nexmo-community / verify-aws-cognito-php Goto Github PK

View Code? Open in Web Editor NEW

3.0 11.0 1.0 39 KB

Example in PHP for using Vonage Verify for 2FA with Amazon Cognito

License: MIT License

PHP 100.00%

aws cognito verify 2fa php

verify-aws-cognito-php's Introduction

verify-aws-cognito-php

Example in PHP for using Vonage Verify for 2FA with Amazon Cognito

Setup Instructions

Clone this repo nexmo-community/verify-aws-cognito-php and navigate into the newly created directory to proceed.

Install Dependencies

This example requires the use of Composer to install dependencies and set up the autoloader.

Assuming you have Composer installed globally, run:

composer install

AWS Setup

This example uses Amazon Cognito User Pools to hold users. I set up a User Pool as follows:

Navigate to the Amazon Cognito Dashboard in the AWS Console.
Select Manage User Pools.
Create a new user pool.
- Give the pool a name, and click Step through settings
- Select Email address or phone number and pick Allow email addresses
- Click Next step
- Set the minimum password length, and desired complexity settings
- Make sure to Allow users to sign themselves up
- Click Next step
- Leave the next step as-is, for this example. We will use Vonage for 2FA
- Click Next step
- Select a FROM email address ARN from the dropdown. This assumes you've already created an idenity in Amazon Simple Email Service(SES)
- Add a FROM email address as desired.
- Leave the rest of this page unchanged. However, I do recommend you remove the trailing periods from the email messages. This prevents the recipient from mistakenly using the period as part of the temporary password.
- Click Next step
- Skip adding tags by clicking Next step
- Skip devices by clicking Next step
- Click the link to Add an app client
- Give the app client a name
- Uncheck the box to Generate client secret
- Check the rest of the boxes
- Click Create app client
- Click Next step
- Skip triggers by clicking Next step
- Click Create pool

Update Environment

Rename the provided .env.default file to .env and update the values as needed:

AWS_PROFILE=default
AWS_ACCESS_KEY_ID=<aws-access-key-id>
AWS_SECRET_ACCESS_KEY=<aws-secret-access-key>
AWS_VERSION=latest
AWS_REGION=us-east-1
AWS_CLIENT_ID=<aws-client-id>
AWS_USERPOOL_ID=<aws-userpool-id>
NEXMO_API_KEY=<nexmo-api-key>
NEXMO_API_SECRET=<nexmo-api-secret>

NOTE: All placeholders noted by <> need to be updated. Update the others as needed.

Launch or Deploy

Test the app by running it locally with the PHP built-in webserver with the command:

php -S localhost:8080

View the main landing page by going to http://localhost:8080 in a web browser.

IMPORTANT: Though this app functions, as-is it is intended for educational purposes and is not ready for production/public use.

Functionality

The app flow is as follows:

From the main page, click either Login or Register.
- After registration (user_register.php) the user is redirected to a mandatory password change page. (login_reset.php) Here they should utilize the temporary password emailed to them.
- After updating the temporary password the user is redirected to the login page. (login.php)
- The login is where a new user, or an existing user can login.
- After successful login, the user is redirected to the 2FA verification page. (login_verify.php) Here they enter the 6 digit code sent to their mobile number.
- Upon successful 2FA verification, the user is then redirected back to the main page (index.php) where they see they are now logged in with an option to logout. (logout.php)

Contributing

We love questions, comments, issues - and especially pull requests. Either open an issue to talk to us, or reach us on twitter: https://twitter.com/VonageDev.

verify-aws-cognito-php's People

Contributors

Stargazers

Watchers

Forkers

adamculp

verify-aws-cognito-php's Issues

nexmo/client-2.0.0: 6 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - nexmo/client-2.0.0

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (nexmo/client version)	Remediation Possible**
CVE-2022-29248	High	8.1	guzzlehttp/guzzle-6.5.5	Transitive	N/A*	❌
CVE-2022-31091	High	7.7	guzzlehttp/guzzle-6.5.5	Transitive	N/A*	❌
CVE-2022-31090	High	7.7	guzzlehttp/guzzle-6.5.5	Transitive	N/A*	❌
CVE-2022-31043	High	7.5	guzzlehttp/guzzle-6.5.5	Transitive	N/A*	❌
CVE-2022-31042	High	7.5	guzzlehttp/guzzle-6.5.5	Transitive	N/A*	❌
CVE-2021-41106	Low	3.3	lcobucci/jwt-3.3.2	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-29248

Vulnerable Library - guzzlehttp/guzzle-6.5.5

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/9d4290de1cfd701f38099ef7e183b64b4b7b0c5e

Dependency Hierarchy:

nexmo/client-2.0.0 (Root Library)
- php-http/guzzle6-adapter-v2.0.1
  - ❌ guzzlehttp/guzzle-6.5.5 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Publish Date: 2022-05-25

URL: CVE-2022-29248

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248

Release Date: 2022-05-25

Fix Resolution: guzzlehttp/guzzle - 6.5.6,guzzlehttp/guzzle - 7.4.3

CVE-2022-31091

Vulnerable Library - guzzlehttp/guzzle-6.5.5

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/9d4290de1cfd701f38099ef7e183b64b4b7b0c5e

Dependency Hierarchy:

nexmo/client-2.0.0 (Root Library)
- php-http/guzzle6-adapter-v2.0.1
  - ❌ guzzlehttp/guzzle-6.5.5 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

Guzzle, an extensible PHP HTTP client. Authorization and Cookie headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

Publish Date: 2022-06-27

URL: CVE-2022-31091

CVSS 3 Score Details (7.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091

Release Date: 2022-06-27

Fix Resolution: 6.5.8,7.4.5

CVE-2022-31090

Vulnerable Library - guzzlehttp/guzzle-6.5.5

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/9d4290de1cfd701f38099ef7e183b64b4b7b0c5e

Dependency Hierarchy:

nexmo/client-2.0.0 (Root Library)
- php-http/guzzle6-adapter-v2.0.1
  - ❌ guzzlehttp/guzzle-6.5.5 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

Guzzle, an extensible PHP HTTP client. Authorization headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the CURLOPT_HTTPAUTH option to specify an Authorization header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the CURLOPT_HTTPAUTH option before continuing, stopping curl from appending the Authorization header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.

Publish Date: 2022-06-27

URL: CVE-2022-31090

CVSS 3 Score Details (7.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-25mq-v84q-4j7r

Release Date: 2022-05-19

Fix Resolution: 6.5.8,7.4.5

CVE-2022-31043

Vulnerable Library - guzzlehttp/guzzle-6.5.5

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/9d4290de1cfd701f38099ef7e183b64b4b7b0c5e

Dependency Hierarchy:

nexmo/client-2.0.0 (Root Library)
- php-http/guzzle6-adapter-v2.0.1
  - ❌ guzzlehttp/guzzle-6.5.5 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

Guzzle is an open source PHP HTTP client. In affected versions Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, https to http downgrades did not result in the Authorization header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.

Publish Date: 2022-06-10

URL: CVE-2022-31043

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w248-ffj2-4v5q

Release Date: 2022-06-10

Fix Resolution: 6.5.7,7.4.4

CVE-2022-31042

Vulnerable Library - guzzlehttp/guzzle-6.5.5

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/9d4290de1cfd701f38099ef7e183b64b4b7b0c5e

Dependency Hierarchy:

nexmo/client-2.0.0 (Root Library)
- php-http/guzzle6-adapter-v2.0.1
  - ❌ guzzlehttp/guzzle-6.5.5 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

Guzzle is an open source PHP HTTP client. In affected versions the Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the Cookie header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any Cookie header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

Publish Date: 2022-06-10

URL: CVE-2022-31042

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f2wf-25xc-69c9

Release Date: 2022-06-10

Fix Resolution: 6.5.7,7.4.4

CVE-2021-41106

Vulnerable Library - lcobucci/jwt-3.3.2

A simple library to work with JSON Web Token and JSON Web Signature

Library home page: https://api.github.com/repos/lcobucci/jwt/zipball/56f10808089e38623345e28af2f2d5e4eb579455

Dependency Hierarchy:

nexmo/client-2.0.0 (Root Library)
- nexmo/client-core-2.1.0
  - ❌ lcobucci/jwt-3.3.2 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with Lcobucci\JWT\Signer\Key\LocalFileReference as key are having their tokens issued/validated using the file path as hashing key - instead of the contents. The HMAC hashing functions take any string as input and, since users can issue and validate tokens, users are lead to believe that everything works properly. Versions 3.4.6, 4.0.4, and 4.1.5 have been patched to always load the file contents, deprecated the Lcobucci\JWT\Signer\Key\LocalFileReference, and suggest Lcobucci\JWT\Signer\Key\InMemory as the alternative. As a workaround, use Lcobucci\JWT\Signer\Key\InMemory instead of Lcobucci\JWT\Signer\Key\LocalFileReference to create the instances of one's keys.

Publish Date: 2021-09-28

URL: CVE-2021-41106

CVSS 3 Score Details (3.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41106

Release Date: 2021-09-28

Fix Resolution: lcobucci/jwt - 3.4.6,4.0.4,4.1.5

aws/aws-sdk-php-3.143.2: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - aws/aws-sdk-php-3.143.2

AWS SDK for PHP - Use Amazon Web Services in your PHP project

Library home page: https://api.github.com/repos/aws/aws-sdk-php/zipball/d44eac162f8ed1869d20c076adca9869c70a8ad9

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (aws/aws-sdk-php version)	Remediation Possible**
CVE-2022-24775	High	7.5	guzzlehttp/psr7-1.6.1	Transitive	N/A*	❌
CVE-2022-23395	Medium	6.1	aws/aws-sdk-php-3.143.2	Direct	N/A	❌
CVE-2023-51651	Low	3.3	aws/aws-sdk-php-3.143.2	Direct	3.288.1	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-24775

Vulnerable Library - guzzlehttp/psr7-1.6.1

PSR-7 HTTP message library

Dependency Hierarchy:

aws/aws-sdk-php-3.143.2 (Root Library)
- ❌ guzzlehttp/psr7-1.6.1 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

Publish Date: 2022-03-21

URL: CVE-2022-24775

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q7rv-6hp3-vh96

Release Date: 2022-03-21

Fix Resolution: 1.8.4,2.1.1

CVE-2022-23395

Vulnerable Library - aws/aws-sdk-php-3.143.2

AWS SDK for PHP - Use Amazon Web Services in your PHP project

Library home page: https://api.github.com/repos/aws/aws-sdk-php/zipball/d44eac162f8ed1869d20c076adca9869c70a8ad9

Dependency Hierarchy:

❌ aws/aws-sdk-php-3.143.2 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS).

Publish Date: 2022-03-02

URL: CVE-2022-23395

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2023-51651

Vulnerable Library - aws/aws-sdk-php-3.143.2

AWS SDK for PHP - Use Amazon Web Services in your PHP project

Library home page: https://api.github.com/repos/aws/aws-sdk-php/zipball/d44eac162f8ed1869d20c076adca9869c70a8ad9

Dependency Hierarchy:

❌ aws/aws-sdk-php-3.143.2 (Vulnerable Library)

Found in HEAD commit: 4cd03afa364ce79169ece6fb7d8cc36d521117bd

Found in base branch: main

Vulnerability Details

AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the buildEndpoint method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The buildEndpoint method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed. This issue has been patched in version 3.288.1.

Publish Date: 2023-12-22

URL: CVE-2023-51651

CVSS 3 Score Details (3.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-51651

Release Date: 2023-12-22

Fix Resolution: 3.288.1

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.