feat(cognito): integrate OpenID Connect discovery for improved OAuth …
…flow

* feat(cognito): integrate OpenID Connect discovery for improved OAuth flow

* feat(cognito): enhance OAuth flow by including client secret in discovery process

* chore: update lockfile
kilakewe authored Dec 13, 2024
1 parent ac61ae5 commit 7a01cc3
Showing 3 changed files with 39 additions and 17 deletions.
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -42,6 +42,7 @@
"hookable": "^5.5.3",
"ofetch": "^1.4.1",
"ohash": "^1.1.4",
"openid-client": "^6.1.4",
"pathe": "^1.1.2",
"scule": "^1.3.0",
"uncrypto": "^0.1.3"
21 changes: 21 additions & 0 deletions pnpm-lock.yaml


34 changes: 17 additions & 17 deletions src/runtime/server/lib/oauth/cognito.ts
@@ -1,10 +1,11 @@
import type { OAuthConfig } from '#auth-utils'

Check failure on line 1 in src/runtime/server/lib/oauth/cognito.ts


GitHub Actions / lint

`#auth-utils` type import should occur after import of `../utils`
import { useRuntimeConfig } from '#imports'

Check failure on line 2 in src/runtime/server/lib/oauth/cognito.ts


GitHub Actions / lint

`#imports` import should occur after import of `../utils`
import { defu } from 'defu'
import type { H3Event } from 'h3'
import { eventHandler, getQuery, sendRedirect } from 'h3'
import { discovery } from 'openid-client'
import { withQuery } from 'ufo'
import { defu } from 'defu'
import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken } from '../utils'
import { useRuntimeConfig } from '#imports'
import type { OAuthConfig } from '#auth-utils'
import { getOAuthRedirectURL, handleAccessTokenErrorResponse, handleMissingConfiguration, requestAccessToken } from '../utils'

export interface OAuthCognitoConfig {
/**
Expand Down Expand Up @@ -42,11 +43,6 @@ export interface OAuthCognitoConfig {
* @default process.env.NUXT_OAUTH_COGNITO_REDIRECT_URL or current URL
*/
redirectURL?: string
/**
* AWS Cognito App Custom Domain – some pool configurations require this
* @default ''
*/
domain?: string
}

export function defineOAuthCognitoEventHandler({ config, onSuccess, onError }: OAuthConfig<OAuthCognitoConfig>) {
Expand All @@ -59,11 +55,16 @@ export function defineOAuthCognitoEventHandler({ config, onSuccess, onError }: O
return handleMissingConfiguration(event, 'cognito', ['clientId', 'clientSecret', 'userPoolId', 'region'], onError)
}

const urlBase = config?.domain || `${config.userPoolId}.auth.${config.region}.amazoncognito.com`

const authorizationURL = `https://${urlBase}/oauth2/authorize`
const tokenURL = `https://${urlBase}/oauth2/token`

const congitoDiscoveryUrl = new URL(`https://cognito-idp.${config.region}.amazonaws.com/${config.userPoolId}/.well-known/openid-configuration`)
const issuer = await discovery(congitoDiscoveryUrl, config.clientId, config.clientSecret)
const {
authorization_endpoint: authorizationURL,
token_endpoint: tokenURL,
userinfo_endpoint: userinfoURL,
// TODO: implement logout
// eslint-disable-next-line @typescript-eslint/no-unused-vars
end_session_endpoint: logoutURL,
} = issuer.serverMetadata()
const query = getQuery<{ code?: string }>(event)
const redirectURL = config.redirectURL || getOAuthRedirectURL(event)

Expand Down Expand Up @@ -101,9 +102,8 @@ export function defineOAuthCognitoEventHandler({ config, onSuccess, onError }: O

const tokenType = tokens.token_type
const accessToken = tokens.access_token
// TODO: improve typing
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const user: any = await $fetch(`https://${urlBase}/oauth2/userInfo`, {
// TODO: improve typing of user profile
const user: unknown = await $fetch(userinfoURL as string, {
headers: {
Authorization: `${tokenType} ${accessToken}`,
},
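Review bot: `userinfoURL as string` (and the destructured `authorizationURL`/`tokenURL` next to it) hides that the endpoints returned by `serverMetadata()` are optional in openid-client's typing, so a discovery document without `userinfo_endpoint` would reach `$fetch(undefined)` instead of a clear failure; replace the cast with a guard right after the destructuring, `if (!authorizationURL || !tokenURL || !userinfoURL) throw new Error('Cognito discovery metadata is missing a required OAuth endpoint')`, and drop the `as string`. As far as the hunk shows, the `await discovery(...)` call sits inside the per-request handler (the enclosing `eventHandler` callback starts before this hunk), so every login and callback request now performs an outbound fetch of the `.well-known/openid-configuration` document; caching the resulting `Configuration` per userPoolId/region (a module-level map or a memoised helper) would remove that latency and stop the whole OAuth flow depending on `cognito-idp` being reachable on each request. Removing `domain?: string` from the exported `OAuthCognitoConfig` means a value existing users still set is silently ignored; unless the discovered endpoints are known to reflect a custom domain, keeping the option with a `@deprecated` TSDoc tag for one release would make the change less surprising. Minor: `congitoDiscoveryUrl` is misspelled (`cognitoDiscoveryUrl`), and the reordered import block at the top of the file fails the project's import-order lint rule as the CI annotations on lines 1 and 2 show.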
