Closed tony-musico closed 1 year ago
I agree the password policy should not be fetched so frequently but we can't put that caching logic here. This method is a pure GET
operation and a caller should be safe to assume that it is returning the latest policy.
I'm going to close this PR but what I recommend is in the CognitoPasswordValidator implement the caching. I would suggest caching the password policy but if the password validation has any errors then attempt to fetch the latest policy and then rerun the validation. We need some way for applications to be aware when the policy does change. We can't have our answer be go bounce all of your prod instances.
Issue:
When a user is registered, a call to
DescribeUserPool
is made to retrieve the Cognito user pool password policy. The password is validated client side before sending theSignUp
to Cognito.DescribeUserPool
has a low unchangeable quota, so using this API call should be kept to a minimum. The password policy does not change frequently which makes it a good candidate to be cached client side for the duration of the application.CognitoUserPool
by default is added to the DI containerIServiceCollection
with the lifetime ofSingleton
.see aws-aspnet-cognito-identity-provider source for TryAddCognitoUserPool This allows us to cache the password policy to the class
CognitoUserPool
as an instance property (static not needed).Description of change:
CognitoUserPool
.PasswordPolicy
was added to hold the cached password policy.CognitoUserPool
.GetPasswordPolicyTypeAsync()
was modified to callDescribeUserPool
only when neededBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.