updated auth0 lock version and fixed auth function

Author: Assaf Gannon

aws-node-auth0-custom-authorizers-api/.gitignore

@@ -1,4 +1,5 @@
 node_modules
 .serverless
 secrets.json
-/frontend/misc.md
+public_key
+/frontend/misc.md

aws-node-auth0-custom-authorizers-api/frontend/app.js

@@ -8,63 +8,63 @@ const PUBLIC_ENDPOINT = 'https://your-aws-endpoint-here.amazonaws.com/dev/api/pu
 const PRIVATE_ENDPOINT = 'https://your-aws-endpoint-here.us-east-1.amazonaws.com/dev/api/private';
 
 // initialize auth0 lock
-const lock = new Auth0Lock(AUTH0_CLIENT_ID, AUTH0_DOMAIN, {
+const lock = new Auth0Lock(AUTH0_CLIENT_ID, AUTH0_DOMAIN, { // eslint-disable-line no-undef
+
   auth: {
     params: {
-      scope: 'openid email'
-    }
+      scope: 'openid email',
+    },
+    responseType: 'token id_token',
+  },
+});
+
+function updateUI() {
+  const isLoggedIn = localStorage.getItem('id_token');
+  if (isLoggedIn) {
+    // swap buttons
+    document.getElementById('btn-login').style.display = 'none';
+    document.getElementById('btn-logout').style.display = 'inline';
+    const profile = JSON.parse(localStorage.getItem('profile'));
+    // show username
+    document.getElementById('nick').textContent = profile.email;
   }
-})
+}
 
 // Handle login
-lock.on("authenticated", function(authResult) {
-  console.log(authResult)
-  lock.getProfile(authResult.idToken, function(error, profile) {
+lock.on('authenticated', (authResult) => {
+  console.log(authResult);
+  lock.getUserInfo(authResult.accessToken, (error, profile) => {
     if (error) {
       // Handle error
-      alert(JSON.stringify(error))
-      return false
+      return;
     }
-    // authResult.accessToken && authResult.idToken
-    // Save the JWT token.
-    localStorage.setItem('access_token', authResult.accessToken)
-    localStorage.setItem('id_token', authResult.idToken)
 
-    // Save the profile
-    localStorage.setItem('profile', JSON.stringify(profile))
+    document.getElementById('nick').textContent = profile.nickname;
 
-    updateUI()
+    localStorage.setItem('accessToken', authResult.accessToken);
+    localStorage.setItem('id_token', authResult.idToken);
+    localStorage.setItem('profile', JSON.stringify(profile));
+
+    updateUI();
   });
 });
 
-function updateUI() {
-  const isLoggedIn = localStorage.getItem('id_token')
-  if (isLoggedIn) {
-    // swap buttons
-    document.getElementById('btn-login').style.display = 'none'
-    document.getElementById('btn-logout').style.display = 'inline'
-    const profile = JSON.parse(localStorage.getItem('profile'))
-    // show username
-    document.getElementById('nick').textContent = profile.nickname
-  }
-}
-
-updateUI()
+updateUI();
 
 // Handle login
 document.getElementById('btn-login').addEventListener('click', () => {
-  lock.show()
-})
+  lock.show();
+});
 
 // Handle logout
 document.getElementById('btn-logout').addEventListener('click', () => {
-  localStorage.removeItem('id_token')
-  localStorage.removeItem('access_token')
-  localStorage.removeItem('profile')
-  document.getElementById('btn-login').style.display = 'flex'
-  document.getElementById('btn-logout').style.display = 'none'
-  document.getElementById('nick').textContent = ''
-})
+  localStorage.removeItem('id_token');
+  localStorage.removeItem('access_token');
+  localStorage.removeItem('profile');
+  document.getElementById('btn-login').style.display = 'flex';
+  document.getElementById('btn-logout').style.display = 'none';
+  document.getElementById('nick').textContent = '';
+});
 
 // Handle public api call
 document.getElementById('btn-public').addEventListener('click', () => {
@@ -73,40 +73,43 @@ document.getElementById('btn-public').addEventListener('click', () => {
     cache: 'no-store',
     method: 'POST',
   })
-  .then(response => response.json())
-  .then((data) => {
-    console.log('Message:', data)
-    document.getElementById('message').textContent = ''
-    document.getElementById('message').textContent = data.message
-  }).catch((e) => {
-    console.log('error', e)
-  })
-})
+    .then(response => response.json())
+    .then((data) => {
+      console.log('Message:', data);
+      document.getElementById('message').textContent = '';
+      document.getElementById('message').textContent = data.message;
+    })
+    .catch((e) => {
+      console.log('error', e);
+    });
+});
 
 // Handle private api call
 document.getElementById('btn-private').addEventListener('click', () => {
   // Call private API with JWT in header
-  const token = localStorage.getItem('id_token')
+  const token = localStorage.getItem('id_token');
   /*
    // block request from happening if no JWT token present
    if (!token) {
     document.getElementById('message').textContent = ''
-    document.getElementById('message').textContent = 'You must login to call this protected endpoint!'
+    document.getElementById('message').textContent =
+     'You must login to call this protected endpoint!'
     return false
   }*/
   // Do request to private endpoint
   fetch(PRIVATE_ENDPOINT, {
-    method: "POST",
+    method: 'POST',
     headers: {
-      Authorization: `Bearer ${token}`
-    }
+      Authorization: `Bearer ${token}`,
+    },
   })
-  .then(response => response.json())
-  .then((data) => {
-    console.log('Token:', data)
-    document.getElementById('message').textContent = ''
-    document.getElementById('message').textContent = data.message
-  }).catch((e) => {
-    console.log('error', e)
-  })
-})
+    .then(response => response.json())
+    .then((data) => {
+      console.log('Token:', data);
+      document.getElementById('message').textContent = '';
+      document.getElementById('message').textContent = data.message;
+    })
+    .catch((e) => {
+      console.log('error', e);
+    });
+});

aws-node-auth0-custom-authorizers-api/frontend/index.html

@@ -2,7 +2,7 @@
 <html>
 <head>
   <meta charset="utf-8">
-  <script src="//cdn.auth0.com/js/lock/10.1.0/lock.min.js"></script>
+  <script src="https://cdn.auth0.com/js/lock/11.4.0/lock.min.js"></script>
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <link href="app.css" rel="stylesheet">
 </head>

aws-node-auth0-custom-authorizers-api/handler.js

@@ -1,92 +1,90 @@
-const jwt = require('jsonwebtoken')
+const jwt = require('jsonwebtoken');
 
 // Set in `enviroment` of serverless.yml
-const AUTH0_CLIENT_ID = process.env.AUTH0_CLIENT_ID
-const AUTH0_CLIENT_SECRET = process.env.AUTH0_CLIENT_SECRET
+const AUTH0_CLIENT_ID = process.env.AUTH0_CLIENT_ID;
+const AUTH0_CLIENT_PUBLIC_KEY = process.env.AUTH0_CLIENT_PUBLIC_KEY;
 
 // Policy helper function
 const generatePolicy = (principalId, effect, resource) => {
-  const authResponse = {}
-  authResponse.principalId = principalId
+  const authResponse = {};
+  authResponse.principalId = principalId;
   if (effect && resource) {
-    const policyDocument = {}
-    policyDocument.Version = '2012-10-17'
-    policyDocument.Statement = []
-    const statementOne = {}
-    statementOne.Action = 'execute-api:Invoke'
-    statementOne.Effect = effect
-    statementOne.Resource = resource
-    policyDocument.Statement[0] = statementOne
-    authResponse.policyDocument = policyDocument
+    const policyDocument = {};
+    policyDocument.Version = '2012-10-17';
+    policyDocument.Statement = [];
+    const statementOne = {};
+    statementOne.Action = 'execute-api:Invoke';
+    statementOne.Effect = effect;
+    statementOne.Resource = resource;
+    policyDocument.Statement[0] = statementOne;
+    authResponse.policyDocument = policyDocument;
   }
-  return authResponse
-}
+  return authResponse;
+};
 
 // Reusable Authorizer function, set on `authorizer` field in serverless.yml
 module.exports.auth = (event, context, callback) => {
-  console.log('event', event)
+  console.log('event', event);
   if (!event.authorizationToken) {
-    return callback('Unauthorized')
+    return callback('Unauthorized');
   }
 
-  const tokenParts = event.authorizationToken.split(' ')
-  const tokenValue = tokenParts[1]
+  const tokenParts = event.authorizationToken.split(' ');
+  const tokenValue = tokenParts[1];
 
   if (!(tokenParts[0].toLowerCase() === 'bearer' && tokenValue)) {
     // no auth token!
-    return callback('Unauthorized')
+    return callback('Unauthorized');
   }
   const options = {
     audience: AUTH0_CLIENT_ID,
-  }
-  // decode base64 secret. ref: http://bit.ly/2hA6CrO
-  const secret = new Buffer.from(AUTH0_CLIENT_SECRET, 'base64')
+  };
+
   try {
-    jwt.verify(tokenValue, secret, options, (verifyError, decoded) => {
+    jwt.verify(tokenValue, AUTH0_CLIENT_PUBLIC_KEY, options, (verifyError, decoded) => {
       if (verifyError) {
-        console.log('verifyError', verifyError)
+        console.log('verifyError', verifyError);
         // 401 Unauthorized
-        console.log(`Token invalid. ${verifyError}`)
-        return callback('Unauthorized')
+        console.log(`Token invalid. ${verifyError}`);
+        return callback('Unauthorized');
       }
       // is custom authorizer function
-      console.log('valid from customAuthorizer', decoded)
-      return callback(null, generatePolicy(decoded.sub, 'Allow', event.methodArn))
-    })
-   } catch (err) {
-    console.log('catch error. Invalid token', err)
-    return callback('Unauthorized')
+      console.log('valid from customAuthorizer', decoded);
+      return callback(null, generatePolicy(decoded.sub, 'Allow', event.methodArn));
+    });
+  } catch (err) {
+    console.log('catch error. Invalid token', err);
+    return callback('Unauthorized');
   }
-}
+
+  // if for any reason you get here...
+  return callback('Unauthorized');
+};
 
 // Public API
-module.exports.publicEndpoint = (event, context, callback) => {
-  return callback(null, {
-    statusCode: 200,
-    headers: {
+module.exports.publicEndpoint = (event, context, callback) => callback(null, {
+  statusCode: 200,
+  headers: {
       /* Required for CORS support to work */
-      "Access-Control-Allow-Origin": "*",
+    'Access-Control-Allow-Origin': '*',
       /* Required for cookies, authorization headers with HTTPS */
-      "Access-Control-Allow-Credentials": true
-    },
-    body: JSON.stringify({
-      message: 'Hi ⊂◉‿◉つ from Public API',
-    }),
-  })
-}
+    'Access-Control-Allow-Credentials': true,
+  },
+  body: JSON.stringify({
+    message: 'Hi ⊂◉‿◉つ from Public API',
+  }),
+});
 
 // Private API
-module.exports.privateEndpoint = (event, context, callback) => {
-  return callback(null, {
-    statusCode: 200,
-    headers: {
+module.exports.privateEndpoint = (event, context, callback) => callback(null, {
+  statusCode: 200,
+  headers: {
       /* Required for CORS support to work */
-      "Access-Control-Allow-Origin": "*",
+    'Access-Control-Allow-Origin': '*',
       /* Required for cookies, authorization headers with HTTPS */
-      "Access-Control-Allow-Credentials": true
-    },
-    body: JSON.stringify({
-      message: 'Hi ⊂◉‿◉つ from Private API. Only logged in users can see this',
-    }),
-  })
-}
+    'Access-Control-Allow-Credentials': true,
+  },
+  body: JSON.stringify({
+    message: 'Hi ⊂◉‿◉つ from Private API. Only logged in users can see this',
+  }),
+});

aws-node-auth0-custom-authorizers-api/package.json

@@ -5,5 +5,8 @@
   "license": "MIT",
   "dependencies": {
     "jsonwebtoken": "^8.1.0"
+  },
+  "devDependencies": {
+    "serverless-offline": "^3.18.0"
   }
 }

aws-node-auth0-custom-authorizers-api/public_key-example

@@ -0,0 +1,4 @@
+-----BEGIN CERTIFICATE-----
+PUBLIC KEY - can be found in https://manage.auth0.com -> clients -> advanced settings ->Certivifates
+Replace this file with public_key
+-----END CERTIFICATE-----

aws-node-auth0-custom-authorizers-api/serverless.yml

@@ -1,13 +1,16 @@
 
 service: aws-custom-authorizer-auth0
 
+plugins:
+  - serverless-offline
+
 provider:
   name: aws
   runtime: nodejs6.10
   region: us-west-2
   environment:
     AUTH0_CLIENT_ID: ${file(./secrets.json):AUTH0_CLIENT_ID}
-    AUTH0_CLIENT_SECRET: ${file(./secrets.json):AUTH0_CLIENT_SECRET}
+    AUTH0_CLIENT_PUBLIC_KEY: ${file(./public_key)}
 
 functions:
   auth:
@@ -52,4 +55,4 @@ resources:
         ResponseType: UNAUTHORIZED
         RestApiId:
           Ref: 'ApiGatewayRestApi'
-        StatusCode: '401'
+        StatusCode: '401'