in lambda/decode-verify-jwt-get.ts [184:302]
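/**
 * Exchanges a Cognito authorization code (or refresh token) for tokens,
 * verifies the returned access token and creates the user record on first
 * login.
 *
 * Query parameters read from `event`: `code` (authorization_code grant) or,
 * when `code` is absent, `refresh` (refresh_token grant). Environment
 * variables read: COGNITO_REDIRECT_URI, COGNITO_DOMAIN_PREFIX,
 * COGNITO_APP_CLIENT_ID, COGNITO_REGION.
 *
 * Secrets (authorization code, refresh token, the token endpoint response)
 * are deliberately never written to the log; only non-secret metadata is.
 *
 * @param event API Gateway event whose query string carries `code` or `refresh`.
 * @returns A success response with `idToken`, `refreshToken`, `username` and
 *   `expiresIn`, or a failure response with the appropriate status code.
 *   Unexpected exceptions are converted to a failure response via `this.failure`.
 */
public async handle(event: APIGatewayEvent): Promise<APIEventResponse> {
  try {
    const redirectUri = util.getEnv('COGNITO_REDIRECT_URI');
    const cognitoDomainPrefix = util.getEnv('COGNITO_DOMAIN_PREFIX');
    const cognitoClientId = util.getEnv('COGNITO_APP_CLIENT_ID');
    const cognitoRegion = util.getEnv('COGNITO_REGION');
    const tokenEndpoint =
      `https://${cognitoDomainPrefix}.auth.${cognitoRegion}.` +
      `amazoncognito.com/oauth2/token`;
    console.log(`tokenEndpoint: ${tokenEndpoint}`);

    if (!event.queryStringParameters) {
      return this.failure(null, 400, 'Missing code query string parameter');
    }
    const code = event.queryStringParameters.code;
    // NOTE(review): the refresh token arrives on the query string of a GET;
    // query strings are routinely captured in access logs and browser
    // history, so a header or POST body would be a safer carrier for it.
    const refresh = event.queryStringParameters.refresh;

    // Build the form body for the Cognito TOKEN endpoint. `code` takes
    // precedence; without it we need `refresh` for a refresh_token grant.
    let postData: Record<string, string>;
    if (code) {
      // Do not log the code itself: it is a one-time credential.
      console.log('Exchanging authorization code for tokens');
      postData = {
        grant_type: 'authorization_code',
        client_id: cognitoClientId,
        code,
        redirect_uri: redirectUri
      };
    } else {
      if (!refresh) {
        return this.failure(null, 401, 'No refresh token');
      }
      // Do not log the refresh token: it is a long-lived credential.
      console.log('Refreshing tokens with refresh_token grant');
      postData = {
        grant_type: 'refresh_token',
        client_id: cognitoClientId,
        refresh_token: refresh
      };
    }

    // Call the Cognito TOKEN endpoint
    const resp = await axios.default({
      method: 'post',
      url: tokenEndpoint,
      data: qs.stringify(postData),
      headers: {
        'content-type': 'application/x-www-form-urlencoded;charset=utf-8'
      }
    });
    const token = resp.data;
    // The response carries bearer tokens (access_token, id_token,
    // refresh_token); log only non-secret metadata about it.
    console.log(
      `token endpoint response: expires_in=${token.expires_in}, ` +
      `has_refresh_token=${Boolean(token.refresh_token)}`
    );

    // Verify the access token
    const result = await verify(token.access_token);
    // The full result also carries profile fields (email, names); keep the
    // log to the two values this handler decides on.
    console.info(`verify result: isValid=${result.isValid}, userName=${result.userName}`);
    if (!result.isValid) {
      return this.failure(result.error, 500, 'Token validation failed');
    }
    if (!result.userName) {
      return this.failure(null, 500, 'Missing userName');
    }

    // With federated access, this might be the first time we've
    // seen this user. Save a new user record for a first login.
    const existingUser = await this.db.userGetByUsername(result.userName);
    if (!existingUser) {
      console.log(`First time login for ${result.userName}`);
      // Fall back to the username for any profile field the IdP did not supply.
      const newUser = {
        emailAddress: result.email || result.userName + '@example.com',
        username: result.userName,
        firstName: result.firstName || result.userName,
        lastName: result.lastName || result.userName
      } as User;
      const userId = await this.db.userSave(newUser);
      console.log(`Created user ${userId} for ${result.userName}`);
    } else {
      console.log(`Returning user ${result.userName}`);
    }

    // Both isValid and userName were checked above, so this is the success path.
    return this.success({
      idToken: token.id_token,
      // Only the authorization_code grant returns a refresh token; on a
      // refresh_token grant the caller's own token is handed back.
      refreshToken: token.refresh_token || refresh,
      username: result.userName,
      expiresIn: token.expires_in
    });
  } catch (ex) {
    return this.failure(ex);
  }
}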