Enhance Inactive User Account Management

🗣 Description

This update introduces a systematic approach to managing user inactivity within our AWS Lambda function. It implements a tiered strategy for user notifications and account deactivation/removal based on inactivity duration thresholds: 30, 45, and 90 days. Addresses issue #2458

💭 Motivation and Context

The need for this enhancement arises from our commitment to maintaining a secure, active user base and adhering to data management best practices. By proactively managing inactive accounts through notifications, password resets, and eventual removal, we mitigate security risks and comply with data protection standards.

🧪 Testing

Testing was conducted in a controlled environment to simulate user inactivity scenarios. The updated function was verified to:

Notify users of impending deactivation after 30 days of inactivity.
Reset passwords and notify users at the 45-day mark.
Remove user accounts from both AWS Cognito and the database after 90 days, following a notification.

The function accurately identifies inactive users based on the lastLoggedIn timestamp and performs actions without affecting active users. Unit tests were added for the new logic, and integration tests were updated accordingly.

✅ Pre-approval Checklist

[x] Informative, human-readable PR title.
[x] Limited changes to a single goal to avoid scope creep.
[x] Captured all future TODOs in issues with references in code comments.
[x] Added appropriate labels for type-of-change.
[x] Reviewed the CONTRIBUTING document.
[x] Followed cisagov code standards.
[x] Updated relevant documentation to reflect PR changes.
[x] Added/modified tests to cover new/changed functionality.
[x] Ensured all new and existing tests pass.

✅ Pre-merge Checklist

[ ] Revert any dependency changes to default branches.
[ ] Finalize version before merging.

✅ Post-merge Checklist

[ ] Create a new release reflecting the changes.

cisagov / crossfeed

Update backend tasks to check for cognito user expiration #2510