kndt84 / passport-cognito
Passport strategy for AWS Cognito User Pools
Home Page: https://www.npmjs.com/package/passport-cognito
License: MIT License
I am getting this security issue:
High severity vulnerability found in crypto-browserify
Description: Insecure Randomness
From: [email protected] > [email protected] > [email protected] > [email protected]
Please consider upgrading amazon-cognito-identity-js to 3.0.6.
When I added a new test user on Cognito, its status is "FORCE_CHANGE_PASSWORD".
I think, because of that, when I try to log in, it's always failing.
I have the standard code but put in my two pages:
    app.post('/auth/cognito',
      passport.authenticate('cognito', {
        successRedirect: 'http://localhost:8081/home.html',
        failureRedirect: 'http://localhost:8081/login.html'
      }));
Based on what I read here: https://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-identity-user-pools-javascript-example-authenticating-admin-created-user.html
I thought maybe something like the code below might work, but it hasn't yet:
    app.post('/auth/cognito',
      passport.authenticate('cognito', {
        successRedirect: 'http://localhost:8081/home.html',
        failureRedirect: 'http://localhost:8081/login.html',
        newPasswordRequired: 'http://localhost:8081/newpass.html'
      }));
I'm logging the URLs and POST params as follows,
so it looks like the redirect is working to the login.html page only:
08/16/2019 14:39:35: POST: Request URL:/auth/cognito
{ username: 'Test1', password: 'b#*5arNdESHrqtBk' }
08/16/2019 14:39:35: GET: Request URL:/login.html
Is there some other error we can send back to the client on the AJAX call that tells us what the issue is, for example, that he needs to change his password? Is there any type of console.log I can do in the code above to help debug further?
Any idea where to find code to change the password in NodeJS? That would be outside of Passport correct?
Thanks,
Neal
The momentjs version being used has a known ReDoS issue.
Please consider upgrading to 2.20.1.
Hi there,
I was wondering if this library automatically sets the user field on the express request object for an authenticated request? Thanks.
All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.
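As an added illustration of the bug class this advisory describes (constructed for this page, not passport-cognito's own code), the JavaScript below shows a strategy that stashes a login's tokens in module-scoped variables and reads them back on a later turn of the event loop, next to the request-scoped version that fixes it. The tiny scheduler, fakeCognitoLogin and the two authenticate* functions are assumptions made for the example; the scheduler replaces real timers so the interleaving of two logins is reproducible.

```javascript
// Constructed illustration of shared-state token mix-up, not the library's code.

// A tiny deterministic scheduler standing in for the Node event loop, so the
// interleaving of two logins is reproducible instead of timing-dependent.
const queue = [];
function later(fn) { queue.push(fn); }
function runQueue() { while (queue.length) queue.shift()(); }

// Fake identity provider: answers asynchronously with tokens tied to the user.
function fakeCognitoLogin(username, onSuccess) {
  later(() => onSuccess({
    accessToken: `access-${username}`,
    idToken: `id-${username}`,
    refreshToken: `refresh-${username}`,
  }));
}

// VULNERABLE: module-scoped variables shared by every in-flight request.
let accessToken, idToken, refreshToken, user;
function authenticateShared(username, verify) {
  fakeCognitoLogin(username, (session) => {
    accessToken = session.accessToken;   // step 1: stash in shared scope
    idToken = session.idToken;
    refreshToken = session.refreshToken;
    user = { username };
    // step 2: hand off to the verify callback on a later turn; by then another
    // login may have overwritten every variable read here.
    later(() => verify(accessToken, idToken, refreshToken, user));
  });
}

// FIXED: everything belonging to one login lives in that call's own scope.
function authenticateScoped(username, verify) {
  fakeCognitoLogin(username, (session) => {
    const localUser = { username };
    later(() => verify(session.accessToken, session.idToken, session.refreshToken, localUser));
  });
}

// Start two logins that overlap, then report which user's tokens each
// requester ended up holding.
function raceTwoLogins(authenticate) {
  const issued = {};
  for (const requester of ['alice', 'bob']) {
    authenticate(requester, (access, id, refresh, u) => {
      issued[requester] = { sessionUser: u.username, accessToken: access };
    });
  }
  runQueue();
  return issued;
}

// Code-review pattern to look for: any let/var holding per-user data at module
// or strategy-instance level that is assigned in one callback and read in another.
console.log('shared :', raceTwoLogins(authenticateShared)); // alice receives bob's tokens
console.log('scoped :', raceTwoLogins(authenticateScoped)); // each user gets their own
```

With the shared variables, alice's login completes first, bob's login overwrites the variables before alice's verify callback runs, and alice's request is handed bob's session. The scoped version keeps each login's data in closures, so no ordering of callbacks can cross them.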
I am getting this error from inside the cognito module:
at CognitoUser.authenticateUserInternal (/var/app/current/node_modules/amazon-cognito-identity-js/lib/CognitoUser.js:383:19)
It looks like Amazon wrote these modules assuming they will run in a browser.
I worked around this by adding global.navigator = {} just before calling passport.use(new CognitoStrategy(...)). Not thrilled about adding a global, but it works.
Figured I'd post this here in case anyone else stumbles upon this.
Comment in code states (passport-cognito/lib/strategy.js, line 33 in 79b1fdf):
The documentation states that the correct parameters are accessToken, idToken, refreshToken, user, cb.
Is it possible to implement the passReqToCallback passport behaviour ?
    passport.use(new CognitoStrategy({
      userPoolId: 'ap-northeast-1_eSjqLfqKc',
      clientId: 'vtvg02tr21zmxvspyvawtv09b',
      region: 'ap-northeast-1',
      passReqToCallback: true
    }, verify)); // verify: the strategy's verify callback
The verify function signature would change.
I'm trying to put together a minimal sample but I'm not sure how passport-cognito is supposed to go. Apologies in advance, I'm used to Auth0, which has spoiled me with fully-working starter code. Do you know of any sample code that uses passport-cognito?
Hi,
On line 142 there is a:
    console.log('newPassword2'...)
Would it be possible to comment this line out please?
Also, is there a way to pass the password value into the function rather than the explicit req.body.password?
The flow is
Currently I have to set the initial password onto the form inside a hidden field (in plain text). I guess it's not a big deal since it's not leaking the real password.
Cheers,
Paul
Hi,
Thanks for coding this up!
I noticed earlier you said you would add an Express example; this is my first time using Passport/Express and I'd love to see an example of Express+Passport Cognito.
Thanks
Hi,
I have a nodejs/express app that's working great from home or deployed on EB. Great library, thanks!
However at work behind our corporate proxy authentication requests seem to be timing out. AWS seem to provide a simple solution here: http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/node-configuring-proxies.html
and https://aws.amazon.com/blogs/developer/using-the-aws-sdk-for-javascript-from-behind-a-proxy/
As I'm kind of new to NodeJS I'm wondering how to pass this config when creating the CognitoStrategy object. Is it possible as I would like the option to run from my localhost?
Thanks,
Paul
I have configured it in one of my LoopBack servers supporting passport authentication. However, when I hit auth/cognito I get 404. It works for another cognito library and google.
Am I missing something?
    function(accessToken, idToken, refreshToken, user, session, cb) {
      process.nextTick(function() {
        // store the ID token's expiry (Unix seconds) on the session user
        user.expiration = session.getIdToken().getExpiration();
        ...
        cb(null, user);
      });
    }
--> How can I use the RefreshToken if the user.expiration is true...
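One way to act on the stored expiration, added here as an example rather than anything from passport-cognito or amazon-cognito-identity-js: treat the ID token as stale a little before its exp, and only then call a refresh routine. user.expiration is the Unix-seconds value the verify callback above stores; refreshSession, jwtExpiration, makeSampleJwt and the sample token are assumptions constructed for the example.

```javascript
// Added example: refresh a session only when its ID token is (nearly) expired.
const SKEW_SECONDS = 60; // refresh slightly early so in-flight requests do not straddle expiry

// Decodes a JWT payload and returns its `exp` claim (Unix seconds), or null.
// No signature check happens here: this only decides when to refresh. Whoever
// relies on the token must still verify signature, issuer and audience.
function jwtExpiration(token) {
  const parts = String(token).split('.');
  if (parts.length < 2) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  return typeof claims.exp === 'number' ? claims.exp : null;
}

function needsRefresh(expirationSeconds, nowSeconds) {
  return nowSeconds + SKEW_SECONDS >= expirationSeconds;
}

// Returns { user, refreshed }. refreshSession(refreshToken) is caller-supplied
// (an assumed abstraction over the identity SDK's refresh call) and must
// resolve to { idToken, accessToken }.
async function ensureFreshSession(user, refreshSession, nowSeconds = Math.floor(Date.now() / 1000)) {
  const expiration = user.expiration ?? jwtExpiration(user.idToken);
  if (expiration === null) throw new Error('cannot determine token expiration');
  if (!needsRefresh(expiration, nowSeconds)) return { user, refreshed: false };
  if (!user.refreshToken) throw new Error('session expired and no refresh token held');
  const renewed = await refreshSession(user.refreshToken);
  const nextExpiration = jwtExpiration(renewed.idToken);
  return { user: { ...user, ...renewed, expiration: nextExpiration }, refreshed: true };
}

// --- constructed sample data (not real tokens; the signature is a placeholder) ---
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.signature-placeholder`;
}
const T0 = 1700000000; // arbitrary reference instant, Unix seconds
const sampleUser = {
  username: 'alice',
  idToken: makeSampleJwt({ sub: 'alice', exp: T0 + 3600 }),
  refreshToken: 'refresh-alice',
  expiration: T0 + 3600,
};
let refreshCalls = 0;
async function fakeRefresh(refreshToken) {
  refreshCalls += 1; // count calls so a caller can see refresh happens only when needed
  return { idToken: makeSampleJwt({ sub: 'alice', exp: T0 + 7200 }), accessToken: `access-${refreshCalls}` };
}

ensureFreshSession(sampleUser, fakeRefresh, T0 + 10)
  .then((r) => console.log('early in lifetime, refreshed:', r.refreshed));
ensureFreshSession(sampleUser, fakeRefresh, T0 + 3580)
  .then((r) => console.log('near expiry, refreshed:', r.refreshed, 'new exp:', r.user.expiration));
```

Calling ensureFreshSession at the top of each authenticated request (or before each outbound call that presents the ID token) keeps the stored user current; the refresh token is never sent anywhere except to the refresh routine.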
When I make a POST request, nothing happens. It goes to the failure redirect URL, but nothing happens.
I included logs here and there to find the failure point, but it just doesn't move at all.
Hi, Is it possible to integrate passport-cognito into Nest.js by using PassportStrategy and AuthGuard? I found the JwtStrategy worked only for Auth0 and would like to customize a CognitoStrategy extends PassportStrategy(Strategy), something like the following in TypeScript:
    import { Strategy } from 'passport-cognito';
    import { PassportStrategy } from '@nestjs/passport';
    import { Injectable, Logger } from '@nestjs/common';

    @Injectable()
    export class CognitoStrategy extends PassportStrategy(Strategy) {
      private readonly logger = new Logger(CognitoStrategy.name);

      constructor() {
        super(/* please help here... */);
      }

      async validate(payload: any) {
        this.logger.log('payload: ', payload);
        return payload;
      }
    }
Thanks a lot
The example on the README is throwing an error:
    $.ajax({
      type: "post",
      url: 'http://localhost:3000/auth/cognito',
      data: { username: "myname", password: "mypass" }
    })
TypeError: Cannot read property 'username' of undefined
    at CognitoStrategy.authenticate (/mypath/node_modules/passport-cognito/lib/strategy.js:76:26)
    at attempt (/mypath/node_modules/passport/lib/middleware/authenticate.js:361:16)
    at authenticate
req.body is null in authenticate()
    CognitoStrategy.prototype.authenticate = function(req, options) {
      var user = {};
      var username = req.body.username;
      var password = req.body.password;
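The following is an added example, not passport-cognito's own strategy.js, written for two of the issues above: the TypeError here, which arises when authenticate() reads req.body and no parsed body is present, and the earlier passReqToCallback question. It is a minimal Passport-style strategy that (1) treats a missing or incomplete req.body as a bad request instead of throwing on undefined, and (2) honours a passReqToCallback option by prepending req to the verify callback's arguments, the way passport-local does. fakeLogin stands in for the Cognito call and runStrategy imitates what Passport's authenticate() middleware does when it invokes a strategy; both names, the sample credentials and the sample requests are assumptions constructed for the example.

```javascript
// Added example: body guard and passReqToCallback in a minimal Passport-style strategy.

// Constructed stand-in for the identity provider (synchronous for simplicity).
function fakeLogin(username, password) {
  if (username === 'alice' && password === 'correct horse battery staple') {
    return {
      accessToken: 'access-alice', idToken: 'id-alice', refreshToken: 'refresh-alice',
      user: { username },
    };
  }
  return null;
}

class MiniCognitoStrategy {
  constructor(options, verify) {
    this.name = 'cognito';
    this.passReqToCallback = Boolean(options && options.passReqToCallback);
    this.verify = verify;
  }

  // Passport calls this with the request; the strategy reports back through
  // this.success / this.fail / this.error, which Passport installs per request.
  authenticate(req) {
    // (1) No body-parsing middleware ran, or the client sent no form fields:
    //     report missing credentials rather than throwing on undefined.
    const body = req.body || {};
    if (typeof body.username !== 'string' || typeof body.password !== 'string') {
      return this.fail({ message: 'Missing credentials' }, 400);
    }
    const session = fakeLogin(body.username, body.password);
    if (!session) return this.fail({ message: 'Invalid username or password' }, 401);

    const { accessToken, idToken, refreshToken, user } = session;
    const done = (err, verifiedUser, info) => {
      if (err) return this.error(err);
      if (!verifiedUser) return this.fail(info || { message: 'Rejected by verify' }, 401);
      return this.success(verifiedUser, info);
    };
    // (2) Documented signature is (accessToken, idToken, refreshToken, user, cb);
    //     with passReqToCallback the verify callback receives req first.
    const args = [accessToken, idToken, refreshToken, user, done];
    if (this.passReqToCallback) args.unshift(req);
    this.verify(...args);
  }
}

// Imitates Passport's authenticate() middleware: augment a per-request copy of
// the strategy with success/fail/error (Passport also uses Object.create for
// this), run it, and return what it reported. The verify callbacks below are
// synchronous, so the outcome is available on return.
function runStrategy(strategy, req) {
  let outcome = null;
  const instance = Object.create(strategy);
  instance.success = (user, info) => { outcome = { outcome: 'success', user, info }; };
  instance.fail = (info, status) => { outcome = { outcome: 'fail', info, status }; };
  instance.error = (err) => { outcome = { outcome: 'error', error: err }; };
  instance.authenticate(req);
  return outcome;
}

// Verify callback in the passReqToCallback shape: it can use the request,
// e.g. to record the client address on the session user.
const withReq = new MiniCognitoStrategy({ passReqToCallback: true },
  (req, accessToken, idToken, refreshToken, user, cb) => cb(null, { ...user, ip: req.ip }));

// Verify callback in the documented five-argument shape.
const withoutReq = new MiniCognitoStrategy({},
  (accessToken, idToken, refreshToken, user, cb) => cb(null, user));

// Constructed requests: one with a parsed body, one without (what the README
// example hits when no body parser is mounted before the route).
const goodReq = { ip: '203.0.113.5', body: { username: 'alice', password: 'correct horse battery staple' } };
const noBodyReq = { ip: '203.0.113.5' };

console.log(runStrategy(withReq, goodReq));    // success, user carries ip
console.log(runStrategy(withoutReq, goodReq)); // success, user without ip
console.log(runStrategy(withReq, noBodyReq));  // fail, status 400, Missing credentials
```

The guard in step (1) turns a server-side crash into a client-visible 400, which is also the signal to check that the body parser is mounted ahead of the route; step (2) keeps the verify signature stable for existing users while letting opted-in callers see req.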