2.0.3 • Published 2 years ago

@earnup/cognito-login v2.0.3

License
ISC
Repository
github

EarnUp Cognito library

This is a simple client library to interface with the EarnUp Cognito user pool.

Supported methods

signup
login

Usage:

Configuring the client:

import CognitoClient from '@earnup/cognito-login';
const cognitoClient = new CognitoClient(COGNITO_USER_POOL_ID, COGNITO_CLIENT_ID);

Signing up a user

const loggedIn = await cognitoClient.signup(
  TEST_USER, TEST_PASS, TEST_EMAIL, TEST_PHONE
);

Note that new user accounts start out as unconfirmed accounts, meaning they cannot be logged into before the user takes action through email or another channel to activate the account.

Logging in a user

Once an account is confirmed, a JWT can be retrieved with the account's username and password.

const loggedIn = await cognitoClient.login(
  TEST_USER, TEST_PASS
);

The payload includes an idToken which is the JWT token for authenticating with our services. The payload also contains the refresh token and the decoded token payload claims like the following:

{
    "custom:customer_id": "1000059651",
    "sub": "f0f56195-fba4-4b4a-82c8-c7ca05a13fc2",
    "aud": "nkeo7sbs4a7j02lubqa87rgoh",
    "email_verified": true,
    "event_id": "8e894747-3400-4ac8-a783-66e33c702845",
    "token_use": "id",
    "auth_time": 1586153770,
    "iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_uDiejirsB",
    "cognito:username": "test_user20190624134040@mailinator.com",
    "exp": 1586157370,
    "iat": 1586153770,
    "email": "test_user20190624134040@mailinator.com"  
}

The sub field is the token subject, an ID that uniquely identifies the user the token was issued to. Note that although usernames are unique among active accounts, Cognito is free to reuse names, but subject IDs will never be reused.

Validating client access tokens

Each EarnUp enterprise partner has an App Client in the EarnUp Cognito user pool. Calling the oauth2/token endpoint with the client_credentials grant type generates an accessToken. This is a Bearer authorization token that enables partners to interact with EarnUp's external-facing APIs. It is a JWT, and the decoded payload looks like this (notice that token_use differs from the value in a user's token):

{
  "sub": "o17ge3vpl7pmtdnh7l52eb4d9",
  "token_use": "access",
  "scope": "https://partner.earnup.com/cfba52b5-dd9b-45b9-ac96-736e55ee42e0/customers.write https://partner.earnup.com/cfba52b5-dd9b-45b9-ac96-736e55ee42e0/loans.write",
  "auth_time": 1634012306,
  "iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_XksD0cYpc",
  "exp": 1634015906,
  "iat": 1634012306,
  "version": 2,
  "jti": "63bd71eb-61ae-4531-8bc8-b5b49f3e8416",
  "client_id": "o17ge3vpl7pmtdnh7l52eb4d9"
}

You can validate an accessToken like this:

let decodedToken = await CognitoClient.getValidatedTokenPayload(
  accessToken,
  COGNITO_USER_POOL_ID,
  clientId
);
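
The claim checks that tell the two token types above apart, as an added example: this is not the library's own code and not necessarily what getValidatedTokenPayload does internally. It assumes the JWT signature has already been verified against the pool's JWKS; checkClaims and expectedIssuer are hypothetical helper names.

```javascript
// Added example: claim checks for Cognito ID and access tokens.
// Assumption: the JWT signature was already verified against the pool's JWKS.

// Pool IDs look like <region>_<suffix>; the issuer URL embeds both.
function expectedIssuer(userPoolId) {
  const region = userPoolId.split('_')[0];
  return `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
}

// checkClaims is a hypothetical helper, not part of @earnup/cognito-login.
// It returns a list of problems; an empty list means the claims are acceptable.
function checkClaims(claims, { userPoolId, clientId, tokenUse, requiredScopes = [], now }) {
  const problems = [];
  const nowSec = now !== undefined ? now : Math.floor(Date.now() / 1000);

  if (claims.iss !== expectedIssuer(userPoolId)) problems.push('iss: wrong user pool');
  if (claims.token_use !== tokenUse) problems.push(`token_use: expected ${tokenUse}`);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) problems.push('exp: expired');

  // ID tokens name the app client in "aud"; access tokens use "client_id".
  const audience = tokenUse === 'id' ? claims.aud : claims.client_id;
  if (audience !== clientId) problems.push('audience: wrong app client');

  // Access-token scopes arrive as one space-separated string.
  const granted = new Set(String(claims.scope || '').split(' ').filter(Boolean));
  for (const scope of requiredScopes) {
    if (!granted.has(scope)) problems.push(`scope: missing ${scope}`);
  }
  return problems;
}

// Sample claims copied (trimmed) from the two payloads shown on this page.
const API = 'https://partner.earnup.com/cfba52b5-dd9b-45b9-ac96-736e55ee42e0';
const idClaims = {
  token_use: 'id', aud: 'nkeo7sbs4a7j02lubqa87rgoh', exp: 1586157370,
  iss: 'https://cognito-idp.us-west-2.amazonaws.com/us-west-2_uDiejirsB',
};
const accessClaims = {
  token_use: 'access', client_id: 'o17ge3vpl7pmtdnh7l52eb4d9', exp: 1634015906,
  iss: 'https://cognito-idp.us-west-2.amazonaws.com/us-west-2_XksD0cYpc',
  scope: `${API}/customers.write ${API}/loans.write`,
};

// A user's ID token offered where a partner access token is required is rejected.
console.log(checkClaims(idClaims, {
  userPoolId: 'us-west-2_uDiejirsB', clientId: 'nkeo7sbs4a7j02lubqa87rgoh',
  tokenUse: 'access', now: 1586153800,
}));
```

The `now` option exists only so the sample payloads, whose exp values are in the past, can be checked at a fixed time; omit it in real use.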