# @wethecurious/wtc-auth-base-lib

Shared library for WTC exhibit dataServers with a Node backend that need permission checks.
## How to use it

### Auth
Auth is based on Cognito groups. To change the group that a user must belong to in order to be authorized, set the `COGNITO_USER_GROUP_NAME` env var in the `.env.*.json` files:
```json
{
  ...,
  "COGNITO_USER_GROUP_NAME": "MyAuthorizedGroup"
}
```
A fallback default value is recommended; `editors` is used in the example below.

In the project that embeds the library it will look like this:
```js
// Imports added so the snippet is complete; the library's export shape (named export) is assumed.
const express = require('express');
const cors = require('cors');
const bodyParser = require('body-parser');
const { cognitoServerAuth } = require('@wethecurious/wtc-auth-base-lib');
//...
// Group a user must belong to; falls back to 'editors' when the env var is unset
const groupName = process.env.COGNITO_USER_GROUP_NAME || 'editors';
const region = process.env.AWS_REGION; // set up by serverless itself
const cognitoUserPoolId = process.env.COGNITO_USER_POOL_ID; // needed for auth

const app = express();
// Enable CORS for all endpoints
app.use(cors());
app.use(bodyParser.json({ strict: false }));

const config = {
  app,
  groupName,
  cognitoRegion: region,
  cognitoUserPoolId,
  auth: 'automatic',
  env: process.env,
};
cognitoServerAuth(config);
//...
```
In `serverless.yml` you will need to give the lambda some extra permissions:
```yaml
provider:
  # permissions required for THIS LAMBDA (not the user of the API)
  iamRoleStatements:
    - Effect: Allow
      Action:
        - cognito-idp:ListUsers
        - cognito-idp:AdminListGroupsForUser
      Resource:
        # This incantation is required for the lambda to have permission to access the cognito user pool
        - "arn:aws:cognito-idp:${self:provider.region}:*"
```
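As an added example (not code from `wtc-auth-base-lib`), this is the kind of group-membership decision the `AdminListGroupsForUser` permission above exists for: the group name is resolved with the same `editors` fallback, every page of the API response is read before deciding, and an unknown user or an empty group list is denied. The Cognito client is injected and a constructed fake is used so it runs offline; a real client would wrap the AWS SDK call and resolve to the same `{ Groups, NextToken }` response shape.

```javascript
// Added example, not part of @wethecurious/wtc-auth-base-lib. The client passed in
// is assumed to expose adminListGroupsForUser(params) returning a promise of the
// AWS AdminListGroupsForUser response ({ Groups: [{ GroupName }], NextToken }).

// Mirrors the README: env var with an explicit 'editors' fallback; blank means unset.
function resolveGroupName(env, fallback = 'editors') {
  const name = env.COGNITO_USER_GROUP_NAME;
  return typeof name === 'string' && name.trim() !== '' ? name.trim() : fallback;
}

// Pure decision: exact, case-sensitive group name match; an empty list denies.
function decideFromGroups(groupNames, requiredGroup) {
  const allowed = groupNames.includes(requiredGroup);
  return { allowed, reason: `${allowed ? 'member' : 'not a member'} of ${requiredGroup}` };
}

// Walks every page of AdminListGroupsForUser before deciding, so a membership on a
// later page is not wrongly denied. Unknown users are denied; any other API error
// is rethrown so the caller does not fail open.
async function isUserAuthorized({ cognitoClient, userPoolId, username, groupName }) {
  if (!userPoolId || !username) return { allowed: false, reason: 'missing user pool id or username' };
  const groups = [];
  let nextToken;
  try {
    do {
      const page = await cognitoClient.adminListGroupsForUser({ UserPoolId: userPoolId, Username: username, NextToken: nextToken });
      for (const g of page.Groups || []) groups.push(g.GroupName);
      nextToken = page.NextToken;
    } while (nextToken);
  } catch (err) {
    if (err.code === 'UserNotFoundException') return { allowed: false, reason: 'user not found' };
    throw err;
  }
  return decideFromGroups(groups, groupName);
}

// Constructed fake client (hypothetical user table): one group per page to exercise NextToken.
function makeFakeCognitoClient(userGroups) {
  return {
    async adminListGroupsForUser({ Username, NextToken }) {
      const all = userGroups[Username];
      if (all === undefined) throw Object.assign(new Error('User does not exist.'), { code: 'UserNotFoundException' });
      const start = NextToken ? Number(NextToken) : 0;
      return {
        Groups: all.slice(start, start + 1).map((GroupName) => ({ GroupName })),
        NextToken: start + 1 < all.length ? String(start + 1) : undefined,
      };
    },
  };
}
```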