iOS解决方案
当向aws cognito身份池提交忘记的密码请求时,该请求必须与忘记的密码请求中提交的用户名一起使用客户端的机密进行签名。
我们如何根据客户机密和swift中的用户名以aws要求的格式创建“secretHash”?
最佳答案
此功能没有文档记录,只在一些AWS库的测试中找到。此代码用作提交忘记密码请求的示例,直到AWSCongitoIdentityUserPool库更好地支持该功能。
银行代码3.2
func forgotPassword(username: String) {
let pool = AWSCognitoIdentityUserPool.default()
let request = AWSCognitoIdentityProviderForgotPasswordRequest()
request?.username = username
request?.clientId = pool.userPoolConfiguration.clientId
request?.secretHash = pool.calculateSecretHash(username: username)
AWSCognitoIdentityProvider.default().forgotPassword(request!) { (response, error) in
if let error = error {
print(error)
}
else {
print("success")
}
}
}
使用用户池中的客户端密钥对用户名进行签名。
extension AWSCognitoIdentityUserPool {
func calculateSecretHash(username: String) -> String? {
guard let clientSecret = userPoolConfiguration.clientSecret else {
return nil
}
guard let key = clientSecret.data(using: String.Encoding.ascii) else {
return nil
}
guard let data = (username + userPoolConfiguration.clientId).data(using: String.Encoding.utf8) else {
return nil
}
let hmac = sign256(data: data, key: key)
return hmac.base64EncodedString()
}
fileprivate func sign256(data: Data, key: Data) -> Data {
let algorithm: CCHmacAlgorithm = CCHmacAlgorithm(kCCHmacAlgSHA256)
let digestLength = Int(CC_SHA256_DIGEST_LENGTH)
let signature = UnsafeMutablePointer<CUnsignedChar>.allocate(capacity: digestLength)
defer { signature.deallocate(capacity: digestLength) }
data.withUnsafeBytes { dataBytes in
key.withUnsafeBytes { keyBytes in
CCHmac(algorithm, keyBytes, key.count, dataBytes, data.count, signature)
}
}
return Data(bytes: signature, count: digestLength)
}
}
关于ios - AWS忘记密码:无法验证iOS客户端的 secret 哈希,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/47426017/