AWS cognito 預授權 lambda 觸發器

Question

我目前正在從事一個用戶管理項目，我正在嘗試在 AWS cognito 中實施預身份驗證 lambda 觸發器，該觸發器在外部數據庫中檢查經過身份驗證的用戶擁有的訂閱並將其返回。 有人可以幫我舉個例子嗎？ 這是我第一次使用 aws cognito

我嘗試添加查詢以檢查外部數據庫中的用戶訂閱，但沒有成功。

Answer 1

要在 AWS Cognito 中使用預身份驗證 Lambda 觸發器，您需要創建一個 Lambda function 並將其附加到PreAuthentication屬性。

CloudFormation 模板示例

Resources:
  ExampleUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: ExampleUserPool
      LambdaConfig:
        PreAuthentication:
          - LambdaTrigger: true
            LambdaFunctionArn: !GetAtt PreAuthLambdaFunction.Arn

  PreAuthLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: PreAuthLambdaFunction
      Runtime: nodejs18.x

示例 Lambda function

exports.handler = async (event) => {
  // Extract attributes from the event object
  const { username } = event.request.userAttributes;

  // Check an external data base the subscription the authenticated user has
  const subscriptionStatus = await checkExternalDatabase(username);

  // Stop Cognito flow based on subscription status 
  if (subscriptionStatus !== 'ACTIVE') {
    throw new Error('User does not have a valid subscription');
  }

  // Continue Cognito flow
  return event;
};

請參閱： https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-lambdaconfig