首页 文章

AWS Cognito / Amplify - 将新用户注册自动添加到用户组

提问于
浏览
4

我正在使用AWS Amplify库为AppSync项目注册并执行Auth . 这使用Cognito . 但是,当新用户通过Amplify / Cognito注册时,新用户不会分配到cognito池中的任何特定组 . 我使用Amplify高阶组件进行登录/注册 .

import { withAuthenticator } from 'aws-amplify-react';

我将一个组件包裹起来

class Authenticator extends React.Component {
   //... basically empty component, only exists so I can wrap it w/ the HOC
}
export default withAuthenticator(Authenticator)

Amplify在index.js中设置

import config from './aws-exports';
import Amplify from 'aws-amplify';
Amplify.configure(config);

aws-exports.js由AWS Mobile Hub CLI自动生成 . 好像...

const awsmobile = {
    'aws_app_analytics': 'enable',
    'aws_cognito_identity_pool_id': 'us-west-2:XXX',
    'aws_cognito_region': 'us-west-2',
    'aws_content_delivery': 'enable',
    'aws_content_delivery_bucket': 'flashcards-hosting-mobilehub-XXX',
    'aws_content_delivery_bucket_region': 'us-west-2',
    'aws_content_delivery_cloudfront': 'enable',
    'aws_content_delivery_cloudfront_domain': 'XXX.cloudfront.net',
    'aws_mandatory_sign_in': 'enable',
    'aws_mobile_analytics_app_id': 'XXX',
    'aws_mobile_analytics_app_region': 'us-east-1',
    'aws_project_id': 'XXX',
    'aws_project_name': 'flash-cards',
    'aws_project_region': 'us-west-2',
    'aws_resource_name_prefix': 'flashcards-mobilehub-XXX',
    'aws_sign_in_enabled': 'enable',
    'aws_user_pools': 'enable',
    'aws_user_pools_id': 'us-west-2_XXX',
    'aws_user_pools_mfa_type': 'OFF',
    'aws_user_pools_web_client_id': 'XXX',
}
export default awsmobile;
amazon-web-services aws-cognito aws-mobilehub aws-appsync aws-amplify

2 回答

  • 10

    我搞定了 . 正如Vladamir在评论中所提到的,这需要在服务器端完成,在Post Confirmation lambda触发器中 . 这是lambda函数 .

    'use strict';
var AWS = require('aws-sdk');
module.exports.addUserToGroup = (event, context, callback) => {
  // console.log("howdy!",event);
  var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
  var params = {
    GroupName: 'users', //The name of the group in you cognito user pool that you want to add the user to
    UserPoolId: event.userPoolId, 
    Username: event.userName 
  };
  //some minimal checks to make sure the user was properly confirmed
  if(! (event.request.userAttributes["cognito:user_status"]==="CONFIRMED" && event.request.userAttributes.email_verified==="true") )
    callback("User was not properly confirmed and/or email not verified")
  cognitoidentityserviceprovider.adminAddUserToGroup(params, function(err, data) {
    if (err) {
      callback(err) // an error occurred
    }
    callback(null, event);           // successful response
  });  
};

    您还必须为lambda函数角色设置策略 . 在IAM控制台中,找到此lambda的角色并添加此内联策略 . 这为lambda提供了知识产权所需的一切,所以让你的限制更多 .

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-identity:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        { //this might be the only one you really need
            "Effect": "Allow",
            "Action": [
                "cognito-idp:*"
            ],
            "Resource": "*"
        }
    ]
}
    回复于
  • 6

    Cognito不会知道新注册用户需要加入哪个组 . 您必须以编程方式(或手动)将用户分配给特定组 . 一旦您的代码将用户置于特定组中,JWT ID令牌将包含此用户所属的所有相关组/ IAM角色的列表 .

    有关组here的更多信息 .

    回复于

相关问题