From c2727a7c205d183034f1fc14ac09234134c9135e Mon Sep 17 00:00:00 2001
From: Bert Blommers
Date: Thu, 5 May 2022 22:34:37 +0000
Subject: [PATCH] CognitoIDP - allow unauthenticated requests to GetUser (#5099)
---
 moto/cognitoidp/models.py | 13 ++++++++++
 moto/cognitoidp/responses.py | 2 +-
 tests/test_cognitoidp/test_server.py | 39 ++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/moto/cognitoidp/models.py b/moto/cognitoidp/models.py
index e203fe303..8d6cabd1d 100644
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@@ -1800,6 +1800,15 @@ class GlobalCognitoIdpBackend(CognitoIdpBackend):
 # Without authentication-header, we lose the context of which region the request was send to
 # This backend will cycle through all backends as a workaround
+ def _find_backend_by_access_token(self, access_token):
+ for region, backend in cognitoidp_backends.items():
+ if region == "global":
+ continue
+ for p in backend.user_pools.values():
+ if access_token in p.access_tokens:
+ return backend
+ return cognitoidp_backends["us-east-1"]
+
 def _find_backend_for_clientid(self, client_id):
 for region, backend in cognitoidp_backends.items():
 if region == "global":
@@ -1821,6 +1830,10 @@ class GlobalCognitoIdpBackend(CognitoIdpBackend):
 backend = self._find_backend_for_clientid(client_id)
 return backend.confirm_sign_up(client_id, username)
+ def get_user(self, access_token):
+ backend = self._find_backend_by_access_token(access_token)
+ return backend.get_user(access_token)
+
 cognitoidp_backends = BackendDict(CognitoIdpBackend, "cognito-idp")
 cognitoidp_backends["global"] = GlobalCognitoIdpBackend("global")
diff --git a/moto/cognitoidp/responses.py b/moto/cognitoidp/responses.py
index f67734c37..bf6b46b7b 100644
--- a/moto/cognitoidp/responses.py
+++ b/moto/cognitoidp/responses.py
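Review bot: In `_find_backend_by_access_token` (models.py, first hunk) a token that matches no pool in any region is not rejected: the search falls through to `return cognitoidp_backends["us-east-1"]`, so refusing an unknown, expired or missing `AccessToken` depends entirely on what that region's `get_user` does, which is outside this hunk. Neither new method documents that; once the behaviour is confirmed I would add a comment above the fallback such as `# Token not found in any region: fall back to us-east-1 and let its get_user() reject it`. The same reliance applies to the new `GlobalCognitoIdpBackend.get_user` in the second models.py hunk, which delegates without knowing whether the token was actually found. The single-letter `p` would also read better as `pool`.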
@@ -346,7 +346,7 @@ class CognitoIdpResponse(BaseResponse):
 def get_user(self):
 access_token = self._get_param("AccessToken")
- user = cognitoidp_backends[self.region].get_user(access_token=access_token)
+ user = cognitoidp_backends["global"].get_user(access_token=access_token)
 return json.dumps(user.to_json(extended=True, attributes_key="UserAttributes"))
 def list_users(self):
diff --git a/tests/test_cognitoidp/test_server.py b/tests/test_cognitoidp/test_server.py
index c904058cd..a92d55d28 100644
--- a/tests/test_cognitoidp/test_server.py
+++ b/tests/test_cognitoidp/test_server.py
@@ -55,3 +55,42 @@ def test_sign_up_method_without_authentication():
 )
 res.status_code.should.equal(200)
 json.loads(res.data).should.have.key("UserConfirmed").equals(False)
+
+ # Confirm Sign Up User
+ data = {
+ "ClientId": client_id,
+ "Username": "test@gmail.com",
+ "ConfirmationCode": "sth",
+ }
+ res = test_client.post(
+ "/",
+ data=json.dumps(data),
+ headers={"X-Amz-Target": "AWSCognitoIdentityProviderService.ConfirmSignUp"},
+ )
+
+ # Initiate Auth
+ data = {
+ "ClientId": client_id,
+ "AuthFlow": "USER_PASSWORD_AUTH",
+ "AuthParameters": {"USERNAME": "test@gmail.com", "PASSWORD": "12345678"},
+ }
+ res = test_client.post(
+ "/",
+ data=json.dumps(data),
+ headers={"X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth"},
+ )
+ res.status_code.should.equal(200)
+ access_token = json.loads(res.data)["AuthenticationResult"]["AccessToken"]
+
+ # Get User
+ data = {"AccessToken": access_token}
+ res = test_client.post(
+ "/",
+ data=json.dumps(data),
+ headers={"X-Amz-Target": "AWSCognitoIdentityProviderService.GetUser"},
+ )
+ res.status_code.should.equal(200)
+ data = json.loads(res.data)
+ data.should.have.key("UserPoolId").equals(user_pool_id)
+ data.should.have.key("Username").equals("test@gmail.com")
+ data.should.have.key("UserStatus").equals("CONFIRMED")
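Review bot: `CognitoIdpResponse.get_user` now ignores `self.region` for every request, signed or not, because the changed line always goes through `cognitoidp_backends["global"]`, which searches all regions for the token. A token issued by a pool in one region is therefore accepted on any regional endpoint of the mock, so tests built on it will not notice a client pointed at the wrong region; whether the real service behaves the same way is not shown on this page. If that is intended, a comment on the changed line would record it, e.g. `# Region is resolved from the AccessToken, not from the request, so unsigned calls work`. The enclosing class continues outside the hunk.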
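Review bot: The added test covers only the accepted path; nothing exercises GetUser with an `AccessToken` that no pool issued, which is exactly the case the new us-east-1 fallback in `_find_backend_by_access_token` handles. I would add a second GetUser post with a constructed token such as `{"AccessToken": "not-a-real-token"}` and assert that the status is not 200. The ConfirmSignUp response is also overwritten without being checked; adding `res.status_code.should.equal(200)` after that post would make a failure there surface where it happens rather than at the later `UserStatus` assertion. The test function starts outside the hunk.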