Cognito's built-in validations are preventing my own validation in my Lambdas from running

Summary: When phone number attributes and MFA are enabled, Cognito's own validations occur before the pre sign-up Lambda. However, with these disabled, presignup runs before the validation.

Issue: My presignup Lambda is not running, as Cognito's own phone number validation is preventing it from being triggered in my dev environment. However, in my non-prod environment, this is not the case and my Lambdas run before any of Cognito's own validations.

Attempted fixes:

  • Stripped code back to a simple function but the issue still persists
  • Compared Cognito config; the only notable difference is that MFA is enabled in dev and the phone number attribute is required, whereas non-prod uses email and username.
  • I have tried 'refreshing' the Cognito triggers by changing them to none and back to their respective Lambdas, but the issue persists

Does anyone know what is causing this difference in behaviour?

Latif
asked 2 years ago, 897 views
1 Answer

When a standard attribute is marked as required, a user cannot register unless a value for the attribute is provided[1]. This means a user must provide a phone number before a successful SignUp API call can be made and the presignup lambda function can be triggered when you have set the phone number as required within your UserPool.

If this is not the intended behavior you are looking for and you don't want the phone number to be required, you will need to create a new UserPool with your preferred required attributes, since you cannot switch between required and not required attributes after a UserPool has been created[1]. Once the new UserPool has been created, you can migrate the current users to the new UserPool using a Lambda migration trigger[2].


[1] https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

[2] https://aws.amazon.com/premiumsupport/knowledge-center/cognito-change-user-pool-attributes/

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Thank you for your response. I would like the phone number; however, I would like to do my own validation against it before Cognito's built-in one. For example, Cognito returns the error "Invalid phone number format." when the user enters "07999999999". But I have no option of customising this error as none of my Lambdas run. Do you have any recommendations on how I can customise this error message?

  • Cognito does offer some form of customizing error responses; however, it is only available for authentication, confirmation, and password recovery-related (see the following documentation for more information[1]). Therefore, if you are using the Hosted UI, it is not possible to customize that particular error message as it is being passed on from the SignUp API (you will be able to see a similar message in CloudTrail also for the SignUp events).

    If you would like to have your own validations for the phone number, then you would need to build your own SignUp/SignIn page for Cognito and do the validations yourself before making the SignUp API call with the details provided by your users. An example of developing your own frontend to work with Cognito is Amplify[2].

    [1] Managing error responses - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

    [2] https://docs.amplify.aws/lib/auth/emailpassword/q/platform/js/
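
The client-side check recommended in the comment above, as an added example that is not part of the original thread or AWS's own code: it normalises input such as "07999999999" to the E.164 form (a leading + and country code) that Cognito's phone_number attribute expects, and returns its own error messages before SignUp is called. The function names, the messages and the UK default country code (44) are assumptions.

```javascript
// Added example: validate and normalise a phone number before calling SignUp.
// Assumption: users are in the UK, so a leading national "0" becomes "+44".
const DEFAULT_COUNTRY_CODE = "44";

// E.164: "+", a non-zero first digit, at most 15 digits in total.
const E164 = /^\+[1-9]\d{1,14}$/;

function normalizePhone(input, countryCode = DEFAULT_COUNTRY_CODE) {
  if (typeof input !== "string" || input.trim() === "") {
    return { ok: false, error: "Please enter a phone number." };
  }
  // Drop the spaces, dashes, dots and parentheses people commonly type.
  let s = input.trim().replace(/[\s\-().]/g, "");
  if (s.startsWith("00")) {
    s = "+" + s.slice(2); // international dialling prefix 00 -> +
  } else if (s.startsWith("0")) {
    s = "+" + countryCode + s.slice(1); // national trunk prefix 0 -> +CC
  }
  // Anything other than digits and a single leading "+" is rejected.
  if (/[^\d+]/.test(s) || s.indexOf("+", 1) !== -1) {
    return { ok: false, error: "Phone numbers may contain only digits and a leading +." };
  }
  if (!s.startsWith("+")) {
    return { ok: false, error: "Include your country code, for example +447999999999." };
  }
  if (!E164.test(s)) {
    return { ok: false, error: "That phone number is too short or too long." };
  }
  return { ok: true, phone: s };
}

// Build the UserAttributes list for SignUp only when validation passes;
// otherwise throw the custom message so the form can display it.
function buildSignUpAttributes(rawPhone) {
  const result = normalizePhone(rawPhone);
  if (!result.ok) {
    throw new Error(result.error);
  }
  return [{ Name: "phone_number", Value: result.phone }];
}
```

Cognito still applies its own format check on the server, so this only controls the message the user sees and cannot replace server-side enforcement.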
