capless / warrant

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0
468 stars, 192 forks

Checking the access token. #52

Open human39 opened 6 years ago

human39 commented 6 years ago

I'm working on a proof of concept with using cognito via warrant as the auth mechanism on a web app. I'm able to auth and logout as expected, but .check_token() is always returning False.

I'm looking for an easy way to verify the token is still valid when checking the session. Any pointers?

bjinwright commented 6 years ago

Are you using 0.4.0?

armicron commented 6 years ago

https://github.com/capless/warrant/blob/3d6aa8c84841a1c7183f702ed7b4ad993c1ff37a/warrant/__init__.py#L255-L258 False is returned when a token is not expired and doesn't need to be renewed. True is returned when a token was renewed.

human39 commented 6 years ago

@bjinwright oops, pip was installing 0.2.0 by default. I just updated to 0.4.0; same issue.

bjinwright commented 6 years ago

@human39 I think @armicron's answer explains it pretty well. What is your token expiration set to?

human39 commented 6 years ago

Thanks for the reply. Maybe I can illustrate what I'm doing.

This is the test code I'm working with.

from warrant import Cognito
import os
import pprint

os.environ['AWS_DEFAULT_REGION'] = "us-west-2"
os.environ['AWS_ACCESS_KEY_ID'] = "<snip>"
os.environ['AWS_SECRET_ACCESS_KEY'] = "<snip>"

poolid = '<snip>'
clientid = '<snip>'
user = '<snip>'
passwd = '<snip>'

# Login and keep the access token so it can be reused on a new Cognito object.
u = Cognito(poolid, clientid, username=user)
u.authenticate(password=passwd)
accesstoken = u.access_token

# Verify that we can get the user info with the fresh token.
user_info = u.get_user()
pprint.pprint(user_info)

# Reset everything.
u = None

# Reattach using only the access token, then log out (revokes the token).
u = Cognito(poolid, clientid, access_token=accesstoken)
u.logout()

# Reset everything.
u = None

# Reattach with the same, now revoked, token: this get_user() call raises.
u = Cognito(poolid, clientid, access_token=accesstoken)
user_info = u.get_user()

After logging out, the 'u.get_user()' fails with a message saying the token is revoked, which is what I expected. Looking to tie this in with a user's web session, I would like to have a method that I could call to see if the token is still valid. I guess I could just run a u.get_user() and then check the exception. I guess I was hoping there was another way.

Looks like I basically answered my own question, so I guess we can close this but I'm interested in hearing any ideas if anybody has them.
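The two observations in this thread, that check_token() reports only whether the token had to be renewed and that a logout revokes the token server-side, come down to the difference between a local expiry check and a server-side validity check. The following is an added example written for this page, not warrant's own code: it decodes a Cognito access token's JWT payload without verifying the signature, reports whether the token is past its exp claim (the same False/True semantics armicron describes for check_token), and includes a constructed unsigned token builder so it runs offline. The claim names (exp, token_use) are the standard Cognito claims; everything else is an assumption for the demo.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Return the payload claims of a compact JWT.

    The signature is NOT verified here. This is fine for deciding when to
    renew a token you already hold, but never for an authorization decision;
    that needs signature verification against the user pool's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_needs_renewal(token, now=None, leeway=0):
    """Local mirror of the semantics described in the thread.

    Returns False while the token is inside its lifetime and True once it has
    expired (or will within `leeway` seconds) and must be renewed.

    Caveat: a token revoked by logout still looks valid here, because
    revocation is server-side state. Only a call to Cognito (e.g. get_user())
    reveals that.
    """
    claims = jwt_claims(token)
    if claims.get("token_use") != "access":
        raise ValueError("expected a Cognito access token (token_use == 'access')")
    now = time.time() if now is None else now
    return now + leeway >= claims["exp"]


def make_unsigned_token(claims):
    """Build a constructed, unsigned (alg 'none') token for offline testing.

    Real Cognito tokens are RS256-signed; this helper exists only so the demo
    has something to parse without talking to AWS.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "none", "typ": "JWT"}
    return "{}.{}.".format(enc(header), enc(claims))


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed "current time" for a reproducible demo
    fresh = make_unsigned_token({"token_use": "access", "exp": NOW + 3600, "sub": "constructed-sub"})
    stale = make_unsigned_token({"token_use": "access", "exp": NOW - 60, "sub": "constructed-sub"})
    print("fresh token needs renewal:", token_needs_renewal(fresh, now=NOW))
    print("stale token needs renewal:", token_needs_renewal(stale, now=NOW))
    print("fresh token, 1h leeway:", token_needs_renewal(fresh, now=NOW, leeway=3600))
```

For a web session this gives a cheap pre-check (skip the round trip while the token is clearly expired and renew instead), but the only authoritative answer to "is this token still valid" after a possible logout is the server's, which is why the get_user() call plus exception handling described above is the right check for revocation.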

bjinwright commented 6 years ago

We are working on something similar here on Issue #12 of the Capless framework. I will let you know what we find.