
@vdelacou
Created December 7, 2019 09:41
const https = require('https');
const AWS = require("aws-sdk");
const urlParse = require("url").URL;
/**
 * Reads a mandatory environment variable, failing fast at module load
 * (i.e. on Lambda cold start) when it is missing or empty.
 *
 * @param {string} name - Name of the environment variable.
 * @returns {string} The configured value.
 * @throws {Error} When the variable is unset or empty.
 */
function readRequiredEnv(name) {
  const value = process.env[name];
  if (!value) {
    throw new Error(`Function requires environment variable: '${name}'`);
  }
  return value;
}

// Region handed to AWS.HttpRequest when the AppSync request is built.
const REGION = readRequiredEnv('REGION');

// Full URL of the AppSync GraphQL endpoint this function queries.
const APP_SYNC_URL = readRequiredEnv('API_AMPLIFYNINJA_GRAPHQLAPIENDPOINTOUTPUT');

// Host part of the endpoint; used as the Host header and as the https target.
const ENDPOINT = new urlParse(APP_SYNC_URL).hostname;

// GraphQL document that lists workspaces, with optional filter and paging variables.
const listWorkSpacesQuery = `query ListWorkSpaces(
$filter: ModelWorkSpaceFilterInput
$limit: Int
$nextToken: String
) {
listWorkSpaces(filter: $filter, limit: $limit, nextToken: $nextToken) {
items {
id
title
owner
workspaceUsers
}
nextToken
}
}
`;
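/**
 * Sends one SigV4-signed ListWorkSpaces request to AppSync and resolves with
 * the parsed JSON response body.
 *
 * The whole body is buffered until the 'end' event before parsing: a response
 * may arrive in several 'data' chunks, and parsing the first chunk alone can
 * throw or silently drop workspaces.
 *
 * @param {object} variables - GraphQL variables (filter, nextToken).
 * @returns {Promise<object>} Parsed GraphQL response ({ data, errors }).
 * @throws {Error} (rejection) on a transport error or a non-JSON body.
 */
function queryWorkSpacesPage(variables) {
  const req = new AWS.HttpRequest(APP_SYNC_URL, REGION);
  req.method = "POST";
  req.headers.host = ENDPOINT;
  req.headers["Content-Type"] = "application/json";
  req.body = JSON.stringify({
    query: listWorkSpacesQuery,
    operationName: "ListWorkSpaces",
    variables
  });

  // Sign with the credentials in AWS.config so AppSync can authorize the call.
  const signer = new AWS.Signers.V4(req, "appsync", true);
  signer.addAuthorization(AWS.config.credentials, AWS.util.date.getDate());

  return new Promise((resolve, reject) => {
    const httpRequest = https.request({ ...req, host: ENDPOINT }, (result) => {
      const chunks = [];
      result.on('data', (chunk) => chunks.push(chunk));
      result.on('error', reject);
      result.on('end', () => {
        try {
          resolve(JSON.parse(Buffer.concat(chunks).toString()));
        } catch (err) {
          reject(new Error(
            `AppSync returned a non-JSON response (HTTP ${result.statusCode}): ${err.message}`
          ));
        }
      });
    });
    // Without this a connection failure would leave the promise pending
    // until the Lambda times out.
    httpRequest.on('error', reject);
    httpRequest.write(req.body);
    httpRequest.end();
  });
}

/**
 * Cognito token-generation trigger: looks up every workspace the signing-in
 * user owns or is listed in, and writes the workspace ids into the token's
 * group claim via claimsOverrideDetails.groupOverrideDetails.groupsToOverride.
 *
 * @param {object} event - Cognito trigger event; must carry `userName` and `request`.
 * @param {object} context - Lambda context (unused).
 * @param {Function} callback - Lambda callback, invoked with the mutated event.
 * @throws {Error} When event.userName is missing or the AppSync call fails;
 *   in both cases no claims override is written.
 */
exports.handler = async (event, context, callback) => {
  const userId = event.userName;
  if (!userId) {
    throw new Error(
      `Function requires to receive in event the username: 'event.userName'`
    );
  }

  // The user id travels as a GraphQL variable, never spliced into the query text.
  // NOTE(review): `contains` is an element test on a list attribute but a
  // substring test on a string attribute - confirm workspaceUsers is a list.
  const filterQuery = {
    "or": [
      { "owner": { "eq": userId } },
      { "workspaceUsers": { "contains": userId } }
    ]
  };

  // Start from the groups Cognito already resolved; copy so the request part
  // of the event is not mutated.
  const groupConfiguration = event.request.groupConfiguration;
  const existingGroups = groupConfiguration
    ? groupConfiguration.groupsToOverride
    : [];
  const validWorkspaceId = existingGroups ? [...existingGroups] : [];

  // Follow nextToken until exhausted: a filtered list can return a page with
  // few or no items while more matches remain, and stopping after the first
  // page would leave those workspaces out of the token.
  let nextToken = null;
  let workspaceCount = 0;
  do {
    const page = await queryWorkSpacesPage({ "filter": filterQuery, nextToken });
    if (page.errors) {
      // Surface GraphQL/authorization failures instead of silently issuing a
      // token that lacks the workspace groups.
      console.error(`ListWorkSpaces returned errors: ${JSON.stringify(page.errors)}`);
    }
    const list = page.data && page.data.listWorkSpaces;
    const items = (list && list.items) || [];
    items.forEach((workspace) => {
      if (workspace && workspace.id) {
        validWorkspaceId.push(workspace.id);
        workspaceCount += 1;
      }
    });
    nextToken = list ? list.nextToken : null;
  } while (nextToken);

  // add valid workspaceId to identity token
  // NOTE(review): workspace ids share one namespace with the pre-existing
  // group names. If a workspace id can be chosen by a client, an id equal to
  // a privileged group name would appear in the token as that group - confirm
  // ids are server-generated, or prefix them before adding them here.
  event.response = {
    claimsOverrideDetails: {
      groupOverrideDetails: {
        groupsToOverride: validWorkspaceId
      }
    }
  };

  // Log a count only: the raw response holds workspace titles, owners and
  // member lists, which do not belong in CloudWatch logs.
  console.log(`RESULT: ${workspaceCount} workspace id(s) added to groupsToOverride`);
  // insert code to be executed by your lambda trigger
  callback(null, event);
};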
{
"version": "1",
"triggerSource": "TokenGeneration_Authentication",
"region": "ap-southeast-1",
"userPoolId": "ap-southeast-X_XXXXXXXX",
"userName": "xxxx-xxxx-xxxx-xxxx",
"callerContext": {
"awsSdkVersion": "aws-sdk-unknown-unknown",
"clientId": "xxxxxxxxxxxxxxxx"
},
"request": {
"userAttributes": {
"sub": "xxxx-xxxx-xxxx-xxxx",
"email_verified": "true",
"cognito:user_status": "CONFIRMED",
"cognito:email_alias": "[email protected]",
"email": "[email protected]"
},
"groupConfiguration": {
"groupsToOverride": [],
"iamRolesToOverride": [],
"preferredRole": null
}
},
"response": {
"claimsOverrideDetails": null
}
}