
@juno-visualsquares
Contributor

  • For migrating a Cognito user pool, people might want to do it silently, recovering a hashed password / using a custom new password policy for each user
  • If all users are imported with the same new password (the current password parameter's behavior), this is risky for any system

An example usage: create a pwd_module.js

// pwd_module.js: loaded by the CLI via --pwdModule; it must export
// getPwdForUsername(username), which returns the password to set for that user.
var exports = module.exports = {};

exports.getPwdForUsername = function (username) {
    // Do custom logic here: generate a password, or look it up in a backup of hashed passwords
    return 'XXXXX'; // placeholder value
};

Usage:
node ./build/cli/cli.js restore --pwdModule {absolute path for pwd_module.js}

@juno-visualsquares
Contributor Author

I am planning to add a local CSV output too,
as when the pwd/pwdModule options are used,
people would care about whether the users are imported with the specified pwd.

'username', 'password'
'AAA', 'ABCDEF'
'BBB', 'BBBBBB'
'CCC', '(N/A, generated by Cognito)'

This might be wanted when people are going to migrate cognito user pool.
Any suggestion/comment on that?

@rahulpsd18
Owner

rahulpsd18 commented Aug 20, 2018

Hey, thanks for this. I appreciate you for taking time out and implementing this. But I was planning to remove the custom password setting option completely and make use of cognito generated password via email with OTP only.

Reason being, any access to manipulate a user's password, whether you know it or provide it (current implementation) or control its generation (your PR), is a security loophole.

Any suggestions?

@juno-visualsquares
Contributor Author

I understand that concern. Security usually comes with a compromise in flexibility.

For my usage, use of an AWS Cognito user pool also creates enormous vendor lock-in for a product if one cannot migrate a user pool without disturbing every user to reverify their email and reset their password on migration. We need to take a salt-and-hash approach before Cognito so that we never know the user's input; this feature could be one essential part of it.

Programmers need to strike a balance between using these options or not, and handle security at their own risk if they do (e.g. access control on their storage). (I personally would prefer keeping these options but giving text warnings.)

@rahulpsd18
Owner

Yeah, I see where you are coming from. I appreciate you for taking time out and contributing.
I will gladly merge and release once I get around to verifying the changes.
Thanks 😄

@rahulpsd18 rahulpsd18 merged commit 144d0f7 into rahulpsd18:master Sep 14, 2018
@rahulpsd18
Owner

@all-contributors please add @juno-visualsquares for code and ideas

@allcontributors
Contributor

@rahulpsd18

I've put up a pull request to add @juno-visualsquares! 🎉
