jayg-hive · February 9, 2022 07:02 · jayg-hive · Feb 9, 2022
diff --git a/token.ts b/token.ts
 import { createRemoteJWKSet, jwtVerify } from "jose";

 import type { JWTPayload } from "jose";

 import { AWS_REGION, COGNITO_USER_POOL_ID, COGNITO_WEB_CLIENT_ID } from "../utils/consts";

 const cognitoIssuer = `https://cognito-idp.${AWS_REGION}.amazonaws.com/${COGNITO_USER_POOL_ID}`;
 const cognitoPublicJwks = `${cognitoIssuer}/.well-known/jwks.json`;

 interface AWSAuth extends JWTPayload {
  "cognito:groups": string[];
  client_id: string;
  origin_jti: string;
  event_id: string;
  token_use: string;
  scope: string;
  username: string;
 }

 // Reference: https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/
 export async function verifyJwtToken(
  jwtAccessToken: string,
  // requestUsername: string  // some requests provide this (i.e., via CognitoIdentityServiceProvider cookies), validation for this can be otherwise skipped.
 ): Promise<boolean> {
  try {
    const jwks = createRemoteJWKSet(new URL(cognitoPublicJwks));
    // verify if the token is valid
    const { payload } = await jwtVerify(jwtAccessToken, jwks, {});
    if (!payload) throw new Error("Failed verifying this token.");
    const { iss, username, client_id: clientId } = payload as AWSAuth;

    // verify if correct issuer is given
    if (iss !== cognitoIssuer) throw new Error("Invalid issuer");
    // verify if request is from the correct client
    if (clientId !== COGNITO_WEB_CLIENT_ID) throw new Error("Invalid web client");
    // verify if request is from the same username
    // if (requestUsername !== username) throw new Error("User doesn't match");
    return true;
  } catch (error) {
    // do error handling stuff here
    return false;
  }
 }
	import { createRemoteJWKSet, jwtVerify } from "jose";

	import type { JWTPayload } from "jose";

	import { AWS_REGION, COGNITO_USER_POOL_ID, COGNITO_WEB_CLIENT_ID } from "../utils/consts";

	const cognitoIssuer = `https://cognito-idp.${AWS_REGION}.amazonaws.com/${COGNITO_USER_POOL_ID}`;
	const cognitoPublicJwks = `${cognitoIssuer}/.well-known/jwks.json`;

	interface AWSAuth extends JWTPayload {
	"cognito:groups": string[];
	client_id: string;
	origin_jti: string;
	event_id: string;
	token_use: string;
	scope: string;
	username: string;
	}

	// Reference: https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/
	export async function verifyJwtToken(
	jwtAccessToken: string,
	// requestUsername: string // some requests provide this (i.e., via CognitoIdentityServiceProvider cookies), validation for this can be otherwise skipped.
	): Promise<boolean> {
	try {
	const jwks = createRemoteJWKSet(new URL(cognitoPublicJwks));
	// verify if the token is valid
	const { payload } = await jwtVerify(jwtAccessToken, jwks, {});
	if (!payload) throw new Error("Failed verifying this token.");
	const { iss, username, client_id: clientId } = payload as AWSAuth;

	// verify if correct issuer is given
	if (iss !== cognitoIssuer) throw new Error("Invalid issuer");
	// verify if request is from the correct client
	if (clientId !== COGNITO_WEB_CLIENT_ID) throw new Error("Invalid web client");
	// verify if request is from the same username
	// if (requestUsername !== username) throw new Error("User doesn't match");
	return true;
	} catch (error) {
	// do error handling stuff here
	return false;
	}
	}