This package is a configurable Booster rocket to add an authentication API based on Cognito to your Booster applications.
Install this package as a devDependency
in your Booster project (It's a devDependency
because it's only used during deployment, so we don't want this code to be uploaded to the project lambdas)
npm install --save-dev @boostercloud/rocket-auth-aws-infrastructure
In your Booster config file, pass a RocketDescriptor
array to the AWS Provider
initializer configuring the aws authentication rocket:
import { Booster } from '@boostercloud/framework-core'
import { BoosterConfig } from '@boostercloud/framework-types'
import * as AWS from '@boostercloud/framework-provider-aws'
Booster.configure('production', (config: BoosterConfig): void => {
config.appName = 'my-store'
config.providerPackage = '@boostercloud/framework-provider-aws'
config.rockets = [
{
packageName: '@boostercloud/rocket-auth-aws-infrastructure',
parameters: {
mode: 'UserPassword'
},
},
]
})
Make sure that you have defined the suitable roles for your application. Please, check the Official Booster Documentation for more information.
{
passwordPolicy?: { // Optional, all values are set to true by default.
minLength?: number, // Minimum length, which must be at least 6 characters but fewer than 99 character
requireDigits: boolean, // Require numbers
requireLowercase: boolean, // Require lowercase letters
requireSymbols: boolean, // Require special characters
requireUppercase: boolean // Require uppercase letters
}
mode: 'Passwordless' | 'UserPassword' // If Passwordless, the user must be a phone number. If UserPassword, the user must be a valid email.
}
The auth rocket will expose the following base url outputs:
<appName>.AuthApiURL = https://<httpURL>/production/auth
<appName>.AuthApiIssuer = https://cognito-idp.<app-region>.amazonaws.com/{userPoolId}
<appName>.AuthApiJwksUri = https://cognito-idp.<app-region>.amazonaws.com/{userPoolId}/.well-known/jwks.json
Output | Description |
---|---|
AuthApiURL | Base Api Url which will exposed all auth endpoints. |
AuthApiIssuer | The issuer who sign the JWT tokens. |
AuthApiJwksUri | Uri with all the public keys used to sign the JWT tokens. |
The AuthApiIssuer
and AuthApiJwksUri
must be used in the tokenVerifier
Booster config. More information about JWT Configuration here.
Users can use this endpoint to register in your application and get a role assigned to them.
POST https://<httpURL>/auth/sign-up
{
"username": "string",
"password": "string",
"userAttributes": {
"role": "string"
}
}
Parameter | Description |
---|---|
username | The username of the user you want to register. It must be an email in UserPassword mode or an phone number in Passwordless mode. |
password | The password the user will use to later login into your application and get access tokens. Only in UserPassword mode |
userAttributes | Here you can specify the attributes of your user. These are: -role: A unique role this user will have. You can only specify here a role where the signUpOptions property is not empty. |
{
"id": "cb61c0a4-8f85-4774-88a9-448ce6321eea",
"username": "+34999999999",
"userAttributes": {
"role": "User"
}
}
You will get an HTTP status code different from 2XX and a body with a message telling you the reason of the error.
Example of an account with the given username which already exists:
{
"error": {
"type": "UsernameExistsException",
"message": "An account with the given phone_number already exists."
}
}
You will get an HTTP status code different from 2XX and a body with a message telling you the reason of the error.
Whenever a User signs up with their phone number in Passwordless
mode, an SMS message will be sent with a confirmation code. If you're using a UserPassword
mode an email with a confirmation link will be sent.
They will need to provide this code to confirm registation by calling thesign-up/confirm
endpoint
POST https://<httpURL>/auth/sign-up/confirm
{
"confirmationCode": "string",
"username": "string"
}
Parameter | Description |
---|---|
confirmationCode | The confirmation code received in the SMS message. |
username | The username of the user you want to sign in. They must have previously signed up. |
{
"message": "The username: +34999999999 has been confirmed."
}
You will get an HTTP status code different from 2XX and a body with a message telling you the reason of the error. Common errors would be like submitting an expired confirmation code or a non valid one.
Example of an invalid verification code:
{
"error": {
"type": "CodeMismatchException",
"message": "Invalid verification code provided, please try again."
}
}
If for some reason the confirmation code never reaches your email, or your phone via SMS, you can ask the API to resend a new one.
POST https://<httpURL>/auth/sign-up/resend-code
{
"username": "string"
}
Parameter | Description |
---|---|
username | The username of the user you want to sign in. They must have previously signed up. |
{
"message": "The confirmation code to activate your account has been sent to: +34999999999."
}
You will get an HTTP status code different from 2XX and a body with a message telling you the reason of the error. Common errors would be like submitting an expired confirmation code or a non valid one.
This endpoint creates a session for an already registered user, returning an access token that can be used to access role-protected resources
POST https://<httpURL>/auth/sign-in
{
"username": "string",
"password": "string"
}
Parameter | Description |
---|---|
username | The username of the user you want to sign in. They must have previously signed up. |
password | The password used to sign up the user. Only in UserPassword mode |
UserPassword:
{
"accessToken": "string",
"expiresIn": "string",
"refreshToken": "string",
"tokenType": "string"
}
Parameter | Description |
---|---|
accessToken | The token you can use to finish de session. |
tokenId | The token you can use to access restricted resources. It must be sent in the Authorization header (prefixed with the tokenType ). |
expiresIn | The period of time, in seconds, after which the token will expire. |
refreshToken | The token you can use to get a new access token after it has expired. |
tokenType | The type of token used. It is always Bearer . |
Passwordless:
{
"session": "string",
"message": "string"
}
Parameter | Description |
---|---|
session | The type of token used. It is always Bearer . |
message | Message with the next steps. It is always: Use the session and the code we have sent you via SMS to get your access tokens via POST /token. . |
Call this endpoint to get the access token for Passwordless mode:
POST https://<httpURL>/auth/token
{
"username": "string",
"session": "string",
"confirmationCode": "string"
}
Parameter | Description |
---|---|
username | The phone number of the user you want to sign in. They must have previously signed up. |
session | The session obtained in the sign in response. |
confirmationCode | The confirmation code received in the SMS message after sign in. |
{
"accessToken": "string",
"expiresIn": "string",
"refreshToken": "string",
"tokenType": "string"
}
You will get an HTTP status code different from 2XX and a body with a message telling you the reason of the error.
Example: Login of a user that has not been confirmed
{
"error": {
"type": "UserNotConfirmedException",
"message": "User is not confirmed.."
}
}
Users can call this endpoint to finish the session before token expires.
POST https://<httpURL>/auth/token/revoke
{
"accessToken": "string"
}
Parameter | Description |
---|---|
accessToken | The access token you get in the sign-in process. |
{
"message": "string"
}
Parameter | Description |
---|---|
message | Message with sign out confirmation. It is always: Signed out |
You will get an HTTP status code different from 2XX and a body with a message telling you the reason of the error.
Example: Invalid access token specified
{
"error": {
"type": "NotAuthorizedException",
"message": "Invalid Access Token"
}
}
Users can call this endpoint to refresh the access token.
POST https://<httpURL>/auth/token/refresh
Refresh-token request body
{
"refreshToken": "string"
}
Parameter | Description |
---|---|
refreshToken | The token you can use to get a new access token after it has expired. |
{
"accessToken": "string",
"expiresIn": "string",
"refreshToken": "string",
"tokenType": "string"
}
Refresh token error response body example: Invalid refresh token specified
{
"error": {
"type": "NotAuthorizedException",
"message": "Invalid Refresh Token"
}
}
You will get a HTTP status code different from 2XX and a body with a message telling you the reason of the error.
In case the password is forgotten, users can initiate the password change process through this endpoint.
POST https://<httpURL>/auth/password/forgot
{
"username": "string"
}
Parameter | Description |
---|---|
username | The username of the user whose password you want to change. They must have previously signed up. |
{
"message": "string"
}
Parameter | Description |
---|---|
message | Confirmation message. It is always: "The confirmation code to change your password has been sent to: [USER_EMAIL]." |
You will get an HTTP status code different from 2XX and a body with a message telling you the reason of the error.
Example: User not found.
{
"error": {
"type": "UserNotFoundException",
"message": "Username/client id combination not found."
}
}
Using the code obtained from the email sent by the forgot password endpoint, users can change their password.
POST https://<httpURL>/auth/password/change
{
"username": "string",
"password": "string",
"confirmationCode": "string"
}
Parameter | Description |
---|---|
username | The username of the user you want to change the password. They must have signed up previously. |
password | The new password for sign in. |
confirmationCode | The confirmation code received in the user's email. |
{
"message": "string"
}
Parameter | Description |
---|---|
message | Confirmation Message. It is always: "Your password has been successfully changed." |
You will get an HTTP status code different from 2XX and a body with a message telling you the reason of the error.
Example: Confirmation Code is missing.
{
"error": {
"type": "MissingRequiredParameter",
"message": "Missing required key 'ConfirmationCode' in params"
}
}