diff --git a/package.json b/package.json
index 18c6dfee5..22c8c3818 100644
--- a/package.json
+++ b/package.json
@@ -69,6 +69,7 @@
 "@tanstack/react-query": "^5.12.2",
 "@umami/prisma-client": "^0.8.0",
 "@umami/redis-client": "^0.18.0",
+ "aws-jwt-verify": "^4.0.0",
 "chalk": "^4.1.1",
 "chart.js": "^4.2.1",
 "chartjs-adapter-date-fns": "^3.0.0",
@@ -94,7 +95,6 @@
 "maxmind": "^4.3.6",
 "moment-timezone": "^0.5.35",
 "next": "14.0.4",
- "next-auth": "^4.24.5",
 "next-basics": "^0.39.0",
 "node-fetch": "^3.2.8",
 "npm-run-all": "^4.1.5",
diff --git a/src/lib/jwtVerifier.ts b/src/lib/jwtVerifier.ts
new file mode 100644
index 000000000..2bfa94678
--- /dev/null
+++ b/src/lib/jwtVerifier.ts
@@ -0,0 +1,10 @@
+import { JwtRsaVerifier } from "aws-jwt-verify";
+
+
+export const verifier = JwtRsaVerifier.create({
+ issuer: process.env.COGNITO_ISSUER, // set this to the expected "iss" claim on your JWTs
+ audience:null, // set this to the expected "aud" claim on your JWTs
+ jwksUri: process.env.COGNITO_JWKS_URI, // set this to the JWKS uri from your OpenID configuration
+});
+
+
diff --git a/src/lib/middleware.ts b/src/lib/middleware.ts
index 71c7a211f..8114e7559 100644
--- a/src/lib/middleware.ts
+++ b/src/lib/middleware.ts
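Review bot: `audience:null` in jwtVerifier.ts switches the `aud` check off, so any RS256 token signed by the configured issuer is accepted no matter which app client it was minted for; with a Cognito user pool the expected value is the app client id, so use `audience: process.env.COGNITO_CLIENT_ID` (the variable the removed next-auth config already read), or switch to the library's `CognitoJwtVerifier.create({ userPoolId, clientId, tokenUse: 'id' })`, which also pins the token type. Neither env var is validated here, so an unset `COGNITO_ISSUER` or `COGNITO_JWKS_URI` presumably surfaces only as a throw at module load or a failure at verify time; a guard such as `if (!process.env.COGNITO_ISSUER) throw new Error('COGNITO_ISSUER is not set');` makes the misconfiguration explicit. The trailing comments are the library's template text; replace them with what the values mean for this deployment, e.g. `// iss of the Cognito user pool: https://cognito-idp.<region>.amazonaws.com/<pool-id>` (placeholder form).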
@@ -15,49 +15,10 @@ import {
 } from 'next-basics';
 import { NextApiRequestCollect } from 'pages/api/send';
 import { getUserById } from '../queries';
-import NextAuth from "next-auth"
-import CognitoProvider from "next-auth/providers/cognito";
-import { to } from '@react-spring/web';
+import { verifier } from './jwtVerifier';
+import { JwtExpiredError,JwtInvalidIssuerError } from "aws-jwt-verify/error";
-export const authOptions = {
- providers: [
- CognitoProvider({
- clientId: process.env.COGNITO_CLIENT_ID,
- clientSecret: process.env.COGNITO_CLIENT_SECRET ,
- issuer: process.env.COGNITO_DOMAIN ,
- idToken: true,
- name: 'Cognito',
- checks: 'nonce',
- }),
- ],
- callbacks: {
- async jwt({ token, user, account }) {
- console.log("in next auth::::",token)
- if (account) {
- if (account['provider'] === 'cognito') {
- var tokenParsed = JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString());
- console.log("token parsed",tokenParsed )
- // token.refreshToken = account?.refresh_token;
- // token.accessTokenExpires = account.expires_at * 1000;
- console.log("token parsed::::",tokenParsed['cognito:username'],tokenParsed['iat'])
- return { userId: tokenParsed['cognito:username'], iat: tokenParsed['iat'] };
- }
- }
- // Return previous token if the access token has not expired yet
- if ((Date.now()) < (token.accessTokenExpires ?? 0)) {
- return token;
- }
-
- // Access token has expired, try to update it
- },
- }
-}
-
-
-
-export default NextAuth(authOptions)
-
 const log = debug('umami:middleware');
 export const useCors = createMiddleware(
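Review bot: The new import line mixes quote styles with the file's other imports and omits the space after the comma; write it as `import { JwtExpiredError, JwtInvalidIssuerError } from 'aws-jwt-verify/error';` so it matches `'./jwtVerifier'` and `'../queries'` on the neighbouring lines. Dropping the default `NextAuth(authOptions)` export from this module changes its public surface, so it is worth confirming no page route still imports the default from `lib/middleware`.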
@@ -92,19 +53,27 @@ export const useSession = createMiddleware(async (req, res, next) => {
 export const useAuth = createMiddleware(async (req, res, next) => {
 const token = getAuthToken(req);
- //console.log("got auth token",token)
 const payload = parseSecureToken(token, secret());
 const shareToken = await parseShareToken(req as any);
- //console.log("got shareToken",shareToken);
 let cognitoPayload = {};
 if(!payload){
- cognitoPayload = await authOptions.callbacks.jwt({token:token,user:"",account:{provider:"cognito"}});
+ try {
+ const payload = await verifier.verify(token);
+ cognitoPayload = { userId: payload['cognito:username'], iat: payload['iat'] }
+ } catch(error){
+ if (error instanceof JwtExpiredError) {
+ console.error("JWT expired!",error.message);
+ }
+
+ if (error instanceof JwtInvalidIssuerError) {
+ console.error("JWT invalid issuer!",error.message);
+ }
+
+ console.log('INVALID TOKEN:::::',error);
+ }
 }
- console.log("cognito auth payload",cognitoPayload)
- console.log("umami auth payload ",payload);
 let user = null;
 const { userId, authKey, grant } = payload || cognitoPayload || {};
-
 if (userId) {
 user = await getUserById(userId);
 } else if (redis.enabled && authKey) {
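Review bot: `verifier.verify(token)` inside `if(!payload){` runs for every request that has no umami session, including requests carrying no token at all, and the inner `const payload` shadows the outer `payload` it sits under. When `getAuthToken` yields nothing, `verify` presumably rejects the undefined value and the catch prints `INVALID TOKEN:::::` plus the whole error object on every unauthenticated hit, so guard the call on `token` and give the claims their own name. Logging belongs on the module's `log` debug channel rather than `console.error`/`console.log`, and with the message only: an expired or foreign-issuer token is an ordinary client condition, and dumping the raw error object risks echoing token material into server logs. The remainder of `useAuth` continues outside the hunk.
```typescript
  if (!payload && token) {
    try {
      const claims = await verifier.verify(token);
      cognitoPayload = { userId: claims['cognito:username'], iat: claims['iat'] };
    } catch (error) {
      // Expired / wrong-issuer tokens are expected client errors: log the message
      // only, never the raw error object.
      if (error instanceof JwtExpiredError || error instanceof JwtInvalidIssuerError) {
        log('cognito token rejected: %s', error.message);
      } else {
        log('cognito token verification failed: %s', error instanceof Error ? error.message : String(error));
      }
    }
  }
  // … unchanged: user lookup and grant handling …
```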
@@ -152,4 +121,6 @@ export const useValidate = async (schema, req, res) => {
 next();
 })(req, res);
-};
\ No newline at end of file
+};
+
+//eyJraWQiOiIxcUJBak9xbGsyeEc5Q1laM25CbXBUNWZnSjJTMXduU3dZYTIzUnhucUU0PSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIwNmI2MjVmOS0zYTBmLTRmNjItOGQ2Ny0zZjVjYjI1ZjkyYTQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiY3VzdG9tOnJvbGVTdGF0dXMiOiJBUFBST1ZFRCIsImlzcyI6Imh0dHBzOlwvXC9jb2duaXRvLWlkcC51cy1lYXN0LTEuYW1hem9uYXdzLmNvbVwvdXMtZWFzdC0xX2dxYUMybFFqaCIsImNvZ25pdG86dXNlcm5hbWUiOiIwNmI2MjVmOS0zYTBmLTRmNjItOGQ2Ny0zZjVjYjI1ZjkyYTQiLCJnaXZlbl9uYW1lIjoiQW5raXQiLCJvcmlnaW5fanRpIjoiNTAyOTg5YTAtNDhjZi00MGY1LWI5MjEtZTA3ZmY4OTE3YzkyIiwiYXVkIjoiN2g2aGhvbXVpZnJsNWJlbWo4a25qbWIzbHUiLCJldmVudF9pZCI6ImVlYTAyYTk3LTVkMWItNGNlOC1hY2M3LTE3Y2IwMTQ5MGY5YiIsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNzA0Njg5MDM1LCJuYW1lIjoiQW5raXQgU2luZ2giLCJleHAiOjE3MDQ3MDM0MzUsImN1c3RvbTpyb2xlIjoiTk9OX1BST0ZJVCIsImlhdCI6MTcwNDY4OTAzNSwiZmFtaWx5X25hbWUiOiJTaW5naCIsImp0aSI6ImFjMTc0NWY3LWYyMGEtNDZiNS1iNmJiLThkOGU5Nzg4ZGUzNiIsImVtYWlsIjoiYXN0LmFua2l0MTAxOUBnbWFpbC5jb20ifQ.VkkVpcKi1DCtSLosSigqYFSfvotfMdFtpuNQBzotEF0EspxDgwbTcLLWpmw9zNp2A7s_s2wo2u6NnUhtJDt-VWhkPU0EvTuPkKldiviPej4i41jx6xNbeW7j9954sAvAxnbdyyXOFOfBrODyLR3OPpaZhR_VbB2ay5nFrp1IiDBG8OgHHO-Ca7kVTO0DznXwqzCdp82a8Tmlk4-Nej_nkIGuQmD1nAiUAk0IO7rmWA4lY377PZW4XEEC13K0ziM-lP5B6chp2SuycxcAeDBc-Yk_QcpumH2jpLy6pPee8Ehup7IHKsA28_4W7H1CTwxoNwviHI1k-jhQLzYiusn69g
\ No newline at end of file
diff --git a/yarn.lock b/yarn.lock
index b24830a3c..efcfc8fcd 100644
--- a/yarn.lock
+++ b/yarn.lock
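Review bot: The file now ends with a commented-out JWT (`//eyJraWQi…`), a signed Cognito ID token whose header and claims are plain base64 and therefore readable by anyone with repository access; a bearer credential, even one that has since expired, does not belong in source, so delete the line and treat the token as disclosed (it is already in history, so the account it identifies should be signed out globally and its claims regarded as public). The `\ No newline at end of file` marker also survives on the new side; end the file with a newline after `};`.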
@@ -2991,6 +2991,11 @@ available-typed-arrays@^1.0.5:
 resolved "https://registry.yarnpkg.com/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz#92f95616501069d07d10edb2fc37d3e1c65123b7"
 integrity sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==
+aws-jwt-verify@^4.0.0:
+ version "4.0.0"
+ resolved "https://registry.yarnpkg.com/aws-jwt-verify/-/aws-jwt-verify-4.0.0.tgz#e069da942807cdd997ad3e9426980b1ff9422e68"
+ integrity sha512-1kCv+Ub3jBaQ6HnIjfAXswjp7xD0LO4GxwbQZ/o9IoJpb8/ZBUhHu5GQ4k2O7jOVTS/KOz86uw4NV71V3s6V3g==
+
 axe-core@^4.6.2:
 version "4.8.2"
 resolved "https://registry.yarnpkg.com/axe-core/-/axe-core-4.8.2.tgz#2f6f3cde40935825cf4465e3c1c9e77b240ff6ae"