async def test_decode_access_token_with_app_id(): claims = cognitojwt.decode(TEST_ID_TOKEN, AWS_COGNITO_REGION, AWS_COGNITO_USERPOOL_ID, AWS_COGNITO_APP_CLIENT_ID, testmode=True) assert isinstance(claims, dict)
def authenticate(self, request): """Entrypoint for Django Rest Framework""" jwt_token = get_jwt_token(request) if jwt_token is None: return None verified_claims: dict # Authenticate token try: verified_claims: dict = cognitojwt.decode( get_jwt_token(request), COGNITO_AWS_REGION, COGNITO_USER_POOL, testmode= False # Disable token expiration check for testing purposes ) except: raise exceptions.AuthenticationFailed() USER_MODEL = get_user_model() user = USER_MODEL.objects.get_or_create( auth_key=verified_claims['sub'], defaults={ 'username': verified_claims['username'], 'is_active': True, }) return user[0], jwt_token
def verify_token(id_token: str): logger.info("Verifying token: {}".format(id_token)) if id_token is None or not id_token.startswith("Bearer "): exception = exceptions.get(exceptions.USER_NOT_AUTHORIZED_EXCEPTION) exception.append_to_log("id_token: {}".format(id_token)) exception.append_to_log("cause: Bearer not present") raise exception token = id_token.replace("Bearer ", "") try: verified_claims: dict = cognitojwt.decode( token, environment_config.aws_cognito_region, environment_config.aws_cognito_user_pool_id, testmode=not environment_config.aws_cognito_enabled) logger.info("Token validated successfully") return AuthUser(verified_claims["sub"], verified_claims["email"]) except CognitoJWTException as jwt_exception: exception = exceptions.get(exceptions.USER_NOT_AUTHORIZED_EXCEPTION) exception.append_to_log("id_token: {}".format(id_token)) exception.append_to_log("exception: {}".format(traceback.format_exc())) raise exception except ValueError as value_exception: exception = exceptions.get(exceptions.USER_NOT_AUTHORIZED_EXCEPTION) exception.append_to_log("id_token: {}".format(id_token)) exception.append_to_log("exception: {}".format(traceback.format_exc())) raise exception
def lambda_handler(event, context): id_token = event['authorizationToken'] methodArn = event['methodArn'] path = returnPath(methodArn) try: verified_claims: dict = cognitojwt.decode( id_token, REGION, USERPOOL_ID, app_client_id=APP_CLIENT_ID, testmode=False # Disable token expiration check for testing purposes ) username = verified_claims[USERNAME] role = verified_claims[ROLE_ATTRIBUTE] response = ddb.get_item(TableName=DDB_USAGE_TABLE, Key={'PrincipalId': { 'S': username }}) if 'Item' not in response: ddb.put_item(TableName=DDB_USAGE_TABLE, Item={ 'PrincipalId': { 'S': username }, 'CallLimit': { 'N': DEFAULT_CALL_LIMIT }, 'Calls': { 'N': '1' }, 'TTL': { 'N': reset_date } }) elif int(response['Item']['CallLimit']['N']) > int( response['Item']['Calls']['N']): Calls = str(int(response['Item']['Calls']['N']) + 1) ddb.update_item( TableName=DDB_USAGE_TABLE, Key={'PrincipalId': { 'S': username }}, AttributeUpdates={'Calls': { 'Value': { 'N': Calls } }}) else: errorMsg = "Daily call limit of {} has exceeded for {}".format( response['Item']['CallLimit']['N'], username) return deniedResponse(username, 'Deny', methodArn, errorMsg) return checkRolePermissions(role, path, ddb, DDB_ROLES_TABLE, username, methodArn) except CognitoJWTException as e: return deniedResponse('null', 'Deny', methodArn, str(e)) except JWTError as e: return deniedResponse('null', 'Deny', methodArn, str(e))
def test_decode_access_token_without_app_id(): claims = cognitojwt.decode( TEST_ACCESS_TOKEN, AWS_COGNITO_REGION, AWS_COGNITO_USERPOOL_ID, testmode=True ) assert isinstance(claims, dict)
def decode(self, token: str, client_id: str = None): try: return cognitojwt.decode(token, self._region, self._user_pool_id, app_client_id=client_id) except CognitoJWTException: raise ff.UnauthenticatedError()
def verify_token(token): verified_claims: dict = cognitojwt.decode( token, region, userpool_id, app_client_id=app_client_id, # Optional testmode=True, # Disable token expiration check for testing purposes ) return verified_claims
def get_user_sub(jwt_token): """ Validate JWT claims & retrieve user identifier """ try: verified_claims = cognitojwt.decode(jwt_token, os.environ["AWS_REGION"], os.environ["USERPOOL_ID"]) except (cognitojwt.CognitoJWTException, ValueError): verified_claims = {} return verified_claims.get("sub")
def decode(self, token: str, client_id: str = None): try: return cognitojwt.decode( token, self._region, self._user_pool_id, app_client_id=client_id ) except (KeyError, ValueError) as e: self.info(e) return except CognitoJWTException as e: self.exception(e) raise ff.UnauthenticatedError()
def verify_token(token): try: user = cognitojwt.decode(token, current_app.config['PROVIDER_REGION'], current_app.config['AUTH_POOL']) if user: g.user = user return True return False except Exception as ex: current_app.logger.error(f'Unable to verify token : {ex}') return False
def get_cognito_user_profile_info(self, jwt_token): resp = cognitojwt.decode( jwt_token, self.region, self.user_pool_id, app_client_id=self.app_client_id, # Optional testmode=True # Disable token expiration check for testing purposes ) if not resp or resp.status != 200: raise AuthenticationError( 'Failed to fetch user profile, status ({0})'.format( resp.status if resp else 'None')) return resp.data['name'], resp.data['email']
def verify_token(token): try: user = cognitojwt.decode( token, current_app.config['PROVIDER_REGION'], current_app.config['AUTH_POOL'], app_client_id=current_app.config['AUTH_CLIENT_ID'] ) if user: g.user = user return True return False except Exception as ex: return False
def check_cognito_jwt(self, request): """Check if valid cognito jwt.""" jwt = self.get_jwt_token(request) if not jwt: return False try: resp = cognitojwt.decode( jwt, AWS_REGION, COGNTIO_USER_POOL_ID, app_client_id=COGNITO_CLIENT_ID, ) self.username = resp["cognito:username"] self.groups = resp.get("cognito:groups", []) return self.username except Exception as e: logger.exception(e) return False
def sign(): signinform = SigninForm(prefix="signin") signupform = SignupForm(prefix="signup") if request.method == 'POST': form = request.form pprint.pprint(form) if request.form['btn'] == 'Signin': # session["active_panel"] = "login-form-link" if signinform.validate_on_submit(): try: auth_cognito = Cognito( cognito_userpool_id, cognito_client_id, user_pool_region=cognito_userpool_region, username=form['signin-username']) auth_cognito.authenticate(password=form['signin-password']) decoded_token = cognitojwt.decode(auth_cognito.id_token, cognito_userpool_region, cognito_userpool_id, cognito_client_id) user = auth_cognito.get_user() credit = user._data['custom:credit'] # except NotAuthorizedException as e: # flash(e.response['Error']['Message']) # return redirect(request.referrer) except Exception as e: if hasattr(e, 'message'): msg = e.message else: msg = str(e) flash(msg, 'error') return redirect(request.referrer) else: flash("Signin Successfully!") user = User() user.id = decoded_token["cognito:username"] user.credit = credit session['credit'] = credit session['expires'] = decoded_token["exp"] session['refresh_token'] = auth_cognito.refresh_token session['id_token'] = auth_cognito.id_token session['access_token'] = auth_cognito.access_token login_user(user, remember=True) next_url = request.args.get('next', 'index').strip("/") print("next_url:{}".format(next_url)) return redirect(url_for(next_url)) else: flash(signinform.errors) return redirect(request.referrer) elif request.form['btn'] == 'Signup': # session["active_panel"] = "register-form-link" if signupform.validate_on_submit(): try: u = Cognito(cognito_userpool_id, cognito_client_id, cognito_userpool_region) u.add_base_attributes(email=form['signup-email']) u.add_custom_attributes(credit='0') u.register(form['signup-username'], form['signup-password']) except Exception as e: if hasattr(e, 'message'): msg = e.message else: msg = str(e) flash(msg, 'error') else: pprint.pprint(session) flash("Finish the signup by confirm link in mailbox") else: flash(signupform.errors, "error") return redirect(request.referrer) return render_template('sign.html', signinform=signinform, signupform=signupform)
def decode_id_token(id_token): return cognitojwt.decode(id_token, "us-east-1", USER_POOL_ID)
def cognito_callback(): """ Read: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html A successful authentication will have the following dictionary: { "access_token": "......", "refresh_token": "......", "id_token": "......", "token_type": "Bearer", "expires_in": 3600 } """ L.info(message='Got stuff back from Cognito') code = request.args.get('code', None) state = request.args.get('state', None) L.info(message='code={}'.format(code)) L.info(message='state={}'.format(state)) if state is not None and code is not None: if state == 'DEMO-STATE': # Exchange code for token target_url = '{}/oauth2/token'.format(cognito_domain) L.info(message='target_url={}'.format(target_url)) L.info(message='cognito_client_id={}'.format(cognito_client_id)) L.info(message='code={}'.format(code)) L.info(message='cognito_login_callback_url={}'.format( cognito_login_callback_url)) try: token_request_response = requests.post( target_url, data={ 'grant_type': 'authorization_code', 'client_id': cognito_client_id, 'code': code, 'redirect_uri': cognito_login_callback_url, }, headers={ 'Authorization': 'Basic {}'.format(cognito_final_creds), 'Content-Type': 'application/x-www-form-urlencoded' }) if token_request_response.status_code == 200: flash('Thanks for logging in!') json_response = token_request_response.json() L.info(message='json_response={}'.format(json_response)) # Validate token verified_claims = dict() try: verified_claims: dict = cognitojwt.decode( json_response['access_token'], os.getenv('COGNITO_REGION', 'us-east-1'), os.getenv('COGNITO_USER_POOL_ID', 'not-set'), app_client_id=cognito_client_id, testmode=False) L.info(message='verified_claims={}'.format( verified_claims)) except: L.error(message='EXCEPTION: {}'.format( traceback.format_exc())) L.error(message='TOKENS ARE UNVERIFIED') user_info_target_url = '{}/oauth2/userInfo'.format( cognito_domain) user_info_response = requests.get( user_info_target_url, headers={ 'Authorization': 'Bearer {}'.format(json_response['access_token']), }) L.info(message='user_info_response={}'.format( user_info_response)) if user_info_response.status_code == 200: user_info_json_response = user_info_response.json() L.info(message='user_info_json_response={}'.format( user_info_json_response)) session['logged_in'] = True session['username'] = user_info_json_response['email'] session['cognito_raw_data'] = user_info_json_response return redirect('/secret') else: L.info(message='ERROR: LEG 2: return code: {}'.format( user_info_response.status_code)) flash( 'We failed to get a token - please ensure you are not being hacked! Or are you the haxor?' ) else: L.info(message='ERROR: LEG 1: return code: {}'.format( token_request_response.status_code)) flash( 'We failed to get a token - please ensure you are not being hacked! Or are you the haxor?' ) except: L.error(message='EXCEPTION: {}'.format(traceback.format_exc())) return redirect('/')