Identify the authorized cognito user in the controller

iqre8 · November 26, 2020, 4:08pm

After succesfully connecting RubyOnJets with a Cognito Userpool, we are able to login and access the different controllers. However I would like to know which user performed which task for auditing and other purposes. e.g., You are allowed to request leave, but only for yourself (obviously I can specify the user client side, but that is a security risk).
It would be nice if this was available through
event[‘requestContext’][‘authorizer’][‘claims’][‘username’]
event[‘requestContext’][‘authorizer’][‘claims’][‘sub’]
I believe this needs to be done in the API Gateway

event[‘requestContext’] currently looks like:
requestContext: {
“resourceId”=>“nj9enj”,
“resourcePath”=>"/api/v1/client_requests",
“httpMethod”=>“POST”,
“extendedRequestId”=>“WnqQiEPpDoEFT2Q=”,
“requestTime”=>“26/Nov/2020:14:37:16 +0000”,
“path”=>"/prod/api/v1/client_requests",
“accountId”=>“643562242024”,
“protocol”=>“HTTP/1.1”,
“stage”=>“prod”,
“domainPrefix”=>“e7fab7qbp4”,
“requestTimeEpoch”=>1606401436942,
“requestId”=>“211a4eb1-3d1d-4052-9fa9-8fc0c0682056”,
“identity”: {
“cognitoIdentityPoolId”=>nil,
“accountId”=>nil,
“cognitoIdentityId”=>nil,
“caller”=>nil,
“sourceIp”=>“192.154.110.43”,
“principalOrgId”=>nil,
“accessKey”=>nil,
“cognitoAuthenticationType”=>nil,
“cognitoAuthenticationProvider”=>nil,
“userArn”=>nil,
“userAgent”=>“Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:84.0) Gecko/20100101 Firefox/84.0”,
“user”=>nil
},
“domainName”=>“e7fab7zbp4.execute-api.eu-west-1.amazonaws.com”,
“apiId”=>“e7fab7qbp4”
}

tim · December 2, 2020, 12:19pm

It doesn’t look like this request didn’t wasn’t authorized through Cognito.

cognitoIdentityPoolId”=>nil

did you specify an authorizer for the controller action that returned the above result?

(I also recommend censoring the domainName).

iqre8 · December 2, 2020, 5:10pm

Sorry, I seem to have forgotten that I had disabled it.
I found the data in
event[‘requestContext’][‘authorizer’][‘claims’][‘sub’]
event[‘requestContext’][‘authorizer’][‘claims’][‘cognito:username’]
event[‘requestContext’][‘authorizer’][‘claims’]['cognito:groups]

tim · December 3, 2020, 12:30am

Awesome! I use

event.dig(:requestContext, :authorizer, :claims, :sub)

to access the data.

iqre8 · December 4, 2020, 12:12pm

Cool, thanks.
That solves the issue of when event[‘requestContext’] would be nil
Do you have a way to add users/fetch a list of groups/users from cognito as well?
Or do I need to do the following

cognitoidentity = Aws::CognitoIdentity::Client.new(
  region: region_name,
  credentials: credentials,
  # ...
)

tim · December 4, 2020, 12:34pm

I mainly use the admin_ methods for my Cognito operations:
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Client.html

iqre8 · December 4, 2020, 2:43pm

Do you modify the i_am_role jets created or do you create a new one?
And do you create the client and how do you interact?

class GroupsController < ApplicationController
  authorizer "main#my_cognito"
  def index
    access_key_id ='foo'
    secret_access_key = 'secr3t'
    session_token = nil
    credentials = Aws::Credentials.new(access_key_id, secret_access_key, session_token)

    region_name = MainAuthorizer.cognito_authorizers.first.dig(:definition)["{namespace}_authorizer"].dig(:properties, :provider_arns).first.split('/')[1].split('_')[0]

    client = Aws::CognitoIdentityProvider::Client.new(
      region: region_name,
      credentials: credentials
    )
    pool_id='not_sure_which_is_the_id_yet'
    @response = client.list_groups(
      user_pool_id: pool_id
    )
    render json: @response
  end
end

tim · December 4, 2020, 2:56pm

I am not sure what you are trying to do in your code example. Is this an admin interface to manage users in your pool and group? I would leave that to the AWS console.