in Modules/token-path.js [26:113]
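// Grant type under which a device code is exchanged for tokens.
const DEVICE_CODE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";

/**
 * Handles a POST on /token.
 *
 * Looks up the Cognito app client named by the client_id query parameter and
 * authenticates the caller against it. A request carrying an Authorization
 * header is treated as a private (confidential) client: it must use the Basic
 * scheme, its client id must equal both the client_id query parameter and the
 * configured app client id, and its secret must equal the configured secret.
 * A request without an Authorization header is treated as a public client and
 * is accepted only when the query client_id matches the configured app client
 * and that app client has no secret. Authenticated requests are then routed
 * by grant type (see dispatchTokenRequest).
 *
 * @param {object} event API Gateway event; reads queryStringParameters
 *   (client_id, device_code, grant_type) and headers.authorization. Both
 *   containers may be null/absent.
 * @param {function} callback Lambda callback. Every path settles it exactly
 *   once: via requestSetOfCodes / requestJWTs on success, or via
 *   common.returnJSONError with 401 on any configuration or authentication
 *   failure and 405 on an unsupported parameter combination.
 */
function processPostRequest(event, callback) {
  // API Gateway passes null for an absent query string / header map.
  const query = event.queryStringParameters || {};
  const headers = event.headers || {};
  const clientId = query.client_id;

  //Preparing the request to acquire Cognito Client App configuration
  const params = {
    ClientId: clientId,
    UserPoolId: process.env.CUP_ID,
  };

  //Acquiring Cognito Client App configuration
  common.cognitoidentityserviceprovider.describeUserPoolClient(params, function (err, data) {
    if (err) {
      console.log("There was an error acquiring the Cognito Client App configuration " + clientId);
      console.log(err, err.stack);
      common.returnJSONError(401, callback);
      return;
    }
    console.log("Acquired Cognito Client App Configuration");
    const appClient = data.UserPoolClient;
    const authorization = headers.authorization;

    // An Authorization header has been provided, so this is a OAuth2 private client
    if (authorization) {
      console.log("this is a Private Client");

      if (!authorization.startsWith("Basic ")) {
        console.log("Authorization header is using an unsupported authentication scheme");
        console.log("POST Call on /token with invalid client_id");
        common.returnJSONError(401, callback);
        return;
      }
      console.log("Private Client has a Basic Authorizaiton header");
      const credentials = parseBasicCredentials(authorization);

      // The header must name the same client as the query string, so a caller
      // cannot authenticate as one app client while acting on another.
      if (credentials.clientId === "" || credentials.clientId !== clientId) {
        console.log("Authorization header Client Id does not match paramater Client Id");
        console.log("POST Call on /token with invalid client_id");
        common.returnJSONError(401, callback);
        return;
      }

      // Header must match the Cognito Client App configuration (id and secret).
      if (credentials.clientId !== appClient.ClientId
          || !secretsMatch(credentials.clientSecret, appClient.ClientSecret)) {
        console.log("Authorization header is unvalid");
        console.log("POST Call on /token with invalid client_id");
        common.returnJSONError(401, callback);
        return;
      }

      console.log("Authorization header is valid");
      dispatchTokenRequest(event, callback);
      return;
    }

    // Otherwise this is a OAuth2 public client: only an app client without a
    // secret may be used this way. The original code compared a variable that
    // is only assigned on the private-client path, so public clients were
    // always rejected; the query client_id is the value to check here.
    // ClientSecret being absent or "" both mean "no secret".
    const hasSecret = typeof appClient.ClientSecret === 'string' && appClient.ClientSecret !== "";
    if (clientId !== appClient.ClientId || hasSecret) {
      console.log("Cognito Client App configuration is a private client while request try to pass as a public client");
      console.log("POST Call on /token with invalid client_id");
      common.returnJSONError(401, callback);
      return;
    }

    console.log("Cognito Client App configuration is valid");
    dispatchTokenRequest(event, callback);
  });
}

/**
 * Splits the credential part of a "Basic <base64>" Authorization header into
 * its client id and secret. Only the first ':' separates the two, so a secret
 * containing ':' is kept intact; without any ':' the secret is undefined.
 *
 * @param {string} authorization Header value; caller guarantees the "Basic " prefix.
 * @returns {{clientId: string, clientSecret: (string|undefined)}}
 */
function parseBasicCredentials(authorization) {
  const decoded = common.base64Decode(authorization.slice("Basic ".length));
  const separator = decoded.indexOf(':');
  if (separator === -1) {
    return { clientId: decoded, clientSecret: undefined };
  }
  return {
    clientId: decoded.slice(0, separator),
    clientSecret: decoded.slice(separator + 1),
  };
}

/**
 * Compares a presented client secret with the configured one without
 * short-circuiting on the first differing byte (a plain == / === comparison
 * returns as soon as it finds a mismatch). Both values must be non-empty
 * strings; the only early exit is on differing length.
 * NOTE(review): prefer crypto.timingSafeEqual here once the module imports 'crypto'.
 *
 * @param {*} presented Secret taken from the Authorization header.
 * @param {*} expected Secret from the Cognito app client configuration.
 * @returns {boolean}
 */
function secretsMatch(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') {
    return false;
  }
  if (presented === "" || expected === "") {
    return false;
  }
  const a = Buffer.from(presented, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  if (a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i += 1) {
    diff |= a[i] ^ b[i];
  }
  return diff === 0;
}

/**
 * Routes an already-authenticated POST on /token by its query parameters:
 * no device_code and no grant_type -> request for a set of codes;
 * a non-empty device_code with the device_code grant_type -> request for JWTs;
 * anything else -> 405 via common.returnJSONError.
 *
 * @param {object} event API Gateway event.
 * @param {function} callback Lambda callback, settled by the callee.
 */
function dispatchTokenRequest(event, callback) {
  const query = event.queryStringParameters || {};
  if (!query.device_code && !query.grant_type) {
    // If it is a POST on /token with valid client_id but no code parameter and no grant type, this is a request for codes
    requestSetOfCodes(event, callback);
  } else if (query.device_code && query.grant_type === DEVICE_CODE_GRANT_TYPE) {
    // If it is a POST on /token with valid client_id, a code parameter, and the device_code grant type, this is a request to get JWTs with a device code
    requestJWTs(event, callback);
  } else {
    // If it is a POST on /token with valid client_id but missing a
    // code parameter or a grant type being "urn:ietf:params:oauth:grant-type:device_code",
    // this is a bad request
    console.log("POST Call on /token with valid client_id but missing code or correct grant type");
    common.returnJSONError(405, callback);
  }
}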