Lokicoule / nestjs-cognito

AWS Cognito utilities module for NestJS.

Home Page: https://www.npmjs.com/package/@nestjs-cognito/auth


Why You Should Start Using @NestJs-Cognito Today

As web developers, we understand the significance of having a secure and dependable authentication system for our applications. In today's world, where security threats are on the rise, it is imperative to ensure that our users' data is protected. But building an authentication system from scratch can be a challenging and time-consuming task, especially when we want to make it scalable and maintainable.

This is where NestJS and AWS Cognito come in. NestJS, the powerful Node.js framework developed by Kamil Myśliwiec, and AWS Cognito, the managed authentication service from AWS, can be integrated to create a robust authentication system with ease.

To make this integration simpler, we have the @nestjs-cognito package collection. It includes @nestjs-cognito/core, @nestjs-cognito/auth, @nestjs-cognito/graphql, and @nestjs-cognito/testing.

If you're looking for a secure, dependable, and scalable solution for authentication and authorization in your NestJS application, then @nestjs-cognito is the right choice for you. Start using @nestjs-cognito today and simplify your development process. And don't forget to give it a star on GitHub to support the project and show your appreciation!



A wrapper package for the @aws-sdk/client-cognito-identity-provider and aws-jwt-verify packages for use with NestJS applications.

This package provides a simplified and NestJS-friendly interface for integrating Amazon Cognito into your application. With this package, you can easily make API requests to Amazon Cognito and verify JWT tokens from Amazon Cognito.


To install the @nestjs-cognito/core module, run the following command:

npm install @nestjs-cognito/core

In addition to the @nestjs-cognito/core package, you will also need to install the @aws-sdk/client-cognito-identity-provider and/or aws-jwt-verify.

It's important to note that if you use the @nestjs-cognito/auth module, you won't need to install aws-jwt-verify manually. The choice of which package to use depends on your specific needs.

npm install @aws-sdk/client-cognito-identity-provider aws-jwt-verify


Options params

The CognitoModuleOptions interface defines the configuration options for the @nestjs-cognito/core module. It contains two properties: identityProvider and jwtVerifier.

  • identityProvider is an optional configuration object for the @aws-sdk/client-cognito-identity-provider package.
  • jwtVerifier is an optional configuration object for the aws-jwt-verify package.

You can use the CognitoModuleOptionsFactory interface for creating the CognitoModuleOptions in an asynchronous way, using imports, providers, exports, and name properties.

CognitoModuleAsyncOptions is another interface for creating the CognitoModuleOptions asynchronously. It contains properties such as imports, inject, useFactory, and extraProviders.

import { CognitoIdentityProviderClientConfig } from "@aws-sdk/client-cognito-identity-provider";
import { ModuleMetadata, Provider, Type } from "@nestjs/common";
import {
  CognitoJwtVerifierProperties,
  CognitoJwtVerifierSingleUserPool,
} from "aws-jwt-verify/cognito-verifier";

/**
 * @type CognitoJwtVerifier - The CognitoJwtVerifier instance
 * @property {CognitoJwtVerifierSingleUserPool<CognitoJwtVerifierProperties>} - The CognitoJwtVerifierSingleUserPool instance
 */
export type CognitoJwtVerifier =
  CognitoJwtVerifierSingleUserPool<CognitoJwtVerifierProperties>;

/**
 * @type CognitoModuleOptions - Options for the CognitoModule
 * @property {CognitoIdentityProviderClientConfig} region - The region to use
 * @property {CognitoJwtVerifierProperties} userPoolId - The user pool id to use
 * @property {CognitoJwtVerifierProperties} clientId - The client id to use
 * @property {CognitoJwtVerifierProperties} tokenUse - The token use to use
 * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#constructor-property
 * @see https://github.com/awslabs/aws-jwt-verify#readme
 */
export type CognitoModuleOptions = {
  identityProvider?: CognitoIdentityProviderClientConfig;
  jwtVerifier?: CognitoJwtVerifierProperties;
};

/**
 * @interface CognitoModuleOptionsFactory - Metadata for the CognitoModule
 * @property {() => Promise<CognitoModuleOptions>} createCognitoModuleOptions - A factory function to create the CognitoModuleOptions
 * @property {Type<any>[]} imports - The imports to be used by the module
 * @property {Provider[]} providers - The providers to be used by the module
 * @property {(string | Provider)[]} exports - The exports to be used by the module
 * @property {string} name - The name of the module
 */
export interface CognitoModuleOptionsFactory {
  createCognitoModuleOptions():
    | Promise<CognitoModuleOptions>
    | CognitoModuleOptions;
}

/**
 * @interface CognitoModuleAsyncOptions - Options for the CognitoModule
 * @property {Function} imports - Imports the module asynchronously
 * @property {Function} inject - Injects the module asynchronously
 * @property {CognitoModuleOptions} useFactory - The factory function to create the CognitoModuleOptions
 * @property {CognitoModuleOptions} useClass - The class to create the CognitoModuleOptions
 * @property {CognitoModuleOptions} useExisting - The existing instance of the CognitoModuleOptions
 */
export interface CognitoModuleAsyncOptions
  extends Pick<ModuleMetadata, "imports"> {
  extraProviders?: Provider[];
  inject?: any[];
  useClass?: Type<CognitoModuleOptionsFactory>;
  useExisting?: Type<CognitoModuleOptionsFactory>;
  useFactory?: (
    ...args: any[]
  ) => Promise<CognitoModuleOptions> | CognitoModuleOptions;
}


Use the CognitoModule.register method with an options object that implements the CognitoModuleOptions interface. This options object can contain configurations for both the jwtVerifier and the identityProvider.

It's important to note that the identityProvider is used in the case where you want to use the Cognito identity provider. If you don't want to use the identity provider, you can omit this configuration from the options object and only specify the jwtVerifier configuration and vice-versa.

import { CognitoModule } from "@nestjs-cognito/core";
import { Module } from "@nestjs/common";

@Module({
  imports: [
    CognitoModule.register({
      jwtVerifier: {
        userPoolId: "user_pool_id",
        clientId: "client_id",
        tokenUse: "id",
      },
      identityProvider: {
        region: "us-east-1",
      },
    }),
  ],
})
export class AppModule {}


With CognitoModule.registerAsync you can import your ConfigModule and inject ConfigService to use it in the useFactory method. It's also possible to use useExisting or useClass. You can find more details here.

Here's an example:

import { CognitoModule } from "@nestjs-cognito/core";
import { Module } from "@nestjs/common";
import { ConfigModule, ConfigService } from "@nestjs/config";

@Module({
  imports: [
    CognitoModule.registerAsync({
      imports: [ConfigModule],
      useFactory: async (configService: ConfigService) => ({
        jwtVerifier: {
          userPoolId: configService.get("COGNITO_USER_POOL_ID") as string,
          clientId: configService.get("COGNITO_CLIENT_ID"),
          tokenUse: "id",
        },
        identityProvider: {
          region: configService.get("COGNITO_REGION"),
        },
      }),
      inject: [ConfigService],
    }),
  ],
})
export class AppModule {}


You can use this module to interact with Amazon Cognito and make use of its functionality. In case you need to handle authentication and authorization, you may consider using the @nestjs-cognito/auth module, which is built on top of @nestjs-cognito/core. In this case, you won't need to install aws-jwt-verify manually, as it is already included in the @nestjs-cognito/auth module.

Cognito Identity Provider

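import {
  CognitoIdentityProvider,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";
import {
  InjectCognitoIdentityProvider,
  InjectCognitoIdentityProviderClient,
} from "@nestjs-cognito/core";

export class MyService {
  constructor(
    @InjectCognitoIdentityProvider()
    private readonly client: CognitoIdentityProvider,
    @InjectCognitoIdentityProviderClient()
    private readonly cognitoIdentityProviderClient: CognitoIdentityProviderClient
  ) {}
}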

AWS JWT Verify

import {
  CognitoJwtVerifier,
  InjectCognitoJwtVerifier,
} from "@nestjs-cognito/core";

export class MyService {
  constructor(
    @InjectCognitoJwtVerifier()
    private readonly jwtVerifier: CognitoJwtVerifier
  ) {}
}


@nestjs-cognito/core is MIT licensed.



@nestjs-cognito/auth is a library for NestJS that provides authentication and authorization decorators and guards for applications using AWS Cognito. This library is built on top of @nestjs-cognito/core and aws-jwt-verify.


To install the library, use npm:

npm install @nestjs-cognito/auth


The @nestjs-cognito/auth library offers both synchronous and asynchronous configuration options. To use the library, a few configuration parameters are required, including the AWS Cognito user pool ID and client ID. Detailed information about the available options can be found in the @nestjs-cognito/core documentation.

Synchronous Configuration

The @nestjs-cognito/auth library can be easily integrated into your NestJS application by importing the CognitoAuthModule from the @nestjs-cognito/auth package.

Use the CognitoAuthModule.register method with options from the CognitoModuleOptions interface.

Here's an example of how you can import the CognitoAuthModule into your NestJS application:

import { CognitoAuthModule } from "@nestjs-cognito/auth";
import { Module } from "@nestjs/common";

@Module({
  imports: [
    CognitoAuthModule.register({
      jwtVerifier: {
        userPoolId: "user_pool_id",
        clientId: "client_id",
        tokenUse: "id",
      },
    }),
  ],
})
export class AppModule {}

In this example, the CognitoAuthModule is imported and registered with the following configuration options:

  • jwtVerifier:
    • userPoolId: The ID of your AWS Cognito user pool.
    • clientId: The client ID of your AWS Cognito user pool.
    • tokenUse: The type of token to be used. It is recommended to use "id" instead of "access" token.

Note: You can also define an identity provider without importing the CognitoModule module by using the CognitoAuthModule.
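
What the three jwtVerifier options pin down in a token, as an added example that is not code from @nestjs-cognito or aws-jwt-verify: it re-implements only the claim checks (issuer, token_use, app client, expiry) and leaves signature verification to the library. The pool id, client id and payloads are constructed sample values, and the function names are hypothetical.

```typescript
// Added example: claim checks implied by userPoolId, clientId and tokenUse.
// Signature verification against the pool's JWKS is deliberately out of scope
// here; in the application aws-jwt-verify performs it.

type TokenUse = "id" | "access";
type Claims = Record<string, unknown>;

interface VerifierOptions {
  userPoolId: string;
  clientId: string;
  tokenUse: TokenUse;
}

// A user pool id starts with its region ("<region>_<suffix>"), and Cognito
// issues tokens with iss = https://cognito-idp.<region>.amazonaws.com/<userPoolId>.
function expectedIssuer(userPoolId: string): string {
  const region = userPoolId.split("_")[0];
  return `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
}

// Returns the names of the claims that failed; an empty array means accepted.
function checkClaims(claims: Claims, opts: VerifierOptions, nowSec: number): string[] {
  const failed: string[] = [];
  if (claims["iss"] !== expectedIssuer(opts.userPoolId)) failed.push("iss");
  if (claims["token_use"] !== opts.tokenUse) failed.push("token_use");
  // ID tokens name the app client in "aud", access tokens in "client_id".
  const clientClaim = opts.tokenUse === "id" ? "aud" : "client_id";
  if (claims[clientClaim] !== opts.clientId) failed.push(clientClaim);
  const exp = claims["exp"];
  if (typeof exp !== "number" || exp <= nowSec) failed.push("exp");
  return failed;
}

// Constructed sample values (not real identifiers).
const OPTS: VerifierOptions = {
  userPoolId: "us-east-1_EXAMPLE",
  clientId: "example-client-id",
  tokenUse: "id",
};
const NOW = 1700000000;
const ISS = expectedIssuer(OPTS.userPoolId);

const ID_TOKEN: Claims = {
  iss: ISS,
  token_use: "id",
  aud: "example-client-id",
  exp: NOW + 3600,
  email: "dog@example.com",
};
const ACCESS_TOKEN: Claims = {
  iss: ISS,
  token_use: "access",
  client_id: "example-client-id",
  exp: NOW + 3600,
};
const OTHER_POOL: Claims = { ...ID_TOKEN, iss: expectedIssuer("us-east-1_OTHER") };
const EXPIRED: Claims = { ...ID_TOKEN, exp: NOW - 1 };
```

With tokenUse set to "id", an otherwise valid access token from the same pool fails on both token_use and aud, which is why the configured token type has to match what clients actually send.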

Asynchronous Configuration

With CognitoModule.registerAsync you can import a ConfigModule and inject ConfigService to use it in the useFactory method. Alternatively, you can use useExisting or useClass. You can find more information about asynchronous configuration in the NestJS documentation.

import { CognitoAuthModule } from "@nestjs-cognito/auth";
import { Module } from "@nestjs/common";
import { ConfigModule, ConfigService } from "@nestjs/config";

@Module({
  imports: [
    CognitoAuthModule.registerAsync({
      imports: [ConfigModule],
      useFactory: async (configService: ConfigService) => ({
        jwtVerifier: {
          userPoolId: configService.get("COGNITO_USER_POOL_ID") as string,
          clientId: configService.get("COGNITO_CLIENT_ID"),
          tokenUse: "id",
        },
      }),
      inject: [ConfigService],
    }),
  ],
})
export class AppModule {}


Once the @nestjs-cognito/auth module is installed and configured, you can use the following decorators and guards to protect your controllers and routes.

Built-in Decorators and Guards

  • Use the @Authentication decorator or the @UseGuards(AuthenticationGuard) syntax to apply the AuthenticationGuard to a controller and ensure that the user is authenticated.
  • Use the @Authorization decorator or the @UseGuards(AuthorizationGuard) syntax to apply the AuthorizationGuard to a controller and ensure that the user is authorized.
  • Decorate method arguments with the @CognitoUser decorator to retrieve the payload information extracted from the JWT.

Note: During the authorization process, the authentication of the user is already checked, so there's no need to use the authentication guard or decorator.

In addition, you can find more details about @UseGuards decorator from the official NestJS documentation.


@Authentication Decorator

To configure the authentication, you'll need to use the @Authentication decorator. You can add the @Authentication decorator to controllers or routes:

import { Authentication } from "@nestjs-cognito/auth";
import { Controller } from "@nestjs/common";

@Controller("dogs")
@Authentication()
export class DogsController {
  // Your routes here
}


You can also use the AuthenticationGuard to secure individual routes or endpoints.

To use the AuthenticationGuard, you'll need to use the @UseGuards decorator:

import { AuthenticationGuard } from "@nestjs-cognito/auth";
import { Controller, UseGuards } from "@nestjs/common";

@Controller("dogs")
@UseGuards(AuthenticationGuard)
export class DogsController {
  // Your routes here
}

Examples of using authentication:

import { Authentication, AuthenticationGuard, CognitoUser } from "@nestjs-cognito/auth";
import { Controller, Get, UseGuards } from "@nestjs/common";
import { CognitoJwtPayload } from "aws-jwt-verify/jwt-model";

@Controller("dogs")
@Authentication()
export class DogsController {
  @Get()
  findAll(@CognitoUser("email") email: string): string {
    return "This action returns all my dogs";
  }
}

@Controller("cats")
@UseGuards(AuthenticationGuard)
export class CatsController {
  @Get()
  findAll(@CognitoUser(["groups", "email", "username"]) me): string {
    return "This action returns all my cats";
  }
}

// Alternatively, apply the guard or decorator to individual routes:
@Controller("dogs")
export class DogsController {
  @Get()
  @UseGuards(AuthenticationGuard)
  findAll(@CognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my dogs";
  }
}

@Controller("cats")
export class CatsController {
  @Get()
  @Authentication()
  findAll(@CognitoUser(["groups", "email", "username"]) me): string {
    return "This action returns all my cats";
  }
}


@Authorization Decorator

The @Authorization decorator can be used to secure an entire controller. You can specify the allowedGroups, requiredGroups, and/or prohibitedGroups for a given controller.

For example:

@Controller("dogs")
@Authorization({
  allowedGroups: ["user", "admin"],
  requiredGroups: ["moderator"],
  prohibitedGroups: ["visitor"],
})
export class DogsController {
  @Get()
  findAll(@CognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my dogs";
  }
}

You can also specify the allowedGroups as an array of strings:

@Controller("cats")
@Authorization(["user"]) // allowedGroups by default
export class CatsController {
  @Get()
  findAll(@CognitoUser("username") username: string): string {
    return "This action returns all my cats";
  }
}


The AuthorizationGuard can be used to secure a single route, allowing you to specify the allowedGroups, requiredGroups, and/or prohibitedGroups for a given endpoint.

For example:

@Controller("cats")
@UseGuards(AuthorizationGuard({
  allowedGroups: ["user", "admin"],
  requiredGroups: ["moderator"],
  prohibitedGroups: ["visitor"],
}))
export class CatsController {
  @Get()
  findAll(@CognitoUser("email") email: string): string {
    return "This action returns all my cats";
  }
}

You can also use the AuthorizationGuard directly on a route:

@Controller("cats")
export class CatsController {
  @Get()
  @UseGuards(AuthorizationGuard(["user", "admin"]))
  findAll(@CognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my cats";
  }
}

Examples of using authorization:

import {
  Authorization,
  AuthorizationGuard,
  CognitoUser,
} from "@nestjs-cognito/auth";
import { Controller, Get, UseGuards } from "@nestjs/common";
import { CognitoJwtPayload } from "aws-jwt-verify/jwt-model";

// Decorator with the full options object
@Controller("dogs")
@Authorization({
  allowedGroups: ["user", "admin"],
  requiredGroups: ["moderator"],
  prohibitedGroups: ["visitor"],
})
export class DogsController {
  @Get()
  findAll(@CognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my dogs";
  }
}

// Decorator with the array shorthand
@Controller("cats")
@Authorization(["user"]) // allowedGroups by default
export class CatsController {
  @Get()
  findAll(@CognitoUser("username") username: string): string {
    return "This action returns all my cats";
  }
}

// Guard with the full options object
@Controller("cats")
@UseGuards(AuthorizationGuard({
  allowedGroups: ["user", "admin"],
  requiredGroups: ["moderator"],
  prohibitedGroups: ["visitor"],
}))
export class CatsController {
  @Get()
  findAll(@CognitoUser("email") email: string): string {
    return "This action returns all my cats";
  }
}

// Guard applied to a single route
@Controller("cats")
export class CatsController {
  @Get()
  @UseGuards(AuthorizationGuard(["user", "admin"]))
  findAll(@CognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my cats";
  }
}


To retrieve the cognito user from an incoming request, you'll need to use the @CognitoUser decorator. You can use the decorator to inject the entire CognitoJwtPayload object or specific properties from the payload, such as the username or email. Note that the cognito: namespace is automatically managed, so you don't need to include it when accessing properties such as cognito:username or cognito:groups.

It's important to note that this decorator must be used in conjunction with an authentication guard, such as Authentication or Authorization.

For example:

@Authentication()
export class YourController {
  @Get()
  findAll(@CognitoUser() cognitoJwtPayload: CognitoJwtPayload): string {
    return "This action returns all the data";
  }
}

Optional property name

You can specify the name of the property to inject the user into by passing a string as an argument.

import { Authentication, CognitoUser } from "@nestjs-cognito/auth";

@Controller()
@Authentication()
export class YourController {
  @Get()
  getData(@CognitoUser("email") email: string): any {
    // Use the `email` string
  }
}

Multiple properties

You can extract multiple properties from the cognito user by passing an array of strings.

import { Authentication, CognitoUser } from "@nestjs-cognito/auth";
import { Controller, Get } from "@nestjs/common";

@Controller()
@Authentication()
export class YourController {
  @Get()
  getData(
    @CognitoUser(["groups", "email", "username"])
    { groups, email, username }: {
      groups: string[];
      email: string;
      username: string;
    }
  ): any {
    // Use the `groups` and/or `username` and `email` strings
  }
}
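
How the group rules and the @CognitoUser property lookup fit together, as an added example that is not the package's own code. It assumes allowedGroups means membership in at least one listed group, requiredGroups in all of them and prohibitedGroups in none; the function names and sample payloads are constructed for illustration.

```typescript
// Added example, not the package's source. Assumed semantics (from the option
// names): allowedGroups = member of at least one, requiredGroups = member of
// all, prohibitedGroups = member of none.

type Payload = Record<string, unknown>;

interface GroupRules {
  allowedGroups?: string[];
  requiredGroups?: string[];
  prohibitedGroups?: string[];
}

// Look up a property with the "cognito:" namespace handled for the caller.
// This example prefers the namespaced claim, which Cognito itself sets.
function claim(payload: Payload, name: string): unknown {
  const namespaced = payload[`cognito:${name}`];
  return namespaced !== undefined ? namespaced : payload[name];
}

// Counterpart of passing an array of property names to @CognitoUser.
function pickClaims(payload: Payload, names: string[]): Record<string, unknown> {
  const picked: Record<string, unknown> = {};
  for (const name of names) picked[name] = claim(payload, name);
  return picked;
}

// A missing or malformed groups claim yields no groups (fail closed).
function groupsOf(payload: Payload): string[] {
  const raw = claim(payload, "groups");
  if (!Array.isArray(raw)) return [];
  return raw.filter((g): g is string => typeof g === "string");
}

// An array argument is shorthand for allowedGroups, as on the page.
function isAuthorized(payload: Payload, rules: GroupRules | string[]): boolean {
  const r: GroupRules = Array.isArray(rules) ? { allowedGroups: rules } : rules;
  const mine = new Set(groupsOf(payload));
  const has = (g: string): boolean => mine.has(g);
  if (r.prohibitedGroups && r.prohibitedGroups.some(has)) return false;
  if (r.requiredGroups && !r.requiredGroups.every(has)) return false;
  if (r.allowedGroups && !r.allowedGroups.some(has)) return false;
  return true;
}

// The rule set from the page's examples, with constructed payloads.
const RULES: GroupRules = {
  allowedGroups: ["user", "admin"],
  requiredGroups: ["moderator"],
  prohibitedGroups: ["visitor"],
};
const MODERATOR_ADMIN: Payload = {
  "cognito:username": "alice",
  email: "alice@example.com",
  "cognito:groups": ["admin", "moderator"],
};
const PLAIN_USER: Payload = { "cognito:username": "bob", "cognito:groups": ["user"] };
const VISITING_MOD: Payload = { "cognito:groups": ["user", "moderator", "visitor"] };
const NO_GROUPS: Payload = { "cognito:username": "carol" };
```

Under these rules only MODERATOR_ADMIN passes: PLAIN_USER lacks the required group, VISITING_MOD is in a prohibited one, and NO_GROUPS has no group claim at all.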


@nestjs-cognito/auth is MIT licensed.



This package is a complement to @nestjs-cognito/auth and adds GraphQL support for Amazon Cognito authentication and authorization. It does not expose a CognitoGraphqlModule.

This package includes a GraphQL middleware that provides the authenticated user information in the GraphQL context. The middleware checks the presence of an Authorization header in the request and verifies the token with aws-jwt-verify. If the token is valid, the middleware adds the user information to the context.

In addition to the middleware, this package also includes guards (AuthenticationGuard and AuthorizationGuard) and decorators (GqlCognitoUser, GqlAuthentication and GqlAuthorization) that can be used to restrict access to certain resolvers based on the user's authentication status or role. It's recommended to use the decorators instead of guards coupled with UseGuards NestJS decorator.


To install the library, use npm:

npm install @nestjs-cognito/graphql


To use this package, you need to configure the @nestjs-cognito/auth module. Once the authentication module is configured, you can use the following exports from this package to handle Cognito authentication and authorization in your GraphQL resolvers.


This is a GraphQL middleware that provides the authenticated user information in the GraphQL context. The middleware checks the presence of an Authorization header in the request and verifies the token with Amazon Cognito. If the token is valid, the middleware adds the user information to the context.

import { GqlAuthentication } from "@nestjs-cognito/graphql";

@Resolver()
export class MyResolver {
  @Query(() => String)
  @GqlAuthentication()
  public async myQuery() {
    // Only authenticated user can access this resolver
  }
}

Examples of using authentication:

import { UseGuards } from "@nestjs/common";
import { Query, Resolver } from "@nestjs/graphql";
import {
  AuthenticationGuard,
  GqlAuthentication,
  GqlCognitoUser,
} from "@nestjs-cognito/graphql";
import { CognitoJwtPayload } from "aws-jwt-verify/jwt-model";

// Whole resolver protected with the decorator
@Resolver("dogs")
@GqlAuthentication()
export class DogsResolver {
  @Query(() => String)
  findAll(@GqlCognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my dogs";
  }
}

// Whole resolver protected with the guard
@Resolver("cats")
@UseGuards(AuthenticationGuard)
export class CatsResolver {
  @Query(() => String)
  findAll(@GqlCognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my cats";
  }
}

// Guard applied to a single query
@Resolver("dogs")
export class DogsResolver {
  @Query(() => String)
  @UseGuards(AuthenticationGuard)
  findAll(@GqlCognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my dogs";
  }
}


This is a decorator that can be used to enforce authorization rules in your GraphQL resolvers. The decorator takes a list of authorized groups and checks if the authenticated user is a member of any of the groups. If the user is not a member of any of the groups, an error is thrown.

import { GqlAuthorization } from "@nestjs-cognito/graphql";

@Resolver()
export class MyResolver {
  @Query(() => String)
  @GqlAuthorization(["group1", "group2"])
  public async myQuery() {
    // only users in group1 or group2 can access this resolver
  }
}

Examples of using authorization:

import { UseGuards } from "@nestjs/common";
import { Query, Resolver } from "@nestjs/graphql";
import {
  AuthorizationGuard,
  GqlAuthorization,
  GqlCognitoUser,
} from "@nestjs-cognito/graphql";
import { CognitoJwtPayload } from "aws-jwt-verify/jwt-model";

// Decorator with the full options object
@Resolver("dogs")
@GqlAuthorization({
  allowedGroups: ["user", "admin"],
  requiredGroups: ["moderator"],
  prohibitedGroups: ["visitor"],
})
export class DogsResolver {
  @Query(() => String)
  findAll(@GqlCognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my dogs";
  }
}

// Decorator with the array shorthand
@Resolver("cats")
@GqlAuthorization(["user"]) // allowedGroups by default
export class CatsResolver {
  @Query(() => String)
  findAll(@GqlCognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my cats";
  }
}

// Guard with the full options object
@Resolver("cats")
@UseGuards(
  AuthorizationGuard({
    allowedGroups: ["user", "admin"],
    requiredGroups: ["moderator"],
    prohibitedGroups: ["visitor"],
  })
)
export class CatsResolver {
  @Query(() => String)
  findAll(@GqlCognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my cats";
  }
}

// Guard applied to a single query
@Resolver("cats")
export class CatsResolver {
  @Query(() => String)
  @UseGuards(AuthorizationGuard(["user", "admin"]))
  findAll(@GqlCognitoUser() me: CognitoJwtPayload): string {
    return "This action returns all my cats";
  }
}


This is a decorator that can be used in your GraphQL resolvers to access the authenticated user information from the context.

import { GqlAuthentication, GqlCognitoUser } from "@nestjs-cognito/graphql";
import { CognitoJwtPayload } from "aws-jwt-verify/jwt-model";

@Resolver()
export class MyResolver {
  @Query(() => String)
  @GqlAuthentication()
  public async myQuery(@GqlCognitoUser() user: CognitoJwtPayload) {
    // user information from Cognito
  }
}

For a complete example of how to use these guards and decorators, you can check out the @nestjs-cognito/auth package.


@nestjs-cognito/graphql is MIT licensed.



This module is a solution for NestJS which facilitates the integration with Amazon Cognito for end-to-end and integration testing purposes. It includes a module, a controller, and a service that simplify testing your authentication and authorization code based on Amazon Cognito.


npm install @nestjs-cognito/testing



To use the CognitoTestingModule, you will need to import it and use either the register or registerAsync method to set up its dependencies:

@Module({
  imports: [
    CognitoTestingModule.register({
      identityProvider: { region: "eu-west-1" },
    }),
  ],
})
export class AppModule {}


The CognitoTestingController is a simple controller that accepts a username and password and returns an access token. The code is shown below:

Controller Source Code
import { Body, Controller, Post } from "@nestjs/common";
import { CognitoTestingService } from "@nestjs-cognito/testing";

@Controller()
export class CognitoTestingController {
  constructor(private readonly authService: CognitoTestingService) {}

  @Post("cognito-testing-login")
  login(@Body() body: Record<string, string>) {
    return this.authService.getAccessToken(
      {
        username: body.username,
        password: body.password,
      },
      body.clientId
    );
  }
}

The CognitoTestingService is a service that uses the CognitoIdentityProvider client to get an access token. To call the method cognito-testing-login, you need to pass the following information in the request body:

  • username: The username of the test user
  • password: The password of the test user
  • clientId: Required for using the initiateAuth method provided by @aws-sdk/client-cognito-identity-provider.

Example using Jest and Pactum

import { CognitoTestingModule } from "@nestjs-cognito/testing";
import { INestApplication } from "@nestjs/common";
import { ConfigModule, ConfigService } from "@nestjs/config";
import { Test } from "@nestjs/testing";
import { request, spec } from "pactum";

describe("Cognito Module : Testing", () => {
  let app: INestApplication;
  let config: ConfigService;

  beforeAll(async () => {
    const moduleFixture = await Test.createTestingModule({
      imports: [
        CognitoTestingModule.register({
          identityProvider: {
            region: "eu-west-1",
          },
        }),
        ConfigModule.forRoot(),
      ],
    }).compile();

    app = moduleFixture.createNestApplication();
    config = moduleFixture.get<ConfigService>(ConfigService);

    await app.listen(0);
    const url = (await app.getUrl()).replace("[::1]", "localhost");
    request.setBaseUrl(url);
  });

  afterAll(async () => {
    await app.close();
  });

  describe("authentication", () => {
    it("should be able to access the private route", async () => {
      // Log in as the test user and keep the returned access token
      await spec()
        .post("/cognito-testing-login")
        .withBody({
          username: config.get("COGNITO_USER_EMAIL"),
          password: config.get("COGNITO_USER_PASSWORD"),
          clientId: config.get("COGNITO_CLIENT_ID"),
        })
        .expectStatus(201)
        .stores("token", "AccessToken");
      // "/private" stands for a guarded route of the application under test
      await spec()
        .get("/private")
        .withHeaders("Authorization", "Bearer $S{token}")
        .expectStatus(200);
    });
  });
});


@nestjs-cognito/testing is MIT licensed.


@nestjs-cognito is MIT licensed.

