I am using AWS amplify for user authentication on my front-end React app. My React app directly communicates with amplify without any backend(node server) interaction.
I have a REST API written in node/express. I want to secure that API using amplify.
Currently, I am planning to pass the access token from my react app to my node server. But I am unable to find a way through which I can verify this token on the backend using amplify.
Does aws-amplify package provide any function in which I can pass the access token to verify it?
Something like Auth.verifyToken(<access_token>)
AWS Amplify uses User Pools to store your user information and handle authorization, and it leverages Federated Identities to manage user access to AWS Resources, for example allowing a user to upload a file to an S3 bucket.
To manually deploy an app from Amazon S3 or a public URLSign in to the AWS Management Console and open the Amplify console . At the top of the page, choose Get started. In the Deliver section, choose Get started. On the Host your web app page, choose Deploy without Git provider.
Unfortunately, there is no such method available in official aws-amplify SDK. After doing a lot of research I had to write my own middleware for that. This is not that difficult as it may seem but the only difficult part is to gather the right information from the huge AWS documentation.
I 've written this middleware to achieve the same, Hope this helps
import axios from 'axios'
import awsconfig from '../../aws-exports';
const COGNITO_URL = `https://cognito-idp.${awsconfig.aws_project_region}.amazonaws.com/`;
const authentication = async (req, res, next) => {
    try {
        const accessToken = req.headers.authorization.split(" ")[1];
        const { data } = await axios.post(
            COGNITO_URL,
            {
                AccessToken: accessToken
            },
            {
                headers: {
                    "Content-Type": "application/x-amz-json-1.1",
                    "X-Amz-Target": "AWSCognitoIdentityProviderService.GetUser"
                }
            }
        )
        req.user = data;
        next();
    } catch (error) {
        return res.status(401).json({
            message: 'Auth failed'
        });
    }
};
export default authentication;
This middleware takes the authorization header and verifies the incoming accessToken using AWS Cognito REST API.
In order to get accessToken on your front-end you can do something like this:
const { accessToken: { jwtToken } } = await Auth.currentSession();
This jwtToken is your accessToken you can send this in your Authorization header and then verify this in the backend using the middleware I've written.
AWS actually has this documented pretty well. I have written a gist on a middleware I wrote to validate AWS Cognito tokens in my express.js server.
Essentially, when you create a User Pool in Amazon, AWS creates a JSON Web Key (JWK). The JWT contains a public key you can use to verify the signature of a JWT.
At a high level in Javascript:
import jwt from "jsonwebtoken";
const authToken = getJwtFromHeader(request);
// please remember to verify the "iss" claim and "exp" claim!
validateAuthToken(authToken);
// convert a jwk to a PEM for use by OpenSSL or crypto
const jwk = getJwkFromAWS();
const pem = jwkToPem(jwk);
// verify the signature of the token using the public key from AWS
await jwt.verify(authToken, pem, {algorithms: ['RS256']}, (err, decoded) =>{
  console.log('decoded', decoded);
  // TODO -- verify claims from decoded token
}); 
My GIST for a full express.js implementation: https://gist.github.com/fourgates/92dc769468497863168417c3524e24dd
AWS Resources:
https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With