When is the CustomEmailSender_UpdateUserAttribute trigger source used? - amazon-cognito

I have set up a custom email sender function that currently just decrypts the code (if present) and logs the event.
I can see in the logs that the lambda is correctly triggered for the other trigger source types such as CustomEmailSender_AdminCreateUser when I run the aws cognito-idp admin-create-user CLI command, and the CustomEmailSender_ForgotPassword when I submit the Forgot Password form on the Hosted UI. However, I do not see any logs when user attributes are updated. I've tested with both the admin-update-user-attributes and the update-user-attributes commands, as well as in the AWS console.
When is the email with the CustomEmailSender_UpdateUserAttribute trigger source sent? Is there a configuration on my user pool or client that I am missing?

According to Cognito documentation on Custom message Lambda trigger sources:
CustomMessage_UpdateUserAttribute | Custom message – When a user's email or phone number is changed, this trigger sends a verification code automatically to the user. Cannot be used for other attributes.
So it only triggers with changes to the email or phone number fields, in order to verify them.

Related

Passwordless Authentication with Cognito - How to determine if a user signed up with email or phone number

We have implemented the Custom Auth Triggers as described in the link here. We have the user pool set up to let users log in with either phone number or email.
The case in question is that the user has both email and phone verified in their Cognito account.
The problem I am having is determining which medium (email or phone number) the user signed in with.
When observing the event passed into the define/create/verify auth triggers, it seems it doesn't pass through which username was used to initiate the authentication flow, only the user attributes, which in my case could contain both email and phone. I need to know which one it is so I know whether to send the code via SMS or email.
I also read about ClientMetadata, a key we can pass in InitiateAuthCommandInput, but it is only provided to these triggers:
Pre signup
Pre-authentication
User migration
but it is not provided to these triggers:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Verify auth challenge
After a lot of googling, I found an article with a tricky solution:
here is the link
I am not able to implement the provided solution.
I found a similar question on Stack Overflow too (Link), but it has no answer either. Can anyone please help me with this?
This is a workaround that adds a custom attribute during passwordless login.
Actually, the authenticationUser function needs to identify whether the user is entering an email or a phone number during login.
Step 1: During the login process, before calling InitiateAuthCommand, first set a custom attribute on the Cognito user object, logged_in_by, to email or phone.
Step 2: Once the attribute is set, InitiateAuthCommand is started and calls the triggers.
Step 3:
When createAuthChallenge runs, we will have userAttributes.logged_in_by.
If this attribute contains email, this indicates that the user is trying to log in with the email and we need to send the OTP over email.
If this attribute contains phone, this indicates that the user is trying to log in with the phone and we need to send the OTP over the phone number.

plain text email for Cognito verification code

Is there a way to send Cognito verification email as plain text email?
Some of our customers use MMS email for Cognito registration. They use the Messages app on iPhone to read those emails. After registration, the email verification comes but shows up in Messages as an HTML attachment, which needs a tap to open up the email content.
We want the content to show up nicely as a bubble message, which can be done if the email is sent in plain text, not HTML. I tried adding <meta http-equiv="Content-Type" content="text/plain; charset=utf-8" /> to the message customizations but it did not work.
The custom sender has solved my problem:
https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html
Note that this trigger is not available in the console, so you must use update-user-pool api call to add it.
One important thing about this API is noted in the documentation: "If you don't provide a value for an attribute, it will be set to the default value." I wasted a lot of time debugging just to find out that some settings had been changed due to this behavior.
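One way to avoid the reset behaviour the answer above warns about, as an added example that is not part of the answer or of any AWS code: carry every updatable field from a DescribeUserPool response into the UpdateUserPool input, add the CustomEmailSender configuration, and diff the planned input against the live pool before calling the API. The describe response is constructed sample data and the ARNs are placeholders.

```javascript
// Fields DescribeUserPool returns that UpdateUserPool also accepts as input. Anything
// left out of the update is reset to its default, so every one of them is carried over.
const UPDATABLE_KEYS = [
  'Policies', 'DeletionProtection', 'LambdaConfig', 'AutoVerifiedAttributes',
  'SmsVerificationMessage', 'EmailVerificationMessage', 'EmailVerificationSubject',
  'VerificationMessageTemplate', 'SmsAuthenticationMessage', 'UserAttributeUpdateSettings',
  'MfaConfiguration', 'DeviceConfiguration', 'EmailConfiguration', 'SmsConfiguration',
  'UserPoolTags', 'AdminCreateUserConfig', 'UserPoolAddOns', 'AccountRecoverySetting',
];

const clone = (value) => JSON.parse(JSON.stringify(value));

// Build the UpdateUserPool input: the pool's current settings plus the custom email sender.
function buildUpdateInput(describeResponse, senderLambdaArn, kmsKeyArn) {
  const pool = describeResponse.UserPool;
  const input = { UserPoolId: pool.Id };
  for (const key of UPDATABLE_KEYS) {
    if (pool[key] !== undefined) input[key] = clone(pool[key]);
  }
  // Deprecated field echoed by DescribeUserPool; the password policy's
  // TemporaryPasswordValidityDays is the supported setting, so do not resend it.
  if (input.AdminCreateUserConfig) delete input.AdminCreateUserConfig.UnusedAccountValidityDays;
  input.LambdaConfig = {
    ...(input.LambdaConfig || {}),
    CustomEmailSender: { LambdaVersion: 'V1_0', LambdaArn: senderLambdaArn },
    KMSKeyID: kmsKeyArn, // the custom sender trigger needs a KMS key to encrypt the code
  };
  return input;
}

// Report which settings would differ between the live pool and the planned input;
// anything beyond LambdaConfig (and the dropped deprecated field) deserves a look.
function changedKeys(describeResponse, input) {
  const pool = describeResponse.UserPool;
  return UPDATABLE_KEYS.filter(
    (key) => JSON.stringify(pool[key] ?? null) !== JSON.stringify(input[key] ?? null),
  );
}

// Constructed sample of a trimmed DescribeUserPool response (placeholder identifiers).
const SAMPLE_DESCRIBE = {
  UserPool: {
    Id: 'us-east-1_EXAMPLE', Name: 'example-pool', CreationDate: '2024-01-01T00:00:00Z',
    MfaConfiguration: 'OPTIONAL',
    EmailVerificationSubject: 'Your verification code',
    AutoVerifiedAttributes: ['email'],
    LambdaConfig: { PostConfirmation: 'arn:aws:lambda:us-east-1:123456789012:function:post-confirm' },
    AdminCreateUserConfig: { AllowAdminCreateUserOnly: false, UnusedAccountValidityDays: 7 },
  },
};
```

The resulting object is what you pass as the request body to update-user-pool (for the CLI, --cli-input-json); the diff lets you confirm that only the intended settings change before you send it.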
You can, yes.
Set up the Cognito Custom Message Trigger to call a Lambda (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html)
Create a lambda script that sends an email using AWS SES. Using SES you can specify separate HTML and TEXT parts of the message (https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/ses-examples-sending-email.html)

How to require a verification code before changing attribute in AWS cognito

We are using amazon-cognito-identity-js to manage users in a javascript application.
Currently, once authenticated, a user can change their email address or phone number with cognitoUser.updateAttributes(). If that attribute is marked as verified, it will then be unverified, and we can trigger verification through cognitoUser.getAttributeVerificationCode(), which will send a confirmation code to the user's phone.
Ideally, we would like to require a code BEFORE changing the attribute, much like the change password flow works. Is such an approach possible?

New sign-ups to Cognito User pool default to disabled

I am using Cognito User pools and the hosted Cognito UI. I want new users to be disabled when they first sign up.
I am trying to use a Cognito Trigger to disable the user.
The "Pre sign-up" trigger is too soon; the user has not been created yet. I have successfully used the "Post confirmation" trigger to disable the user, however this is causing a side effect. After the user enters the confirmation code which is emailed to them, they see this message in the hosted UI: "User is disabled".
Does anyone have a suggested solution on how to make the new users disabled by default?
We had a similar business requirement. For us, we made use of a User Pool Group. This allowed the sign-up and validation process to work as normal. We had the Post Confirmation trigger send our product team an email with details about the new confirmed user. We had a simple UI for the product team to add the group to a user if they should have access.
To deny/grant access to the app: our app checked the ID Token, once a user successfully authenticated, for the group (the ID Token has a 'cognito:groups' key which contains a list of all the groups the user is in). If the group was not present we displayed a page showing the user a customized access denied message.

When using OpenDS for SMTP account status notification, how do I include user's name in notification?

We are using OpenDS for SMTP account status notification to notify users when their password is nearing expiration. The SMTP account status notification handler works fine to notify the user and a list of Server admins when the password is soon to expire but we are not able to find a way to have the customer's name in the email.
The notification handler has no issue pulling the customer's email address and also referencing the password policy to correctly identify the pending password expiration, so why not also identify the customer by name in the email? All this information is available, so how would a variable be set to pull and use this customer information?
The notification handlers are quite powerful but definitely under-documented.
It's possible to identify the user by mail in the email. I've looked at the code of OpenDJ (the actively developed branch of OpenDS, http://opendj.forgerock.org), and you can reference any attribute from the user entry within the template.
More specifically, for the mail attribute of the user, you should use this property in the template (templates are under the config/message/ directory):
%%notification-user-attr:mail%%
I haven't tested, but it should work.
I hope this helps.
Ludovic Poitou
PS: I've been told by our technical writer that all tokens that can be used in the template messages are actually documented as part of the OpenDJ administration guide: http://opendj.forgerock.org/doc/admin-guide/index.html#account-status-notification