package amazonsupport
import (
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"

	"github.com/golang-jwt/jwt"
	"github.com/gorilla/sessions"
)
// AmazonCognitoConfiguration holds the Cognito user-pool settings the
// middleware needs. In this file Domain, Region, UserPoolClientId and
// RedirectUrl are interpolated into the hosted-UI logout URL stored in the
// session, and Region is handed to the ClaimsParser (AmazonCognitoClaimsParser
// ignores it). UserPoolId and UserPoolClientSecret are not referenced here;
// presumably other code uses them — confirm before relying on them.
type AmazonCognitoConfiguration struct {
Region string
Domain string
RedirectUrl string
UserPoolId string
UserPoolClientId string
UserPoolClientSecret string
}
// AmazonCognitoClaims is the JWT payload decoded from the forwarded
// X-Amzn-Oidc-Data token. Email becomes the session principal in
// Middleware; Username is decoded but not read in this file. The embedded
// StandardClaims supplies the registered claims (exp, iss, ...) and makes
// the type satisfy jwt.Claims.
type AmazonCognitoClaims struct {
Email string `json:"email"`
Username string `json:"username"`
jwt.StandardClaims
}
// HTTPClient is the subset of *http.Client that AmazonSupport depends on,
// kept as an interface so tests can substitute a fake. Nothing in this
// file calls Do; the stored client is presumably used elsewhere.
type HTTPClient interface {
Do(req *http.Request) (*http.Response, error)
}
// AmazonSupport provides HTTP middleware that turns the identity forwarded
// by an AWS load balancer into a cookie-backed session. Construct it with
// NewAmazonSupport; the zero value has a nil claimsParser and session and
// Middleware would panic on the first authenticated request.
type AmazonSupport struct {
client HTTPClient // outbound HTTP client; not used by Middleware itself
amazonConfig AmazonCognitoConfiguration // user-pool settings for the logout URL and parser
claimsParser ClaimsParser // decodes the forwarded token into AmazonCognitoClaims
session *sessions.CookieStore // store for the "session" cookie written by Middleware
}
// NewAmazonSupport wires the collaborators into an AmazonSupport: the HTTP
// client, the Cognito configuration, the parser applied to forwarded tokens
// and the cookie store that holds the resulting session. No argument is
// validated; passing nil defers any failure to Middleware.
func NewAmazonSupport(client HTTPClient, amazonConfig AmazonCognitoConfiguration, claimsParser ClaimsParser, session *sessions.CookieStore) *AmazonSupport {
	support := &AmazonSupport{
		client:       client,
		amazonConfig: amazonConfig,
		claimsParser: claimsParser,
		session:      session,
	}
	return support
}
// ClaimsParser decodes a token string into claims. Middleware calls it with
// the raw X-Amzn-Oidc-Data header value, the configured Region and a fresh
// *AmazonCognitoClaims; a non-nil error means the request is treated as
// unauthenticated. Whether the implementation verifies the signature is up
// to it — see AmazonCognitoClaimsParser, which does not.
type ClaimsParser interface {
ParseWithClaims(tokenString string, region string, claims jwt.Claims) (*jwt.Token, error)
}
// AmazonCognitoClaimsParser is the stateless ClaimsParser used for tokens
// forwarded by the AWS load balancer. Its ParseWithClaims decodes the token
// without checking the signature.
type AmazonCognitoClaimsParser struct {
}
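// ParseWithClaims decodes tokenString into claims WITHOUT verifying its
// signature, so the populated claims are only as trustworthy as the source
// of the token. It satisfies ClaimsParser; the region argument exists for the
// interface and is not used here.
//
// The forwarded token apparently carries base64 '=' padding that the JWT
// parser rejects (see the todo), so padding is stripped before decoding.
// On success the decoded, unverified *jwt.Token is returned; on failure the
// token is nil and err describes the decoding problem.
func (m AmazonCognitoClaimsParser) ParseWithClaims(tokenString string, _ string, claims jwt.Claims) (*jwt.Token, error) {
	log.Println("Enabling amazon cognito middleware.")
	// todo - currently unable to parse and verify the amazon elb token as the elb returns an un-parsable base64 token
	//
	// SECURITY: ParseUnverified performs no signature check, so whoever can
	// reach this service with a crafted X-Amzn-Oidc-Data header chooses the
	// claims. Only deploy behind a load balancer that sets that header
	// itself and strips any client-supplied copy, and replace this with a
	// verified parse once the token format issue is resolved.
	tokenString = strings.ReplaceAll(tokenString, "=", "")
	token, _, err := new(jwt.Parser).ParseUnverified(tokenString, claims)
	if err != nil {
		// A partially decoded token is not useful to callers; return nil.
		return nil, err
	}
	// ParseUnverified unmarshals straight into the caller's claims value, so
	// nothing has to be copied back. The previous version re-assigned the
	// local parameter through a type assertion — a no-op that would panic for
	// any Claims implementation other than *AmazonCognitoClaims — and then
	// discarded the token by returning nil.
	return token, nil
}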
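// Middleware populates the "session" cookie session from the X-Amzn-Oidc-Data
// header (the identity the load balancer forwards) and then calls next.
// When the header is present and a.claimsParser accepts it, the claims'
// Email is stored under session.Values["principal"] and a Cognito hosted-UI
// logout URL under session.Values["logout"]. When the header is absent, or
// the token does not parse, the request passes through unchanged and the
// failure is only logged — the middleware never rejects a request.
//
// With AmazonCognitoClaimsParser the token is decoded unverified, so this
// middleware must only run behind a load balancer that sets the header and
// drops any client-supplied copy; otherwise the principal is attacker-chosen.
func (a *AmazonSupport) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Header.Get yields the first value (the one the original indexed) and
		// "" when the header is missing or empty, so an empty header is no
		// longer handed to the parser.
		if access := r.Header.Get("X-Amzn-Oidc-Data"); access != "" {
			a.authenticate(w, r, access)
		}
		next.ServeHTTP(w, r)
	})
}

// authenticate parses one forwarded token and, on success, records the
// principal and logout URL in the cookie session. Parse, session-load and
// session-save failures are logged and otherwise ignored so the request still
// reaches the next handler (the original silently dropped the last two).
func (a *AmazonSupport) authenticate(w http.ResponseWriter, r *http.Request, access string) {
	claims := &AmazonCognitoClaims{}
	if _, err := a.claimsParser.ParseWithClaims(access, a.amazonConfig.Region, claims); err != nil {
		log.Printf("Oops, error parsing amazon cognito token claims. %v\n", err.Error())
		return
	}
	session, err := a.session.Get(r, "session")
	if err != nil {
		// The store appears to hand back a fresh session alongside a decode
		// error (e.g. a stale or tampered cookie); log it and continue with
		// that fresh session rather than leaving the user unauthenticated —
		// confirm against the gorilla/sessions version in use.
		log.Printf("error loading session, continuing with a new one: %v", err)
	}
	if session == nil {
		return
	}
	log.Printf("Found amazon cognito authenticated user email %v", claims.Email)
	session.Values["principal"] = []string{claims.Email}
	session.Values["logout"] = a.logoutURL()
	if err := session.Save(r, w); err != nil {
		log.Printf("error saving session: %v", err)
	}
}

// logoutURL builds the hosted-UI logout link for the configured user-pool
// client. client_id and redirect_uri are query-escaped so a redirect URL
// containing '&', '?' or '#' cannot smuggle extra parameters into the link.
func (a *AmazonSupport) logoutURL() string {
	return fmt.Sprintf("https://%s.auth.%s.amazoncognito.com/logout?client_id=%v&redirect_uri=%s&response_type=code",
		a.amazonConfig.Domain, a.amazonConfig.Region,
		url.QueryEscape(a.amazonConfig.UserPoolClientId), url.QueryEscape(a.amazonConfig.RedirectUrl))
}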