
How to confirm Cognito User after it was created with adminCreateUser command


After creating a Cognito user with

let AWS = require("aws-sdk");
AWS.config.update({
  region: "us-east-1"
});
const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider({
  apiVersion: "2016-04-19",
  region: "us-east-1"
});

let USER_POOL_ID = "my-cognito-user-pool-id"

var poolData = {
  UserPoolId: USER_POOL_ID,
  Username: "[email protected]",
  DesiredDeliveryMediums: ["EMAIL"],
  TemporaryPassword: "Test123456",
  UserAttributes: [
    {
    Name: "email",
    Value: "[email protected]"
    },
    {
    Name: "email_verified",
    Value: "true"
    }
  ]
};

cognitoidentityserviceprovider.adminCreateUser(poolData, (error, data) => {
  console.log(error);
  console.log(data);
});

The output of the command is below:

{
  User: {
    Username: 'e9c137e4-6482-4bf5-9fb9-03f764dd0b4b',
    Attributes: [ [Object], [Object], [Object] ],
    UserCreateDate: 2021-04-27T14:17:43.856Z,
    UserLastModifiedDate: 2021-04-27T14:17:43.856Z,
    Enabled: true,
    UserStatus: 'FORCE_CHANGE_PASSWORD'
  }
}

From this output I take the Username value and use it next to confirm the user with the adminConfirmSignUp command:

var params = {
  UserPoolId: USER_POOL_ID, 
  Username: 'e9c137e4-6482-4bf5-9fb9-03f764dd0b4b', 
  ClientMetadata: {
    'STRING_KEY_1': 'STRING_VALUE_1',
    'STRING_KEY_2': 'STRING_VALUE_2'
  }
};
cognitoidentityserviceprovider.adminConfirmSignUp(params, function(err, data) {
  if (err) console.log(err, err.stack); 
  else     console.log(data);           
});

But I am getting the error:

NotAuthorizedException: User cannot be confirmed. Current status is FORCE_CHANGE_PASSWORD

Later I found that I can use the adminSetUserPassword command, which was designed to change the user password. It happens that it also confirms the user and it works fine, except it doesn't trigger the Post Confirmation lambda, which I need to be triggered:

var params = {
  Password: 'New-password', 
  UserPoolId: USER_POOL_ID, 
  Username: 'e9c137e4-6482-4bf5-9fb9-03f764dd0b4b', 
  Permanent: true
};
cognitoidentityserviceprovider.adminSetUserPassword(params, function(err, data) {
  if (err) console.log(err, err.stack); 
  else     console.log(data);           
});

How do I confirm the user created with the adminCreateUser command? I don't want to use adminSetUserPassword to confirm it. I would rather use the adminConfirmSignUp command, which should confirm the user and trigger the Post Confirmation lambda. Please advise.


Solution

  • This is a known issue with Cognito. The following workaround might suit your use case, depending on what behavior you expect.


    Perform a check in a post-authentication handler and do your post confirmation logic there as well as in your post-confirmation handler.

    def handler(event, _):
        ''' handle post auth event '''
        status = event['request']['userAttributes']['cognito:user_status']

        # If the status hasn't been confirmed yet, we can assume it now is
        if status == 'FORCE_CHANGE_PASSWORD':
            # Do Something
            pass

        return event
    

    AdminConfirmSignUp still won't call the post-confirmation handler, so don't waste your time trying to get it working. If you want to perform some logic as part of a user provisioning step, just call the handler yourself; don't count on Cognito making sense.
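
The workaround above, carried through as an added example (not part of the original answer or of any AWS code): one handler attached to both triggers, plus a direct call for admin-created users. It goes one step beyond the answer by keying the work on the user's `sub` instead of the status attribute, so it runs once even though post-authentication fires on every sign-in. `provision_user`, `provision_from_admin_create`, `sample_event` and the in-memory `PROVISIONED` store are hypothetical names introduced here.

```python
# Added example. PROVISIONED stands in for a durable store (assumption); use a
# conditional write there in production so two concurrent invocations cannot
# both provision the same user.
PROVISIONED = {}


def provision_user(sub, email, via):
    """Hypothetical post-confirmation logic. Returns True only on first run."""
    if sub in PROVISIONED:
        return False
    PROVISIONED[sub] = {'email': email, 'via': via}
    return True


def handler(event, _context):
    """One Lambda wired to both the PostConfirmation and PostAuthentication triggers."""
    source = event.get('triggerSource', '')
    attrs = event['request']['userAttributes']
    if source.startswith(('PostConfirmation_', 'PostAuthentication_')):
        # Post-auth fires on every sign-in, so the idempotent store, not the
        # status attribute, decides whether work is still outstanding.
        provision_user(attrs['sub'], attrs.get('email'), via=source)
    return event  # the trigger hands the event object back to Cognito


def provision_from_admin_create(response):
    """Call the same logic directly with the adminCreateUser response."""
    attrs = {a['Name']: a['Value'] for a in response['User']['Attributes']}
    return provision_user(attrs['sub'], attrs.get('email'), via='AdminCreateUser')


def sample_event(source, sub, status):
    """Constructed trigger event carrying only the fields used above."""
    return {
        'triggerSource': source,
        'request': {'userAttributes': {
            'sub': sub,
            'email': 'user@example.com',
            'cognito:user_status': status,
        }},
    }


if __name__ == '__main__':
    src = 'PostAuthentication_Authentication'
    handler(sample_event(src, 'sub-1', 'FORCE_CHANGE_PASSWORD'), None)
    handler(sample_event(src, 'sub-1', 'CONFIRMED'), None)  # no-op second time
    print(PROVISIONED)
```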