1.0.0 • Published 8 years ago

cognito-authenticator-cli v1.0.0

License
ISC

cognito-authenticator-cli

Retrieves temporary AWS access credentials (access key id, secret access key and session token) for a Cognito username/password pair. It can be used as a command-line JavaScript tool or as a Node package.

Usage as a Node Package

Installing using NPM

npm install --save cognito-authenticator-cli

Node.js Usage for any Cognito User Pool + Identity Pool:

var cognito = require('cognito-authenticator-cli');
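// Connection settings for the Cognito User Pool and Identity Pool.
// The identifiers are the sample values from this README; substitute your own.
// The password is read from the environment instead of being embedded in the source,
// so it is not committed to version control along with the code.
// COGNITO_PASSWORD is an illustrative variable name, not one defined by the package.
var params = {
    Username: 'Heroku-Addon-User-01234567-89ab-cdef-0123-456789abcdef',
    Password: process.env['COGNITO_PASSWORD'],
    UserPoolId: 'us-east-1_QY61qoJbZ',
    ClientId: '6a2ae7i6mvd9u6bt9hvpa9c8i2',
    IdentityPoolId: 'us-east-1:95219c8a-4ad1-41ca-80fe-669764b389cf',
    AWSRegion: 'us-east-1'
};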

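/**
 * Receives the result of getAWSAccessCredentialsForCognitoUser.
 *
 * @param {*} err - set when the call failed; logged as-is
 * @param {{AccessKeyId: string, SecretAccessKey: string, SessionToken: string}} creds
 *   the AWS credentials returned on success
 */
function callback(err, creds) {
    if (err) {
      console.log(err);
      return;
    }
    // Only the access key id is printed; it identifies the session but is not a secret by itself.
    // creds.SecretAccessKey and creds.SessionToken are secrets: pass them to the AWS SDK
    // (or your own request signer) rather than writing them to stdout, where they would
    // end up in application or build logs.
    console.log(creds.AccessKeyId);
}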

// Requests AWS credentials for the Cognito user described by params;
// the outcome is delivered to callback as (err, creds).
cognito.getAWSAccessCredentialsForCognitoUser(params, callback);

Usage with the Polyverse Scrambled Binary Access Heroku Addon

var cognito = require('cognito-authenticator-cli');
var AWS = require('aws-sdk');

// Every setting, including the password, comes from the environment variables that the
// Heroku add-on is expected to expose, so no credential is embedded in the source.
var params = {
    Username: process.env.POLYVERSESCRAMBLEDBINARYACCESS_COGNITO_USERNAME,
    Password: process.env.POLYVERSESCRAMBLEDBINARYACCESS_COGNITO_PASSWORD,
    UserPoolId: process.env.POLYVERSESCRAMBLEDBINARYACCESS_COGNITO_USER_POOL_ID,
    ClientId: process.env.POLYVERSESCRAMBLEDBINARYACCESS_COGNITO_CLIENT_ID,
    IdentityPoolId: process.env.POLYVERSESCRAMBLEDBINARYACCESS_COGNITO_IDENTITY_POOL_ID,
    AWSRegion: process.env.POLYVERSESCRAMBLEDBINARYACCESS_COGNITO_REGION,
};

// Fetch AWS credentials for the add-on's Cognito user, then list the add-on's S3 bucket.
cognito.getAWSAccessCredentialsForCognitoUser(params, function(authErr, creds) {
    if (authErr) {
        console.log(authErr);
        return;
    }

    // Put the credentials on the SDK's global config; the S3 client below is created afterwards.
    AWS.config.update({
        accessKeyId: creds.AccessKeyId,
        secretAccessKey: creds.SecretAccessKey,
        sessionToken: creds.SessionToken
    });

    var bucketName = process.env['POLYVERSESCRAMBLEDBINARYACCESS_S3_BUCKET'];
    var S3 = new AWS.S3();
    S3.listObjects({ Bucket: bucketName }, function(listErr, objects) {
        // Print the failure if there is one, otherwise the listing.
        console.log(listErr ? listErr : objects);
    });
});

CLI Usage:

The CLI usage is intended to allow non-Node apps to call this package over the shell and acquire credentials to AWS. Node is required for this mode to work. First obtain this repo, either by Git cloning it, or npm-installing it.

Then under the root directory, make sure all dependencies are installed:

npm install

Usage Parameters:

node cognito-auth-cli.js
Usage:
  cognito-auth-cli.js [OPTIONS] [ARGS]

Options:
  -u, --username STRING  A username for an Amazon Cognito User Pool
  -p, --password STRING  The Password for the Amazon Cognito User
      --region STRING    An AWS region for the Amazon Cognito User Pool
  -upid, --user_pool_id STRINGThe Amazon Cognito User Pool Id to auth these
                              credentials against
  -cid, --client_id STRINGAn Amazon Cognito client id for an App that is
                          registered within the provided User Pool
  -idpid, --identity_pool_id STRINGAn Amazon Cognito Identity Pool ID to
                                   federate the User Pool credentials
  -h, --help             Display help and usage details

Implicit Heroku-Addon Usage

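When the Heroku add-on variables are exposed in your environment, they are automatically picked up as defaults for the options, so you don't need to provide any command-line parameters for this to work. The command prints the secret access key and session token to stdout, so have the calling process capture the output rather than letting it reach a log.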

node cognito-auth-cli.js
{ AccessKeyId: 'ASIAIGFIPCBVXOY7OD4Q',
  SecretAccessKey: 'KNm0QBe1SoMPQlgYcVhxtozI+j3eVV9g9vXi4lY0',
  SessionToken: 'AgoGb3JpZ2luEJX//////////wEaCXVzLWVhc3QtMSKAAnvcHDC5+JAsyXnulF1gJ/ymqBWXGkA2vw0tSPBhwKQg7KHzLCSwIWDKzLc+Lf3jrJfV8BMsowsB6/TV66yAH0TcwZG//tj0FTJD34jxTbYctbxXCmfmId3mnPCAnmqGcnLeR9InROeqr71C3Q/OJgcsbcKmJTD+VPc3U+yL60b4WRXwWZmYJULUoCEhdjIEOOCtJQVX3EP/7NHzLcWugcG9V+RRdl9pI+dWgC0nWL0/NifLw6LxVrHzSqN8UbooP37X/vekkKOhm1qn4zEaJ/Ur4zJ7xOI0v89UWOcu4lLroBVK0UGW2krzBq8hZ/OqrhXutLjCqVxvx473JeL1MBsqpgUIOhAAGgw1MDc3NjA3MjQwNjQiDP4IPkwy6wTvwkSWXCqDBVTGi0dagLru5SKrObs8FW1Pc3P+3ZD0FDCLKfhlMkiJ2IueukMz6VnM6KYZoH7n/MF6Il5sS/dyidc10tuhfbD5iBCcnLCi32hS9i765qQrMU0FfavoZ5OuMpOl+52YwcbapAt3lBtHgUGuVnLiLueybGfxi81juEeNSMi5Mv5eVS2cjvpnjho1gxb8WQIG+N6Ucg51LfsPJs5zcxdoWXvjCnuAQSRsKCzxAINKazxduWYRXGm+CN/yJz0d0XjX200rgY2qvShiFNHk7tl4aP+xtI0KeCmxz6BTFaEQGnQML3nr+YKUDXjXqEKHToCeA8YNA3pRBHh6vv/C5Tth0GwvDrMvCznZ5BHM35C9wMw4PaGNOe6GJymXKRwoLS22BKmtDfBAFsFuDOMe86fvGZKBlp/sknpT2ApCn3fjRQ/cKvQB5CjfuByMcuon9ZcG2ugwm+DGHy3LgVeo23j9byJ5sPKqu3UCixx7H2U9UcW1T9zOtyKYra1kzgZdk+nGYetxxyozCvOvKwFBOSxc0L5eocba8VWCwv7I+HMdnFlgpAbAWWBD6oimDbO5XZO3+R6oXODRYUran2gkSOMblxTRBYHxMEVqS4t6/1QuXI5L8zpDSICOD4sbWLq5QtgQsNUZBMbzXtzwZm2HdY3NeuHWmKk+zrSHFR4ShTkhLlWWggPLjfFpvAxH5jKTlhBnu/l505vBhJBMj07XF2QTkt7ZjAeYbNM9dk6+/nWqCyR5W0NrJVgnWO7PhdhiuLUXchoOB2mqiik5mZxhHcphAYgzoYJ9WtfaOBhfGZ0EpO+ZHgkmiUyUI96nkcHU21qKmFUG/jc4D8nNTrm7Qqb0s9DRMTIwg5KCvwU=' }

Explicit usage with passed-in parameters

This mode is very useful when you want to consume credentials in a non-Node process. While admittedly not ideal, and prone to some more brittleness than using a pure-language in-proc library, it is a start in that direction.

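This also makes it possible to retrieve credentials from the shell, which our scrambling build pack relies on. Note that a password passed with --password is visible in the local process list and is saved in shell history; where possible, supply the values through the Heroku add-on environment variables instead, which the tool picks up as defaults.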

node cognito-auth-cli.js --username 'Heroku-Addon-User-a3b05f17-f024-4261-b0bc-af499ca8d920' --password 'd3&G4^b5@E6%b5*d3%d7%n3]C7*I6@x3;b5)l$E5&h1$C2]b1^' --region "us-east-1" --user_pool_id 'us-east-1_QY61qoJbZ' --client_id '6a2ae7i6mvd9u6bt9hvpa9c8i2' --identity_pool_id 'us-east-1:95219c8a-4ad1-41ca-80fe-669764b389cf'
{ AccessKeyId: 'ASIAJMTXSNOAYXSX5RPA',
  SecretAccessKey: '5+vlF9GQzgpk5nX629GUu4u4nYSbcxRRJ6Wa0EA0',
  SessionToken: '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' }

What problem does this solve?

Amazon Cognito provides a web-based package to authenticate a cognito-user (mainly in a Cognito User Pool, but also federated through a Cognito Identity.) https://github.com/aws/amazon-cognito-identity-js

The challenge is, this package doesn't easily work on server-side code. There are some changes/hacks to make it work, but they don't work by npm install'ing the package.

We wanted to provide a way to take any username/password pair, and retrieve AWS Access credentials on a server (or any environment that is not necessarily a browser.)