@aws-amplify/auth
Version:
Auth category of aws-amplify
104 lines (92 loc) • 3.91 kB
text/typescript
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
import { CognitoUserPoolConfig } from '@aws-amplify/core';
import { AuthAction } from '@aws-amplify/core/internals/utils';
import { AuthTokenOrchestrator } from '../../../providers/cognito/tokenProvider/types';
import {
ChallengeParameters,
RespondToAuthChallengeCommandOutput,
} from '../../../foundation/factories/serviceClients/cognitoIdentityProvider/types';
import { ClientMetadata } from '../../../providers/cognito/types';
import { createRespondToAuthChallengeClient } from '../../../foundation/factories/serviceClients/cognitoIdentityProvider';
import { createCognitoUserPoolEndpointResolver } from '../../../providers/cognito/factories';
import { getRegionFromUserPoolId } from '../../../foundation/parsers';
import { getAuthUserAgentValue } from '../../../utils';
import { getAuthenticationHelper } from '../../../providers/cognito/utils/srp';
import { getUserContextData } from '../../../providers/cognito/utils/userContextData';
import { setActiveSignInUsername } from '../../../providers/cognito/utils/setActiveSignInUsername';
import { retryOnResourceNotFoundException } from '../../../providers/cognito/utils/retryOnResourceNotFoundException';
import { handlePasswordVerifierChallenge } from '../../../providers/cognito/utils/handlePasswordVerifierChallenge';
/**
* Handles the SELECT_CHALLENGE response specifically for Password SRP authentication.
* This function combines the SELECT_CHALLENGE flow with Password SRP protocol.
*
* @param {string} username - The username for authentication
* @param {string} password - The user's password
* @param {ClientMetadata} [clientMetadata] - Optional metadata to be sent with auth requests
* @param {CognitoUserPoolConfig} config - Cognito User Pool configuration
* @param {string} session - The current authentication session token
* @param {AuthTokenOrchestrator} tokenOrchestrator - Token orchestrator for managing auth tokens
*
* @returns {Promise<RespondToAuthChallengeCommandOutput>} The challenge response
*/
export async function handleSelectChallengeWithPasswordSRP(
username: string,
password: string,
clientMetadata: ClientMetadata | undefined,
config: CognitoUserPoolConfig,
session: string,
tokenOrchestrator: AuthTokenOrchestrator,
): Promise<RespondToAuthChallengeCommandOutput> {
const { userPoolId, userPoolClientId, userPoolEndpoint } = config;
const userPoolName = userPoolId.split('_')[1] || '';
const authenticationHelper = await getAuthenticationHelper(userPoolName);
const authParameters: Record<string, string> = {
ANSWER: 'PASSWORD_SRP',
USERNAME: username,
SRP_A: authenticationHelper.A.toString(16),
};
const userContextData = getUserContextData({
username,
userPoolId,
userPoolClientId,
});
const respondToAuthChallenge = createRespondToAuthChallengeClient({
endpointResolver: createCognitoUserPoolEndpointResolver({
endpointOverride: userPoolEndpoint,
}),
});
const response = await respondToAuthChallenge(
{
region: getRegionFromUserPoolId(userPoolId),
userAgentValue: getAuthUserAgentValue(AuthAction.ConfirmSignIn),
},
{
ChallengeName: 'SELECT_CHALLENGE',
ChallengeResponses: authParameters,
ClientId: userPoolClientId,
ClientMetadata: clientMetadata,
Session: session,
UserContextData: userContextData,
},
);
const activeUsername = response.ChallengeParameters?.USERNAME ?? username;
setActiveSignInUsername(activeUsername);
if (response.ChallengeName === 'PASSWORD_VERIFIER') {
return retryOnResourceNotFoundException(
handlePasswordVerifierChallenge,
[
password,
response.ChallengeParameters as ChallengeParameters,
clientMetadata,
response.Session,
authenticationHelper,
config,
tokenOrchestrator,
],
activeUsername,
tokenOrchestrator,
);
}
return response;
}