@strapi/plugin-users-permissions 4.6.0-beta.2 → 4.6.0

package/admin/src/pages/Providers/utils/forms.js

@@ -173,6 +173,21 @@ const forms = {
           },
         },
       ],
+      [
+        {
+          intlLabel: {
+            id: getTrad({ id: 'PopUpForm.Providers.jwksurl.label' }),
+            defaultMessage: 'JWKS URL',
+          },
+          name: 'jwksurl',
+          type: 'text',
+          placeholder: textPlaceholder,
+          size: 12,
+          validations: {
+            required: false,
+          },
+        },
+      ],
 
       [
         {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.6.0-beta.2",
+  "version": "4.6.0",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,11 +27,12 @@
     "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
   },
   "dependencies": {
-    "@strapi/helper-plugin": "4.6.0-beta.2",
-    "@strapi/utils": "4.6.0-beta.2",
+    "@strapi/helper-plugin": "4.6.0",
+    "@strapi/utils": "4.6.0",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
     "jsonwebtoken": "9.0.0",
+    "jwk-to-pem": "2.0.5",
     "koa": "^2.13.4",
     "koa2-ratelimit": "^1.1.2",
     "lodash": "4.17.21",
@@ -64,5 +65,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "b852090f931cd21868c4016f24db2f9fdfc7a7ab"
+  "gitHead": "a9e55435c489f3379d88565bf3f729deb29bfb45"
 }

package/server/services/providers-registry.js

@@ -2,6 +2,48 @@
 
 const { strict: assert } = require('assert');
 const jwt = require('jsonwebtoken');
+const jwkToPem = require('jwk-to-pem');
+
+const getCognitoPayload = async ({ idToken, jwksUrl, purest }) => {
+  const {
+    header: { kid },
+    payload,
+  } = jwt.decode(idToken, { complete: true });
+
+  if (!payload || !kid) {
+    throw new Error('The provided token is not valid');
+  }
+
+  const config = {
+    cognito: {
+      discovery: {
+        origin: jwksUrl.origin,
+        path: jwksUrl.pathname,
+      },
+    },
+  };
+  try {
+    const cognito = purest({ provider: 'cognito', config });
+    // get the JSON Web Key (JWK) for the user pool
+    const { body: jwk } = await cognito('discovery').request();
+    // Get the key with the same Key ID as the provided token
+    const key = jwk.keys.find(({ kid: jwkKid }) => jwkKid === kid);
+    const pem = jwkToPem(key);
+
+    // https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
+    const decodedToken = await new Promise((resolve, reject) => {
+      jwt.verify(idToken, pem, { algorithms: ['RS256'] }, (err, decodedToken) => {
+        if (err) {
+          reject();
+        }
+        resolve(decodedToken);
+      });
+    });
+    return decodedToken;
+  } catch (err) {
+    throw new Error('There was an error verifying the token');
+  }
+};
 
 const getInitialProviders = ({ purest }) => ({
   async discord({ accessToken }) {
@@ -19,19 +61,14 @@ const getInitialProviders = ({ purest }) => ({
         };
       });
   },
-  async cognito({ query }) {
-    // get the id_token
+  async cognito({ query, providers }) {
+    const jwksUrl = new URL(providers.cognito.jwksurl);
     const idToken = query.id_token;
-    // decode the jwt token
-    const tokenPayload = jwt.decode(idToken);
-    if (!tokenPayload) {
-      throw new Error('unable to decode jwt token');
-    } else {
-      return {
-        username: tokenPayload['cognito:username'],
-        email: tokenPayload.email,
-      };
-    }
+    const tokenPayload = await getCognitoPayload({ idToken, jwksUrl, purest });
+    return {
+      username: tokenPayload['cognito:username'],
+      email: tokenPayload.email,
+    };
   },
   async facebook({ accessToken }) {
     const facebook = purest({ provider: 'facebook' });