feat: refresh token rotation (#14427)

* feat: add GetTokensFromRefreshToken service clients

* feat: use GetTokensFromRefreshToken instead of initiateAuth to refresh tokens

* test: update tests for refreshing tokens

* chore: add GetTokensFromRefreshToken to dts-bundler

Author: soberm

packages/auth/__tests__/providers/cognito/refreshToken.test.ts

@@ -6,7 +6,7 @@ import {
 	oAuthTokenRefreshException,
 	tokenRefreshException,
 } from '../../../src/providers/cognito/utils/types';
-import { createInitiateAuthClient } from '../../../src/foundation/factories/serviceClients/cognitoIdentityProvider';
+import { createGetTokensFromRefreshTokenClient } from '../../../src/foundation/factories/serviceClients/cognitoIdentityProvider';
 import { createCognitoUserPoolEndpointResolver } from '../../../src/providers/cognito/factories';
 
 import { mockAccessToken, mockRequestId } from './testUtils/data';
@@ -16,35 +16,37 @@ jest.mock(
 );
 jest.mock('../../../src/providers/cognito/factories');
 
-const mockCreateInitiateAuthClient = jest.mocked(createInitiateAuthClient);
+const mockCreateGetTokensFromRefreshTokenClient = jest.mocked(
+	createGetTokensFromRefreshTokenClient,
+);
 const mockCreateCognitoUserPoolEndpointResolver = jest.mocked(
 	createCognitoUserPoolEndpointResolver,
 );
 
 describe('refreshToken', () => {
 	const mockedUsername = 'mockedUsername';
 	const mockedRefreshToken = 'mockedRefreshToken';
-	const mockInitiateAuth = jest.fn();
+	const mockGetTokensFromRefreshToken = jest.fn();
 
 	beforeEach(() => {
-		mockCreateInitiateAuthClient.mockReturnValueOnce(mockInitiateAuth);
+		mockCreateGetTokensFromRefreshTokenClient.mockReturnValueOnce(
+			mockGetTokensFromRefreshToken,
+		);
 	});
 
 	afterEach(() => {
-		mockCreateInitiateAuthClient.mockClear();
 		mockCreateCognitoUserPoolEndpointResolver.mockClear();
 	});
 
 	describe('positive cases', () => {
 		beforeEach(() => {
-			mockInitiateAuth.mockResolvedValue({
+			mockGetTokensFromRefreshToken.mockResolvedValue({
 				AuthenticationResult: {
 					AccessToken: mockAccessToken,
 					ExpiresIn: 3600,
 					IdToken: mockAccessToken,
 					TokenType: 'Bearer',
 				},
-				ChallengeParameters: {},
 				$metadata: {
 					attempts: 1,
 					httpStatusCode: 200,
@@ -54,7 +56,7 @@ describe('refreshToken', () => {
 		});
 
 		afterEach(() => {
-			mockInitiateAuth.mockReset();
+			mockGetTokensFromRefreshToken.mockReset();
 		});
 
 		it('should refresh token', async () => {
@@ -86,54 +88,13 @@ describe('refreshToken', () => {
 			expect(JSON.parse(JSON.stringify(response))).toMatchObject(
 				JSON.parse(JSON.stringify(expectedOutput)),
 			);
-			expect(mockInitiateAuth).toHaveBeenCalledWith(
-				expect.objectContaining({ region: 'us-east-1' }),
-				expect.objectContaining({
-					ClientId: 'aaaaaaaaaaaa',
-					AuthFlow: 'REFRESH_TOKEN_AUTH',
-					AuthParameters: {
-						REFRESH_TOKEN: mockedRefreshToken,
-					},
-				}),
-			);
-		});
-
-		it('should send UserContextData', async () => {
-			(window as any).AmazonCognitoAdvancedSecurityData = {
-				getData() {
-					return 'abcd';
-				},
-			};
-			await refreshAuthTokens({
-				username: 'username',
-				tokens: {
-					accessToken: decodeJWT(
-						'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MTAyOTMxMzB9.YzDpgJsrB3z-ZU1XxMcXSQsMbgCzwH_e-_76rnfehh0',
-					),
-					idToken: decodeJWT(
-						'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE3MTAyOTMxMzB9.YzDpgJsrB3z-ZU1XxMcXSQsMbgCzwH_e-_76rnfehh0',
-					),
-					clockDrift: 0,
-					refreshToken: 'refreshtoken',
-					username: 'username',
-				},
-				authConfig: {
-					Cognito: {
-						userPoolId: 'us-east-1_aaaaaaa',
-						userPoolClientId: 'aaaaaaaaaaaa',
-					},
-				},
-			});
-			expect(mockInitiateAuth).toHaveBeenCalledWith(
+			expect(mockGetTokensFromRefreshToken).toHaveBeenCalledWith(
 				expect.objectContaining({ region: 'us-east-1' }),
 				expect.objectContaining({
-					AuthFlow: 'REFRESH_TOKEN_AUTH',
-					AuthParameters: { REFRESH_TOKEN: 'refreshtoken' },
 					ClientId: 'aaaaaaaaaaaa',
-					UserContextData: { EncodedData: 'abcd' },
+					RefreshToken: mockedRefreshToken,
 				}),
 			);
-			(window as any).AmazonCognitoAdvancedSecurityData = undefined;
 		});
 
 		it('invokes mockCreateCognitoUserPoolEndpointResolver with expected parameters', async () => {
@@ -164,7 +125,7 @@ describe('refreshToken', () => {
 			expect(mockCreateCognitoUserPoolEndpointResolver).toHaveBeenCalledWith({
 				endpointOverride: expectedParam,
 			});
-			expect(mockCreateInitiateAuthClient).toHaveBeenCalledWith({
+			expect(mockCreateGetTokensFromRefreshTokenClient).toHaveBeenCalledWith({
 				endpointResolver: expectedEndpointResolver,
 			});
 		});
@@ -174,13 +135,13 @@ describe('refreshToken', () => {
 		const mockedError = new Error('Refresh Token has expired');
 		mockedError.name = 'NotAuthorizedException';
 		beforeEach(() => {
-			mockInitiateAuth.mockImplementationOnce(() => {
+			mockGetTokensFromRefreshToken.mockImplementationOnce(() => {
 				throw mockedError;
 			});
 		});
 
 		afterEach(() => {
-			mockInitiateAuth.mockReset();
+			mockGetTokensFromRefreshToken.mockReset();
 		});
 
 		it('should throw an exception when refresh_token is not available', async () => {

packages/auth/src/foundation/factories/serviceClients/cognitoIdentityProvider/createGetTokensFromRefreshTokenClient.ts

@@ -0,0 +1,31 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { composeServiceApi } from '@aws-amplify/core/internals/aws-client-utils/composers';
+
+import {
+	GetTokensFromRefreshTokenCommandInput,
+	GetTokensFromRefreshTokenCommandOutput,
+	ServiceClientFactoryInput,
+} from './types';
+import {
+	createUserPoolDeserializer,
+	createUserPoolSerializer,
+} from './shared/serde';
+import { cognitoUserPoolTransferHandler } from './shared/handler';
+import { DEFAULT_SERVICE_CLIENT_API_CONFIG } from './constants';
+
+export const createGetTokensFromRefreshTokenClient = (
+	config: ServiceClientFactoryInput,
+) =>
+	composeServiceApi(
+		cognitoUserPoolTransferHandler,
+		createUserPoolSerializer<GetTokensFromRefreshTokenCommandInput>(
+			'GetTokensFromRefreshToken',
+		),
+		createUserPoolDeserializer<GetTokensFromRefreshTokenCommandOutput>(),
+		{
+			...DEFAULT_SERVICE_CLIENT_API_CONFIG,
+			...config,
+		},
+	);

packages/auth/src/foundation/factories/serviceClients/cognitoIdentityProvider/index.ts

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 export { createInitiateAuthClient } from './createInitiateAuthClient';
+export { createGetTokensFromRefreshTokenClient } from './createGetTokensFromRefreshTokenClient';
 export { createRevokeTokenClient } from './createRevokeTokenClient';
 export { createSignUpClient } from './createSignUpClient';
 export { createConfirmSignUpClient } from './createConfirmSignUpClient';

packages/auth/src/foundation/factories/serviceClients/cognitoIdentityProvider/shared/serde/createUserPoolSerializer.ts

@@ -13,6 +13,7 @@ type ClientOperation =
 	| 'ForgotPassword'
 	| 'ConfirmForgotPassword'
 	| 'InitiateAuth'
+	| 'GetTokensFromRefreshToken'
 	| 'RespondToAuthChallenge'
 	| 'ResendConfirmationCode'
 	| 'VerifySoftwareToken'

packages/auth/src/foundation/factories/serviceClients/cognitoIdentityProvider/types/sdk.ts

@@ -408,6 +408,99 @@ declare namespace DeleteUserAttributesResponse {
 	 */
 	const filterSensitiveLog: (obj: DeleteUserAttributesResponse) => any;
 }
+
+/**
+ * @public
+ *
+ * The input for {@link GetTokensFromRefreshTokenCommand}.
+ */
+export interface GetTokensFromRefreshTokenCommandInput
+	extends GetTokensFromRefreshTokenRequest {}
+/**
+ * @public
+ *
+ * The output of {@link GetTokensFromRefreshTokenCommand}.
+ */
+export interface GetTokensFromRefreshTokenCommandOutput
+	extends GetTokensFromRefreshTokenResponse,
+		__MetadataBearer {}
+/**
+ * @public
+ */
+export interface GetTokensFromRefreshTokenRequest {
+	/**
+	 * <p>A valid refresh token that can authorize the request for new tokens. When refresh
+	 *             token rotation is active in the requested app client, this token is invalidated after
+	 *             the request is complete.</p>
+	 * @public
+	 */
+	RefreshToken: string | undefined;
+	/**
+	 * <p>The app client that issued the refresh token to the user who wants to request new
+	 *             tokens.</p>
+	 * @public
+	 */
+	ClientId: string | undefined;
+	/**
+	 * <p>The client secret of the requested app client, if the client has a secret.</p>
+	 * @public
+	 */
+	ClientSecret?: string | undefined;
+	/**
+	 * <p>When you enable device remembering, Amazon Cognito issues a device key that you can use for
+	 *             device authentication that bypasses multi-factor authentication (MFA). To implement
+	 *                 <code>GetTokensFromRefreshToken</code> in a user pool with device remembering, you
+	 *             must capture the device key from the initial authentication request. If your application
+	 *             doesn't provide the key of a registered device, Amazon Cognito issues a new one. You must
+	 *             provide the confirmed device key in this request if device remembering is
+	 *             enabled in your user pool.</p>
+	 *          <p>For more information about device remembering, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with devices</a>.</p>
+	 * @public
+	 */
+	DeviceKey?: string | undefined;
+	/**
+	 * <p>A map of custom key-value pairs that you can provide as input for certain custom
+	 *             workflows that this action triggers.</p>
+	 *          <p>You create custom workflows by assigning Lambda functions to user pool triggers.
+	 *             When you use the <code>GetTokensFromRefreshToken</code> API action, Amazon Cognito invokes the
+	 *             Lambda function the pre token generation trigger.</p>
+	 *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
+	 * Using Lambda triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
+	 *          <note>
+	 *             <p>When you use the <code>ClientMetadata</code> parameter, note that Amazon Cognito won't do the
+	 *                 following:</p>
+	 *             <ul>
+	 *                <li>
+	 *                   <p>Store the <code>ClientMetadata</code> value. This data is available only
+	 *                         to Lambda triggers that are assigned to a user pool to support custom
+	 *                         workflows. If your user pool configuration doesn't include triggers, the
+	 *                         <code>ClientMetadata</code> parameter serves no purpose.</p>
+	 *                </li>
+	 *                <li>
+	 *                   <p>Validate the <code>ClientMetadata</code> value.</p>
+	 *                </li>
+	 *                <li>
+	 *                   <p>Encrypt the <code>ClientMetadata</code> value. Don't send sensitive
+	 *                         information in this parameter.</p>
+	 *                </li>
+	 *             </ul>
+	 *          </note>
+	 * @public
+	 */
+	ClientMetadata?: Record<string, string> | undefined;
+}
+/**
+ * @public
+ */
+export interface GetTokensFromRefreshTokenResponse {
+	/**
+	 * <p>The object that your application receives after authentication. Contains tokens and
+	 *             information for device authentication.</p>
+	 * @public
+	 */
+	AuthenticationResult?: AuthenticationResultType | undefined;
+}
+
 /**
  * <p>An Amazon Pinpoint analytics endpoint.</p>
  *         <p>An endpoint uniquely identifies a mobile device, email address, or phone number that can receive messages from Amazon Pinpoint analytics.</p>

packages/auth/src/providers/cognito/utils/refreshAuthTokens.ts

@@ -12,10 +12,8 @@ import { CognitoAuthTokens, TokenRefresher } from '../tokenProvider/types';
 import { getRegionFromUserPoolId } from '../../../foundation/parsers';
 import { assertAuthTokensWithRefreshToken } from '../utils/types';
 import { AuthError } from '../../../errors/AuthError';
-import { createInitiateAuthClient } from '../../../foundation/factories/serviceClients/cognitoIdentityProvider';
 import { createCognitoUserPoolEndpointResolver } from '../factories';
-
-import { getUserContextData } from './userContextData';
+import { createGetTokensFromRefreshTokenClient } from '../../../foundation/factories/serviceClients/cognitoIdentityProvider';
 
 const refreshAuthTokensFunction: TokenRefresher = async ({
 	tokens,
@@ -30,34 +28,19 @@ const refreshAuthTokensFunction: TokenRefresher = async ({
 	const { userPoolId, userPoolClientId, userPoolEndpoint } = authConfig.Cognito;
 	const region = getRegionFromUserPoolId(userPoolId);
 	assertAuthTokensWithRefreshToken(tokens);
-	const refreshTokenString = tokens.refreshToken;
-
-	const AuthParameters: Record<string, string> = {
-		REFRESH_TOKEN: refreshTokenString,
-	};
-	if (tokens.deviceMetadata?.deviceKey) {
-		AuthParameters.DEVICE_KEY = tokens.deviceMetadata.deviceKey;
-	}
-
-	const UserContextData = getUserContextData({
-		username,
-		userPoolId,
-		userPoolClientId,
-	});
 
-	const initiateAuth = createInitiateAuthClient({
+	const getTokensFromRefreshToken = createGetTokensFromRefreshTokenClient({
 		endpointResolver: createCognitoUserPoolEndpointResolver({
 			endpointOverride: userPoolEndpoint,
 		}),
 	});
 
-	const { AuthenticationResult } = await initiateAuth(
+	const { AuthenticationResult } = await getTokensFromRefreshToken(
 		{ region },
 		{
 			ClientId: userPoolClientId,
-			AuthFlow: 'REFRESH_TOKEN_AUTH',
-			AuthParameters,
-			UserContextData,
+			RefreshToken: tokens.refreshToken,
+			DeviceKey: tokens.deviceMetadata?.deviceKey,
 		},
 	);
 
@@ -79,7 +62,7 @@ const refreshAuthTokensFunction: TokenRefresher = async ({
 		accessToken,
 		idToken,
 		clockDrift,
-		refreshToken: refreshTokenString,
+		refreshToken: AuthenticationResult?.RefreshToken ?? tokens.refreshToken,
 		username,
 	};
 };