def load_user_from_request_header(request):
try:
access_token_enc = request.headers["Authorization"]
access_token_dec = auth.decodeJWT(access_token_enc)
if(access_token_dec['exp'] < time.time()):
return None
# id_token_enc = request.headers["ID"]
# kid = jwt.get_unverified_header(id_token_enc)['kid']
# key = public_keys[kid]
# access_token_dec = jwt.decode(id_token_enc, public_keys[kid], algorithms='RS256')
access_token = request.headers["Authorization"]
cognito = Cognito(
environ.get('COGNITO_REGION'), environ.get('COGNITO_ACCESS'), access_token=access_token, user_pool_region='us-east-2')
username = cognito.get_user()._metadata.get("username")
if username is None:
return None
return User(username)
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
print(exc_type, fname, exc_tb.tb_lineno)
print(e)
return None
def setUp(self):
self.cognito_user_pool_id = env('COGNITO_USER_POOL_ID')
self.app_id = env('COGNITO_APP_ID')
self.username = env('COGNITO_TEST_USERNAME')
self.password = env('COGNITO_TEST_PASSWORD')
self.user = Cognito(self.cognito_user_pool_id,self.app_id,
username=self.username)
def login(self, username=None, password=None, id_token=None, access_token=None, refresh_token=None, token_storage_file=None):
""" Authenticates the current user using access tokens if provided or username/password if no tokens available.
Provide a path for storing the token data that can be used to reauthenticate without providing the password.
Tokens stored in the file are updated when they expire.
"""
# Use warrant to go through the SRP authentication to get an auth token and refresh token
client = boto3.client('cognito-idp', region_name='us-east-2',
config=botocore.client.Config(signature_version=botocore.UNSIGNED))
if id_token is not None and access_token is not None and refresh_token is not None:
# use existing tokens
self.cognito = Cognito(USER_POOL, CLIENT_ID,
user_pool_region='us-east-2',
id_token=id_token,
access_token=access_token,
refresh_token=refresh_token)
self.cognito.client = client
elif username is not None and password is not None:
#log in with username and password
self.cognito = Cognito(USER_POOL, CLIENT_ID,
user_pool_region='us-east-2', username=username)
self.cognito.client = client
self.cognito.authenticate(password=password)
else:
raise Exception('No authentication method found. Must supply username/password or id/auth/refresh tokens.')
if self.cognito.access_token is not None:
if token_storage_file is not None: self.token_storage_file = token_storage_file
self._check_token()
user = self.cognito.get_user()
self.username = user._data['email']
self.customer = self.get_customer_details()
self._store_tokens()
return self.customer is not None
def post(self):
headers = {'Content-Type': 'text/html'}
token = request.args.get('id_token')
if token:
return respondToToken(token)
else:
if request.form:
user = request.form['username']
pwd = request.form['pwd']
u = Cognito(COGNITO_USER_POOL,COGNITO_APP_ID, username=user)
print "No Token, Trying to login for user %s" %(user)
try:
u.authenticate(password=pwd)
except:
return make_response(
render_template('TokenError.html',
msg="Login Failed. Access Denied"
),404,headers)
try:
resp = respondToToken(u.id_token)
return resp
except:
return make_response(
render_template('TokenError.html',
msg="Something very bad happend!! Can Not Open Homepage!!"
),404,headers)
def updateProfile(self, id_token, refresh_token, access_token, attr_map):
u = Cognito(self.USER_POOL_ID,
self.CLIENT_ID,
id_token=id_token,
refresh_token=refresh_token,
access_token=access_token)
u.update_profile(attr_map)
def login():
loadMe = json.dumps(request.get_json(silent=True)["user"])
payInfo = json.loads(loadMe)
try:
u = Cognito(pool_id, client_id, user_pool_region='us-east-2',
access_key=os.environ["AWS_ACCESS_KEY"], secret_key=os.environ['AWS_SECRET_KEY'],
username=payInfo["email"]);
u.authenticate(password=payInfo["password"]);
uuid = generate_uuid(payInfo)
response = table.get_item(
Key={
'userID' : uuid
}
)
item = response['Item'];
# return jsonify(item);
convertedItem = json.loads(json.dumps(item, default=decimal_default));
adminStatus = convertedItem['admin'];
wholeTable = getTable();
if (adminStatus == 1):
return response_with(responses.SUCCESS_200, value={"value" : wholeTable}, message={"userID" : uuid, "admin" : adminStatus});
elif (adminStatus == 0): #just a reg employee
return response_with(responses.SUCCESS_200, value={"value": convertedItem}, message={"userID" : uuid, "admin" : adminStatus}); #returns just user
except Exception as e:
return response_with(responses.UNAUTHORIZED_401, value={"value" : str(e)})
def get_token(self, username: str, password: str) -> str:
u = Cognito(self.user_pool,
self.client_id,
self.region,
username=username)
u.authenticate(password=password)
return u.access_token
def authenticate_new_user(userPoolId,appClientId, username, password, region ):
u = Cognito(userPoolId, appClientId, username = username,user_pool_region=region)
authenticateUser = u.admin_authenticate(password)
return authenticateUser
def login(username, password):
"""
Use username and password to get Canotic api key.
"""
user = Cognito(access_key='AKIAIOSFODNN7EXAMPLE', secret_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
user_pool_id=COGNITO_USERPOOL_ID, client_id=COGNITO_CLIENT_ID,
user_pool_region=COGNITO_REGION, username=username)
try:
user.authenticate(password)
except ClientError as e:
if e.response['Error']['Code'] == 'UserNotFoundException' or e.response['Error'][
'Code'] == 'NotAuthorizedException':
print("Incorrect username or password")
return
else:
print(f"Unexpected error: {e}")
return
client = Client(auth_token=user.access_token)
api_keys = client.get_apikeys()
if len(api_keys) > 0:
save_api_key(api_keys[0])
print(f'Api key {api_keys[0]} was set')
else:
print(f'User {username} doesn\'t have any api keys')
def create_user(username, password, name, group):
"""
Create user and add him to the specifed group
"""
if not username:
raise ValidationError("error.create_user.invalid_user")
if not password:
raise ValidationError("error.create_user.invalid_password")
if not name:
raise ValidationError("error.create_user.invalid_name")
if not group:
raise ValidationError("error.create_user.invalid_group")
client = boto3.client("cognito-idp")
# check if group exists or through exception
try:
client.get_group(UserPoolId=cognito_userpool_id, GroupName=group)
except Exception as e:
log.exception(
"Failed to get_group, error.create_user.invalid_group, AWS Exception: {}"
.format(e))
raise ValidationError("error.create_user.invalid_group")
# here I am using warrant library because I found it easier than boto3
cognito = Cognito(cognito_userpool_id, cognito_app_client_id)
cognito.add_base_attributes(name=name)
# Register the user using warrant
try:
register_res = cognito.register(username, password)
except ClientError as e:
if "Username should be an email." in e.response["Error"]['Message']:
raise ValidationError("error.create_user.invalid_user")
elif "An account with the given email already exists." in e.response[
"Error"]['Message']:
raise ValidationError("error.create_user.already_exists")
elif "Password did not conform with policy" in e.response["Error"][
'Message']:
raise ValidationError("error.create_user.invalid_password")
else:
log.exception(
"Failed to register a user, error.create_user.failed, AWS Exception: {}"
.format(e))
raise ValidationError("error.create_user.failed")
# add user to the group using boto3 library
try:
client.admin_add_user_to_group(UserPoolId=cognito_userpool_id,
Username=username,
GroupName=group)
except Exception as e:
log.exception(
"Failed to add to a group, error.create_user.addtogroup.failed, AWS Exception: {}"
.format(e))
raise ValidationError("error.create_user.addtogroup.failed")
return register_res
def authenticate(self, username, password):
clientId = self.identity['provider']['client_id']
userPoolId = self.identity['provider']['userpool_id']
u = Cognito(userPoolId, clientId, username=username)
u.authenticate(password=password)
# TODO: if this fails, we should error gracefully with a 401
token = u.id_token
self.allowed_perms = self.set_perms(token)
def logout(self, auth):
u = Cognito(
self.pool_id,
self.client_id,
id_token=auth["id_token"],
refresh_token=auth["refresh_token"],
access_token=auth["access_token"],
)
u.logout()
def post(self):
data = self.parser.parse_args()
u = Cognito(os.environ['COGNITO_USERPOOL_ID'],
os.environ['COGNITO_APP_CLIENT_ID'],
username=data['username'])
try:
u.authenticate(password=data['password'])
except ClientError as e:
return {'message': str(e)}
return {'access_token': u.id_token}
def valid_login(username, password):
cognito = Cognito(cognito_userpool_id,
cognito_app_client_id,
username=username)
try:
cognito.authenticate(password)
except Exception as e:
print(e)
return False
return True
def post(self):
"""Sends a verification code to the user to use to change their password."""
json_data = request.get_json(force=True)
print(json_data)
email = json_data['email']
try:
u = Cognito(cognitoUserPoolId, cognitoUserPoolClientId, awsRegion, username=email)
u.initiate_forgot_password()
return ReturnDocument(email, "success").asdict()
except ClientError as err:
return ReturnDocument(err.__str__(), "error").asdict()
def test_set_attributes(self):
u = Cognito(self.cognito_user_pool_id,self.app_id)
u._set_attributes({
'ResponseMetadata':{
'HTTPStatusCode':200
}
},
{
'somerandom':'attribute'
}
)
self.assertEqual(u.somerandom,'attribute')
def check_auth(self, auth):
u = Cognito(
self.pool_id,
self.client_id,
id_token=auth.get("id_token"),
refresh_token=auth.get("refresh_token"),
access_token=auth.get("access_token"),
)
try:
u.check_token()
except AttributeError:
raise NotAuthenticated
def cognitoConfig(argUsername=""):
# poolID = os.environ['poolID']
# cognitoAppClientID = os.environ['cognitoAppClientID']
if argUsername:
# config = Cognito(poolID,cognitoAppClientID, username : aqrUsername )
config = Cognito("us-east-1_PqI7vgPYC",
"70uonffglttpu0juiu5p8spom0",
username=argUsername)
else:
# config = Cognito(poolID,cognitoAppClientID)
config = Cognito("us-east-1_PqI7vgPYC", "70uonffglttpu0juiu5p8spom0")
return config
def confirm_signup(username):
if request.method == 'POST':
code = request.form['confirm_code']
u = Cognito(USER_POOL_ID, CLIENT_ID, REGION, username=username,
access_key='dummy_not_used', secret_key='dummy_not_used')
try:
u.confirm_sign_up(code, username=username)
except ClientError as e:
flash(e.response.get('Error').get('Message'))
return redirect(url_for('confirm_signup', username=username))
return redirect(url_for('login', username=username))
return render_template('confirm_signup.html')
def get_cognito(request):
c = Cognito(settings.COGNITO_USER_POOL_ID,
settings.COGNITO_APP_ID,
access_token=request.session.get('ACCESS_TOKEN'),
id_token=request.session.get('ID_TOKEN'),
refresh_token=request.session.get('REFRESH_TOKEN'))
changed = c.check_token()
if changed:
request.session['ACCESS_TOKEN'] = c.access_token
request.session['REFRESH_TOKEN'] = c.refresh_token
request.session['ID_TOKEN'] = c.id_token
request.session.save()
return c
def do_work():
user_pool_id = os.environ['AWS_COGNITO_POOL_ID']
client_id = os.environ['AWS_COGNITO_CLIENT_ID']
client_secret = os.environ.get('AWS_COGNITO_SECRET_KEY')
username = os.environ.get('COGNITO_USER')
password = os.environ['COGNITO_PASSWORD']
u = Cognito(user_pool_id=user_pool_id,
client_id=client_id,
client_secret=client_secret,
username=username)
u.authenticate(password=password)
print(u.access_token)
def signout():
if 'id_token' in session and 'access_token' in session and 'refresh_token':
u = Cognito(cognito_userpool_id,
cognito_client_id,
cognito_userpool_region,
id_token=session['id_token'],
refresh_token=session['refresh_token'],
access_token=session['access_token'])
u.logout()
logout_user()
# to do
return redirect(url_for('index'))
def confirm_user(username, con_code):
if not username:
raise ValidationError("error.confirm_user.invalid_username")
if not con_code:
raise ValidationError("error.confirm_user.invalid_confirmation_code")
# here I am using warrant library because I found it easier than boto3
cognito = Cognito(cognito_userpool_id, cognito_app_client_id)
try:
cognito.confirm_sign_up(confirmation_code=con_code, username=username)
except Exception as e:
raise ValidationError("error.confirm_user.failed")
def authenticate_user(config, username, password):
u = Cognito(config['aws']['cognitio']['userPoolId'],
config['aws']['cognitio']['userPoolClientId'],
username=username)
u.authenticate(password=password)
user = u.get_user(attr_map={
"given_name": "first_name",
"family_name": "last_name"
})
print user.username, user.email_verified, u.access_token
return u.access_token
def setUp(self):
if env('USE_CLIENT_SECRET') == 'True':
self.app_id = env('COGNITO_APP_WITH_SECRET_ID')
self.client_secret = env('COGNITO_CLIENT_SECRET')
else:
self.app_id = env('COGNITO_APP_ID')
self.client_secret = None
self.cognito_user_pool_id = env('COGNITO_USER_POOL_ID')
self.username = env('COGNITO_TEST_USERNAME')
self.password = env('COGNITO_TEST_PASSWORD')
self.user = Cognito(self.cognito_user_pool_id,
self.app_id,
username=self.username,
client_secret=self.client_secret)
def register_new_user(userPoolId, appClientId, userPoolRegion, username, password):
"""
Test userpool in AWS database for existing accounts.
Inputs:
- awsService = 'cognito-idp'
- regionName = "us-east-2"
outputs:
- Response from AWS
"""
u = Cognito(userPoolId, appClientId, userPoolRegion)
u.add_base_attributes()
data = u.register(username, password)
return data
def logout_user():
access = request.headers.get('accessToken')
refresh = request.headers.get('refreshToken')
_id = request.headers.get('idToken')
u = Cognito(CONSTANTS['cognito_id'],
CONSTANTS['cognito_app'],
id_token=_id,
refresh_token=refresh,
access_token=access)
u.logout()
return Response(json.dumps({"status": True}),
status=200,
mimetype='application/json')
def post(self):
"""Allows a user to enter a code provided when they reset their password to update their password."""
json_data = request.get_json(force=True)
print(f"Reset pwd code: {json_data}")
email = json_data['email']
code = json_data['code']
password = json_data['password']
try:
u = Cognito(cognitoUserPoolId, cognitoUserPoolClientId, awsRegion, username=email)
u.confirm_forgot_password(code, password=password)
return ReturnDocument(email, "success").asdict()
except ClientError as err:
return ReturnDocument(err.__str__(), "error").asdict()
def post(self):
"""Confirm user registration"""
json_data = request.get_json(force=True)
email = json_data['email']
code = json_data['code']
try:
u = Cognito(cognitoUserPoolId, cognitoUserPoolClientId, awsRegion)
u.confirm_sign_up(code, username=email)
return ReturnDocument(email, "success").asdict()
except ClientError as err:
return ReturnDocument(err.__str__(), "error").asdict()
def employeeSignIn():
loadMe = json.dumps(request.form)
payInfo = json.loads(loadMe)
try:
uuid = generate_uuid(payInfo)
response = table.get_item(
Key={
'userID' : uuid
}
)
item = response['Item'];
dumpedItem = json.loads(json.dumps(item, default=decimal_default));
except Exception as e:
return response_with(responses.UNAUTHORIZED_401, value={"value" : str(e)})
else:
return response_with(responses.SUCCESS_200, value={"value" : dumpedItem});
loadMe = json.dumps(request.get_json(silent=True)["info"])
payInfo = json.loads(loadMe)
admin = payInfo["admin"]
u = Cognito(pool_id, client_id, user_pool_region="us-east-2", access_key=os.environ["AWS_ACCESS_KEY"],
secret_key=os.environ["AWS_SECRET_KEY"]);
u.add_base_attributes(email=payInfo["email"], name="name");
#email has to be proper email format
#password needs to have uppercase, lowercase, and a number
res = u.register(payInfo["email"], payInfo["password"]);
try:
uuid = generate_uuid(payInfo)
response = table.put_item(
Item={
'userID' : uuid,
'name': payInfo["name"],
'email': payInfo["email"],
'password': sha256encrypt(payInfo["password"]),
'hireDate' : payInfo["hireDate"], #format: MM/DD/YYYY
'department' : payInfo["department"],
'salary' : int(payInfo["salary"]),
'admin' :int(admin)
}
)
except Exception as e:
return response_with(responses.INVALID_FIELD_NAME_SENT_422, value={"value" : str(e)});
else:
return response_with(responses.SUCCESS_200, value={
"userID" : uuid,
"admin" : int(admin)
})
def handler(event, context):
print(event)
cognito_pool_id = os.environ['COGNITO_POOL_ID']
cognito_client_id = os.environ['COGNITO_CLIENT_ID']
username = event['username']
password = event['password']
cognito = Cognito(
cognito_pool_id,
cognito_client_id,
user_pool_region=os.environ['AWS_REGION'],
username=username)
try:
cognito.authenticate(password=password)
except Exception as e:
print(e)
raise Exception
else:
return cognito.id_token
def _cognito(cloud, **kwargs):
"""Get the client credentials."""
import botocore
import boto3
from warrant import Cognito
cognito = Cognito(
user_pool_id=cloud.user_pool_id,
client_id=cloud.cognito_client_id,
user_pool_region=cloud.region,
**kwargs
)
cognito.client = boto3.client(
'cognito-idp',
region_name=cloud.region,
config=botocore.config.Config(
signature_version=botocore.UNSIGNED
)
)
return cognito
