UNPKG

@aws-amplify/auth

Version:

Auth category of aws-amplify

aws-amplify.github.io

aws-amplify/amplify-js

205 lines (202 loc) 9.03 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
import { ConsoleLogger, createGetCredentialsForIdentityClient } from '@aws-amplify/core'; import { assertIdentityPoolIdConfig } from '@aws-amplify/core/internals/utils'; import { AuthError } from '../../../errors/AuthError.mjs'; import { assertServiceError } from '../../../errors/utils/assertServiceError.mjs'; import { getRegionFromIdentityPoolId } from '../../../foundation/parsers/regionParsers.mjs'; import { assertIdTokenInAuthTokens } from '../utils/types.mjs'; import '@aws-amplify/core/internals/aws-client-utils'; import { createCognitoIdentityPoolEndpointResolver } from '../factories/createCognitoIdentityPoolEndpointResolver.mjs'; import { cognitoIdentityIdProvider } from './IdentityIdProvider.mjs'; import { formLoginsMap } from './utils.mjs'; // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 const logger = new ConsoleLogger('CognitoCredentialsProvider'); const CREDENTIALS_TTL = 50 * 60 * 1000; // 50 min, can be modified on config if required in the future class CognitoAWSCredentialsAndIdentityIdProvider { constructor(identityIdStore) { this._nextCredentialsRefresh = 0; this._identityIdStore = identityIdStore; } async clearCredentialsAndIdentityId() { logger.debug('Clearing out credentials and identityId'); this._credentialsAndIdentityId = undefined; await this._identityIdStore.clearIdentityId(); } async clearCredentials() { logger.debug('Clearing out in-memory credentials'); this._credentialsAndIdentityId = undefined; } async getCredentialsAndIdentityId(getCredentialsOptions) { const isAuthenticated = getCredentialsOptions.authenticated; const { tokens } = getCredentialsOptions; const { authConfig } = getCredentialsOptions; try { assertIdentityPoolIdConfig(authConfig?.Cognito); } catch { // No identity pool configured, skipping return; } if (!isAuthenticated && !authConfig.Cognito.allowGuestAccess) { // TODO(V6): return partial result like Native platforms return; } const { forceRefresh } = getCredentialsOptions; const tokenHasChanged = this.hasTokenChanged(tokens); const identityId = await cognitoIdentityIdProvider({ tokens, authConfig: authConfig.Cognito, identityIdStore: this._identityIdStore, }); // Clear cached credentials when forceRefresh is true OR the cache token has changed if (forceRefresh || tokenHasChanged) { this.clearCredentials(); } if (!isAuthenticated) { return this.getGuestCredentials(identityId, authConfig.Cognito); } else { assertIdTokenInAuthTokens(tokens); return this.credsForOIDCTokens(authConfig.Cognito, tokens, identityId); } } async getGuestCredentials(identityId, authConfig) { // Return existing in-memory cached credentials only if it exists, is not past it's lifetime and is unauthenticated credentials if (this._credentialsAndIdentityId && !this.isPastTTL() && this._credentialsAndIdentityId.isAuthenticatedCreds === false) { logger.info('returning stored credentials as they neither past TTL nor expired.'); return this._credentialsAndIdentityId; } // Clear to discard if any authenticated credentials are set and start with a clean slate this.clearCredentials(); const region = getRegionFromIdentityPoolId(authConfig.identityPoolId); const getCredentialsForIdentity = createGetCredentialsForIdentityClient({ endpointResolver: createCognitoIdentityPoolEndpointResolver({ endpointOverride: authConfig.identityPoolEndpoint, }), }); // use identityId to obtain guest credentials // save credentials in-memory // No logins params should be passed for guest creds: // https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html let clientResult; try { clientResult = await getCredentialsForIdentity({ region }, { IdentityId: identityId, }); } catch (e) { assertServiceError(e); throw new AuthError(e); } if (clientResult?.Credentials?.AccessKeyId && clientResult?.Credentials?.SecretKey) { this._nextCredentialsRefresh = new Date().getTime() + CREDENTIALS_TTL; const res = { credentials: { accessKeyId: clientResult.Credentials.AccessKeyId, secretAccessKey: clientResult.Credentials.SecretKey, sessionToken: clientResult.Credentials.SessionToken, expiration: clientResult.Credentials.Expiration, }, identityId, }; if (clientResult.IdentityId) { res.identityId = clientResult.IdentityId; this._identityIdStore.storeIdentityId({ id: clientResult.IdentityId, type: 'guest', }); } this._credentialsAndIdentityId = { ...res, isAuthenticatedCreds: false, }; return res; } else { throw new AuthError({ name: 'CredentialsNotFoundException', message: `Cognito did not respond with either Credentials, AccessKeyId or SecretKey.`, }); } } async credsForOIDCTokens(authConfig, authTokens, identityId) { if (this._credentialsAndIdentityId && !this.isPastTTL() && this._credentialsAndIdentityId.isAuthenticatedCreds === true) { logger.debug('returning stored credentials as they neither past TTL nor expired.'); return this._credentialsAndIdentityId; } // Clear to discard if any unauthenticated credentials are set and start with a clean slate this.clearCredentials(); const logins = authTokens.idToken ? formLoginsMap(authTokens.idToken.toString()) : {}; const region = getRegionFromIdentityPoolId(authConfig.identityPoolId); const getCredentialsForIdentity = createGetCredentialsForIdentityClient({ endpointResolver: createCognitoIdentityPoolEndpointResolver({ endpointOverride: authConfig.identityPoolEndpoint, }), }); let clientResult; try { clientResult = await getCredentialsForIdentity({ region }, { IdentityId: identityId, Logins: logins, }); } catch (e) { assertServiceError(e); throw new AuthError(e); } if (clientResult?.Credentials?.AccessKeyId && clientResult?.Credentials?.SecretKey) { this._nextCredentialsRefresh = new Date().getTime() + CREDENTIALS_TTL; const res = { credentials: { accessKeyId: clientResult.Credentials.AccessKeyId, secretAccessKey: clientResult.Credentials.SecretKey, sessionToken: clientResult.Credentials.SessionToken, expiration: clientResult.Credentials.Expiration, }, identityId, }; if (clientResult.IdentityId) { res.identityId = clientResult.IdentityId; // note: the following call removes guest identityId from the persistent store (localStorage) this._identityIdStore.storeIdentityId({ id: clientResult.IdentityId, type: 'primary', }); } // Store the credentials in-memory along with the expiration this._credentialsAndIdentityId = { ...res, isAuthenticatedCreds: true, associatedIdToken: authTokens.idToken?.toString(), }; return res; } else { throw new AuthError({ name: 'CredentialsException', message: `Cognito did not respond with either Credentials, AccessKeyId or SecretKey.`, }); } } isPastTTL() { return this._nextCredentialsRefresh === undefined ? true : this._nextCredentialsRefresh <= Date.now(); } hasTokenChanged(tokens) { return (!!tokens && !!this._credentialsAndIdentityId?.associatedIdToken && tokens.idToken?.toString() !== this._credentialsAndIdentityId.associatedIdToken); } } export { CognitoAWSCredentialsAndIdentityIdProvider }; //# sourceMappingURL=credentialsProvider.mjs.map