PostAuthentication - auto verify phone_number (not in PreSignUp)

0

Hello All, Cognito/Amplify Team,

I am implementing passwordless SMS auth. The flow is: signIn -> error (userNotFound) -> signUp -> signIn -> OTP sent to mobile -> OTP entered by user -> confirmSignIn -> success and the user is logged in. This flow works and the user is able to sign in successfully. But verification of phone_number would better happen in PostAuthentication (after the user is signed in, having entered the OTP and had it checked successfully) and not before that in PreSignUp.

I have the following lambdas: PreSignUp, DefineAuthChallenge, CreateAuthChallenge, VerifyAuthChallengeResponse, PostAuthentication. Things have run fine. I want to change one thing for good: auto verify the phone number in the PostAuthentication lambda instead of the PreSignUp lambda. How do I do that? I thought the following could do it in the PostAuthentication lambda:

    event.response.phone_number_verified = "true"

It did not. I also tried setting:

    event.request.userAttributes.phone_number_verified = "true"

That did not work either. In PreSignUp, the following did work fine:

    event.response.autoVerifyPhone = true;

PostAuthentication lambda (custom.js):

    exports.handler = async (event, context) => {
      console.log('Received EVENT', JSON.stringify(event, null, 2));
      if (event.request.userAttributes.hasOwnProperty("email")
          && event.request.userAttributes.email_verified != "true") {
        event.request.userAttributes.email_verified = "true";
        event.response.email_verified = "true";
      }
      if (event.request.userAttributes.hasOwnProperty("phone_number")
          && event.request.userAttributes.phone_number_verified != "true") {
        event.request.userAttributes.phone_number_verified = "true";
        event.response.phone_number_verified = "true";
      }
      console.log('Returning event', JSON.stringify(event, null, 2));
      return event;
    };

PreSignUp (custom.js):

    "use strict";
    exports.handler = async (event) => {
        console.log('Received EVENT', JSON.stringify(event, null, 2));
        event.response.autoConfirmUser = true;
        /*
        if (event.request.userAttributes.hasOwnProperty("email")) {
            event.response.autoVerifyEmail = true;
        }
        if (event.request.userAttributes.hasOwnProperty("phone_number")) {
            event.response.autoVerifyPhone = true;
        }
        */
        console.log('Returning EVENT', JSON.stringify(event, null, 2));
        return event;
    };

But when I check the user in Cognito, it still shows as NotVerified. [1], which is in TS, also suggests setting: event.request.userAttributes.email_verified = "true". [2] does not suggest how to auto verify phone_number in the PostAuthentication lambda. [3] does suggest how to auto verify phone_number in PreSignUp.

[1] https://github.com/aws-samples/amazon-cognito-passwordless-email-auth/blob/master/cognito/lambda-triggers/post-authentication/post-authentication.ts
[2] https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html
[3] https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html

Can you help resolve this? How/what should I set in PostAuthentication to auto verify the phone number?

Thanks in advance.

2 Answers
0
Accepted Answer

Hi,

You must not return verified true as part of the return structure, but update the attribute through a dedicated API call to AdminUpdateUserAttributes [ https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html ] in one of the Lambda functions.

That is why the status is not updated.

Jeff

AWS
answered a year ago
  • Thanks Jeff. It worked. Though I had to give the required permission to the lambda.
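
One way to apply the accepted answer inside the PostAuthentication trigger, as an added example that is not part of the original thread and not AWS's own code. The names `buildVerifyInput`, `makeHandler` and `sendWithSdk` are hypothetical, and the AWS SDK for JavaScript v3 is assumed to be available in the Lambda runtime.

```javascript
'use strict';

// Build the AdminUpdateUserAttributes input from a PostAuthentication event.
// Only phone_number is marked: the SMS OTP in this flow proves possession of
// the phone, not of any email address. Returns null when nothing is to be done.
function buildVerifyInput(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  // Cognito passes attribute values as strings, so compare with 'true'.
  if (!attrs.phone_number || attrs.phone_number_verified === 'true') return null;
  return {
    UserPoolId: event.userPoolId,
    Username: event.userName,
    UserAttributes: [{ Name: 'phone_number_verified', Value: 'true' }],
  };
}

// Hypothetical helper: `send` performs the API call, so it can be swapped out
// for a stub when testing offline.
function makeHandler(send) {
  return async (event) => {
    const input = buildVerifyInput(event);
    if (input) await send(input);
    return event; // the trigger returns the event it was given
  };
}

// Real sender (AWS SDK for JavaScript v3, loaded lazily). The function's role
// needs cognito-idp:AdminUpdateUserAttributes on the user pool.
async function sendWithSdk(input) {
  const { CognitoIdentityProviderClient, AdminUpdateUserAttributesCommand } =
    require('@aws-sdk/client-cognito-identity-provider');
  const client = new CognitoIdentityProviderClient({});
  return client.send(new AdminUpdateUserAttributesCommand(input));
}

exports.handler = makeHandler(sendWithSdk);
```
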

0

Cognito showing the phone_number as NotVerified. This is after user has successfully logged in and session screen is presented using the baked-in authUser.

Phone_number: NotVerified

Raj
answered a year ago
  • You masked the sub in the user attributes but not in the user information pane. I do not know if this is a problem.

  • Sharp eyes! sub is a UUID inside AWS and will change for the next authUser instantiation. Looks harmless if such a transient handle is leaked at one experimental point.
