import (
	"crypto/rsa"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"log"
	"os"
	"time"

	"github.com/aws/aws-sdk-go/service/cognitoidentityprovider"
	// NOTE: dgrijalva/jwt-go is archived and unmaintained; golang-jwt/jwt is
	// the maintained fork with the same API.
	"github.com/dgrijalva/jwt-go"
)
// ClientID is the Cognito app client id a request must present; it is
// compared against the single configured value in adminInitiateAuth.
type ClientID string

var (
	// signKey is the RSA private key used to sign issued tokens
	// (SignedString); populated in main from getPrivateKey.
	signKey *rsa.PrivateKey
	// clientID is the only app client id this mock accepts; populated in
	// main from the CLIENT_ID environment variable.
	clientID ClientID
)
// main wires the mock: it loads the RSA signing key from ./key.pem (fatal if
// that fails) and reads the single accepted app client id from CLIENT_ID.
// The "..." lines are parts of the function not shown in this excerpt.
//
// NOTE(review): if CLIENT_ID is unset, clientID stays "" and a request that
// omits ClientId passes the client-id check in adminInitiateAuth, because
// both sides compare as the empty string. Set CLIENT_ID for every run.
func main() {
...
// err is assumed to be declared in the elided section above.
signKey, err = getPrivateKey()
if err != nil {
panic(err)
}
clientID = ClientID(os.Getenv("CLIENT_ID"))
...
}
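// getPrivateKey loads the RSA signing key from ./key.pem (relative to the
// process working directory) and parses it as a PEM-encoded private key.
//
// Read and parse errors are returned wrapped with the file path so a
// startup failure names the file at fault.
//
// Security note: the file is read with no permission or key-size check;
// anyone who can write ./key.pem can mint tokens that verify against this
// key. Keep it 0600, out of any served directory, and out of version control.
func getPrivateKey() (*rsa.PrivateKey, error) {
	const keyPath = "./key.pem"

	pemBytes, err := ioutil.ReadFile(keyPath)
	if err != nil {
		return nil, fmt.Errorf("reading signing key %q: %w", keyPath, err)
	}
	key, err := jwt.ParseRSAPrivateKeyFromPEM(pemBytes)
	if err != nil {
		return nil, fmt.Errorf("parsing signing key %q: %w", keyPath, err)
	}
	return key, nil
}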
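// ToToken builds an unsigned RS256 JWT for u; callers sign it with
// SignedString(signKey). The "kid" header is set to jwkKeyID (defined
// outside this excerpt), which must match the key id the JWKS endpoint
// advertises or verifiers will not find the key.
//
// Claims set: iat (now), exp (now + accessTokenTTL), sub (u.UUID) and
// email (u.Email). Cognito-issued tokens also carry iss, token_use,
// client_id and username; those are not set here, so a consumer that
// validates them will reject these tokens.
//
// userPoolID is currently unused; it is presumably intended for an iss
// claim — TODO confirm against the issuer the mock's JWKS endpoint serves.
func (u User) ToToken(userPoolID UserPoolID) *jwt.Token {
	// Ten-year lifetime: convenient for a local mock, far too long for
	// anything reachable beyond a developer machine. Adjust here.
	const accessTokenTTL = 10 * 365 * 24 * time.Hour

	// One timestamp so iat and exp derive from the same instant.
	now := time.Now()

	token := jwt.New(jwt.SigningMethodRS256)
	token.Header["kid"] = jwkKeyID

	claims := token.Claims.(jwt.MapClaims)
	claims["iat"] = now.Unix()
	claims["exp"] = now.Add(accessTokenTTL).Unix()
	claims["sub"] = u.UUID
	claims["email"] = u.Email
	return token
}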
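// authParamValue returns the value of key in an AdminInitiateAuth
// AuthParameters map, or "" when the key is absent or its value is nil.
func authParamValue(params map[string]*string, key string) string {
	if v, ok := params[key]; ok && v != nil {
		return *v
	}
	return ""
}

// adminInitiateAuth handles a JSON-encoded AdminInitiateAuthInput and, on
// success, returns a JSON-encoded AdminInitiateAuthOutput carrying a signed
// access token for the authenticated user.
//
// Only the ADMIN_NO_SRP_AUTH flow is implemented; every other flow is
// rejected. The request must carry the configured client id, and the user
// must exist in the pool with a verified email and a matching password.
//
// Security notes for anyone reusing this beyond a local mock:
//   - Passwords are compared in plain text against the stored value, i.e.
//     the user store keeps them unhashed.
//   - The distinct "user not found" / "email not verified" / "password not
//     match" errors let a caller enumerate accounts; real Cognito collapses
//     them into a single NotAuthorizedException when user-existence errors
//     are suppressed.
//   - Only AccessToken is returned; IdToken, RefreshToken, TokenType and
//     ExpiresIn are left unset.
func adminInitiateAuth(body []byte) ([]byte, error) {
	var in cognitoidentityprovider.AdminInitiateAuthInput
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}

	// TODO: only ADMIN_NO_SRP_AUTH is supported so far.
	if in.AuthFlow == nil || *in.AuthFlow != cognitoidentityprovider.AuthFlowTypeAdminNoSrpAuth {
		return nil, fmt.Errorf("invalid auth flow")
	}

	var cID ClientID
	if in.ClientId != nil {
		cID = ClientID(*in.ClientId)
	}
	// An empty id is rejected outright so a missing ClientId cannot match an
	// unconfigured (empty) clientID.
	if cID == "" || cID != clientID {
		return nil, fmt.Errorf("invalid client id")
	}

	var userPoolID UserPoolID
	if in.UserPoolId != nil {
		userPoolID = UserPoolID(*in.UserPoolId)
	}

	username := Username(authParamValue(in.AuthParameters, "USERNAME"))
	password := authParamValue(in.AuthParameters, "PASSWORD")

	u, ok := userPool.GetUser(userPoolID, username)
	if !ok {
		return nil, fmt.Errorf("user not found")
	}
	if !u.EmailVerified {
		return nil, fmt.Errorf("email not verified")
	}

	// Constant-time comparison so timing does not reveal how many leading
	// bytes of the submitted password were correct.
	if subtle.ConstantTimeCompare([]byte(u.Password), []byte(password)) != 1 {
		return nil, fmt.Errorf("password not match")
	}

	tokenString, err := u.ToToken(userPoolID).SignedString(signKey)
	if err != nil {
		return nil, err
	}
	return json.Marshal(cognitoidentityprovider.AdminInitiateAuthOutput{
		AuthenticationResult: &cognitoidentityprovider.AuthenticationResultType{
			AccessToken: &tokenString,
		},
	})
}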