viralsavaniIM · November 16, 2022 23:23
diff --git a/PreSignUp_Cognito_Trigger_Without_Consent.js b/PreSignUp_Cognito_Trigger_Without_Consent.js
 ///////////////////////////////////////////////////////////////////////////////
 // Copyright (c) 2021 Facebank, Inc.                                         //
 // All rights reserved.                                                      //
 //                                                                           //
 // Redistribution and use in source and binary forms, with or without        //
 // modification, are permitted provided that the following conditions are    //
 // met:                                                                      //
 //                                                                           //
 //   Redistributions of source code must retain the above copyright          //
 //   notice, this list of conditions and the following disclaimer.           //
 //   Redistributions in bytecode form must reproduce the above copyright     //
 //   notice, this list of conditions and the following disclaimer in         //
 //   the documentation and/or other materials provided with the              //
 //   distribution.                                                           //
 //                                                                           //
 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS       //
 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT         //
 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR     //
 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT      //
 // HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,               //
 // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,      //
 // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS     //
 // OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND    //
 // ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR     //
 // TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE    //
 // USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH          //
 // DAMAGE.                                                                   //
 ///////////////////////////////////////////////////////////////////////////////

 const AWS = require("aws-sdk");

 const cognitoIdp = new AWS.CognitoIdentityServiceProvider();

 /**
 * The name you gave the Facebank OIDC provider when conneting it in the Cognito
 */
 const FACEBANK_COGNITO_PROVIDER_NAME = "FacebankApp";

 /**
 * Name of the trigger when sign up lambda was invoked for federated users
 */
 const EXTERNAL_AUTHENTICATION_PROVIDER_TRIGGER_SOURCE =
  "PreSignUp_ExternalProvider";

 /**
 * Get all the users matching @param email
 * {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#listUsers-property}
 * @param {String} userPoolId Cognito pool id
 * @param {String} email
 */
 async function listUsersByEmail(userPoolId, email) {
  const params = {
    UserPoolId: userPoolId,
    Filter: `email = "${email}"`,
  };
  return new Promise((resolve, reject) => {
    cognitoIdp.listUsers(params, (err, data) => {
      if (err) {
        reject(err);
        return;
      }
      resolve(data);
    });
  });
 }

 /**
 * Runs AdminLinkProviderForUser linking current user in cognito to user retrurned by external provider
 * {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminLinkProviderForUser-property}
 * @param {String} userPoolId Cognito pool id
 * @param {String} cognitoNativeUserID user id of a native Cognito user
 * @param {String} providerName name of the Federated provider
 * @param {String} providerUserID user id given to the user from the Federated provider
 */
 async function adminLinkUserAccounts(
  userPoolId,
  cognitoNativeUserID,
  providerName,
  providerUserID
 ) {
  const params = {
    DestinationUser: {
      ProviderAttributeValue: cognitoNativeUserID,
      ProviderName: "Cognito",
    },
    SourceUser: {
      ProviderAttributeName: "Cognito_Subject",
      ProviderAttributeValue: providerUserID,
      ProviderName: providerName,
    },
    UserPoolId: userPoolId,
  };

  return new Promise((resolve, reject) => {
    cognitoIdp.adminLinkProviderForUser(params, (err, data) => {
      if (err) {
        reject(err);
        return;
      }
      resolve(data);
    });
  });
 }

 exports.handler = async (event, context, callback) => {
  try {
    const triggerSource = event.triggerSource;
    const userPoolId = event.userPoolId;
    const userName = event.userName;
    const userEmail = event.request.userAttributes.email;

    if (triggerSource === EXTERNAL_AUTHENTICATION_PROVIDER_TRIGGER_SOURCE) {

      // example userName: facebankapp_672g71e6-c8qf-4c69-9725-031epl1d96b1
      const [providerNameValue, providerUserId] = userName.split("_");

      if (FACEBANK_COGNITO_PROVIDER_NAME.toLowerCase() === providerNameValue) {
        const usersFilteredByEmail = await listUsersByEmail(
          userPoolId,
          userEmail
        );
        if (
          usersFilteredByEmail.Users &&
          usersFilteredByEmail.Users.length > 0
        ) {
          // user already has cognito account
          const attributes = usersFilteredByEmail.Users[0].Attributes;

          // Only link the user if link doesn't already exists
          /**
           *  1. Get the User Attributes
           *  2. Filter out the attribute named "identities"
           *  3. Parse the "identities" value from JSON string to valid JSON
           *  4. Filter out all the identities which matches `FACEBANK_COGNITO_PROVIDER_NAME`
           *  5. If no link exists create the link
           */
          let shouldCreateLink = true;
          const userIdentity = attributes.filter(
            (attribute) => attribute.Name === "identities"
          );
          if (userIdentity.length > 0) {
            // this does not handle the case if user has multiple idenity from different federated providers
            const identityJSON = JSON.parse(userIdentity[0].Value);
            const faceBankIdentityEntry = identityJSON.filter(
              (identity) =>
                identity.providerName === FACEBANK_COGNITO_PROVIDER_NAME
            );
            if (faceBankIdentityEntry.length !== 0) {
              shouldCreateLink = false;
            }
          }
          if (shouldCreateLink) {
            const cognitoUsername = usersFilteredByEmail.Users[0].Username;
            await adminLinkUserAccounts(
              userPoolId,
              cognitoUsername,
              FACEBANK_COGNITO_PROVIDER_NAME,
              providerUserId
            );

            // Throw a known error which can be trapped on the client side and
            // show a friendly message to the users
            return callback(Error("Accounts linked successfully"), event);
          }
        } else {
          // Optionally you can create a native user and link it to the incoming federated user
        }
      }
    }
    return callback(null, event);
  } catch (error) {
    return callback(error, event);
  }
 };
	///////////////////////////////////////////////////////////////////////////////
	// Copyright (c) 2021 Facebank, Inc. //
	// All rights reserved. //
	// //
	// Redistribution and use in source and binary forms, with or without //
	// modification, are permitted provided that the following conditions are //
	// met: //
	// //
	// Redistributions of source code must retain the above copyright //
	// notice, this list of conditions and the following disclaimer. //
	// Redistributions in bytecode form must reproduce the above copyright //
	// notice, this list of conditions and the following disclaimer in //
	// the documentation and/or other materials provided with the //
	// distribution. //
	// //
	// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS //
	// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT //
	// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR //
	// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT //
	// HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, //
	// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, //
	// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS //
	// OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND //
	// ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR //
	// TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE //
	// USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH //
	// DAMAGE. //
	///////////////////////////////////////////////////////////////////////////////

	const AWS = require("aws-sdk");

	const cognitoIdp = new AWS.CognitoIdentityServiceProvider();

	/**
	* The name you gave the Facebank OIDC provider when conneting it in the Cognito
	*/
	const FACEBANK_COGNITO_PROVIDER_NAME = "FacebankApp";

	/**
	* Name of the trigger when sign up lambda was invoked for federated users
	*/
	const EXTERNAL_AUTHENTICATION_PROVIDER_TRIGGER_SOURCE =
	"PreSignUp_ExternalProvider";

	/**
	* Get all the users matching @param email
	* {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#listUsers-property}
	* @param {String} userPoolId Cognito pool id
	* @param {String} email
	*/
	async function listUsersByEmail(userPoolId, email) {
	const params = {
	UserPoolId: userPoolId,
	Filter: `email = "${email}"`,
	};
	return new Promise((resolve, reject) => {
	cognitoIdp.listUsers(params, (err, data) => {
	if (err) {
	reject(err);
	return;
	}
	resolve(data);
	});
	});
	}

	/**
	* Runs AdminLinkProviderForUser linking current user in cognito to user retrurned by external provider
	* {@link https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminLinkProviderForUser-property}
	* @param {String} userPoolId Cognito pool id
	* @param {String} cognitoNativeUserID user id of a native Cognito user
	* @param {String} providerName name of the Federated provider
	* @param {String} providerUserID user id given to the user from the Federated provider
	*/
	async function adminLinkUserAccounts(
	userPoolId,
	cognitoNativeUserID,
	providerName,
	providerUserID
	) {
	const params = {
	DestinationUser: {
	ProviderAttributeValue: cognitoNativeUserID,
	ProviderName: "Cognito",
	},
	SourceUser: {
	ProviderAttributeName: "Cognito_Subject",
	ProviderAttributeValue: providerUserID,
	ProviderName: providerName,
	},
	UserPoolId: userPoolId,
	};

	return new Promise((resolve, reject) => {
	cognitoIdp.adminLinkProviderForUser(params, (err, data) => {
	if (err) {
	reject(err);
	return;
	}
	resolve(data);
	});
	});
	}

	exports.handler = async (event, context, callback) => {
	try {
	const triggerSource = event.triggerSource;
	const userPoolId = event.userPoolId;
	const userName = event.userName;
	const userEmail = event.request.userAttributes.email;

	if (triggerSource === EXTERNAL_AUTHENTICATION_PROVIDER_TRIGGER_SOURCE) {

	// example userName: facebankapp_672g71e6-c8qf-4c69-9725-031epl1d96b1
	const [providerNameValue, providerUserId] = userName.split("_");

	if (FACEBANK_COGNITO_PROVIDER_NAME.toLowerCase() === providerNameValue) {
	const usersFilteredByEmail = await listUsersByEmail(
	userPoolId,
	userEmail
	);
	if (
	usersFilteredByEmail.Users &&
	usersFilteredByEmail.Users.length > 0
	) {
	// user already has cognito account
	const attributes = usersFilteredByEmail.Users[0].Attributes;

	// Only link the user if link doesn't already exists
	/**
	* 1. Get the User Attributes
	* 2. Filter out the attribute named "identities"
	* 3. Parse the "identities" value from JSON string to valid JSON
	* 4. Filter out all the identities which matches `FACEBANK_COGNITO_PROVIDER_NAME`
	* 5. If no link exists create the link
	*/
	let shouldCreateLink = true;
	const userIdentity = attributes.filter(
	(attribute) => attribute.Name === "identities"
	);
	if (userIdentity.length > 0) {
	// this does not handle the case if user has multiple idenity from different federated providers
	const identityJSON = JSON.parse(userIdentity[0].Value);
	const faceBankIdentityEntry = identityJSON.filter(
	(identity) =>
	identity.providerName === FACEBANK_COGNITO_PROVIDER_NAME
	);
	if (faceBankIdentityEntry.length !== 0) {
	shouldCreateLink = false;
	}
	}
	if (shouldCreateLink) {
	const cognitoUsername = usersFilteredByEmail.Users[0].Username;
	await adminLinkUserAccounts(
	userPoolId,
	cognitoUsername,
	FACEBANK_COGNITO_PROVIDER_NAME,
	providerUserId
	);

	// Throw a known error which can be trapped on the client side and
	// show a friendly message to the users
	return callback(Error("Accounts linked successfully"), event);
	}
	} else {
	// Optionally you can create a native user and link it to the incoming federated user
	}
	}
	}
	return callback(null, event);
	} catch (error) {
	return callback(error, event);
	}
	};