From 0fe1bd0b4d103334a660110cb61714d70c6282a6 Mon Sep 17 00:00:00 2001
From: Stian Fredrik Aune
Date: Sat, 5 Jul 2025 12:45:19 +0200
Subject: [PATCH] first commit
---
 .drone.yml | 34 +++++++++++
 .gitignore | 2 +
 .idea/.gitignore | 8 +++
 .idea/cognito-token-checker.iml | 9 +++
 .idea/modules.xml | 8 +++
 .idea/vcs.xml | 6 ++
 Dockerfile | 14 +++++
 README.md | 18 ++++++
 go.mod | 7 +++
 go.sum | 4 ++
 main.go | 100 ++++++++++++++++++++++++++++++++
 11 files changed, 210 insertions(+)
 create mode 100644 .drone.yml
 create mode 100644 .gitignore
 create mode 100644 .idea/.gitignore
 create mode 100644 .idea/cognito-token-checker.iml
 create mode 100644 .idea/modules.xml
 create mode 100644 .idea/vcs.xml
 create mode 100644 Dockerfile
 create mode 100644 README.md
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 main.go
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..23f11ce
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,34 @@
+name: cognito-token-checker
+
+kind: pipeline
+type: docker
+
+steps:
+ - name: docker-test
+ image: plugins/docker
+ settings:
+ auto_tag: true
+ username:
+ from_secret: docker_username
+ password:
+ from_secret: docker_password
+ repo: r.vmaple.dev/red/server
+ registry: r.vmaple.dev
+ dry_run: true
+ when:
+ event:
+ exclude:
+ - tag
+ - name: docker-tag
+ image: plugins/docker
+ settings:
+ auto_tag: true
+ username:
+ from_secret: docker_username
+ password:
+ from_secret: docker_password
+ repo: r.vmaple.dev/stian/cognito-token-checker
+ registry: r.vmaple.dev
+ when:
+ event:
+ - tag
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..baa2b1e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+checker
+*.json
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 0000000..13566b8
--- /dev/null
+++ b/.idea/.gitignore
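Review bot: The `docker-test` step's `repo: r.vmaple.dev/red/server` does not match the `docker-tag` step's `repo: r.vmaple.dev/stian/cognito-token-checker` and reads like a leftover from another pipeline; `dry_run: true` keeps it from pushing, but the test build then exercises a different image name than the one that ships, so the two `repo` values should agree (or be shared through a YAML anchor). A one-line comment above `docker-test` would also spare the next reader a search, e.g. `# build-only check on every non-tag event; nothing is pushed`.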
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/.idea/cognito-token-checker.iml b/.idea/cognito-token-checker.iml
new file mode 100644
index 0000000..5e764c4
--- /dev/null
+++ b/.idea/cognito-token-checker.iml
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
new file mode 100644
index 0000000..90621ed
--- /dev/null
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 0000000..94a25f7
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..0f1d43f
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,14 @@
+FROM golang:1.23 AS build
+
+WORKDIR /build
+
+ENV CGO_ENABLED 0
+
+COPY . .
+
+RUN go build -ldflags "-w -s" -o checker main.go
+
+FROM alpine:3.20.1 AS run
+COPY --from=build /build/checker /bin/checker
+
+CMD checker
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..72dc057
--- /dev/null
+++ b/README.md
@@ -0,0 +1,18 @@
+# Cognito token checker
+
+Environment variables:
+
+- `COGNITO_REGION`
+- `COGNITO_POOL_ID`
+
+Location in docker container
+
+- `/bin/checker`
+
+Example:
+
+```bash
+FILE=/tmp/token-123
+verifier $FILE
+echo "$FILE.json" | jq
+```
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..7cf3f10
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,7 @@
+module git.aiterp.net/stian/cognito-token-checker
+
+go 1.23
+
+require github.com/MicahParks/keyfunc v1.9.0
+
+require github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..b27abb6
--- /dev/null
+++ b/go.sum
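Review bot: `CMD checker` on the last line is the shell form, so the binary starts under `/bin/sh -c` and any argument given to `docker run` replaces the whole command instead of being appended, yet main.go in this same commit takes the token path from `os.Args[1]`; `ENTRYPOINT ["/bin/checker"]` (exec form) makes `docker run <image> /path/token` do what README.md's example suggests — which, incidentally, calls the binary `verifier` while the image installs `/bin/checker`. `ENV CGO_ENABLED 0` is the legacy whitespace form; write `ENV CGO_ENABLED=0`. `COPY . .` pulls the whole build context, including `.idea/` and any `*.json` result files, into the build stage because there is no `.dockerignore`. The run stage never sets `USER`, so the checker runs as root even though it only needs to read one file and write one next to it.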
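Review bot: `github.com/golang-jwt/jwt/v4` is marked `// indirect` although main.go in this commit imports it directly (`jwt.Parse`, `jwt.Token`), so the manifest is out of step with the code; `go mod tidy` moves it into the direct `require` block. Both pins also predate later releases of their modules (jwt/v4 has 4.5.x releases, keyfunc has moved on to new major versions), so an update pass before the first tag is cheap insurance for a component whose whole job is signature verification.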
@@ -0,0 +1,4 @@
+github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID3+o=
+github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw=
+github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..ac32d66
--- /dev/null
+++ b/main.go
@@ -0,0 +1,100 @@
+package main
+
+import (
+ "bytes"
+ "encoding/base64"
+ "encoding/json"
+ "github.com/MicahParks/keyfunc"
+ "github.com/golang-jwt/jwt/v4"
+ "os"
+ "strings"
+)
+
+func main() {
+ region := os.Getenv("COGNITO_REGION")
+ poolId := os.Getenv("COGNITO_POOL_ID")
+
+ url := "https://cognito-idp." + region + ".amazonaws.com/" + poolId + "/.well-known/jwks.json"
+ tokenFile := os.Args[1]
+
+ tokenBytes, err := os.ReadFile(tokenFile)
+ if err != nil {
+ writeError(tokenFile, err)
+ return
+ }
+ token := string(tokenBytes)
+
+ jwks, err := keyfunc.Get(url, keyfunc.Options{})
+ if err != nil {
+ writeError(tokenFile, err)
+ return
+ }
+
+ parsed, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
+ return jwks.Keyfunc(t)
+ })
+ if err != nil {
+ writeError(tokenFile, err)
+ return
+ }
+
+ err = parsed.Claims.Valid()
+ if err != nil {
+ writeError(tokenFile, err)
+ return
+ }
+
+ parts := strings.Split(parsed.Raw, ".")
+ payload := parts[1]
+ jsonPayload, err := base64.RawURLEncoding.DecodeString(payload)
+ if err != nil {
+ writeError(tokenFile, err)
+ return
+ }
+
+ var payloadData struct {
+ Sub string `json:"sub"`
+ Exp int `json:"exp"`
+ }
+ err = json.NewDecoder(bytes.NewReader(jsonPayload)).Decode(&payloadData)
+ if err != nil {
+ writeError(tokenFile, err)
+ return
+ }
+
+ writeResult(tokenFile, Result{
+ Success: true,
+ Sub: payloadData.Sub,
+ Expiry: payloadData.Exp,
+ })
+}
+
+func writeResult(fileName string, result Result) {
+ _ = os.Remove(fileName + ".json")
+
+ file, err := os.OpenFile(fileName+".json", os.O_CREATE|os.O_WRONLY, 0644)
+ if err != nil {
+ panic(err)
+ }
+
+ data, err := json.Marshal(result)
+ if err != nil {
+ panic(err)
+ }
+
+ _, err = file.Write(data)
+ if err != nil {
+ panic(err)
+ }
+}
+
+func writeError(fileName string, err error) {
+ writeResult(fileName, Result{Error: err.Error()})
+}
+
+type Result struct {
+ Success bool `json:"success"`
+ Error string `json:"error"`
+ Sub string `json:"sub"`
+ Expiry int `json:"exp"`
+}
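Review bot: main accepts any token that verifies against the pool's JWKS without checking who issued it or what it is for: after `jwt.Parse` succeeds the claims are only re-decoded by hand (`strings.Split` on `parsed.Raw`, then `base64`) to read `sub` and `exp`, so `iss` is never compared with the pool URL, `token_use` is never read, and the parser is not pinned to RS256 through `jwt.WithValidMethods`. The explicit `parsed.Claims.Valid()` call is redundant (v4's `Parse` already runs it) and the hand decoding disappears if the token is parsed into `jwt.MapClaims`. Three smaller defects in the same hunk: `os.Args[1]` is read without a length check, so a missing argument panics instead of producing a result file; `string(tokenBytes)` is passed untrimmed, so whatever whitespace the tool that wrote the file left around the token reaches the parser; and `writeResult` never closes the file it opens — `os.WriteFile(fileName+".json", data, 0o644)` creates, truncates and closes in one call. A hardened parse section, with `errors` joining the import block:
```go
	// … unchanged: env lookup, JWKS URL …
	if len(os.Args) < 2 {
		panic("usage: checker <token-file>") // no path to name a result file after
	}
	tokenFile := os.Args[1]
	// … unchanged: os.ReadFile and its error check …
	token := strings.TrimSpace(string(tokenBytes))
	// … unchanged: keyfunc.Get and its error check …

	issuer := "https://cognito-idp." + region + ".amazonaws.com/" + poolId
	claims := jwt.MapClaims{}
	parsed, err := jwt.ParseWithClaims(token, claims, jwks.Keyfunc,
		jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}))
	if err != nil {
		writeError(tokenFile, err)
		return
	}
	// ParseWithClaims already ran Claims.Valid() (exp/nbf/iat); pin the issuer to this pool too.
	if !parsed.Valid || !claims.VerifyIssuer(issuer, true) {
		writeError(tokenFile, errors.New("token issuer does not match the configured pool"))
		return
	}
	sub, _ := claims["sub"].(string)
	exp, _ := claims["exp"].(float64) // encoding/json decodes JSON numbers as float64
	writeResult(tokenFile, Result{Success: true, Sub: sub, Expiry: int(exp)})
```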