Cognito Support?

There is documentation stating that Jets supports Cognito User Pools, but there aren't any examples of how to use it?

How would I use Jets for an existing Cognito User Pool?


Currently don't have detailed docs for this yet. It was a contributor PR that added support at the API Gateway routing layer: https://github.com/tongueroo/jets/pull/74/files. So I believe he's using it.

When you set config.api.authorization_type, it sets the AuthorizationType on the API Gateway method: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html#cfn-apigateway-method-authorizationtype. Will need to play with it more to figure it out, actually. If you figure it out, I'm interested.

I'll give it a shot, and if I get it working I'll let you know.

I'm using Cognito to restrict access to the resources created by Jets. As @tung mentions, from a Jets configuration it is as simple as setting config.api.authorization_type = 'AWS_IAM'.

For this all to work you will need the following:

Cognito user pool

Cognito Identity Pool

  • Add your user pool as an authentication provider for this identity pool
  • Create a role/policy for unauthenticated users and attach it
  • Create a role/policy for authenticated users and attach it. The policy on the role needs the following permission for your API: "execute-api:Invoke"

So now, once you have a user authenticate through your user pool, they will be assigned the Authenticated Role created above. If you are using the AWS Amplify API, it will automatically put the appropriate AWS SigV4 header values needed to make it past API Gateway.
It should be as simple as that, at least for my use case of locking down the API to authenticated users. I'm not doing any more than that right now.

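The post above says the authenticated role needs "execute-api:Invoke" but does not show the policy or how tightly to scope it. The following is an added example, not code from the post or from the Jets project: it writes the least-privilege policy for the authenticated role (Invoke only, on one API and stage), an empty policy for the unauthenticated role, and a small evaluator that mimics how IAM matches that policy against the method ARN API Gateway authorizes. The region, account id, API id and stage are assumed placeholders.

```ruby
require "json"

# Assumed placeholder identifiers; replace with your own region, account, API id and stage.
REGION     = "us-east-1"
ACCOUNT_ID = "123456789012"
API_ID     = "abcdef1234"
STAGE      = "dev"

# Least-privilege policy for the *authenticated* Cognito role: only execute-api:Invoke,
# and only on this API's stage (every method and path under it). Do not use
# "Resource": "*" here, or the role can call every API in the account.
AUTHENTICATED_ROLE_POLICY = {
  "Version" => "2012-10-17",
  "Statement" => [
    {
      "Effect"   => "Allow",
      "Action"   => "execute-api:Invoke",
      "Resource" => "arn:aws:execute-api:#{REGION}:#{ACCOUNT_ID}:#{API_ID}/#{STAGE}/*/*"
    }
  ]
}.freeze

# The unauthenticated role gets no execute-api permission at all: guests still
# receive temporary credentials from the identity pool, but API Gateway answers 403.
UNAUTHENTICATED_ROLE_POLICY = {
  "Version" => "2012-10-17",
  "Statement" => []
}.freeze

# Turn an IAM action/resource pattern ("*" and "?" wildcards) into an anchored Regexp.
def iam_pattern(pattern)
  Regexp.new("\\A" + Regexp.escape(pattern).gsub('\*', ".*").gsub('\?', ".") + "\\z")
end

# Minimal IAM evaluation of one action on one resource: an explicit Deny wins,
# otherwise any matching Allow grants, otherwise the request is implicitly denied.
def policy_allows?(policy, action, resource)
  allowed = false
  policy.fetch("Statement").each do |st|
    actions   = Array(st["Action"])
    resources = Array(st["Resource"])
    next unless actions.any? { |a| iam_pattern(a).match?(action) }
    next unless resources.any? { |r| iam_pattern(r).match?(resource) }
    return false if st["Effect"] == "Deny"
    allowed = true if st["Effect"] == "Allow"
  end
  allowed
end

# The method ARN API Gateway checks for one request: api-id/stage/HTTP-VERB/path.
def method_arn(http_method, path, stage: STAGE)
  "arn:aws:execute-api:#{REGION}:#{ACCOUNT_ID}:#{API_ID}/#{stage}/#{http_method}#{path}"
end

if __FILE__ == $0
  puts JSON.pretty_generate(AUTHENTICATED_ROLE_POLICY)
  puts "GET /devices on #{STAGE}: #{policy_allows?(AUTHENTICATED_ROLE_POLICY, 'execute-api:Invoke', method_arn('GET', '/devices'))}"
  puts "GET /devices on prod:    #{policy_allows?(AUTHENTICATED_ROLE_POLICY, 'execute-api:Invoke', method_arn('GET', '/devices', stage: 'prod'))}"
end
```

The stage in the resource ARN matters: a role scoped to `dev` cannot invoke the same API's `prod` stage, and a role whose only statement is for another action (for example `execute-api:ManageConnections`) cannot invoke anything.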

I found this helpful, thanks! I also found a slightly simpler way to leverage Cognito to limit access to API resources to logged-in users, and also to know the identity of the user within the controller, so I thought I'd share.

You can use a Cognito Authorizer without the extra complexity of creating an Identity Pool with roles and policies. Set up the Cognito Authorizer as described in the docs and connect it to a route or controller.

Then, in your API requests, set the Authorization header to the Cognito idToken.jwtToken. Only requests with a valid token will succeed. Now, in the Jets controller, you can access the user's identity with event['requestContext']['authorizer']['claims'].

In my case, I’m using AWS Amplify in a mobile app as the client to my Jets server API. I also had to enable CORS to get this to work:

Jets.application.configure do
  ...
  config.cors = true
  config.api.cors_authorization_type = "NONE"
end

Then in my Amplify mobile app, define the API like this to populate the header:

Amplify.configure({
  API: {
    endpoints: [
      {
        name: "Devices",
        endpoint: "https://xxxxxxxxx.execute-api.us-east-1.amazonaws.com/dev",
        custom_header: async () => { 
          return { Authorization: `${(await Auth.currentSession()).getIdToken().getJwtToken()}` }
        }
      }
    ]
  }
})
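The post above reads the user's identity from event['requestContext']['authorizer']['claims'] but does not show what that looks like or what to check. The following is an added example, not code from the post or from the Jets project, and it does not depend on the Jets runtime: it builds a constructed sample of the proxy event a Cognito-Authorizer-protected route delivers, pulls a current user out of the claims, and shows two controller-style actions, one that only needs an authenticated user and one that also requires the "admins" group. The claim values and the app client id are assumed placeholders; the event shape is the standard API Gateway proxy format.

```ruby
require "json"

# Constructed sample of the proxy event a route guarded by a Cognito Authorizer delivers.
# API Gateway has already verified the token's signature, issuer, audience and expiry
# before it populates these claims; the function never sees an unverified token here.
# All claim values are placeholders. API Gateway serialises every claim as a string,
# and the "cognito:groups" list shows up in a bracketed form, so it is parsed defensively.
AUTHENTICATED_EVENT = JSON.parse(<<~JSON)
  {
    "httpMethod": "GET",
    "path": "/devices",
    "requestContext": {
      "authorizer": {
        "claims": {
          "sub": "0f2a4d7c-1111-2222-3333-444455556666",
          "email": "alice@example.com",
          "cognito:username": "alice",
          "cognito:groups": "[admins operators]",
          "token_use": "id",
          "aud": "1h57kf5cpq17m0eml12EXAMPLE",
          "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
          "exp": "1700000000"
        }
      }
    }
  }
JSON

# With config.api.cors_authorization_type = "NONE", the CORS preflight reaches the
# function with no authorizer context at all, so nothing may assume claims exist.
PREFLIGHT_EVENT = {
  "httpMethod" => "OPTIONS",
  "path" => "/devices",
  "requestContext" => {}
}.freeze

EXPECTED_CLIENT_ID = "1h57kf5cpq17m0eml12EXAMPLE" # assumed app client id of the user pool

CurrentUser = Struct.new(:id, :email, :username, :groups)

# Accept the group claim as an array or as any of the string forms "[a b]", "a,b", "a b".
def parse_groups(value)
  case value
  when Array  then value.map(&:to_s)
  when String then value.delete("[]").split(/[,\s]+/).reject(&:empty?)
  else []
  end
end

# Returns a CurrentUser from the authorizer claims, or nil when the request did not
# pass through the Cognito Authorizer (no context) or carries the wrong kind of token.
def current_user_from(event)
  claims = event.dig("requestContext", "authorizer", "claims")
  return nil unless claims.is_a?(Hash) && claims["sub"]
  # The Amplify custom_header sends the ID token; an access token has token_use "access"
  # and carries no email, so refuse it rather than build a half-empty user.
  return nil unless claims["token_use"] == "id"
  # Defence in depth: the authorizer already checked aud, but pinning it here keeps an
  # authorizer that lists several app clients from silently widening who may call us.
  return nil unless claims["aud"] == EXPECTED_CLIENT_ID
  CurrentUser.new(claims["sub"], claims["email"], claims["cognito:username"],
                  parse_groups(claims["cognito:groups"]))
end

# Controller-style actions returning a status plus JSON-able body; in a real Jets
# controller these would be `render json:` calls reading the same `event`.
def devices_index(event)
  user = current_user_from(event)
  return { status: 401, body: { error: "unauthenticated" } } if user.nil?
  { status: 200, body: { owner: user.id, devices: [] } }
end

def devices_destroy(event)
  user = current_user_from(event)
  return { status: 401, body: { error: "unauthenticated" } } if user.nil?
  return { status: 403, body: { error: "admins only" } } unless user.groups.include?("admins")
  { status: 200, body: { deleted_by: user.username } }
end

if __FILE__ == $0
  puts devices_index(AUTHENTICATED_EVENT).inspect
  puts devices_destroy(AUTHENTICATED_EVENT).inspect
  puts devices_index(PREFLIGHT_EVENT).inspect
end
```

The point of the nil checks is that the claims are only trustworthy on routes the Cognito Authorizer actually guards; a route left at authorization type NONE (the preflight, or any route you forgot to attach the authorizer to) delivers no claims, and the code must fail closed rather than treat an empty hash as an anonymous-but-allowed user.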