forked from atinux/nuxt-auth-utils
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cognito.ts
116 lines (107 loc) · 3.69 KB
/
cognito.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
import type { H3Event } from 'h3'
import { eventHandler, createError, getQuery, getRequestURL, sendRedirect } from 'h3'
import { withQuery, parsePath } from 'ufo'
import { defu } from 'defu'
import { useRuntimeConfig } from '#imports'
import type { OAuthConfig } from '#auth-utils'
export interface OAuthCognitoConfig {
/**
* AWS Cognito App Client ID
* @default process.env.NUXT_OAUTH_COGNITO_CLIENT_ID
*/
clientId?: string
/**
* AWS Cognito App Client Secret
* @default process.env.NUXT_OAUTH_COGNITO_CLIENT_SECRET
*/
clientSecret?: string
/**
* AWS Cognito User Pool ID
* @default process.env.NUXT_OAUTH_COGNITO_USER_POOL_ID
*/
userPoolId?: string
/**
* AWS Cognito Region
* @default process.env.NUXT_OAUTH_COGNITO_REGION
*/
region?: string
/**
* AWS Cognito Scope
* @default []
*/
scope?: string[]
/**
* Extra authorization parameters to provide to the authorization URL
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
*/
authorizationParams?: Record<string, string>
}
export function oauthCognitoEventHandler({ config, onSuccess, onError }: OAuthConfig<OAuthCognitoConfig>) {
return eventHandler(async (event: H3Event) => {
config = defu(config, useRuntimeConfig(event).oauth?.cognito, {
authorizationParams: {},
}) as OAuthCognitoConfig
const { code } = getQuery(event)
if (!config.clientId || !config.clientSecret || !config.userPoolId || !config.region) {
const error = createError({
statusCode: 500,
message: 'Missing NUXT_OAUTH_COGNITO_CLIENT_ID, NUXT_OAUTH_COGNITO_CLIENT_SECRET, NUXT_OAUTH_COGNITO_USER_POOL_ID, or NUXT_OAUTH_COGNITO_REGION env variables.',
})
if (!onError) throw error
return onError(event, error)
}
const authorizationURL = `https://${config.userPoolId}.auth.${config.region}.amazoncognito.com/oauth2/authorize`
const tokenURL = `https://${config.userPoolId}.auth.${config.region}.amazoncognito.com/oauth2/token`
const redirectUrl = getRequestURL(event).href
if (!code) {
config.scope = config.scope || ['openid', 'profile']
// Redirect to Cognito login page
return sendRedirect(
event,
withQuery(authorizationURL as string, {
client_id: config.clientId,
redirect_uri: redirectUrl,
response_type: 'code',
scope: config.scope.join(' '),
...config.authorizationParams,
}),
)
}
// TODO: improve typing
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const tokens: any = await $fetch(
tokenURL as string,
{
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
body: `grant_type=authorization_code&client_id=${config.clientId}&client_secret=${config.clientSecret}&redirect_uri=${parsePath(redirectUrl).pathname}&code=${code}`,
},
).catch((error) => {
return { error }
})
if (tokens.error) {
const error = createError({
statusCode: 401,
message: `Cognito login failed: ${tokens.error_description || 'Unknown error'}`,
data: tokens,
})
if (!onError) throw error
return onError(event, error)
}
const tokenType = tokens.token_type
const accessToken = tokens.access_token
// TODO: improve typing
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const user: any = await $fetch(`https://${config.userPoolId}.auth.${config.region}.amazoncognito.com/oauth2/userInfo`, {
headers: {
Authorization: `${tokenType} ${accessToken}`,
},
})
return onSuccess(event, {
tokens,
user,
})
})
}