1

I have an AWS Cognito user pool that I'm using for oauth sign-in with Google inside a React web app with amplify auth. I want to restrict sign-in to Google accounts from my company's domain, so I created a custom lambda function (below) and configured it as a pre-auth trigger in the AWS console for my user pool:

exports.handler = (event, context, callback) => {
  console.log ("Trigger function: ", event.triggerSource);

  if (event.request.userAttributes.email.endsWith('@mycompany.com')) {
        console.log ("Authentication successful: ", event.request);
        callback(null, event);
  } else {
    console.log ("Authentication failed (non-company domain): ", event.request);
    callback("Non-company domain account", event)
  }
};

The trigger is correctly permitting company accounts to sign-in, but if someone tries to sign in with a non-company account the app throws an error and crashes:

OAuth.js:380 Uncaught (in promise) Error: Exception+processing+authorization+code
at OAuth.<anonymous> (OAuth.js:380)
at step (OAuth.js:146)
at Object.next (OAuth.js:77)
at OAuth.js:49
at new Promise (<anonymous>)
at push../node_modules/@aws-amplify/auth/lib/OAuth/OAuth.js.__awaiter (OAuth.js:26)
at OAuth.handleAuthResponse (OAuth.js:361)
at AuthClass.<anonymous> (Auth.js:2199)
at step (Auth.js:136)
at Object.next (Auth.js:67)
at Auth.js:39
at new Promise (<anonymous>)
at push../node_modules/@aws-amplify/auth/lib/Auth.js.__awaiter (Auth.js:16)
at AuthClass._handleAuthResponse (Auth.js:2166)
at Auth.js:323
at Object.push../node_modules/@aws-amplify/auth/lib/urlListener.js.exports.default (urlListener.js:24)
at AuthClass.configure (Auth.js:320)
at Amplify.js:36
at Array.map (<anonymous>)
at Function.Amplify.configure (Amplify.js:35)
at Module../src/index.tsx (index.tsx:14)
at __webpack_require__ (bootstrap:781)
at fn (bootstrap:149)
at Object.0 (materialUi.ts:46)
at __webpack_require__ (bootstrap:781)
at checkDeferredModules (bootstrap:45)
at Array.webpackJsonpCallback [as push] (bootstrap:32)
at main.chunk.js:1

What is wrong with my lambda function? It would appear that when it returns the callback with an error, that error is not being handled by the app code but I can't figure out why.

JMLdev
  • 846
  • 2
  • 10
  • 21

1 Answers1

1

You have to use an error object as the first argument of callback().

var error = new Error("Non-company domain account");
callback(error, event);

You can find a Pre Authentication Example with correct error handling in the Cognito documentation.

o1y
  • 31
  • 4