-
Notifications
You must be signed in to change notification settings - Fork 39
/
index.js
111 lines (91 loc) · 2.87 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
'use strict';
var jwt = require('jsonwebtoken');
var jwkToPem = require('jwk-to-pem');
/*
TO DO:
copy values from CloudFormation outputs into USERPOOLID and JWKS variables
*/
var USERPOOLID = '##USERPOOLID##';
var JWKS = '##JWKS##';
/*
verify values above
*/
var region = 'us-east-1';
var iss = 'https://cognito-idp.' + region + '.amazonaws.com/' + USERPOOLID;
var pems;
pems = {};
var keys = JSON.parse(JWKS).keys;
for(var i = 0; i < keys.length; i++) {
//Convert each key to PEM
var key_id = keys[i].kid;
var modulus = keys[i].n;
var exponent = keys[i].e;
var key_type = keys[i].kty;
var jwk = { kty: key_type, n: modulus, e: exponent};
var pem = jwkToPem(jwk);
pems[key_id] = pem;
}
const response401 = {
status: '401',
statusDescription: 'Unauthorized'
};
exports.handler = (event, context, callback) => {
const cfrequest = event.Records[0].cf.request;
const headers = cfrequest.headers;
console.log('getting started');
console.log('USERPOOLID=' + USERPOOLID);
console.log('region=' + region);
console.log('pems=' + pems);
//Fail if no authorization header found
if(!headers.authorization) {
console.log("no auth header");
callback(null, response401);
return false;
}
//strip out "Bearer " to extract JWT token only
var jwtToken = headers.authorization[0].value.slice(7);
console.log('jwtToken=' + jwtToken);
//Fail if the token is not jwt
var decodedJwt = jwt.decode(jwtToken, {complete: true});
if (!decodedJwt) {
console.log("Not a valid JWT token");
callback(null, response401);
return false;
}
//Fail if token is not from your UserPool
if (decodedJwt.payload.iss != iss) {
console.log("invalid issuer");
callback(null, response401);
return false;
}
//Reject the jwt if it's not an 'Access Token'
if (decodedJwt.payload.token_use != 'access') {
console.log("Not an access token");
callback(null, response401);
return false;
}
//Get the kid from the token and retrieve corresponding PEM
var kid = decodedJwt.header.kid;
var pem = pems[kid];
if (!pem) {
console.log('Invalid access token');
callback(null, response401);
return false;
}
//Verify the signature of the JWT token to ensure it's really coming from your User Pool
jwt.verify(jwtToken, pem, { issuer: iss }, function(err, payload) {
if(err) {
console.log('Token failed verification');
callback(null, response401);
return false;
} else {
//Valid token.
console.log('Successful verification');
//remove authorization header
delete cfrequest.headers.authorization;
//CloudFront can proceed to fetch the content from origin
callback(null, cfrequest);
return true;
}
});
};