@vardario/cognito-client 2.0.0 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/cognito-client.d.ts +171 -6
- package/lib/cognito-client.js +54 -28
- package/lib/utils.d.ts +1 -0
- package/lib/utils.js +8 -0
- package/package.json +4 -3
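--- a/package/lib/cognito-client.d.ts
+++ b/package/lib/cognito-client.d.ts
@@ -1,7 +1,158 @@
+export interface CognitoBaseRequest {
+    ClientId: string;
+    ClientMetadata?: Record<string, string>;
+    AnalyticsMetadata?: {
+        AnalyticsEndpointId: string;
+    };
+    UserContextData?: {
+        EncodedData?: string;
+        IpAddress?: string;
+    };
+}
+export interface AuthIntiUserSrpRequest extends CognitoBaseRequest {
+    AuthFlow: 'USER_SRP_AUTH';
+    AuthParameters: {
+        USERNAME: string;
+        SRP_A: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface AuthIntiUserPasswordRequest extends CognitoBaseRequest {
+    AuthFlow: 'USER_PASSWORD_AUTH';
+    AuthParameters: {
+        USERNAME: string;
+        PASSWORD: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface AuthIntiRefreshTokenRequest extends CognitoBaseRequest {
+    AuthFlow: 'REFRESH_TOKEN_AUTH';
+    AuthParameters: {
+        REFRESH_TOKEN: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface AuthIntiCustomAuthRequest extends CognitoBaseRequest {
+    AuthFlow: 'CUSTOM_AUTH';
+    AuthParameters: {
+        USERNAME: string;
+        SECRET_HASH?: string;
+    };
+}
+export type AuthIntiRequest = AuthIntiUserSrpRequest | AuthIntiRefreshTokenRequest | AuthIntiCustomAuthRequest | AuthIntiUserPasswordRequest;
+export interface RespondToAuthChallengeBaseRequest extends CognitoBaseRequest {
+    Session?: string;
+}
+export interface RespondToAuthChallengePasswordVerifierRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'PASSWORD_VERIFIER';
+    ChallengeResponses: {
+        USERNAME: string;
+        PASSWORD_CLAIM_SECRET_BLOCK: string;
+        PASSWORD_CLAIM_SIGNATURE: string;
+        TIMESTAMP: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface RespondToAuthChallengeSmsMfaRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'SMS_MFA';
+    ChallengeResponses: {
+        USERNAME: string;
+        SMS_MFA_CODE: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface RespondToAuthChallengeCustomChallengeNameRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'CUSTOM_CHALLENGE';
+    ChallengeResponses: {
+        USERNAME: string;
+        ANSWER: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface RespondToAuthChallengeNewPasswordRequiredRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'NEW_PASSWORD_REQUIRED';
+    ChallengeResponses: {
+        USERNAME: string;
+        NEW_PASSWORD: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface RespondToAuthChallengeSoftwareTokenMfaRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'SOFTWARE_TOKEN_MFA';
+    ChallengeResponses: {
+        USERNAME: string;
+        SOFTWARE_TOKEN_MFA_CODE: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface RespondToAuthChallengeDeviceSrpAuthRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'DEVICE_SRP_AUTH';
+    ChallengeResponses: {
+        USERNAME: string;
+        SRP_A: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface RespondToAuthChallengeDevicePasswordVerifierRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'DEVICE_PASSWORD_VERIFIER';
+    ChallengeResponses: {
+        USERNAME: string;
+        PASSWORD_CLAIM_SECRET_BLOCK: string;
+        PASSWORD_CLAIM_SIGNATURE: string;
+        TIMESTAMP: string;
+        DEVICE_KEY: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface RespondToAuthChallengeMfaSetupRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'MFA_SETUP';
+    ChallengeResponses: {
+        USERNAME: string;
+        SMS_MFA_CODE?: string;
+        SOFTWARE_TOKEN_MFA_CODE?: string;
+        SECRET_HASH?: string;
+    };
+}
+export interface RespondToAuthChallengeSelectMfaTypeRequest extends RespondToAuthChallengeBaseRequest {
+    ChallengeName: 'SELECT_MFA_TYPE';
+    ChallengeResponses: {
+        USERNAME: string;
+        SOFTWARE_TOKEN_MFA_CODE?: string;
+        SECRET_HASH?: string;
+    };
+}
+export type RespondToAuthChallengeRequest = RespondToAuthChallengePasswordVerifierRequest | RespondToAuthChallengeSmsMfaRequest | RespondToAuthChallengeCustomChallengeNameRequest | RespondToAuthChallengeNewPasswordRequiredRequest | RespondToAuthChallengeSoftwareTokenMfaRequest | RespondToAuthChallengeDeviceSrpAuthRequest | RespondToAuthChallengeDevicePasswordVerifierRequest | RespondToAuthChallengeMfaSetupRequest | RespondToAuthChallengeSelectMfaTypeRequest;
 export interface UserAttribute {
     Name: string;
     Value: string;
 }
+export interface ConfirmForgotPasswordRequest extends CognitoBaseRequest {
+    ConfirmationCode: string;
+    Password: string;
+    Username: string;
+    SecretHash?: string;
+}
+export interface ConfirmSignUpRequest extends CognitoBaseRequest {
+    ConfirmationCode: string;
+    Username: string;
+    SecretHash?: string;
+    ForceAliasCreation?: boolean;
+}
+export interface ForgotPasswordRequest extends CognitoBaseRequest {
+    Username: string;
+    SecretHash?: string;
+}
+export interface SignUpRequest extends CognitoBaseRequest {
+    Username: string;
+    Password: string;
+    SecretHash?: string;
+    UserAttributes?: UserAttribute[];
+    ValidationData?: UserAttribute[];
+}
+export interface ResendConfirmationCodeRequest extends CognitoBaseRequest {
+    Username: string;
+    SecretHash?: string;
+}
 /**
  * Cognito related OAuth props.
  */
@@ -43,6 +194,10 @@ export interface CognitoClientProps {
      * Cognito OAuth related options. See @see OAuthProps .
      */
     oAuth2?: OAuth2Props;
+    /**
+     * Optional Cognito User Pool Client Secret.
+     */
+    clientSecret?: string;
 }
 /**
  * Cognito User Session
@@ -117,7 +272,8 @@ export declare enum CognitoServiceTarget {
     ConfirmForgotPassword = "ConfirmForgotPassword",
     ResendConfirmationCode = "ResendConfirmationCode",
     UpdateUserAttributes = "UpdateUserAttributes",
-    VerifyUserAttribute = "VerifyUserAttribute"
+    VerifyUserAttribute = "VerifyUserAttribute",
+    GlobalSignOut = "GlobalSignOut"
 }
 /**
  * Cognito supported federated identities public providers.
@@ -159,7 +315,8 @@ export declare class CognitoClient {
     private readonly cognitoPoolName;
     private readonly userPoolClientId;
     private readonly oAuth?;
-
+    private readonly clientSecret?;
+    constructor({ userPoolId, userPoolClientId, endpoint, oAuth2: oAuth, clientSecret }: CognitoClientProps);
     static getDecodedTokenFromSession(session: Session): DecodedTokens;
     /**
      *
@@ -185,11 +342,12 @@ export declare class CognitoClient {
     /**
      * Returns a new session based on the given refresh token.
      *
-     * @param refreshToken
+     * @param refreshToken Refresh token from a previous session.
+     * @param username Username is required when using a client secret and needs to be the cognito user id.
      * @returns @see Session
      * @throws {InitiateAuthException}
      */
-    refreshSession(refreshToken: string): Promise<Session>;
+    refreshSession(refreshToken: string, username?: string): Promise<Session>;
     /**
      *
      * @param username Username
@@ -238,11 +396,13 @@ export declare class CognitoClient {
      */
     verifyUserAttribute(attributeName: string, code: string, accessToken: string): Promise<void>;
     /**
-     *
+     * Revokes all of the access tokens generated by, and at the same time as, the specified refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.
      *
+     * @param refreshToken Refresh token from a previous session.
+     * @param username Username is required when using a client secret and needs to be the cognito user id.
      * @throws {RevokeTokenException}
      */
-
+    revokeToken(refreshToken: string): Promise<void>;
     /**
      * Request forgot password.
      * @param username Username
@@ -293,4 +453,9 @@ export declare class CognitoClient {
      * @throws {Error}
      */
     handleCodeFlow(returnUrl: string, pkce: string): Promise<Session>;
+    /**
+     * Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior.
+     * @param accessToken Access token of the current user.
+     */
+    globalSignOut(accessToken: string): Promise<void>;
 }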
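--- a/package/lib/cognito-client.js
+++ b/package/lib/cognito-client.js
@@ -2,7 +2,7 @@ import hashJs from 'hash.js';
 import { BigInteger } from 'jsbn';
 import { Buffer } from 'buffer';
 import { CognitoCommonException, CognitoError } from './error.js';
-import { calculateSignature, calculateU, decodeJwt, generateA, generateSmallA, getPasswordAuthenticationKey, randomBytes } from './utils.js';
+import { calculateSecretHash, calculateSignature, calculateU, decodeJwt, generateA, generateSmallA, getPasswordAuthenticationKey, randomBytes } from './utils.js';
 /**
  * List of used and supported Cognito API calls.
  * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html for more details
@@ -20,6 +20,7 @@ export var CognitoServiceTarget;
     CognitoServiceTarget["ResendConfirmationCode"] = "ResendConfirmationCode";
     CognitoServiceTarget["UpdateUserAttributes"] = "UpdateUserAttributes";
     CognitoServiceTarget["VerifyUserAttribute"] = "VerifyUserAttribute";
+    CognitoServiceTarget["GlobalSignOut"] = "GlobalSignOut";
 })(CognitoServiceTarget || (CognitoServiceTarget = {}));
 /**
  * Cognito supported federated identities public providers.
@@ -79,12 +80,13 @@ export async function cognitoRequest(body, serviceTarget, cognitoEndpoint) {
  * Lightweight AWS Cogito client without any AWS SDK dependencies.
  */
 export class CognitoClient {
-    constructor({ userPoolId, userPoolClientId, endpoint, oAuth2: oAuth }) {
+    constructor({ userPoolId, userPoolClientId, endpoint, oAuth2: oAuth, clientSecret }) {
         const [cognitoPoolRegion, cognitoPoolName] = userPoolId.split('_');
         this.cognitoEndpoint = (endpoint || `https://cognito-idp.${cognitoPoolRegion}.amazonaws.com`).replace(/\/$/, '');
         this.cognitoPoolName = cognitoPoolName;
         this.userPoolClientId = userPoolClientId;
         this.oAuth = oAuth;
+        this.clientSecret = clientSecret;
     }
     static getDecodedTokenFromSession(session) {
         const { payload: idToken } = decodeJwt(session.idToken);
@@ -112,7 +114,8 @@ export class CognitoClient {
             ClientId: this.userPoolClientId,
             AuthParameters: {
                 USERNAME: username,
-                SRP_A: A.toString(16)
+                SRP_A: A.toString(16),
+                SECRET_HASH: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
             },
             ClientMetadata: {}
         };
@@ -122,18 +125,20 @@ export class CognitoClient {
         const U = calculateU(A, B);
         const hkdf = getPasswordAuthenticationKey(this.cognitoPoolName, challenge.ChallengeParameters.USER_ID_FOR_SRP, password, B, U, smallA, salt);
         const { signature, timeStamp } = calculateSignature(this.cognitoPoolName, challenge.ChallengeParameters.USER_ID_FOR_SRP, challenge.ChallengeParameters.SECRET_BLOCK, hkdf);
-        const
+        const respondToAuthChallengeRequest = {
             ChallengeName: 'PASSWORD_VERIFIER',
             ClientId: this.userPoolClientId,
             ChallengeResponses: {
                 PASSWORD_CLAIM_SECRET_BLOCK: challenge.ChallengeParameters.SECRET_BLOCK,
                 PASSWORD_CLAIM_SIGNATURE: signature,
                 USERNAME: challenge.ChallengeParameters.USER_ID_FOR_SRP,
-                TIMESTAMP: timeStamp
+                TIMESTAMP: timeStamp,
+                SECRET_HASH: this.clientSecret &&
+                    calculateSecretHash(this.clientSecret, this.userPoolClientId, challenge.ChallengeParameters.USER_ID_FOR_SRP)
             },
             ClientMetadata: {}
         };
-        const { AuthenticationResult } = await cognitoRequest(
+        const { AuthenticationResult } = await cognitoRequest(respondToAuthChallengeRequest, CognitoServiceTarget.RespondToAuthChallenge, this.cognitoEndpoint);
         return authResultToSession(AuthenticationResult);
     }
     /**
@@ -151,7 +156,8 @@ export class CognitoClient {
             ClientId: this.userPoolClientId,
             AuthParameters: {
                 USERNAME: username,
-                PASSWORD: password
+                PASSWORD: password,
+                SECRET_HASH: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
             },
             ClientMetadata: {}
         };
@@ -162,16 +168,18 @@ export class CognitoClient {
     /**
      * Returns a new session based on the given refresh token.
      *
-     * @param refreshToken
+     * @param refreshToken Refresh token from a previous session.
+     * @param username Username is required when using a client secret and needs to be the cognito user id.
      * @returns @see Session
      * @throws {InitiateAuthException}
      */
-    async refreshSession(refreshToken) {
+    async refreshSession(refreshToken, username) {
         const refreshTokenPayload = {
             AuthFlow: 'REFRESH_TOKEN_AUTH',
             ClientId: this.userPoolClientId,
             AuthParameters: {
-                REFRESH_TOKEN: refreshToken
+                REFRESH_TOKEN: refreshToken,
+                SECRET_HASH: this.clientSecret && username && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
             },
             ClientMetadata: {}
         };
@@ -189,13 +197,14 @@ export class CognitoClient {
      * @throws {SignUpException}
      */
     async signUp(username, password, userAttributes) {
-        const
+        const signUpRequest = {
             ClientId: this.userPoolClientId,
             Username: username,
             Password: password,
-            UserAttributes: userAttributes
+            UserAttributes: userAttributes,
+            SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
         };
-        const data = await cognitoRequest(
+        const data = await cognitoRequest(signUpRequest, CognitoServiceTarget.SignUp, this.cognitoEndpoint);
         return {
             id: data.UserSub,
             confirmed: data.UserConfirmed
@@ -210,12 +219,13 @@ export class CognitoClient {
      * @throws {ConfirmSignUpException}
      */
     async confirmSignUp(username, code) {
-        const
+        const confirmSignUpRequest = {
             ClientId: this.userPoolClientId,
             ConfirmationCode: code,
-            Username: username
+            Username: username,
+            SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
         };
-        await cognitoRequest(
+        await cognitoRequest(confirmSignUpRequest, CognitoServiceTarget.ConfirmSignUp, this.cognitoEndpoint);
     }
     /**
      *
@@ -265,14 +275,17 @@ export class CognitoClient {
         await cognitoRequest(verifyUserAttributePayload, CognitoServiceTarget.VerifyUserAttribute, this.cognitoEndpoint);
     }
     /**
-     *
+     * Revokes all of the access tokens generated by, and at the same time as, the specified refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.
      *
+     * @param refreshToken Refresh token from a previous session.
+     * @param username Username is required when using a client secret and needs to be the cognito user id.
      * @throws {RevokeTokenException}
      */
-    async
+    async revokeToken(refreshToken) {
         const revokeTokenPayload = {
             Token: refreshToken,
-            ClientId: this.userPoolClientId
+            ClientId: this.userPoolClientId,
+            ClientSecret: this.clientSecret
         };
         await cognitoRequest(revokeTokenPayload, CognitoServiceTarget.RevokeToken, this.cognitoEndpoint);
     }
@@ -283,11 +296,12 @@ export class CognitoClient {
      * @throws {ForgotPasswordException}
      */
     async forgotPassword(username) {
-        const
+        const forgotPasswordRequest = {
             ClientId: this.userPoolClientId,
-            Username: username
+            Username: username,
+            SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
         };
-        await cognitoRequest(
+        await cognitoRequest(forgotPasswordRequest, CognitoServiceTarget.ForgotPassword, this.cognitoEndpoint);
     }
     /**
      * Confirms the new password via the given code send via cognito triggered by @see forgotPassword .
@@ -299,13 +313,14 @@ export class CognitoClient {
      * @throws {ConfirmForgotPasswordException}
      */
     async confirmForgotPassword(username, newPassword, confirmationCode) {
-        const
+        const confirmForgotPasswordRequest = {
             ClientId: this.userPoolClientId,
             Username: username,
             ConfirmationCode: confirmationCode,
-            Password: newPassword
+            Password: newPassword,
+            SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
         };
-        await cognitoRequest(
+        await cognitoRequest(confirmForgotPasswordRequest, CognitoServiceTarget.ConfirmForgotPassword, this.cognitoEndpoint);
     }
     /**
      * Triggers cognito to resend the confirmation code
@@ -314,11 +329,12 @@ export class CognitoClient {
      * @throws {ResendConfirmationCodeException}
      */
     async resendConfirmationCode(username) {
-        const
+        const resendConfirmationCodeRequest = {
             ClientId: this.userPoolClientId,
-            Username: username
+            Username: username,
+            SecretHash: this.clientSecret && calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
         };
-        await cognitoRequest(
+        await cognitoRequest(resendConfirmationCodeRequest, CognitoServiceTarget.ResendConfirmationCode, this.cognitoEndpoint);
     }
     /**
      * Returns a link to Cognito`s Hosted UI for OAuth2 authentication.
@@ -402,4 +418,14 @@ export class CognitoClient {
         });
         return session;
     }
+    /**
+     * Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior.
+     * @param accessToken Access token of the current user.
+     */
+    async globalSignOut(accessToken) {
+        const globalSignOutPayload = {
+            AccessToken: accessToken
+        };
+        await cognitoRequest(globalSignOutPayload, CognitoServiceTarget.GlobalSignOut, this.cognitoEndpoint);
+    }
 }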
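--- a/package/lib/utils.d.ts
+++ b/package/lib/utils.d.ts
@@ -21,3 +21,4 @@ export declare function decodeJwt<T = unknown>(jwt: string): {
 };
 export declare function randomBytes(num: number): Promise<Buffer>;
 export declare function formatTimestamp(date: Date): string;
+export declare function calculateSecretHash(clientSecret: string, userPoolClientId: string, username: string): string;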
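--- a/package/lib/utils.js
+++ b/package/lib/utils.js
@@ -123,3 +123,11 @@ export async function randomBytes(num) {
 export function formatTimestamp(date) {
     return formatInTimeZone(date, 'UTC', "EEE MMM d HH:mm:ss 'UTC' yyyy");
 }
+export function calculateSecretHash(clientSecret, userPoolClientId, username) {
+    const message = `${username}${userPoolClientId}`;
+    const hash = Buffer.from(hashJs
+        .hmac(hashJs.sha256, clientSecret)
+        .update(message)
+        .digest()).toString('base64');
+    return hash;
+}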
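--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@vardario/cognito-client",
-  "version": "
+  "version": "3.0.0",
   "description": "",
   "license": "MIT",
   "author": "Sahin Vardar",
@@ -16,8 +16,9 @@
   "scripts": {
     "build": "tsc --build",
     "format": "prettier --plugin-search-dir . --write . && prettier-package-json --write && eslint --fix .",
+    "integration-test": "vitest run integration",
     "prepare": "husky install",
-    "test": "vitest run",
+    "test": "vitest run unit",
     "watch": "tsc --build --watch"
   },
   "dependencies": {
@@ -27,7 +28,7 @@
     "jsbn": "^1.1.0"
   },
   "devDependencies": {
-    "@aws-sdk/client-cognito-identity-provider": "^3.
+    "@aws-sdk/client-cognito-identity-provider": "^3.465.0",
     "@types/jsbn": "^1.2.33",
     "@types/jsdom": "^21.1.5",
     "@types/randombytes": "^2.0.3",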