ArranJacques / laravel-aws-cognito-auth

An authentication driver for Laravel for authenticating users in AWS Cognito User Pools.

Laravel keeps checking for table users in the local database #1

Closed elmirb123 closed 7 years ago

elmirb123 commented 7 years ago

Hello,

I've been trying to set up the laravel-aws-cognito-auth to work with my project, but Auth::attempt() keeps searching for table users in the local database (I guess it is trying to verify user's details from there) instead of looking up the details through Cognito.

Also Auth::attempt() is failing for the user that is already stored in Cognito, and the details are correct for sure.

Do you maybe know what could be the cause of the issue?

Kind regards, Elmir

ArranJacques commented 7 years ago

In its current form this package still requires a users table as it's not actually getting any user details from the Cognito User Pool. All it does is try to authenticate a user in your users table with a user in a Cognito User Pool.

As an example you might have a users table that looks something like:

====================================================
|  id  |  email            |  f_name  |  l_name
====================================================
|  1   |  joe@example.com  |  Joe     |  Fraser
----------------------------------------------------
|  2   |  jane@example.com |  Jane    |  Smith

To authenticate these users using AWS Cognito you'd need to register them into your User Pool, setting their username as their email and their password as whatever you want.

Once registered in the User Pool and their account has been verified, if you were then to do

Auth::attempt([
    'email' => 'joe@example.com',
    'password' => 'xxxxxxxxxx',
]);

one of the first things that happens is that we try to retrieve the user from the users table. If we successfully retrieve the user then we try to authenticate that user with the Cognito User Pool using their email address and password. If they are successfully authenticated then the user is logged in.

After authenticating if you run Auth::user() you'll get a User model returned with the properties id, email, f_name, l_name.

If you are storing additional user details in your User Pool, for example let's say you also give them a telephone number, then that property won't be available on the User model as the package doesn't pull any user details from the User Pool. All it does is confirm a set of credentials authenticate with your User Pool, and then map that successful authentication back to a user in your users table.


As for why your users aren't authenticating, I'm guessing that you don't have a users table set up based on your comment? If you don't then create one. If you do then make sure the username-attribute value in the aws-cognito-auth.php is set correctly as this may be the issue.

I hope that helps.

elmirb123 commented 7 years ago

Thanks for a quick reply and the clarification.

I have created the table too but got an error (which was handled so I had to do some digging through your package):

exception 'Aws\CognitoIdentityProvider\Exception\CognitoIdentityProviderException' with message 'Error executing "AdminInitiateAuth" on "https://cognito-idp.us-east-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.us-east-1.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"NotAuthorizedException","message":"Unable to verify secret hash for client xxxxxxxxxxxxx"}
 NotAuthorizedException (client): Unable to verify secret hash for client xxxxxxxxxxxxxx- {"__type":"NotAuthorizedException","message":"Unable to verify secret hash for client xxxxxxxxxxxx"}'

I have found out that it seems that AWS demands some kind of SECRET_HASH forwarded to it. I have managed to solve it, I will update your package too and push it with a merge request if that is OK with you?

Regards

ArranJacques commented 7 years ago

I think it depends on how you set up your user pool as to whether you need the hash or not. For the project I wrote this package for I never needed the hash.

But in the interests of making this package more flexible than a few select use cases, yes, if you add that in and push a merge request that would be great, thanks.
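The "Unable to verify secret hash" error and the observation that it depends on the user pool setup, as an added example that is not part of the thread or of the package's own code: Cognito expects a `SECRET_HASH` auth parameter when the app client has a client secret, computed as Base64(HMAC-SHA256(client secret, username + client id)). The function names, the sample values and the `ADMIN_NO_SRP_AUTH` flow are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * SECRET_HASH for a Cognito app client that has a client secret:
 * HMAC-SHA256 keyed with the client secret over (username . clientId),
 * taken as raw bytes and then Base64-encoded.
 */
function cognitoSecretHash(string $username, string $clientId, string $clientSecret): string
{
    // Fourth argument true = raw binary digest; Cognito rejects a hex digest.
    return base64_encode(hash_hmac('sha256', $username . $clientId, $clientSecret, true));
}

/**
 * Build the AdminInitiateAuth request. SECRET_HASH is added only when the
 * app client has a secret; sending it for a secret-less client also fails.
 * (Hypothetical helper, not a function of the package.)
 */
function buildAdminInitiateAuthParams(
    string $username,
    string $password,
    string $userPoolId,
    string $clientId,
    ?string $clientSecret
): array {
    $authParameters = ['USERNAME' => $username, 'PASSWORD' => $password];

    if ($clientSecret !== null && $clientSecret !== '') {
        // The username hashed here must be byte-identical to USERNAME above.
        $authParameters['SECRET_HASH'] = cognitoSecretHash($username, $clientId, $clientSecret);
    }

    return [
        'AuthFlow'       => 'ADMIN_NO_SRP_AUTH', // assumed flow for this example
        'UserPoolId'     => $userPoolId,
        'ClientId'       => $clientId,
        'AuthParameters' => $authParameters,
    ];
}

// Constructed sample values; load the real secret from server-side config only.
$withSecret = buildAdminInitiateAuthParams(
    'joe@example.com', 'xxxxxxxxxx', 'us-east-1_EXAMPLE', 'exampleclientid', 'example-client-secret'
);
$withoutSecret = buildAdminInitiateAuthParams(
    'joe@example.com', 'xxxxxxxxxx', 'us-east-1_EXAMPLE', 'exampleclientid', null
);

// Either array can be passed to the AWS SDK client's adminInitiateAuth() call.
echo implode(',', array_keys($withSecret['AuthParameters'])), PHP_EOL;
echo implode(',', array_keys($withoutSecret['AuthParameters'])), PHP_EOL;
```

The client secret is the HMAC key, so it belongs in server-side configuration and should never be logged alongside the request parameters.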