fix(api): confirm user apis return errors for invalid states

Author: jagregory

integration-tests/aws-sdk/adminConfirmSignUp.test.ts

@@ -6,11 +6,19 @@ describe(
     it("confirms a user", async () => {
       const client = Cognito();
 
+      const upc = await client
+        .createUserPoolClient({
+          UserPoolId: "test",
+          ClientName: "test",
+        })
+        .promise();
+
       await client
-        .adminCreateUser({
+        .signUp({
           UserAttributes: [{ Name: "phone_number", Value: "0400000000" }],
           Username: "abc",
-          UserPoolId: "test",
+          ClientId: upc.UserPoolClient?.ClientId!,
+          Password: "def",
         })
         .promise();
 
@@ -21,7 +29,7 @@ describe(
         })
         .promise();
 
-      expect(user.UserStatus).toEqual("FORCE_CHANGE_PASSWORD");
+      expect(user.UserStatus).toEqual("UNCONFIRMED");
 
       await client
         .adminConfirmSignUp({

integration-tests/aws-sdk/deleteUserAttributes.test.ts

@@ -36,9 +36,11 @@ describe(
         .promise();
 
       await client
-        .adminConfirmSignUp({
+        .adminSetUserPassword({
           UserPoolId: userPoolId,
           Username: "abc",
+          Password: "def",
+          Permanent: true,
         })
         .promise();
 

integration-tests/aws-sdk/getUserAttributeVerificationCode.test.ts

@@ -35,9 +35,11 @@ describe(
         .promise();
 
       await client
-        .adminConfirmSignUp({
+        .adminSetUserPassword({
           UserPoolId: userPoolId,
           Username: "abc",
+          Password: "def",
+          Permanent: true,
         })
         .promise();
 

integration-tests/aws-sdk/initiateAuth.test.ts

@@ -103,9 +103,11 @@ describe(
       );
 
       await client
-        .adminConfirmSignUp({
+        .adminSetUserPassword({
           UserPoolId: "test",
           Username: "abc",
+          Password: "def",
+          Permanent: true,
         })
         .promise();
 
@@ -190,9 +192,11 @@ describe(
       );
 
       await client
-        .adminConfirmSignUp({
+        .adminSetUserPassword({
           UserPoolId: "test",
           Username: "abc",
+          Password: "def",
+          Permanent: true,
         })
         .promise();
 

integration-tests/aws-sdk/updateUserAttributes.test.ts

@@ -35,9 +35,11 @@ describe(
         .promise();
 
       await client
-        .adminConfirmSignUp({
+        .adminSetUserPassword({
           UserPoolId: userPoolId,
           Username: "abc",
+          Password: "def",
+          Permanent: true,
         })
         .promise();
 

integration-tests/aws-sdk/verifyUserAttribute.test.ts

@@ -35,9 +35,11 @@ describe(
         .promise();
 
       await client
-        .adminConfirmSignUp({
-          UserPoolId: userPoolId,
+        .adminSetUserPassword({
           Username: "abc",
+          UserPoolId: userPoolId,
+          Password: "def",
+          Permanent: true,
         })
         .promise();
 

src/errors.ts

@@ -10,8 +10,8 @@ export class CognitoError extends Error {
 }
 
 export class NotAuthorizedError extends CognitoError {
-  public constructor() {
-    super("NotAuthorizedException", "User not authorized");
+  public constructor(message = "User not authorized") {
+    super("NotAuthorizedException", message);
   }
 }
 
@@ -33,6 +33,15 @@ export class CodeMismatchError extends CognitoError {
   }
 }
 
+export class ExpiredCodeError extends CognitoError {
+  public constructor() {
+    super(
+      "ExpiredCodeException",
+      "Invalid code provided, please request a code again."
+    );
+  }
+}
+
 export class InvalidPasswordError extends CognitoError {
   public constructor() {
     super("InvalidPasswordException", "Invalid password");

src/targets/adminConfirmSignUp.test.ts

@@ -45,8 +45,40 @@ describe("AdminConfirmSignUp target", () => {
     ).rejects.toEqual(new NotAuthorizedError());
   });
 
+  it.each([
+    "CONFIRMED",
+    "ARCHIVED",
+    "COMPROMISED",
+    "UNKNOWN",
+    "RESET_REQUIRED",
+    "FORCE_CHANGE_PASSWORD",
+    "something else",
+  ])("throws if the user has status %s", async (status) => {
+    const user = TDB.user({
+      UserStatus: status,
+    });
+
+    mockUserPoolService.getUserByUsername.mockResolvedValue(user);
+
+    await expect(
+      adminConfirmSignUp(TestContext, {
+        ClientMetadata: {
+          client: "metadata",
+        },
+        Username: user.Username,
+        UserPoolId: "test",
+      })
+    ).rejects.toEqual(
+      new NotAuthorizedError(
+        `User cannot be confirmed. Current status is ${status}`
+      )
+    );
+  });
+
   it("updates the user's status", async () => {
-    const user = TDB.user();
+    const user = TDB.user({
+      UserStatus: "UNCONFIRMED",
+    });
 
     mockUserPoolService.getUserByUsername.mockResolvedValue(user);
 
@@ -71,7 +103,9 @@ describe("AdminConfirmSignUp target", () => {
         (trigger) => trigger === "PostConfirmation"
       );
 
-      const user = TDB.user();
+      const user = TDB.user({
+        UserStatus: "UNCONFIRMED",
+      });
 
       mockUserPoolService.getUserByUsername.mockResolvedValue(user);
 
@@ -103,7 +137,9 @@ describe("AdminConfirmSignUp target", () => {
     it("invokes the trigger", async () => {
       mockTriggers.enabled.mockReturnValue(false);
 
-      const user = TDB.user();
+      const user = TDB.user({
+        UserStatus: "UNCONFIRMED",
+      });
 
       mockUserPoolService.getUserByUsername.mockResolvedValue(user);
 

src/targets/adminConfirmSignUp.ts

@@ -30,6 +30,12 @@ export const AdminConfirmSignUp =
       throw new NotAuthorizedError();
     }
 
+    if (user.UserStatus !== "UNCONFIRMED") {
+      throw new NotAuthorizedError(
+        `User cannot be confirmed. Current status is ${user.UserStatus}`
+      );
+    }
+
     const updatedUser = {
       ...user,
       UserLastModifiedDate: clock.get(),

src/targets/confirmSignUp.ts

@@ -2,7 +2,11 @@ import {
   ConfirmSignUpRequest,
   ConfirmSignUpResponse,
 } from "aws-sdk/clients/cognitoidentityserviceprovider";
-import { CodeMismatchError, NotAuthorizedError } from "../errors";
+import {
+  CodeMismatchError,
+  ExpiredCodeError,
+  NotAuthorizedError,
+} from "../errors";
 import { Services } from "../services";
 import { attribute, attributesAppend } from "../services/userPoolService";
 import { Target } from "./Target";
@@ -25,6 +29,10 @@ export const ConfirmSignUp =
       throw new NotAuthorizedError();
     }
 
+    if (!user.ConfirmationCode) {
+      throw new ExpiredCodeError();
+    }
+
     if (user.ConfirmationCode !== req.ConfirmationCode) {
       throw new CodeMismatchError();
     }