use crate::client::HttpClientExt;
use crate::error::ConnectError;
use crate::provider::Provider;
use crate::user::ConnectUser;
use async_trait::async_trait;
use serde_json::Value;
static DEFAULT_CLIENT: ::std::sync::LazyLock<::std::sync::Arc<dyn crate::client::HttpClient>> =
::std::sync::LazyLock::new(|| ::std::sync::Arc::new(crate::client::ReqwestClient::new()));
pub struct CognitoProvider {
client_id: String,
client_secret: String,
redirect_url: String,
domain: String,
http_client: ::std::sync::Arc<dyn crate::client::HttpClient>,
scopes: Vec<String>,
state: Option<String>,
pkce_challenge: Option<String>,
}
impl CognitoProvider {
pub fn new(
client_id: String,
client_secret: String,
redirect_url: String,
domain: String,
) -> Self {
let clean_domain = domain.trim_end_matches('/').to_string();
Self {
client_id,
client_secret,
redirect_url,
domain: clean_domain,
http_client: DEFAULT_CLIENT.clone(),
scopes: vec![
"openid".to_string(),
"profile".to_string(),
"email".to_string(),
],
state: None,
pkce_challenge: None,
}
}
pub fn with_scopes(mut self, scopes: &[&str]) -> Self {
self.scopes = scopes.iter().copied().map(String::from).collect();
self
}
pub fn with_state(mut self, state: &str) -> Self {
self.state = Some(state.to_owned());
self
}
pub fn with_pkce(mut self, challenge: &str) -> Self {
self.pkce_challenge = Some(challenge.to_owned());
self
}
pub fn with_http_client(
mut self,
client: ::std::sync::Arc<dyn crate::client::HttpClient>,
) -> Self {
self.http_client = client;
self
}
}
#[async_trait]
impl Provider for CognitoProvider {
fn redirect_url(&self) -> String {
let mut params = crate::provider::build_oauth_params(
&self.client_id,
&self.redirect_url,
&self.scopes,
self.state.as_deref(),
self.pkce_challenge.as_deref(),
);
format!("{}/oauth2/authorize?{}", self.domain, params.finish())
}
async fn get_user(
&self,
auth_code: &str,
) -> Result<crate::user::ConnectUser, crate::error::ConnectError> {
let token = crate::provider::fetch_access_token(
self.http_client.as_ref(),
&self.token_url(),
&self.client_id,
&self.client_secret,
auth_code,
&self.redirect_url,
)
.await?;
let mut user = self.get_user_from_token(&token.access_token).await?;
user.refresh_token = token.refresh_token;
user.expires_in = token.expires_in;
Ok(user)
}
async fn get_user_from_token(&self, access_token: &str) -> Result<ConnectUser, ConnectError> {
let user_res = self
.http_client
.get(format!("{}/oauth2/userInfo", self.domain))
.bearer_auth(access_token)
.send()
.await?
.error_for_status()?
.json::<Value>()
.await?;
Ok(ConnectUser {
id: user_res["sub"].as_str().map(String::from).ok_or_else(|| {
crate::error::ConnectError::Provider("Missing user id".to_string())
})?,
name: user_res["name"]
.as_str()
.or_else(|| user_res["username"].as_str())
.map(String::from)
.unwrap_or_default(),
email: user_res["email"].as_str().map(String::from),
avatar_url: user_res["picture"].as_str().map(String::from),
email_verified: None,
raw_data: user_res,
access_token: access_token.to_string(),
refresh_token: None,
expires_in: None,
})
}
fn token_url(&self) -> String {
format!("{}/oauth2/token", self.domain)
}
async fn refresh_token(
&self,
refresh_token: &str,
) -> Result<crate::user::ConnectUser, crate::error::ConnectError> {
let token = crate::provider::fetch_refresh_token(
self.http_client.as_ref(),
&self.token_url(),
&self.client_id,
&self.client_secret,
refresh_token,
)
.await?;
let mut user = self.get_user_from_token(&token.access_token).await?;
user.refresh_token = token.refresh_token;
user.expires_in = token.expires_in;
Ok(user)
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_cognito_redirect_url() {
let provider = CognitoProvider::new(
"client_id".to_string(),
"client_secret".to_string(),
"https://redirect.url".to_string(),
"https://my-domain.auth.us-east-1.amazoncognito.com".to_string(),
);
let url = provider.redirect_url();
assert!(
url.starts_with("https://my-domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?")
);
assert!(url.contains("client_id=client_id"));
assert!(url.contains("redirect_uri=https%3A%2F%2Fredirect.url"));
}
}