@berkorbay
Created February 17, 2021 07:35
AWS Cognito Simple Authentication with R
#######
#### This gist is a very quick way to implement just the authentication function. It is a minimal example.
#### You need an AWS IAM account and your AWS Cognito User Pool set up.
#### Check the steps in the description of https://github.com/chi2labs/cognitoR
#### After creating your user pool, click on App clients under General Settings on the left sidebar.
### Make sure "Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH)" is checked.
### Create a user from the interface for testing purposes. Let the username be "usertest" and the password be "passtest".
#######
#### Variables
## USER_USERNAME = "usertest" # Our test user's username (make it parametric for production)
## USER_PASSWORD = "passtest" # Our test user's password (make it parametric for production)
## COGNITO_APP_CLIENT_ID = "idididididi" # In the AWS Cognito panel, after creating your user pool, go to App clients. You will see your app client id there.
## COGNITO_APP_CLIENT_SECRET = "secsecsecsec" # In the AWS Cognito panel, after creating your user pool, go to App clients. You will see your app client secret there.
## AWS_ACCESS_KEY_ID = "keykeykeykeykey" # This is an IAM key id with Cognito privileges
## AWS_ACCESS_KEY_SECRET = "ksksksks" # This is an IAM key secret with Cognito privileges
## AWS_REGION = "eu-west-1" # This is the region where you set up your user pool
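library(paws)
#library(digest) # not attached: hmac() is called as digest::hmac() below, so the package only needs to be installed
library(base64enc)
# Cognito Identity Provider client, using the IAM key pair and region defined above
svc <- cognitoidentityprovider(
  config = list(
    region = AWS_REGION,
    credentials = list(
      creds = list(
        access_key_id = AWS_ACCESS_KEY_ID,
        secret_access_key = AWS_ACCESS_KEY_SECRET
      )
    )
  )
)
tryCatch({
  svc$initiate_auth(
    ClientId = COGNITO_APP_CLIENT_ID,
    AuthFlow = "USER_PASSWORD_AUTH",
    AuthParameters = list(
      USERNAME = USER_USERNAME,
      PASSWORD = USER_PASSWORD,
      # Base64 of HMAC-SHA256 over username + app client id, keyed with the app client secret
      SECRET_HASH = base64encode(digest::hmac(
        key = COGNITO_APP_CLIENT_SECRET,
        object = paste0(USER_USERNAME, COGNITO_APP_CLIENT_ID),
        algo = "sha256", serialize = FALSE, raw = TRUE
      ))
    )
  )
}, error = function(e) {
  # Print the error returned by Cognito or the client
  print(e)
})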
#########
### NOTES
#########
#### If successful, you will get a list with a bunch of tokens. Otherwise you will get an error.
#### Even after successful implementation, errors are informative (e.g. "No such username or password").
#### The complicated part was to create SECRET_HASH. It is the Base64 encoding of the HMAC-SHA256 of the username concatenated with the Cognito app client id, using your app client secret as the key. Thanks to the base64enc and digest packages.
#### This is only the start of authentication, but you can use it in your basic Shiny authentication procedures.
#### Remember, NO WARRANTIES. This is most probably not the safest or smartest way to apply authentication. Though, since all background communication will be between the Shiny server and Cognito, it can be quite safe.
#### As a general, gentle reminder: DO NOT DIRECTLY COPY PASTE YOUR AWS IAM (OR ANY) CREDENTIALS IN YOUR CODE! USE VARIABLES, FILES OR SECURE APPLICATIONS.
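#### Added example (not part of the original gist): the SECRET_HASH step as a function with an offline known-answer check, and the same initiate_auth call with every secret read from environment variables instead of the script.
#### The function names cognito_secret_hash, required_env and cognito_login are hypothetical, and the environment variable names are assumptions that mirror the gist's variable names.

```r
# Requires the digest and base64enc packages (and paws for cognito_login).

# SECRET_HASH = Base64(HMAC-SHA256(key = app client secret,
#                                  message = username followed by app client id))
cognito_secret_hash <- function(username, client_id, client_secret) {
  mac <- digest::hmac(key = client_secret, object = paste0(username, client_id),
                      algo = "sha256", serialize = FALSE, raw = TRUE)
  base64enc::base64encode(mac)
}

# Read a required setting from the environment and stop if it is missing,
# so an empty string is never sent as a credential.
required_env <- function(name) {
  value <- Sys.getenv(name, unset = "")
  if (!nzchar(value)) stop("Missing environment variable: ", name, call. = FALSE)
  value
}

# Known-answer check (runs offline): RFC 4231 test case 2 uses key "Jefe" and
# message "what do ya want for nothing?". The message is split in two here to
# stand in for username + client id (constructed inputs, not real identifiers).
kat <- cognito_secret_hash("what do ya want ", "for nothing?", "Jefe")
kat_hex <- paste(sprintf("%02x", as.integer(base64enc::base64decode(kat))), collapse = "")
stopifnot(identical(
  kat_hex, "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
))

# Same call as in the gist, with every secret taken from the environment.
# Environment variable names are assumptions that mirror the gist's variables.
cognito_login <- function(username, password) {
  client_id <- required_env("COGNITO_APP_CLIENT_ID")
  svc <- paws::cognitoidentityprovider(config = list(
    region = required_env("AWS_REGION"),
    credentials = list(creds = list(
      access_key_id = required_env("AWS_ACCESS_KEY_ID"),
      secret_access_key = required_env("AWS_ACCESS_KEY_SECRET")
    ))
  ))
  svc$initiate_auth(
    ClientId = client_id,
    AuthFlow = "USER_PASSWORD_AUTH",
    AuthParameters = list(
      USERNAME = username,
      PASSWORD = password,
      SECRET_HASH = cognito_secret_hash(
        username, client_id, required_env("COGNITO_APP_CLIENT_SECRET"))
    )
  )
}
```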