Cognito PreventUserExistenceErrors setting with UserMigration Lambda in Go

1

I am trying to use PreventUserExistenceErrors on a Cognito pool with a user migration Lambda trigger. Cognito documentation says:

With user migration Lambda trigger, Cognito will return a simulated response for non-existing users when an empty response was returned by the Lambda trigger.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

I don't know how to get this to work. I isolated this by setting up a pool and attaching a simple trigger which always returns an empty response (we're writing the triggers in Go on the project):

```go
package main

import (
	"fmt"

	"github.com/aws/aws-lambda-go/lambda"
)

// Handle ignores the incoming event and returns an "empty" result;
// every variant below still made Cognito report a migration exception.
func Handle(event interface{}) (interface{}, error) {
	fmt.Println("nil")
	// also tried:
	// return struct{}{}, nil
	// return "", nil
	return nil, nil
}

func main() {
	lambda.Start(func(event interface{}) (interface{}, error) {
		return Handle(event)
	})
}
```

I wrote a client to try to log in to the pool with a username that doesn't exist. With the PreventUserExistenceErrors enabled I expect the error to be the same as if the trigger was not attached to the pool:

```
Error executing "InitiateAuth" on "https://cognito-idp.eu-west-1.amazonaws.com"; AWS HTTP error: Client error: POST https://cognito-idp.eu-west-1.amazonaws.com resulted in a 400 Bad Request response:
{"__type":"NotAuthorizedException","message":"Incorrect username or password."}
```

But I get a different error that shows the trigger failed:

```
HTTP error: Client error: POST https://cognito-idp.eu-west-1.amazonaws.com resulted in a 400 Bad Request response:
{"__type":"UserNotFoundException","message":"Exception migrating user in app client 4i2oaatugssocd44d40kb55kni"}
```

I tried returning nil, empty string and empty struct and all three show the error from the trigger. What's the correct way to return "empty response" from Cognito Lambda trigger in Go?

Asked 4 years ago, 716 views
3 answers
1

The lambda contract is defined as JSON here:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html#cognito-user-pools-lambda-trigger-syntax-user-migration

Can you debug your lambda function to check if the response object as part of the contract is not set?

AWS
Answered 4 years ago
1

Setting just the Response field in the message returned from Lambda seems to work.

Answered 4 years ago
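What the answer above describes, written out as a complete UserMigration handler in Go. This is an added example, not code from the question or the answers: the event structs are an assumption that mirrors the documented JSON contract (the aws-lambda-go `events` package provides the real ones), and `legacyUsers` is constructed sample data standing in for the legacy user store.

```go
package main

import "crypto/subtle"

// Minimal mirror of the documented UserMigration JSON contract (an assumption
// for this example; aws-lambda-go's events.CognitoEventUserPoolsMigrateUser is
// the real equivalent).
type MigrateUserRequest struct {
	Password string `json:"password"`
}

type MigrateUserResponse struct {
	UserAttributes  map[string]string `json:"userAttributes,omitempty"`
	FinalUserStatus string            `json:"finalUserStatus,omitempty"`
	MessageAction   string            `json:"messageAction,omitempty"`
}

type MigrateUserEvent struct {
	TriggerSource string              `json:"triggerSource"`
	UserName      string              `json:"userName"`
	Request       MigrateUserRequest  `json:"request"`
	Response      MigrateUserResponse `json:"response"`
}

// legacyUsers stands in for the legacy store (constructed sample; a real store
// holds password hashes, not plaintext).
var legacyUsers = map[string]struct{ password, email string }{
	"alice": {"correct horse battery staple", "alice@example.com"},
}

// Handle fills Response only when the legacy user and password check out and
// otherwise returns the event with Response left empty. That empty Response,
// rather than a nil return or an error, is what lets Cognito send its
// simulated "Incorrect username or password." for unknown users.
func Handle(event MigrateUserEvent) (MigrateUserEvent, error) {
	u, ok := legacyUsers[event.UserName]
	if event.TriggerSource != "UserMigration_Authentication" || !ok ||
		subtle.ConstantTimeCompare([]byte(u.password), []byte(event.Request.Password)) != 1 {
		return event, nil // unknown user or bad password: empty response, no error
	}
	event.Response.UserAttributes = map[string]string{"email": u.email, "email_verified": "true"}
	event.Response.FinalUserStatus = "CONFIRMED"
	event.Response.MessageAction = "SUPPRESS"
	return event, nil
}
```

In a deployed trigger the entry point is `lambda.Start(Handle)`; returning an error from Handle is what produces the "Exception migrating user" response seen in the question.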
0

For anyone looking for this same concept with the preAuthentication lambda function (or perhaps even other Cognito functions) with the same setting "PreventUserExistenceErrors" enabled:

You will unfortunately need to modify your Lambda to exit early (or other preferred logic) such as what I do below at the very beginning of my preAuthentication entry point:

```typescript
import { Callback, Context, PreAuthenticationTriggerEvent } from "aws-lambda";

export const myPreAuthenticationFunctionName = async (
    event: PreAuthenticationTriggerEvent,
    context: Context,
    callback: Callback<PreAuthenticationTriggerEvent>
) => {
    // allows for using callbacks as finish/error-handlers
    context.callbackWaitsForEmptyEventLoop = false;

    // Earliest exit point: returns the event to Cognito if userNotFound so that
    // Cognito shows its own message for this event. (With the
    // "PreventUserExistenceErrors" setting enabled, the error is
    // 'NotAuthorizedException: Incorrect username or password.', which is desired.)
    const userNotFound = event.request.userNotFound;
    if (userNotFound) {
        console.info("User not found, returning event to Cognito handler.");
        return callback(null, event);
    }

    // ... the rest of the pre-authentication logic follows here
};
```
Answered 1 year ago
