Read/Write to Cognito DeveloperOnlyAttribute

Can someone provide some guidance on how to read and write to the DeveloperOnlyAttribute as mentioned in this link?

I've created this attribute using CloudFormation, and in the Cognito console a custom attribute is created as custom:dev:custom:paid_user. If my understanding of the purpose of DeveloperOnlyAttribute is correct, my use case is: once a user has paid for the app, I'll have a back-end Lambda function that changes this attribute. Users themselves will not have the authorization to change this attribute. Correct?

Thanks.

Updated 2020/07

The AWS document has been updated with this line:

We recommend that you use WriteAttributes in the user pool client to control how attributes can be mutated for new use cases instead of using DeveloperOnlyAttribute.

My use case scenario is that there are certain attributes that the user can view but cannot edit. For example, a paid_user attribute where, after payment, the system updates the attribute, and the user can never edit it themselves.

What I've done for my case is to set those attributes as non-writable attributes. The user will not be able to edit those attributes, but using adminUpdateUserAttributes() I'm still able to update them.

SimonSays asked Jul 21 '19 12:07



1 Answer

There is close to zero information on this from the AWS documentation, but here's what I've discovered from testing myself.

Mutable DeveloperOnlyAttributes:

  • always have a dev:custom prefix on them, except in the AWS console, where the prefix is custom:dev:custom. So in your case, when using the APIs you should refer to the attribute as dev:custom:paid_user
  • are not visible in a call to getUser(), regardless of whether it is called with developer credentials or not
  • are visible when calling adminGetUser(). Calling this API requires developer credentials
  • are editable when calling adminUpdateUserAttributes(). Calling this API requires developer credentials
  • are editable when calling updateUserAttributes(), regardless of whether it is called with developer credentials or not

Re-read that last one for a moment. You don't need developer credentials to write to a DeveloperOnlyAttribute. A user can log in with their username/password and then make a call to updateUserAttributes() to change any DeveloperOnlyAttributes defined on their entry in the user pool. At least that's what my testing has shown; I would love for somebody else to try this out and verify/disprove this behavior.

If Cognito had a public bug tracker, this would go there.

Use at your own risk.

UPDATE 2020/05:

AWS Cognito has since contacted me privately to say they fixed the security issue outlined above.

Mike Fogel answered Oct 18 '22 18:10

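A worked example, added here and not code from either poster or from AWS, of the approach in the question's update (keep custom:paid_user out of the app client's WriteAttributes and change it only from the backend with adminUpdateUserAttributes) together with the check the answer's finding calls for: an audit that confirms the app client is not allowed to write the protected attribute. The boto3 method names admin_update_user_attributes and describe_user_pool_client are real; the pool id, client id, username and the FakeCognito stand-in are constructed placeholders so the block runs offline.

```python
"""Backend-only update of a Cognito custom attribute and an audit of the app
client's WriteAttributes.  Pool id, client id and username below are
constructed placeholders; FakeCognito stands in for boto3.client("cognito-idp")."""
from typing import Any, Dict, List, Optional, Sequence

# Custom attributes are addressed with the "custom:" prefix in the API.
PAID_ATTR = "custom:paid_user"


def mark_user_paid(cognito: Any, user_pool_id: str, username: str,
                   paid: bool = True) -> Dict[str, Any]:
    """Set custom:paid_user from the backend (e.g. a Lambda whose IAM role has
    cognito-idp:AdminUpdateUserAttributes).  No user token is involved, so the
    app client's WriteAttributes restriction does not apply to this call."""
    return cognito.admin_update_user_attributes(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[{"Name": PAID_ATTR, "Value": "true" if paid else "false"}],
    )


def audit_app_client(cognito: Any, user_pool_id: str, client_id: str,
                     protected: Sequence[str] = (PAID_ATTR,)) -> Dict[str, Any]:
    """Report whether the app client may write any protected attribute.

    Returns the protected attributes present in WriteAttributes (should be
    empty) and whether a WriteAttributes list is configured at all; a client
    with no explicit list is flagged so an operator checks what the default
    allows instead of assuming it is a deny."""
    resp = cognito.describe_user_pool_client(UserPoolId=user_pool_id,
                                             ClientId=client_id)
    write_list: Optional[List[str]] = resp["UserPoolClient"].get("WriteAttributes")
    writable = set(write_list or [])
    return {
        "write_list_configured": write_list is not None,
        "protected_writable": [a for a in protected if a in writable],
    }


class FakeCognito:
    """Constructed stand-in for a boto3 cognito-idp client so the example runs
    offline: records admin updates and serves a canned describe response."""

    def __init__(self, write_attributes: Optional[Sequence[str]]):
        self.write_attributes = write_attributes
        self.updates: List[Dict[str, Any]] = []

    def admin_update_user_attributes(self, **kwargs: Any) -> Dict[str, Any]:
        self.updates.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

    def describe_user_pool_client(self, **kwargs: Any) -> Dict[str, Any]:
        client: Dict[str, Any] = {"ClientId": kwargs["ClientId"]}
        if self.write_attributes is not None:
            client["WriteAttributes"] = list(self.write_attributes)
        return {"UserPoolClient": client}


if __name__ == "__main__":
    # With real AWS credentials you would pass boto3.client("cognito-idp") instead.
    pool, client_id = "POOL_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER"
    good = FakeCognito(["email", "name"])       # paid_user not writable by the app
    bad = FakeCognito(["email", PAID_ATTR])     # misconfigured client
    print(audit_app_client(good, pool, client_id))
    print(audit_app_client(bad, pool, client_id))
    mark_user_paid(good, pool, "alice")
    print(good.updates[0]["UserAttributes"])
```

The audit is worth running as a periodic check against every app client in the pool, since the answer's point is that the effective permission is what the service enforces, not what the schema flag suggests; a client that lists the protected attribute, or has no WriteAttributes list at all, should be treated as a finding.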