Cognito PreventUserExistenceErrors setting with UserMigration Lambda in Go

1

I am trying to use PreventUserExistenceErrors on a Cognito pool with a user migration Lambda trigger. Cognito documentation says:

With user migration Lambda trigger, Cognito will return a simulated response for non existing users when an empty response was returned by the Lambda trigger.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

I don't know how to get this to work. I isolated this by setting up a pool and attaching a simple trigger which always returns an empty response (we're writing the triggers in Go on the project):

package main

import (
	"fmt"

	"github.com/aws/aws-lambda-go/lambda"
)

// Handle is the trigger entry point. Each variant below is an attempt at an
// "empty response"; the runtime serialises whatever is returned as JSON.
func Handle(event interface{}) (interface{}, error) {
	fmt.Println("nil")
	// also tried:
	// return struct{}{}, nil
	// return "", nil
	return nil, nil
}

func main() {
	lambda.Start(func(event interface{}) (interface{}, error) {
		return Handle(event)
	})
}

I wrote a client to try to log in to the pool with a username that doesn't exist. With the PreventUserExistenceErrors enabled I expect the error to be the same as if the trigger was not attached to the pool:

Error executing "InitiateAuth" on "https://cognito-idp.eu-west-1.amazonaws.com"; AWS HTTP error: Client error: POST https://cognito-idp.eu-west-1.amazonaws.com resulted in a 400 Bad Request response:
{"__type":"NotAuthorizedException","message":"Incorrect username or password."}
But I get a different error that shows the trigger failed:

HTTP error: Client error: POST https://cognito-idp.eu-west-1.amazonaws.com resulted in a 400 Bad Request response:
{"__type":"UserNotFoundException","message":"Exception migrating user in app client 4i2oaatugssocd44d40kb55kni"}
I tried returning nil, an empty string and an empty struct, and all three show the error from the trigger. What's the correct way to return an "empty response" from a Cognito Lambda trigger in Go?

asked 4 years ago · 700 views
3 Answers
1

The lambda contract is defined as JSON here:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html#cognito-user-pools-lambda-trigger-syntax-user-migration

Can you debug your lambda function to check if the response object as part of the contract is not set?

AWS
answered 4 years ago
1

Setting just the Response field in the message returned from Lambda seems to work.

answered 4 years ago
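The answer above is the whole fix, so here is what it looks like in Go. This is an added example written for this page, not code from the question or from AWS: it assumes a constructed in-memory legacy directory (`legacyUsers`) with SHA-256 password hashes, a constructed pool id, and the struct names `MigrateUserEvent`, `MigrateUserRequest` and `MigrateUserResponse` (the real `events.CognitoEventUserPoolsMigrateUser` type from aws-lambda-go has the same JSON shape). The point it demonstrates: returning the event with its `response` object still empty serialises as `"response":{}`, which Cognito accepts as the "empty response" from the documentation, while `return nil, nil` from an `interface{}` handler serialises as `null`, which is what produced the "Exception migrating user" error in the question. Unknown users and wrong passwords deliberately take the same empty-response path so the client cannot tell them apart.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// MigrateUserEvent mirrors the documented user-migration trigger JSON. Only the
// header fields this example needs are listed; github.com/aws/aws-lambda-go/events
// ships the full shape as CognitoEventUserPoolsMigrateUser.
type MigrateUserEvent struct {
	Version       string              `json:"version"`
	TriggerSource string              `json:"triggerSource"`
	UserPoolID    string              `json:"userPoolId"`
	UserName      string              `json:"userName"`
	Request       MigrateUserRequest  `json:"request"`
	Response      MigrateUserResponse `json:"response"`
}

type MigrateUserRequest struct {
	Password       string            `json:"password"`
	ValidationData map[string]string `json:"validationData,omitempty"`
	ClientMetadata map[string]string `json:"clientMetadata,omitempty"`
}

// Every field is omitempty so an untouched Response marshals as {} rather than
// a set of nulls. That {} is the "empty response" Cognito turns into its
// simulated "Incorrect username or password." when PreventUserExistenceErrors is on.
type MigrateUserResponse struct {
	UserAttributes         map[string]string `json:"userAttributes,omitempty"`
	FinalUserStatus        string            `json:"finalUserStatus,omitempty"`
	MessageAction          string            `json:"messageAction,omitempty"`
	DesiredDeliveryMediums []string          `json:"desiredDeliveryMediums,omitempty"`
	ForceAliasCreation     bool              `json:"forceAliasCreation,omitempty"`
}

// legacyRecord stands in for a row of the directory being migrated (constructed).
// Plain SHA-256 keeps the example dependency-free; a real legacy store would
// hold a salted, slow KDF output and the comparison would be done the same way.
type legacyRecord struct {
	Email        string
	PasswordHash string
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Constructed sample directory.
var legacyUsers = map[string]legacyRecord{
	"alice": {Email: "alice@example.com", PasswordHash: sha256Hex("correct horse battery staple")},
}

// MigrateUser has the func(ctx, TIn) (TOut, error) shape that lambda.Start from
// github.com/aws/aws-lambda-go/lambda accepts, so deploying it is lambda.Start(MigrateUser).
func MigrateUser(ctx context.Context, event MigrateUserEvent) (MigrateUserEvent, error) {
	if event.TriggerSource != "UserMigration_Authentication" {
		// Forgot-password migration carries no password; this example only handles sign-in.
		return event, nil
	}
	rec, ok := legacyUsers[event.UserName]
	// Hash and compare even when the lookup failed, so the unknown-user and
	// wrong-password paths do the same amount of work.
	match := subtle.ConstantTimeCompare([]byte(rec.PasswordHash), []byte(sha256Hex(event.Request.Password))) == 1
	if !ok || !match {
		// Response stays empty: Cognito treats both cases as "no such user" and,
		// with PreventUserExistenceErrors, answers NotAuthorizedException.
		return event, nil
	}
	event.Response.UserAttributes = map[string]string{"email": rec.Email, "email_verified": "true"}
	event.Response.FinalUserStatus = "CONFIRMED"
	event.Response.MessageAction = "SUPPRESS"
	return event, nil
}

// WireJSON renders what the Lambda runtime puts on the wire for a return value.
func WireJSON(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	// Constructed event for a sign-in by a user the legacy directory does not know.
	unknown := MigrateUserEvent{Version: "1", TriggerSource: "UserMigration_Authentication",
		UserPoolID: "eu-west-1_EXAMPLE", UserName: "nobody", Request: MigrateUserRequest{Password: "x"}}
	out, _ := MigrateUser(context.Background(), unknown)
	fmt.Println("empty response:", WireJSON(out)) // ends in "response":{}
	fmt.Println("return nil, nil:", WireJSON(nil)) // null, which Cognito rejects
}
```

The `omitempty` tags matter: without them an empty `MigrateUserResponse` marshals as `{"userAttributes":null,"finalUserStatus":"",...}`, and the trigger contract does not describe that shape. Typing the handler as `func(context.Context, MigrateUserEvent) (MigrateUserEvent, error)` instead of `interface{}` also makes the nil-return mistake from the question impossible to write.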
0

For anyone looking for this same concept with the preAuthentication lambda function (or perhaps even other Cognito functions) with the same setting "PreventUserExistenceErrors" enabled:

You will unfortunately need to modify your Lambda to exit early (or other preferred logic) such as what I do below at the very beginning of my preAuthentication entry point:

import { Callback, Context, PreAuthenticationTriggerEvent } from "aws-lambda";

export const myPreAuthenticationFunctionName = async (event: PreAuthenticationTriggerEvent, context: Context, callback: Callback<PreAuthenticationTriggerEvent>) => {
    // allows for using callbacks as finish/error-handlers
    context.callbackWaitsForEmptyEventLoop = false;

    // Earliest exit point: returns the event to Cognito if userNotFound, so Cognito shows its own message for this event.
    // (With the "PreventUserExistenceErrors" setting enabled, the error is 'NotAuthorizedException: Incorrect username or password.', which is desired.)
    const userNotFound = event.request.userNotFound;
    if (userNotFound) {
        console.info("User not found, returning event to Cognito handler.");
        return callback(null, event);
    }

    // remaining pre-authentication logic follows here
}
answered a year ago
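The same early exit in Go, for projects that write their triggers in Go as the question does. This is an added example, not code from the answer above or from AWS; it assumes the struct names `PreAuthEvent` and `PreAuthRequest`, and a constructed `allowedDomains` rule standing in for whatever the real trigger enforces. It shows why the early return matters: with PreventUserExistenceErrors on, Cognito invokes the pre-authentication trigger for non-existent users too, with `request.userNotFound` set and no `userAttributes`. If the custom rule ran in that case it would fail with its own message, and the difference between that message and "Incorrect username or password." would tell a caller which usernames exist.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// PreAuthEvent lists the parts of the pre-authentication trigger JSON this
// example reads. request.userNotFound is the flag Cognito sets when
// PreventUserExistenceErrors is enabled and the user does not exist in the pool.
type PreAuthEvent struct {
	Version       string         `json:"version"`
	TriggerSource string         `json:"triggerSource"`
	UserName      string         `json:"userName"`
	Request       PreAuthRequest `json:"request"`
	Response      struct{}       `json:"response"`
}

type PreAuthRequest struct {
	UserAttributes map[string]string `json:"userAttributes"`
	ValidationData map[string]string `json:"validationData,omitempty"`
	UserNotFound   bool              `json:"userNotFound"`
}

// allowedDomains is a constructed stand-in for whatever rule the trigger enforces.
var allowedDomains = map[string]bool{"example.com": true}

// PreAuthenticate returns the event untouched when the user does not exist, so the
// caller only ever sees the pool's own "Incorrect username or password.". The
// custom rule runs for real users only; returning an error there makes Cognito
// fail the sign-in and report that error to the client.
func PreAuthenticate(ctx context.Context, event PreAuthEvent) (PreAuthEvent, error) {
	if event.Request.UserNotFound {
		return event, nil
	}
	email := event.Request.UserAttributes["email"]
	at := strings.LastIndex(email, "@")
	if at < 0 || !allowedDomains[strings.ToLower(email[at+1:])] {
		return event, errors.New("sign-in is not permitted for this account")
	}
	return event, nil
}

func main() {
	// Constructed events: an unknown user, an allowed user and a refused user.
	for _, ev := range []PreAuthEvent{
		{UserName: "nobody", Request: PreAuthRequest{UserNotFound: true}},
		{UserName: "alice", Request: PreAuthRequest{UserAttributes: map[string]string{"email": "alice@example.com"}}},
		{UserName: "mallory", Request: PreAuthRequest{UserAttributes: map[string]string{"email": "mallory@other.example"}}},
	} {
		_, err := PreAuthenticate(context.Background(), ev)
		fmt.Printf("%-8s userNotFound=%-5t err=%v\n", ev.UserName, ev.Request.UserNotFound, err)
	}
}
```

Deploying it is `lambda.Start(PreAuthenticate)` with github.com/aws/aws-lambda-go/lambda, exactly as for the migration trigger. Keep the `userNotFound` check as the first statement, before any lookup, logging of attributes or external call, so that the non-existent-user path does nothing observable.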
