aws-samples / amazon-api-gateway-pinpoint-otp-demo Goto Github PK

This application demonstrates how you can leverage Amazon Pinpoint's One Time Password (OTP) feature, to authenticate Amazon API Gateway requests. It uses a Lambda Authorizer to authenticate incoming requests, and calls the SendOTPMessage and VerifyOTPMessage APIs in Amazon Pinpoint to validate OTPs and exchange the verification for an API key.

NOTE: This application is a demo, intended to help you validate ideas and perform a proof-of-concept. It is not meant for production deployments as is.

• AWS Serverless Application Model (AWS SAM) Command Line Interface (CLI) to deploy to your account. Instructions for installing and setting up SAM CLI can be found here.
• Amazon Pinpoint project to send SMS OTP messages. Follow the instructions to configure your project.
• If the SMS channel on Amazon Pinpoint is not enabled for your SenderID, leverage the SMS sandbox.
• Replace the PINPOINT_APPLICATION_ID variables in the template file before deployment. This identifier is displayed as the Project ID on the Amazon Pinpoint console.
• Optionally, replace the BRAND_NAME variable with a name of your choosing.

• Once the above requirements are met, deploy the application using sam deploy --guided
• Optionally you can browse to the AWS CloudFormation console to view the resources in more detail
• Note down the Amazon API Gateway endpoint - it will be used to invoke the APIs in the next step.

• Make a GET /call without passing any headers. It should return with a 403 forbidden error.
• Next call the POST /login API and pass the Phone header with the recepient phone number. You should receive the OTP code as SMS.
• Next call the POST /verify API and pass the Phone and Otp headers. In the API response you should receive an API token.
• Lastly, call the GET / API again, and pass the Authorization header with the API token from previous step. You API call should return with a 200 response.

• Use sam delete to delete the application from your AWS account, and avoid incurring additional charges.
• Note: The above command does not delete any components that you create manually.

See CONTRIBUTING for more information.

This library is licensed under the MIT-0 License. See the LICENSE file.