passport-cognito's People

Contributors

andyatryonsoft, bancalets, chgrp-hung, dependabot[bot], gmadar, kndt84, nitsanavni, piercus

passport-cognito's Issues

FORCE_CHANGE_PASSWORD

When I added a new test user on Cognito, its status is "FORCE_CHANGE_PASSWORD".
I think, because of that, when I try to log in, it's always failing.

I have the standard code but put in my two pages:

app.post('/auth/cognito',
  passport.authenticate('cognito', {
    successRedirect: 'http://localhost:8081/home.html',
    failureRedirect: 'http://localhost:8081/login.html'
}));

Based on what I read here: https://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-identity-user-pools-javascript-example-authenticating-admin-created-user.html
I thought maybe something like the code below might work, but it hasn't yet:

app.post('/auth/cognito',
  passport.authenticate('cognito', {
    successRedirect: 'http://localhost:8081/home.html',
    failureRedirect: 'http://localhost:8081/login.html',
    newPasswordRequired: 'http://localhost:8081/newpass.html'
}));

I'm logging the URLs and POST params as follows,
so it looks like the redirect is working to the login.html page only:

08/16/2019 14:39:35: POST: Request URL:/auth/cognito
{ username: 'Test1', password: 'b#*5arNdESHrqtBk' }
08/16/2019 14:39:35: GET: Request URL:/login.html

Is there some other error we can send back to the client on the AJAX call that tells us what the issue is, for example, that he needs to change his password? Is there any type of console.log I can do in the code above to help debug further?

Any idea where to find code to change the password in NodeJS? That would be outside of Passport correct?

Thanks,
Neal

Upgrade momentjs

The momentjs version being used has a known ReDoS issue.

Please consider upgrading to 2.20.1

Setting user field on request

Hi there,
I was wondering if this library automatically sets the user field on the express request object for an authenticated request? Thanks.

Improper Authorization

NPM Audit failure

All versions of passport-cognito are vulnerable to Improper Authorization. The package fails to properly scope the variables containing authorization information, such as access token, refresh token and ID token. This causes a race condition where simultaneous authenticated users may receive authorization tokens for a different user. This would allow a user to take actions on another user's behalf.
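
The failure mode the advisory describes, as an added illustration that is not part of the original issue and is not passport-cognito's own code: token variables declared outside the per-login scope are overwritten by an overlapping login, while call-scoped variables are not. All names here (`fakeIdp`, `loginShared`, `loginScoped`, `runConcurrent`, `tokensMatchUser`) and the timings are hypothetical, and the identity provider is a constructed stand-in.

```javascript
// Constructed stand-in for the identity provider (assumption): resolves after
// delayMs with tokens that name the user they were issued to.
function fakeIdp(username, delayMs) {
  return new Promise((resolve) => setTimeout(() => resolve({
    accessToken: `access-for-${username}`,
    idToken: `id-for-${username}`,
  }), delayMs));
}

// Asynchronous work between receiving tokens and handing them to the caller.
const pause = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// BEFORE: the token variables live outside the request, so all logins share them.
let accessToken, idToken;
async function loginShared(username, idpDelay, postDelay) {
  const session = await fakeIdp(username, idpDelay);
  accessToken = session.accessToken; // overwritten by any concurrent login
  idToken = session.idToken;
  await pause(postDelay);
  return { username, accessToken, idToken }; // may now be another user's tokens
}

// AFTER: the tokens are scoped to this call and cannot be touched by another one.
async function loginScoped(username, idpDelay, postDelay) {
  const { accessToken, idToken } = await fakeIdp(username, idpDelay);
  await pause(postDelay);
  return { username, accessToken, idToken };
}

// Two overlapping logins: alice's tokens arrive first, but she is still being
// processed when bob's tokens arrive.
async function runConcurrent(login) {
  const [alice, bob] = await Promise.all([login('alice', 10, 60), login('bob', 30, 10)]);
  return { alice, bob };
}

// True when a login result carries only tokens issued to that same user.
function tokensMatchUser(result) {
  return result.accessToken === `access-for-${result.username}` &&
         result.idToken === `id-for-${result.username}`;
}
```

Comparing `await runConcurrent(loginShared)` with `await runConcurrent(loginScoped)` shows the difference: a check like `tokensMatchUser` on every issued session is a cheap regression test for this class of bug.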

ReferenceError: navigator is not defined

I am getting this error from inside the cognito module:

at CognitoUser.authenticateUserInternal (/var/app/current/node_modules/amazon-cognito-identity-js/lib/CognitoUser.js:383:19)

It looks like Amazon wrote these modules assuming they will run in a browser.

I worked around this by adding global.navigator = {} just before calling passport.use(new CognitoStrategy(...)). Not thrilled about adding a global, but it works.

Figured I'd post this here in case anyone else stumbles upon this.

support passReqToCallback option

Is it possible to implement the passReqToCallback passport behaviour?

passport.use(new CognitoStrategy({ userPoolId: 'ap-northeast-1_eSjqLfqKc', clientId: 'vtvg02tr21zmxvspyvawtv09b', region: 'ap-northeast-1', passReqToCallback: true }

The verify function signature would change.

Minimal expressjs sample?

I'm trying to put together a minimal sample but I'm not sure how the passport-cognito is supposed to go. Apologies in advance, I'm used to Auth0, which has spoiled me with fully-working starter code. Do you know of any sample code that uses passport-cognito?

newPassword2

Hi,

On Line 142 there is a:
console.log('newPassword2'...)

Would it be possible to comment this line out please?

Also is there a way to pass the password value into the function rather than explicit req.body.password?

The flow is

  1. user enters username/password
  2. server detects (err.412) and redirects to "Change Password" - the temporary password is saved on session
  3. user enters newpassword
  4. server gets the password from session and authenticates with password & newpassword

Currently I have to set the initial password onto the form inside a hidden field (in plain text). I guess it's not a big deal since it's not leaking the real password.

Cheers,
Paul

Express JS Sample

Hi,

Thanks for coding this up!
I noticed earlier you said you would add an Express example; this is my first time using Passport/Express and I'd love to see an example of Express+Passport Cognito.

Thanks

Authenticate behind corporate proxy

Hi,

I have a nodejs/express app that's working great from home or deployed on EB. Great library, thanks!

However, at work behind our corporate proxy, authentication requests seem to be timing out. AWS seems to provide a simple solution here: http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/node-configuring-proxies.html
and https://aws.amazon.com/blogs/developer/using-the-aws-sdk-for-javascript-from-behind-a-proxy/

As I'm kind of new to NodeJS I'm wondering how to pass this config when creating the CognitoStrategy object. Is it possible as I would like the option to run from my localhost?

Thanks,
Paul

Login screen

I have configured it in one of loopback server supporting passport authentication. However, when I hit auth/cognito I get 404. It works for another cognito library and google.
Am I missing something?

RefreshToken?

function(accessToken, idToken, refreshToken, user, session, cb) {
  process.nextTick(function() {
    user.expiration = session.getIdToken().getExpiration();
    ...
    cb(null, user);
  });
}

--> How can I use the RefreshToken if the user.expiration is true...

Not authenticating

When I make a post request, nothing happens. It goes to the failure redirect URL, but nothing happens.
Included logs here and there to find the failure point, but it just doesn't move at all.

Is it possible to integrate the passport-cognito into Nest.js?

Hi, is it possible to integrate the passport-cognito into Nest.js by using PassportStrategy and AuthGuard? I found the JwtStrategy worked only for Auth0 and would like to customize a CognitoStrategy extends PassportStrategy(Strategy), something like the following in TypeScript:

import { Strategy } from 'passport-cognito';
import { PassportStrategy } from '@nestjs/passport';
import { Injectable, Logger } from '@nestjs/common';

@Injectable()
export class CognitoStrategy extends PassportStrategy(Strategy) {
  private readonly logger = new Logger(CognitoStrategy.name);

  constructor() {
    super(/* please help here... */);
  }

  async validate(payload: any) {
    this.logger.log('payload: ', payload);
    return payload;
  }
}

Thanks a lot

Cannot read property 'username' of undefined

The example on the README is throwing an error:

$.ajax({
  type: "post",
  url: 'http://localhost:3000/auth/cognito',
  data: { username: "myname", password: "mypass" }
})

TypeError: Cannot read property 'username' of undefined
    at CognitoStrategy.authenticate (/mypath/node_modules/passport-cognito/lib/strategy.js:76:26)
    at attempt (/mypath/node_modules/passport/lib/middleware/authenticate.js:361:16)
    at authenticate

req.body is null in authenticate()

CognitoStrategy.prototype.authenticate = function(req, options) {

  var user = {};
  var username = req.body.username;
  var password = req.body.password;
