AWS iOS Cognito-如何在Userpool中检查用户?
[英]AWS iOS Cognito - How To Check For a User in a Userpool?
问题描述
I am just starting to work with, and learn AWS. 
我刚刚开始工作,并学习AWS。 I am using the services in the AWS Mobile Hub and so far have set up the Sign In & Sign Up methods. 我正在使用AWS Mobile Hub中的服务,到目前为止,已经设置了Sign In&Sign Up方法。
Everything works fine, and now I am working on the Forgot Password and Update Password . 一切正常,现在我正在使用“ 忘记密码”和“ 更新密码” 。
Problem: 问题:
The problem is, is that the way AWS has set up the Forgot Password is that: 问题是,AWS设置“忘记密码”的方式是:
You first enter a username and then after the user enters a username AWS sends a verification code via SMS to the phone number associated with that username. 您首先输入一个用户名,然后在用户输入用户名后,AWS通过SMS将验证码发送到与该用户名关联的电话号码。
That's an issue because it means that anyone can enter any username and a text message will be sent, resulting in my SMS payments increasing and to be honest it just looks sloppy. 这是一个问题,因为这意味着任何人都可以输入任何用户名,并且将发送一条短信,导致我的SMS付款增加,说实话,它看起来很草率。
What I want to have done is that: 我想做的是:
- After a user enters a username, they then have to enter the phone number associated with the account 用户输入用户名后,他们必须输入与该帐户关联的电话号码
- Then if it matches, it sends the SMS. 然后,如果匹配,则发送SMS。
Question 题
- How do I check if a user exists in a userpool? 如何检查用户池中是否存在用户?
- And then if it does, how do I get the user attribute associated with the phone number to check if it matches the phone number that the user enters? 然后,如何获取与电话号码关联的用户属性,以检查其是否与用户输入的电话号码匹配?
- Is this even possible? 这有可能吗? Can I even get the credentials of a user who isn't the one logged in? 我什至可以获取未登录用户的凭据?
Thanks in advance! 提前致谢!
2 个解决方案
解决方案1
1 已采纳 2017-03-10 18:55:05
Cognito User Pools does not currently allow you to get attributes for a user (such as phone number) without that user having signed in and gotten an access token. Cognito用户池当前不允许您在未登录并获得访问令牌的情况下获取该用户的属性(例如电话号码)。
The admin apis can do the lookup you're looking for, but they shouldn't be called from the client as that would mean you have to embed credentials. 管理员api可以执行您要查找的查找,但是不应从客户端调用它们,因为这将意味着您必须嵌入凭据。 If this is a must have for you, you could potentially secure those credentials by wrapping it in API Gateway or something along those lines and then call that from your client. 如果这是您的必备条件,则可以通过将其包装在API Gateway或类似内容中来保护这些凭据,然后从客户端调用该凭据。
解决方案2
0 2017-06-08 21:15:52
Here is how you should do it: 1) Create a web API using the APIGateway. 这是您应该执行的操作:1)使用APIGateway创建Web API。 Ideally you want to restrict access with an API Key, which you should bundle with your application. 理想情况下,您想使用API密钥来限制访问,该密钥应与应用程序捆绑在一起。 2) Connect a POST method to a Lambda function, which will (a) perform the necessary checks (whether the phone number specified is indeed the correct one, etc), calling the admin_* functions. 2)将POST方法连接到Lambda函数,该函数将(a)进行必要的检查(指定的电话号码是否确实是正确的电话等),并调用admin_ *函数。 (b) issue the client version of the password reset, which will trigger the sending of the SMS code. (b)发出密码重置的客户端版本,这将触发发送SMS代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.