add jwt verifier

package.json

@@ -69,6 +69,7 @@
     "@tanstack/react-query": "^5.12.2",
     "@umami/prisma-client": "^0.8.0",
     "@umami/redis-client": "^0.18.0",
+    "aws-jwt-verify": "^4.0.0",
     "chalk": "^4.1.1",
     "chart.js": "^4.2.1",
     "chartjs-adapter-date-fns": "^3.0.0",
@@ -94,7 +95,6 @@
     "maxmind": "^4.3.6",
     "moment-timezone": "^0.5.35",
     "next": "14.0.4",
-    "next-auth": "^4.24.5",
     "next-basics": "^0.39.0",
     "node-fetch": "^3.2.8",
     "npm-run-all": "^4.1.5",

src/lib/jwtVerifier.ts

@@ -0,0 +1,10 @@
+import { JwtRsaVerifier } from "aws-jwt-verify";
+
+
+export const verifier = JwtRsaVerifier.create({
+  issuer: process.env.COGNITO_ISSUER, // set this to the expected "iss" claim on your JWTs
+  audience:null, // set this to the expected "aud" claim on your JWTs
+  jwksUri:  process.env.COGNITO_JWKS_URI, // set this to the JWKS uri from your OpenID configuration
+});
+
+

src/lib/middleware.ts

@@ -15,49 +15,10 @@ import {
 } from 'next-basics';
 import { NextApiRequestCollect } from 'pages/api/send';
 import { getUserById } from '../queries';
-import NextAuth from "next-auth"
-import CognitoProvider from "next-auth/providers/cognito";
-import { to } from '@react-spring/web';
+import { verifier } from './jwtVerifier';
+import { JwtExpiredError,JwtInvalidIssuerError } from "aws-jwt-verify/error";
 
 
-export const authOptions = {
-  providers: [
-    CognitoProvider({
-      clientId: process.env.COGNITO_CLIENT_ID,
-      clientSecret: process.env.COGNITO_CLIENT_SECRET ,
-      issuer: process.env.COGNITO_DOMAIN ,
-      idToken: true,
-      name: 'Cognito',
-      checks: 'nonce',
-    }),
-  ],
-  callbacks: {
-    async jwt({ token, user, account }) {
-      console.log("in next auth::::",token)
-      if (account) {
-        if (account['provider'] === 'cognito') {
-          var tokenParsed = JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString());
-          console.log("token parsed",tokenParsed )
-          // token.refreshToken = account?.refresh_token;
-          // token.accessTokenExpires = account.expires_at * 1000;
-          console.log("token parsed::::",tokenParsed['cognito:username'],tokenParsed['iat'])
-          return { userId: tokenParsed['cognito:username'], iat: tokenParsed['iat'] };
-        }
-      }
-      // Return previous token if the access token has not expired yet
-      if ((Date.now()) < (token.accessTokenExpires ?? 0)) {
-        return token;
-      }
-
-      // Access token has expired, try to update it
-    },
-  }
-}
-
-
-
-export default NextAuth(authOptions)
-
 const log = debug('umami:middleware');
 
 export const useCors = createMiddleware(
@@ -92,19 +53,27 @@ export const useSession = createMiddleware(async (req, res, next) => {
 
 export const useAuth = createMiddleware(async (req, res, next) => {
   const token = getAuthToken(req);
-  //console.log("got auth token",token)
   const payload = parseSecureToken(token, secret());
   const shareToken = await parseShareToken(req as any);
-  //console.log("got shareToken",shareToken);
   let cognitoPayload = {};
   if(!payload){
-    cognitoPayload =  await authOptions.callbacks.jwt({token:token,user:"",account:{provider:"cognito"}});
+    try {
+      const payload = await verifier.verify(token);
+      cognitoPayload = { userId: payload['cognito:username'], iat: payload['iat'] }
+    } catch(error){
+      if (error instanceof JwtExpiredError) {
+        console.error("JWT expired!",error.message);
+      }
+
+      if (error instanceof JwtInvalidIssuerError) {
+        console.error("JWT invalid issuer!",error.message);
+      }
+
+      console.log('INVALID TOKEN:::::',error);
+    }
   }
-  console.log("cognito auth payload",cognitoPayload)
-  console.log("umami auth payload ",payload);
   let user = null;
   const { userId, authKey, grant } = payload || cognitoPayload || {};
-
   if (userId) {
     user = await getUserById(userId);
   } else if (redis.enabled && authKey) {
@@ -152,4 +121,6 @@ export const useValidate = async (schema, req, res) => {
 
     next();
   })(req, res);
-};
+};
+
+//eyJraWQiOiIxcUJBak9xbGsyeEc5Q1laM25CbXBUNWZnSjJTMXduU3dZYTIzUnhucUU0PSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIwNmI2MjVmOS0zYTBmLTRmNjItOGQ2Ny0zZjVjYjI1ZjkyYTQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiY3VzdG9tOnJvbGVTdGF0dXMiOiJBUFBST1ZFRCIsImlzcyI6Imh0dHBzOlwvXC9jb2duaXRvLWlkcC51cy1lYXN0LTEuYW1hem9uYXdzLmNvbVwvdXMtZWFzdC0xX2dxYUMybFFqaCIsImNvZ25pdG86dXNlcm5hbWUiOiIwNmI2MjVmOS0zYTBmLTRmNjItOGQ2Ny0zZjVjYjI1ZjkyYTQiLCJnaXZlbl9uYW1lIjoiQW5raXQiLCJvcmlnaW5fanRpIjoiNTAyOTg5YTAtNDhjZi00MGY1LWI5MjEtZTA3ZmY4OTE3YzkyIiwiYXVkIjoiN2g2aGhvbXVpZnJsNWJlbWo4a25qbWIzbHUiLCJldmVudF9pZCI6ImVlYTAyYTk3LTVkMWItNGNlOC1hY2M3LTE3Y2IwMTQ5MGY5YiIsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNzA0Njg5MDM1LCJuYW1lIjoiQW5raXQgU2luZ2giLCJleHAiOjE3MDQ3MDM0MzUsImN1c3RvbTpyb2xlIjoiTk9OX1BST0ZJVCIsImlhdCI6MTcwNDY4OTAzNSwiZmFtaWx5X25hbWUiOiJTaW5naCIsImp0aSI6ImFjMTc0NWY3LWYyMGEtNDZiNS1iNmJiLThkOGU5Nzg4ZGUzNiIsImVtYWlsIjoiYXN0LmFua2l0MTAxOUBnbWFpbC5jb20ifQ.VkkVpcKi1DCtSLosSigqYFSfvotfMdFtpuNQBzotEF0EspxDgwbTcLLWpmw9zNp2A7s_s2wo2u6NnUhtJDt-VWhkPU0EvTuPkKldiviPej4i41jx6xNbeW7j9954sAvAxnbdyyXOFOfBrODyLR3OPpaZhR_VbB2ay5nFrp1IiDBG8OgHHO-Ca7kVTO0DznXwqzCdp82a8Tmlk4-Nej_nkIGuQmD1nAiUAk0IO7rmWA4lY377PZW4XEEC13K0ziM-lP5B6chp2SuycxcAeDBc-Yk_QcpumH2jpLy6pPee8Ehup7IHKsA28_4W7H1CTwxoNwviHI1k-jhQLzYiusn69g

yarn.lock

@@ -2991,6 +2991,11 @@ available-typed-arrays@^1.0.5:
   resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz#92f95616501069d07d10edb2fc37d3e1c65123b7"
   integrity sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==
 
+aws-jwt-verify@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/aws-jwt-verify/-/aws-jwt-verify-4.0.0.tgz#e069da942807cdd997ad3e9426980b1ff9422e68"
+  integrity sha512-1kCv+Ub3jBaQ6HnIjfAXswjp7xD0LO4GxwbQZ/o9IoJpb8/ZBUhHu5GQ4k2O7jOVTS/KOz86uw4NV71V3s6V3g==
+
 axe-core@^4.6.2:
   version "4.8.2"
   resolved "https://registry.yarnpkg.com/axe-core/-/axe-core-4.8.2.tgz#2f6f3cde40935825cf4465e3c1c9e77b240ff6ae"