diff --git a/src/cognito-srp-helper.ts b/src/cognito-srp-helper.ts index a9eb7c1..1ffabcc 100644 --- a/src/cognito-srp-helper.ts +++ b/src/cognito-srp-helper.ts @@ -101,22 +101,22 @@ const createTimestamp = (): string => { return `${weekDay} ${month} ${day} ${time} UTC ${year}`; }; -export const createSecretHash = (username: string, clientId: string, secretId: string): string => { - const hmac = CryptoJS.HmacSHA256(`${username}${clientId}`, secretId); +export const createSecretHash = (userId: string, clientId: string, secretId: string): string => { + const hmac = CryptoJS.HmacSHA256(`${userId}${clientId}`, secretId); const secretHash = hmac.toString(CryptoJS.enc.Base64); return secretHash; }; -export const createPasswordHash = (username: string, password: string, poolId: string): string => { +export const createPasswordHash = (userId: string, password: string, poolId: string): string => { const poolIdAbbr = poolId.split("_")[1]; - const usernamePassword = `${poolIdAbbr}${username}:${password}`; + const usernamePassword = `${poolIdAbbr}${userId}:${password}`; const passwordHash = hash(usernamePassword); return passwordHash; }; -export const createSrpSession = (username: string, passwordHash: string, poolId: string): SrpSession => { +export const createSrpSession = (username: string, password: string, poolId: string, isHashed = true): SrpSession => { const poolIdAbbr = poolId.split("_")[1]; const timestamp = createTimestamp(); const smallA = generateSmallA(); @@ -124,8 +124,10 @@ export const createSrpSession = (username: string, passwordHash: string, poolId: return { username, + poolId, poolIdAbbr, - passwordHash, + password, + isHashed, timestamp, smallA: smallA.toString(16), largeA: largeA.toString(16), @@ -139,8 +141,14 @@ export const signSrpSession = (session: SrpSession, response: InitiateAuthRespon if (!response.ChallengeParameters.SECRET_BLOCK) throw new MissingSecretError(); if (!response.ChallengeParameters.SRP_B) throw new MissingLargeBError(); - const { SALT: salt, SECRET_BLOCK: secret, SRP_B: largeB } = response.ChallengeParameters; - const { username, poolIdAbbr, passwordHash, timestamp, smallA, largeA } = session; + const { + SALT: salt, + SECRET_BLOCK: secret, + SRP_B: largeB, + USER_ID_FOR_SRP: userIdForSrp, + } = response.ChallengeParameters; + const { poolId, poolIdAbbr, password, isHashed, timestamp, smallA, largeA } = session; + const passwordHash = isHashed ? password : createPasswordHash(userIdForSrp, password, poolId); // Check server public key isn't 0 if (largeB.replace(/^0+/, "") === "") throw new AbortOnZeroBSrpError(); @@ -154,7 +162,7 @@ export const signSrpSession = (session: SrpSession, response: InitiateAuthRespon const message = CryptoJS.lib.WordArray.create( Buffer.concat([ Buffer.from(poolIdAbbr, "utf8"), - Buffer.from(username, "utf8"), + Buffer.from(userIdForSrp, "utf8"), Buffer.from(secret, "base64"), Buffer.from(timestamp, "utf8"), ]), diff --git a/src/types.ts b/src/types.ts index 453c388..92feec7 100644 --- a/src/types.ts +++ b/src/types.ts @@ -171,8 +171,12 @@ export type Credentials = { export type SrpSession = { /** Username of the user. It is stored here for convenience when passing parameters into `computePasswordSignature` */ username: string; - /** Password hash generated using the users credentials */ - passwordHash: string; + /** Password used for authentication */ + password: string; + /** Flag indicating whether the password has already been hashed */ + isHashed: boolean; + /** Full un-abbreviated ID of the Cognito Userpool. Here it is the full ID that's used e.g. 'eu-west-2_abc123' */ + poolId: string; /** Abbreviated ID of the Cognito Userpool. Here it is just the succeeding ID that's used e.g. 'eu-west-2_abc123' becomes 'abc123' */ poolIdAbbr: string; /** Timestamp captured in the format requiree for Cogntio */