5

We have implemented the Custom Auth Triggers as described here. We have the user pool set up to let users login with either phone number or email.

The problem I am having is determining what medium (email or phone number) the user signed in with. I am using CognitoIdentityServiceProvider#signUp to reg / login a user.

When observing the event passed into the define / create / verify auth triggers, it seems like it doesn't pass through what username was used to initiate the authentication flow, only the user attributes, which in my case could be either email or phone. I need to know which one it is so I know if I need to send the code through SMS or email.

I have tried to add a custom UserAttribute with a prefix of custom: so I could do something like custom:preferredAuthMedium but that doesn't seem to populate the UserAttributes map on the user even though the docs say it should.

Is there a standard way to do this with the custom authentication flow?

Darussian

2 Answers

0

This is a workaround that adds a custom attribute during passwordless login.

Actually, the authenticationUser function needs to identify whether the user is entering an email or a phone number during login.

Step 1: During the login process, before calling initiateAuthCommand, first set a custom attribute on the Cognito user object: logged_in_by, with the value email or phone.

Step 2: Once you have added the key, InitiateAuthCommand will start and call the triggers.

Step 3: When createAuthChallenge runs, we will have userAttributes.logged_in_by.

If this attribute contains email, this indicates that the user is trying to log in with the email and we need to send the OTP over email.

If this attribute contains phone, this indicates that the user is trying to log in with the phone and we need to send the OTP to the phone number.

Tanuj Gupta
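
The workaround in the answer above, sketched as a CreateAuthChallenge trigger (an added example, not code from the answer's author). It goes one step further than the answer by treating logged_in_by as a hint that must match a verified address, which also covers a user with both email and phone verified. Assumptions: the attribute is stored as `custom:logged_in_by`, and `deliver` and `newCode` are hypothetical helpers passed in by the caller.

```javascript
// Assumption: the sign-in caller writes 'email' or 'phone' into this custom
// attribute before InitiateAuth. The attribute name is hypothetical.
const MEDIUM_ATTR = 'custom:logged_in_by';

const CHANNELS = {
  email: { address: 'email', verified: 'email_verified', transport: 'EMAIL' },
  phone: { address: 'phone_number', verified: 'phone_number_verified', transport: 'SMS' },
};

// Cognito hands attribute values to triggers as strings, so compare to 'true'.
const isTrue = (v) => String(v).toLowerCase() === 'true';

// Decide where the OTP goes. The attribute is set from the sign-in side, so it
// is only a hint: it must name a known channel whose address exists and is verified.
function resolveOtpChannel(userAttributes) {
  const attrs = userAttributes || {};
  const hint = String(attrs[MEDIUM_ATTR] || '').toLowerCase();
  const known = Object.prototype.hasOwnProperty.call(CHANNELS, hint);
  if (!known) throw new Error('logged_in_by is missing or not email/phone');
  const channel = CHANNELS[hint];
  const destination = attrs[channel.address];
  if (!destination || !isTrue(attrs[channel.verified])) {
    throw new Error(`no verified ${hint} on this user`);
  }
  return { transport: channel.transport, destination };
}

// CreateAuthChallenge trigger body. deliver(transport, destination, code) and
// newCode() are hypothetical: a mail/SMS sender and a CSPRNG-backed OTP generator.
async function createAuthChallenge(event, { deliver, newCode }) {
  const { transport, destination } = resolveOtpChannel(event.request.userAttributes);
  const code = newCode();
  await deliver(transport, destination, code);
  // Tell the client only which medium was used, never the address or the code.
  event.response.publicChallengeParameters = { medium: transport };
  event.response.privateChallengeParameters = { answer: code };
  event.response.challengeMetadata = `OTP_${transport}`;
  return event;
}
```
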
-2

Different media require their own confirmation.

The following attributes say which medium the user signed up with or verified:

  • phone_number_verified is for phone number.
  • email_verified is for email.

Hope it helps.

Kannaiyan
    What happens in case both a phone number and email are verified? How do I then determine whether the user is trying to log in with phone or email? – Tanuj Gupta May 10 '22 at 07:48