From 11f1566447702ed958ecb31f7eba4b73e2c45b8b Mon Sep 17 00:00:00 2001 From: Adrian Morfi Date: Mon, 6 Jun 2022 13:41:49 +0200 Subject: [PATCH] adding aud validation --- .../decode-verify-jwt/decode-verify-jwt.ts | 26 +++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/Cognito/decode-verify-jwt/decode-verify-jwt.ts b/Cognito/decode-verify-jwt/decode-verify-jwt.ts index 00da2c1..c2070c7 100644 --- a/Cognito/decode-verify-jwt/decode-verify-jwt.ts +++ b/Cognito/decode-verify-jwt/decode-verify-jwt.ts @@ -48,11 +48,22 @@ interface Claim { client_id: string; } -const cognitoPoolId = process.env.COGNITO_POOL_ID || ''; -if (!cognitoPoolId) { - throw new Error('env var required for cognito pool'); +const USERPOOL_ID = process.env.COGNITO_POOL_ID || ''; +if (!USERPOOL_ID) { + throw new Error('USERPOOL_ID env var required'); } -const cognitoIssuer = `https://cognito-idp.us-east-1.amazonaws.com/${cognitoPoolId}`; + +const CLIENT_ID = process.env.CLIENT_ID || ''; +if (!CLIENT_ID) { + throw new Error('CLIENT_ID env var required'); +} + +const AWS_REGION = process.env.AWS_REGION || ''; +if (!AWS_REGION) { + throw new Error('AWS_REGION env var required'); +} + +const cognitoIssuer = `https://cognito-idp.${AWS_REGION}.amazonaws.com/${USERPOOL_ID}`; let cacheKeys: MapOfKidToPublicKey | undefined; const getPublicKeys = async (): Promise => { @@ -99,6 +110,11 @@ const handler = async (request: ClaimVerifyRequest): Promise if (claim.token_use !== 'access') { throw new Error('claim use is not access'); } + // Verify the Audience (use claims['client_id'] if verifying an access token) + if (claim.client_id !== CLIENT_ID) { + throw new Error('token was not issued for this audience'); + } + console.log(`claim confirmed for ${claim.username}`); result = {userName: claim.username, clientId: claim.client_id, isValid: true}; } catch (error) { @@ -107,4 +123,4 @@ const handler = async (request: ClaimVerifyRequest): Promise return result; }; -export {handler}; +export {handler}; \ No newline at end of file