yutakahashi114 · June 28, 2021 13:49
diff --git a/cognito_admin_initiate_auth.go b/cognito_admin_initiate_auth.go
 import (
 	"crypto/rsa"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"time"

 	"github.com/aws/aws-sdk-go/service/cognitoidentityprovider"
 	"github.com/dgrijalva/jwt-go"
 )

 var signKey *rsa.PrivateKey
 var clientID ClientID

 type ClientID string

 func main() {
  	...
 	
 	
 	signKey, err = getPrivateKey()
 	if err != nil {
 		panic(err)
 	}
 	
 	clientID = ClientID(os.Getenv("CLIENT_ID"))
 	
  	...
 }

 func getPrivateKey() (*rsa.PrivateKey, error) {
 	signBytes, err := ioutil.ReadFile("./key.pem")
 	if err != nil {
 		return nil, err
 	}
 	return jwt.ParseRSAPrivateKeyFromPEM(signBytes)
 }

 func (u User) ToToken(userPoolID UserPoolID) *jwt.Token {
 	token := jwt.New(jwt.SigningMethodRS256)
 	token.Header["kid"] = jwkKeyID

 	claims := token.Claims.(jwt.MapClaims)
 	claims["iat"] = time.Now().Unix()
 	claims["exp"] = time.Now().Add(time.Hour * 24 * 365 * 10).Unix()
 	claims["sub"] = u.UUID
 	claims["email"] = u.Email
 	return token
 }

 func adminInitiateAuth(body []byte) ([]byte, error) {
 	in := cognitoidentityprovider.AdminInitiateAuthInput{}
 	err := json.Unmarshal(body, &in)
 	if err != nil {
 		return nil, err
 	}
 	// TODO: まだ ADMIN_NO_SRP_AUTH だけ
 	if in.AuthFlow == nil || *in.AuthFlow != cognitoidentityprovider.AuthFlowTypeAdminNoSrpAuth {
 		return nil, fmt.Errorf("invalid auth flow")
 	}

 	var cID ClientID
 	if in.ClientId != nil {
 		cID = ClientID(*in.ClientId)
 	}
 	if cID != clientID {
 		return nil, fmt.Errorf("invalid client id")
 	}

 	var userPoolID UserPoolID
 	if in.UserPoolId != nil {
 		userPoolID = UserPoolID(*in.UserPoolId)
 	}
 	var username Username
 	if u, ok := in.AuthParameters["USERNAME"]; ok && u != nil {
 		username = Username(*u)
 	}
 	u, ok := userPool.GetUser(
 		userPoolID,
 		username,
 	)
 	if !ok {
 		return nil, fmt.Errorf("user not found")
 	}
 	if !u.EmailVerified {
 		return nil, fmt.Errorf("email not verified")
 	}

 	var password string
 	if p, ok := in.AuthParameters["PASSWORD"]; ok && p != nil {
 		password = *p
 	}
 	if u.Password != password {
 		return nil, fmt.Errorf("password not match")
 	}

 	tokenString, err := u.ToToken(userPoolID).SignedString(signKey)
 	if err != nil {
 		return nil, err
 	}
 	return json.Marshal(cognitoidentityprovider.AdminInitiateAuthOutput{
 		AuthenticationResult: &cognitoidentityprovider.AuthenticationResultType{
 			AccessToken: &[]string{tokenString}[0],
 		},
 	})
 }
	import (
	"crypto/rsa"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"log"
	"time"

	"github.com/aws/aws-sdk-go/service/cognitoidentityprovider"
	"github.com/dgrijalva/jwt-go"
	)

	var signKey *rsa.PrivateKey
	var clientID ClientID

	type ClientID string

	func main() {
	...


	signKey, err = getPrivateKey()
	if err != nil {
	panic(err)
	}

	clientID = ClientID(os.Getenv("CLIENT_ID"))

	...
	}

	func getPrivateKey() (*rsa.PrivateKey, error) {
	signBytes, err := ioutil.ReadFile("./key.pem")
	if err != nil {
	return nil, err
	}
	return jwt.ParseRSAPrivateKeyFromPEM(signBytes)
	}

	func (u User) ToToken(userPoolID UserPoolID) *jwt.Token {
	token := jwt.New(jwt.SigningMethodRS256)
	token.Header["kid"] = jwkKeyID

	claims := token.Claims.(jwt.MapClaims)
	claims["iat"] = time.Now().Unix()
	claims["exp"] = time.Now().Add(time.Hour * 24 * 365 * 10).Unix()
	claims["sub"] = u.UUID
	claims["email"] = u.Email
	return token
	}

	func adminInitiateAuth(body []byte) ([]byte, error) {
	in := cognitoidentityprovider.AdminInitiateAuthInput{}
	err := json.Unmarshal(body, &in)
	if err != nil {
	return nil, err
	}
	// TODO: まだ ADMIN_NO_SRP_AUTH だけ
	if in.AuthFlow == nil \|\| *in.AuthFlow != cognitoidentityprovider.AuthFlowTypeAdminNoSrpAuth {
	return nil, fmt.Errorf("invalid auth flow")
	}

	var cID ClientID
	if in.ClientId != nil {
	cID = ClientID(*in.ClientId)
	}
	if cID != clientID {
	return nil, fmt.Errorf("invalid client id")
	}

	var userPoolID UserPoolID
	if in.UserPoolId != nil {
	userPoolID = UserPoolID(*in.UserPoolId)
	}
	var username Username
	if u, ok := in.AuthParameters["USERNAME"]; ok && u != nil {
	username = Username(*u)
	}
	u, ok := userPool.GetUser(
	userPoolID,
	username,
	)
	if !ok {
	return nil, fmt.Errorf("user not found")
	}
	if !u.EmailVerified {
	return nil, fmt.Errorf("email not verified")
	}

	var password string
	if p, ok := in.AuthParameters["PASSWORD"]; ok && p != nil {
	password = *p
	}
	if u.Password != password {
	return nil, fmt.Errorf("password not match")
	}

	tokenString, err := u.ToToken(userPoolID).SignedString(signKey)
	if err != nil {
	return nil, err
	}
	return json.Marshal(cognitoidentityprovider.AdminInitiateAuthOutput{
	AuthenticationResult: &cognitoidentityprovider.AuthenticationResultType{
	AccessToken: &[]string{tokenString}[0],
	},
	})
	}