serverless/serverless

Use of Cognito "PoolName" in Events Can Associate Function with Incorrect/Unexpected Cognito User Pool

Open

#8,270 Created on September 19, 2020

(3 comments) (0 reactions) (1 assignee) JavaScript (46,915 stars) (5,734 forks)

Labels: bug/design, cat/aws-event-cognito, deprecation, help wanted

Description

When using a "PoolName" as the mechanism by which to associate a Lambda Function Event with a Cognito User Pool it is possible to associate a Lambda Function with an unexpected/incorrect User Pool. The cause of this issue is that User Pool Names are not guaranteed to be unique and the impact is that lambda functions can be triggered unexpectedly.

```yaml
service: service

provider:
  name: aws
  region: us-west-2
  runtime: nodejs12.x
  stage: ${opt:stage}

functions:
  functionname:
    handler: function.handler
    events:
      - cognitoUserPool:
          existing: true
          # "poolname" is not guaranteed to be unique
          # resulting in a situation where this event/function could
          # be associated with an unexpected CognitoUserPool
          pool: poolname
          trigger: UserMigration
```

```
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Installing dependencies for custom CloudFormation resources...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service auth.zip file to S3 (1.11 KB)...
Serverless: Uploading custom CloudFormation resources...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
.......
Serverless: Stack update finished...
Service Information
service: service
stage: dev
region: us-west-2
stack: stack
resources: 9
api keys:
  None
endpoints:
  None
functions:
  user-migration: function
layers:
  None
Serverless: Removing old service artifacts from S3...
```

Installed version

Framework Core: 2.1.1
Plugin: 4.0.4
SDK: 2.3.2
Components: 3.1.3
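
A pre-deploy check for the ambiguity described in this issue, as an added example that is not part of the original issue or the Serverless Framework's code: it resolves a pool name against data shaped like Cognito `ListUserPools` responses and refuses to proceed when the name matches more than one pool. The helper names, pool IDs and token value are constructed for illustration.

```javascript
'use strict';

// Constructed sample: two pages shaped like Cognito ListUserPools responses
// (UserPools[].Id / UserPools[].Name). All IDs and names are made up.
const samplePages = [
  { UserPools: [
      { Id: 'us-west-2_EXAMPLE01', Name: 'poolname' },
      { Id: 'us-west-2_EXAMPLE02', Name: 'other-pool' },
    ], NextToken: 'constructed-token' },
  { UserPools: [
      { Id: 'us-west-2_EXAMPLE03', Name: 'poolname' },
    ] },
];

// Group every pool ID by name across all pages, so a duplicate that only
// appears on a later page is not missed.
function indexPoolsByName(pages) {
  const byName = new Map();
  for (const page of pages) {
    for (const { Id, Name } of page.UserPools || []) {
      if (!byName.has(Name)) byName.set(Name, []);
      byName.get(Name).push(Id);
    }
  }
  return byName;
}

// Hypothetical helper: resolve a name to exactly one pool ID or fail closed.
function resolvePoolId(pages, poolName) {
  const ids = indexPoolsByName(pages).get(poolName) || [];
  if (ids.length === 0) {
    throw new Error(`No user pool named "${poolName}"`);
  }
  if (ids.length > 1) {
    throw new Error(`Ambiguous user pool name "${poolName}": matches ${ids.join(', ')}`);
  }
  return ids[0];
}

// Report every name that maps to more than one pool (account-wide audit).
function findAmbiguousNames(pages) {
  return [...indexPoolsByName(pages)]
    .filter(([, ids]) => ids.length > 1)
    .map(([name, ids]) => ({ name, ids }));
}
```

Failing the deployment on an ambiguous name makes the trigger attach either to the one intended pool or to none.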
