验证用户使用AWS IOS SDK
验证我创建了一个lamdba函数执行以下操作:验证用户使用AWS IOS SDK
var param =
{
IdentityPoolId: "us-east-1:the-full-identity-id",
Logins: {} // To have provider name in a variable
};
param.Logins["com.test.website.login"] = userIdICreatedAndStoredInDynamoDB;
cognitoidentity.getOpenIdTokenForDeveloperIdentity(param,
function(err, data)
{
if (err) return fn(err); // an error occurred
else fn(null, data.IdentityId, data.Token); // successful response
});
它返回identityId和令牌的用户。所有内容均通过IAM角色和AWS Cognito Identity进行设置,并且似乎在控制台中进行了身份验证。
我有两个问题:
- 如何在应用测试用户进行身份验证?我将身份标识和令牌保存在应用设备中。
- 认证持续多久?我希望用户保持登录状态。这是我使用的大多数应用程序的工作方式,并保持登录状态,直到他们登出。
谢谢。
要回答第一个问题:
如何在用户进行身份验证的应用程序测试
它是在记录?我将
identityId
和令牌保存在应用设备中。
您通过进行“自定义授权者”测试认证
的AWS实例功能,您可以在lambda功能。例如发现当你去做出新的功能 (如果您筛选的NodeJS 4.3功能,它的背面)
或者你可以看看THIS这是同样的事情,只是在GitHub上。
我在这里做了一个八九不离十修改后的版本:
"use strict";
const
codes = {
100: "Continue", 101: "Switching Protocols", 102: "Processing",
200: "OK", 201: "Created", 202: "Accepted", 203: "Non-Authoritative Information", 204: "No Content", 205: "Reset Content", 206: "Partial Content", 207: "Multi-Status", 208: "Already Reported", 226: "IM Used",
300: "Multiple Choices", 301: "Moved Permanently", 302: "Found", 303: "See Other", 304: "Not Modified", 305: "Use Proxy", 307: "Temporary Redirect", 308: "Permanent Redirect",
400: "Bad Request", 401: "Unauthorized", 402: "Payment Required", 403: "Forbidden", 404: "Not Found", 405: "Method Not Allowed", 406: "Not Acceptable", 407: "Proxy Authentication Required", 408: "Request Timeout", 409: "Conflict", 410: "Gone", 411: "Length Required", 412: "Precondition Failed", 413: "Payload Too Large", 414: "URI Too Long",
415: "Unsupported Media Type", 416: "Range Not Satisfiable", 417: "Expectation Failed", 418: "I'm a teapot", 421: "Misdirected Request", 422: "Unprocessable Entity", 423: "Locked", 424: "Failed Dependency", 425: "Unordered Collection", 426: "Upgrade Required", 428: "Precondition Required", 429: "Too Many Requests", 431: "Request Header Fields Too Large", 451: "Unavailable For Legal Reasons",
500: "Internal Server Error", 501: "Not Implemented", 502: "Bad Gateway", 503: "Service Unavailable", 504: "Gateway Timeout", 505: "HTTP Version Not Supported", 506: "Variant Also Negotiates", 507: "Insufficient Storage", 508: "Loop Detected", 509: "Bandwidth Limit Exceeded", 510: "Not Extended", 511: "Network Authentication Required"
},
resp = (statusCode, data) => ({ statusCode, message: codes[ statusCode ], data }),
AWS = require("aws-sdk"),
crypto = require("crypto"),
COG = new AWS.CognitoIdentity(),
token = {
algorithm: "aes-256-ctr",
encrypt: item => {
item = JSON.stringify(item);
let cipher = crypto.createCipher(token.algorithm, process.env.PoolId),
crypted = cipher.update(item, 'utf8', 'base64');
crypted += cipher.final('base64');
return crypted;
},
decrypt: item => {
let decipher = crypto.createDecipher(token.algorithm, process.env.PoolId),
dec = decipher.update(item, 'base64', 'utf8');
dec += decipher.final('utf8');
return dec;
}
};
function AuthPolicy(principal, awsAccountId, apiOptions) {
this.awsAccountId = awsAccountId;
this.principalId = principal;
this.version = '2012-10-17';
this.pathRegex = new RegExp('^[/.a-zA-Z0-9-\*]+$');
this.allowMethods = [];
this.denyMethods = [];
if(!apiOptions || !apiOptions.restApiId) this.restApiId = '*';
else this.restApiId = apiOptions.restApiId;
if(!apiOptions || !apiOptions.region) this.region = '*';
else this.region = apiOptions.region;
if(!apiOptions || !apiOptions.stage) this.stage = '*';
else this.stage = apiOptions.stage;
}
AuthPolicy.HttpVerb = {
GET: 'GET',
POST: 'POST',
PUT: 'PUT',
PATCH: 'PATCH',
HEAD: 'HEAD',
DELETE: 'DELETE',
OPTIONS: 'OPTIONS',
ALL: '*',
};
AuthPolicy.prototype = (function AuthPolicyClass() {
function addMethod(effect, verb, resource, conditions) {
if(verb !== '*' && !Object.prototype.hasOwnProperty.call(AuthPolicy.HttpVerb, verb)) {
throw new Error(`Invalid HTTP verb ${verb}. Allowed verbs in AuthPolicy.HttpVerb`);
}
if(!this.pathRegex.test(resource))
throw new Error(`Invalid resource path: ${resource}. Path should match ${this.pathRegex}`);
let cleanedResource = resource;
if(resource.substring(0, 1) === '/')
cleanedResource = resource.substring(1, resource.length);
const resourceArn = `arn:aws:execute-api:${this.region}:${this.awsAccountId}:${this.restApiId}/${this.stage}/${verb}/${cleanedResource}`;
if(effect.toLowerCase() === 'allow')
this.allowMethods.push({
resourceArn,
conditions,
});
else if(effect.toLowerCase() === 'deny')
this.denyMethods.push({
resourceArn,
conditions,
});
}
function getEmptyStatement(effect) {
const statement = {};
statement.Action = 'execute-api:Invoke';
statement.Effect = effect.substring(0, 1).toUpperCase() + effect.substring(1, effect.length).toLowerCase();
statement.Resource = [];
return statement;
}
function getStatementsForEffect(effect, methods) {
const statements = [];
if(methods.length > 0) {
const statement = getEmptyStatement(effect);
for(let i = 0; i < methods.length; i++) {
const curMethod = methods[ i ];
if(curMethod.conditions === null || curMethod.conditions.length === 0)
statement.Resource.push(curMethod.resourceArn);
else {
const conditionalStatement = getEmptyStatement(effect);
conditionalStatement.Resource.push(curMethod.resourceArn);
conditionalStatement.Condition = curMethod.conditions;
statements.push(conditionalStatement);
}
}
if(statement.Resource !== null && statement.Resource.length > 0)
statements.push(statement);
}
return statements;
}
return {
constructor: AuthPolicy,
allowAllMethods() {
addMethod.call(this, 'allow', '*', '*', null);
},
denyAllMethods() {
addMethod.call(this, 'deny', '*', '*', null);
},
allowMethod(verb, resource) {
addMethod.call(this, 'allow', verb, resource, null);
},
denyMethod(verb, resource) {
addMethod.call(this, 'deny', verb, resource, null);
},
allowMethodWithConditions(verb, resource, conditions) {
addMethod.call(this, 'allow', verb, resource, conditions);
},
denyMethodWithConditions(verb, resource, conditions) {
addMethod.call(this, 'deny', verb, resource, conditions);
},
build() {
if((!this.allowMethods || this.allowMethods.length === 0) &&
(!this.denyMethods || this.denyMethods.length === 0))
throw new Error('No statements defined for the policy');
const policy = {}, doc = {};
policy.principalId = this.principalId;
doc.Version = this.version;
doc.Statement = [];
doc.Statement = doc.Statement.concat(getStatementsForEffect.call(this, 'Allow', this.allowMethods));
doc.Statement = doc.Statement.concat(getStatementsForEffect.call(this, 'Deny', this.denyMethods));
policy.policyDocument = doc;
return policy;
},
};
}());
exports.handler = (event, context, cb) => {
const
principalId = process.env.principalId,
tmp = event.methodArn.split(':'),
apiGatewayArnTmp = tmp[ 5 ].split('/'),
awsAccountId = tmp[ 4 ],
apiOptions = {
region: tmp[ 3 ],
restApiId: apiGatewayArnTmp[ 0 ],
stage: apiGatewayArnTmp[ 1 ]
},
policy = new AuthPolicy(principalId, awsAccountId, apiOptions);
let response;
if(!event.authorizationToken || typeof event.authorizationToken !== "string")
response = resp(401);
let item = token.decrypt(event.authorizationToken);
try { item = resp(100, JSON.parse(item)); }
catch(e) { item = resp(401); }
if(item.statusCode !== 100)
response = resp(401);
else if(item.data.Expiration <= new Date().getTime())
response = resp(407);
else
response = resp(100);
if(response.statusCode >= 400) {
policy.denyAllMethods();
const authResponse = policy.build();
authResponse.context = response;
cb(null, authResponse);
} else {
COG.getCredentialsForIdentity({
IdentityId: item.data.IdentityId,
Logins: {
'cognito-identity.amazonaws.com': item.data.Token
}
}, (e, d) => {
if(e) {
policy.denyAllMethods();
response = resp(401);
} else {
policy.allowMethod(AuthPolicy.HttpVerb.GET, "/user");
policy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/user");
response = resp(202);
}
const authResponse = policy.build();
authResponse.context = response;
cb(null, authResponse);
});
}
};
以上是完整的例子......但是,让我打破下来,并解释为什么他们提供一个不一样有用。
下面是设置这个步骤,所以你可以看到为什么它必须是这样的。
- 转到Lambda和做出函数调用
Auth_isValid
或类似的东西 - 把你
PoolId
和principalId
到环境变量,所以很容易转移到API网关更改后 - 头,让链接这件事
- 在左侧API选项,打
Authorizers
- 点击
Create
- >Custom Authorizer
- 填写您的Lambda区域,函数名称(应自动填充),授权人名称,身份令牌源(现在简单地使用
method.request.header.Authorization
,并且TTL可以是300)。让我们不要混淆执行角色或令牌验证表达式。 - 保存/更新它并返回到Lambda - 稍后我们将使用此授权人与功能挂钩。
好了,所以当你在看我的功能,你会看到,我做这种怪异的加密/在解密事情的顶部:
token = {
algorithm: "aes-256-ctr",
encrypt: item => {
item = JSON.stringify(item);
let cipher = crypto.createCipher(token.algorithm, process.env.PoolId),
crypted = cipher.update(item, 'utf8', 'base64');
crypted += cipher.final('base64');
return crypted;
},
decrypt: item => {
let decipher = crypto.createDecipher(token.algorithm, process.env.PoolId),
dec = decipher.update(item, 'base64', 'utf8');
dec += decipher.final('utf8');
return dec;
}
};
基本上,我换一些项目我想里面的加密密钥很简单,所以我可以将所有信息传递给易于使用的人。 (我将Identity Pool作为散列传递给它,使其变得既酷又简单,只要您从不将身份池ID发送到前端,我们就很好!)
Custom Authorizer需要一个令牌,而不是一个JSON块,你会说什么是一个“标记”或什么(你可以做,但它看起来愚蠢)
所以我们有一个统一的令牌传入,我呼吁decrypt
函数为此(我会在一秒钟内显示加密示例)
现在有些人可能会说“哦,这实际上不是加密,它可以很容易地找出来” - 我对此的回答是:“你好吧它会无论如何都是未加密的,原始文本,为什么不容易呢。“
好吧,现在你已经看到了这个部分,头部下降到函数的底部。
let response;
if(!event.authorizationToken || typeof event.authorizationToken !== "string")
response = resp(401);
let item = token.decrypt(event.authorizationToken);
try { item = resp(100, JSON.parse(item)); }
catch(e) { item = resp(401); }
if(item.statusCode !== 100)
response = resp(401);
else if(item.data.Expiration <= new Date().getTime())
response = resp(407);
else
response = resp(100);
if(response.statusCode >= 400) {
policy.denyAllMethods();
const authResponse = policy.build();
authResponse.context = response;
cb(null, authResponse);
} else {
COG.getCredentialsForIdentity({
IdentityId: item.data.IdentityId,
Logins: {
'cognito-identity.amazonaws.com': item.data.Token
}
}, (e, d) => {
if(e) {
policy.denyAllMethods();
response = resp(401);
} else {
policy.allowMethod(AuthPolicy.HttpVerb.GET, "/user");
policy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/user");
response = resp(202);
}
const authResponse = policy.build();
authResponse.context = response;
cb(null, authResponse);
});
}
更新:
我们从API网关进入的数据是:
{
"type":"TOKEN",
"authorizationToken":"<session_token>",
"methodArn":"arn:aws:execute-api:<region>:<Account_ID>:<API_ID>/<Stage>/<Method>/<Resource_Path>"
}
我们从LAMBDA传出的数据应该是这样的:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": [
"arn:aws:execute-api:<region>:<Account_ID>:<API_ID>/<Stage>/*/*"
]
}
]
}
根据我们的授权情况而定。
所以在我的第一if
检查,我确保authorizationToken
是存在的,它是一个string
,如果不是的话,我们说这是Unauthorized
(大家应该知道并使用他们的状态码)
其次,我解密令牌并确保尝试执行try-catch
。如果它不好,他们是Unauthorized
。如果是这样,我们可以Continue
。
你会看到在令牌中,我把一个变量Expiration
,这是我如何检查密钥是否被接受和正确,现在只是过期。为此,我说Proxy Authentication Required
。它告诉我的前端,再次呼叫登录并给我新的信誉。不要忘记,这个功能的目的只是为了检查我们是否被授权。不要做像刷新标记这样的花式东西。
接下来,我检查是否一切正常,并致电denyAllMethods
并将响应代码放在响应的context
中。 API网关是非常挑剔,只想要简单的IAM格式化政策传来传去 - 没有其它信息或格式或任何可能在那里,如果不是指定它HERE或HERE
如果一切正常,我叫getCredentialsForIdentity
- 使用IdentityId
和Token
,确保令牌实际上也是有效的,然后我允许当时需要的功能。这些是非常重要的,并且将验证令牌仅仅是那些功能 - 换句话说。如果您在IAM中的IAM角色表示可以访问所有内容,则将显示为否,您只能在/user
和*问GET
和DELETE
。所以不要让它愚弄你。毕竟,这是一个定制授权人。
接下来,我需要向您展示如何将所有这些内容从Login部分放入。我有同样的token = {
的一部分,但在我的登录功能,我添加了一个getToken
功能:以上
token.getToken = obj => {
return new Promise((res, rej) => {
COG.getOpenIdTokenForDeveloperIdentity({
IdentityPoolId: process.env.PoolId,
Logins: {
"com.whatever.developerIdthing": obj.email
},
TokenDuration: duration
}, (e, r) => {
r.Expiration = new Date().getTime() + (duration * 1000);
if(e) rej(e);
else res(token.encrypt(r));
});
});
};
通知,:
duration
部分。
这是回答你的第二个问题:
多久认证持续多久?我希望用户保持登录状态。这是我使用的大多数应用程序的工作方式,并保持登录状态,直到他们登出。
创建使用任何你想找出他们和TokenDuration
是秒他们的电子邮件或OpenIdToken
。我会建议做这一两个星期,但如果你想要一年或什么东西,31536000
就是了。这样做的另一种方法是创建一个仅授予您授权凭据的功能,并且在407
情景出现时,不要在授权人中调用denyAll
,而是使其唯一方法可以调用allowMethod(POST, /updateCreds);
或类似的东西。这样,你可以每隔一段时间刷新一次。
为伪是:
删除:
if(response.statusCode >= 400)
else
,做:
if(statusCode >= 400)
denyAll
else if(statusCode === 407)
allow refresh function
else
allow everything else
希望这有助于!
要测试它们是否已登录,您需要设置一个服务,该服务将检查针对Cognito的令牌。快速和肮脏的方法是设置一个基本的lambda,通过授权者指向您的用户标识池,通过API网关公开它。所有的lambda需要做的是返回HTTP 200,因为你真正检查的是授权者。然后让你的应用获得/发布/ etc到带有“授权”标头的API URL:$ ACCESS_TOKEN。要么它会在成功时反击200,要么会返回未经授权的消息。
Cognit令牌只适用于一个小时,但您可以刷新该令牌以保持一个人登录。当您的用户通过身份验证时,他们有三个令牌:ID,Access和Refresh令牌。您可以使用后者来请求新的访问令牌。 http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
仍在寻找一个好的答案。 – cdub
请参阅下面的评论以获取更多信息。 – cdub