Cognito migration trigger runs successfully but returns an error

Hello, I have created a Migrate user Lambda trigger to automatically sign up users from a MySQL DB into a Cognito pool once they sign in.

I am using the hosted UI provided by Cognito and the trigger executes properly: it validates the user credentials and a context.succeed(event); is emitted back, yet I get an error response every time in the UI, "Incorrect username or password.", and the user is not properly created in the Cognito pool.

This Lambda function was previously working as expected. I was able to migrate users successfully, but it suddenly started to fail. Here's what it looks like:

exports.handler = async (event, context, callback) => {
	var user;

	if (event.triggerSource == "UserMigration_Authentication") {
		// authenticate the user with your existing user directory service
		user = await authenticateUser(event.userName, event.request.password);
		
		if (user) {
			event.response.userAttributes = {
				"email": user.email,
				"email_verified": "true"
			};
			event.response.finalUserStatus = "CONFIRMED";
			event.response.messageAction = "SUPPRESS";
			context.succeed(event);
		} else {
			// Return error to Amazon Cognito
			callback("Invalid password code");
		}
	} else if (event.triggerSource == "UserMigration_ForgotPassword") {
		// Lookup the user in your existing user directory service
		user = await lookupUser(event.userName);
		
		if (user) {
			event.response.userAttributes = {
				"email": user.email,
				// required to enable password-reset code to be sent to user
				"email_verified": "true"  
			};
			event.response.messageAction = "SUPPRESS";
			context.succeed(event);
		} else {
			// Return error to Amazon Cognito
			callback("User not found");
		}
	} else { 
		// Return error to Amazon Cognito
		callback("Invalid triggerSource " + event.triggerSource);
	}
};

And this is an example of the event sent back when a user is successfully authenticated:

{
  version: '1',
  triggerSource: 'UserMigration_Authentication',
  region: 'us-xxx-x',
  userPoolId: 'us-xxx-x_xxxXxXX',
  userName: 'qa_tests+email@email.com',
  callerContext: {
    awsSdkVersion: 'aws-sdk-unknown-unknown',
    clientId: '79vm3b2pogsddtl9udq5unrg'
  },
  request: { password: 'Password!', validationData: null, userAttributes: null },
  response: {
    userAttributes: {
      email: 'qa_tests+email@email.com',
      email_verified: 'true'
    },
    forceAliasCreation: null,
    enableSMSMFA: null,
    finalUserStatus: 'CONFIRMED',
    messageAction: 'SUPPRESS',
    desiredDeliveryMediums: null
  }
}

authenticateUser is the function fetching the user from MySQL and validating the credentials.

lookupUser is the function fetching a user from MySQL.

I cannot figure out what the problem is, especially given the error response "Incorrect username or password." when both email and password are correct.

This Lambda was working properly before; it just started to fail recently and I can't think of a reason. The only changes that I can recall have been adding and deleting client apps in the pool.

1 Answer
Accepted Answer

I've got my answer after digging deep and reading other posts.

The user gev1695 provided the answer; essentially, you have to increase the default memory of your Lambda function.

I can't believe how lacking your documentation is, not to mention how bad the logs to properly debug issues appear.

Feel free to close and mark this as resolved.

answered a year ago
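
An added example, not code from the thread or from AWS: a wrapper that logs how long a migration trigger takes against Cognito's response window, so a handler that succeeds but answers too late shows up in the logs. It assumes the documented 5-second limit for Cognito Lambda triggers, which the thread does not state; `withTriggerBudget`, `classifyDuration` and `runSample` are hypothetical names.

```javascript
// Added example, not code from the thread.
// Assumption: Cognito gives a trigger about 5 s to respond (AWS-documented limit).
const COGNITO_TRIGGER_BUDGET_MS = 5000;

// Classify one invocation's duration against the response budget.
function classifyDuration(elapsedMs, budgetMs = COGNITO_TRIGGER_BUDGET_MS) {
  if (elapsedMs >= budgetMs) return "OVER_BUDGET";
  if (elapsedMs >= budgetMs * 0.8) return "NEAR_BUDGET";
  return "OK";
}

// Wrap a trigger handler so each invocation emits one structured log line.
// Only triggerSource is logged: event.request.password is cleartext and
// must never reach CloudWatch.
function withTriggerBudget(handler, { now = Date.now, log = console.log } = {}) {
  return async (event, context) => {
    const start = now();
    let outcome = "returned";
    try {
      return await handler(event, context);
    } catch (err) {
      outcome = "threw";
      throw err;
    } finally {
      const elapsedMs = now() - start;
      log(JSON.stringify({
        triggerSource: event.triggerSource,
        outcome,
        elapsedMs,
        status: classifyDuration(elapsedMs),
        memoryLimitMB: context.memoryLimitInMB,
        remainingMs: context.getRemainingTimeInMillis(),
      }));
    }
  };
}

// Constructed sample: a fake clock makes the handler appear to take 6200 ms.
async function runSample() {
  const ticks = [0, 6200];
  const lines = [];
  const wrapped = withTriggerBudget(async (event) => event, {
    now: () => ticks.shift(),
    log: (line) => lines.push(JSON.parse(line)),
  });
  const context = { memoryLimitInMB: "128", getRemainingTimeInMillis: () => 0 };
  const event = { triggerSource: "UserMigration_Authentication", request: { password: "constructed" } };
  await wrapped(event, context);
  return lines[0];
}
```

In a deployed function the wrapped handler is what gets exported, so a run of OVER_BUDGET or NEAR_BUDGET lines alongside a low memoryLimitMB points at the memory setting rather than at the credentials check.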
