fix(auth): standardize CloudFormation trigger templates, prevent erro…

…rs at runtime (#7219) * fix: add-to-group PostConfirmation Lambda should not throw Co-authored-by: Colin Ihrig <[email protected]>
aws-amplify · Jul 12, 2021 · f9796bd · f9796bd
1 parent 753a737
commit f9796bd
Show file tree

Hide file tree

Showing 24 changed files with 152 additions and 201 deletions.
diff --git a/...ider-utils/awscloudformation/triggers/CreateAuthChallenge/boilerplate-create-challenge.js b/...ider-utils/awscloudformation/triggers/CreateAuthChallenge/boilerplate-create-challenge.js
@@ -1,12 +1,12 @@
 /* tslint:disable */
 /* eslint-disable */
 
-exports.handler = (event, context) => {
+exports.handler = async event => {
   if (event.request.session.length === 2 && event.request.challengeName === 'CUSTOM_CHALLENGE') {
     event.response.publicChallengeParameters = { trigger: 'true' };
 
     event.response.privateChallengeParameters = {};
     event.response.privateChallengeParameters.answer = process.env.CHALLENGEANSWER;
   }
-  context.done(null, event);
+  return event;
 };
diff --git a/...provider-utils/awscloudformation/triggers/CreateAuthChallenge/captcha-create-challenge.js b/...provider-utils/awscloudformation/triggers/CreateAuthChallenge/captcha-create-challenge.js
@@ -1,11 +1,11 @@
 /* tslint:disable */
 /* eslint-disable */
 
-exports.handler = (event, context) => {
+exports.handler = async event => {
   if (event.request.session.length === 2 && event.request.challengeName === 'CUSTOM_CHALLENGE') {
     event.response.publicChallengeParameters = { trigger: 'true' };
     event.response.privateChallengeParameters = { answer: '' };
     event.response.challengeMetadata = 'CAPTCHA_CHALLENGE';
   }
-  context.done(null, event);
+  return event;
 };
diff --git a/...ils/awscloudformation/triggers/CreateAuthChallenge/function-template-dir/trigger-index.js b/...ils/awscloudformation/triggers/CreateAuthChallenge/function-template-dir/trigger-index.js
diff --git a/...der-utils/awscloudformation/triggers/CustomMessage/function-template-dir/trigger-index.js b/...der-utils/awscloudformation/triggers/CustomMessage/function-template-dir/trigger-index.js
diff --git a/...ategory-auth/provider-utils/awscloudformation/triggers/CustomMessage/verification-link.js b/...ategory-auth/provider-utils/awscloudformation/triggers/CustomMessage/verification-link.js
@@ -1,4 +1,4 @@
-exports.handler = (event, context, callback) => {
+exports.handler = async event => {
   // Define the URL that you want the user to be directed to after verification is complete
   if (event.triggerSource === 'CustomMessage_SignUp') {
     const { codeParameter } = event.request;
@@ -26,7 +26,7 @@ exports.handler = (event, context, callback) => {
         redirectUrl,
         region,
         clientId,
-      })
+      }),
     ).toString('base64');
     const bucketUrl = `http://${resourcePrefix}verificationbucket-${process.env.ENV}.s3-website${seperator}${region}.amazonaws.com`;
     const url = `${bucketUrl}/?data=${payload}&code=${codeParameter}`;
@@ -35,8 +35,7 @@ exports.handler = (event, context, callback) => {
     event.response.emailSubject = process.env.EMAILSUBJECT;
     event.response.emailMessage = message;
     console.log('event.response', event.response);
-    callback(null, event);
-  } else {
-    callback(null, event);
   }
+
+  return event;
 };
diff --git a/...ider-utils/awscloudformation/triggers/DefineAuthChallenge/boilerplate-define-challenge.js b/...ider-utils/awscloudformation/triggers/DefineAuthChallenge/boilerplate-define-challenge.js
@@ -1,4 +1,4 @@
-exports.handler = (event, context) => {
+exports.handler = async event => {
   if (event.request.session.length === 1 && event.request.session[0].challengeName === 'SRP_A') {
     event.response.issueTokens = false;
     event.response.failAuthentication = false;
@@ -22,5 +22,6 @@ exports.handler = (event, context) => {
     event.response.issueTokens = false;
     event.response.failAuthentication = true;
   }
-  context.done(null, event);
+
+  return event;
 };
diff --git a/...provider-utils/awscloudformation/triggers/DefineAuthChallenge/captcha-define-challenge.js b/...provider-utils/awscloudformation/triggers/DefineAuthChallenge/captcha-define-challenge.js
@@ -1,4 +1,4 @@
-exports.handler = (event, context) => {
+exports.handler = async event => {
   if (event.request.session.length === 1 && event.request.session[0].challengeName === 'SRP_A') {
     event.response.issueTokens = false;
     event.response.failAuthentication = false;
@@ -22,5 +22,6 @@ exports.handler = (event, context) => {
     event.response.issueTokens = false;
     event.response.failAuthentication = true;
   }
-  context.done(null, event);
+
+  return event;
 };
diff --git a/...ils/awscloudformation/triggers/DefineAuthChallenge/function-template-dir/trigger-index.js b/...ils/awscloudformation/triggers/DefineAuthChallenge/function-template-dir/trigger-index.js
diff --git a/...tils/awscloudformation/triggers/PostAuthentication/function-template-dir/trigger-index.js b/...tils/awscloudformation/triggers/PostAuthentication/function-template-dir/trigger-index.js
diff --git a/...-category-auth/provider-utils/awscloudformation/triggers/PostConfirmation/add-to-group.js b/...-category-auth/provider-utils/awscloudformation/triggers/PostConfirmation/add-to-group.js
@@ -1,34 +1,31 @@
 /* eslint-disable-line */ const aws = require('aws-sdk');
 
-exports.handler = async (event, context) => {
-  const cognitoidentityserviceprovider = new aws.CognitoIdentityServiceProvider({ apiVersion: '2016-04-18' });
+const cognitoidentityserviceprovider = new aws.CognitoIdentityServiceProvider({
+  apiVersion: '2016-04-18',
+});
+
+exports.handler = async event => {
   const groupParams = {
     GroupName: process.env.GROUP,
     UserPoolId: event.userPoolId,
   };
-
   const addUserParams = {
     GroupName: process.env.GROUP,
     UserPoolId: event.userPoolId,
     Username: event.userName,
   };
-
+  /**
+   * Check if the group exists; if it doesn't, create it.
+   */
   try {
     await cognitoidentityserviceprovider.getGroup(groupParams).promise();
   } catch (e) {
     await cognitoidentityserviceprovider.createGroup(groupParams).promise();
   }
+  /**
+   * Then, add the user to the group.
+   */
+  await cognitoidentityserviceprovider.adminAddUserToGroup(addUserParams).promise();
 
-  try {
-    await cognitoidentityserviceprovider.adminAddUserToGroup(addUserParams).promise();
-    return {
-      statusCode: 200,
-      body: JSON.stringify(event)
-    }
-  } catch (error) {
-    return {
-      statusCode: 500,
-      body: JSON.stringify(error)
-    }
-  }
+  return event;
 };
diff --git a/...-utils/awscloudformation/triggers/PostConfirmation/function-template-dir/trigger-index.js b/...-utils/awscloudformation/triggers/PostConfirmation/function-template-dir/trigger-index.js
diff --git a/...utils/awscloudformation/triggers/PreAuthentication/function-template-dir/trigger-index.js b/...utils/awscloudformation/triggers/PreAuthentication/function-template-dir/trigger-index.js
diff --git a/...auth/provider-utils/awscloudformation/triggers/PreSignup/email-filter-allowlist-legacy.js b/...auth/provider-utils/awscloudformation/triggers/PreSignup/email-filter-allowlist-legacy.js
@@ -1,13 +1,13 @@
-exports.handler = (event, context, callback) => {
+exports.handler = async event => {
   // allowed domains
   const ald = process.env.DOMAINWHITELIST.split(',').map(d => d.trim());
 
   const { email } = event.request.userAttributes;
   const domain = email.substring(email.indexOf('@') + 1);
 
   if (!ald.includes(domain)) {
-    callback(new Error(`Invalid email domain: ${domain}`), event);
-  } else {
-    callback(null, event);
+    throw new Error(`Invalid email domain: ${domain}`);
   }
+
+  return event;
 };
diff --git a/...tegory-auth/provider-utils/awscloudformation/triggers/PreSignup/email-filter-allowlist.js b/...tegory-auth/provider-utils/awscloudformation/triggers/PreSignup/email-filter-allowlist.js
@@ -1,13 +1,13 @@
-exports.handler = (event, context, callback) => {
+exports.handler = async event => {
   // allowed domains
   const ald = process.env.DOMAINALLOWLIST.split(',').map(d => d.trim());
 
   const { email } = event.request.userAttributes;
   const domain = email.substring(email.indexOf('@') + 1);
 
   if (!ald.includes(domain)) {
-    callback(new Error(`Invalid email domain: ${domain}`), event);
-  } else {
-    callback(null, event);
+    throw new Error(`Invalid email domain: ${domain}`);
   }
+
+  return event;
 };
diff --git a/...-auth/provider-utils/awscloudformation/triggers/PreSignup/email-filter-denylist-legacy.js b/...-auth/provider-utils/awscloudformation/triggers/PreSignup/email-filter-denylist-legacy.js
@@ -1,13 +1,13 @@
-exports.handler = (event, context, callback) => {
+exports.handler = async event => {
   // disallowed domains
   const dld = process.env.DOMAINBLACKLIST.split(',').map(d => d.trim());
 
   const { email } = event.request.userAttributes;
   const domain = email.substring(email.indexOf('@') + 1);
 
   if (dld.includes(domain)) {
-    callback(new Error(`Invalid email domain: ${domain}`), event);
-  } else {
-    callback(null, event);
+    throw new Error(`Invalid email domain: ${domain}`);
   }
+
+  return event;
 };
diff --git a/...ategory-auth/provider-utils/awscloudformation/triggers/PreSignup/email-filter-denylist.js b/...ategory-auth/provider-utils/awscloudformation/triggers/PreSignup/email-filter-denylist.js
@@ -1,13 +1,13 @@
-exports.handler = (event, context, callback) => {
+exports.handler = async event => {
   // disallowed domains
   const dld = process.env.DOMAINDENYLIST.split(',').map(d => d.trim());
 
   const { email } = event.request.userAttributes;
   const domain = email.substring(email.indexOf('@') + 1);
 
   if (dld.includes(domain)) {
-    callback(new Error(`Invalid email domain: ${domain}`), event);
-  } else {
-    callback(null, event);
+    throw new Error(`Invalid email domain: ${domain}`);
   }
+
+  return event;
 };
diff --git a/...rovider-utils/awscloudformation/triggers/PreSignup/function-template-dir/trigger-index.js b/...rovider-utils/awscloudformation/triggers/PreSignup/function-template-dir/trigger-index.js
diff --git a/...ategory-auth/provider-utils/awscloudformation/triggers/PreTokenGeneration/alter-claims.js b/...ategory-auth/provider-utils/awscloudformation/triggers/PreTokenGeneration/alter-claims.js
@@ -1,4 +1,4 @@
-exports.handler = async (event, context, callback) => {
+exports.handler = async event => {
   event.response = {
     claimsOverrideDetails: {
       claimsToAddOrOverride: {
@@ -9,5 +9,5 @@ exports.handler = async (event, context, callback) => {
     },
   };
   // Return to Amazon Cognito
-  callback(null, event);
+  return event;
 };
diff --git a/...tils/awscloudformation/triggers/PreTokenGeneration/function-template-dir/trigger-index.js b/...tils/awscloudformation/triggers/PreTokenGeneration/function-template-dir/trigger-index.js
diff --git a/...ovider-utils/awscloudformation/triggers/VerifyAuthChallengeResponse/boilerplate-verify.js b/...ovider-utils/awscloudformation/triggers/VerifyAuthChallengeResponse/boilerplate-verify.js
@@ -1,8 +1,9 @@
-exports.handler = (event, context) => {
+exports.handler = async event => {
   if (event.request.privateChallengeParameters.answer === event.request.challengeAnswer) {
     event.response.answerCorrect = true;
   } else {
     event.response.answerCorrect = false;
   }
-  context.done(null, event);
+
+  return event;
 };
diff --git a/...h/provider-utils/awscloudformation/triggers/VerifyAuthChallengeResponse/captcha-verify.js b/...h/provider-utils/awscloudformation/triggers/VerifyAuthChallengeResponse/captcha-verify.js
@@ -2,23 +2,23 @@
 const axios = require('axios');
 /* eslint-enable */
 
-exports.handler = (event, context, callback) => {
-  axios
-    .post(
-      `https://www.google.com/recaptcha/api/siteverify?secret=${process.env.RECAPTCHASECRET}&response=${event.request.challengeAnswer}`,
-      {}
-    )
-    .then(response => {
-      if (response && response.data && response.data.success) {
-        event.response.answerCorrect = true;
-        callback(null, event);
-      } else {
-        event.response.answerCorrect = false;
-        callback(new Error('captcha verification error'), event);
-      }
-    })
-    .catch(() => {
-      event.response.answerCorrect = false;
-      callback(new Error('captcha verification error'), event);
-    });
+exports.handler = async event => {
+  const response = await axios.post(
+    `https://www.google.com/recaptcha/api/siteverify?secret=${process.env.RECAPTCHASECRET}&response=${event.request.challengeAnswer}`,
+    {},
+  );
+  /**
+   * Verify that the CAPTCHA challenge succeeded, and if it did, indicate so in
+   * the event response.
+   *
+   * If the challenge fails, throw an error.
+   */
+  const challengeSucceeded = response && response.data && response.data.success;
+  event.response.answerCorrect = !!challengeSucceeded;
+
+  if (!challengeSucceeded) {
+    throw new Error('CAPTCHA verification error');
+  }
+
+  return event;
 };