'use strict';
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Marks this CommonJS module as TypeScript emit of an ES module (interop flag).
Object.defineProperty(exports, "__esModule", { value: true });
// Only the first leg of the device-SRP flow is exported; handleDevicePasswordVerifier
// (defined below) stays module-private and is reached only through it.
exports.handleDeviceSRPAuth = handleDeviceSRPAuth;
const cognitoIdentityProvider_1 = require("../../../foundation/factories/serviceClients/cognitoIdentityProvider");
const factories_1 = require("../factories");
const parsers_1 = require("../../../foundation/parsers");
const types_1 = require("./types");
const srp_1 = require("./srp");
const BigInteger_1 = require("./srp/BigInteger");
const userContextData_1 = require("./userContextData");
/**
 * First leg of the Cognito remembered-device SRP flow.
 *
 * Loads the device metadata persisted for `username`, builds an SRP helper from
 * the device group key so a fresh client ephemeral `A` can be sent as the
 * `DEVICE_SRP_AUTH` challenge response, then feeds Cognito's reply straight into
 * `handleDevicePasswordVerifier` and returns whatever that returns.
 *
 * @param {object} input
 * @param {string} input.username            user the device is remembered for
 * @param {object} input.config              user-pool config; `userPoolId`,
 *                                            `userPoolClientId` and (optional)
 *                                            `userPoolEndpoint` are read
 * @param {object} [input.clientMetadata]    forwarded verbatim to Cognito
 * @param {string} [input.session]           session token from the previous challenge
 * @param {object} [input.tokenOrchestrator] source of persisted device metadata
 * @returns {Promise<object>} RespondToAuthChallenge output of the
 *   DEVICE_PASSWORD_VERIFIER step
 * @throws whatever `assertDeviceMetadata` raises when no device metadata is
 *   stored for `username` (or no orchestrator was supplied)
 */
async function handleDeviceSRPAuth({ username, config, clientMetadata, session, tokenOrchestrator, }) {
    const { userPoolId, userPoolClientId, userPoolEndpoint } = config;
    // Device SRP cannot start without the stored device record; the optional
    // chaining means a missing orchestrator surfaces as undefined metadata and
    // is rejected by the assertion rather than by a property access.
    const storedDevice = await tokenOrchestrator?.getDeviceMetadata(username);
    (0, types_1.assertDeviceMetadata)(storedDevice);
    // The helper is keyed on the device *group* key: in this exchange the device
    // record, not the user pool, plays the SRP "realm" role.
    const srpHelper = await (0, srp_1.getAuthenticationHelper)(storedDevice.deviceGroupKey);
    const request = {
        ChallengeName: 'DEVICE_SRP_AUTH',
        ClientId: userPoolClientId,
        ChallengeResponses: {
            USERNAME: username,
            // Client public ephemeral, hex-encoded as Cognito expects.
            SRP_A: srpHelper.A.toString(16),
            DEVICE_KEY: storedDevice.deviceKey,
        },
        ClientMetadata: clientMetadata,
        Session: session,
    };
    // NOTE(review): unlike the verifier leg below, this request carries no
    // UserContextData — confirm that is intentional for threat-protection telemetry.
    const endpointResolver = (0, factories_1.createCognitoUserPoolEndpointResolver)({
        endpointOverride: userPoolEndpoint,
    });
    const respondToAuthChallenge = (0, cognitoIdentityProvider_1.createRespondToAuthChallengeClient)({ endpointResolver });
    const region = (0, parsers_1.getRegionFromUserPoolId)(userPoolId);
    const reply = await respondToAuthChallenge({ region }, request);
    // NOTE(review): the reply's ChallengeName is not checked here. A response
    // other than DEVICE_PASSWORD_VERIFIER, or one without ChallengeParameters,
    // is passed on unverified and only fails later when SRP_B/SALT are parsed.
    // The same srpHelper instance must be reused: its private ephemeral is part
    // of the key derivation in the next step.
    return handleDevicePasswordVerifier(username, reply.ChallengeParameters, clientMetadata, reply.Session, srpHelper, config, tokenOrchestrator);
}
/**
 * Second leg of the remembered-device SRP flow: answers Cognito's
 * `DEVICE_PASSWORD_VERIFIER` challenge.
 *
 * Re-reads the stored device metadata, derives the SRP session key (`hkdf`)
 * from the server's `SRP_B` and `SALT` — using the device key as the SRP
 * identity and the device's `randomPassword` as the SRP password — signs the
 * server's `SECRET_BLOCK` together with a timestamp, and posts the proof.
 *
 * @param {string} username
 * @param {object|undefined} challengeParameters `ChallengeParameters` of the
 *   DEVICE_SRP_AUTH reply: `SRP_B`, `SALT`, `SECRET_BLOCK`, optional `USERNAME`
 * @param {object|undefined} clientMetadata forwarded verbatim to Cognito
 * @param {string|undefined} session session token from the previous reply
 * @param {object} authenticationHelper SRP helper created in the first leg
 * @param {object} config `{ userPoolId, userPoolClientId, userPoolEndpoint }`
 * @param {object} [tokenOrchestrator] source of persisted device metadata
 * @returns {Promise<object>} raw RespondToAuthChallenge output
 * @throws whatever `assertDeviceMetadata` raises when no device metadata exists
 */
async function handleDevicePasswordVerifier(username, challengeParameters, clientMetadata, session, authenticationHelper, { userPoolId, userPoolClientId, userPoolEndpoint }, tokenOrchestrator) {
    // Metadata is re-read rather than threaded through from the first leg.
    const storedDevice = await tokenOrchestrator?.getDeviceMetadata(username);
    (0, types_1.assertDeviceMetadata)(storedDevice);
    const { deviceKey, deviceGroupKey, randomPassword } = storedDevice;
    // Server public value B and salt arrive hex-encoded. Nothing here checks
    // that they are present; a missing field reaches BigInteger as `undefined`.
    // NOTE(review): SRP requires rejecting B with B mod N == 0; presumably
    // getPasswordAuthenticationKey enforces that — confirm, since a zero B would
    // make the derived key attacker-controlled.
    const serverB = new BigInteger_1.BigInteger(challengeParameters?.SRP_B, 16);
    const serverSalt = new BigInteger_1.BigInteger(challengeParameters?.SALT, 16);
    // randomPassword fills the SRP password role here, so it is as sensitive as
    // a user password and must never be logged.
    const sessionKey = await authenticationHelper.getPasswordAuthenticationKey({
        username: deviceKey,
        password: randomPassword,
        serverBValue: serverB,
        salt: serverSalt,
    });
    // One timestamp value feeds both the signature and the TIMESTAMP field;
    // the server presumably recomputes the signature from TIMESTAMP, so the
    // two must match exactly.
    const timestamp = (0, srp_1.getNowString)();
    const proof = (0, srp_1.getSignatureString)({
        username: deviceKey,
        userPoolName: deviceGroupKey,
        challengeParameters,
        dateNow: timestamp,
        hkdf: sessionKey,
    });
    const contextData = (0, userContextData_1.getUserContextData)({
        username,
        userPoolId,
        userPoolClientId,
    });
    const request = {
        ChallengeName: 'DEVICE_PASSWORD_VERIFIER',
        ClientId: userPoolClientId,
        ChallengeResponses: {
            // Prefer the USERNAME Cognito echoed back, falling back to the caller's.
            USERNAME: challengeParameters?.USERNAME ?? username,
            PASSWORD_CLAIM_SECRET_BLOCK: challengeParameters?.SECRET_BLOCK,
            TIMESTAMP: timestamp,
            PASSWORD_CLAIM_SIGNATURE: proof,
            DEVICE_KEY: deviceKey,
        },
        Session: session,
        ClientMetadata: clientMetadata,
        UserContextData: contextData,
    };
    const endpointResolver = (0, factories_1.createCognitoUserPoolEndpointResolver)({
        endpointOverride: userPoolEndpoint,
    });
    const respondToAuthChallenge = (0, cognitoIdentityProvider_1.createRespondToAuthChallengeClient)({ endpointResolver });
    const region = (0, parsers_1.getRegionFromUserPoolId)(userPoolId);
    return respondToAuthChallenge({ region }, request);
}
//# sourceMappingURL=handleDeviceSRPAuth.js.map