User accounts

.github/workflows/deploy-ui-staging.workflow.yml

@@ -19,6 +19,8 @@ jobs:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       GATSBY_API_BASE_URL: ${{ secrets.GATSBY_API_BASE_URL }}
+      GATSBY_COGNITO_APP_CLIENT_ID: ${{ secrets.GATSBY_COGNITO_APP_CLIENT_ID }}
+      GATSBY_COGNITO_USER_POOL_ID: ${{ secrets.GATSBY_COGNITO_USER_POOL_ID }}
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-node@v2

aws/LICENSE

@@ -0,0 +1,14 @@
+MIT No Attribution
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this
+software and associated documentation files (the "Software"), to deal in the Software
+without restriction, including without limitation the rights to use, copy, modify,
+merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

aws/README.md

@@ -0,0 +1,34 @@
+## Amazon Cognito Passwordless Email Auth
+
+Based of [the blog post on passwordless e-mail auth in Amazon Cognito](https://aws.amazon.com/blogs/mobile/implementing-passwordless-email-authentication-with-amazon-cognito/).
+
+- [./cognito](./cognito): a Serverless Application that includes a Cognito user pool with the necessary setup
+
+This is currently used for the forgot password flow to verify a user's email and set a new password.
+
+
+# Deployment from command line
+
+Set the following environment variables
+**PROD**
+```bash
+export S3_BUCKET_NAME=tracktak-cognito;
+export [email protected];
+export STACK_NAME=tracktakCognitoEmailAuthFlow;
+export USER_POOL_NAME=Tracktak;
+export AWS_DEFAULT_REGION=eu-west-2;
+```
+
+**TEST**
+```bash
+export S3_BUCKET_NAME=tracktak-cognito-test;
+export [email protected];
+export STACK_NAME=tracktakCognitoEmailAuthFlowTest;
+export USER_POOL_NAME=TracktakTest;
+export AWS_DEFAULT_REGION=eu-west-2;
+```
+
+Run
+```bash
+npm run bd
+```

aws/cognito/.gitignore

@@ -0,0 +1,137 @@
+# Created by https://www.gitignore.io/api/osx,node,linux,windows
+
+### Linux ###
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### Node ###
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Typescript v1 declaration files
+typings/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+
+
+### OSX ###
+*.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Windows ###
+# Windows thumbnail cache files
+Thumbs.db
+ehthumbs.db
+ehthumbs_vista.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+
+# End of https://www.gitignore.io/api/osx,node,linux,windows
+
+# Ignore the generated cloudformation template
+packaged.yaml
+
+# Ignore js as we'll be doing typescript
+*.js
+
+# Ignore local file for setting environment variables
+setenvs.sh

aws/cognito/LICENSE

@@ -0,0 +1,14 @@
+MIT No Attribution
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this
+software and associated documentation files (the "Software"), to deal in the Software
+without restriction, including without limitation the rights to use, copy, modify,
+merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

aws/cognito/README.md

@@ -0,0 +1,52 @@
+# Cognito E-Mail Auth Backend
+
+This is an AWS Serverless Application. If you deploy it, this is what you get:
+
+- An Amazon Cognito User Pool, pre-configured with AWS Lambda triggers to implement passwordless e-mail auth
+- An Amazon Cognito User Pool Client, that you can use to integrate with the User Pool
+- The needed Lambda functions that serve as User Pool triggers
+- The permissions on the Lambda functions so that the User Pool may invoke them
+
+## Deployment instructions
+
+Deploy either through the Serverless Application Repository or with the AWS SAM CLI
+
+### Deployment trough Serverless Application Repository
+
+This is the easiest path. Find the Serverless Application in the [Repository](https://console.aws.amazon.com/serverlessrepo/) using tags "cognito" and "passwordless" or navigate to it directly with [this link](https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:520945424137:applications~amazon-cognito-passwordless-email-auth).
+
+If you deploy the Serverless Application you'll get a CloudFormation stack with the resources mentioned above. The outputs of the CloudFormation stack will contain the ID's of the user pool and client, that you can use in your client web app.
+
+#### Pre-requisite
+
+- You need to have a [verified e-mail address in Amazon SES](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses-procedure.html) to send the e-mails from. If your AWS account in still in the [SES sandbox](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html), you also need to verify the e-mail adresses you want to send mails to. Lastly, if you don't want your mails to end up in spam folders, [verify the domain](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-domain-procedure.html) you use to send mails from as well.
+
+### Alternative Deployment with AWS SAM CLI
+
+#### Pre-requisites
+
+1. Download and install [Node.js](https://nodejs.org/en/download/)
+2. Download and install [AWS SAM CLI](https://github.com/awslabs/aws-sam-cli)
+3. Of course you need an AWS account and necessary permissions to create resources in it. Make sure your AWS credentials can be found during deployment, e.g. by making your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY available as environment variables.
+4. You need to have a [verified e-mail address in Amazon SES](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses-procedure.html) to send the e-mails from. If your AWS account in still in the [SES sandbox](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html), you also need to verify the e-mail adresses you want to send mails to. Lastly, if you don't want your mails to end up in spam folders, [verify the domain](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-domain-procedure.html) you use to send mails from as well.
+5. You need an existing S3 bucket to use for the SAM deployment. Create an empty bucket.
+
+NOTE: To deploy this application _**please pick an AWS Region in which you can use Amazon Simple E-Mail Service (i.e. us-east-1, us-west-2 or eu-west-1)**_ and create all resources (including the S3 bucket) in that region. This is not a hard requirement for setting up e-mail auth in Cognito in general; but it is so in this demo application to keep things simple.
+
+#### How to deploy the Serverless Application with AWS SAM CLI
+
+1. Clone this repo `git clone https://github.com/aws-samples/amazon-cognito-passwordless-email-auth.git`
+2. Enter cognito directory: `cd amazon-cognito-passwordless-email-auth/cognito`
+3. Install dependencies: `npm install`
+4. Set the following environment variables (all mandatory):
+  - S3_BUCKET_NAME='the bucket name of the bucket you want to use for your SAM deployment'
+  - SES_FROM_ADDRESS='the verfied e-mail address in SES the e-mails will be sent from'
+  - STACK_NAME='the name you want the CloudFormation stack to be created with'
+  - USER_POOL_NAME='the name you want your User Pool to be created with'
+5. Build and deploy the application: `npm run bd` This runs AWS SAM CLI
+
+if that succeeded, you have succesfully deployed your application. The outputs of the CloudFormation stack will contain the ID's of the User Pool and Client, that you can use in your client web app.
+
+## License Summary
+
+This sample code is made available under a modified MIT license. See the LICENSE file.

aws/cognito/lambda-triggers/change-password/change-password.ts

@@ -0,0 +1,42 @@
+// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT-0
+
+import { Handler } from 'aws-lambda';
+import { CognitoIdentityProviderClient, AdminSetUserPasswordCommand } from "@aws-sdk/client-cognito-identity-provider";
+import { BaseTriggerEvent, StringMap } from 'aws-lambda/trigger/cognito-user-pool-trigger/_common';
+
+interface ChangePasswordTriggerEvent extends BaseTriggerEvent<'VerifyAuthChallengeResponse_Authentication'> {
+    request: {
+        clientMetadata?: StringMap;
+    };
+    response: {
+        passwordSet: boolean;
+    };
+}
+
+type ChangePasswordTriggerHandler = Handler<ChangePasswordTriggerEvent>;
+
+export const handler: ChangePasswordTriggerHandler = async (event, _, callback) => {
+    const response = await changePassword(event);
+    const responseCode = response?.$metadata?.httpStatusCode;
+    const passwordSet = responseCode && responseCode >= 200 && responseCode < 300;
+    return callback(null, passwordSet);
+};
+
+//@ts-ignore
+const changePassword = async (event) => {
+    const client = new CognitoIdentityProviderClient({
+        credentials: {
+            accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
+            secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
+        }
+    });
+    const command = new AdminSetUserPasswordCommand({
+        UserPoolId: 'eu-west-2_LX9s4plN5',
+        Username: event.username,
+        Password: event.newPassword,
+        Permanent: true,
+    });
+
+    return await client.send(command);
+}