Refactored change password API endpoint (#1764)

* rebase with master

* Update README

* add new action AdminSetUserPassword to lambda policy

* update dist files

* Remove aws-sdk from package

* update package* files

* update dist files

Author: rafaelsiqueira

README.md

@@ -289,11 +289,6 @@ authentication flow - specifically multi-part emails are not supported; welcome
 to the 21st century. To work around these restrictions registration and password
 reset were decoupled using the Cognito Identity Service Provider admin APIs.
 Verification is implemented with custom verification codes and email delivery.
-However, as Cognito currently does not support setting the password for a user
-through the admin API, the user is deleted and recreated with the exact same
-identifier (a UUID). This is heavily tested with acceptance tests and just
-works, but it's not ideal. Hopefully AWS will address these issues in the
-future.
 
 ## License
 

modules/api/iam/policies/lambda.json

@@ -16,7 +16,8 @@
         "cognito-idp:AdminConfirmSignUp",
         "cognito-idp:AdminDeleteUser",
         "cognito-idp:AdminGetUser",
-        "cognito-idp:AdminUpdateUserAttributes"
+        "cognito-idp:AdminUpdateUserAttributes",
+        "cognito-idp:AdminSetUserPassword"
       ],
       "Resource": "${cognito_user_pool_arn}"
     },

modules/api/lambda/dist.zip

@@ -23,7 +23,6 @@
     "lint": "make lint",
     "start": "make start",
     "test": "make test",
-    "test:acceptance": "make test-acceptance",
     "watch": "make watch"
   },
   "dependencies": {
@@ -34,18 +33,19 @@
     "uuid": "^8.3.2"
   },
   "devDependencies": {
-    "@types/cookie": "^0.4.0",
-    "@types/express": "^4.17.11",
-    "@types/glob": "^7.1.3",
-    "@types/morgan": "^1.9.2",
+    "@types/cookie": "^0.4.1",
+    "@types/express": "^4.17.13",
+    "@types/glob": "^7.1.4",
+    "@types/morgan": "^1.9.3",
+    "@types/node": "^16.3.2",
     "@types/supertest": "^2.0.11",
-    "@types/uuid": "^8.3.0",
+    "@types/uuid": "^8.3.1",
     "express": "^4.17.1",
     "generate-password": "^1.6.0",
     "glob": "^7.1.7",
     "header-case-normalizer": "^1.0.3",
     "morgan": "^1.10.0",
     "supertest": "^6.1.3",
-    "typescript-json-schema": "^0.50.0"
+    "typescript-json-schema": "^0.50.1"
   }
 }

modules/api/lambda/package-lock.json

@@ -76,15 +76,7 @@ export class ManagementClient extends Client {
   }
 
   /**
-   * Reset password for user
-   *
-   * Hack: Cognito doesn't allow us to change the password of a user without
-   * his consent, so we have to work around this in order to implement our own
-   * customized authentication flow by deleting and re-creating the user.
-   * Hopefully, this issue will be adressed, see https://amzn.to/2snEPMm
-   *
-   * We must sign out the user to force re-authentication, but we don't need to
-   * do it explicitly as we delete the old and create a new user.
+   * Change password for user
    *
    * @param username - Username or email address
    * @param password - Password
@@ -94,27 +86,11 @@ export class ManagementClient extends Client {
   public async changePassword(
     username: string, password: string
   ): Promise<void> {
-    // this.cognito.adminSetUserPassword
-    const { Username: id, UserAttributes } =
-      await this.cognito.adminGetUser({
-        UserPoolId: process.env.COGNITO_USER_POOL_ID!,
-        Username: username
-      }).promise()
-
-    /* Delete user */
-    await this.deleteUser(id)
-
-    /* Re-create user */
-    await this.cognito.signUp({
-      ClientId: process.env.COGNITO_USER_POOL_CLIENT_ID!,
-      Username: id,
+    await this.cognito.adminSetUserPassword({
+      UserPoolId: process.env.COGNITO_USER_POOL_ID!,
+      Username: username,
       Password: password,
-      UserAttributes: UserAttributes!.filter(attr => {
-        return ["sub", "email_verified"].indexOf(attr.Name) === -1
-      })
+      Permanent: true
     }).promise()
-
-    /* Auto-verify user */
-    await this.verifyUser(id)
   }
 }