首页>编程相关>其他源码
下载

Cognito-Express:使用 AWS Congito 进行 API 身份验证

概要

cognito-express 通过验证 Amazon Cognito 生成的AccessTokenIDToken的 JWT 签名,对 Node.js 应用程序(在服务器上运行或在 AWS Lambda 函数中运行)上的 API 请求进行身份验证。

动机

该模块允许您通过验证AccessTokenIDToken的 JWT 签名来对 Node.js API 请求进行身份验证,而无需为每个 API 调用调用 Amazon Cognito。

该模块可以轻松、不显眼地集成到任何支持 Connect 式中间件(包括 Express)的应用程序或框架中。

该模块本质上捆绑了有关在 Web API 中使用 ID 令牌和访问令牌的 AWS 官方文档中列出的步骤 1-7

  1. 下载并存储为您的用户池设置的 JSON Web 令牌 (JWT)。
  2. 将令牌字符串解码为 JWT 格式。
  3. 检查iss声明。它应该与您的用户池匹配。
  4. 检查tokenUse声明。它应该符合您对accessid令牌类型的设置首选项
  5. 从 JWT 令牌标头获取kid,并检索步骤 1 中存储的相应 JSON Web 密钥。
  6. 验证解码后的 JWT 令牌的签名。
  7. 检查 exp 声明并确保令牌未过期。

您现在可以信任令牌内的声明并根据您的要求使用它。

先决条件

成功验证用户身份后,Amazon Cognito 向客户端颁发三个令牌:

  • ID令牌
  • 访问令牌
  • 刷新令牌

(注意:该模块不包含登录机制,您必须单独构建它)

将这些令牌保存在客户端应用程序中(最好作为 cookie)。当客户端调用任何API时,将AccessTokenIDToken传递给服务器。

如何传入AccessTokenIDToken完全取决于您。这里有两个选项:

  1. 通过在请求标头中显式添加它们
  2. 只需将令牌保存为 cookie 即可。这样,每当调用 API 时,它们就会附加到请求标头。

配置

 //Initializing CognitoExpress constructor
const cognitoExpress = new CognitoExpress ( {
	region : "us-east-1" ,
	cognitoUserPoolId : "us-east-1_dXlFef73t" ,
	tokenUse : "access" , //Possible Values: access | id
	tokenExpiration : 3600000 //Up to default expiration of 1 hour (3600000 ms)
} ) ;

用法

 cognitoExpress . validate ( accessTokenFromClient , function ( err , response ) {
	if ( err ) {
		/*
			//API is not authenticated, do something with the error.
		    //Perhaps redirect user back to the login page
			
			//ERROR TYPES:
			
			//If accessTokenFromClient is null or undefined
			err = {
			    "name": "TokenNotFound",
			    "message": "access token not found"
			}
			
			//If tokenuse doesn't match accessTokenFromClient
			{
			    "name": "InvalidTokenUse",
			    "message": "Not an id token"
			}

			//If token expired
			err = {
			    "name": "TokenExpiredError",
			    "message": "jwt expired",
			    "expiredAt": "2017-07-05T16:41:59.000Z"
			}

			//If token's user pool doesn't match the one defined in constructor
			{
			    "name": "InvalidUserPool",
			    "message": "access token is not from the defined user pool"
			}

		*/
	} else {
		//Else API has been authenticated. Proceed.
		res . locals . user = response ; //Optional - if you want to capture user information
		next ( ) ;
	}
} ) ;

还支持异步/等待模式

 ( async function main ( ) {
  try {
    const response = await cognitoExpress . validate ( accessTokenFromClient ) ;
    console . log ( response ) ;
     //User is authenticated, proceed with rest of your business logic.

  } catch ( e ) {
    console . error ( e ) ;
     //User is not authenticated, do something with the error.
     //Perhaps redirect user back to the login page
  }
} ) ( ) ;

完整示例

app.js - 服务器
 //app.js
"use strict" ;

const express = require ( "express" ) ,
	CognitoExpress = require ( "cognito-express" ) ,
	port = process . env . PORT || 8000 ;

const app = express ( ) ,
	authenticatedRoute = express . Router ( ) ; //I prefer creating a separate Router for authenticated requests

app . use ( "/api" , authenticatedRoute ) ;

//Initializing CognitoExpress constructor
const cognitoExpress = new CognitoExpress ( {
	region : "us-east-1" ,
	cognitoUserPoolId : "us-east-1_dXlFef73t" ,
	tokenUse : "access" , //Possible Values: access | id
	tokenExpiration : 3600000 //Up to default expiration of 1 hour (3600000 ms)
} ) ;

//Our middleware that authenticates all APIs under our 'authenticatedRoute' Router
authenticatedRoute . use ( function ( req , res , next ) {
	
	//I'm passing in the access token in header under key accessToken
	let accessTokenFromClient = req . headers . accesstoken ;

	//Fail if token not present in header. 
	if ( ! accessTokenFromClient ) return res . status ( 401 ) . send ( "Access Token missing from header" ) ;

	cognitoExpress . validate ( accessTokenFromClient , function ( err , response ) {
		
		//If API is not authenticated, Return 401 with error message. 
		if ( err ) return res . status ( 401 ) . send ( err ) ;
		
		//Else API has been authenticated. Proceed.
		res . locals . user = response ;
		next ( ) ;
	} ) ;
} ) ;


//Define your routes that need authentication check
authenticatedRoute . get ( "/myfirstapi" , function ( req , res , next ) {
	res . send ( `Hi ${ res . locals . user . username } , your API call is authenticated!` ) ;
} ) ;

app . listen ( port , function ( ) {
	console . log ( `Live on port: ${ port } !` ) ;
} ) ;
client.js - 角度示例
 //client.js - angular example

"use strict" ;

//I stored my access token value returned from Cognito in a cookie called ClientAccessToken

app . controller ( "MyFirstAPI" , function ( $scope , $http , $cookies ) {
	$http ( {
		method : "GET" ,
		url : "/api/myfirstapi" ,
		headers : {
			accesstoken : $cookies . get ( "ClientAccessToken" ) 
            }
		}
	} ) . then (
		function success ( response ) {
			//Authenticated. Do something with the response. 
		} ,
		function error ( err ) {
			console . error ( err ) ;
		}
	) ;
} ) ;

贡献者

加里·阿罗拉

执照

麻省理工学院

展开
附加信息
相关应用
为您推荐
相关资讯 全部