
Kiro AWS Builder ID — Standalone Auth Backend

Kiro authentication backend extracted from 9router. It handles AWS Builder ID login, AWS IAM Identity Center, Social Login (Google/GitHub) and Token Import, then stores the resulting session in SQLite.

Installation

cd kiro-awsbuilder
npm install

Running

npm start
# The server runs at http://localhost:3200

The port can be changed via the PORT environment variable.

Authentication Methods

Method                          Description
AWS Builder ID                  Device Code Flow (default, free)
AWS IAM Identity Center (IDC)   Device Code Flow with a custom startUrl & region
Google / GitHub                 Social Login via PKCE + manual callback
Import Token                    Paste or auto-detect a refresh token from ~/.aws/sso/cache/

Usage

1. AWS Builder ID (Device Code Flow)

Standard OAuth Device Code Flow (RFC 8628). The server acts as an intermediary between the client and AWS SSO OIDC.

Step 1: Request a Device Code

curl http://localhost:3200/api/kiro/device-code

Response:

{
  "device_code": "AQUAAAAK...",
  "user_code": "XTLF-CQNW",
  "verification_uri": "https://device.sso.us-east-1.amazonaws.com/",
  "verification_uri_complete": "https://device.sso.us-east-1.amazonaws.com/?user_code=XTLF-CQNW",
  "expires_in": 600,
  "interval": 5,
  "_clientId": "...",
  "_clientSecret": "...",
  "_region": "us-east-1",
  "_authMethod": "builder-id",
  "_startUrl": "https://view.awsapps.com/start"
}

Step 2: User Opens the URL in a Browser

Open verification_uri_complete in a browser. The user is asked to sign in with their AWS Builder ID and to authorize the request.

Step 3: Poll for the Token

Until the user has finished authorizing, poll once per interval (default 5 seconds):

curl -X POST http://localhost:3200/api/kiro/poll \
  -H "Content-Type: application/json" \
  -d '{
    "deviceCode": "<device_code>",
    "extraData": {
      "_clientId": "<from step 1>",
      "_clientSecret": "<from step 1>",
      "_region": "us-east-1",
      "_authMethod": "builder-id",
      "_startUrl": "https://view.awsapps.com/start"
    }
  }'

Not yet authorized:

{ "success": false, "error": "authorization_pending", "pending": true }

Authorized:

{ "success": true, "session": { "id": "uuid", "email": "user@example.com" } }

Denied / expired:

{ "success": false, "error": "access_denied", "errorDescription": "..." }

Example Automation Script (Bash)

#!/bin/bash
BASE=http://localhost:3200

# Step 1: get the device code
DATA=$(curl -s "$BASE/api/kiro/device-code")
DEVICE_CODE=$(echo "$DATA" | jq -r '.device_code')
VERIFY_URL=$(echo "$DATA" | jq -r '.verification_uri_complete')
EXTRA=$(echo "$DATA" | jq -c '{_clientId, _clientSecret, _region, _authMethod, _startUrl}')
INTERVAL=$(echo "$DATA" | jq -r '.interval')

echo "Open this URL in a browser:"
echo "$VERIFY_URL"
echo ""
echo "Polling for token..."

# Step 2: poll until a token arrives (at most 60 attempts, INTERVAL seconds apart)
for i in $(seq 1 60); do
  sleep "$INTERVAL"
  RESULT=$(curl -s -X POST "$BASE/api/kiro/poll" \
    -H "Content-Type: application/json" \
    -d "{\"deviceCode\":\"$DEVICE_CODE\",\"extraData\":$EXTRA}")

  SUCCESS=$(echo "$RESULT" | jq -r '.success')
  if [ "$SUCCESS" = "true" ]; then
    echo "Success! Session:"
    echo "$RESULT" | jq .
    break
  fi

  PENDING=$(echo "$RESULT" | jq -r '.pending')
  if [ "$PENDING" = "true" ]; then
    echo "[$i] Waiting for authorization..."
  else
    # Any other answer (access_denied, expired token, ...) is terminal
    echo "Failed: $(echo "$RESULT" | jq -r '.error')"
    break
  fi
done
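The same Device Code Flow driven from Node.js, as an added example that is not part of the project. The HTTP transport is injected so the loop can be exercised without a live server; compared with the Bash script above it also honours the expires_in deadline and the RFC 8628 slow_down back-off (the assumption being that the backend passes that error code through unchanged).

```javascript
// Added example, not part of the project: drive /api/kiro/device-code and /api/kiro/poll.
// `http(url, options)` is an injected async function returning parsed JSON, so the
// loop can run against a fake transport; pass `fetchJson` for the real server.
const BASE = "http://localhost:3200";

// Map one /api/kiro/poll response to a next action. Shapes are the ones shown above;
// "slow_down" (RFC 8628 section 3.5) assumes the backend passes that error through.
function classifyPoll(res) {
  if (res.success) return { action: "done", session: res.session };
  if (res.pending || res.error === "authorization_pending") return { action: "wait", backoff: 0 };
  if (res.error === "slow_down") return { action: "wait", backoff: 5 };
  return { action: "fail", error: res.error, description: res.errorDescription };
}

async function runDeviceFlow(http, opts = {}) {
  const sleep = opts.sleep || ((s) => new Promise((r) => setTimeout(r, s * 1000)));
  const now = opts.now || Date.now;
  const dc = await http(`${BASE}/api/kiro/device-code`);
  // The underscore-prefixed fields are opaque per-flow state the backend needs back on each poll.
  const extraData = {
    _clientId: dc._clientId, _clientSecret: dc._clientSecret, _region: dc._region,
    _authMethod: dc._authMethod, _startUrl: dc._startUrl,
  };
  console.log(`Open this URL in a browser: ${dc.verification_uri_complete}`);
  const deadline = now() + dc.expires_in * 1000; // the device code is dead after expires_in
  let interval = dc.interval || 5;
  while (now() < deadline) {
    await sleep(interval);
    const res = await http(`${BASE}/api/kiro/poll`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ deviceCode: dc.device_code, extraData }),
    });
    const next = classifyPoll(res);
    if (next.action === "done") return next.session;
    if (next.action === "fail") throw new Error(`${next.error}: ${next.description || ""}`);
    interval += next.backoff; // slow_down: wait 5 s longer between polls, as RFC 8628 requires
  }
  throw new Error("expired_token: the user did not authorize within expires_in");
}

// Real transport for Node 18+ (global fetch).
async function fetchJson(url, options) {
  const r = await fetch(url, options);
  return r.json();
}
```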

2. AWS IAM Identity Center (IDC)

Same as Builder ID, but with extra parameters:

curl "http://localhost:3200/api/kiro/device-code?start_url=https://your-org.awsapps.com/start&region=ap-southeast-1&auth_method=idc"

Continue polling exactly as for Builder ID.

3. Import Token

Auto-Detect from the AWS SSO Cache

Reads ~/.aws/sso/cache/ looking for a Kiro token:

curl http://localhost:3200/api/kiro/auto-import
{
  "found": true,
  "refreshToken": "aorAAAAAG...",
  "source": "kiro-auth-token.json"
}

Manual Import

Paste the refresh token directly:

curl -X POST http://localhost:3200/api/kiro/import \
  -H "Content-Type: application/json" \
  -d '{"refreshToken": "aorAAAAAG..."}'

4. Social Login (Google/GitHub)

Note: Social login requires a manual callback because the redirect URL uses the custom kiro:// protocol.

Step 1: Generate the Auth URL

curl "http://localhost:3200/api/kiro/social-authorize?provider=google"
{
  "authUrl": "https://prod.us-east-1.auth.desktop.kiro.dev/login?idp=Google&...",
  "state": "...",
  "codeVerifier": "...",
  "provider": "google"
}

Step 2: User Signs In in the Browser

Open authUrl in a browser. After signing in, the browser redirects to kiro://kiro.kiroAgent/authenticate-success?code=XXX&state=YYY. Copy the full URL from the address bar.

Step 3: Exchange Code

curl -X POST http://localhost:3200/api/kiro/social-exchange \
  -H "Content-Type: application/json" \
  -d '{
    "code": "<from the callback URL>",
    "codeVerifier": "<from step 1>",
    "provider": "google"
  }'

Session Management

List All Sessions

curl http://localhost:3200/api/sessions

Session Detail (auto-refreshes the token if it is about to expire)

curl http://localhost:3200/api/sessions/<session_id>

Delete a Session

curl -X DELETE http://localhost:3200/api/sessions/<session_id>

Health Check

curl http://localhost:3200/health

Project Structure

kiro-awsbuilder/
├── package.json
└── src/
    ├── server.js                  # Express server entry point
    ├── oauth/
    │   ├── config.js              # KIRO_CONFIG (AWS endpoints, scopes)
    │   ├── pkce.js                # PKCE generator
    │   ├── kiroService.js         # KiroService class
    │   ├── deviceFlow.js          # Device Code Flow logic
    │   └── tokenRefresh.js        # Token refresh (proactive)
    ├── db/
    │   ├── schema.js              # SQLite schema (kiro_sessions)
    │   ├── jsonCol.js             # JSON helpers
    │   └── sessions.js            # Session CRUD + dedup by email
    └── routes/
        ├── oauth.js               # /api/kiro/*
        └── sessions.js            # /api/sessions/*

API Endpoints

Method  Endpoint                    Body / Params                      Description
GET     /api/kiro/device-code       ?start_url=&region=&auth_method=   Request a device code
POST    /api/kiro/poll              { deviceCode, extraData }          Poll for the token
GET     /api/kiro/auto-import                                          Auto-detect a token from ~/.aws/sso/cache/
POST    /api/kiro/import            { refreshToken }                   Import a refresh token manually
GET     /api/kiro/social-authorize  ?provider=google|github            Generate the social login URL
POST    /api/kiro/social-exchange   { code, codeVerifier, provider }   Exchange the social auth code
GET     /api/sessions                                                  List all active sessions
GET     /api/sessions/:id                                              Session detail (auto-refreshes the token)
DELETE  /api/sessions/:id                                              Delete a session
GET     /health                                                        Health check

Data Storage

Sessions are stored in SQLite (data/data.sqlite) with the following schema:

Field                  Description
id                     UUID primary key
email                  Email taken from the JWT
accessToken            JWT access token
refreshToken           Refresh token
expiresAt              ISO timestamp of expiry
authMethod             builder-id, idc, google, github, imported
providerSpecificData   JSON (clientId, clientSecret, region, startUrl)
isActive               Active status

Automatic dedup: logging in again with the same email updates the existing session instead of creating a new one.