@vardario/cognito-client 5.0.0 → 5.2.0

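--- a/package/lib/browser.js
+++ b/package/lib/browser.js
@@ -26,15 +26,15 @@ var COMMON_EXCEPTIONS = [
  "ThrottlingException" /* ThrottlingException */,
  "ValidationError" /* ValidationError */
  ];
- var AssociateSoftwareTokenException = /* @__PURE__ */ ((AssociateSoftwareTokenException2) => {
- AssociateSoftwareTokenException2["ConcurrentModificationException"] = "ConcurrentModificationException";
- AssociateSoftwareTokenException2["ForbiddenException"] = "ForbiddenException";
- AssociateSoftwareTokenException2["InternalErrorException"] = "InternalErrorException";
- AssociateSoftwareTokenException2["InvalidParameterException"] = "InvalidParameterException";
- AssociateSoftwareTokenException2["NotAuthorizedException"] = "NotAuthorizedException";
- AssociateSoftwareTokenException2["ResourceNotFoundException"] = "ResourceNotFoundException";
- AssociateSoftwareTokenException2["SoftwareTokenMFANotFoundException"] = "SoftwareTokenMFANotFoundException";
- return AssociateSoftwareTokenException2;
+ var AssociateSoftwareTokenException = /* @__PURE__ */ ((AssociateSoftwareTokenException3) => {
+ AssociateSoftwareTokenException3["ConcurrentModificationException"] = "ConcurrentModificationException";
+ AssociateSoftwareTokenException3["ForbiddenException"] = "ForbiddenException";
+ AssociateSoftwareTokenException3["InternalErrorException"] = "InternalErrorException";
+ AssociateSoftwareTokenException3["InvalidParameterException"] = "InvalidParameterException";
+ AssociateSoftwareTokenException3["NotAuthorizedException"] = "NotAuthorizedException";
+ AssociateSoftwareTokenException3["ResourceNotFoundException"] = "ResourceNotFoundException";
+ AssociateSoftwareTokenException3["SoftwareTokenMFANotFoundException"] = "SoftwareTokenMFANotFoundException";
+ return AssociateSoftwareTokenException3;
  })(AssociateSoftwareTokenException || {});
  var ChangePasswordException = /* @__PURE__ */ ((ChangePasswordException3) => {
  ChangePasswordException3["ForbiddenException"] = "ForbiddenException";
@@ -158,17 +158,17 @@ var ForgotPasswordException = /* @__PURE__ */ ((ForgotPasswordException3) => {
  ForgotPasswordException3["UserNotFoundException"] = "UserNotFoundException";
  return ForgotPasswordException3;
  })(ForgotPasswordException || {});
- var GetUserException = /* @__PURE__ */ ((GetUserException2) => {
- GetUserException2["ForbiddenException"] = "ForbiddenException";
- GetUserException2["InternalErrorException"] = "InternalErrorException";
- GetUserException2["InvalidParameterException"] = "InvalidParameterException";
- GetUserException2["NotAuthorizedException"] = "NotAuthorizedException";
- GetUserException2["PasswordResetRequiredException"] = "PasswordResetRequiredException";
- GetUserException2["ResourceNotFoundException"] = "ResourceNotFoundException";
- GetUserException2["TooManyRequestsException"] = "TooManyRequestsException";
- GetUserException2["UserNotConfirmedException"] = "UserNotConfirmedException";
- GetUserException2["UserNotFoundException"] = "UserNotFoundException";
- return GetUserException2;
+ var GetUserException = /* @__PURE__ */ ((GetUserException3) => {
+ GetUserException3["ForbiddenException"] = "ForbiddenException";
+ GetUserException3["InternalErrorException"] = "InternalErrorException";
+ GetUserException3["InvalidParameterException"] = "InvalidParameterException";
+ GetUserException3["NotAuthorizedException"] = "NotAuthorizedException";
+ GetUserException3["PasswordResetRequiredException"] = "PasswordResetRequiredException";
+ GetUserException3["ResourceNotFoundException"] = "ResourceNotFoundException";
+ GetUserException3["TooManyRequestsException"] = "TooManyRequestsException";
+ GetUserException3["UserNotConfirmedException"] = "UserNotConfirmedException";
+ GetUserException3["UserNotFoundException"] = "UserNotFoundException";
+ return GetUserException3;
  })(GetUserException || {});
  var GetIdException = /* @__PURE__ */ ((GetIdException2) => {
  GetIdException2["ExternalServiceException"] = "ExternalServiceException";
@@ -283,16 +283,16 @@ var RespondToAuthChallengeException = /* @__PURE__ */ ((RespondToAuthChallengeEx
  RespondToAuthChallengeException3["UserNotFoundException"] = "UserNotFoundException";
  return RespondToAuthChallengeException3;
  })(RespondToAuthChallengeException || {});
- var SetUserMFAPreferenceException = /* @__PURE__ */ ((SetUserMFAPreferenceException2) => {
- SetUserMFAPreferenceException2["ForbiddenException"] = "ForbiddenException";
- SetUserMFAPreferenceException2["InternalErrorException"] = "InternalErrorException";
- SetUserMFAPreferenceException2["InvalidParameterException"] = "InvalidParameterException";
- SetUserMFAPreferenceException2["NotAuthorizedException"] = "NotAuthorizedException";
- SetUserMFAPreferenceException2["PasswordResetRequiredException"] = "PasswordResetRequiredException";
- SetUserMFAPreferenceException2["ResourceNotFoundException"] = "ResourceNotFoundException";
- SetUserMFAPreferenceException2["UserNotConfirmedException"] = "UserNotConfirmedException";
- SetUserMFAPreferenceException2["UserNotFoundException"] = "UserNotFoundException";
- return SetUserMFAPreferenceException2;
+ var SetUserMFAPreferenceException = /* @__PURE__ */ ((SetUserMFAPreferenceException3) => {
+ SetUserMFAPreferenceException3["ForbiddenException"] = "ForbiddenException";
+ SetUserMFAPreferenceException3["InternalErrorException"] = "InternalErrorException";
+ SetUserMFAPreferenceException3["InvalidParameterException"] = "InvalidParameterException";
+ SetUserMFAPreferenceException3["NotAuthorizedException"] = "NotAuthorizedException";
+ SetUserMFAPreferenceException3["PasswordResetRequiredException"] = "PasswordResetRequiredException";
+ SetUserMFAPreferenceException3["ResourceNotFoundException"] = "ResourceNotFoundException";
+ SetUserMFAPreferenceException3["UserNotConfirmedException"] = "UserNotConfirmedException";
+ SetUserMFAPreferenceException3["UserNotFoundException"] = "UserNotFoundException";
+ return SetUserMFAPreferenceException3;
  })(SetUserMFAPreferenceException || {});
  var SignUpException = /* @__PURE__ */ ((SignUpException3) => {
  SignUpException3["CodeDeliveryFailureException"] = "CodeDeliveryFailureException";
@@ -378,18 +378,18 @@ var UpdateDeviceStatusException = /* @__PURE__ */ ((UpdateDeviceStatusException2
  UpdateDeviceStatusException2["UserNotFoundException"] = "UserNotFoundException";
  return UpdateDeviceStatusException2;
  })(UpdateDeviceStatusException || {});
- var ListDevicesException = /* @__PURE__ */ ((ListDevicesException2) => {
- ListDevicesException2["ForbiddenException"] = "ForbiddenException";
- ListDevicesException2["InternalErrorException"] = "InternalErrorException";
- ListDevicesException2["InvalidParameterException"] = "InvalidParameterException";
- ListDevicesException2["InvalidUserPoolConfigurationException"] = "InvalidUserPoolConfigurationException";
- ListDevicesException2["NotAuthorizedException"] = "NotAuthorizedException";
- ListDevicesException2["PasswordResetRequiredException"] = "PasswordResetRequiredException";
- ListDevicesException2["ResourceNotFoundException"] = "ResourceNotFoundException";
- ListDevicesException2["TooManyRequestsException"] = "TooManyRequestsException";
- ListDevicesException2["UserNotConfirmedException"] = "UserNotConfirmedException";
- ListDevicesException2["UserNotFoundException"] = "UserNotFoundException";
- return ListDevicesException2;
+ var ListDevicesException = /* @__PURE__ */ ((ListDevicesException3) => {
+ ListDevicesException3["ForbiddenException"] = "ForbiddenException";
+ ListDevicesException3["InternalErrorException"] = "InternalErrorException";
+ ListDevicesException3["InvalidParameterException"] = "InvalidParameterException";
+ ListDevicesException3["InvalidUserPoolConfigurationException"] = "InvalidUserPoolConfigurationException";
+ ListDevicesException3["NotAuthorizedException"] = "NotAuthorizedException";
+ ListDevicesException3["PasswordResetRequiredException"] = "PasswordResetRequiredException";
+ ListDevicesException3["ResourceNotFoundException"] = "ResourceNotFoundException";
+ ListDevicesException3["TooManyRequestsException"] = "TooManyRequestsException";
+ ListDevicesException3["UserNotConfirmedException"] = "UserNotConfirmedException";
+ ListDevicesException3["UserNotFoundException"] = "UserNotFoundException";
+ return ListDevicesException3;
  })(ListDevicesException || {});
  var RevokeTokenException = /* @__PURE__ */ ((RevokeTokenException3) => {
  RevokeTokenException3["ForbiddenException"] = "ForbiddenException";
@@ -498,6 +498,24 @@ var AssociateSoftwareTokenError = class extends CognitoError {
  this.cognitoException = cognitoException;
  }
  };
+ var SetUserMFAPreferenceError = class extends CognitoError {
+ constructor(message, cognitoException) {
+ super(message, "SetUserMFAPreferenceError", cognitoException);
+ this.cognitoException = cognitoException;
+ }
+ };
+ var ListDevicesError = class extends CognitoError {
+ constructor(message, cognitoException) {
+ super(message, "ListDevicesError", cognitoException);
+ this.cognitoException = cognitoException;
+ }
+ };
+ var GetUserError = class extends CognitoError {
+ constructor(message, cognitoException) {
+ super(message, "GetUserError", cognitoException);
+ this.cognitoException = cognitoException;
+ }
+ };
 
  // src/bigint-math.ts
  var abs = (n) => n < 0n ? -n : n;
@@ -585,8 +603,47 @@ function uint8ArrayToHexString(bytes) {
  return bytes.reduce((str, byte) => str + byte.toString(16).padStart(2, "0"), "");
  }
  function uint8ArrayToBase64String(bytes) {
+ if (bytes instanceof ArrayBuffer) {
+ const byteArray = new Uint8Array(bytes);
+ return btoa(String.fromCharCode(...byteArray));
+ }
  return btoa(String.fromCharCode(...bytes));
  }
+ function uint8ArrayToBase64UrlString(bytes) {
+ if (bytes === void 0) {
+ return void 0;
+ }
+ const base64String = uint8ArrayToBase64String(bytes);
+ return base64String.replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/, "");
+ }
+ function base64UrlToUint8Array(base64) {
+ const binary = atob(base64.replace(/-/g, "+").replace(/_/g, "/"));
+ const len = binary.length;
+ const bytes = new Uint8Array(len);
+ for (let i = 0; i < len; i++) {
+ bytes[i] = binary.charCodeAt(i);
+ }
+ return bytes;
+ }
+ function publicKeyCredentialToJSON(cred) {
+ return removeUndefined({
+ authenticatorAttachment: cred.authenticatorAttachment,
+ clientExtensionResults: cred.getClientExtensionResults(),
+ id: cred.id,
+ rawId: uint8ArrayToBase64UrlString(cred.rawId),
+ response: {
+ attestationObject: uint8ArrayToBase64UrlString(cred.response.attestationObject),
+ authenticatorData: cred.response.authenticatorData ? uint8ArrayToBase64UrlString(cred.response.authenticatorData) : void 0,
+ clientDataJSON: uint8ArrayToBase64UrlString(cred.response.clientDataJSON),
+ publicKey: cred.response.getPublicKey ? uint8ArrayToBase64UrlString(cred.response.getPublicKey()) : void 0,
+ publicKeyAlgorithm: cred.response.getPublicKeyAlgorithm ? cred.response.getPublicKeyAlgorithm() : void 0,
+ transports: cred.response.getTransports ? cred.response.getTransports() : void 0,
+ signature: cred.response.signature ? uint8ArrayToBase64UrlString(cred.response.signature) : void 0,
+ userHandle: cred.response.userHandle ? uint8ArrayToBase64UrlString(cred.response.userHandle) : void 0
+ },
+ type: cred.type
+ });
+ }
  var N = BigInt(
  "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
  );
@@ -702,6 +759,24 @@ async function hmac(algorithm, key, data) {
  const signature = await crypto.subtle.sign("HMAC", cryptoKey, data);
  return new Uint8Array(signature);
  }
+ function removeUndefined(obj) {
+ if (Array.isArray(obj)) {
+ return obj.map((item) => removeUndefined(item)).filter((item) => item !== void 0);
+ }
+ if (obj !== null && typeof obj === "object") {
+ return Object.entries(obj).reduce(
+ (acc, [key, value]) => {
+ const cleaned = removeUndefined(value);
+ if (cleaned !== void 0) {
+ acc[key] = cleaned;
+ }
+ return acc;
+ },
+ {}
+ );
+ }
+ return obj !== void 0 ? obj : void 0;
+ }
 
  // src/cognito-client.ts
  var ServiceTarget = /* @__PURE__ */ ((ServiceTarget2) => {
@@ -722,6 +797,10 @@ var ServiceTarget = /* @__PURE__ */ ((ServiceTarget2) => {
  ServiceTarget2["VerifySoftwareToken"] = "VerifySoftwareToken";
  ServiceTarget2["ListDevices"] = "ListDevices";
  ServiceTarget2["SetUserMFAPreference"] = "SetUserMFAPreference";
+ ServiceTarget2["StartWebAuthnRegistration"] = "StartWebAuthnRegistration";
+ ServiceTarget2["CompleteWebAuthnRegistration"] = "CompleteWebAuthnRegistration";
+ ServiceTarget2["DeleteWebAuthnCredential"] = "DeleteWebAuthnCredential";
+ ServiceTarget2["ListWebAuthnCredentials"] = "ListWebAuthnCredentials";
  return ServiceTarget2;
  })(ServiceTarget || {});
  var IdentityProvider = /* @__PURE__ */ ((IdentityProvider2) => {
@@ -790,11 +869,24 @@ async function cognitoRequest(body, serviceTarget, cognitoEndpoint) {
  throw new VerifyUserAttributeError(errorMessage, cognitoException);
  case "GlobalSignOut" /* GlobalSignOut */:
  throw new GlobalSignOutError(errorMessage, cognitoException);
+ case "AssociateSoftwareToken" /* AssociateSoftwareToken */:
+ throw new AssociateSoftwareTokenError(errorMessage, cognitoException);
  case "VerifySoftwareToken" /* VerifySoftwareToken */:
  throw new VerifySoftwareTokenError(errorMessage, cognitoException);
+ case "SetUserMFAPreference" /* SetUserMFAPreference */:
+ throw new SetUserMFAPreferenceError(errorMessage, cognitoException);
+ case "ListDevices" /* ListDevices */:
+ throw new ListDevicesError(errorMessage, cognitoException);
+ case "GetUser" /* GetUser */:
+ throw new GetUserError(errorMessage, cognitoException);
  }
  }
  var CognitoClient = class {
+ cognitoEndpoint;
+ cognitoPoolName;
+ userPoolClientId;
+ oAuth;
+ clientSecret;
  constructor({ userPoolId, userPoolClientId, endpoint, oAuth2: oAuth, clientSecret }) {
  const [cognitoPoolRegion, cognitoPoolName] = userPoolId.split("_");
  this.cognitoEndpoint = (endpoint || `https://cognito-idp.${cognitoPoolRegion}.amazonaws.com`).replace(/\/$/, "");
@@ -811,6 +903,20 @@ var CognitoClient = class {
  accessToken
  };
  }
+ async initiateAuth(request) {
+ const cognitoResponse = await cognitoRequest(
+ {
+ ...request,
+ ClientId: this.userPoolClientId
+ },
+ "InitiateAuth" /* InitiateAuth */,
+ this.cognitoEndpoint
+ );
+ if (cognitoResponse.AuthenticationResult) {
+ cognitoResponse.AuthenticationResult = adaptExpiresIn(cognitoResponse.AuthenticationResult);
+ }
+ return cognitoResponse;
+ }
  /**
  *
  * Performs user authentication with username and password through ALLOW_USER_SRP_AUTH .
@@ -824,20 +930,15 @@ var CognitoClient = class {
  async authenticateUserSrp(username, password) {
  const smallA = await generateSmallA();
  const A = generateA(smallA);
- const initUserSrpAuthResponse = await cognitoRequest(
- {
- AuthFlow: "USER_SRP_AUTH",
- ClientId: this.userPoolClientId,
- AuthParameters: {
- USERNAME: username,
- SRP_A: A.toString(16),
- SECRET_HASH: this.clientSecret && await calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
- },
- ClientMetadata: {}
+ const initUserSrpAuthResponse = await this.initiateAuth({
+ AuthFlow: "USER_SRP_AUTH",
+ AuthParameters: {
+ USERNAME: username,
+ SRP_A: A.toString(16),
+ SECRET_HASH: this.clientSecret && await calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
  },
- "InitiateAuth" /* InitiateAuth */,
- this.cognitoEndpoint
- );
+ ClientMetadata: {}
+ });
  if (initUserSrpAuthResponse.ChallengeName !== "PASSWORD_VERIFIER") {
  return initUserSrpAuthResponse;
  }
@@ -893,7 +994,6 @@ var CognitoClient = class {
  async authenticateUser(username, password) {
  const initiateAuthPayload = {
  AuthFlow: "USER_PASSWORD_AUTH",
- ClientId: this.userPoolClientId,
  AuthParameters: {
  USERNAME: username,
  PASSWORD: password,
@@ -901,19 +1001,78 @@ var CognitoClient = class {
  },
  ClientMetadata: {}
  };
- const initUserPasswordAuthResponse = await cognitoRequest(
- initiateAuthPayload,
- "InitiateAuth" /* InitiateAuth */,
- this.cognitoEndpoint
- );
+ const initUserPasswordAuthResponse = await this.initiateAuth(initiateAuthPayload);
  if (!initUserPasswordAuthResponse.AuthenticationResult) {
  return initUserPasswordAuthResponse;
  }
- initUserPasswordAuthResponse.AuthenticationResult = adaptExpiresIn(
- initUserPasswordAuthResponse.AuthenticationResult
- );
  return initUserPasswordAuthResponse;
  }
+ /**
+ * Initiates the authentication process for a user using a preferred challenge, such as WEB_AUTHN.
+ */
+ async authenticateWebAuthn(username) {
+ const webAuthnPayload = {
+ AuthFlow: "USER_AUTH",
+ AuthParameters: {
+ USERNAME: username,
+ PREFERRED_CHALLENGE: "WEB_AUTHN"
+ }
+ };
+ const authResponse = await this.initiateAuth(webAuthnPayload);
+ if (authResponse.ChallengeName !== "WEB_AUTHN") {
+ throw new InitAuthError(
+ "Authentication failed, expected WEB_AUTHN challenge but received: " + authResponse.ChallengeName,
+ "InternalErrorException" /* InternalErrorException */
+ );
+ }
+ const credentialRequestOptions = JSON.parse(authResponse.ChallengeParameters.CREDENTIAL_REQUEST_OPTIONS);
+ credentialRequestOptions.challenge = base64UrlToUint8Array(credentialRequestOptions.challenge);
+ credentialRequestOptions.allowCredentials = (credentialRequestOptions.allowCredentials || []).map(
+ (allowCred) => ({
+ ...allowCred,
+ id: base64UrlToUint8Array(allowCred.id)
+ })
+ );
+ const credentials = await navigator.credentials.get({
+ publicKey: credentialRequestOptions
+ });
+ const challengeResponse = await this.respondToAuthChallenge({
+ ChallengeName: "WEB_AUTHN",
+ ChallengeResponses: {
+ USERNAME: username,
+ CREDENTIAL: JSON.stringify(publicKeyCredentialToJSON(credentials)),
+ SECRET_HASH: this.clientSecret && await calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
+ },
+ Session: authResponse.Session
+ });
+ if (challengeResponse.AuthenticationResult) {
+ challengeResponse.AuthenticationResult = adaptExpiresIn(challengeResponse.AuthenticationResult);
+ }
+ return challengeResponse;
+ }
+ /**
+ * Registers a new WebAuthn device for the current user.
+ * This method initiates the WebAuthn registration process by requesting the necessary options from Cognito,
+ * then creates a new public key credential using the WebAuthn API, and finally
+ * completes the registration by sending the credential back to Cognito.
+ *
+ * @param accessToken Access token of the current user.
+ */
+ async registerWebAuthnDevice(accessToken) {
+ const { CredentialCreationOptions } = await this.startWebAuthnRegistration({
+ AccessToken: accessToken
+ });
+ const credentials = await navigator.credentials.create({
+ publicKey: CredentialCreationOptions
+ });
+ if (!(credentials instanceof PublicKeyCredential)) {
+ throw new Error("Invalid credentials returned from WebAuthn API");
+ }
+ await this.completeWebAuthnRegistration({
+ AccessToken: accessToken,
+ Credential: credentials
+ });
+ }
  /**
  * Returns a new session based on the given refresh token.
  *
@@ -925,18 +1084,13 @@ var CognitoClient = class {
  async refreshSession(refreshToken, username) {
  const refreshTokenPayload = {
  AuthFlow: "REFRESH_TOKEN_AUTH",
- ClientId: this.userPoolClientId,
  AuthParameters: {
  REFRESH_TOKEN: refreshToken,
  SECRET_HASH: this.clientSecret && username && await calculateSecretHash(this.clientSecret, this.userPoolClientId, username)
  },
  ClientMetadata: {}
  };
- const { AuthenticationResult } = await cognitoRequest(
- refreshTokenPayload,
- "InitiateAuth" /* InitiateAuth */,
- this.cognitoEndpoint
- );
+ const { AuthenticationResult } = await this.initiateAuth(refreshTokenPayload);
  if (!AuthenticationResult) {
  throw new InitAuthError(
  "Authentication failed, no authentication result returned",
@@ -946,7 +1100,7 @@ var CognitoClient = class {
  if (!AuthenticationResult.RefreshToken) {
  AuthenticationResult.RefreshToken = refreshToken;
  }
- return adaptExpiresIn(AuthenticationResult);
+ return AuthenticationResult;
  }
  /**
  *
@@ -1001,15 +1155,40 @@ var CognitoClient = class {
  };
  await cognitoRequest(changePasswordPayload, "ChangePassword" /* ChangePassword */, this.cognitoEndpoint);
  }
+ /**
+ * Gets the user information.
+ * @param accessToken Access token of the current user.
+ * @returns User information.
+ */
  async getUser(accessToken) {
  const getUserPayload = {
  AccessToken: accessToken
  };
  return cognitoRequest(getUserPayload, "GetUser" /* GetUser */, this.cognitoEndpoint);
  }
+ /**
+ * Associates a software token with the user.
+ * @param params Request to associate a software token with the user.
+ * @param params.AccessToken Access token of the current user.
+ * @param params.Session Optional session identifier for the authentication process.
+ * @param params.ClientMetadata Optional metadata to pass to the service.
+ * @param params.UserContextData Optional user context data.
+ * @param params.AnalyticsMetadata Optional analytics metadata.
+ * @param params.FriendlyDeviceName Optional friendly name for the device.
+ * @returns
+ */
  async associateSoftwareToken(params) {
  return cognitoRequest(params, "AssociateSoftwareToken" /* AssociateSoftwareToken */, this.cognitoEndpoint);
  }
+ /**
+ * Verifies a software token.
+ * @param params Request to verify a software token.
+ * @param params.AccessToken Access token of the current user.
+ * @param params.FriendlyDeviceName Optional friendly name for the device.
+ * @param params.Session Optional session identifier for the authentication process.
+ * @param params.UserCode The user code to verify.
+ * @returns
+ */
  async verifySoftwareToken(params) {
  return cognitoRequest(params, "VerifySoftwareToken" /* VerifySoftwareToken */, this.cognitoEndpoint);
  }
@@ -1152,6 +1331,59 @@ var CognitoClient = class {
  };
  await cognitoRequest(resendConfirmationCodeRequest, "ResendConfirmationCode" /* ResendConfirmationCode */, this.cognitoEndpoint);
  }
+ async startWebAuthnRegistration(request) {
+ const response = await cognitoRequest(request, "StartWebAuthnRegistration" /* StartWebAuthnRegistration */, this.cognitoEndpoint);
+ response.CredentialCreationOptions.challenge = base64UrlToUint8Array(
+ response.CredentialCreationOptions.challenge
+ );
+ response.CredentialCreationOptions.user.id = base64UrlToUint8Array(
+ response.CredentialCreationOptions.user.id
+ );
+ response.CredentialCreationOptions.excludeCredentials = (response.CredentialCreationOptions.excludeCredentials || []).map((excludeCred) => ({
+ ...excludeCred,
+ id: base64UrlToUint8Array(excludeCred.id)
+ }));
+ return response;
+ }
+ /**
+ * Completes registration of a passkey authenticator for the currently signed-in user.
+ * @param request Request to complete WebAuthn registration.
+ * @param request.AccessToken Access token of the current user.
+ * @param request.Credential The credential object returned by the WebAuthn API.
+ */
+ async completeWebAuthnRegistration(request) {
+ await cognitoRequest(
+ {
+ AccessToken: request.AccessToken,
+ Credential: publicKeyCredentialToJSON(request.Credential)
+ },
+ "CompleteWebAuthnRegistration" /* CompleteWebAuthnRegistration */,
+ this.cognitoEndpoint
+ );
+ }
+ /**
+ * Deletes a registered passkey, or WebAuthn, authenticator for the currently signed-in user.
+ *
+ * @param request Request to delete a WebAuthn credential.
+ * @param request.AccessToken Access token of the current user.
+ * @param request.CredentialId The ID of the credential to delete.
+ */
+ async deleteWebAuthnCredential(request) {
+ await cognitoRequest(request, "DeleteWebAuthnCredential" /* DeleteWebAuthnCredential */, this.cognitoEndpoint);
+ }
+ /**
+ * Lists all registered WebAuthn credentials for the currently signed-in user.
+ *
+ * @param request Request to list WebAuthn credentials.
+ * @param request.AccessToken Access token of the current user.
+ * @param request.MaxResults Maximum number of credentials to return.
+ * @param request.NextToken Pagination token to continue listing credentials.
+ * @returns
+ */
+ async listWebAuthnCredentials(request) {
+ const response = await cognitoRequest(request, "ListWebAuthnCredentials" /* ListWebAuthnCredentials */, this.cognitoEndpoint);
+ return response;
+ }
  /**
  * Returns a link to Cognito`s Hosted UI for OAuth2 authentication.
  * This method works in conjunction with @see handleCodeFlow .
@@ -1265,12 +1497,14 @@ export {
  GetCredentialsForIdentityException,
  GetIdException,
  GetUserAttributeVerificationException,
+ GetUserError,
  GetUserException,
  GlobalSignOutError,
  GlobalSignOutException,
  IdentityProvider,
  InitAuthError,
  InitiateAuthException,
+ ListDevicesError,
  ListDevicesException,
  ResendConfirmationCodeError,
  ResendConfirmationException,
@@ -1279,6 +1513,7 @@ export {
  RevokeTokenError,
  RevokeTokenException,
  ServiceTarget,
+ SetUserMFAPreferenceError,
  SetUserMFAPreferenceException,
  SignUpError,
  SignUpException,
@@ -1290,5 +1525,30 @@ export {
  VerifyUserAttributeError,
  VerifyUserAttributeException,
  adaptExpiresIn,
- cognitoRequest
+ base64UrlToUint8Array,
+ calculateHKDF,
+ calculateS,
+ calculateSecretHash,
+ calculateSignature,
+ calculateU,
+ cognitoRequest,
+ decodeJwt,
+ digest,
+ formatTimestamp,
+ generateA,
+ generateSmallA,
+ getPasswordAuthenticationKey,
+ hashBuffer,
+ hashHexString,
+ hmac,
+ padHex,
+ publicKeyCredentialToJSON,
+ randomBytes,
+ removeUndefined,
+ uint8ArrayFromBase64String,
+ uint8ArrayFromHexString,
+ uint8ArrayFromString,
+ uint8ArrayToBase64String,
+ uint8ArrayToBase64UrlString,
+ uint8ArrayToHexString
  };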
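Review bot: In `authenticateWebAuthn` (hunk `@@ -901,19 +1001,78 @@`) the value resolved by `navigator.credentials.get()` is passed straight to `publicKeyCredentialToJSON`, whereas `registerWebAuthnDevice` in the same hunk type-checks its result first; a `null` or non-public-key credential would surface as a TypeError from `cred.getClientExtensionResults()` instead of a typed authentication error. I would add the same guard before building the challenge response: `if (!(credentials instanceof PublicKeyCredential)) throw new Error("Invalid credentials returned from WebAuthn API");`. The method also reads `authResponse.ChallengeParameters.CREDENTIAL_REQUEST_OPTIONS` without checking that it is present. Its `InitiateAuth` payload omits the `SECRET_HASH` that `authenticateUserSrp` puts in `AuthParameters`, which looks likely to fail for app clients configured with a client secret and is worth confirming. `respondToAuthChallenge` is defined outside the visible hunks, so whether it already applies `adaptExpiresIn` before the second call here could not be checked.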