Class: JwtAuthCognito::CognitoIdentityService

Inherits: Object
Defined in:
lib/jwt_auth_cognito/cognito_identity_service.rb

Overview

Fetches a user's Cognito identity attributes (email, name, …) using the caller's OWN access token. Cognito access tokens do not carry `email`; only ID tokens do. The access token scope `aws.cognito.signin.user.admin` authorizes the GetUser operation, so NO AWS IAM credentials are required: the token itself is the authorization.

Results are cached per-user (sub) so we don’t hit Cognito on every single validation. Any failure returns nil (never raises) so token validation is never blocked by an identity-enrichment problem.

Constant Summary

DEFAULT_IDENTITY_ATTRIBUTES =

Curated STANDARD identity attributes merged into the decoded token. Intentionally excludes custom:* attributes to avoid leaking arbitrary data.

%w[
  email email_verified name given_name family_name
  phone_number phone_number_verified preferred_username
].freeze

Instance Method Summary

Constructor Details

#initialize(config = JwtAuthCognito.configuration) ⇒ CognitoIdentityService

Returns a new instance of CognitoIdentityService.

# File 'lib/jwt_auth_cognito/cognito_identity_service.rb', line 23

def initialize(config = JwtAuthCognito.configuration)
  @region = config.cognito_region
  # Seconds an identity lookup stays cached (default: 5 minutes).
  @cache_ttl = config.identity_cache_timeout || 300
  # Fall back to the curated default list when nothing is configured.
  configured = config.identity_attributes
  @attributes = configured && !configured.empty? ? configured : DEFAULT_IDENTITY_ATTRIBUTES
  @cache = {}
  @mutex = Mutex.new
end

Instance Method Details

#clear_cache ⇒ Object

# File 'lib/jwt_auth_cognito/cognito_identity_service.rb', line 55

def clear_cache
  @mutex.synchronize { @cache = {} }
end

#get_identity_attributes(access_token, sub = nil) ⇒ Object

Returns a hash of identity attribute name => value for the user owning the access token, or nil on any failure (never raises).

# File 'lib/jwt_auth_cognito/cognito_identity_service.rb', line 34

def get_identity_attributes(access_token, sub = nil)
  # Prefer the stable subject id as cache key; otherwise use the token's tail
  # (the endless range returns nil for strings shorter than 24 chars, hence the fallback).
  cache_key = sub || "token:#{access_token[-24..] || access_token}"

  cached = read_cache(cache_key)
  return cached if cached

  # GetUser is authorized by the access token itself (aws.cognito.signin.user.admin scope).
  response = client.get_user(access_token: access_token)

  all = {}
  response.user_attributes.each { |attr| all[attr.name] = attr.value }

  # Keep only the configured attribute list (the default list excludes custom:*).
  filtered = {}
  @attributes.each { |name| filtered[name] = all[name] if all.key?(name) }

  write_cache(cache_key, filtered)
  filtered
rescue StandardError => e
  # Never raise: an enrichment failure must not block token validation.
  ErrorUtils.log_error(e, 'CognitoIdentityService.get_identity_attributes failed')
  nil
end
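The three guarantees described in the overview (curated attributes only, per-sub caching with a TTL, nil instead of an exception on failure) can be exercised end to end without AWS. The following is an added example, not the gem's own code: `FakeCognitoClient`, `IdentityLookup` and the injected `clock` are stand-ins written for this illustration, and `sub` is required rather than falling back to a token-derived key.

```ruby
require 'time'

# Stand-in for the Cognito client (hypothetical): get_user returns attribute
# structs like the real response and counts calls so cache hits are observable.
FakeAttr = Struct.new(:name, :value)
FakeResp = Struct.new(:user_attributes)
class FakeCognitoClient
  attr_reader :calls
  def initialize(attrs, fail: false)
    @attrs = attrs; @fail = fail; @calls = 0
  end

  def get_user(access_token:)
    @calls += 1
    raise 'NotAuthorizedException' if @fail || access_token.empty?
    FakeResp.new(@attrs.map { |k, v| FakeAttr.new(k, v) })
  end
end

# Same curated list as DEFAULT_IDENTITY_ATTRIBUTES: no sub, no custom:* keys.
ALLOWED = %w[email email_verified name given_name family_name
             phone_number phone_number_verified preferred_username].freeze

# Mirrors the service contract: filter to ALLOWED, cache per sub for ttl
# seconds, return nil on any error. clock is injected so tests can expire entries.
class IdentityLookup
  def initialize(client, ttl: 300, clock: -> { Time.now })
    @client = client; @ttl = ttl; @clock = clock; @cache = {}; @mutex = Mutex.new
  end

  def attributes_for(access_token, sub)
    hit = read(sub)
    return hit if hit
    resp = @client.get_user(access_token: access_token)
    all = resp.user_attributes.to_h { |a| [a.name, a.value] }
    filtered = all.slice(*ALLOWED)          # drops sub and every custom:* attribute
    @mutex.synchronize { @cache[sub] = [filtered, @clock.call + @ttl] }
    filtered
  rescue StandardError
    nil                                      # fail open on enrichment, never raise
  end

  private

  def read(sub)
    @mutex.synchronize do
      val, exp = @cache[sub]
      return val if val && @clock.call < exp   # fresh entry
      @cache.delete(sub)                       # expired or absent
      nil
    end
  end
end
```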