DEV Community: Sam Lindstrom The latest articles on DEV Community by Sam Lindstrom (@slamflipstrom). https://dev.to/slamflipstrom https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F338531%2F6dae18bb-3ad9-4f82-9512-d7e1fa0b98c0.jpeg DEV Community: Sam Lindstrom https://dev.to/slamflipstrom en Remix Authentication with Amazon Cognito Sam Lindstrom Wed, 17 Jul 2024 22:24:06 +0000 https://dev.to/slamflipstrom/remix-authentication-with-amazon-cognito-ool https://dev.to/slamflipstrom/remix-authentication-with-amazon-cognito-ool <h2> Introduction </h2> <p><a href="https://remix.run/" rel="noopener noreferrer">Remix</a> is a powerful React-based web framework, and it offers a lot of benefits to developers and users alike. There are trade-offs of course, and the framework's small ecosystem and philosophy of remaining unopinionated can make it difficult to know where to turn when implementing features like authentication within the context of server-side rendering (SSR). I've had the pleasure of using Remix at two separate jobs and I'm happy to say that there are good strategies for navigating these challenges.</p> <h2> The Problem </h2> <p>Many guides for integrating Amazon's Cognito service recommend using AWS's Amplify <a href="https://aws.amazon.com/amplify/" rel="noopener noreferrer">library</a>. While Amplify works well for the traditional, client-side rendered single-page application (SPA), it doesn't yet support newer SSR paradigms. At the time of this writing, AWS Amplify doesn't support SSR in Remix <a href="https://github.com/aws-amplify/amplify-js/issues/9362" rel="noopener noreferrer">source</a>, though Amplify's Hosting service recently <a href="https://docs.aws.amazon.com/amplify/latest/userguide/ssr-Amplify-support.html" rel="noopener noreferrer">added support</a> for SSR in Next versions 12 and greater. While you can use Amplify's React SDK in your Remix application on the client, you will be losing some of the benefits of SSR.</p> <h2> TLDR </h2> <p>Use Remix-Auth and the OAuth2 strategy to set up an Authenticator instance with our Amazon Cognito User Pool and App Client information. This Authenticator instance will help us manage the granting, storing, and revocation of session tokens stored in HTTP cookies, enabling users to login to our application using a Cognito hosted UI.</p> <h2> The Solution </h2> <p>Utilizing Amazon Cognito's hosted UI, we can leverage existing libraries to implement custom handlers in Remix while retaining the advantages of SSR.</p> <h3> Cognito </h3> <h4> User Pool </h4> <p>In the AWS console UI, navigate to Amazon Cognito and select "User pools". <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html" rel="noopener noreferrer">Create one</a> if you don't already have an existing user pool to use. There are many configuration options for setting up a user pool so you'll have to assess what's right for you and your app. In this example, we're building an authentication process that doesn't currently support self-registration or MFA, so keep that in mind.</p> <p>Now that you have a user pool, select the "App Integration" option in the AWS console and look for "Cognito Domain". Copy this value and store it in your .env file. I stored it as <code>COGNITO_USER_POOL_URL</code> in the code below.</p> <h4> App Client </h4> <p>Next, we'll need an app client for our hosted UI. If you don't already have one, follow <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-app-integration.html" rel="noopener noreferrer">these instructions</a> to set one up. Ignore the step that tells you not to generate a client secret. We will need a client secret here so be sure to generate it.</p> <p>Once you've created the app client, store the client id and client secret in your .env as well. The last thing we'll need is the client callback url. This should've been something you set up when you created the app client. You can access this information after creation by selecting Edit on your hosted UI. Look for the section "Allowed callback URLs" in the Edit screen.</p> <p>Now that we have all of that information. Here's how it looks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>COGNITO_USER_POOL_URL="https://samlindstrom.auth.us-west-2.amazoncognito.com" COGNITO_APP_CLIENT_ID="&lt;INSERT YOUR ID&gt;" COGNITO_APP_CLIENT_SECRET="&lt;INSERT YOUR SECRET&gt;" COGNITO_APP_CLIENT_CALLBACK_URL="http://localhost:3000/auth/callback" </code></pre> </div> <p>Note: Variables that include URLs as a reference back to our Remix application should be conditionally set based on the environment. Example: we wouldn't want the above <code>COGNITO_APP_CLIENT_CALLBACK_URL</code> set as localhost domain in a production environment. Instead, we'd want to do something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">COGNITO_APP_CLIENT_CALLBACK_URL</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="o">&lt;</span><span class="nx">YOUR</span> <span class="nx">PROD</span> <span class="nx">DOMAIN</span><span class="o">&gt;</span><span class="p">}</span><span class="s2">/auth/callback`</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:3000/auth/callback</span><span class="dl">"</span> </code></pre> </div> <h3> Remix Auth </h3> <p>Once our Cognito configuration details are retrieved and stored, we'll want to begin implementing our Authenticator instance. The library we'll use to make this process simple is the excellent <a href="https://github.com/sergiodxa/remix-auth" rel="noopener noreferrer">Remix-Auth</a> from Sergio Xalambrí. Remix Auth offers <a href="https://github.com/sergiodxa/remix-auth/discussions/111" rel="noopener noreferrer">numerous strategies</a> for handling authentication in a Remix application. We'll be using the OAuth2 <a href="https://github.com/sergiodxa/remix-auth-oauth2" rel="noopener noreferrer">strategy</a> here.</p> <h4> Adding the OAuth2 Strategy </h4> <ol> <li>Install Remix Auth</li> <li>Establish Session Storage</li> <li>Create an authenticator instance in your Remix application (<code>auth.server.ts</code> in our case)</li> <li>Create callback, login, and logout routes</li> <li>Configure Cognito</li> </ol> <h5> Installation </h5> <p><code>npm add remix-auth-oauth2</code> or equivalent command in your package manager or choice.</p> <h5> Session Storage </h5> <p>First, let's start by setting up our session storage object in Remix. There are [numerous techniques]( for managing user session storage in Remix, but we'll be using cookie-based sessions today. See the Remix <a href="https://remix.run/docs/en/1.19.3/utils/sessions" rel="noopener noreferrer">sessions docs</a> if you'd like more information.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/session.server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createCookieSessionStorage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@remix-run/node</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// create the cookie-based session storage and export it</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">sessionStorage</span> <span class="o">=</span> <span class="nf">createCookieSessionStorage</span><span class="p">({</span> <span class="na">cookie</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">_session</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Cookie Name: any name will do here</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lax</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Helps with CSRF protection </span> <span class="na">path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Remember to add this so the cookie will be available on all routes</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// For security reasons, make this cookie http only so that it's inaccessible to JavaScript</span> <span class="na">secrets</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">secret-value</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// Replace this with an actual strong secret</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// enable this in prod only</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Export session methods for use in other parts of the application</span> <span class="k">export</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">getSession</span><span class="p">,</span> <span class="nx">commitSession</span><span class="p">,</span> <span class="nx">destroySession</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">sessionStorage</span><span class="p">;</span> </code></pre> </div> <h5> Create Authenticator Instance </h5> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/auth.server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@remix-run/node</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">JwtPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwt-decode</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwtDecode</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jwt-decode</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Authenticator</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">remix-auth</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">OAuth2Strategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">remix-auth-oauth2</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sessionStorage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../session.server</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">COGNITO_APP_CLIENT_CALLBACK_URL</span><span class="p">,</span> <span class="nx">COGNITO_USER_POOL_URL</span><span class="p">,</span> <span class="nx">COGNITO_APP_CLIENT_ID</span> <span class="o">=</span> <span class="dl">""</span><span class="p">,</span> <span class="nx">COGNITO_APP_CLIENT_SECRET</span> <span class="o">=</span> <span class="dl">""</span><span class="p">,</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">;</span> <span class="c1">// Define the type for authenticated user data</span> <span class="kd">type</span> <span class="nx">AuthenticatedUser</span> <span class="o">=</span> <span class="p">{</span> <span class="na">accessToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">tokenExpiry</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">name</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email_verified</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="c1">// Define the type for user info retrieved from Cognito</span> <span class="c1">// Derived from https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html</span> <span class="kd">type</span> <span class="nx">UserInfo</span> <span class="o">=</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email_verified</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">family_name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">given_name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">identities</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">[];</span> <span class="nl">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">preferred_username</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">sub</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">username</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="c1">// Define the type for decoded JWT token</span> <span class="kr">interface</span> <span class="nx">DecodedToken</span> <span class="kd">extends</span> <span class="nx">JwtPayload</span> <span class="p">{</span> <span class="nl">auth_time</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">username</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Initialize the authenticator with session storage</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authenticator</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Authenticator</span><span class="o">&lt;</span><span class="nx">AuthenticatedUser</span><span class="o">&gt;</span><span class="p">(</span> <span class="nx">sessionStorage</span> <span class="p">);</span> <span class="c1">// Configure OAuth2 strategy with Cognito details</span> <span class="kd">const</span> <span class="nx">OAuthStrategy</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OAuth2Strategy</span><span class="p">(</span> <span class="p">{</span> <span class="na">clientID</span><span class="p">:</span> <span class="nx">COGNITO_APP_CLIENT_ID</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">COGNITO_APP_CLIENT_SECRET</span><span class="p">,</span> <span class="na">callbackURL</span><span class="p">:</span> <span class="nx">COGNITO_APP_CLIENT_CALLBACK_URL</span> <span class="o">||</span> <span class="dl">""</span><span class="p">,</span> <span class="na">authorizationURL</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">COGNITO_USER_POOL_URL</span><span class="p">}</span><span class="s2">/oauth2/authorize`</span><span class="p">,</span> <span class="c1">// Read https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html</span> <span class="na">tokenURL</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">COGNITO_USER_POOL_URL</span><span class="p">}</span><span class="s2">/oauth2/token`</span><span class="p">,</span> <span class="c1">// Cognito token endpoint</span> <span class="na">useBasicAuthenticationHeader</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// defaults to false</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">accessToken</span> <span class="p">}):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AuthenticatedUser</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Decode the JWT token to get user details</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwtDecode</span><span class="o">&lt;</span><span class="nx">DecodedToken</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">accessToken</span><span class="p">);</span> <span class="c1">// Fetch user info from cognito and include in authenticator response</span> <span class="c1">// https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html</span> <span class="kd">let</span> <span class="nx">response</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">COGNITO_USER_POOL_URL</span><span class="p">}</span><span class="s2">/oauth2/userInfo`</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">ContentType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">There was a problem fetching user info: </span><span class="dl">"</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">info</span> <span class="o">=</span> <span class="nx">response</span> <span class="p">?</span> <span class="p">((</span><span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="k">as</span> <span class="nx">UserInfo</span><span class="p">)</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Return authenticated user details</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="na">tokenExpiry</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">exp</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">info</span><span class="p">?.</span><span class="nx">name</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">info</span><span class="p">?.</span><span class="nx">email</span><span class="p">,</span> <span class="na">email_verified</span><span class="p">:</span> <span class="nx">info</span><span class="p">?.</span><span class="nx">email_verified</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <h4> Set up routes in Remix App </h4> <p>Next we'll need to establish routes in our Remix application to handle logout and callback events.<br> To do this, we'll set up <a href="https://remix.run/docs/en/main/guides/resource-routes" rel="noopener noreferrer">resource routes</a> to facilitate communication between our Cognito hosted UI and our application.</p> <p>See Amazon's Hosted UI endpoint reference <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/hosted-UI-endpoints.html" rel="noopener noreferrer">doc</a> for more details.</p> <h5> Logout Resource Route </h5> <p>See Cognito <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html" rel="noopener noreferrer">documentation</a> for further reference.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/routes/auth.logout.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">ActionFunction</span><span class="p">,</span> <span class="nx">LoaderFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@remix-run/node</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@remix-run/node</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">destroySession</span><span class="p">,</span> <span class="nx">getSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../session.server</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">COGNITO_APP_CLIENT_ID</span> <span class="o">=</span> <span class="dl">''</span><span class="p">,</span> <span class="nx">COGNITO_USER_POOL_URL</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">;</span> <span class="c1">// Distinguish between dev and prod envs for your applications url</span> <span class="kd">const</span> <span class="nx">clientURL</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span> <span class="p">?</span> <span class="o">&lt;</span><span class="nx">YOUR_APP_DOMAIN</span><span class="o">&gt;</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:3000</span><span class="dl">"</span> <span class="kd">const</span> <span class="nx">handleLogout</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Get the current session</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSession</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Cookie</span><span class="dl">'</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">cognitoLogoutUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">COGNITO_USER_POOL_URL</span><span class="p">}</span><span class="s2">/logout`</span><span class="p">);</span> <span class="c1">// Set required parameters for Cognito logout URL</span> <span class="c1">// These values should correspond with configured settings in your app client</span> <span class="nx">cognitoLogoutUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="dl">'</span><span class="s1">client_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">COGNITO_APP_CLIENT_ID</span> <span class="p">);</span> <span class="nx">cognitoLogoutUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="dl">'</span><span class="s1">logout_uri</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">clientURL</span><span class="p">}</span><span class="s2">/auth/logout`</span> <span class="p">);</span> <span class="nx">cognitoLogoutUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">response_type</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">code</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Redirect to Cognito logout URL and destroy session</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="nx">cognitoLogoutUrl</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Set-Cookie</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nf">destroySession</span><span class="p">(</span><span class="nx">session</span><span class="p">)</span> <span class="p">}</span> <span class="p">});</span> <span class="p">};</span> <span class="c1">// Define loader and action functions for handling logout</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">loader</span><span class="p">:</span> <span class="nx">LoaderFunction</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">handleLogout</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">action</span><span class="p">:</span> <span class="nx">ActionFunction</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">handleLogout</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>Now you can add a logout button in your application which will invoke the above <code>loader</code>. We've also specified an <code>action</code> above in case the route receives a request that doesn't include an HTTP "GET" method.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Link</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@remix-run/react</span><span class="dl">'</span><span class="p">;</span> <span class="p">...</span> <span class="o">&lt;</span><span class="nx">Link</span> <span class="nx">to</span><span class="o">=</span><span class="dl">"</span><span class="s2">/auth/logout</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">button</span><span class="o">&gt;</span><span class="nx">Logout</span><span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span><span class="o">&lt;</span><span class="sr">/Link</span><span class="err">&gt; </span></code></pre> </div> <h5> Callback Resource Route </h5> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/routes/auth.callback.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">LoaderFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@remix-run/node</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@remix-run/node</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authenticator</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../auth.server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">commitSession</span><span class="p">,</span> <span class="nx">getSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../session.server</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">loader</span><span class="p">:</span> <span class="nx">LoaderFunction</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">authenticator</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="dl">"</span><span class="s2">oauth2</span><span class="dl">"</span><span class="p">,</span> <span class="nx">request</span><span class="p">);</span> <span class="c1">// Manually get the current session</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSession</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">Cookie</span><span class="dl">"</span><span class="p">));</span> <span class="c1">// Store authenticated user details in session</span> <span class="nx">session</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">authenticator</span><span class="p">.</span><span class="nx">sessionKey</span> <span class="k">as</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="nx">user</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">({</span> <span class="dl">"</span><span class="s2">Set-Cookie</span><span class="dl">"</span><span class="p">:</span> <span class="k">await</span> <span class="nf">commitSession</span><span class="p">(</span><span class="nx">session</span><span class="p">)</span> <span class="p">});</span> <span class="c1">// Redirect to the application root with updated session</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">headers</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <h5> Logout UI </h5> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Link</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@remix-run/react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">routes</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">~/routes</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LogoutPage</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">You</span> <span class="nx">have</span> <span class="nx">successfully</span> <span class="nx">logged</span> <span class="nx">out</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Link</span> <span class="nx">to</span><span class="o">=</span><span class="p">{</span><span class="nx">routes</span><span class="p">.</span><span class="nf">root</span><span class="p">()}</span><span class="o">&gt;</span><span class="nx">Go</span> <span class="nx">Home</span><span class="o">&lt;</span><span class="sr">/Link</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h5> Authenticate at Application Root </h5> <p>In your Remix app's root loader, you can now do the following<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/root.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">json</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">LoaderArgs</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@remix-run/node</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authenticator</span><span class="p">,</span> <span class="nx">checkTokenExpiry</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth.server</span><span class="dl">'</span><span class="p">;</span> <span class="p">...</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">loader</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">}:</span> <span class="nx">LoaderArgs</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">authenticator</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="dl">'</span><span class="s1">oauth2</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">);</span> <span class="c1">// Return authenticated user details as JSON</span> <span class="k">return</span> <span class="nf">json</span><span class="p">({</span> <span class="nx">user</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p>Alternatively, if you don't intend to authenticate at your application's root, you can avoid adding the <code>authenticate</code> call above and selectively add it to specific route loaders as a more targeted authentication approach. This is the approach you'll need to take if you intend to redirect a user back to a custom logout page.</p> <h6> What about our Login page? </h6> <p>Thankfully this is taken care of by Remix-Auth and our Cognito hosted UI. Upon visiting the application root, you should be redirected to the Cognito login form (hosted UI). If you already have a user set up in your user pool, login using those credentials otherwise set up a user in the AWS console and then login to test this new functionality. Once you successfully login, your application should now be able to access <code>user</code> details via the root loader.</p> <h4> Extra Credit </h4> <ul> <li>Create a function to check token expiration and invoke it at application root.</li> <li>Consider adding type safety to your session storage objects using Sergio's <a href="https://github.com/sergiodxa/remix-utils#typed-sessions" rel="noopener noreferrer">remix-utils library</a>.</li> </ul>