AWS - Confirm User Cognito - amazon-web-services

I'm trying to register a user in a Cognito UserPool but I'm having issue with the Pre-signup trigger.
I've configured a lambda like in the docs example
exports.handler = (event, context, callback) => {
event.response.autoConfirmUser=true;
callback(null, event);
};
Using CloudWatch logs I can see that the autoConfirmUser attribute is correctly set to true, but the user isn't confirmed.
Here is the account in the UserPool:
Any idea how to fix this ?

Are you calling
context.done(error, event);
like in the examples provided?

Related

AWS amplify cognito accessing pubsub with AccessToken, IdToken and RefreshToken

I am using AWS amplify with Angular and I followed the instructions to setup Amplify, add backend and then auth.
I also created a user in cognito pool and used it to login in my angular app. I am able to see AccessToken, IdToken and RefreshToken in the browser network tab. As per the guide I have to use these to obtain the pool tokens using which I can get temporary aws credentials to access aws services. I want to access pubsub to show messages being sent to aws iot_core.
But I was unable to find any information of how exactly we use these 3 tokens to access AWS resources..? Can anybody shed some light on this?
async signIn() {
Auth.signIn('xxxxx', 'xxxxx')
.then(user => {
if (user.challengeName === 'NEW_PASSWORD_REQUIRED') {
const { requiredAttributes } = user.challengeParam; // the array of required attributes,
e.g ['email', 'phone_number']
Auth.completeNewPassword(
user, // the Cognito User Object
'xxx', // the new password
// OPTIONAL, the required attributes
{
email: 'xxxx#example.com',
}
).then(user => {
// at this time the user is logged in if no MFA required
console.log(user);
}).catch(e => {
console.log(e);
});
} else {
console.log("Connecting to AWS IoT...")
//Apply plugin with configuration
Amplify.addPluggable(new AWSIoTProvider({
aws_pubsub_region: 'us-east',
aws_pubsub_endpoint: 'wss://xxxxx-ats.iot.us-east-1.amazonaws.com/mqtt',
}));
console.log("hello")
}
}).catch(e => {
console.log(e);
});
}
As per the Amplify docs on PubSub you have to:
Create IAM policies for AWS IoT
Attach your policy to your Amazon Cognito Identity
Allow the Amazon Cognito Authenticated Role to access IoT Services
https://docs.amplify.aws/lib/pubsub/getting-started/q/platform/js/#step-1-create-iam-policies-for-aws-iot

AWS cognito how to forgot password with lambda

I need implement logic for forgot password with aws lambda. I have cognito user pool with users and i need implement lambda for forgot password. How can i do it? Thanks in advance.
You can use AWS SDK to invoke the Cognito-forgot password from LAMBDA. you can refer to this documentation. You may have to provide the User pool Client and Username of the user along with the request.
Note: Your Lambda execution policy should have cognito-idp:ForgotPassword
Here is the Documentation for implementing with Nodejs.
const AWS = require('aws-sdk');
export.handler = async (event) => {
const params = {
ClientId: 'USER POOL CLIENT ID',
Username: 'USERNAME'
}
const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
const response = cognitoidentityserviceprovider.forgotPassword(params).promise();
return response;
}

Can I use the context param of lambda function for this?

I have 2 react native apps that are connected to a single aws backend. And I have deployed a post-confirmation lambda function so that I can save items (Users etc.) into the dynamo db storage. I want to know how do I adjust my lambda function so that If someone signup from the user side of my app it save an item in the user table of dynamo db and if someone signup from the driver side of the app it saves an item in the driver table of dynamo db. Can I use context param to check whether from which side of the app someone is signing up?
You can use clientMetaData to pass parameters to the PostConfirmation Lambda function.
await Auth.signUp({
username,
password,
clientMetadata: {
isDriver: false,
},
});
and in the PostConfirmation Lambda
const AWS = require("aws-sdk");
exports.handler = async (event, context, callback) => {
AWS.config.region = event.region;
// you can access like this
// event.request.clientMetadata.isDriver
context.succeed(event);
};

AWS Unrecognizable Lambda Output Cognito error

I recently started working with AWS. I have integrated AWS Amplify using cognito user pools for my user management(login&signup) and it went perfect(User pool gets updated whenever a new user registers). Now i have added an Cognito Post confirmation trigger to save the registered email into database and here is my trigger codevar mysql = require('mysql');
var config = require('./config.json');
var pool = mysql.createPool({
host : config.dbhost,
user : config.dbuser,
password : config.dbpassword,
database : config.dbname
});
exports.handler = (event, context, callback) => {
let inserts = [event.request.userAttributes.email];
context.callbackWaitsForEmptyEventLoop = false; //prevents duplicate entry
pool.getConnection(function(error, connection) {
connection.query({
sql: 'INSERT INTO users (Email) VALUES (?);',
timeout: 40000, // 40s
values: inserts
}, function (error, results, fields) {
// And done with the connection.
connection.release();
// Handle error after the release.
if (error) callback(error);
else callback(null, results);
});
});
};
whenever a user registers and confirms his email this trigger invokes and throws me this error
"Unrecognizable Lambda Output Cognito ". Even though it throws me this error in the background my DB is getting inserted with new registered email, but i am unable to redirect my page due to this. Any help will be appreciated. Thanks
Aravind
Short answer: Replace callback(null, results); to callback(null, event);
Reason: You have to return the result that Cognito will use it for continue the authentication workflow. In this case, this is event object.

AWS API Gateway / Cognito Userpools / Lambdas not able to pass caller credentials

I'm working on an AWS API Gateway implementation with a Lambda backend. I use the API Gateway integration with the Cognito Userpools (fairly new) instead of building a custom authorizer using Lambda (which was the recommended way before it was integrated).
I've created a proof of concept (javascript) that authenticates a user with Cognito and then makes a call to the API Gateway with those credentials. So, basically, the end call to the API Gateway is with the JWT token that I received from Cognito (result.idToken.jwtToken) in the Authorization header. This all works and I can validate that only with this token you can access the API.
All working fine, but now I want to get access to the Cognito identity in my Lambda; for instance the identy id or the name or email. I have read how to map all the parameters, but I'm actually just using the standard 'Method Request Passthrough' template in the integration request. I log all the parameters in the lambda and all the 'cognito' parameters are empty.
I've looked through many similar questions and they all propose to enable the 'Invoke with caller credentials' checkbox on the integration request. That makes perfect sense.
However, this checkbox can only be enabled if you are using AWS_IAM as authorization and not if you have selected your cognito UserPool. So it is just not possible to select it and is actually disabled.
Does anybody know what to do in this case? Is this still work in progress, or is there a reason why you can't enable this and get the cognito credentials in your Lambda?
Many thanks.
If you need to log the user information in your backend, you can use $context.authorizer.claims.sub and $context.authorizer.claims.email to get the sub and email for your Cognito user pool.
Here is the documentation about Use Amazon Cognito Your User Pool in API Gateway
For anyone else still struggling to obtain the IdentityId in a Lambda Function invoked via API-Gateway with a Cognito User Pool Authorizer, I finally was able to use the jwtToken passed into the Authorization header to get the IdentityId by using the following code in my JavaScript Lambda Function:
const IDENTITY_POOL_ID = "us-west-2:7y812k8a-1w26-8dk4-84iw-2kdi849sku72"
const USER_POOL_ID = "cognito-idp.us-west-2.amazonaws.com/us-west-2_an976DxVk"
const { CognitoIdentityClient } = require("#aws-sdk/client-cognito-identity");
const { fromCognitoIdentityPool } = require("#aws-sdk/credential-provider-cognito-identity");
exports.handler = async (event,context) => {
const cognitoidentity = new CognitoIdentityClient({
credentials: fromCognitoIdentityPool({
client: new CognitoIdentityClient(),
identityPoolId: IDENTITY_POOL_ID,
logins: {
[USER_POOL_ID]:event.headers.Authorization
}
}),
});
var credentials = await cognitoidentity.config.credentials()
var identity_ID = credentials.identityId
console.log( identity_ID)
const response = {
statusCode: 200,
headers: {
"Access-Control-Allow-Headers": "*",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods" : "OPTIONS,POST,GET,PUT"
},
body:JSON.stringify(identity_ID)
};
return response;
}
After a Cognito User has signed in to my application, I can use the Auth directive of aws-amplify and fetch() in my React-Native app to invoke the lambda function shown above by sending a request to my API-Gateway trigger (authenticated with a Cognito User Pool Authorizer) by calling the following code:
import { Auth } from 'aws-amplify';
var APIGatewayEndpointURL = 'https://5lstgsolr2.execute-api.us-west-2.amazonaws.com/default/-'
var response = {}
async function getIdentityId () {
var session = await Auth.currentSession()
var IdToken = await session.getIdToken()
var jwtToken = await IdToken.getJwtToken()
var payload = {}
await fetch(APIGatewayEndpointURL, {method:"POST", body:JSON.stringify(payload), headers:{Authorization:jwtToken}})
.then(async(result) => {
response = await result.json()
console.log(response)
})
}
More info on how to Authenticate using aws-amplify can be found here https://docs.amplify.aws/ui/auth/authenticator/q/framework/react-native/#using-withauthenticator-hoc