sungly · dependabot · Jan 8, 2021 · Jan 8, 2021
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ CLI for Cognito user life cycle management and basic user authentication to retr
 
 ## Requirements
 
--   ### AWS credentials
+-   AWS credentials
 
     When interacting with Amazon Cognito, it is a requirement to have aws credentials. There are a few methods available to you for getting these credentials. [Read here](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html).
 
@@ -18,9 +18,9 @@ CLI for Cognito user life cycle management and basic user authentication to retr
     aws_secret_access_key=
     ```
 
--   ### Enable USER_PASSWORD_AUTH on the app client
+-   Enable USER_PASSWORD_AUTH on the app client
 
-    General > App client > show details > `Enable SRP (secure remote password) protocol based authentication (ALLOW_USER_SRP_AUTH)`
+    General > App client > show details > `Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH)`
 
 ## Install
 
@@ -53,6 +53,8 @@ init                        # initializing the CLI
 
 login                       # retrieve access, id and refresh token via USER_PASSWORD_AUTH against a specified user pool in the config.
 
+srp-login                   # retrieve acesss, id and refresh token via SRP authentication.
+
 create-user                 # create a user profile using the `requiredAttributeList`
 
 confirm-user                # confirm user registration with a confirmation code

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -32,14 +32,15 @@
         "access": "public"
     },
     "dependencies": {
+        "amazon-user-pool-srp-client": "^1.0.4",
         "aws-sdk": "^2.667.0",
         "babel-cli": "^6.26.0",
         "bluebird": "^3.7.2",
         "dotenv": "^8.2.0",
         "jsonwebtoken": "^8.5.1",
         "minimist": "^1.2.5",
-        "prompt": "^1.0.0",
-        "winston": "latest"
+        "prompt": "^1.1.0",
+        "winston": "^3.3.3"
     },
     "devDependencies": {
         "@semantic-release/changelog": "^3.0.6",

diff --git a/src/cmds/authentication/srp-login.js b/src/cmds/authentication/srp-login.js
@@ -0,0 +1,117 @@
+import prompt from 'prompt';
+import { SRPClient, calculateSignature, getNowString } from 'amazon-user-pool-srp-client'
+
+import config from '../../config';
+import { logger, cognitoClient, addSecretHashToParams } from '../../util';
+
+function responseToSrpAuth({ 
+    ChallengeName, 
+    ChallengeParameters, 
+    userPoolId, 
+    clientId, 
+    clientSecret, 
+    password, 
+    srpClient 
+}) {
+    const hkdf = srpClient.getPasswordAuthenticationKey(
+        ChallengeParameters.USER_ID_FOR_SRP, 
+        password, ChallengeParameters.SRP_B, 
+        ChallengeParameters.SALT);
+    const dateNow = getNowString()
+    const signatureString = calculateSignature(
+            hkdf, 
+            userPoolId, 
+            ChallengeParameters.USER_ID_FOR_SRP, 
+            ChallengeParameters.SECRET_BLOCK, 
+            dateNow
+        );
+
+    const challengeResponses = {
+        PASSWORD_CLAIM_SIGNATURE: signatureString,
+        PASSWORD_CLAIM_SECRET_BLOCK: ChallengeParameters.SECRET_BLOCK,
+        TIMESTAMP: dateNow,
+        USERNAME: ChallengeParameters.USERNAME
+      }
+
+    const params = {
+        ClientId: clientId,
+        ChallengeName,
+        ChallengeResponses: addSecretHashToParams({ 
+            params: challengeResponses, 
+            clientId, 
+            clientSecret, 
+            username: ChallengeParameters.USERNAME 
+        })
+    }
+
+    return cognitoClient.respondToAuthChallenge(params).promise();
+}
+
+
+async function initiateSrpAuth({ username, clientId, clientSecret, srpClient }) {
+    const SRP_A = srpClient.calculateA()
+
+    const authParams = {
+        USERNAME: username,
+        SRP_A
+    }
+
+    const params = {
+        AuthFlow: 'USER_SRP_AUTH',
+        ClientId: clientId,
+        AuthParameters: addSecretHashToParams({ params: authParams, clientId, clientSecret, username })
+      };
+
+    return cognitoClient.initiateAuth(params).promise();    
+}
+
+
+export default function srpLogin() {
+    prompt.start();
+
+    prompt.get(
+        [
+            {
+                name: 'username',
+                required: true,
+            },
+            {
+                name: 'password',
+                hidden: true,
+            },
+        ],
+        async (err, result) => {
+            logger.info(`message: Logging in...`);
+
+            const { userPoolId, clientId, clientSecret } = config;
+
+            const poolId = userPoolId.split('_')[1];
+
+            const srpClient = new SRPClient(poolId)
+
+            try {
+                const { ChallengeName, ChallengeParameters } = await initiateSrpAuth({
+                    username: result.username, 
+                    clientId, 
+                    clientSecret,
+                    srpClient
+                }); 
+
+                const res = await responseToSrpAuth({
+                    ChallengeName,
+                    ChallengeParameters,
+                    userPoolId: poolId,
+                    clientId,
+                    clientSecret,
+                    username: result.username,
+                    password: result.password,
+                    srpClient
+                });
+
+                logger.info(res);
+            } catch (e) {
+                logger.error(e.message);
+            }
+        }
+    );
+}
diff --git a/src/cmds/login.js → ...mds/authentication/user-password-login.js b/src/cmds/login.js → ...mds/authentication/user-password-login.js
@@ -1,8 +1,7 @@
 import prompt from 'prompt';
 
-import { hash, cognitoClient } from '../util';
-import config from '../config';
-import logger from '../util/logger';
+import { hash, cognitoClient, logger} from '../../util';
+import config from '../../config';
 
 function clientSecretCheck({ username, password, clientId, clientSecret }) {
     const authParams = {

diff --git a/src/cmds/index.js b/src/cmds/index.js
@@ -1,10 +1,11 @@
 import minimist from 'minimist';
 
 import init from './init';
-import login from './login';
+import userPasswordAuthLogin from './authentication/user-password-login';
+import srpLogin from './authentication/srp-login';
 import UserCmd from './user';
 import TokenCmd from './token';
-import logger from '../util/logger';
+import {logger} from '../util';
 
 const userCmd = new UserCmd();
 const tokenCmd = new TokenCmd();
@@ -28,9 +29,14 @@ const cli = () => {
 
             break;
         case 'login':
-            logger.info('@NOTE: Only user password auth is supported ATM.');
+            logger.info('Logging in with user password auth');
+            userPasswordAuthLogin();
+            break;
+        case 'srp-login':
+            logger.info('Logging in with SRP');
+
+            srpLogin();
 
-            login();
             break;
         case 'create-user':
             logger.info('Creating user');

diff --git a/src/cmds/init.js b/src/cmds/init.js
@@ -2,7 +2,7 @@ import prompt from 'prompt';
 import fs from 'fs';
 import os from 'os';
 
-import logger from '../util/logger';
+import {logger} from '../util';
 
 function initCognitoConfig() {
     prompt.start();

diff --git a/src/cmds/token/index.js b/src/cmds/token/index.js
@@ -1,7 +1,7 @@
 import prompt from 'prompt';
 import jwt from 'jsonwebtoken';
 
-import logger from '../../util/logger';
+import {logger} from '../../util';
 
 class TokenCmd {
     decode() {

diff --git a/src/cmds/user/index.js b/src/cmds/user/index.js
@@ -3,7 +3,7 @@ import Promise from "bluebird";
 
 import config from '../../config';
 import { userService } from '../../services';
-import logger from '../../util/logger';
+import {logger} from '../../util';
 
 class UserCmd {
     createUser() {

diff --git a/src/services/CognitoService.js b/src/services/CognitoService.js
@@ -1,7 +1,7 @@
 import { cognitoClient } from '../util/cognitoClient';
 import config from '../config';
 import { hash } from '../util/hash';
-import logger from '../util/logger';
+import {logger} from '../util';
 
 class UserService {
     constructor({userPoolId, clientId, clientSecret}) {

diff --git a/src/util/hash.js b/src/util/hash.js
@@ -6,3 +6,15 @@ export function hash({ username, clientId, clientSecret }) {
         .update(username + clientId)
         .digest('base64');
 }
+
+export function addSecretHashToParams({ params, username, clientId, clientSecret }) {
+    if (clientSecret) {
+        params.SECRET_HASH = hash({
+            username,
+            clientId,
+            clientSecret,
+        });
+    }
+
+    return params;
+}
diff --git a/src/util/index.js b/src/util/index.js
@@ -1,3 +1,3 @@
 export * from './cognitoClient';
 export * from './hash';
-export * from './logger';
+export * from './logger';
diff --git a/src/util/logger.js b/src/util/logger.js
@@ -14,7 +14,7 @@ winston.addColors({
   error: 'red'
 });
 
-const logger = winston.createLogger({
+export const logger = winston.createLogger({
   transports: [
     new winston.transports.Console({
       level: 'info',
@@ -26,4 +26,3 @@ const logger = winston.createLogger({
   ]
 });
 
-export default logger;