Amplify + Cognito signup trigger create document in lambda - amazon-cognito

I am using amplify auth and have a table in documentdb managing user profile information. I want to be able to create a document in dynamodb on signup with the cognitoIdentityId as a field so I can query for it later.
I was hoping I could handle this in a trigger on the cognito pool but I cannot get access to the identity inside my lambda function as it doesn't appear to be on the event.
Is it possible to get access to the id so I can create my document on the trigger or is there a better way to achieve this?

Related

Check if user existed in cognito as federated user by using only email/username

I'm having trouble implementing a feature where I need check if a user does not exist or is existing in cognito but as federated user. The prior is done without trouble but I'm stuck on the latter without any clue. I went through the cognito and amplify documents but couldn't find any clue. Could there be a work-around or a function that I don't know about, any suggest is welcomed.
You can create a mutable custom user attribute on Cognito such as isFederatedUser and set this on user during user creation.
If this is not possible, you can call list-users and filter the identities attribute.

Cognito PreSignup Lambda to create user internally first and then in userpool

We have an existing system where we create the user id (db) internally and use it across db tables as refrential integrity. We are looking to move to Cognito and Api Gateway for authentication and authorization flow. However, we would like to retain the existing identity (user id in db) internally once we authenticate at Api Gateway using Cognito. To do this, we are thinking of using Pre-Signup Lambda trigger to first create the user in our system via that and then Cognito will create the user in the userpool. This way we can associate custom attribute (user id) information using Pre-Token generation lambda which will be passed to Api Gateway with ID Token.
Is this the right approach to create the user first in our system (via Pre-Signup lambda) and then in Cognito?

PostConfirmationTrigger for federated sign-in in AWS Cognito

I am using AWS Cognito for auth. I am using AWS Amplify framework.
Currently I have email-password signup option. On Cognito PostConfirmationTrigger I add user to User DynamoDB table.
I want to add google signup option as well.
In federated sign-in (signup time), this trigger is not triggered so I am unable to add user to User DynamoDB table.
Any hints how can I invoke that trigger lambda only for first time federated sign-in (signup)?
The post confirmation trigger is worth avoiding as it also doesn't trigger for admin confirmations. Reimplement it as a post-authentication or pre-token-generation trigger and, if need be, add a condition expression to your put item request to avoid overwriting existing user items.
Cognito is a bit borked when it comes to federated sign-on and triggers. Triggers only seem to be called the first time a user logs in.

AWS Amplify - update another user attributes

Is there a way I can update another user attributes using AWS amplify with cognito? I.e. when user reply to a post I want to change a rating of a person that started a thread. Or for this I will need a table in DB to manage it.
In docs i see that there is a method:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminUpdateUserAttributes-property
but I dont see a way to use it in Amplify.
I have not seen any API of aws-amplify which can alter user attributes as admin.
Generally, it is good practice not to duplicate data or keeping data duplication minimal if unavoidable. In other words, keeping a single source of truth. Use Cognito as only for authentication, I mean obtaining JWT token.
Rating, user basic info, and role; keep those at your own data source.

aws lambda: authentication with Cognito and a fixed user

I have a web application where people can upload files and I want a login for this so some functions can only be accessed by people who are logged in. I want to have one fixed pair of username and password, so there should be no option for users to create their own account (only the people who have the right information can access). I have a login paige where I proof with JavaScript if the fields are filled and if they are there should be invoked a lambda function to set the user to auth in Cognito to login. I created a fixed user in Cognito with username and password and I now want to proof if the entries of the fields are the same like the created user so that the user is logged in and can use the functions on the web app.
I read a lot of tutorials how to set up an authentication with cognito and lambda, but totally different to what I want to do. So I really have no idea how I can write the lambda function to do what I want.
Has anyone an idea how I can build up my plan or is it a bad idea like that?
Thank you for your help
you don't need the user/pass, in api gateway in the lambda method set the auth type to AWS_IAM, so only auth users will be able to call the lambda method... and then only that specific user will be able to call your lambda method.
inside the lambda method you can access
event.requestContext.identity.cognitoAuthenticationProvider
and
event.requestContext.identity.cognitoIdentityId
to get the user that was auth by AWS