From 0e3ac260682f3354912fe552c61d9b3e590903b8 Mon Sep 17 00:00:00 2001
From: Bert Blommers
Date: Fri, 13 May 2022 19:45:05 +0000
Subject: [PATCH] CognitoIDP - allow respond_to_auth_challenge without Auth-header (#5133)

---
 moto/cognitoidp/models.py            |  8 +++
 moto/cognitoidp/responses.py         |  2 +-
 tests/test_cognitoidp/test_server.py | 88 +++++++++++++++++++++++++++-
 3 files changed, 96 insertions(+), 2 deletions(-)

diff --git a/moto/cognitoidp/models.py b/moto/cognitoidp/models.py
index 018124f82..0fb33d618 100644
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@@ -1834,6 +1834,14 @@ class GlobalCognitoIdpBackend(CognitoIdpBackend):
         backend = self._find_backend_by_access_token(access_token)
         return backend.get_user(access_token)
 
+    def respond_to_auth_challenge(
+        self, session, client_id, challenge_name, challenge_responses
+    ):
+        backend = self._find_backend_for_clientid(client_id)
+        return backend.respond_to_auth_challenge(
+            session, client_id, challenge_name, challenge_responses
+        )
+
 
 cognitoidp_backends = BackendDict(CognitoIdpBackend, "cognito-idp")
 cognitoidp_backends["global"] = GlobalCognitoIdpBackend("global")
diff --git a/moto/cognitoidp/responses.py b/moto/cognitoidp/responses.py
index bf6b46b7b..f99f8eceb 100644
--- a/moto/cognitoidp/responses.py
+++ b/moto/cognitoidp/responses.py
@@ -444,7 +444,7 @@ class CognitoIdpResponse(BaseResponse):
         client_id = self._get_param("ClientId")
         challenge_name = self._get_param("ChallengeName")
         challenge_responses = self._get_param("ChallengeResponses")
-        auth_result = cognitoidp_backends[self.region].respond_to_auth_challenge(
+        auth_result = cognitoidp_backends["global"].respond_to_auth_challenge(
             session, client_id, challenge_name, challenge_responses
         )
 
diff --git a/tests/test_cognitoidp/test_server.py b/tests/test_cognitoidp/test_server.py
index a92d55d28..8098f332b 100644
--- a/tests/test_cognitoidp/test_server.py
+++ b/tests/test_cognitoidp/test_server.py
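Review bot: The new `respond_to_auth_challenge` on `GlobalCognitoIdpBackend` has no docstring recording why a second, region-less entry point exists next to the per-region implementation; a one-liner such as `"""Route a RespondToAuthChallenge call that arrived without an Authorization header (so no region is known) to the backend that owns client_id."""` would capture the intent of this commit for the next maintainer. Its behaviour also rests entirely on `_find_backend_for_clientid`, which is outside this hunk: if that helper returns `None` for an unknown or mistyped ClientId instead of raising, the following `backend.respond_to_auth_challenge(...)` fails with an AttributeError rather than a structured Cognito error, so it is worth confirming the helper raises the service's not-found error itself and saying so in the docstring. The class body continues outside the hunk.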
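Review bot: The switch from `cognitoidp_backends[self.region]` to `cognitoidp_backends["global"]` carries no comment, so a later reader will not see why this one handler bypasses the region-keyed backends; suggest `# RespondToAuthChallenge may arrive without an Authorization header, so no region can be derived; the global backend routes by ClientId.` above the call. `"global"` is also a bare string literal that now appears both here and in models.py; if the package already exposes a shared constant for that key, using it in both places would keep them in step. The enclosing handler begins before this hunk.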
@@ -2,7 +2,7 @@
 import json
 import moto.server as server
 
 
-def test_sign_up_method_without_authentication():
+def test_sign_up_user_without_authentication():
     backend = server.create_backend_app("cognito-idp")
     test_client = backend.test_client()
@@ -94,3 +94,89 @@ def test_sign_up_method_without_authentication():
     data.should.have.key("UserPoolId").equals(user_pool_id)
     data.should.have.key("Username").equals("test@gmail.com")
     data.should.have.key("UserStatus").equals("CONFIRMED")
+
+
+def test_admin_create_user_without_authentication():
+    backend = server.create_backend_app("cognito-idp")
+    test_client = backend.test_client()
+
+    # Create User Pool
+    res = test_client.post(
+        "/",
+        data='{"PoolName": "test-pool"}',
+        headers={
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.CreateUserPool",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=abcd/20010101/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...",
+        },
+    )
+    user_pool_id = json.loads(res.data)["UserPool"]["Id"]
+
+    # Create User Pool Client
+    data = {
+        "UserPoolId": user_pool_id,
+        "ClientName": "some-client",
+        "GenerateSecret": False,
+        "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH"],
+    }
+    res = test_client.post(
+        "/",
+        data=json.dumps(data),
+        headers={
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.CreateUserPoolClient",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=abcd/20010101/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...",
+        },
+    )
+    client_id = json.loads(res.data)["UserPoolClient"]["ClientId"]
+
+    # Admin Create User
+    data = {
+        "UserPoolId": user_pool_id,
+        "Username": "test@gmail.com",
+        "TemporaryPassword": "12345678",
+    }
+    res = test_client.post(
+        "/",
+        data=json.dumps(data),
+        headers={
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.AdminCreateUser",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=abcd/20010101/us-east-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=...",
+        },
+    )
+    res.status_code.should.equal(200)
+
+    # Initiate Auth
+    data = {
+        "ClientId": client_id,
+        "AuthFlow": "USER_PASSWORD_AUTH",
+        "AuthParameters": {"USERNAME": "test@gmail.com", "PASSWORD": "12345678"},
+    }
+    res = test_client.post(
+        "/",
+        data=json.dumps(data),
+        headers={"X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth"},
+    )
+    session = json.loads(res.data)["Session"]
+
+    # Respond to Auth Challenge
+    data = {
+        "ClientId": client_id,
+        "ChallengeName": "NEW_PASSWORD_REQUIRED",
+        "ChallengeResponses": {
+            "USERNAME": "test@gmail.com",
+            "NEW_PASSWORD": "abcdefgh",
+        },
+        "Session": session,
+    }
+    res = test_client.post(
+        "/",
+        data=json.dumps(data),
+        headers={
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.RespondToAuthChallenge"
+        },
+    )
+    res.status_code.should.equal(200)
+    response = json.loads(res.data)
+
+    response.should.have.key("AuthenticationResult")
+    response["AuthenticationResult"].should.have.key("IdToken")
+    response["AuthenticationResult"].should.have.key("AccessToken")
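Review bot: Only the AdminCreateUser and RespondToAuthChallenge responses are checked with `res.status_code.should.equal(200)`; the CreateUserPool, CreateUserPoolClient and InitiateAuth responses are indexed into directly (`json.loads(res.data)["UserPool"]["Id"]`, `["UserPoolClient"]["ClientId"]`, `["Session"]`), so a regression in any of those steps surfaces as a KeyError rather than a readable assertion. Asserting the status code after each call, and confirming InitiateAuth actually issued the expected challenge with `json.loads(res.data).should.have.key("ChallengeName").equals("NEW_PASSWORD_REQUIRED")` before reading `Session`, would make the failure mode explicit. The test exercises the positive path the commit enables, InitiateAuth and RespondToAuthChallenge with no `Authorization` header, but nothing yet records that a request carrying an unknown ClientId or a stale `Session` is still rejected by the global routing; that negative case is worth a companion test.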