feat(cognito): integrate OpenID Connect discovery for improved OAuth flow

kilakewe · web-flow · commit 7a01cc3edc01 · 2024-12-13T12:08:43.000+01:00
* feat(cognito): integrate OpenID Connect discovery for improved OAuth flow

* feat(cognito): enhance OAuth flow by including client secret in discovery process

* chore: update lockfile
diff --git a/package.json b/package.json
@@ -42,6 +42,7 @@
     "hookable": "^5.5.3",
     "ofetch": "^1.4.1",
     "ohash": "^1.1.4",
+    "openid-client": "^6.1.4",
     "pathe": "^1.1.2",
     "scule": "^1.3.0",
     "uncrypto": "^0.1.3"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/runtime/server/lib/oauth/cognito.ts b/src/runtime/server/lib/oauth/cognito.ts
@@ -1,10 +1,11 @@
+import type { OAuthConfig } from '#auth-utils'
+import { useRuntimeConfig } from '#imports'
+import { defu } from 'defu'
 import type { H3Event } from 'h3'
 import { eventHandler, getQuery, sendRedirect } from 'h3'
+import { discovery } from 'openid-client'
 import { withQuery } from 'ufo'
-import { defu } from 'defu'
-import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken } from '../utils'
-import { useRuntimeConfig } from '#imports'
-import type { OAuthConfig } from '#auth-utils'
+import { getOAuthRedirectURL, handleAccessTokenErrorResponse, handleMissingConfiguration, requestAccessToken } from '../utils'
 
 export interface OAuthCognitoConfig {
   /**
@@ -42,11 +43,6 @@ export interface OAuthCognitoConfig {
    * @default process.env.NUXT_OAUTH_COGNITO_REDIRECT_URL or current URL
    */
   redirectURL?: string
-  /**
-   * AWS Cognito App Custom Domain – some pool configurations require this
-   * @default ''
-   */
-  domain?: string
 }
 
 export function defineOAuthCognitoEventHandler({ config, onSuccess, onError }: OAuthConfig<OAuthCognitoConfig>) {
@@ -59,11 +55,16 @@ export function defineOAuthCognitoEventHandler({ config, onSuccess, onError }: O
       return handleMissingConfiguration(event, 'cognito', ['clientId', 'clientSecret', 'userPoolId', 'region'], onError)
     }
 
-    const urlBase = config?.domain || `${config.userPoolId}.auth.${config.region}.amazoncognito.com`
-
-    const authorizationURL = `https://${urlBase}/oauth2/authorize`
-    const tokenURL = `https://${urlBase}/oauth2/token`
-
+    const congitoDiscoveryUrl = new URL(`https://cognito-idp.${config.region}.amazonaws.com/${config.userPoolId}/.well-known/openid-configuration`)
+    const issuer = await discovery(congitoDiscoveryUrl, config.clientId, config.clientSecret)
+    const {
+      authorization_endpoint: authorizationURL,
+      token_endpoint: tokenURL,
+      userinfo_endpoint: userinfoURL,
+      // TODO: implement logout
+      // eslint-disable-next-line @typescript-eslint/no-unused-vars
+      end_session_endpoint: logoutURL,
+    } = issuer.serverMetadata()
     const query = getQuery<{ code?: string }>(event)
     const redirectURL = config.redirectURL || getOAuthRedirectURL(event)
 
@@ -101,9 +102,8 @@ export function defineOAuthCognitoEventHandler({ config, onSuccess, onError }: O
 
     const tokenType = tokens.token_type
     const accessToken = tokens.access_token
-    // TODO: improve typing
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    const user: any = await $fetch(`https://${urlBase}/oauth2/userInfo`, {
+    // TODO: improve typing of user profile
+    const user: unknown = await $fetch(userinfoURL as string, {
       headers: {
         Authorization: `${tokenType} ${accessToken}`,
       },
