{"id":16754,"library":"aws-cognito-srp-client","title":"AWS Cognito SRP Client","description":"This library provides a client-side implementation of the Secure Remote Password (SRP) authentication flow used by AWS Cognito User Pools. It performs the SRP arithmetic that Cognito requires, generating the client's ephemeral SRP_A value and deriving the password-claim signature from the SRP_B, salt and secret block returned by the server, so developers can integrate SRP authentication into browser and Node.js environments without implementing the protocol themselves. The current stable version is 1.0.0, the initial release. It is designed to work alongside the AWS SDK's `initiateAuth` (`USER_SRP_AUTH` flow) and `respondToAuthChallenge` (`PASSWORD_VERIFIER` challenge) APIs: the library handles the SRP computations and the SDK handles the network requests. Its differentiator is this narrow scope, which keeps the integration of this one Cognito authentication method small and explicit.","status":"active","version":"1.0.0","language":"javascript","source_language":"en","source_url":"ssh://git@github.com/sodaru/aws-cognito-srp-client","tags":["javascript","SRP","SecureRemotePassword","AWS","Cognito","auth","userpool","typescript"],"install":[{"cmd":"npm install aws-cognito-srp-client","lang":"bash","label":"npm"},{"cmd":"yarn add aws-cognito-srp-client","lang":"bash","label":"yarn"},{"cmd":"pnpm add aws-cognito-srp-client","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Runtime helper library for TypeScript; compiled output calls its helpers (such as `__awaiter` and `__extends`) instead of inlining them in every file.","package":"tslib","optional":false}],"imports":[{"note":"The library primarily exports its SRP client class as a default export.","wrong":"import { Srp } from 'aws-cognito-srp-client';","symbol":"Srp","correct":"import Srp from 'aws-cognito-srp-client';"},{"note":"For CommonJS environments, direct require without destructuring is appropriate for the default export.","wrong":"const { Srp } = 
require('aws-cognito-srp-client');","symbol":"Srp (CommonJS)","correct":"const Srp = require('aws-cognito-srp-client');"},{"note":"The library ships with TypeScript types, allowing for strong typing of the Srp class instances.","symbol":"Type (Srp instance)","correct":"import Srp from 'aws-cognito-srp-client'; const mySrp: Srp = new Srp('us-east-1_XXXXX');"}],"quickstart":{"code":"import Srp from 'aws-cognito-srp-client';\nimport { CognitoIdentityProvider } from '@aws-sdk/client-cognito-identity-provider';\n\nconst userPoolId = 'us-east-1_XXXXX'; // Replace with your Cognito User Pool ID\nconst clientId = 'YYYYYYYYYYYYYYYYYYYYYYYYY'; // Replace with your Cognito App Client ID (an App Client without a client secret)\nconst username = 'testuser'; // What the user typed: a username, or an email/phone alias if the pool allows it\nconst password = 'StrongPassword123!'; // Placeholder only: take the password from user input, never hard-code it\n\nconst cognitoClient = new CognitoIdentityProvider({\n  region: 'us-east-1' // Replace with your AWS Region\n});\n\nasync function authenticateUser() {\n  // Step 1: Generate the ephemeral SRP_A value for this login attempt\n  const srp = new Srp(userPoolId);\n  const srpA = srp.getA();\n\n  // Step 2: Initiate auth with Cognito; the response carries the PASSWORD_VERIFIER challenge\n  const initiateAuthResponse = await cognitoClient.initiateAuth({\n    AuthFlow: 'USER_SRP_AUTH',\n    AuthParameters: {\n      USERNAME: username,\n      SRP_A: srpA\n    },\n    ClientId: clientId\n  });\n\n  const challengeParameters = initiateAuthResponse.ChallengeParameters;\n  if (initiateAuthResponse.ChallengeName !== 'PASSWORD_VERIFIER' || !challengeParameters) {\n    throw new Error(`Unexpected challenge: ${initiateAuthResponse.ChallengeName}`);\n  }\n\n  const srpB = challengeParameters.SRP_B;\n  const salt = challengeParameters.SALT;\n  const secretBlock = challengeParameters.SECRET_BLOCK;\n  // Cognito computes the verifier over USER_ID_FOR_SRP, which differs from the typed\n  // username when the user signed in with an alias; use it for the signature and the reply\n  const userIdForSrp = challengeParameters.USER_ID_FOR_SRP;\n\n  // Step 3: Calculate the password-claim signature and timestamp\n  const { signature, timestamp } = srp.getSignature(\n    userIdForSrp,\n    srpB,\n    salt,\n    secretBlock,\n    password\n  );\n\n  // Step 4: Respond to the PASSWORD_VERIFIER challenge\n  const respondToChallengeResponse = await cognitoClient.respondToAuthChallenge({\n    ChallengeName: 'PASSWORD_VERIFIER',\n    ChallengeResponses: {\n      USERNAME: userIdForSrp,\n      PASSWORD_CLAIM_SECRET_BLOCK: secretBlock,\n      PASSWORD_CLAIM_SIGNATURE: signature,\n      TIMESTAMP: timestamp\n    },\n    ClientId: clientId,\n    Session: initiateAuthResponse.Session // Pass the session token from initiateAuth\n  });\n\n  const result = respondToChallengeResponse.AuthenticationResult;\n  if (!result?.AccessToken) {\n    // e.g. MFA or NEW_PASSWORD_REQUIRED: handle the next challenge instead of treating this as success\n    throw new Error(`Further challenge required: ${respondToChallengeResponse.ChallengeName}`);\n  }\n\n  // The tokens are bearer credentials: do not log them\n  console.log('Authentication successful; access token expires in', result.ExpiresIn, 'seconds');\n  return result;\n}\n\nauthenticateUser().catch(console.error);\n","lang":"typescript","description":"This quickstart demonstrates the full four-step SRP authentication flow with AWS Cognito: generate SRP_A, initiate authentication, compute the password-claim signature over the USER_ID_FOR_SRP returned by Cognito, and answer the PASSWORD_VERIFIER challenge, using the `aws-cognito-srp-client` library for the SRP arithmetic and the AWS SDK v3 Cognito Identity Provider client for the API calls."},"warnings":[{"fix":"Ensure you have the AWS SDK installed and are correctly using its `initiateAuth` and `respondToAuthChallenge` methods, passing the computed SRP values from this library.","message":"This library exclusively handles the cryptographic SRP calculations. It does *not* make API calls to AWS Cognito itself. 
You must use the AWS SDK (e.g., `@aws-sdk/client-cognito-identity-provider`, whose `CognitoIdentityProvider` client exposes `initiateAuth` and `respondToAuthChallenge`) to make the two API calls.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Correctly map the `SECRET_BLOCK` string from `initiateAuthResponse.ChallengeParameters` to the `secret` argument of `getSignature`, and return the same unmodified string as `PASSWORD_CLAIM_SECRET_BLOCK` in the challenge response.","message":"The `secret` parameter in `srp.getSignature()` corresponds to the `SECRET_BLOCK` value received from Cognito's `initiateAuth` response, not a user-defined secret.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Pass `ChallengeParameters.USER_ID_FOR_SRP` from the `initiateAuth` response, rather than the string the user typed, as the user ID argument of `getSignature` and as `USERNAME` in the `PASSWORD_VERIFIER` challenge response.","message":"Cognito computes the password verifier over the user's `USER_ID_FOR_SRP`, which it returns in the `initiateAuth` challenge parameters. When the User Pool allows sign-in with an email or phone-number alias, that value differs from the typed username, and a signature computed over the typed username is rejected.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Verify your Cognito User Pool App Client settings in the AWS Console and ensure `ALLOW_USER_SRP_AUTH` (shown as 'Enable SRP' in older consoles) is among the enabled authentication flows.","message":"Cognito User Pools must be configured to allow `USER_SRP_AUTH` as an authentication flow for the App Client. If not enabled, the `initiateAuth` call will fail.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Never hard-code or persist passwords; take them from user input and drop them once `getSignature` has returned. Use HTTPS for all communications. Do not log the password, the SRP intermediates (`SRP_A`, `SRP_B`, `SALT`, `SECRET_BLOCK`, the signature) or the returned tokens, and return generic errors to the user so that failures do not reveal account state.","message":"Securely handling user passwords and the SRP process client-side requires careful attention to security best practices. Avoid logging sensitive data and ensure your environment (browser/Node.js) is secure against common client-side attacks.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"In your AWS Cognito console, navigate to your User Pool, then App Clients, and enable the `ALLOW_USER_SRP_AUTH` authentication flow (the 'Enable SRP' option) for the relevant App Client.","cause":"The Cognito User Pool App Client is not configured to allow the USER_SRP_AUTH flow.","error":"AuthFlow is not supported for this user pool."},{"fix":"If your App Client has a client secret, compute `SECRET_HASH` as Base64(HMAC-SHA256(key = client secret, message = username + client ID)) and include it in the `AuthParameters` of `initiateAuth` and in the `ChallengeResponses` of `respondToAuthChallenge`, computing it each time over the `USERNAME` value that request carries. 
Alternatively, configure your App Client *without* a client secret; that is the correct choice for a public client (browser or mobile app), which cannot keep a secret anyway.","cause":"This error occurs when your Cognito App Client is configured with a client secret, but you're not providing `SECRET_HASH` in the `AuthParameters` of `initiateAuth` or the `ChallengeResponses` of `respondToAuthChallenge`.","error":"Invalid parameter: SECRET_HASH"},{"fix":"Ensure the username is correct and the user has been created in the Cognito User Pool (an unconfirmed user fails with a separate 'User is not confirmed' error instead).","cause":"The username provided to `initiateAuth` does not correspond to an existing user in the Cognito User Pool.","error":"User does not exist."},{"fix":"Change your import statement to use a default import: `import Srp from 'aws-cognito-srp-client';`","cause":"You are attempting to import `Srp` as a named import (e.g., `import { Srp } from '...'`) when it is exported as the module's default export, so TypeScript finds no named member `Srp`.","error":"TypeScript error: Module 'aws-cognito-srp-client' has no exported member 'Srp'."}],"ecosystem":"npm","meta_description":null}
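Added example for the `SECRET_HASH` problem above: it is not part of aws-cognito-srp-client or the AWS SDK. It computes the hash Cognito expects from an App Client that has a client secret, and builds the `AuthParameters` and `ChallengeResponses` maps that carry it. The function names are this example's own; the client ID and client secret are constructed placeholders, not real credentials.

```typescript
// Added example: SECRET_HASH for Cognito App Clients that have a client secret.
// Cognito defines it as Base64(HMAC-SHA256(key = clientSecret, message = username + clientId)).
import { createHmac } from 'node:crypto';

function computeSecretHash(username: string, clientId: string, clientSecret: string): string {
  return createHmac('sha256', clientSecret).update(username + clientId, 'utf8').digest('base64');
}

// AuthParameters for initiateAuth(USER_SRP_AUTH). SECRET_HASH is computed over the
// same USERNAME string that this request carries (what the user typed).
function srpAuthParameters(
  username: string,
  srpA: string,
  clientId: string,
  clientSecret?: string
): Record<string, string> {
  const params: Record<string, string> = { USERNAME: username, SRP_A: srpA };
  if (clientSecret) {
    params.SECRET_HASH = computeSecretHash(username, clientId, clientSecret);
  }
  return params;
}

// ChallengeResponses for respondToAuthChallenge(PASSWORD_VERIFIER). USERNAME here is
// USER_ID_FOR_SRP from the initiateAuth challenge parameters, so SECRET_HASH is
// recomputed over that value rather than reused from the initiateAuth request.
function passwordVerifierResponses(
  userIdForSrp: string,
  secretBlock: string,
  signature: string,
  timestamp: string,
  clientId: string,
  clientSecret?: string
): Record<string, string> {
  const responses: Record<string, string> = {
    USERNAME: userIdForSrp,
    PASSWORD_CLAIM_SECRET_BLOCK: secretBlock,
    PASSWORD_CLAIM_SIGNATURE: signature,
    TIMESTAMP: timestamp
  };
  if (clientSecret) {
    responses.SECRET_HASH = computeSecretHash(userIdForSrp, clientId, clientSecret);
  }
  return responses;
}

// Constructed placeholder values (not real credentials), used only to show the output shape.
const exampleClientId = 'YYYYYYYYYYYYYYYYYYYYYYYYY';
const exampleClientSecret = 'constructed-example-client-secret';

const initParams = srpAuthParameters('alice@example.com', '<SRP_A from srp.getA()>', exampleClientId, exampleClientSecret);
console.log(Object.keys(initParams)); // USERNAME, SRP_A, SECRET_HASH
```

The two builders take the username as a parameter on purpose: the typed username goes into the first request, the `USER_ID_FOR_SRP` that Cognito returns goes into the second, and each `SECRET_HASH` has to match the `USERNAME` of its own request. Do the computation in a confidential backend or keep the App Client secret-less for browser and mobile code, since a client secret shipped to users is no longer a secret.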