Deserialization error in Cognito triggered lambda for CUSTOM_AUTH flow #1644

Closed
ankushjain358 opened this issue Dec 19, 2023 · 10 comments
Labels
bug This issue is a bug. module/lambda-client-lib p2 This is a standard priority issue queued s Effort estimation: small

Comments

@ankushjain358
Contributor

ankushjain358 commented Dec 19, 2023

Describe the bug

To enable CUSTOM_AUTH flow, I created the 3 Lambda functions below in .NET, and used the Amazon.Lambda.CognitoEvents NuGet package v2.2.0 for input events.

  • DefineAuthChallenge
  • CreateAuthChallenge
  • VerifyAuthChallenge

Out of the above 3, two Lambda functions are failing while deserializing the incoming event JSON to the .NET type. It seems that Cognito is sending boolean values as null, while the respective .NET properties are not nullable.

Here are the .NET types which are creating the issue:

  • CognitoDefineAuthChallengeEvent
    • response.issueTokens should be nullable
    • response.failAuthentication should be nullable
  • CognitoVerifyAuthChallengeEvent
    • response.answerCorrect should be nullable

Expected Behavior

The .NET Lambda function should be triggered with the incoming event JSON without any error.

Current Behavior

The .NET Lambda function fails for the following triggers when using types defined in Amazon.Lambda.CognitoEvents library.

  • Cognito > Custom authentication > Define auth challenge
  • Cognito > Custom authentication > Verify auth challenge response

Reproduction Steps

Create Lambda functions as per the syntax below for Cognito triggers.

  1. DefineAuthChallenge

    public CognitoDefineAuthChallengeEventCustom DefineAuthChallenge(CognitoDefineAuthChallengeEvent challengeEvent)
    {
        ...
    }

  2. VerifyAuthChallenge

    public CognitoVerifyAuthChallengeEventCustom VerifyAuthChallenge(CognitoVerifyAuthChallengeEventCustom challengeEvent)
    {
        ...
    }

Use the following JSON as input event, just make the boolean fields null.

Possible Solution

Update boolean properties to nullable boolean.

  • CognitoDefineAuthChallengeEvent
    • response.issueTokens should be nullable
    • response.failAuthentication should be nullable
  • CognitoVerifyAuthChallengeEvent
    • response.answerCorrect should be nullable

Additional Information/Context

1  DefineAuthChallengeEvent
2  VerifyAuthChallenge Event
3  Local error
4  Error in CloudWatch

AWS .NET SDK and/or Package version used

<ItemGroup>
	<PackageReference Include="Amazon.Lambda.CognitoEvents" Version="2.2.0" />
	<PackageReference Include="Amazon.Lambda.Core" Version="2.2.0" />
	<PackageReference Include="Amazon.Lambda.Serialization.SystemTextJson" Version="2.4.0" />
	<PackageReference Include="Amazon.Lambda.Annotations" Version="1.0.0" />
	<PackageReference Include="AWS.Lambda.Powertools.Logging" Version="1.4.4" />
</ItemGroup>

Targeted .NET Platform

.NET 6

Operating System and version

Windows 10, Amazon Linux 2
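
The failure described in this report, as an added example that is not part of the original post or the library's code: the two response classes are hypothetical stand-ins for the event's response object, and the JSON is a constructed sample with the booleans set to null. It calls System.Text.Json directly, the serializer behind the Amazon.Lambda.Serialization.SystemTextJson package listed above.

```csharp
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical stand-in for the pre-fix shape: non-nullable booleans.
public class ResponseNonNullable
{
    [JsonPropertyName("issueTokens")] public bool IssueTokens { get; set; }
    [JsonPropertyName("failAuthentication")] public bool FailAuthentication { get; set; }
}

// Hypothetical stand-in for the proposed shape: nullable booleans.
public class ResponseNullable
{
    [JsonPropertyName("issueTokens")] public bool? IssueTokens { get; set; }
    [JsonPropertyName("failAuthentication")] public bool? FailAuthentication { get; set; }
}

public static class Program
{
    // Constructed sample: the response booleans arrive as null.
    private const string Json = "{\"issueTokens\":null,\"failAuthentication\":null}";

    public static void Main()
    {
        try
        {
            JsonSerializer.Deserialize<ResponseNonNullable>(Json);
            Console.WriteLine("bool: deserialized");
        }
        catch (JsonException ex)
        {
            // JSON null cannot be converted to System.Boolean.
            Console.WriteLine($"bool: JsonException at {ex.Path}");
        }

        var response = JsonSerializer.Deserialize<ResponseNullable>(Json) ?? new ResponseNullable();
        Console.WriteLine($"bool?: issueTokens is null = {response.IssueTokens is null}");

        // With nullable fields the handler must still decide the outcome itself.
        // Assumption: a single-challenge policy, so a failed check ends the flow.
        bool challengePassed = false; // hypothetical result of the handler's own check
        response.IssueTokens = challengePassed;
        response.FailAuthentication = !challengePassed;
        Console.WriteLine(JsonSerializer.Serialize(response));
    }
}
```

Once the properties are `bool?`, code that reads them should compare explicitly (for example `response.IssueTokens == true`) so that a null is never treated as a passed challenge.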

@ankushjain358 ankushjain358 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 19, 2023
@ashishdhingra ashishdhingra added module/lambda-client-lib needs-review needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. needs-review labels Dec 19, 2023
@ashishdhingra
Contributor

Most likely the model from Cognito events changed and the corresponding POCO class needs an update.

@ashishdhingra
Contributor

@ankushjain358 Good afternoon. Here are my observations:

  • If you refer to the page Verify Auth challenge response Lambda trigger, for answerCorrect: If the user successfully completes the challenge, Amazon Cognito sets the attribute value to true. If the user doesn't successfully complete the challenge, Amazon Cognito sets the value to false. There is also an example which demonstrates how to set the value for the answerCorrect parameter.
    It doesn't specify under which conditions the value of answerCorrect would be null.
  • If you refer to the page Define Auth challenge Lambda trigger:
    • For issueTokens: If you determine that the user has completed the authentication challenges sufficiently, set to true. If the user has not met the challenges sufficiently, set to false.
    • For failAuthentication: If you want to end the current authentication process, set to true. To continue the current authentication process, set to false.
      It doesn't specify guidance on setting null for these values. The page also has an example, which demonstrates how to set the values.

Please confirm the following:

  • Is your use case that the default event object set by Cognito has null for the values having the issue, and that the Lambda Cognito Event POCO classes should allow null values for these fields?
  • Is it possible to share an end-to-end setup (without manually using customized response JSON) with steps, so that we could reproduce the issue at our end?
  • Is it possible to contribute a PR for the fix (the fix appears to be pretty trivial) along with unit test cases?

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to close soon in 7 days. p2 This is a standard priority issue and removed needs-reproduction This issue needs reproduction. labels Dec 19, 2023
@ankushjain358
Contributor Author

ankushjain358 commented Dec 20, 2023

> Is your use case is that the default event object set by Cognito has null for these values having issue and that the Lambda Cognito Event POCO classes should allow null values for these fields?

Yes

> Is it possible to share end-to-end setup (without manually using customized response JSON) with steps, so that we could reproduce the issue at our end?

Steps to reproduce this issue.

  • Unzip attached cognito-lambda-triggers-demo.zip
  • Run the following commands to deploy the stack,
    sam build
    sam deploy
    
  • Run the following commands to create a user in Cognito User Pool.
    # perform sign-up
    aws cognito-idp sign-up \
      --region YOUR_COGNITO_REGION \
      --client-id YOUR_COGNITO_APP_CLIENT_ID \
      --username YOUR_USER_EMAIL \
      --password Passw0rd!
    
    # confirm sign-up
    aws cognito-idp admin-confirm-sign-up \
      --region YOUR_COGNITO_REGION \
      --user-pool-id YOUR_COGNITO_USER_POOL_ID \
      --username YOUR_USER_EMAIL
    
  • Run the following commands to perform CUSTOM_AUTH flow, and generate event logs in CloudWatch.
    aws cognito-idp initiate-auth --client-id YOUR_CLIENT_ID --auth-flow CUSTOM_AUTH --auth-parameters USERNAME=YOUR_USER_EMAIL
    
    aws cognito-idp respond-to-auth-challenge --client-id YOUR_CLIENT_ID --challenge-name CUSTOM_CHALLENGE --challenge-responses USERNAME=YOUR_USER_EMAIL,ANSWER="Cricket" --session "SESSION_TOKEN"
    
  • After running the above commands, go to CloudWatch Log Groups, and see the logged event JSON.

> Is it possible to contribute a PR for the fix (the fix appears to be pretty trivial) along with unit test cases?

Yes, I will raise it soon.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to close soon in 7 days. label Dec 21, 2023
@ankushjain358
Contributor Author

@ashishdhingra - Any update here?

@ashishdhingra ashishdhingra added the s Effort estimation: small label Jan 5, 2024
@ashishdhingra
Contributor

ashishdhingra commented Jan 5, 2024

@ankushjain358 Could you please share sample JSON for testing in text format (not the image)? We would prefer actual JSON that you encounter as logged in CloudWatch.

@ankushjain358
Contributor Author

@ashishdhingra I have provided the entire sample in a zip file with the steps to reproduce in one of the above comments. Can you please just deploy the zipped solution using SAM and reproduce the issue? That way you will also get the event JSON from CloudWatch.

@ashishdhingra
Contributor

> @ashishdhingra I have provided the entire sample in a zip file with the steps to reproduce in one of the above comments. Can you please just deploy the zipped solution using SAM and reproduce the issue? That way you will also get the event JSON from CloudWatch.

@ankushjain358 I reviewed this with the team. Since you have reproduced it end-to-end, we would instead write the unit test case against the JSON you share and make changes to the POCO classes. Feel free to contribute a PR so that this could be merged to the library soon. This would be a breaking change since we are changing data types and would require a major version bump, including a callout in the changelog.

@ankushjain358
Contributor Author

@ashishdhingra - I've created a pull request to address the issue.

Also, I don't believe this would require changes to test cases because I've seen a few other events with nullable bool properties, such as KinesisTimeWindowEvent, ActiveMQMessage, and others, that do not maintain separate event JSON files to test against null values.

PR Link - #1646

@ashovlin
Member

Thanks again for the PR! This has been released in Amazon.Lambda.CognitoEvents v3.0.0.
