AWS Cognito: Verify deletion of user

We need a verification step for user deletion through AWS Cognito.

Upon requesting deletion, a verification code should be sent to the user's email address (like it's done with sign-up).

All AWS Cognito offers is:

  • DeleteUser: only needs an access token
  • AdminDeleteUser: only needs a username

How would you incorporate the verification step for deletion into AWS Cognito?

Side note: We're using Lambda in combination with API Gateway to handle all our requests to Cognito.

Solution 1:[1]

This flow is not natively supported by Cognito, meaning, if you want to achieve this, you'll have to implement this flow manually as one (or two) endpoints on your API Gateway and a Lambda which in turn uses the AdminDeleteUser functionality.

Simple example:

  1. GET /user/delete: Create a JWT token, send an email to the user with a link, including a token to verify the deletion request. The token can contain the username and an expiration time. (You can use Amazon SES to send the email).
  2. GET /user/delete?token=verificationToken: Extract the username from the token and execute AdminDeleteUser using the username.
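The two-endpoint flow from the answer, written out as an added example (this is not code from the original answer or from AWS). It keeps the answer's idea of a self-contained, expiring token that carries the username, but signs it with an HMAC from the standard library instead of a JWT library so it runs offline, and adds two defensive details the answer does not spell out: the token states its purpose so it cannot be replayed as some other kind of token, and it carries a unique id so a link can only be used once. The names `send_email`, `delete_user`, `DeletionFlow`, the `/user/delete/confirm` path and the secret are assumptions; in a real deployment `send_email` would wrap Amazon SES and `delete_user` would call `AdminDeleteUser` via boto3, and the set of used ids would live in a store such as DynamoDB rather than in memory.

```python
"""Added example (not part of the Stack Overflow answer): email-verified account
deletion behind API Gateway + Lambda, using an HMAC-signed, expiring, single-use
token. SES and Cognito AdminDeleteUser are injected as callables so the module
runs offline; `send_email` and `delete_user` are hypothetical stand-ins."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 15 * 60  # the emailed link is valid for 15 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_deletion_token(username: str, secret: bytes, now: Optional[int] = None) -> str:
    """Build a signed token bound to one user, one purpose and one time window."""
    now = int(time.time()) if now is None else now
    payload = {
        "sub": username,
        "purpose": "delete_account",  # a reset-password token must not delete accounts
        "exp": now + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(16),  # unique id so the token can be marked as used
    }
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_deletion_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature, purpose and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # constant-time comparison; reject before trusting anything in the body
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, TypeError):  # bad padding, wrong shape, malformed JSON
        return None
    if payload.get("purpose") != "delete_account" or payload.get("exp", 0) <= now:
        return None
    return payload


class DeletionFlow:
    """The two Lambda handlers from the answer: request, then confirm."""

    def __init__(self, secret: bytes, send_email: Callable[[str, str], None],
                 delete_user: Callable[[str], None], base_url: str):
        self.secret = secret
        self.send_email = send_email    # stand-in for Amazon SES
        self.delete_user = delete_user  # stand-in for cognito-idp AdminDeleteUser
        self.base_url = base_url
        self.used_jtis: set = set()     # in production: DynamoDB item with a TTL

    def request_deletion(self, username: str, email: str, now: Optional[int] = None) -> dict:
        """Step 1: the authenticated user asks to be deleted; mail them a link."""
        token = create_deletion_token(username, self.secret, now)
        self.send_email(email, f"{self.base_url}/user/delete/confirm?token={token}")
        return {"statusCode": 202, "body": "verification email sent"}

    def confirm_deletion(self, token: str, now: Optional[int] = None) -> dict:
        """Step 2: the link is followed; delete only if the token is valid and unused."""
        payload = verify_deletion_token(token, self.secret, now)
        if payload is None:
            return {"statusCode": 400, "body": "invalid or expired token"}
        if payload["jti"] in self.used_jtis:
            return {"statusCode": 409, "body": "token already used"}
        self.used_jtis.add(payload["jti"])
        self.delete_user(payload["sub"])  # AdminDeleteUser(UserPoolId=..., Username=sub)
        return {"statusCode": 200, "body": "user deleted"}


if __name__ == "__main__":
    # constructed demo data; nothing is sent or deleted
    flow = DeletionFlow(b"demo-secret", lambda to, link: print("mail to", to, link),
                        lambda u: print("AdminDeleteUser", u), "https://api.example.invalid")
    flow.request_deletion("alice", "alice@example.invalid")
```

Two practical points on wiring this up. Read the signing secret from Secrets Manager or an encrypted environment variable rather than from source, since anyone holding it can mint deletion links for any username. And although the answer uses GET for both endpoints, consider serving the confirm step as a POST (the emailed link opens a small page whose button submits the token): some mail clients and link scanners fetch GET links automatically, which would delete the account without the user ever clicking.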

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 stijndepestel