
AWS Cognito Test Environment

I'm currently working on using AWS Cognito to manage user authentication for our application. One snag I'm running into is figuring out a good way to implement a "test" or "qa" environment.

I have a lot of automated tests for my APIs that will create users with random data. Obviously I don't want Cognito to send out actual SMS or Email messages in this environment. Also when doing manual testing we will be creating users a lot with fake phone numbers and emails. Is there any way to turn the User Pool in "development" mode where all messages simply get logged some way?

scotty4567 asked Dec 31 '16 02:12


2 Answers

You can write a pre sign up lambda function and auto confirm the user in the lambda function by setting the autoConfirmUser flag. In that case, Cognito doesn't send any SMSes or emails with confirmation codes. Example lambda below from the documentation (http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html#aws-lambda-triggers-pre-registration-example).

exports.handler = function(event, context) {
    // This Lambda function returns a flag to indicate if a user should be auto-confirmed.

    // Perform any necessary validations.

    // Impose a minimum username length of 5 on all user pools.
    if (event.userName.length < 5) {
        var error = new Error('failed!');
        // Return here so context.done is not called a second time below.
        return context.done(error, event);
    }

    // Access your resource which contains the list of emails of users who were invited to sign up
    // (placeholder: load this array from your own data store).
    var listOfEmailsInvited = [];

    // Compare the email from the request to the approved list
    if (event.userPoolId === "yourSpecialUserPool") {
        // indexOf compares values; the `in` operator would test array indexes instead.
        if (listOfEmailsInvited.indexOf(event.request.userAttributes.email) !== -1) {
            event.response.autoConfirmUser = true;
        }
    }
    // Return result to Cognito
    context.done(null, event);
};
Ionut Trestian answered Sep 22 '22 23:09
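A Pre sign-up trigger of the kind this answer describes, written so that it auto-confirms only inside one named test pool and leaves the normal confirmation flow in place everywhere else. This is an added example, not code from the answer or the AWS documentation; the environment variable names TEST_USER_POOL_ID and TEST_EMAIL_DOMAIN, the helper names and the sample values are assumptions, and it expects test users to sign up with an email in the test domain.

```javascript
// Added example. TEST_USER_POOL_ID and TEST_EMAIL_DOMAIN are hypothetical
// environment variable names chosen for this sketch, not Cognito settings.

// True only for a sign-up in the configured test pool whose email is in the
// configured test domain. Any missing setting means "no" (fail closed).
function isTestSignUp(event, env) {
    const poolId = env.TEST_USER_POOL_ID;
    const domain = String(env.TEST_EMAIL_DOMAIN || '').toLowerCase();
    if (!poolId || !domain || event.userPoolId !== poolId) return false;
    const attrs = (event.request && event.request.userAttributes) || {};
    return String(attrs.email || '').toLowerCase().endsWith('@' + domain);
}

// Sets the Pre sign-up response flags in place and returns the event.
function applyPreSignUp(event, env) {
    event.response = event.response || {};
    // Not a test sign-up: change nothing, Cognito confirms the user as usual.
    if (!isTestSignUp(event, env)) return event;
    const attrs = event.request.userAttributes;
    event.response.autoConfirmUser = true;
    // Mark an attribute verified only when the sign-up actually supplied it.
    if (attrs.email) event.response.autoVerifyEmail = true;
    if (attrs.phone_number) event.response.autoVerifyPhone = true;
    return event;
}

// Lambda entry point (async handlers return the event instead of calling done).
async function handler(event) {
    return applyPreSignUp(event, process.env);
}
if (typeof module !== 'undefined') module.exports = { handler };

// Constructed sample event: a trimmed Pre sign-up trigger event shape.
function sampleEvent(userPoolId, userAttributes) {
    return { userPoolId, userName: 'qa-user-1', request: { userAttributes }, response: {} };
}
```

If the trigger is ever attached to a pool other than the one named in TEST_USER_POOL_ID, or the variables are unset, it returns the event unchanged.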


Here is what I did to create a "staging" environment User Pool in AWS Cognito that does not send real notifications to users. There were actually a couple different pieces involved, but I think I was able to get everything covered. That being said, it would sure be nice if Cognito simply provided a User Pool setting to turn off all notifications, that way I don't have to write environment specific logic into my code.

Prevent User Invitations

In our app we use the AdminCreateUser function to create users who get invited by other users. This function will normally send an invitation message to the new user's phone number or email. In order to prevent those invitations, you can provide MessageAction: 'SUPPRESS' as a parameter to the function arguments. Like so:

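// AWS SDK for JavaScript v2; `config` and `user` come from the application.
const AWS = require('aws-sdk');
const uuid = require('uuid');
const cognito = new AWS.CognitoIdentityServiceProvider();

let params = {
    UserPoolId: config.cognitoUserPoolId,
    Username: uuid.v4(),
    MessageAction: 'SUPPRESS', /* IMPORTANT! */
    // Last six digits of the phone number (predictable to anyone who knows the number)
    TemporaryPassword: user.phone_number.slice(-6),
    UserAttributes: [
        { Name: 'given_name', Value: user.first_name },
        { Name: 'family_name', Value: user.last_name },
        { Name: 'phone_number', Value: user.phone_number }
    ]
};

cognito.adminCreateUser(params).promise().then(data => {
    console.log(data);
}).catch(err => {
    // Surface failures instead of leaving an unhandled rejection.
    console.error(err);
});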

Official docs for that here: http://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html

Prevent User Attribute Update Verifications

In our production app, we want users to have to re-verify their phone number or email if it changes. But in our staging environment we don't actually need this. So uncheck the boxes for email and phone under the "Do you want to require verification of emails or phone numbers?" section in your User Pool settings.

[Image: User Pool Settings]

scotty4567 answered Sep 24 '22 23:09