jagregory / cognito-local

Local emulator for Amazon Cognito
MIT License
278 stars 67 forks

AdminDisableUser does not revoke tokens #381

Open KristobalJunta opened 1 year ago

KristobalJunta commented 1 year ago

There is an inconsistency in handling user tokens by cognito-local and "real" AWS Cognito.

  1. InitiateAuth API call with USER_PASSWORD_AUTH flow returns tokens, namely: AccessToken, IdToken, RefreshToken.

  2. If AdminDisableUser is called after that - user tokens are invalidated. As per documentation:

    Deactivates a user and revokes all access tokens for the user.

  3. If a new InitiateAuth is attempted after that with REFRESH_TOKEN_AUTH flow and a token saved from p1 - real AWS Cognito returns an error, due to the token being revoked.

  4. On the other hand, cognito-local does not revoke tokens after p2 and the second InitiateAuth (p3) completes successfully.

kadyrleev commented 5 months ago

Yep, userPasswordAuthFlow is currently missing a check for Enabled status.
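As an added example (not cognito-local's own code, nor a reproduction of its internals), the following TypeScript models the four steps of the issue in memory: USER_PASSWORD_AUTH issues tokens, AdminDisableUser both flips `Enabled` and revokes the user's issued tokens, and both InitiateAuth flows check `Enabled` (the check kadyrleev notes is missing). Tokens are opaque random strings rather than JWTs, and the `NotAuthorizedException` error name, the `MiniCognito` class and its method names are assumptions made for this illustration.

```typescript
import { randomBytes } from "crypto";

// Constructed in-memory model of InitiateAuth / AdminDisableUser semantics.
// Added example, not cognito-local's own code.
type User = { username: string; password: string; enabled: boolean };
type AuthFlow = "USER_PASSWORD_AUTH" | "REFRESH_TOKEN_AUTH";
export type Tokens = { AccessToken: string; IdToken: string; RefreshToken?: string };

export class NotAuthorizedError extends Error {
  // Assumed error name for this example; the issue does not quote the real one.
  readonly code: string = "NotAuthorizedException";
  constructor(message: string) {
    super(message);
    this.name = "NotAuthorizedError";
  }
}

export class MiniCognito {
  private users = new Map<string, User>();
  // Tokens that are still valid, keyed by token value -> owning username.
  private refreshTokens = new Map<string, string>();
  private accessTokens = new Map<string, string>();

  adminCreateUser(username: string, password: string): void {
    this.users.set(username, { username, password, enabled: true });
  }

  // Step 2 of the issue: deactivate the user AND revoke every token issued to them,
  // so a saved refresh token is useless afterwards even if Enabled were flipped back.
  adminDisableUser(username: string): void {
    const user = this.users.get(username);
    if (!user) throw new Error("UserNotFoundException");
    user.enabled = false;
    for (const [token, owner] of this.refreshTokens) {
      if (owner === username) this.refreshTokens.delete(token);
    }
    for (const [token, owner] of this.accessTokens) {
      if (owner === username) this.accessTokens.delete(token);
    }
  }

  // Resource servers would consult this before honouring a bearer token.
  isAccessTokenValid(token: string): boolean {
    const owner = this.accessTokens.get(token);
    return owner !== undefined && this.users.get(owner)?.enabled === true;
  }

  initiateAuth(flow: AuthFlow, params: Record<string, string>): Tokens {
    switch (flow) {
      case "USER_PASSWORD_AUTH": {
        const user = this.users.get(params.USERNAME);
        if (!user || user.password !== params.PASSWORD) {
          throw new NotAuthorizedError("Incorrect username or password.");
        }
        this.requireEnabled(user); // the Enabled check the comment above says is missing
        const refresh = this.newToken();
        this.refreshTokens.set(refresh, user.username);
        return { ...this.issueAccessAndId(user.username), RefreshToken: refresh };
      }
      case "REFRESH_TOKEN_AUTH": {
        const owner = this.refreshTokens.get(params.REFRESH_TOKEN);
        // Step 3: a revoked (or never issued) refresh token must be rejected.
        if (owner === undefined) throw new NotAuthorizedError("Refresh token has been revoked.");
        this.requireEnabled(this.users.get(owner)!);
        // Refresh yields fresh access/id tokens; the refresh token itself is reused.
        return this.issueAccessAndId(owner);
      }
    }
  }

  private requireEnabled(user: User): void {
    if (!user.enabled) throw new NotAuthorizedError("User is disabled.");
  }

  private issueAccessAndId(username: string): Tokens {
    const access = this.newToken();
    this.accessTokens.set(access, username);
    return { AccessToken: access, IdToken: this.newToken() };
  }

  private newToken(): string {
    return randomBytes(24).toString("base64url");
  }
}
```

Keeping the revocation in AdminDisableUser (rather than relying only on the `Enabled` check at refresh time) mirrors the documented "revokes all access tokens" wording: a token issued before the disable call is rejected even if the account is later re-enabled, which is the behaviour step 3 of the issue observes against real Cognito.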