@vardario/cognito-client 1.0.1 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/lib/cognito-client.d.ts +189 -12
- package/lib/cognito-client.js +107 -57
- package/lib/error.d.ts +342 -101
- package/lib/error.js +379 -114
- package/lib/utils.d.ts +1 -0
- package/lib/utils.js +8 -0
- package/package.json +3 -2
package/README.md
CHANGED
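--- a/package/lib/cognito-client.d.ts
+++ b/package/lib/cognito-client.d.ts
@@ -1,7 +1,158 @@
+export interface CognitoBaseRequest {
+ClientId: string;
+ClientMetadata?: Record<string, string>;
+AnalyticsMetadata?: {
+AnalyticsEndpointId: string;
+};
+UserContextData?: {
+EncodedData?: string;
+IpAddress?: string;
+};
+}
+export interface AuthIntiUserSrpRequest extends CognitoBaseRequest {
+AuthFlow: 'USER_SRP_AUTH';
+AuthParameters: {
+USERNAME: string;
+SRP_A: string;
+SECRET_HASH?: string;
+};
+}
+export interface AuthIntiUserPasswordRequest extends CognitoBaseRequest {
+AuthFlow: 'USER_PASSWORD_AUTH';
+AuthParameters: {
+USERNAME: string;
+PASSWORD: string;
+SECRET_HASH?: string;
+};
+}
+export interface AuthIntiRefreshTokenRequest extends CognitoBaseRequest {
+AuthFlow: 'REFRESH_TOKEN_AUTH';
+AuthParameters: {
+REFRESH_TOKEN: string;
+SECRET_HASH?: string;
+};
+}
+export interface AuthIntiCustomAuthRequest extends CognitoBaseRequest {
+AuthFlow: 'CUSTOM_AUTH';
+AuthParameters: {
+USERNAME: string;
+SECRET_HASH?: string;
+};
+}
+export type AuthIntiRequest = AuthIntiUserSrpRequest | AuthIntiRefreshTokenRequest | AuthIntiCustomAuthRequest | AuthIntiUserPasswordRequest;
+export interface RespondToAuthChallengeBaseRequest extends CognitoBaseRequest {
+Session?: string;
+}
+export interface RespondToAuthChallengePasswordVerifierRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'PASSWORD_VERIFIER';
+ChallengeResponses: {
+USERNAME: string;
+PASSWORD_CLAIM_SECRET_BLOCK: string;
+PASSWORD_CLAIM_SIGNATURE: string;
+TIMESTAMP: string;
+SECRET_HASH?: string;
+};
+}
+export interface RespondToAuthChallengeSmsMfaRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'SMS_MFA';
+ChallengeResponses: {
+USERNAME: string;
+SMS_MFA_CODE: string;
+SECRET_HASH?: string;
+};
+}
+export interface RespondToAuthChallengeCustomChallengeNameRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'CUSTOM_CHALLENGE';
+ChallengeResponses: {
+USERNAME: string;
+ANSWER: string;
+SECRET_HASH?: string;
+};
+}
+export interface RespondToAuthChallengeNewPasswordRequiredRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'NEW_PASSWORD_REQUIRED';
+ChallengeResponses: {
+USERNAME: string;
+NEW_PASSWORD: string;
+SECRET_HASH?: string;
+};
+}
+export interface RespondToAuthChallengeSoftwareTokenMfaRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'SOFTWARE_TOKEN_MFA';
+ChallengeResponses: {
+USERNAME: string;
+SOFTWARE_TOKEN_MFA_CODE: string;
+SECRET_HASH?: string;
+};
+}
+export interface RespondToAuthChallengeDeviceSrpAuthRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'DEVICE_SRP_AUTH';
+ChallengeResponses: {
+USERNAME: string;
+SRP_A: string;
+SECRET_HASH?: string;
+};
+}
+export interface RespondToAuthChallengeDevicePasswordVerifierRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'DEVICE_PASSWORD_VERIFIER';
+ChallengeResponses: {
+USERNAME: string;
+PASSWORD_CLAIM_SECRET_BLOCK: string;
+PASSWORD_CLAIM_SIGNATURE: string;
+TIMESTAMP: string;
+DEVICE_KEY: string;
+SECRET_HASH?: string;
+};
+}
+export interface RespondToAuthChallengeMfaSetupRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'MFA_SETUP';
+ChallengeResponses: {
+USERNAME: string;
+SMS_MFA_CODE?: string;
+SOFTWARE_TOKEN_MFA_CODE?: string;
+SECRET_HASH?: string;
+};
+}
+export interface RespondToAuthChallengeSelectMfaTypeRequest extends RespondToAuthChallengeBaseRequest {
+ChallengeName: 'SELECT_MFA_TYPE';
+ChallengeResponses: {
+USERNAME: string;
+SOFTWARE_TOKEN_MFA_CODE?: string;
+SECRET_HASH?: string;
+};
+}
+export type RespondToAuthChallengeRequest = RespondToAuthChallengePasswordVerifierRequest | RespondToAuthChallengeSmsMfaRequest | RespondToAuthChallengeCustomChallengeNameRequest | RespondToAuthChallengeNewPasswordRequiredRequest | RespondToAuthChallengeSoftwareTokenMfaRequest | RespondToAuthChallengeDeviceSrpAuthRequest | RespondToAuthChallengeDevicePasswordVerifierRequest | RespondToAuthChallengeMfaSetupRequest | RespondToAuthChallengeSelectMfaTypeRequest;
 export interface UserAttribute {
 Name: string;
 Value: string;
 }
+export interface ConfirmForgotPasswordRequest extends CognitoBaseRequest {
+ConfirmationCode: string;
+Password: string;
+Username: string;
+SecretHash?: string;
+}
+export interface ConfirmSignUpRequest extends CognitoBaseRequest {
+ConfirmationCode: string;
+Username: string;
+SecretHash?: string;
+ForceAliasCreation?: boolean;
+}
+export interface ForgotPasswordRequest extends CognitoBaseRequest {
+Username: string;
+SecretHash?: string;
+}
+export interface SignUpRequest extends CognitoBaseRequest {
+Username: string;
+Password: string;
+SecretHash?: string;
+UserAttributes?: UserAttribute[];
+ValidationData?: UserAttribute[];
+}
+export interface ResendConfirmationCodeRequest extends CognitoBaseRequest {
+Username: string;
+SecretHash?: string;
+}
 /**
 * Cognito related OAuth props.
 */
@@ -43,6 +194,10 @@ export interface CognitoClientProps {
 * Cognito OAuth related options. See @see OAuthProps .
 */
 oAuth2?: OAuth2Props;
+/**
+* Optional Cognito User Pool Client Secret.
+*/
+clientSecret?: string;
 }
 /**
 * Cognito User Session
@@ -150,6 +305,7 @@ export interface ChallengeResponse {
 };
 }
 export declare function authResultToSession(authenticationResult: AuthenticationResult): Session;
+export declare function cognitoRequest(body: object, serviceTarget: CognitoServiceTarget, cognitoEndpoint: string): Promise<any>;
 /**
 * Lightweight AWS Cogito client without any AWS SDK dependencies.
 */
@@ -158,9 +314,9 @@ export declare class CognitoClient {
 private readonly cognitoPoolName;
 private readonly userPoolClientId;
 private readonly oAuth?;
-
+private readonly clientSecret?;
+constructor({ userPoolId, userPoolClientId, endpoint, oAuth2: oAuth, clientSecret }: CognitoClientProps);
 static getDecodedTokenFromSession(session: Session): DecodedTokens;
-private cognitoRequest;
 /**
 *
 * Performs user authentication with username and password through ALLOW_USER_SRP_AUTH .
@@ -168,7 +324,8 @@ export declare class CognitoClient {
 *
 * @param username Username
 * @param password Password
-*
+*
+* @throws {InitiateAuthException}
 */
 authenticateUserSrp(username: string, password: string): Promise<Session>;
 /**
@@ -178,23 +335,24 @@ export declare class CognitoClient {
 *
 * @param username Username
 * @param password Password
-* @throws {
+* @throws {InitiateAuthException}
 */
 authenticateUser(username: string, password: string): Promise<Session>;
 /**
 * Returns a new session based on the given refresh token.
 *
 * @param refreshToken
+* @param username
 * @returns @see Session
-* @throws {
+* @throws {InitiateAuthException}
 */
-refreshSession(refreshToken: string): Promise<Session>;
+refreshSession(refreshToken: string, username?: string): Promise<Session>;
 /**
 *
 * @param username Username
 * @param password Password
 *
-* @throws {
+* @throws {SignUpException}
 */
 signUp(username: string, password: string, userAttributes?: UserAttribute[]): Promise<{
 id: string;
@@ -206,7 +364,7 @@ export declare class CognitoClient {
 * @param username Username
 * @param code Confirmation code the user gets through the registration E-Mail
 *
-* @throws {
+* @throws {ConfirmSignUpException}
 */
 confirmSignUp(username: string, code: string): Promise<void>;
 /**
@@ -214,22 +372,39 @@ export declare class CognitoClient {
 * @param currentPassword Current user password.
 * @param newPassword New user password.
 *
-* @throws {
+* @throws {ChangePasswordException}
 */
 changePassword(currentPassword: string, newPassword: string, accessToken: string): Promise<void>;
+/**
+* Updates the user attributes.
+*
+* @param userAttributes List of user attributes to update.
+* @param accessToken Access token of the current user.
+*
+* @throws {UpdateUserAttributesException}
+*/
 updateUserAttributes(userAttributes: UserAttribute[], accessToken: string): Promise<void>;
+/**
+* Verifies a given user attribute
+*
+* @param attributeName Name of the attribute to verify
+* @param code Verification code
+* @param accessToken Access token of the current user.
+*
+* @throws {VerifyUserAttributeException}
+*/
 verifyUserAttribute(attributeName: string, code: string, accessToken: string): Promise<void>;
 /**
 * Sign out the user and remove the current user session.
 *
-* @throws {
+* @throws {RevokeTokenException}
 */
 signOut(refreshToken: string): Promise<void>;
 /**
 * Request forgot password.
 * @param username Username
 *
-* @throws {
+* @throws {ForgotPasswordException}
 */
 forgotPassword(username: string): Promise<void>;
 /**
@@ -239,12 +414,14 @@ export declare class CognitoClient {
 * @param newPassword New password
 * @param confirmationCode Confirmation code which the user got through E-mail
 *
-* @throws {
+* @throws {ConfirmForgotPasswordException}
 */
 confirmForgotPassword(username: string, newPassword: string, confirmationCode: string): Promise<void>;
 /**
 * Triggers cognito to resend the confirmation code
 * @param username Username
+*
+* @throws {ResendConfirmationCodeException}
 */
 resendConfirmationCode(username: string): Promise<void>;
 /**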
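Review bot: The new `refreshSession(refreshToken: string, username?: string)` signature makes `username` optional, but the matching cognito-client.js hunk in this same diff only attaches `SECRET_HASH` to the REFRESH_TOKEN_AUTH call when `username` is passed, so on an app client configured with `clientSecret` a refresh without `username` will be rejected by Cognito rather than by the type checker; the bare `* @param username` line should say so, e.g. `* @param username Required when the client was created with a clientSecret; it is used to derive SECRET_HASH for the refresh call.` The new `clientSecret?: string` on `CognitoClientProps` also deserves a caveat in its doc comment, since this is a dependency-free client likely bundled for browsers and a client secret shipped in a bundle is recoverable by anyone who downloads it, e.g. `* Only set this in a confidential (server-side) environment; Cognito app clients used from browsers or mobile apps should be created without a secret.` Finally, the newly exported `cognitoRequest` returns `Promise<any>`, which lets every caller use the parsed response unchecked; `Promise<unknown>` would force callers to narrow, though that is a wider API change than this diff makes.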
package/lib/cognito-client.js
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
import hashJs from 'hash.js';
|
|
2
2
|
import { BigInteger } from 'jsbn';
|
|
3
3
|
import { Buffer } from 'buffer';
|
|
4
|
-
import {
|
|
5
|
-
import { calculateSignature, calculateU, decodeJwt, generateA, generateSmallA, getPasswordAuthenticationKey, randomBytes } from './utils.js';
|
|
4
|
+
import { CognitoCommonException, CognitoError } from './error.js';
|
|
5
|
+
import { calculateSecretHash, calculateSignature, calculateU, decodeJwt, generateA, generateSmallA, getPasswordAuthenticationKey, randomBytes } from './utils.js';
|
|
6
6
|
/**
|
|
7
7
|
* List of used and supported Cognito API calls.
|
|
8
8
|
* @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html for more details
|
|
@@ -41,16 +41,51 @@ export function authResultToSession(authenticationResult) {
|
|
|
41
41
|
refreshToken: authenticationResult.RefreshToken
|
|
42
42
|
};
|
|
43
43
|
}
|
|
44
|
+
export async function cognitoRequest(body, serviceTarget, cognitoEndpoint) {
|
|
45
|
+
const cognitoResponse = await fetch(cognitoEndpoint, {
|
|
46
|
+
headers: {
|
|
47
|
+
'x-amz-target': `AWSCognitoIdentityProviderService.${serviceTarget}`,
|
|
48
|
+
'content-type': 'application/x-amz-json-1.1'
|
|
49
|
+
},
|
|
50
|
+
method: 'POST',
|
|
51
|
+
body: JSON.stringify(body)
|
|
52
|
+
});
|
|
53
|
+
if (cognitoResponse && cognitoResponse.status < 300) {
|
|
54
|
+
return cognitoResponse.json();
|
|
55
|
+
}
|
|
56
|
+
const cognitoResponseBody = await cognitoResponse.json();
|
|
57
|
+
/**
|
|
58
|
+
* The whole error handling and value sanitization was inspired
|
|
59
|
+
* by @see https://github.com/aws-amplify/amplify-js/blob/1f5eefd9c40285eb99e57764ac8fca1f9519e2c6/packages/core/src/clients/serde/json.ts#L14
|
|
60
|
+
*/
|
|
61
|
+
const sanitizeErrorType = (rawValue) => {
|
|
62
|
+
const [cleanValue] = rawValue.toString().split(/[,:]+/);
|
|
63
|
+
if (cleanValue.includes('#')) {
|
|
64
|
+
return cleanValue.split('#')[1];
|
|
65
|
+
}
|
|
66
|
+
return cleanValue;
|
|
67
|
+
};
|
|
68
|
+
const errorMessage = cognitoResponse.headers.get('X-Amzn-ErrorMessage') ??
|
|
69
|
+
cognitoResponseBody.message ??
|
|
70
|
+
cognitoResponseBody.Message ??
|
|
71
|
+
'Unknown error';
|
|
72
|
+
const cognitoException = sanitizeErrorType(cognitoResponse.headers.get('X-Amzn-ErrorType') ??
|
|
73
|
+
cognitoResponseBody.code ??
|
|
74
|
+
cognitoResponseBody.__type ??
|
|
75
|
+
CognitoCommonException.Unknown);
|
|
76
|
+
throw new CognitoError(errorMessage, cognitoException);
|
|
77
|
+
}
|
|
44
78
|
/**
|
|
45
79
|
* Lightweight AWS Cogito client without any AWS SDK dependencies.
|
|
46
80
|
*/
|
|
47
81
|
export class CognitoClient {
|
|
48
|
-
constructor({ userPoolId, userPoolClientId, endpoint, oAuth2: oAuth }) {
|
|
82
|
+
constructor({ userPoolId, userPoolClientId, endpoint, oAuth2: oAuth, clientSecret }) {
|
|
49
83
|
const [cognitoPoolRegion, cognitoPoolName] = userPoolId.split('_');
|
|
50
84
|
this.cognitoEndpoint = (endpoint || `https://cognito-idp.${cognitoPoolRegion}.amazonaws.com`).replace(/\/$/, '');
|
|
51
85
|
this.cognitoPoolName = cognitoPoolName;
|
|
52
86
|
this.userPoolClientId = userPoolClientId;
|
|
53
87
|
this.oAuth = oAuth;
|
|
88
|
+
this.clientSecret = clientSecret;
|
|
54
89
|
}
|
|
55
90
|
static getDecodedTokenFromSession(session) {
|
|
56
91
|
const { payload: idToken } = decodeJwt(session.idToken);
|
|
@@ -60,22 +95,6 @@ export class CognitoClient {
|
|
|
60
95
|
accessToken
|
|
61
96
|
};
|
|
62
97
|
}
|
|
63
|
-
async cognitoRequest(body, serviceTarget) {
|
|
64
|
-
const cognitoResponse = await fetch(this.cognitoEndpoint, {
|
|
65
|
-
headers: {
|
|
66
|
-
'x-amz-target': `AWSCognitoIdentityProviderService.${serviceTarget}`,
|
|
67
|
-
'content-type': 'application/x-amz-json-1.1'
|
|
68
|
-
},
|
|
69
|
-
method: 'POST',
|
|
70
|
-
body: JSON.stringify(body)
|
|
71
|
-
});
|
|
72
|
-
if (cognitoResponse.status < 200 || cognitoResponse.status > 299) {
|
|
73
|
-
const errorMessage = cognitoResponse.headers.get('X-Amzn-ErrorMessage') ?? 'Unknown';
|
|
74
|
-
const cognitoException = cognitoResponse.headers.get('X-Amzn-ErrorType') ?? CognitoException.Unknown;
|
|
75
|
-
throw new CognitoError(errorMessage, cognitoException);
|
|
76
|
-
}
|
|
77
|
-
return cognitoResponse.json();
|
|
78
|
-
}
|
|
79
98
|
/**
|
|
80
99
|
*
|
|
81
100
|
* Performs user authentication with username and password through ALLOW_USER_SRP_AUTH .
|
|
@@ -83,7 +102,8 @@ export class CognitoClient {
|
|
|
83
102
|
*
|
|
84
103
|
* @param username Username
|
|
85
104
|
* @param password Password
|
|
86
|
-
*
|
|
105
|
+
*
|
|
106
|
+
* @throws {InitiateAuthException}
|
|
87
107
|
*/
|
|
88
108
|
async authenticateUserSrp(username, password) {
|
|
89
109
|
const smallA = await generateSmallA();
|
|
@@ -93,28 +113,31 @@ export class CognitoClient {
|
|
|
93
113
|
ClientId: this.userPoolClientId,
|
|
94
114
|
AuthParameters: {
|
|
95
115
|
USERNAME: username,
|
|
96
|
-
SRP_A: A.toString(16)
|
|
116
|
+
SRP_A: A.toString(16),
|
|
117
|
+
SECRET_HASH: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
|
|
97
118
|
},
|
|
98
119
|
ClientMetadata: {}
|
|
99
120
|
};
|
|
100
|
-
const challenge = (await
|
|
121
|
+
const challenge = (await cognitoRequest(initiateAuthPayload, CognitoServiceTarget.InitiateAuth, this.cognitoEndpoint));
|
|
101
122
|
const B = new BigInteger(challenge.ChallengeParameters.SRP_B, 16);
|
|
102
123
|
const salt = new BigInteger(challenge.ChallengeParameters.SALT, 16);
|
|
103
124
|
const U = calculateU(A, B);
|
|
104
125
|
const hkdf = getPasswordAuthenticationKey(this.cognitoPoolName, challenge.ChallengeParameters.USER_ID_FOR_SRP, password, B, U, smallA, salt);
|
|
105
126
|
const { signature, timeStamp } = calculateSignature(this.cognitoPoolName, challenge.ChallengeParameters.USER_ID_FOR_SRP, challenge.ChallengeParameters.SECRET_BLOCK, hkdf);
|
|
106
|
-
const
|
|
127
|
+
const respondToAuthChallengeRequest = {
|
|
107
128
|
ChallengeName: 'PASSWORD_VERIFIER',
|
|
108
129
|
ClientId: this.userPoolClientId,
|
|
109
130
|
ChallengeResponses: {
|
|
110
131
|
PASSWORD_CLAIM_SECRET_BLOCK: challenge.ChallengeParameters.SECRET_BLOCK,
|
|
111
132
|
PASSWORD_CLAIM_SIGNATURE: signature,
|
|
112
133
|
USERNAME: challenge.ChallengeParameters.USER_ID_FOR_SRP,
|
|
113
|
-
TIMESTAMP: timeStamp
|
|
134
|
+
TIMESTAMP: timeStamp,
|
|
135
|
+
SECRET_HASH: this.clientSecret &&
|
|
136
|
+
calculateSecretHash(this.clientSecret, this.userPoolClientId, challenge.ChallengeParameters.USER_ID_FOR_SRP)
|
|
114
137
|
},
|
|
115
138
|
ClientMetadata: {}
|
|
116
139
|
};
|
|
117
|
-
const { AuthenticationResult } = await
|
|
140
|
+
const { AuthenticationResult } = await cognitoRequest(respondToAuthChallengeRequest, CognitoServiceTarget.RespondToAuthChallenge, this.cognitoEndpoint);
|
|
118
141
|
return authResultToSession(AuthenticationResult);
|
|
119
142
|
}
|
|
120
143
|
/**
|
|
@@ -124,7 +147,7 @@ export class CognitoClient {
|
|
|
124
147
|
*
|
|
125
148
|
* @param username Username
|
|
126
149
|
* @param password Password
|
|
127
|
-
* @throws {
|
|
150
|
+
* @throws {InitiateAuthException}
|
|
128
151
|
*/
|
|
129
152
|
async authenticateUser(username, password) {
|
|
130
153
|
const initiateAuthPayload = {
|
|
@@ -132,11 +155,12 @@ export class CognitoClient {
|
|
|
132
155
|
ClientId: this.userPoolClientId,
|
|
133
156
|
AuthParameters: {
|
|
134
157
|
USERNAME: username,
|
|
135
|
-
PASSWORD: password
|
|
158
|
+
PASSWORD: password,
|
|
159
|
+
SECRET_HASH: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
|
|
136
160
|
},
|
|
137
161
|
ClientMetadata: {}
|
|
138
162
|
};
|
|
139
|
-
const { AuthenticationResult } = (await
|
|
163
|
+
const { AuthenticationResult } = (await cognitoRequest(initiateAuthPayload, CognitoServiceTarget.InitiateAuth, this.cognitoEndpoint));
|
|
140
164
|
const session = authResultToSession(AuthenticationResult);
|
|
141
165
|
return session;
|
|
142
166
|
}
|
|
@@ -144,19 +168,21 @@ export class CognitoClient {
|
|
|
144
168
|
* Returns a new session based on the given refresh token.
|
|
145
169
|
*
|
|
146
170
|
* @param refreshToken
|
|
171
|
+
* @param username
|
|
147
172
|
* @returns @see Session
|
|
148
|
-
* @throws {
|
|
173
|
+
* @throws {InitiateAuthException}
|
|
149
174
|
*/
|
|
150
|
-
async refreshSession(refreshToken) {
|
|
175
|
+
async refreshSession(refreshToken, username) {
|
|
151
176
|
const refreshTokenPayload = {
|
|
152
177
|
AuthFlow: 'REFRESH_TOKEN_AUTH',
|
|
153
178
|
ClientId: this.userPoolClientId,
|
|
154
179
|
AuthParameters: {
|
|
155
|
-
REFRESH_TOKEN: refreshToken
|
|
180
|
+
REFRESH_TOKEN: refreshToken,
|
|
181
|
+
SECRET_HASH: this.clientSecret && username && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
|
|
156
182
|
},
|
|
157
183
|
ClientMetadata: {}
|
|
158
184
|
};
|
|
159
|
-
const { AuthenticationResult } = (await
|
|
185
|
+
const { AuthenticationResult } = (await cognitoRequest(refreshTokenPayload, CognitoServiceTarget.InitiateAuth, this.cognitoEndpoint));
|
|
160
186
|
if (!AuthenticationResult.RefreshToken) {
|
|
161
187
|
AuthenticationResult.RefreshToken = refreshToken;
|
|
162
188
|
}
|
|
@@ -167,16 +193,17 @@ export class CognitoClient {
|
|
|
167
193
|
* @param username Username
|
|
168
194
|
* @param password Password
|
|
169
195
|
*
|
|
170
|
-
* @throws {
|
|
196
|
+
* @throws {SignUpException}
|
|
171
197
|
*/
|
|
172
198
|
async signUp(username, password, userAttributes) {
|
|
173
|
-
const
|
|
199
|
+
const signUpRequest = {
|
|
174
200
|
ClientId: this.userPoolClientId,
|
|
175
201
|
Username: username,
|
|
176
202
|
Password: password,
|
|
177
|
-
UserAttributes: userAttributes
|
|
203
|
+
UserAttributes: userAttributes,
|
|
204
|
+
SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
|
|
178
205
|
};
|
|
179
|
-
const data = await
|
|
206
|
+
const data = await cognitoRequest(signUpRequest, CognitoServiceTarget.SignUp, this.cognitoEndpoint);
|
|
180
207
|
return {
|
|
181
208
|
id: data.UserSub,
|
|
182
209
|
confirmed: data.UserConfirmed
|
|
@@ -188,22 +215,23 @@ export class CognitoClient {
|
|
|
188
215
|
* @param username Username
|
|
189
216
|
* @param code Confirmation code the user gets through the registration E-Mail
|
|
190
217
|
*
|
|
191
|
-
* @throws {
|
|
218
|
+
* @throws {ConfirmSignUpException}
|
|
192
219
|
*/
|
|
193
220
|
async confirmSignUp(username, code) {
|
|
194
|
-
const
|
|
221
|
+
const confirmSignUpRequest = {
|
|
195
222
|
ClientId: this.userPoolClientId,
|
|
196
223
|
ConfirmationCode: code,
|
|
197
|
-
Username: username
|
|
224
|
+
Username: username,
|
|
225
|
+
SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
|
|
198
226
|
};
|
|
199
|
-
await
|
|
227
|
+
await cognitoRequest(confirmSignUpRequest, CognitoServiceTarget.ConfirmSignUp, this.cognitoEndpoint);
|
|
200
228
|
}
|
|
201
229
|
/**
|
|
202
230
|
*
|
|
203
231
|
* @param currentPassword Current user password.
|
|
204
232
|
* @param newPassword New user password.
|
|
205
233
|
*
|
|
206
|
-
* @throws {
|
|
234
|
+
* @throws {ChangePasswordException}
|
|
207
235
|
*/
|
|
208
236
|
async changePassword(currentPassword, newPassword, accessToken) {
|
|
209
237
|
const changePasswordPayload = {
|
|
@@ -211,47 +239,65 @@ export class CognitoClient {
|
|
|
211
239
|
ProposedPassword: newPassword,
|
|
212
240
|
AccessToken: accessToken
|
|
213
241
|
};
|
|
214
|
-
await
|
|
242
|
+
await cognitoRequest(changePasswordPayload, CognitoServiceTarget.ChangePassword, this.cognitoEndpoint);
|
|
215
243
|
}
|
|
244
|
+
/**
|
|
245
|
+
* Updates the user attributes.
|
|
246
|
+
*
|
|
247
|
+
* @param userAttributes List of user attributes to update.
|
|
248
|
+
* @param accessToken Access token of the current user.
|
|
249
|
+
*
|
|
250
|
+
* @throws {UpdateUserAttributesException}
|
|
251
|
+
*/
|
|
216
252
|
async updateUserAttributes(userAttributes, accessToken) {
|
|
217
253
|
const updateUserAttributesPayload = {
|
|
218
254
|
UserAttributes: userAttributes,
|
|
219
255
|
AccessToken: accessToken
|
|
220
256
|
};
|
|
221
|
-
await
|
|
257
|
+
await cognitoRequest(updateUserAttributesPayload, CognitoServiceTarget.UpdateUserAttributes, this.cognitoEndpoint);
|
|
222
258
|
}
|
|
259
|
+
/**
|
|
260
|
+
* Verifies a given user attribute
|
|
261
|
+
*
|
|
262
|
+
* @param attributeName Name of the attribute to verify
|
|
263
|
+
* @param code Verification code
|
|
264
|
+
* @param accessToken Access token of the current user.
|
|
265
|
+
*
|
|
266
|
+
* @throws {VerifyUserAttributeException}
|
|
267
|
+
*/
|
|
223
268
|
async verifyUserAttribute(attributeName, code, accessToken) {
|
|
224
269
|
const verifyUserAttributePayload = {
|
|
225
270
|
AttributeName: attributeName,
|
|
226
271
|
Code: code,
|
|
227
272
|
AccessToken: accessToken
|
|
228
273
|
};
|
|
229
|
-
await
|
|
274
|
+
await cognitoRequest(verifyUserAttributePayload, CognitoServiceTarget.VerifyUserAttribute, this.cognitoEndpoint);
|
|
230
275
|
}
|
|
231
276
|
/**
|
|
232
277
|
* Sign out the user and remove the current user session.
|
|
233
278
|
*
|
|
234
|
-
* @throws {
|
|
279
|
+
* @throws {RevokeTokenException}
|
|
235
280
|
*/
|
|
236
281
|
async signOut(refreshToken) {
|
|
237
282
|
const revokeTokenPayload = {
|
|
238
283
|
Token: refreshToken,
|
|
239
284
|
ClientId: this.userPoolClientId
|
|
240
285
|
};
|
|
241
|
-
await
|
|
286
|
+
await cognitoRequest(revokeTokenPayload, CognitoServiceTarget.RevokeToken, this.cognitoEndpoint);
|
|
242
287
|
}
|
|
243
288
|
/**
|
|
244
289
|
* Request forgot password.
|
|
245
290
|
* @param username Username
|
|
246
291
|
*
|
|
247
|
-
* @throws {
|
|
292
|
+
* @throws {ForgotPasswordException}
|
|
248
293
|
*/
|
|
249
294
|
async forgotPassword(username) {
|
|
250
|
-
const
|
|
295
|
+
const forgotPasswordRequest = {
|
|
251
296
|
ClientId: this.userPoolClientId,
|
|
252
|
-
Username: username
|
|
297
|
+
Username: username,
|
|
298
|
+
SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
|
|
253
299
|
};
|
|
254
|
-
await
|
|
300
|
+
await cognitoRequest(forgotPasswordRequest, CognitoServiceTarget.ForgotPassword, this.cognitoEndpoint);
|
|
255
301
|
}
|
|
256
302
|
/**
|
|
257
303
|
* Confirms the new password via the given code send via cognito triggered by @see forgotPassword .
|
|
@@ -260,27 +306,31 @@ export class CognitoClient {
|
|
|
260
306
|
* @param newPassword New password
|
|
261
307
|
* @param confirmationCode Confirmation code which the user got through E-mail
|
|
262
308
|
*
|
|
263
|
-
* @throws {
|
|
309
|
+
* @throws {ConfirmForgotPasswordException}
|
|
264
310
|
*/
|
|
265
311
|
async confirmForgotPassword(username, newPassword, confirmationCode) {
|
|
266
|
-
const
|
|
312
|
+
const confirmForgotPasswordRequest = {
|
|
267
313
|
ClientId: this.userPoolClientId,
|
|
268
314
|
Username: username,
|
|
269
315
|
ConfirmationCode: confirmationCode,
|
|
270
|
-
Password: newPassword
|
|
316
|
+
Password: newPassword,
|
|
317
|
+
SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
|
|
271
318
|
};
|
|
272
|
-
await
|
|
319
|
+
await cognitoRequest(confirmForgotPasswordRequest, CognitoServiceTarget.ConfirmForgotPassword, this.cognitoEndpoint);
|
|
273
320
|
}
|
|
274
321
|
/**
|
|
275
322
|
* Triggers cognito to resend the confirmation code
|
|
276
323
|
* @param username Username
|
|
324
|
+
*
|
|
325
|
+
* @throws {ResendConfirmationCodeException}
|
|
277
326
|
*/
|
|
278
327
|
async resendConfirmationCode(username) {
|
|
279
|
-
const
|
|
328
|
+
const resendConfirmationCodeRequest = {
|
|
280
329
|
ClientId: this.userPoolClientId,
|
|
281
|
-
Username: username
|
|
330
|
+
Username: username,
|
|
331
|
+
SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
|
|
282
332
|
};
|
|
283
|
-
await
|
|
333
|
+
await cognitoRequest(resendConfirmationCodeRequest, CognitoServiceTarget.ResendConfirmationCode, this.cognitoEndpoint);
|
|
284
334
|
}
|
|
285
335
|
/**
|
|
286
336
|
* Returns a link to Cognito`s Hosted UI for OAuth2 authentication.
|