Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(core): validate if access and id tokens are valid cognito tokens #13385

Merged
merged 12 commits into from
May 21, 2024
Merged

feat(core): validate if access and id tokens are valid cognito tokens #13385

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
8bad71e
feat(adapter-nextjs): validate if access and id tokens are valid cogn…
May 17, 2024
6c053e0
add unit tests and cleanups
May 17, 2024
f007450
increase bundle size
May 17, 2024
703394f
resolve conflicts
May 17, 2024
e741faa
increase bundle size
May 17, 2024
d149005
Update packages/core/src/adapterCore/serverContext/types/KeyValueStor…
ashwinkumar6 May 20, 2024
7970a41
Update packages/adapter-nextjs/__tests__/utils/createTokenValidator.t…
ashwinkumar6 May 20, 2024
2b300b4
Update packages/core/src/adapterCore/serverContext/types/KeyValueStor…
ashwinkumar6 May 20, 2024
afb3ba2
address feedback
May 20, 2024
dffa3cb
address feedback
May 20, 2024
27f25d7
Update packages/adapter-nextjs/src/utils/createTokenValidator.ts
ashwinkumar6 May 20, 2024
008eb27
address feedback
May 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 88 additions & 0 deletions packages/adapter-nextjs/__tests__/utils/createTokenValidator.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

import { isValidCognitoToken } from '@aws-amplify/core/internals/utils';

import { createTokenValidator } from '../../src/utils/createTokenValidator';

jest.mock('@aws-amplify/core/internals/utils', () => ({
...jest.requireActual('@aws-amplify/core/internals/utils'),
isValidCognitoToken: jest.fn(),
}));
const mockIsValidCognitoToken = isValidCognitoToken as jest.Mock;

const userPoolId = 'userPoolId';
const userPoolClientId = 'clientId';
const tokenValidatorInput = {
userPoolId,
userPoolClientId,
};
const accessToken = {
key: 'CognitoIdentityServiceProvider.clientId.usersub.accessToken',
value:
'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMTEiLCJpc3MiOiJodHRwc',
};
const idToken = {
key: 'CognitoIdentityServiceProvider.clientId.usersub.idToken',
value: 'eyJzdWIiOiIxMTEiLCJpc3MiOiJodHRwc.XAiOiJKV1QiLCJhbGciOiJIUzI1NiJ',
};

const tokenValidator = createTokenValidator({
userPoolId,
userPoolClientId,
});

describe('Validator', () => {
afterEach(() => {
jest.resetAllMocks();
});
it('should return a validator', () => {
expect(createTokenValidator(tokenValidatorInput)).toBeDefined();
});

it('should return true for non-token keys', async () => {
const result = await tokenValidator.getItem?.('mockKey', 'mockValue');
expect(result).toBe(true);
expect(mockIsValidCognitoToken).toHaveBeenCalledTimes(0);
});

it('should return true for valid accessToken', async () => {
mockIsValidCognitoToken.mockImplementation(() => Promise.resolve(true));

const result = await tokenValidator.getItem?.(
accessToken.key,
accessToken.value,
);

expect(result).toBe(true);
expect(mockIsValidCognitoToken).toHaveBeenCalledTimes(1);
expect(mockIsValidCognitoToken).toHaveBeenCalledWith({
userPoolId,
clientId: userPoolClientId,
token: accessToken.value,
tokenType: 'access',
});
});

it('should return true for valid idToken', async () => {
mockIsValidCognitoToken.mockImplementation(() => Promise.resolve(true));

const result = await tokenValidator.getItem?.(idToken.key, idToken.value);
expect(result).toBe(true);
expect(mockIsValidCognitoToken).toHaveBeenCalledTimes(1);
expect(mockIsValidCognitoToken).toHaveBeenCalledWith({
userPoolId,
clientId: userPoolClientId,
token: idToken.value,
tokenType: 'id',
});
});

it('should return false if invalid tokenType is access', async () => {
mockIsValidCognitoToken.mockImplementation(() => Promise.resolve(false));

const result = await tokenValidator.getItem?.(idToken.key, idToken.value);
expect(result).toBe(false);
expect(mockIsValidCognitoToken).toHaveBeenCalledTimes(1);
});
});
6 changes: 6 additions & 0 deletions packages/adapter-nextjs/src/utils/createRunWithAmplifyServerContext.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import {

import { NextServer } from '../types';

import { createTokenValidator } from './createTokenValidator';
import { createCookieStorageAdapterFromNextServerContext } from './createCookieStorageAdapterFromNextServerContext';

export const createRunWithAmplifyServerContext = ({
Expand All @@ -34,6 +35,11 @@ export const createRunWithAmplifyServerContext = ({
createCookieStorageAdapterFromNextServerContext(
nextServerContext,
),
createTokenValidator({
userPoolId: resourcesConfig?.Auth.Cognito?.userPoolId,
userPoolClientId:
resourcesConfig?.Auth.Cognito?.userPoolClientId,
}),
);
const credentialsProvider = createAWSCredentialsAndIdentityIdProvider(
resourcesConfig.Auth,
Expand Down
38 changes: 38 additions & 0 deletions packages/adapter-nextjs/src/utils/createTokenValidator.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

import { isValidCognitoToken } from '@aws-amplify/core/internals/utils';
import { KeyValueStorageMethodValidator } from '@aws-amplify/core/internals/adapter-core';

interface CreateTokenValidatorInput {
userPoolId?: string;
userPoolClientId?: string;
}
/**
* Creates a validator object for validating methods in a KeyValueStorage.
*/
export const createTokenValidator = ({
userPoolId,
userPoolClientId: clientId,
}: CreateTokenValidatorInput): KeyValueStorageMethodValidator => {
return {
// validate access, id tokens
getItem: async (key: string, value: string): Promise<boolean> => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The getItem method implies that it will get something but the return type is a boolean. We could either return the actual item/token and return null if it is invalid. The other option is to change the method name to something more deterministic that implies the validation of the token.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point 🤔,
This function returns a validationMap where the key is name of the function in KeyValueStorage that we want to add validation for (getItem in this case) and the value is the validation function that returns a bool if the validation was successful or now

We could maybe improve the function name to clarity that

const tokenType = key.includes('.accessToken')
? 'access'
: key.includes('.idToken')
? 'id'
: null;
if (!tokenType) return true;

if (!userPoolId || !clientId) return false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we can require these two fields from createTokenValidator's consumer.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we make userPoolId and clientId required fields in this function, we would need make sure these are passed by it's consumer createRunWithAmplifyServerContext.

It's a bit tricky because if we add assertions in createRunWithAmplifyServerContext, we won't be able to get other keys from Storage if userPoolId or clientId are missing.


return isValidCognitoToken({
clientId,
userPoolId,
tokenType,
token: value,
});
},
};
};
39 changes: 39 additions & 0 deletions ...ests__/adapterCore/storageFactories/createKeyValueStorageFromCookieStorageAdapter.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,5 +84,44 @@ describe('keyValueStorage', () => {
}).toThrow('This method has not implemented.');
});
});

describe('in conjunction with token validator', () => {
const testKey = 'testKey';
const testValue = 'testValue';

beforeEach(() => {
mockCookiesStorageAdapter.get.mockReturnValueOnce({
name: testKey,
value: testValue,
});
});
afterEach(() => {
jest.clearAllMocks();
});

it('should return item successfully if validation passes when getting item', async () => {
const getItemValidator = jest.fn().mockImplementation(() => true);
const keyValueStorage = createKeyValueStorageFromCookieStorageAdapter(
mockCookiesStorageAdapter,
{ getItem: getItemValidator },
);

const value = await keyValueStorage.getItem(testKey);
expect(value).toBe(testValue);
expect(getItemValidator).toHaveBeenCalledTimes(1);
});

it('should return null if validation fails when getting item', async () => {
const getItemValidator = jest.fn().mockImplementation(() => false);
const keyValueStorage = createKeyValueStorageFromCookieStorageAdapter(
mockCookiesStorageAdapter,
{ getItem: getItemValidator },
);

const value = await keyValueStorage.getItem(testKey);
expect(value).toBe(null);
expect(getItemValidator).toHaveBeenCalledTimes(1);
});
});
});
});
Loading
Loading