Support cognito admin user password auth flow (#3547)

Applies the user credentials pattern from the ADMIN_NO_SRP_AUTH flow to the ADMIN_USER_PASSWORD_AUTH auth flow for Cognito admin_initiate_auth requests. Co-authored-by: Robin Wilkins <r.wilkins@waracle.com>
2020-12-15 07:48:52 +00:00 · 2020-12-15 07:48:52 +00:00 · a31599d000
commit a31599d000
parent c9c30b8286
2 changed files with 113 additions and 76 deletions
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@ -719,6 +719,27 @@ class CognitoIdpBackend(BaseBackend):
                    "Session": session,
                }

+            return self._log_user_in(user_pool, client, username)
+        elif auth_flow == "ADMIN_USER_PASSWORD_AUTH":
+            username = auth_parameters.get("USERNAME")
+            password = auth_parameters.get("PASSWORD")
+            user = user_pool.users.get(username)
+            if not user:
+                raise UserNotFoundError(username)
+
+            if user.password != password:
+                raise NotAuthorizedError(username)
+
+            if user.status == UserStatus["FORCE_CHANGE_PASSWORD"]:
+                session = str(uuid.uuid4())
+                self.sessions[session] = user_pool
+
+                return {
+                    "ChallengeName": "NEW_PASSWORD_REQUIRED",
+                    "ChallengeParameters": {},
+                    "Session": session,
+                }
+
            return self._log_user_in(user_pool, client, username)
        elif auth_flow == "REFRESH_TOKEN":
            refresh_token = auth_parameters.get("REFRESH_TOKEN")