We Keep Coding

Add role based authentication using next-auth in NextJS

I was implementing a role based authentication using next-auth v4 using CognitoProvider which I modified to add a role but the role attribute is not passed in the final session json
import NextAuth from "next-auth/next";
function CognitoProvider(options) {
return {
id: "cognito",
name: "Cognito",
type: "oauth",
wellKnown: `${options.issuer}/.well-known/openid-configuration`,
idToken: true,
profile(profile) {
console.log(profile);
return {
id: profile.sub,
name: profile.name,
email: profile.email,
image: profile.picture,
role: profile["cognito:groups"],
};
},
options,
};
}
export default NextAuth({
providers: [
CognitoProvider({
clientId: process.env.COGNITO_CLIENT_ID,
clientSecret: process.env.COGNITO_CLIENT_SECRET,
issuer: process.env.COGNITO_DOAMIN,
}),
],
callbacks: {
session: (props) => {
console.log(props);
return props.session;
},
},
});
Below is the console log of profile object
role: profile["cognito:groups"]
Actual Object
I have added a user to admin group and wanted him to access a specific route in my NextJS app.
Any help would be appreciated.

You need to configure the jwt and session callbacks to include more data in the session.
From Next-Auth docs:
If you want to make something available you added to the token [...] via the jwt() callback, you have to explicitly forward it here [the session() callback] to make it available to the client.
To add the user's role:
export default NextAuth({
// ...
callbacks: {
jwt({ token, account, profile }) {
if (account) {
// modify token
token.role = profile.role;
}
return token;
},
session({ session, token }) {
// Send properties to the client
if (session.user) {
// modify session
session.user.roles = token.role;
}
return session;
},
},
});
Then in your route, you would get the user's role from the session session.user.role

route53 returns forbidden for custom domain with API Gateway

I'm using AWS CDK to create an APIGateway. I want to attach a custom domain to my api so I can use api.findtechjobs.io. In the console, I can see I have a custom domain attached, however I always get a 403 response when using my custom domain.
Below is the following AWS CDK Stack I am using to create my API Gateway attached with a single lambda function.
AWS CDK deploys well, however, when I attempt to make a POST request to https://api.findtechjobs.io/search AWS returns a 403 Forbidden response. I don't have a VPC, WAF, or an API key for this endpoint.
I am very uncertain why my custom domain is returning a 403 response. I have been reading a lot of documentation, and used answers from other questions and I still can't figure out what I am doing wrong.
How can I associate api.findtechjobs.io to my API Gateway well using AWS CDK?
export class HostingStack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props: cdk.StackProps) {
super(scope, id, props)
const zonefindtechjobsio = route53.HostedZone.fromLookup(this, 'findtechjobs.io', {
domainName: 'findtechjobs.io'
});
const certificate = new acm.Certificate(this, 'APICertificate', {
domainName: 'findtechjobs.io',
subjectAlternativeNames: ['api.findtechjobs.io'],
validation: acm.CertificateValidation.fromDns(zonefindtechjobsio),
});
const api = this.buildAPI(certificate)
new route53.ARecord( this, "AliasRecord api.findtechjobs.io", {
zone: zonefindtechjobsio,
recordName: `api`,
target: route53.RecordTarget.fromAlias(new route53targets.ApiGateway(api)),
});
}
private buildAPI(certificate: acm.Certificate) {
// API
const api = new apigateway.RestApi(this, "techjobapi", {
domainName: {
domainName: 'findtechjobs.io',
certificate: certificate
},
defaultCorsPreflightOptions: {
allowOrigins: apigateway.Cors.ALL_ORIGINS, // TODO limit this when you go to prod
},
deploy: true,
deployOptions: {
stageName: 'dev',
},
endpointTypes: [apigateway.EndpointType.REGIONAL]
});
const searchResource = api.root.addResource("search", {
defaultMethodOptions: {
operationName: "Search",
},
});
searchResource.addMethod(
"POST",
new apigateway.LambdaIntegration(new lambda.Function(this, "SearchLambda", {
runtime: lambda.Runtime.GO_1_X,
handler: "main",
code: lambda.Code.fromAsset(path.resolve("..", "search", "main.zip")),
environment: {
DB_NAME: "...",
DB_CONNECTION:"...",
},
})),
{
operationName: "search",
}
);
return api;
}
}

Same problem. After some struggle. I found out that the problem may lay in the DNS. Cause my domain was transferred from another registrar. The name server is not changed. After I change them to AWS dns it worked. But I can't 100% sure.
And I found out that the default API gateway domain(d-lb4byzxxx.execute-api.ap-east-1.amazonaws.com ) is always in 403 forbidden state.

AWS CDK - How to setup Cognito User Pool with "Authorization Code" flow

I'm currently trying to create an Amazon Cognito User Pool with OAuth flow "Authorization Code" via the AWS CDK as described in the documentation aws-cognito module.
Here is the typescript code of my stack:
import * as cdk from '#aws-cdk/core';
import { UserPool, VerificationEmailStyle, OAuthScope } from '#aws-cdk/aws-cognito';
import { Duration } from '#aws-cdk/core';
export class UserPoolStack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const userPool = new UserPool(this, 'stackoverflow-userpool', {
userPoolName: 'stackoverflow-userpool',
selfSignUpEnabled: true,
signInCaseSensitive: false,
userVerification: {
emailSubject: 'Verify your email!',
emailBody: 'Hello, Thanks for signing up! {##Verify Email##}',
emailStyle: VerificationEmailStyle.LINK
},
signInAliases: {
username: true,
email: true
},
requiredAttributes: {
email: true
},
passwordPolicy: {
minLength: 12,
requireLowercase: true,
requireUppercase: true,
requireDigits: true,
requireSymbols: true,
tempPasswordValidity: Duration.days(7)
}
});
const client = userPool.addClient('stackoverflow-userpool-localhost-client', {
userPoolClientName: 'stackoverflow-localhost-client',
oAuth: {
flows: { authorizationCodeGrant: true },
scopes: [OAuthScope.OPENID],
callbackUrls: ['http://localhost:4200/callback']
}
});
userPool.addDomain('stackoverflow-userpool-domain-prefix', {
cognitoDomain: {
domainPrefix: 'stackoverflow'
}
});
}
}
For whatever reason my "Cognito User Pool" is not enabled as an "Identity Provider" in my "App client". (see screenshot)
Is my configuration wrong? I can't find any property that would enable this.
Is it a bug or because the module is still experimental? What confuses me is why would they describe how to set up the "Authorization Code" flow in the documentation if it doesn't work...

at the present date, looks good and worked for me. Maybe an old version of aws-cdk? In any case, you can explicitly enable Cognito User Pool on the client
const client = userPool.addClient('stackoverflow-userpool-localhost-client', {
userPoolClientName: 'stackoverflow-localhost-client',
oAuth: {
flows: { authorizationCodeGrant: true },
scopes: [OAuthScope.OPENID],
callbackUrls: ['http://localhost:4200/callback']
},
supportedIdentityProviders: [
UserPoolClientIdentityProvider.AMAZON,
UserPoolClientIdentityProvider.COGNITO,
]
});

How do I generate an IAM service specific credential using aws cdk?

I'm trying to figure out how to generate Service Specific Credentials for an IAM User with the AWS CDK.
I can see how to achieve this from:
Admin Console: IAM > Users > Security credentials:
HTTPS Git credentials for AWS CodeCommit, and
Credentials for Amazon Managed Apache Cassandra Service (MCS)
API: CreateServiceSpecificCredential
CLI: create-service-specific-credential
However I can't see how to achieve this with the AWS CDK (or from Cloud Formation for that matter).
If this is not currently supported from the CDK then what would be the recommended approach?

Building on what #JeffreyGoines replied above, a Construct calling CreateServiceSpecificCredential:
export class CodeCommitGitCredentialsProps {
userName: string
}
export class CodeCommitGitCredentials extends Construct {
readonly serviceSpecificCredentialId: string;
readonly serviceName: string;
readonly serviceUserName: string;
readonly servicePassword: string;
readonly status: string;
constructor(scope: Construct, id: string, props: CodeCommitGitCredentialsProps) {
super(scope, id);
// Create the Git Credentials required
const gitCredResp = new AwsCustomResource(this, "gitCredentials", {
// https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html#createServiceSpecificCredential-property
onCreate: {
service: "IAM",
action: "createServiceSpecificCredential",
parameters: {
ServiceName: "codecommit.amazonaws.com",
UserName: props.userName
},
physicalResourceId: PhysicalResourceId.fromResponse("ServiceSpecificCredential.ServiceSpecificCredentialId")
},
// https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html#deleteServiceSpecificCredential-property
onDelete: {
service: "IAM",
action: "deleteServiceSpecificCredential",
parameters: {
ServiceSpecificCredentialId: new PhysicalResourceIdReference(),
UserName: props.userName
}
},
policy: AwsCustomResourcePolicy.fromSdkCalls({
resources: AwsCustomResourcePolicy.ANY_RESOURCE,
}),
});
this.serviceSpecificCredentialId = gitCredResp.getResponseField("ServiceSpecificCredential.ServiceSpecificCredentialId");
this.serviceName = gitCredResp.getResponseField("ServiceSpecificCredential.ServiceName");
this.serviceUserName = gitCredResp.getResponseField("ServiceSpecificCredential.ServiceUserName");
this.servicePassword = gitCredResp.getResponseField("ServiceSpecificCredential.ServicePassword");
this.status = gitCredResp.getResponseField("ServiceSpecificCredential.Status");
}
}
And a usage example:
// User created for Git Push/Pull
this.user = new User(this, `codeCommitGitMirrorUser`, {
userName: `${props.repository.repositoryName}-GitMirrorUser`
});
props.repository.grantPullPush(this.user);
this.gitCredentials = new CodeCommitGitCredentials(this, "codeCommitGitCredentials", {
userName: this.user.userName
});

AWS Appsync 401 and 403 errors in React Native

I've been pulling out my hair trying to set Appsync and Cognito in my React Native app.
I've tried the two following ways:
Amplify.configure(config);
OR
Amplify.configure({
Auth: {
region: config.aws_cognito_region, // REQUIRED - Amazon Cognito Region
userPoolId: config.aws_user_pools_id, // OPTIONAL - Amazon Cognito User Pool ID
userPoolWebClientId: config.aws_user_pools_web_client_id, // User Pool App Client ID
},
});
AND
const client = new AWSAppSyncClient({
url: appSyncConfig.graphqlEndpoint,
region: appSyncConfig.region,
auth: {
type: appSyncConfig.authType,
jwtToken: async () => (await Auth.currentSession()).getIdToken().getJwtToken(),
},
});
OR
const client = new AWSAppSyncClient({
url: appSyncConfig.graphqlEndpoint,
region: appSyncConfig.region,
auth: {
type: appSyncConfig.authType,
apiKey: appSyncConfig.apiKey,
},
});
I've also followed these two tutorials Tackling user auth, Building a notes app.
In both cases, I get the following error in GraphQL with no description:
Error: Network error: Response not successful: Received status code
This is while in Authorization Type is Amazon Cognito User Pool. I've also tried AWS Identity and Access Management (IAM), but that gives me a 403 error. Can someone point me in a direction where I can debug this further?

It might be caused a typo in the docs / article you've read. Trying replacing :
auth: {
type: appSyncConfig.authType,
apiKey: appSyncConfig.apiKey
}
with :
auth: {
type: appSyncConfig.authenticationType,
apiKey: appSyncConfig.apiKey
}

I have the following code and its working for me:
import Amplify, { Auth } from 'aws-amplify';
import API, { graphqlOperation } from '#aws-amplify/api'
window.LOG_LEVEL = 'DEBUG';
Amplify.configure({
Auth: {
"identityPoolId":'ap-southeast-1:xxxxxx',
"mandatorySignIn": false,
"region": "ap-southeast-1",
"userPoolId": "ap-southeast-1_xxxx",
"userPoolWebClientId": "xxxxxxx"
},
API:{
"aws_appsync_graphqlEndpoint": 'https://xxxx.ap-southeast-1.amazonaws.com/graphql',
"aws_appsync_region": 'ap-southwest-1',
"aws_appsync_authenticationType": 'AMAZON_COGNITO_USER_POOLS',
"aws_appsync_apiKey": 'null',
}
});