JavaScript (v3): Cognito - Add the "auto-confirm user" scenario. Part of the Pools and Triggers workflow.

.doc_gen/metadata/cognito-identity-provider_metadata.yaml

@@ -753,6 +753,14 @@ cognito-identity-provider_DeleteUser:
               snippet_tags:
                 - gov2.cognito-identity-provider.CognitoActions.struct
                 - gov2.cognito-identity-provider.DeleteUser
+    JavaScript:
+      versions:
+        - sdk_version: 3
+          github: javascriptv3/example_code/cross-services/wkflw-pools-triggers
+          excerpts:
+            - description:
+              snippet_tags:
+                - javascript.v3.cognito-idp.actions.DeleteUser
   services:
     cognito-identity-provider: {DeleteUser}
 cognito-identity-provider_CreateUserPool:
@@ -793,6 +801,15 @@ cognito-identity-provider_UpdateUserPool:
               snippet_tags:
                 - gov2.cognito-identity-provider.CognitoActions.struct
                 - gov2.cognito-identity-provider.UpdateUserPool
+    JavaScript:
+      versions:
+        - sdk_version: 3
+          github: javascriptv3/example_code/cross-services/wkflw-pools-triggers
+          sdkguide:
+          excerpts:
+            - description:
+              snippet_tags:
+                - javascript.v3.cognito-idp.actions.UpdateUserPool
   services:
     cognito-identity-provider: {UpdateUserPool}
 cognito-identity-provider_ForgotPassword:

.doc_gen/metadata/cross_metadata.yaml

@@ -822,6 +822,38 @@ cross_CognitoAutoConfirmUser:
             - description: Clean up resources.
               snippet_tags:
                 - gov2.cognito-identity-provider.Resources.complete
+    JavaScript:
+      versions:
+        - sdk_version: 3
+          github: javascriptv3/example_code/cross-services/wkflw-pools-triggers
+          sdk_guide:
+          excerpts:
+            - description: |
+                Configure an interactive "Scenario" run. The JavaScript (v3) examples
+                share a Scenario runner to streamline complex examples. The complete
+                source code is on GitHub.
+              snippet_tags:
+                - javascript.v3.wkflw.pools-triggers.index
+            - description: |
+                This Scenario demonstrates auto-confirming a known user.
+                It orchestrates the example steps.
+              snippet_tags:
+                - javascript.v3.wkflw.pools-triggers.AutoConfirm
+            - description: These are steps that are shared with other Scenarios.
+              snippet_tags:
+                - javascript.v3.wkflw.pools-triggers.common
+            - description: A handler for the <code>PreSignUp</code> trigger with a &LAM; function.
+              snippet_tags:
+                - javascript.v3.wkflw.pools-triggers.handler.AutoConfirm
+            - description: Module of &CWL; actions.
+              snippet_files:
+                - javascriptv3/example_code/cross-services/wkflw-pools-triggers/actions/cloudwatch-logs-actions.js
+            - description: Module of &COG; actions.
+              snippet_files:
+                - javascriptv3/example_code/cross-services/wkflw-pools-triggers/actions/cognito-actions.js
+            - description: Module of &DDB; actions.
+              snippet_files:
+                - javascriptv3/example_code/cross-services/wkflw-pools-triggers/actions/dynamodb-actions.js
   services:
     cognito-identity-provider: {UpdateUserPool, SignUp, InitiateAuth, DeleteUser}
     lambda: {}

javascriptv3/biome.json

@@ -13,7 +13,9 @@
       "./example_code/kinesis/kinesis-cdk",
       "./example_code/medical-imaging/scenarios/health-image-sets/pixel-data-verification/openjphjs/openjphjs.js",
       "./example_code/cross-services/textract-react",
-      "**/dist"
+      "**/dist",
+      "**/cdk.out",
+      "cdk.json"
     ]
   },
   "formatter": {

javascriptv3/example_code/cognito-identity-provider/README.md

@@ -44,18 +44,21 @@ Code excerpts that show you how to call individual service functions.
 - [AssociateSoftwareToken](actions/associate-software-token.js#L9)
 - [ConfirmDevice](actions/confirm-device.js#L9)
 - [ConfirmSignUp](actions/confirm-sign-up.js#L9)
+- [DeleteUser](../cross-services/wkflw-pools-triggers/actions/cognito-actions.js#L122)
 - [InitiateAuth](actions/initiate-auth.js#L10)
 - [ListUsers](actions/list-users.js#L9)
 - [ResendConfirmationCode](actions/resend-confirmation-code.js#L9)
 - [RespondToAuthChallenge](actions/respond-to-auth-challenge.js#L10)
 - [SignUp](actions/sign-up.js#L9)
+- [UpdateUserPool](../cross-services/wkflw-pools-triggers/actions/cognito-actions.js#L13)
 - [VerifySoftwareToken](actions/verify-software-token.js#L9)
 
 ### Scenarios
 
 Code examples that show you how to accomplish a specific task by calling multiple
 functions within the same service.
 
+- [Automatically confirm known users with a Lambda function](../cross-services/wkflw-pools-triggers/index.js)
 - [Sign up a user with a user pool that requires MFA](actions/admin-initiate-auth.js)
 
 
@@ -104,6 +107,22 @@ node ./hello.js
 ```
 
 
+#### Automatically confirm known users with a Lambda function
+
+This example shows you how to automatically confirm known Amazon Cognito users with a Lambda function.
+
+- Configure a user pool to call a Lambda function for the <code>PreSignUp</code> trigger.
+- Sign up a user with Amazon Cognito.
+- The Lambda function scans a DynamoDB table and automatically confirms known users.
+- Sign in as the new user, then clean up resources.
+
+<!--custom.scenario_prereqs.cross_CognitoAutoConfirmUser.start-->
+<!--custom.scenario_prereqs.cross_CognitoAutoConfirmUser.end-->
+
+
+<!--custom.scenarios.cross_CognitoAutoConfirmUser.start-->
+<!--custom.scenarios.cross_CognitoAutoConfirmUser.end-->
+
 #### Sign up a user with a user pool that requires MFA
 
 This example shows you how to do the following:

javascriptv3/example_code/cross-services/wkflw-pools-triggers/README.md

@@ -0,0 +1,99 @@
+# Customize Amazon Cognito authentication behavior with Lambda functions
+
+## Overview
+
+This example shows how to use AWS SDKs to customize Amazon Cognito authentication behavior. You can configure
+your Amazon Cognito user pool to automatically invoke AWS Lambda functions at various points in the authentication
+process, such as before sign-up, during sign-in, and after authentication.
+
+There are three workflows demonstrated by this example:
+
+* Automatically confirm and verify the email of known users by using a pre sign-up trigger.
+* [Not yet implemented] Automatically add known users at sign-in by using a migrate user trigger.
+* [Not yet implemented] Write custom information to an Amazon DynamoDB table after users are authenticated by using a post authentication trigger.
+
+These workflows are described in more detail in the main [README](../../../../workflows/user_pools_and_lambda_triggers/README.md) 
+for these examples.
+
+## Automatically confirm known users
+
+A [pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html)
+is invoked when a user starts the sign-up process and lets your Lambda function
+take action before Amazon Cognito adds the user to the user pool.
+
+## Automatically migrate known users
+
+A [migrate user Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html)
+is invoked when a user doesn't exist in the user pool at sign-in with a password.
+After the Lambda function returns successfully, Amazon Cognito creates the user in the user pool.
+
+## Write custom activity after authentication
+
+A [post authentication Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html)
+is invoked after signing in a user, so you can add custom logic after Amazon Cognito authenticates the user.
+
+## ⚠ Important
+
+* Running this code might result in charges to your AWS account.
+* Running the tests might result in charges to your AWS account.
+* We recommend that you grant your code least privilege. At most, grant only the minimum permissions required to perform the task. For more information, see [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
+* This code is not tested in every AWS Region. For more information, see [AWS Regional Services](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services).
+
+## Run the examples
+
+### Prerequisites
+
+For general prerequisites, see the [README](../../../README.md#prerequisites) in the `javascriptv3` folder.
+
+### Setup
+
+This example deploys several resources by using an AWS CloudFormation stack. This stack
+deploys the following resources:
+
+* An Amazon DynamoDB table named `doc-example-custom-users` that has a `UserEmail` primary key.
+  This table functions as an external user store.
+* An Amazon Cognito user pool that requires an email, sends an email with verification code
+  when a new user is added, does not require MFA, and allows account recovery with a verified email.
+* An Amazon Cognito client application. This is required for client calls to sign-up and
+  authentication users.
+* An AWS Identity and Access Management (IAM) role that can be assumed by Lambda.
+  This role grants permission to Lambda to read from and write to the DynamoDB table and
+  write to CloudWatch Logs.
+
+### Deploy AWS resources
+
+The AWS resources for this example are deployed by using the AWS Cloud Development Kit (AWS CDK).
+
+To install the AWS CDK, follow the instructions in the
+[Developer Guide](https://docs.aws.amazon.com/cdk/v2/guide/home.html).
+
+Deploy resources at a command prompt from the [cdk](./cdk/) folder:
+
+```
+npm install
+cdk deploy
+```
+
+###  Instructions
+
+Run `./index --help` for instructions on running a scenario.
+
+### Cleanup
+
+Delete resources deployed for this example by deleting the stack.
+
+Delete the stack at a command prompt from the [cdk](./cdk/) folder:
+
+```
+cdk destroy
+```
+
+## Additional resources
+
+- [Amazon Cognito Identity Provider Developer Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html)
+- [Amazon Cognito Identity Provider API Reference](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html)
+- [SDK for JavaScript V3 Amazon Cognito Identity Provider reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/)
+
+---
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0

javascriptv3/example_code/cross-services/wkflw-pools-triggers/actions/cloudwatch-logs-actions.js

@@ -0,0 +1,69 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import {
+  CloudWatchLogsClient,
+  GetLogEventsCommand,
+  OrderBy,
+  paginateDescribeLogStreams,
+} from "@aws-sdk/client-cloudwatch-logs";
+
+/**
+ * Get the latest log stream for a Lambda function.
+ * @param {{ functionName: string, region: string }} config
+ * @returns {Promise<[import("@aws-sdk/client-cloudwatch-logs").LogStream | null, unknown]>}
+ */
+export const getLatestLogStreamForLambda = async ({ functionName, region }) => {
+  try {
+    const logGroupName = `/aws/lambda/${functionName}`;
+    const cwlClient = new CloudWatchLogsClient({ region });
+    const paginator = paginateDescribeLogStreams(
+      { client: cwlClient },
+      {
+        descending: true,
+        limit: 1,
+        orderBy: OrderBy.LastEventTime,
+        logGroupName,
+      },
+    );
+
+    for await (const page of paginator) {
+      return [page.logStreams[0], null];
+    }
+  } catch (err) {
+    return [null, err];
+  }
+};
+
+/**
+ * Get the log events for a Lambda function's log stream.
+ * @param {{
+ *   functionName: string,
+ *   logStreamName: string,
+ *   eventCount: number,
+ *   region: string
+ * }} config
+ * @returns {Promise<[import("@aws-sdk/client-cloudwatch-logs").OutputLogEvent[] | null, unknown]>}
+ */
+export const getLogEvents = async ({
+  functionName,
+  logStreamName,
+  eventCount,
+  region,
+}) => {
+  try {
+    const cwlClient = new CloudWatchLogsClient({ region });
+    const logGroupName = `/aws/lambda/${functionName}`;
+    const response = await cwlClient.send(
+      new GetLogEventsCommand({
+        logStreamName: logStreamName,
+        limit: eventCount,
+        logGroupName: logGroupName,
+      }),
+    );
+
+    return [response.events, null];
+  } catch (err) {
+    return [null, err];
+  }
+};