async def test_decode_access_token_with_app_id():
claims = cognitojwt.decode(TEST_ID_TOKEN,
AWS_COGNITO_REGION,
AWS_COGNITO_USERPOOL_ID,
AWS_COGNITO_APP_CLIENT_ID,
testmode=True)
assert isinstance(claims, dict)
def authenticate(self, request):
"""Entrypoint for Django Rest Framework"""
jwt_token = get_jwt_token(request)
if jwt_token is None:
return None
verified_claims: dict
# Authenticate token
try:
verified_claims: dict = cognitojwt.decode(
get_jwt_token(request),
COGNITO_AWS_REGION,
COGNITO_USER_POOL,
testmode=
False # Disable token expiration check for testing purposes
)
except:
raise exceptions.AuthenticationFailed()
USER_MODEL = get_user_model()
user = USER_MODEL.objects.get_or_create(
auth_key=verified_claims['sub'],
defaults={
'username': verified_claims['username'],
'is_active': True,
})
return user[0], jwt_token
def verify_token(id_token: str):
logger.info("Verifying token: {}".format(id_token))
if id_token is None or not id_token.startswith("Bearer "):
exception = exceptions.get(exceptions.USER_NOT_AUTHORIZED_EXCEPTION)
exception.append_to_log("id_token: {}".format(id_token))
exception.append_to_log("cause: Bearer not present")
raise exception
token = id_token.replace("Bearer ", "")
try:
verified_claims: dict = cognitojwt.decode(
token,
environment_config.aws_cognito_region,
environment_config.aws_cognito_user_pool_id,
testmode=not environment_config.aws_cognito_enabled)
logger.info("Token validated successfully")
return AuthUser(verified_claims["sub"], verified_claims["email"])
except CognitoJWTException as jwt_exception:
exception = exceptions.get(exceptions.USER_NOT_AUTHORIZED_EXCEPTION)
exception.append_to_log("id_token: {}".format(id_token))
exception.append_to_log("exception: {}".format(traceback.format_exc()))
raise exception
except ValueError as value_exception:
exception = exceptions.get(exceptions.USER_NOT_AUTHORIZED_EXCEPTION)
exception.append_to_log("id_token: {}".format(id_token))
exception.append_to_log("exception: {}".format(traceback.format_exc()))
raise exception
def lambda_handler(event, context):
id_token = event['authorizationToken']
methodArn = event['methodArn']
path = returnPath(methodArn)
try:
verified_claims: dict = cognitojwt.decode(
id_token,
REGION,
USERPOOL_ID,
app_client_id=APP_CLIENT_ID,
testmode=False # Disable token expiration check for testing purposes
)
username = verified_claims[USERNAME]
role = verified_claims[ROLE_ATTRIBUTE]
response = ddb.get_item(TableName=DDB_USAGE_TABLE,
Key={'PrincipalId': {
'S': username
}})
if 'Item' not in response:
ddb.put_item(TableName=DDB_USAGE_TABLE,
Item={
'PrincipalId': {
'S': username
},
'CallLimit': {
'N': DEFAULT_CALL_LIMIT
},
'Calls': {
'N': '1'
},
'TTL': {
'N': reset_date
}
})
elif int(response['Item']['CallLimit']['N']) > int(
response['Item']['Calls']['N']):
Calls = str(int(response['Item']['Calls']['N']) + 1)
ddb.update_item(
TableName=DDB_USAGE_TABLE,
Key={'PrincipalId': {
'S': username
}},
AttributeUpdates={'Calls': {
'Value': {
'N': Calls
}
}})
else:
errorMsg = "Daily call limit of {} has exceeded for {}".format(
response['Item']['CallLimit']['N'], username)
return deniedResponse(username, 'Deny', methodArn, errorMsg)
return checkRolePermissions(role, path, ddb, DDB_ROLES_TABLE, username,
methodArn)
except CognitoJWTException as e:
return deniedResponse('null', 'Deny', methodArn, str(e))
except JWTError as e:
return deniedResponse('null', 'Deny', methodArn, str(e))
def test_decode_access_token_without_app_id():
claims = cognitojwt.decode(
TEST_ACCESS_TOKEN,
AWS_COGNITO_REGION,
AWS_COGNITO_USERPOOL_ID,
testmode=True
)
assert isinstance(claims, dict)
def decode(self, token: str, client_id: str = None):
try:
return cognitojwt.decode(token,
self._region,
self._user_pool_id,
app_client_id=client_id)
except CognitoJWTException:
raise ff.UnauthenticatedError()
def verify_token(token):
verified_claims: dict = cognitojwt.decode(
token,
region,
userpool_id,
app_client_id=app_client_id, # Optional
testmode=True, # Disable token expiration check for testing purposes
)
return verified_claims
def get_user_sub(jwt_token):
"""
Validate JWT claims & retrieve user identifier
"""
try:
verified_claims = cognitojwt.decode(jwt_token,
os.environ["AWS_REGION"],
os.environ["USERPOOL_ID"])
except (cognitojwt.CognitoJWTException, ValueError):
verified_claims = {}
return verified_claims.get("sub")
def decode(self, token: str, client_id: str = None):
try:
return cognitojwt.decode(
token,
self._region,
self._user_pool_id,
app_client_id=client_id
)
except (KeyError, ValueError) as e:
self.info(e)
return
except CognitoJWTException as e:
self.exception(e)
raise ff.UnauthenticatedError()
def verify_token(token):
try:
user = cognitojwt.decode(token, current_app.config['PROVIDER_REGION'],
current_app.config['AUTH_POOL'])
if user:
g.user = user
return True
return False
except Exception as ex:
current_app.logger.error(f'Unable to verify token : {ex}')
return False
def get_cognito_user_profile_info(self, jwt_token):
resp = cognitojwt.decode(
jwt_token,
self.region,
self.user_pool_id,
app_client_id=self.app_client_id, # Optional
testmode=True # Disable token expiration check for testing purposes
)
if not resp or resp.status != 200:
raise AuthenticationError(
'Failed to fetch user profile, status ({0})'.format(
resp.status if resp else 'None'))
return resp.data['name'], resp.data['email']
def verify_token(token):
try:
user = cognitojwt.decode(
token,
current_app.config['PROVIDER_REGION'],
current_app.config['AUTH_POOL'],
app_client_id=current_app.config['AUTH_CLIENT_ID']
)
if user:
g.user = user
return True
return False
except Exception as ex:
return False
def check_cognito_jwt(self, request):
"""Check if valid cognito jwt."""
jwt = self.get_jwt_token(request)
if not jwt:
return False
try:
resp = cognitojwt.decode(
jwt,
AWS_REGION,
COGNTIO_USER_POOL_ID,
app_client_id=COGNITO_CLIENT_ID,
)
self.username = resp["cognito:username"]
self.groups = resp.get("cognito:groups", [])
return self.username
except Exception as e:
logger.exception(e)
return False
def sign():
signinform = SigninForm(prefix="signin")
signupform = SignupForm(prefix="signup")
if request.method == 'POST':
form = request.form
pprint.pprint(form)
if request.form['btn'] == 'Signin':
# session["active_panel"] = "login-form-link"
if signinform.validate_on_submit():
try:
auth_cognito = Cognito(
cognito_userpool_id,
cognito_client_id,
user_pool_region=cognito_userpool_region,
username=form['signin-username'])
auth_cognito.authenticate(password=form['signin-password'])
decoded_token = cognitojwt.decode(auth_cognito.id_token,
cognito_userpool_region,
cognito_userpool_id,
cognito_client_id)
user = auth_cognito.get_user()
credit = user._data['custom:credit']
# except NotAuthorizedException as e:
# flash(e.response['Error']['Message'])
# return redirect(request.referrer)
except Exception as e:
if hasattr(e, 'message'):
msg = e.message
else:
msg = str(e)
flash(msg, 'error')
return redirect(request.referrer)
else:
flash("Signin Successfully!")
user = User()
user.id = decoded_token["cognito:username"]
user.credit = credit
session['credit'] = credit
session['expires'] = decoded_token["exp"]
session['refresh_token'] = auth_cognito.refresh_token
session['id_token'] = auth_cognito.id_token
session['access_token'] = auth_cognito.access_token
login_user(user, remember=True)
next_url = request.args.get('next', 'index').strip("/")
print("next_url:{}".format(next_url))
return redirect(url_for(next_url))
else:
flash(signinform.errors)
return redirect(request.referrer)
elif request.form['btn'] == 'Signup':
# session["active_panel"] = "register-form-link"
if signupform.validate_on_submit():
try:
u = Cognito(cognito_userpool_id, cognito_client_id,
cognito_userpool_region)
u.add_base_attributes(email=form['signup-email'])
u.add_custom_attributes(credit='0')
u.register(form['signup-username'],
form['signup-password'])
except Exception as e:
if hasattr(e, 'message'):
msg = e.message
else:
msg = str(e)
flash(msg, 'error')
else:
pprint.pprint(session)
flash("Finish the signup by confirm link in mailbox")
else:
flash(signupform.errors, "error")
return redirect(request.referrer)
return render_template('sign.html',
signinform=signinform,
signupform=signupform)
def decode_id_token(id_token):
return cognitojwt.decode(id_token, "us-east-1", USER_POOL_ID)
def cognito_callback():
"""
Read: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
A successful authentication will have the following dictionary:
{
"access_token": "......",
"refresh_token": "......",
"id_token": "......",
"token_type": "Bearer",
"expires_in": 3600
}
"""
L.info(message='Got stuff back from Cognito')
code = request.args.get('code', None)
state = request.args.get('state', None)
L.info(message='code={}'.format(code))
L.info(message='state={}'.format(state))
if state is not None and code is not None:
if state == 'DEMO-STATE':
# Exchange code for token
target_url = '{}/oauth2/token'.format(cognito_domain)
L.info(message='target_url={}'.format(target_url))
L.info(message='cognito_client_id={}'.format(cognito_client_id))
L.info(message='code={}'.format(code))
L.info(message='cognito_login_callback_url={}'.format(
cognito_login_callback_url))
try:
token_request_response = requests.post(
target_url,
data={
'grant_type': 'authorization_code',
'client_id': cognito_client_id,
'code': code,
'redirect_uri': cognito_login_callback_url,
},
headers={
'Authorization':
'Basic {}'.format(cognito_final_creds),
'Content-Type': 'application/x-www-form-urlencoded'
})
if token_request_response.status_code == 200:
flash('Thanks for logging in!')
json_response = token_request_response.json()
L.info(message='json_response={}'.format(json_response))
# Validate token
verified_claims = dict()
try:
verified_claims: dict = cognitojwt.decode(
json_response['access_token'],
os.getenv('COGNITO_REGION', 'us-east-1'),
os.getenv('COGNITO_USER_POOL_ID', 'not-set'),
app_client_id=cognito_client_id,
testmode=False)
L.info(message='verified_claims={}'.format(
verified_claims))
except:
L.error(message='EXCEPTION: {}'.format(
traceback.format_exc()))
L.error(message='TOKENS ARE UNVERIFIED')
user_info_target_url = '{}/oauth2/userInfo'.format(
cognito_domain)
user_info_response = requests.get(
user_info_target_url,
headers={
'Authorization':
'Bearer {}'.format(json_response['access_token']),
})
L.info(message='user_info_response={}'.format(
user_info_response))
if user_info_response.status_code == 200:
user_info_json_response = user_info_response.json()
L.info(message='user_info_json_response={}'.format(
user_info_json_response))
session['logged_in'] = True
session['username'] = user_info_json_response['email']
session['cognito_raw_data'] = user_info_json_response
return redirect('/secret')
else:
L.info(message='ERROR: LEG 2: return code: {}'.format(
user_info_response.status_code))
flash(
'We failed to get a token - please ensure you are not being hacked! Or are you the haxor?'
)
else:
L.info(message='ERROR: LEG 1: return code: {}'.format(
token_request_response.status_code))
flash(
'We failed to get a token - please ensure you are not being hacked! Or are you the haxor?'
)
except:
L.error(message='EXCEPTION: {}'.format(traceback.format_exc()))
return redirect('/')
