@my-liminal-space/cw-validate-cognito-jwt

v1.0.1

Published

A library for verifying AWS Cognito JWT values in a Cloudflare Workers project

Downloads

2

Readme

Cloudflare Worker Validate Cognito JWT

Introduction

This "library" checks that a JWT created by AWS Cognito is valid for use within a particular Cloudflare Workers and Cloudflare KV based environment.

The code is very much based on AWS examples, making use of:

  • jwk-to-pem
  • jsonwebtoken

The validation checks are:

  • JWT has 3 non-zero length sections
  • Signature is valid against the payload (using public key)
  • Expiry date has not passed already
  • Issuer matches Cognito endpoint URL
  • Audience matches Cognito user pool app client id
  • Token use is "id"

The code makes use of KV to store each PEM encoded JWK by its kid.
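The checks listed above, applied in order, as an added example (not the library's own code, which uses jsonwebtoken and jwk-to-pem). It runs under Node.js with node:crypto, uses a Map in place of the KV namespace, and assumes Cognito's RS256 signing; the function name, reason strings, sample issuer, client id and key pair are constructed for illustration.

```javascript
// Added example. Runs under Node.js; a Map stands in for the Workers KV namespace.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const fail = (reason) => ({ ok: false, reason });
function decodeJson(part) { // base64url JSON object, or null if malformed
  try {
    const v = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
    return v !== null && typeof v === 'object' ? v : null;
  } catch { return null; }
}

// Hypothetical helper (not the library's code): applies the six checks in order.
// pemCache maps kid -> PEM public key; nowSec is the current time in epoch seconds.
function checkCognitoIdToken(issuer, appClientId, pemCache, jwt, nowSec) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return fail('structure');
  const header = decodeJson(parts[0]);
  const claims = decodeJson(parts[1]);
  if (!header || !claims) return fail('encoding');
  // Pin the algorithm so the token header cannot select "none" or an HMAC variant.
  if (header.alg !== 'RS256') return fail('alg');
  const pem = pemCache.get(header.kid);
  if (!pem) return fail('unknown kid');
  const signed = Buffer.from(parts[0] + '.' + parts[1]);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!nodeCrypto.verify('sha256', signed, pem, sig)) return fail('signature');
  // Claims are only trusted from here on, after the signature has verified.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return fail('expired');
  if (claims.iss !== issuer) return fail('issuer');
  if (claims.aud !== appClientId) return fail('audience');
  if (claims.token_use !== 'id') return fail('token_use');
  return { ok: true, claims };
}

// Constructed sample data: throwaway key pair, placeholder issuer and client id.
const ISSUER = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
const CLIENT_ID = 'exampleclientid123';
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const PEMS = new Map([['kid-1', publicKey.export({ type: 'spki', format: 'pem' })]]);
function makeToken(claims, header = { alg: 'RS256', kid: 'kid-1' }) {
  const signed = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(claims));
  const sig = nodeCrypto.sign('sha256', Buffer.from(signed), privateKey);
  return signed + '.' + sig.toString('base64url');
}
const demoNow = Math.floor(Date.now() / 1000);
const demoClaims = { iss: ISSUER, aud: CLIENT_ID, token_use: 'id', exp: demoNow + 300 };
console.log(checkCognitoIdToken(ISSUER, CLIENT_ID, PEMS, makeToken(demoClaims), demoNow));
```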

The primary method in the library is:

export async function validateCognitoJwt(cognitoEndpointUrl, appClientId, 
    kvInstance, cognitoJwt)

Where the parameters are:

cognitoEndpointUrl - from Cognito config, expected form:
    https://cognito-idp.<aws-region-x>.amazonaws.com/<aws-region-x>_<idstr>

appClientId - from Cognito user pool config (an alphanumeric string)

kvInstance - Binding name of KV instance used to cache PEM values

cognitoJwt - JWT instance to validate

It is assumed that cognitoEndpointUrl and appClientId will be configured as environment variables in the Workers app's wrangler.toml.

It is expected that the library will be included using a statement such as:

import { validateCognitoJwt } from 'cw-validate-cognito-jwt';

Development

The code lives in this GitHub repo.

Testing code that depends upon features of the Cloudflare Worker platform (such as client HTTP Fetch, which this code uses to fetch the public JWK from the Cognito endpoint) is "interesting"...

In order to build confidence that the code will work as expected, the approach taken is to test by deploying the lib along with a test harness into a live Cloudflare Workers app and point it at a real Cognito instance.

The test harness uses the built-in 'assert' library to demonstrate that the code works as intended.

The tests are triggered by running run-test.sh from a command line. This script requires:

  • The aws cli to be installed locally
  • Valid Cognito username and password credentials to be available as env vars

These are necessary as the script passes the username/password combo to the aws cli to generate a valid JWT, which is sent as a query string param to the test suite running in Cloudflare.

In the repo, the main library code is in the file 'check-jwt.js' and the test harness is in file 'test.js' with package.json 'main' set to 'test.js'. The tests can be deployed and run using the bash script 'run-test.sh' (tried on Ubuntu 18).

If you want to replicate the test environment, you will need to modify wrangler.toml to use your own values.

Distribution

When packaged for deployment (using pkg.sh), a new folder structure is created that sets up a package focussed on distribution, which means:

  • only check-jwt.js is included (renamed as index.js)
  • an alternative package.json is included, pointing to index.js