBAC5C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,oBAAoB,IAAI,EAAE,CAAC,CAAC;gBAChE,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;oBACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;oBACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;oBACrB,OAAO;gBACT,CAAC;gBACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE5C,IAAI,KAAK,EAAE,CAAC;oBACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,oCAAoC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;oBACrE,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,gBAAgB,CAAC,2BAA2B,KAAK,EAAE,CAAC,CAAC,CAAC;oBACjE,OAAO;gBACT,CAAC;gBACD,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;oBAC5B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;oBACpE,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,gBAAgB,CAAC,kCAAkC,CAAC,CAAC,CAAC;oBACjE,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;oBACjC,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,gBAAgB,CAAC,+BAA+B,CAAC,CAAC,CAAC;oBAC9D,OAAO;gBACT,CAAC;gBAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CACL;;;;yBAIe,CAChB,CAAC;gBACF,OAAO,EAAE,CAAC;gBACV,OAAO,CAAC,IAAI,CAAC,CAAC;YAChB,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACzB,OAAO,EAAE,CAAC;gBACV,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE;gBACpC,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,6CAA6C,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;gBACjF,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;oBAClC,qCAAqC;gBACvC,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,MAAM,UAAU,GAAG,UAAU,CAC3B,GAAG,EAAE;gBACH,OAAO,EAAE,CAAC;gBACV,MAAM,CAAC,IAAI,gBAAgB,CAAC,kCAAkC,CAAC,CAAC,CAAC;YACnE,CAAC,EACD,EAAE,GAAG,EAAE,GAAG,IAAI,CACf,CAAC;YAEF,SAAS,OAAO;gBACd,YAAY,CAAC,UAAU,CAAC,CAAC;gBACzB,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAcD,KAAK,UAAU,qBAAqB,CAClC,MAAyB,EACzB,IAAY,EACZ,QAAgB,EAChB,IAAY;IAEZ,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,IAAI;QACJ,aAAa,EAAE,QAAQ;QACvB,YAAY,EAAE,WAAW,CAAC,IAAI,CAAC;KAChC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,eAAe,EAAE;QAC7D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,gBAAgB,CACxB,0BAA0B,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CACjD,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;IACxD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QACxB,MAAM,IAAI,gBAAgB,CACxB,8FAA8F,CAC/F,CAAC;IACJ,CAAC;IACD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,OAAO,EAAE,IAAI,CAAC,QAAQ;QACtB,YAAY,EAAE,IAAI,CAAC,aAAa;QAChC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;QAC9C,SAAS,EAAE,QAAQ;KACpB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAyB,EACzB,mBAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,mBAAmB;KACnC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,eAAe,EAAE;QAC7D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,gBAAgB,CACxB,mBAAmB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAC1C,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;IACxD,MAAM,MAAM,GAAkB;QAC5B,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,OAAO,EAAE,IAAI,CAAC,QAAQ;QACtB,YAAY,EAAE,IAAI,CAAC,aAAa,IAAI,mBAAmB;QACvD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;QAC9C,SAAS,EAAE,QAAQ;KACpB,CAAC;IACF,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAyB,EACzB,UAAqC,EAAE;IAEvC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;IAChD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAElC,IAAI,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC,WAAW,CAAC;IAE7D,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;YACnE,OAAO,SAAS,CAAC,WAAW,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,oCAAoC;QACtC,CAAC;IACH,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,gBAAgB,CACxB,8EAA8E,CAC/E,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC,WAAW,CAAC;AAC3B,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC;SACL,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC"}
|
|
1
|
+
{"version":3,"file":"cognito-auth.js","sourceRoot":"","sources":["../src/cognito-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,IAAI,MAAM,MAAM,CAAC;AAuCxB,qFAAqF;AACrF,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,KAAK,CAAC,CAAC;AAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;AAE5D,MAAM,UAAU,gBAAgB;IAC9B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAqB;IACpD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,4BAA4B,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC7E,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5E,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;AAC3D,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,GAAY;IACpC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;IACtE,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,UAAU,CAAC,MAAqB,EAAE,aAAa,GAAG,EAAE;IAClE,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI,CAAC;AACvD,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,yBAAyB,CAAC,WAAmB;IAC3D,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAClC,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,MAAM,GAAG,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1E,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;QAC3D,OAAO,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,OAAO;AACP,8EAA8E;AAE9E,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,GAAG;SACP,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,eAAe,CAC/B,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CACtD,CAAC;IACF,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,WAAW,CAAC,MAAyB;IAC5C,OAAO,WAAW,MAAM,CAAC,cAAc,SAAS,MAAM,CAAC,MAAM,oBAAoB,CAAC;AACpF,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,oBAAoB,IAAI,WAAW,CAAC;AAC7C,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAyB;IAEzB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC;IACjC,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3E,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,YAAY,EAAE,CAAC;IAC/C,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IAEtD,2EAA2E;IAC3E,8EAA8E;IAC9E,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACnE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACvD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC5B,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IACzE,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC;IAEd,2EAA2E;IAC3E,SAAS,eAAe,CAAC,IAAY,EAAE,aAAqB;QAC1D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,uEAAuE;YACvE,mEAAmE;YACnE,mEAAmE;YACnE,oEAAoE;YACpE,mDAAmD;YACnD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBAC5C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,oBAAoB,IAAI,EAAE,CAAC,CAAC;gBAChE,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;oBACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;oBACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;oBACrB,OAAO;gBACT,CAAC;gBACD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE5C,IAAI,KAAK,EAAE,CAAC;oBACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,oCAAoC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;oBACrE,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,gBAAgB,CAAC,2BAA2B,KAAK,EAAE,CAAC,CAAC,CAAC;oBACjE,OAAO;gBACT,CAAC;gBACD,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;oBAC5B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAC;oBACpE,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,gBAAgB,CAAC,kCAAkC,CAAC,CAAC,CAAC;oBACjE,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;oBACpD,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;oBACjC,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,gBAAgB,CAAC,+BAA+B,CAAC,CAAC,CAAC;oBAC9D,OAAO;gBACT,CAAC;gBAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CACL;;;;yBAIe,CAChB,CAAC;gBACF,OAAO,EAAE,CAAC;gBACV,OAAO,CAAC,IAAI,CAAC,CAAC;YAChB,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACzB,OAAO,EAAE,CAAC;gBACV,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE;gBACpC,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,6CAA6C,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;gBACjF,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;oBAClC,qCAAqC;gBACvC,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,MAAM,UAAU,GAAG,UAAU,CAC3B,GAAG,EAAE;gBACH,OAAO,EAAE,CAAC;gBACV,MAAM,CAAC,IAAI,gBAAgB,CAAC,kCAAkC,CAAC,CAAC,CAAC;YACnE,CAAC,EACD,EAAE,GAAG,EAAE,GAAG,IAAI,CACf,CAAC;YAEF,SAAS,OAAO;gBACd,YAAY,CAAC,UAAU,CAAC,CAAC;gBACzB,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAcD,KAAK,UAAU,qBAAqB,CAClC,MAAyB,EACzB,IAAY,EACZ,QAAgB,EAChB,IAAY;IAEZ,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,IAAI;QACJ,aAAa,EAAE,QAAQ;QACvB,YAAY,EAAE,WAAW,CAAC,IAAI,CAAC;KAChC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,eAAe,EAAE;QAC7D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,gBAAgB,CACxB,0BAA0B,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CACjD,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;IACxD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QACxB,MAAM,IAAI,gBAAgB,CACxB,8FAA8F,CAC/F,CAAC;IACJ,CAAC;IACD,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,OAAO,EAAE,IAAI,CAAC,QAAQ;QACtB,YAAY,EAAE,IAAI,CAAC,aAAa;QAChC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;QAC9C,SAAS,EAAE,QAAQ;KACpB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAyB,EACzB,mBAA2B;IAE3B,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,eAAe;QAC3B,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,aAAa,EAAE,mBAAmB;KACnC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,eAAe,EAAE;QAC7D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,gBAAgB,CACxB,mBAAmB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAC1C,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;IACxD,MAAM,MAAM,GAAkB;QAC5B,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,OAAO,EAAE,IAAI,CAAC,QAAQ;QACtB,YAAY,EAAE,IAAI,CAAC,aAAa,IAAI,mBAAmB;QACvD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI;QAC9C,SAAS,EAAE,QAAQ;KACpB,CAAC;IACF,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAyB,EACzB,UAAqC,EAAE;IAEvC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC;IAChD,IAAI,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAEhC,mEAAmE;IACnE,2EAA2E;IAC3E,wEAAwE;IACxE,sEAAsE;IACtE,wEAAwE;IACxE,wEAAwE;IACxE,sBAAsB;IACtB,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,cAAc,GAAG,yBAAyB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACrE,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClE,iBAAiB,EAAE,CAAC;YACpB,MAAM,GAAG,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED,IAAI,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC,WAAW,CAAC;IAE7D,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;YACnE,OAAO,SAAS,CAAC,WAAW,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,oCAAoC;QACtC,CAAC;IACH,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,gBAAgB,CACxB,8EAA8E,CAC/E,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC,WAAW,CAAC;AAC3B,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC;SACL,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC"}
|
|
@@ -76,6 +76,89 @@ describe("isExpiring — expiresAt shape tolerance", () => {
|
|
|
76
76
|
});
|
|
77
77
|
});
|
|
78
78
|
// ---------------------------------------------------------------------------
|
|
79
|
+
// Stale-pool detection — decodeAccessTokenClientId + getValidAccessToken
|
|
80
|
+
// self-evicts cached tokens minted by a different App Client (e.g. dev pool
|
|
81
|
+
// tokens left over from before the 2026-04-25 cutover).
|
|
82
|
+
// ---------------------------------------------------------------------------
|
|
83
|
+
/** Build a minimal unsigned JWT carrying the given claims. Cognito's real */
|
|
84
|
+
/** tokens are RS256-signed; we don't verify here so the signature can be */
|
|
85
|
+
/** anything — only the base64url-encoded payload matters. */
|
|
86
|
+
function makeAccessToken(claims) {
|
|
87
|
+
const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" }))
|
|
88
|
+
.toString("base64")
|
|
89
|
+
.replace(/=+$/, "");
|
|
90
|
+
const payload = Buffer.from(JSON.stringify(claims))
|
|
91
|
+
.toString("base64")
|
|
92
|
+
.replace(/=+$/, "");
|
|
93
|
+
return `${header}.${payload}.signature`;
|
|
94
|
+
}
|
|
95
|
+
const DEV_CLIENT = "4mmujmjq3srakdueg656b9m0mp";
|
|
96
|
+
const PROD_CLIENT = "7acei2c8v870enheptb1j5foln";
|
|
97
|
+
const baseConfig = {
|
|
98
|
+
region: "us-east-1",
|
|
99
|
+
userPoolDomain: "vault-indigo-hq-prod",
|
|
100
|
+
clientId: PROD_CLIENT,
|
|
101
|
+
};
|
|
102
|
+
describe("decodeAccessTokenClientId", () => {
|
|
103
|
+
it("returns the client_id claim from a well-formed JWT", async () => {
|
|
104
|
+
const { decodeAccessTokenClientId } = await importModule();
|
|
105
|
+
const token = makeAccessToken({ client_id: DEV_CLIENT, sub: "abc" });
|
|
106
|
+
expect(decodeAccessTokenClientId(token)).toBe(DEV_CLIENT);
|
|
107
|
+
});
|
|
108
|
+
it("returns null when client_id is absent", async () => {
|
|
109
|
+
const { decodeAccessTokenClientId } = await importModule();
|
|
110
|
+
const token = makeAccessToken({ sub: "abc" });
|
|
111
|
+
expect(decodeAccessTokenClientId(token)).toBeNull();
|
|
112
|
+
});
|
|
113
|
+
it("returns null when the token has fewer than two segments", async () => {
|
|
114
|
+
const { decodeAccessTokenClientId } = await importModule();
|
|
115
|
+
expect(decodeAccessTokenClientId("not-a-jwt")).toBeNull();
|
|
116
|
+
});
|
|
117
|
+
it("returns null when the payload isn't valid JSON", async () => {
|
|
118
|
+
const { decodeAccessTokenClientId } = await importModule();
|
|
119
|
+
expect(decodeAccessTokenClientId("aaa.bbb.ccc")).toBeNull();
|
|
120
|
+
});
|
|
121
|
+
});
|
|
122
|
+
describe("getValidAccessToken stale-pool detection", () => {
|
|
123
|
+
it("evicts a cached token whose client_id mismatches the current config", async () => {
|
|
124
|
+
const { saveCachedTokens, loadCachedTokens, getValidAccessToken } = await importModule();
|
|
125
|
+
const devToken = makeAccessToken({ client_id: DEV_CLIENT, sub: "abc" });
|
|
126
|
+
saveCachedTokens({
|
|
127
|
+
...baseTokens,
|
|
128
|
+
accessToken: devToken,
|
|
129
|
+
expiresAt: Date.now() + 60 * 60 * 1000,
|
|
130
|
+
});
|
|
131
|
+
expect(loadCachedTokens()).not.toBeNull();
|
|
132
|
+
await expect(getValidAccessToken(baseConfig, { interactive: false })).rejects.toThrow(/No valid HQ session/);
|
|
133
|
+
expect(loadCachedTokens()).toBeNull();
|
|
134
|
+
});
|
|
135
|
+
it("keeps a cached token whose client_id matches", async () => {
|
|
136
|
+
const { saveCachedTokens, getValidAccessToken } = await importModule();
|
|
137
|
+
const prodToken = makeAccessToken({ client_id: PROD_CLIENT, sub: "abc" });
|
|
138
|
+
saveCachedTokens({
|
|
139
|
+
...baseTokens,
|
|
140
|
+
accessToken: prodToken,
|
|
141
|
+
expiresAt: Date.now() + 60 * 60 * 1000,
|
|
142
|
+
});
|
|
143
|
+
const access = await getValidAccessToken(baseConfig, {
|
|
144
|
+
interactive: false,
|
|
145
|
+
});
|
|
146
|
+
expect(access).toBe(prodToken);
|
|
147
|
+
});
|
|
148
|
+
it("keeps a cached token when client_id can't be decoded (back-compat)", async () => {
|
|
149
|
+
const { saveCachedTokens, getValidAccessToken } = await importModule();
|
|
150
|
+
saveCachedTokens({
|
|
151
|
+
...baseTokens,
|
|
152
|
+
accessToken: "opaque-non-jwt",
|
|
153
|
+
expiresAt: Date.now() + 60 * 60 * 1000,
|
|
154
|
+
});
|
|
155
|
+
const access = await getValidAccessToken(baseConfig, {
|
|
156
|
+
interactive: false,
|
|
157
|
+
});
|
|
158
|
+
expect(access).toBe("opaque-non-jwt");
|
|
159
|
+
});
|
|
160
|
+
});
|
|
161
|
+
// ---------------------------------------------------------------------------
|
|
79
162
|
// Round-trip: writers emit epoch-ms, readers read epoch-ms
|
|
80
163
|
// ---------------------------------------------------------------------------
|
|
81
164
|
describe("expiresAt shape round-trip", () => {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cognito-auth.test.js","sourceRoot":"","sources":["../src/cognito-auth.test.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAEzE,6EAA6E;AAC7E,uCAAuC;AACvC,IAAI,YAAgC,CAAC;AACrC,IAAI,OAAe,CAAC;AAEpB,UAAU,CAAC,GAAG,EAAE;IACd,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;IAChC,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;IAC3B,EAAE,CAAC,YAAY,EAAE,CAAC;AACpB,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,GAAG,EAAE;IACb,IAAI,YAAY,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;;QACnD,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC;IACrC,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,EAAE,CAAC,gBAAgB,EAAE,CAAC;IACtB,EAAE,CAAC,eAAe,EAAE,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,YAAY;IACzB,OAAO,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,GAAG;IACjB,WAAW,EAAE,QAAQ;IACrB,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,SAAS;IACvB,SAAS,EAAE,QAAiB;CAC7B,CAAC;AAEF,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E,QAAQ,CAAC,wCAAwC,EAAE,GAAG,EAAE;IACtD,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QACnE,MAAM,CAAC,UAAU,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC5D,MAAM,CAAC,UAAU,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC3C,qEAAqE;QACrE,MAAM,CACJ,UAAU,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,MAA2B,EAAE,CAAC,CACtE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACpC,MAAM,CACJ,UAAU,CACR,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,IAAyB,EAAE,EACvD,EAAE,CACH,CACF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,CACJ,UAAU,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CACvD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,MAAM,CACJ,UAAU,CAAC;YACT,GAAG,UAAU;YACb,SAAS,EAAE,SAA8B;SAC1C,CAAC,CACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,MAAM,CACJ,UAAU,CAAC;YACT,GAAG,UAAU;YACb,SAAS,EAAE,MAAM,CAAC,GAAwB;SAC3C,CAAC,CACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,2DAA2D;AAC3D,8EAA8E;AAE9E,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,MAAM,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QACpE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;QACzC,gBAAgB,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC/E,MAAM,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QACpE,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7D,gBAAgB,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,EAAE,CAAC,UAAU,CACX,OAAO,EACP,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CACf,IAAI,QAAQ,CACV,IAAI,CAAC,SAAS,CAAC;YACb,YAAY,EAAE,YAAY;YAC1B,QAAQ,EAAE,QAAQ;YAClB,aAAa,EAAE,aAAa;YAC5B,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,QAAQ;SACrB,CAAC,EACF,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CACF,CACF,CAAC;QAEF,MAAM,EAAE,aAAa,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QACjE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,MAAM,aAAa,CAChC;YACE,MAAM,EAAE,WAAW;YACnB,cAAc,EAAE,qBAAqB;YACrC,QAAQ,EAAE,aAAa;SACxB,EACD,qBAAqB,CACtB,CAAC;QACF,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEzB,MAAM,CAAC,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,sBAAsB,CAAC,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC;QACtE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,KAAK,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC;QAElE,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"cognito-auth.test.js","sourceRoot":"","sources":["../src/cognito-auth.test.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAEzE,6EAA6E;AAC7E,uCAAuC;AACvC,IAAI,YAAgC,CAAC;AACrC,IAAI,OAAe,CAAC;AAEpB,UAAU,CAAC,GAAG,EAAE;IACd,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;IAChC,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;IAC3B,EAAE,CAAC,YAAY,EAAE,CAAC;AACpB,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,GAAG,EAAE;IACb,IAAI,YAAY,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;;QACnD,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC;IACrC,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACrD,EAAE,CAAC,gBAAgB,EAAE,CAAC;IACtB,EAAE,CAAC,eAAe,EAAE,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,YAAY;IACzB,OAAO,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,GAAG;IACjB,WAAW,EAAE,QAAQ;IACrB,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,SAAS;IACvB,SAAS,EAAE,QAAiB;CAC7B,CAAC;AAEF,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAE9E,QAAQ,CAAC,wCAAwC,EAAE,GAAG,EAAE;IACtD,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QACnE,MAAM,CAAC,UAAU,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC5D,MAAM,CAAC,UAAU,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC3C,qEAAqE;QACrE,MAAM,CACJ,UAAU,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,MAA2B,EAAE,CAAC,CACtE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACpC,MAAM,CACJ,UAAU,CACR,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,IAAyB,EAAE,EACvD,EAAE,CACH,CACF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC5C,MAAM,CACJ,UAAU,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CACvD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,MAAM,CACJ,UAAU,CAAC;YACT,GAAG,UAAU;YACb,SAAS,EAAE,SAA8B;SAC1C,CAAC,CACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,MAAM,CACJ,UAAU,CAAC;YACT,GAAG,UAAU;YACb,SAAS,EAAE,MAAM,CAAC,GAAwB;SAC3C,CAAC,CACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,yEAAyE;AACzE,4EAA4E;AAC5E,wDAAwD;AACxD,8EAA8E;AAE9E,6EAA6E;AAC7E,gFAAgF;AAChF,gFAAgF;AAChF,SAAS,eAAe,CAAC,MAA+B;IACtD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;SACrE,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;SAChD,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtB,OAAO,GAAG,MAAM,IAAI,OAAO,YAAY,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,GAAG,4BAA4B,CAAC;AAChD,MAAM,WAAW,GAAG,4BAA4B,CAAC;AAEjD,MAAM,UAAU,GAAG;IACjB,MAAM,EAAE,WAAW;IACnB,cAAc,EAAE,sBAAsB;IACtC,QAAQ,EAAE,WAAW;CACtB,CAAC;AAEF,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC3D,MAAM,KAAK,GAAG,eAAe,CAAC,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QACrE,MAAM,CAAC,yBAAyB,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC3D,MAAM,KAAK,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9C,MAAM,CAAC,yBAAyB,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC3D,MAAM,CAAC,yBAAyB,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QAC3D,MAAM,CAAC,yBAAyB,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACxD,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,MAAM,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,GAC/D,MAAM,YAAY,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,eAAe,CAAC,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QACxE,gBAAgB,CAAC;YACf,GAAG,UAAU;YACb,WAAW,EAAE,QAAQ;YACrB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;SACvC,CAAC,CAAC;QACH,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAE1C,MAAM,MAAM,CACV,mBAAmB,CAAC,UAAU,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CACxD,CAAC,OAAO,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QAEzC,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QACvE,MAAM,SAAS,GAAG,eAAe,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1E,gBAAgB,CAAC;YACf,GAAG,UAAU;YACb,WAAW,EAAE,SAAS;YACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;SACvC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE;YACnD,WAAW,EAAE,KAAK;SACnB,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,MAAM,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QACvE,gBAAgB,CAAC;YACf,GAAG,UAAU;YACb,WAAW,EAAE,gBAAgB;YAC7B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;SACvC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,UAAU,EAAE;YACnD,WAAW,EAAE,KAAK;SACnB,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,2DAA2D;AAC3D,8EAA8E;AAE9E,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,MAAM,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QACpE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;QACzC,gBAAgB,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC/E,MAAM,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QACpE,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7D,gBAAgB,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,EAAE,CAAC,UAAU,CACX,OAAO,EACP,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CACf,IAAI,QAAQ,CACV,IAAI,CAAC,SAAS,CAAC;YACb,YAAY,EAAE,YAAY;YAC1B,QAAQ,EAAE,QAAQ;YAClB,aAAa,EAAE,aAAa;YAC5B,UAAU,EAAE,IAAI;YAChB,UAAU,EAAE,QAAQ;SACrB,CAAC,EACF,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CACF,CACF,CAAC;QAEF,MAAM,EAAE,aAAa,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;QACjE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,MAAM,aAAa,CAChC;YACE,MAAM,EAAE,WAAW;YACnB,cAAc,EAAE,qBAAqB;YACrC,QAAQ,EAAE,aAAa;SACxB,EACD,qBAAqB,CACtB,CAAC;QACF,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEzB,MAAM,CAAC,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,sBAAsB,CAAC,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC;QACtE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,KAAK,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC;QAElE,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,MAAM,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
package/package.json
CHANGED
package/src/cognito-auth.test.ts
CHANGED
|
@@ -99,6 +99,105 @@ describe("isExpiring — expiresAt shape tolerance", () => {
|
|
|
99
99
|
});
|
|
100
100
|
});
|
|
101
101
|
|
|
102
|
+
// ---------------------------------------------------------------------------
|
|
103
|
+
// Stale-pool detection — decodeAccessTokenClientId + getValidAccessToken
|
|
104
|
+
// self-evicts cached tokens minted by a different App Client (e.g. dev pool
|
|
105
|
+
// tokens left over from before the 2026-04-25 cutover).
|
|
106
|
+
// ---------------------------------------------------------------------------
|
|
107
|
+
|
|
108
|
+
/** Build a minimal unsigned JWT carrying the given claims. Cognito's real */
|
|
109
|
+
/** tokens are RS256-signed; we don't verify here so the signature can be */
|
|
110
|
+
/** anything — only the base64url-encoded payload matters. */
|
|
111
|
+
function makeAccessToken(claims: Record<string, unknown>): string {
|
|
112
|
+
const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" }))
|
|
113
|
+
.toString("base64")
|
|
114
|
+
.replace(/=+$/, "");
|
|
115
|
+
const payload = Buffer.from(JSON.stringify(claims))
|
|
116
|
+
.toString("base64")
|
|
117
|
+
.replace(/=+$/, "");
|
|
118
|
+
return `${header}.${payload}.signature`;
|
|
119
|
+
}
|
|
120
|
+
|
|
121
|
+
const DEV_CLIENT = "4mmujmjq3srakdueg656b9m0mp";
|
|
122
|
+
const PROD_CLIENT = "7acei2c8v870enheptb1j5foln";
|
|
123
|
+
|
|
124
|
+
const baseConfig = {
|
|
125
|
+
region: "us-east-1",
|
|
126
|
+
userPoolDomain: "vault-indigo-hq-prod",
|
|
127
|
+
clientId: PROD_CLIENT,
|
|
128
|
+
};
|
|
129
|
+
|
|
130
|
+
describe("decodeAccessTokenClientId", () => {
|
|
131
|
+
it("returns the client_id claim from a well-formed JWT", async () => {
|
|
132
|
+
const { decodeAccessTokenClientId } = await importModule();
|
|
133
|
+
const token = makeAccessToken({ client_id: DEV_CLIENT, sub: "abc" });
|
|
134
|
+
expect(decodeAccessTokenClientId(token)).toBe(DEV_CLIENT);
|
|
135
|
+
});
|
|
136
|
+
|
|
137
|
+
it("returns null when client_id is absent", async () => {
|
|
138
|
+
const { decodeAccessTokenClientId } = await importModule();
|
|
139
|
+
const token = makeAccessToken({ sub: "abc" });
|
|
140
|
+
expect(decodeAccessTokenClientId(token)).toBeNull();
|
|
141
|
+
});
|
|
142
|
+
|
|
143
|
+
it("returns null when the token has fewer than two segments", async () => {
|
|
144
|
+
const { decodeAccessTokenClientId } = await importModule();
|
|
145
|
+
expect(decodeAccessTokenClientId("not-a-jwt")).toBeNull();
|
|
146
|
+
});
|
|
147
|
+
|
|
148
|
+
it("returns null when the payload isn't valid JSON", async () => {
|
|
149
|
+
const { decodeAccessTokenClientId } = await importModule();
|
|
150
|
+
expect(decodeAccessTokenClientId("aaa.bbb.ccc")).toBeNull();
|
|
151
|
+
});
|
|
152
|
+
});
|
|
153
|
+
|
|
154
|
+
describe("getValidAccessToken stale-pool detection", () => {
|
|
155
|
+
it("evicts a cached token whose client_id mismatches the current config", async () => {
|
|
156
|
+
const { saveCachedTokens, loadCachedTokens, getValidAccessToken } =
|
|
157
|
+
await importModule();
|
|
158
|
+
const devToken = makeAccessToken({ client_id: DEV_CLIENT, sub: "abc" });
|
|
159
|
+
saveCachedTokens({
|
|
160
|
+
...baseTokens,
|
|
161
|
+
accessToken: devToken,
|
|
162
|
+
expiresAt: Date.now() + 60 * 60 * 1000,
|
|
163
|
+
});
|
|
164
|
+
expect(loadCachedTokens()).not.toBeNull();
|
|
165
|
+
|
|
166
|
+
await expect(
|
|
167
|
+
getValidAccessToken(baseConfig, { interactive: false }),
|
|
168
|
+
).rejects.toThrow(/No valid HQ session/);
|
|
169
|
+
|
|
170
|
+
expect(loadCachedTokens()).toBeNull();
|
|
171
|
+
});
|
|
172
|
+
|
|
173
|
+
it("keeps a cached token whose client_id matches", async () => {
|
|
174
|
+
const { saveCachedTokens, getValidAccessToken } = await importModule();
|
|
175
|
+
const prodToken = makeAccessToken({ client_id: PROD_CLIENT, sub: "abc" });
|
|
176
|
+
saveCachedTokens({
|
|
177
|
+
...baseTokens,
|
|
178
|
+
accessToken: prodToken,
|
|
179
|
+
expiresAt: Date.now() + 60 * 60 * 1000,
|
|
180
|
+
});
|
|
181
|
+
const access = await getValidAccessToken(baseConfig, {
|
|
182
|
+
interactive: false,
|
|
183
|
+
});
|
|
184
|
+
expect(access).toBe(prodToken);
|
|
185
|
+
});
|
|
186
|
+
|
|
187
|
+
it("keeps a cached token when client_id can't be decoded (back-compat)", async () => {
|
|
188
|
+
const { saveCachedTokens, getValidAccessToken } = await importModule();
|
|
189
|
+
saveCachedTokens({
|
|
190
|
+
...baseTokens,
|
|
191
|
+
accessToken: "opaque-non-jwt",
|
|
192
|
+
expiresAt: Date.now() + 60 * 60 * 1000,
|
|
193
|
+
});
|
|
194
|
+
const access = await getValidAccessToken(baseConfig, {
|
|
195
|
+
interactive: false,
|
|
196
|
+
});
|
|
197
|
+
expect(access).toBe("opaque-non-jwt");
|
|
198
|
+
});
|
|
199
|
+
});
|
|
200
|
+
|
|
102
201
|
// ---------------------------------------------------------------------------
|
|
103
202
|
// Round-trip: writers emit epoch-ms, readers read epoch-ms
|
|
104
203
|
// ---------------------------------------------------------------------------
|
package/src/cognito-auth.ts
CHANGED
|
@@ -120,6 +120,33 @@ export function isExpiring(tokens: CognitoTokens, bufferSeconds = 60): boolean {
|
|
|
120
120
|
return expiresAt - Date.now() < bufferSeconds * 1000;
|
|
121
121
|
}
|
|
122
122
|
|
|
123
|
+
/**
|
|
124
|
+
* Decode the `client_id` claim from a Cognito access token (no signature
|
|
125
|
+
* verification — we only need to identify which App Client minted it).
|
|
126
|
+
* Returns null when the token can't be parsed.
|
|
127
|
+
*
|
|
128
|
+
* Used by `getValidAccessToken` to detect stale cached sessions that target
|
|
129
|
+
* a different Cognito App Client. The canonical case is a pre-2026-04-25
|
|
130
|
+
* cache file holding a `hq-vault-dev` token after the user upgraded to a
|
|
131
|
+
* post-cutover CLI: the access token stays "non-expiring" for an hour but
|
|
132
|
+
* the prod vault API rejects it with 401, and the dev refresh token can't
|
|
133
|
+
* be exchanged at the prod token endpoint. Detecting the mismatch and
|
|
134
|
+
* forcing a re-login is the only safe self-heal.
|
|
135
|
+
*/
|
|
136
|
+
export function decodeAccessTokenClientId(accessToken: string): string | null {
|
|
137
|
+
try {
|
|
138
|
+
const parts = accessToken.split(".");
|
|
139
|
+
if (parts.length < 2) return null;
|
|
140
|
+
const payloadB64 = parts[1];
|
|
141
|
+
const padded = payloadB64 + "=".repeat((4 - (payloadB64.length % 4)) % 4);
|
|
142
|
+
const json = Buffer.from(padded, "base64").toString("utf-8");
|
|
143
|
+
const claims = JSON.parse(json) as { client_id?: unknown };
|
|
144
|
+
return typeof claims.client_id === "string" ? claims.client_id : null;
|
|
145
|
+
} catch {
|
|
146
|
+
return null;
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
|
|
123
150
|
// ---------------------------------------------------------------------------
|
|
124
151
|
// PKCE
|
|
125
152
|
// ---------------------------------------------------------------------------
|
|
@@ -375,7 +402,22 @@ export async function getValidAccessToken(
|
|
|
375
402
|
options: { interactive?: boolean } = {},
|
|
376
403
|
): Promise<string> {
|
|
377
404
|
const interactive = options.interactive ?? true;
|
|
378
|
-
|
|
405
|
+
let cached = loadCachedTokens();
|
|
406
|
+
|
|
407
|
+
// Stale-pool detection: if the cached access token was issued by a
|
|
408
|
+
// different Cognito App Client than the one we're talking to now, drop the
|
|
409
|
+
// cache and re-authenticate. Without this, a user holding a pre-cutover
|
|
410
|
+
// dev-pool token would either keep using a token the prod API rejects
|
|
411
|
+
// with 401, or attempt a refresh against the prod token endpoint with a
|
|
412
|
+
// dev refresh token (InvalidGrant). See `decodeAccessTokenClientId` for
|
|
413
|
+
// the full rationale.
|
|
414
|
+
if (cached) {
|
|
415
|
+
const cachedClientId = decodeAccessTokenClientId(cached.accessToken);
|
|
416
|
+
if (cachedClientId !== null && cachedClientId !== config.clientId) {
|
|
417
|
+
clearCachedTokens();
|
|
418
|
+
cached = null;
|
|
419
|
+
}
|
|
420
|
+
}
|
|
379
421
|
|
|
380
422
|
if (cached && !isExpiring(cached)) return cached.accessToken;
|
|
381
423
|
|