feat(client-secret): Add example on how to use client secret (#4)

Author: mcharytoniuk

README.md

@@ -15,14 +15,31 @@ This example code demonstrates how to use AWS Cognito with AWS Go SDK in a form
 
 In order this solution to work, you need to have AWS credentials configured (file `.aws/configuration` exists) and User Pool created in AWS Console. You have to disable "Remember device" and enable "Sms second-factor" on authentication tab.
 
-You will also need to create App Client in User Pool without "Generate Secret Key" checkbox. When the app client is created, in it's settings select "Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)".
+When the app client is created, in it's settings select "Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)".
+
+It's possible to use go sdk with client secret. You can read a bit more about generating client secrets here:
+https://dev.to/mcharytoniuk/using-aws-cognito-app-client-secret-hash-with-go-8ld
 
 ## Build
 
 ```go
 go build -o ./build/cognito
+```
+
+## Run
 
+Without client secret:
+
+```go
 AWS_PROFILE=XXX COGNITO_APP_CLIENT_ID=XXX COGNITO_USER_POOL_ID=XXX PORT=8080 ./build/cognito
 ```
 
-Visit http://localhost:8080/ to see the list of available pages.
+With client secret:
+
+```go
+AWS_PROFILE=XXX COGNITO_APP_CLIENT_ID=XXX COGNITO_APP_CLIENT_SECRET=XXX  COGNITO_USER_POOL_ID=XXX PORT=8080 ./build/cognito
+```
+
+It's worth noting that in production environment you should not pass client secrets this way because with adequate permissions it's possible to read environmental variables of a running process. Also if you call a command that way, secret hash will be stored in your shell history. You should keep those issues in mind and mitigate them in your enviroment.
+
+Visit http://localhost:8080/ to see the list of available pages.

app/app.go

@@ -6,7 +6,8 @@ import (
 
 // App holds internals for auth flow.
 type App struct {
-	CognitoClient *cognito.CognitoIdentityProvider
-	UserPoolID    string
-	AppClientID   string
+	CognitoClient   *cognito.CognitoIdentityProvider
+	UserPoolID      string
+	AppClientID     string
+	AppClientSecret string
 }

app/login.go

@@ -1,6 +1,11 @@
 package app
 
 import (
+	// Those imports are required to compute the secret hash.
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+
 	"fmt"
 	"net/http"
 
@@ -12,6 +17,17 @@ import (
 const flowUsernamePassword = "USER_PASSWORD_AUTH"
 const flowRefreshToken = "REFRESH_TOKEN_AUTH"
 
+// Secret hash is not a client secret itself, but a base64 encoded hmac-sha256
+// hash.
+// The actual AWS documentation on how to compute this hash is here:
+// https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
+func computeSecretHash(clientSecret string, username string, clientId string) string {
+	mac := hmac.New(sha256.New, []byte(clientSecret))
+	mac.Write([]byte(username + clientId))
+
+	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
+}
+
 // Login handles login scenario.
 func (a *App) Login(w http.ResponseWriter, r *http.Request) {
 	r.ParseForm()
@@ -27,6 +43,13 @@ func (a *App) Login(w http.ResponseWriter, r *http.Request) {
 		"PASSWORD": aws.String(password),
 	}
 
+	// Compute secret hash based on client secret.
+	if a.AppClientSecret != "" {
+		secretHash := computeSecretHash(a.AppClientSecret, username, a.AppClientID)
+
+		params["SECRET_HASH"] = aws.String(secretHash)
+	}
+
 	if refresh != "" {
 		flow = aws.String(flowRefreshToken)
 		params = map[string]*string{

main.go

@@ -59,9 +59,10 @@ func main() {
 	}
 
 	example := app.App{
-		CognitoClient: cognito.New(sess),
-		UserPoolID:    os.Getenv("COGNITO_USER_POOL_ID"),
-		AppClientID:   os.Getenv("COGNITO_APP_CLIENT_ID"),
+		CognitoClient:   cognito.New(sess),
+		UserPoolID:      os.Getenv("COGNITO_USER_POOL_ID"),
+		AppClientID:     os.Getenv("COGNITO_APP_CLIENT_ID"),
+		AppClientSecret: os.Getenv("COGNITO_APP_CLIENT_SECRET"),
 	}
 
 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {