
Amazon API Gateway Pinpoint OTP Demo

This application demonstrates how you can leverage Amazon Pinpoint's One Time Password (OTP) feature to authenticate Amazon API Gateway requests. It uses a Lambda Authorizer to authenticate incoming requests, and calls the SendOTPMessage and VerifyOTPMessage APIs in Amazon Pinpoint to send and validate OTPs and to exchange a successful verification for an API key.

Architecture Diagram

NOTE: This application is a demo, intended to help you validate ideas and perform a proof-of-concept. It is not meant for production deployments as is.

Requirements

  • AWS Serverless Application Model (AWS SAM) Command Line Interface (CLI) to deploy to your account. Instructions for installing and setting up SAM CLI can be found here.
  • Amazon Pinpoint project to send SMS OTP messages. Follow the instructions to configure your project.
  • If the SMS channel on Amazon Pinpoint is not enabled for your SenderID, leverage the SMS sandbox.
  • Replace the PINPOINT_APPLICATION_ID variable in the template file before deployment. This identifier is displayed as the Project ID on the Amazon Pinpoint console.
  • Optionally, replace the BRAND_NAME variable with a name of your choosing. It appears in the OTP SMS message.

Deployment

  • Once the above requirements are met, deploy the application using sam deploy --guided.
  • Optionally, you can browse to the AWS CloudFormation console to view the deployed resources in more detail.
  • Note down the Amazon API Gateway endpoint; it will be used to invoke the APIs in the next step.

Demo

  • Make a GET / call without passing any headers. It should return a 403 Forbidden error, because the Lambda Authorizer rejects requests that carry no valid token.
  • Next, call the POST /login API and pass the Phone header with the recipient phone number. You should receive the OTP code as an SMS.
  • Next, call the POST /verify API and pass the Phone and Otp headers. In the API response you should receive an API token.
  • Lastly, call the GET / API again and pass the Authorization header with the API token from the previous step. Your API call should return a 200 response.

Cleanup

  • Use sam delete to delete the application from your AWS account and avoid incurring additional charges.
  • Note: the above command does not delete any components that you created manually, such as the Amazon Pinpoint project.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.