[Bell-410] Add AWS Cognito provider

Providers.md

@@ -111,6 +111,30 @@ credentials.profile = {
 };
 ```
 
+### Cognito
+
+[Provider Documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html)
+
+- `scope`: Defaults to `['openid', 'email', 'profile']`
+- `config`:
+  - `uri`: Point to your Cognito user pool uri.  Intentionally no default as Cognito is organization specific.
+- `auth`: https://your-cognito-user-pool.amazoncognito.com/oauth2/authorize
+- `token`: https://your-cognito-user-pool.amazoncognito.com/oauth2/token
+
+The default profile response will look like this:
+
+```javascript
+credentials.profile = {
+    id: profile.sub,
+    username: profile.preferred_username,
+    displayName: profile.name,
+    firstName: profile.given_name,
+    lastName: profile.family_name,
+    email: profile.email,
+    raw: profile
+};
+```
+
 ### DigitalOcean
 
 [Provider Documentation](https://developers.digitalocean.com/documentation/oauth)
@@ -499,6 +523,28 @@ credentials.profile = {
 };
 ```
 
+### Pingfed
+
+[Provider Documentation](https://www.pingidentity.com/content/developer/en/resources/openid-connect-developers-guide.html)
+
+- `scope`: Defaults to `['openid', 'email']`
+- `config`:
+  - `uri`: Point to your Pingfederate enterprise uri.  Intentionally no default as Ping is organization specific.
+- `auth`: https://www.example.com:9031/as/authorization.oauth2
+- `token`: https://www.example.com:9031/as/token.oauth2
+
+The default profile response will look like this:
+
+```javascript
+credentials.profile = {
+    id: profile.sub,
+    username: profile.email,
+    displayName: profile.email,
+    email: profile.email,
+    raw: profile
+};
+```
+
 ### Pinterest
 
 [Provider Documentation](https://developers.pinterest.com/docs/api/overview/)
@@ -817,7 +863,7 @@ credentials.profile = {
 
 - `scope`: Defaults to `['openid', 'email', 'offline_access']`
 - `config`:
-  - `uri`: Point to your Okta enterprise uri.  Intentionally no default as Okta is organization specific..
+  - `uri`: Point to your Okta enterprise uri.  Intentionally no default as Okta is organization specific.
 - `auth`: https://your-organization.okta.com/oauth2/v1/authorize
 - `token`: https://your-organization.okta.com/oauth2/v1/token
 

README.md

@@ -6,11 +6,12 @@ Third-party authentication plugin for [hapi](https://github.com/hapijs/hapi).
 
 [![Build Status](https://secure.travis-ci.org/hapijs/bell.svg?branch=master)](http://travis-ci.org/hapijs/bell)
 
-**bell** ships with built-in support for authentication using `Facebook`, `GitHub`, `Google`,
-`Google Plus`, `Instagram`, `LinkedIn`, `Slack`, `Stripe`, `Twitter`, `Yahoo`, `Foursquare`,
-`VK`, `ArcGIS Online`, `Windows Live`, `Nest`, `Phabricator`, `BitBucket`, `Dropbox`, `Reddit`,
-`Tumblr`, `Twitch`, `Mixer`, `Salesforce`, `Pinterest`, `Discord`, `DigitalOcean`, `AzureAD`,
-`trakt.tv` and `Okta`.
+**bell** ships with built-in support for authentication using `ArcGIS Online`, `Auth0`, `AzureAD`,
+`BitBucket`, `Cognito`, `DigitalOcean`, `Discord`, `Dropbox`, `Facebook`, `Fitbit`, `Foursquare`,
+`GitHub`, `GitLab`, `Google Plus`, `Google`, `Instagram`, `LinkedIn`, `Medium`, `Meetup`, `Mixer`,
+`Nest`, `Office365`, `Okta`, `Phabricator`, `Pingfed`, `Pinterest`, `Reddit`, `Salesforce`, `Slack`,
+`Spotify`, `Stripe`, `trakt.tv`, `Tumblr`, `Twitch`, `Twitter`, `VK`, `Wordpress`, `Windows Live`,
+and `Yahoo`.
 
 It also supports any compliant `OAuth 1.0a` and `OAuth 2.0` based login services with a simple
 configuration object.

lib/providers/cognito.js

@@ -0,0 +1,40 @@
+'use strict';
+
+
+const Joi = require('@hapi/joi');
+
+
+const internals = {
+    schema: Joi.object({
+        uri: Joi.string().uri().required()
+    }).required()
+};
+
+
+exports = module.exports = function (options) {
+
+    const settings = Joi.attempt(options, internals.schema);
+
+    return {
+        protocol: 'oauth2',
+        auth: settings.uri + '/oauth2/authorize',
+        token: settings.uri + '/oauth2/token',
+        scope: ['openid', 'email', 'profile'],
+        scopeSeparator: ' ',
+        useParamsAuth: true,
+        profile: async function (credentials, params, get) {
+
+            const profile = await get(settings.uri + '/oauth2/userInfo');
+
+            credentials.profile = {
+                id: profile.sub,
+                username: profile.preferred_username,
+                displayName: profile.name,
+                firstName: profile.given_name,
+                lastName: profile.family_name,
+                email: profile.email,
+                raw: profile
+            };
+        }
+    };
+};

lib/providers/index.js

@@ -8,6 +8,7 @@ exports = module.exports = {
     auth0: require('./auth0'),
     azuread: require('./azuread'),
     bitbucket: require('./bitbucket'),
+    cognito: require('./cognito'),
     digitalocean: require('./digitalocean'),
     discord: require('./discord'),
     dropbox: require('./dropbox'),

test/providers/cognito.js

@@ -0,0 +1,89 @@
+'use strict';
+
+const Bell = require('../..');
+const Code = require('@hapi/code');
+const Hapi = require('@hapi/hapi');
+const Hoek = require('@hapi/hoek');
+const Lab = require('@hapi/lab');
+
+const Mock = require('../mock');
+
+
+const internals = {};
+
+
+const { describe, it } = exports.lab = Lab.script();
+const expect = Code.expect;
+
+
+describe('cognito', () => {
+
+    it('fails with no uri', () => {
+
+        expect(Bell.providers.cognito).to.throw(Error);
+    });
+
+    it('authenticates with mock and custom uri ', async (flags) => {
+
+        const mock = await Mock.v2(flags);
+        const server = Hapi.server({ host: 'localhost', port: 80 });
+        await server.register(Bell);
+
+        const custom = Bell.providers.cognito({ uri: 'http://example.com' });
+        Hoek.merge(custom, mock.provider);
+
+        const profile = {
+            sub: '1111111111',
+            email: 'steve.smith@example.com',
+            preferred_username: 'steve.smith',
+            name: 'Steve Smith',
+            given_name: 'Steve',
+            family_name: 'Smith'
+        };
+
+        Mock.override('http://example.com/oauth2/userInfo', profile);
+
+        server.auth.strategy('custom', 'bell', {
+            password: 'cookie_encryption_password_secure',
+            isSecure: false,
+            clientId: 'cognito',
+            clientSecret: 'secret',
+            provider: custom
+        });
+
+        server.route({
+            method: '*',
+            path: '/login',
+            config: {
+                auth: 'custom',
+                handler: function (request, h) {
+
+                    return request.auth.credentials;
+                }
+            }
+        });
+
+        const res1 = await server.inject('/login');
+        const cookie = res1.headers['set-cookie'][0].split(';')[0] + ';';
+
+        const res2 = await mock.server.inject(res1.headers.location);
+
+        const res3 = await server.inject({ url: res2.headers.location, headers: { cookie } });
+        expect(res3.result).to.equal({
+            provider: 'custom',
+            token: '456',
+            expiresIn: 3600,
+            refreshToken: undefined,
+            query: {},
+            profile: {
+                id: '1111111111',
+                username: 'steve.smith',
+                email: 'steve.smith@example.com',
+                displayName: 'Steve Smith',
+                firstName: 'Steve',
+                lastName: 'Smith',
+                raw: profile
+            }
+        });
+    });
+});