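├── README.md
├── addUserToGroup.js
├── confirmFromDomain.js
└── getCognitoUserInfo.js

/README.md:
--------------------------------------------------------------------------------
### Examples of Lambda triggers and other functions to help you interact with Cognito from Lambda

1. `addUserToGroup.js`

   Adds a user to the `STUDENTS` Cognito group when the top-level domain of the user's email address is `edu`. The email attribute is supplied by the user at sign-up, so this should only run after the address has been verified (e.g. as a Post Confirmation trigger in a pool that requires email verification).

2. `confirmFromDomain.js`

   Pre Sign-up trigger that automatically confirms a user when the domain of their email address is on a server-side allow-list (`ALLOWED_EMAIL_DOMAINS`). The allow-list must not come from the sign-up request itself: anything the client sends can be chosen by an attacker.

3. `getCognitoUserInfo.js`

   Looks up the Cognito user by the caller's `sub`, lists the user's groups by username, and then checks whether the user is in the required group (`Admin` by default). Resolves if so, otherwise returns an authorization error.
--------------------------------------------------------------------------------

/addUserToGroup.js:
--------------------------------------------------------------------------------
const aws = require('aws-sdk');

// Group to add matching users to, and the top-level domain that qualifies.
// The defaults preserve the original hard-coded behaviour; both can be
// overridden through the environment.
const GROUP_NAME = process.env.GROUP_NAME || 'STUDENTS';
const REQUIRED_TLD = (process.env.REQUIRED_TLD || 'edu').toLowerCase();

/**
 * Cognito Lambda trigger: adds the user to GROUP_NAME when the top-level
 * domain of their email address equals REQUIRED_TLD (default "edu").
 *
 * SECURITY: `request.userAttributes.email` is a value the user typed at
 * sign-up. Only wire this as a Post Confirmation trigger in a pool that
 * requires email verification; otherwise anyone can claim an @example.edu
 * address and receive group membership. (Inferred from the event shape --
 * confirm against the pool's trigger configuration.)
 *
 * @param {object} event - Cognito trigger event; reads userPoolId, userName
 *   and request.userAttributes.email.
 * @param {object} context - Lambda context (unused).
 * @param {function} callback - Lambda callback. Receives (err) when
 *   adminAddUserToGroup fails, otherwise (null, event) exactly once.
 */
exports.handler = (event, context, callback) => {
  const cognitoidentityserviceprovider = new aws.CognitoIdentityServiceProvider({ apiVersion: '2016-04-18' });

  const attrs = (event.request && event.request.userAttributes) || {};
  const email = attrs.email;
  if (typeof email !== 'string' || !email.includes('@')) {
    // No usable email attribute: nothing to do, let the flow continue.
    callback(null, event);
    return;
  }

  // Compare the top-level domain case-insensitively ("EDU" and "edu" are the same TLD).
  const domainPart = email.slice(email.lastIndexOf('@') + 1).toLowerCase();
  const labels = domainPart.split('.');
  const tld = labels[labels.length - 1];

  if (tld !== REQUIRED_TLD) {
    callback(null, event);
    return;
  }

  const params = {
    GroupName: GROUP_NAME,
    UserPoolId: event.userPoolId,
    Username: event.userName,
  };

  cognitoidentityserviceprovider.adminAddUserToGroup(params, (err) => {
    if (err) {
      // Return after reporting the error: the original fell through and
      // invoked the callback a second time with (null, event).
      callback(err);
      return;
    }
    callback(null, event);
  });
};
--------------------------------------------------------------------------------

/confirmFromDomain.js:
--------------------------------------------------------------------------------
// Server-side allow-list of email domains that may be auto-confirmed.
// Comma-separated, e.g. ALLOWED_EMAIL_DOMAINS="example.com,example.org".
const ALLOWED_EMAIL_DOMAINS = new Set(
  (process.env.ALLOWED_EMAIL_DOMAINS || '')
    .split(',')
    .map((d) => d.trim().toLowerCase())
    .filter((d) => d.length > 0)
);

/**
 * Cognito Pre Sign-up trigger: sets response.autoConfirmUser when the domain
 * of the user's email address is in ALLOWED_EMAIL_DOMAINS.
 *
 * SECURITY: the original compared the email domain with the "custom:domain"
 * attribute. Both values arrive in the same SignUp request from the client,
 * so any caller could send a matching pair and skip email verification for an
 * address they do not own. The allow-list now lives on the server side. If a
 * client still sends "custom:domain" it must match the email domain (so
 * existing clients keep working), but it can no longer authorise on its own.
 * With no allow-list configured the trigger fails closed and confirms nobody.
 *
 * autoVerifyEmail is deliberately left unset: the address has not actually
 * been verified and must not be marked as such.
 *
 * @param {object} event - Cognito Pre Sign-up event (request.userAttributes, response).
 * @param {object} context - Lambda context (unused).
 * @param {function} callback - Lambda callback; always receives (null, event).
 */
exports.handler = (event, context, callback) => {
  event.response.autoConfirmUser = false;

  const attrs = (event.request && event.request.userAttributes) || {};
  const email = attrs.email;
  if (typeof email !== 'string' || !email.includes('@')) {
    callback(null, event);
    return;
  }
  const domain = email.slice(email.lastIndexOf('@') + 1).toLowerCase();

  if (ALLOWED_EMAIL_DOMAINS.size === 0) {
    console.warn('confirmFromDomain: ALLOWED_EMAIL_DOMAINS is not set; no user is auto-confirmed');
    callback(null, event);
    return;
  }

  // Optional client-supplied attribute kept for compatibility; it is only a
  // consistency check, never the source of authorisation.
  const claimedDomain = Object.prototype.hasOwnProperty.call(attrs, 'custom:domain')
    ? String(attrs['custom:domain']).toLowerCase()
    : domain;

  if (claimedDomain === domain && ALLOWED_EMAIL_DOMAINS.has(domain)) {
    event.response.autoConfirmUser = true;
  }

  // Return to Amazon Cognito
  callback(null, event);
};

/*
To use:

configure the allowed domains on the Lambda, not in the client:

    ALLOWED_EMAIL_DOMAINS=example.com,example.org

Clients may still send "custom:domain": "example.com" with the signUp; if they
do, it must equal the domain of the email address. Users whose email domain is
on the allow-list are confirmed automatically; everyone else goes through the
normal confirmation flow.
*/
--------------------------------------------------------------------------------

/getCognitoUserInfo.js:
--------------------------------------------------------------------------------
const AWS = require('aws-sdk');
const cognito = new AWS.CognitoIdentityServiceProvider({ apiVersion: '2016-04-18' });
const userpoolId = process.env.USER_POOL_ID;
// Group the caller must belong to; "Admin" keeps the original behaviour.
const REQUIRED_GROUP = process.env.REQUIRED_GROUP || 'Admin';

/** Raised when the caller is not allowed, so the handler can tell it from SDK failures. */
class AuthorizationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'AuthorizationError';
  }
}

// A Cognito sub is a UUID. Anything outside this character set is not a sub
// and must not be interpolated into the listUsers filter string.
const SUB_PATTERN = /^[A-Za-z0-9-]+$/;

/**
 * Extracts the caller's Cognito sub from the API Gateway request context.
 *
 * `requestContext.identity.cognitoAuthenticationProvider` has the form
 * "cognito-idp.<region>.amazonaws.com/<poolId>,cognito-idp.<region>.amazonaws.com/<poolId>:CognitoSignIn:<sub>"
 * (API Gateway's documented format for Cognito identities; the sub follows
 * ":CognitoSignIn:"). Only the pool this function looks users up in is
 * accepted: an identity pool may trust several user pools, and a sub from
 * another pool must not be resolved against USER_POOL_ID.
 *
 * @param {object} event - API Gateway proxy event.
 * @returns {string} the caller's sub.
 * @throws {AuthorizationError} when the provider is missing, belongs to another pool, or the sub is malformed.
 */
function getCallerSub(event) {
  const identity = event.requestContext && event.requestContext.identity;
  const provider = identity && identity.cognitoAuthenticationProvider;
  if (!provider) {
    throw new AuthorizationError('not authorized to perform this action');
  }
  if (userpoolId && !provider.includes('/' + userpoolId)) {
    throw new AuthorizationError('not authorized to perform this action');
  }
  const parts = provider.split(':CognitoSignIn:');
  if (parts.length !== 2 || !SUB_PATTERN.test(parts[1])) {
    throw new AuthorizationError('not authorized to perform this action');
  }
  return parts[1];
}

/**
 * Returns the caller's groups (the raw adminListGroupsForUser response).
 * Looks the user up by sub with listUsers, then lists groups by username.
 *
 * @param {object} event - API Gateway proxy event.
 * @throws {AuthorizationError} if the caller cannot be identified or is not in the pool.
 */
async function getGroupsForUser(event) {
  const userSub = getCallerSub(event);
  const userData = await cognito.listUsers({
    UserPoolId: userpoolId,
    Filter: `sub = "${userSub}"`,
  }).promise();
  const user = userData.Users && userData.Users[0];
  if (!user) {
    // Original dereferenced Users[0] unconditionally and threw a TypeError.
    throw new AuthorizationError('not authorized to perform this action');
  }
  return cognito.adminListGroupsForUser({
    UserPoolId: userpoolId,
    Username: user.Username,
  }).promise();
}

/**
 * Resolves when the caller is a member of `group`; rejects with
 * AuthorizationError otherwise.
 *
 * Written as a plain async function on purpose: the original wrapped an async
 * executor in `new Promise`, so an exception thrown by the SDK rejected the
 * executor's own promise (unhandled) while the outer promise stayed pending
 * forever and the Lambda timed out instead of returning an error.
 *
 * @param {object} event - API Gateway proxy event.
 * @param {string} group - required group name.
 */
async function canPerformAction(event, group) {
  const groupData = await getGroupsForUser(event);
  const groupsForUser = (groupData.Groups || []).map((g) => g.GroupName);
  if (!groupsForUser.includes(group)) {
    throw new AuthorizationError('user not in group, cannot perform action..');
  }
}

/**
 * Lambda entry point: performs the action only for members of REQUIRED_GROUP.
 * Authorization failures are reported with their message; SDK/config failures
 * are logged and reported generically so internal detail is not echoed to the
 * caller.
 */
exports.handler = async (event) => {
  try {
    await canPerformAction(event, REQUIRED_GROUP);
    // do something
    return { success: 'performing action' };
  } catch (err) {
    if (err instanceof AuthorizationError) {
      return { error: err.message };
    }
    console.error('getCognitoUserInfo: authorization check failed', err);
    return { error: 'internal error' };
  }
};
--------------------------------------------------------------------------------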