serverless/serverless

Use of Cognito "PoolName" in Events Can Associate Function with Incorrect/Unexpected Cognito User Pool

Open

#8,270 opened on September 19, 2020

Labels: bug/design, cat/aws-event-cognito, deprecation, help wanted

Description

When using a "PoolName" as the mechanism by which to associate a Lambda Function Event with a Cognito User Pool it is possible to associate a Lambda Function with an unexpected/incorrect User Pool. The cause of this issue is that User Pool Names are not guaranteed to be unique and the impact is that lambda functions can be triggered unexpectedly.

```yaml
service: service

provider:
  name: aws
  region: us-west-2
  runtime: nodejs12.x
  stage: ${opt:stage}

functions:
  functionname:
    handler: function.handler
    events:
      - cognitoUserPool:
          existing: true
          # "poolname" is not guaranteed to be unique
          # resulting in a situation where this event/function could
          # be associated with an unexpected CognitoUserPool
          pool: poolname
          trigger: UserMigration
```

```text
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Installing dependencies for custom CloudFormation resources...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service auth.zip file to S3 (1.11 KB)...
Serverless: Uploading custom CloudFormation resources...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
.......
Serverless: Stack update finished...
Service Information
service: service
stage: dev
region: us-west-2
stack: stack
resources: 9
api keys:
  None
endpoints:
  None
functions:
  user-migration: function
layers:
  None
Serverless: Removing old service artifacts from S3...
```

Installed version

Framework Core: 2.1.1
Plugin: 4.0.4
SDK: 2.3.2
Components: 3.1.3
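
A pre-deploy check for the ambiguity this issue describes, as an added example (not code from the issue or from the Serverless Framework): it pages through a pool listing, reports names shared by more than one pool, and refuses to resolve an ambiguous name to an ID. `listPage` is a hypothetical caller-supplied function assumed to return pages shaped like Cognito's ListUserPools response, and the pool IDs are constructed placeholders.

```javascript
// Added example: detect user pool names that match more than one pool before
// trusting `pool: <name>` in serverless.yml.
// listPage(token) is a hypothetical caller-supplied function returning one page
// shaped like Cognito's ListUserPools response: { UserPools: [{ Id, Name }], NextToken }.

async function collectPools(listPage) {
  const pools = [];
  let token;
  do {
    const page = await listPage(token);
    pools.push(...(page.UserPools || []));
    token = page.NextToken;
  } while (token);
  return pools;
}

// Group pool IDs by name and keep only names shared by two or more pools.
function duplicateNames(pools) {
  const byName = new Map();
  for (const { Id, Name } of pools) {
    byName.set(Name, [...(byName.get(Name) || []), Id]);
  }
  return new Map([...byName].filter(([, ids]) => ids.length > 1));
}

// Return the single pool ID for a name, or throw instead of guessing.
function resolvePoolId(pools, poolName) {
  const ids = pools.filter((p) => p.Name === poolName).map((p) => p.Id);
  if (ids.length === 0) throw new Error(`no user pool named "${poolName}"`);
  if (ids.length > 1) {
    throw new Error(`user pool name "${poolName}" is ambiguous: ${ids.join(', ')}`);
  }
  return ids[0];
}

// Constructed sample pages (IDs are placeholders): "poolname" exists twice.
const SAMPLE_PAGES = {
  first: {
    UserPools: [
      { Id: 'us-west-2_EXAMPLE01', Name: 'poolname' },
      { Id: 'us-west-2_EXAMPLE02', Name: 'other' },
    ],
    NextToken: 'second',
  },
  second: { UserPools: [{ Id: 'us-west-2_EXAMPLE03', Name: 'poolname' }] },
};
const sampleListPage = async (token) => SAMPLE_PAGES[token || 'first'];
const SAMPLE_POOLS = Object.values(SAMPLE_PAGES).flatMap((p) => p.UserPools);
```

Run against a real account, `listPage` would wrap the SDK's paginated listing call; a non-empty `duplicateNames` result means a name-based `pool:` reference cannot identify one pool.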
