Controlling user auth flow with Lambda & Cognito (pt2)
Jodamco
Posted on June 3, 2024
Last post, we wrote the code for our preAuth trigger that would handle the count of attempts to login. The idea now is to reset the counter after the login is successful since we want all the atempts to be available when the user come to login for another session.
The code for the postAuth trigger is way simpler than the one for the preAuth. Let's dive into it
module.exports.postAuthTrigger = async (event) => {
await this.clearLoginAttempts(event)
return event
}
exports.clearLoginAttempts = async (event) => {
const updateParams = {
UserAttributes: [
{
Name: 'custom:login_attempts',
Value: '0',
},
],
UserPoolId: event.userPoolId,
Username: event.userName,
}
await cognitoService.adminUpdateUserAttributes(updateParams).promise()
}
To reset the login attempts, we just need to update the same counter we used in the preAuth trigger, which is stored into the prop 'custom:login_attempts'. We can do it by calling the adminUpdateUserAttributes function from the cognito API.
One other important thing to mention is that we need to return the 'event' object that we receive when the lambda is called since cognito will expect to have it to continue with the auth flow. After creating the lambdas, we need to setup the cognito accordingly with the needed property (login_attempts) and the setup for the triggers.
First you may need to create your user pool. To do so you start by signing in to the AWS Management Console and navigating to Amazon Cognito. Click "Manage User Pools" and then "Create a user pool". Along the wizard to create the user pool you will notice an option to create custom attributes. Here you will create your 'login_attempts' attribute. You will notice that even though we set the name as 'login_attempts', cognito will ask you to access it by calling 'custom:login_attempts'. That's the default for custom attributes on cognito
To finish the creation of the user pool, follow the steps and after review your configurations and click "Create pool."
Now, you just simply need to attach the created lambdas to your cognito. Open the created user pool and search for 'User pool properties', there you'll find the lambda trigger setup. Click on 'Add lambda trigger'.
You will notice a few different types of triggers. We will use Authentication triggers. Select the Authentication option, the preAuth trigger and attach the preAuthTrigger lambda you created. Then repeat the process but to attach the postAuthTrigger lambda to postAuth trigger.
And it's done! Now you have a cognito user pool setup to block user after n unsuccessful attempts of login! To test it out, you may integrate cognito with some web or mobile app using the Amplify SDK. You can also use this same triggers to add other features, such as saving last login from the user or triggering other services after the login.
Posted on June 3, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.