Can't send validationData to lambda pre-sign-in trigger via confirmSignUp

[jasonrdunne]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

Next.js

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

CDK

Environment information

Binaries:
Node: 22.9.0 - /opt/homebrew/bin/node
Yarn: 1.22.21 - /opt/homebrew/bin/yarn
npm: 10.8.3 - /opt/homebrew/bin/npm
Browsers:
Chrome: 133.0.6943.142
Edge: 130.0.2849.56
Safari: 17.1
npmPackages:
@ampproject/toolbox-optimizer: undefined ()
@aws-amplify/auth: ^6.0.20 => 6.0.20
@aws-amplify/auth/cognito: undefined ()
@aws-amplify/auth/cognito/server: undefined ()
@aws-amplify/auth/enable-oauth-listener: undefined ()
@aws-amplify/auth/server: undefined ()
@aws-amplify/core: ^6.0.20 => 6.0.20
@aws-amplify/core/internals/adapter-core: undefined ()
@aws-amplify/core/internals/aws-client-utils: undefined ()
@aws-amplify/core/internals/aws-client-utils/composers: undefined ()
@aws-amplify/core/internals/aws-clients/cognitoIdentity: undefined ()
@aws-amplify/core/internals/aws-clients/pinpoint: undefined ()
@aws-amplify/core/internals/providers/pinpoint: undefined ()
@aws-amplify/core/internals/utils: undefined ()
@aws-amplify/core/server: undefined ()
@aws-amplify/ui-react: ^6.1.5 => 6.1.5
@aws-amplify/ui-react-internal: undefined ()
@babel/core: undefined ()
@babel/runtime: 7.22.5
@chatscope/chat-ui-kit-react: ^2.0.3 => 2.0.3
@chatscope/chat-ui-kit-styles: ^1.4.0 => 1.4.0
@edge-runtime/cookies: 4.1.0
@edge-runtime/ponyfill: 2.4.2
@edge-runtime/primitives: 4.1.0
@fortawesome/fontawesome-svg-core: ^6.5.1 => 6.5.1 (1.3.0)
@fortawesome/free-regular-svg-icons: ^6.5.1 => 6.5.1
@fortawesome/react-fontawesome: ^0.2.0 => 0.2.0 (0.1.19)
@hapi/accept: undefined ()
@hcaptcha/react-hcaptcha: ^1.10.1 => 1.10.1
@headlessui/react: 2.1.8 => 2.1.8
@mswjs/interceptors: undefined ()
@napi-rs/triples: undefined ()
@next/font: undefined ()
@next/react-dev-overlay: undefined ()
@opentelemetry/api: undefined ()
@react-pdf/renderer: ^3.1.14 => 3.1.14
@smastrom/react-rating: ^1.3.2 => 1.3.2
@stripe/connect-js: ^3.3.20 => 3.3.20
@stripe/react-connect-js: ^3.3.13 => 3.3.13
@stripe/react-stripe-js: ^2.7.3 => 2.7.3
@stripe/stripe-js: ^4.2.0 => 4.2.0
@t3-oss/env-nextjs: ^0.2.2 => 0.2.2
@types/eslint: ^8.21.3 => 8.44.7
@types/graphql: ^14.5.0 => 14.5.0
@types/node: 20.11.16 => 20.11.16 (20.11.27, 16.18.88)
@types/node-fetch: ^2.6.11 => 2.6.11
@types/react: ^18.0.28 => 18.2.37
@types/react-dom: ^18.0.11 => 18.2.15
@types/react-dropzone: ^5.1.0 => 5.1.0
@types/stripe-v3: ^3.1.33 => 3.1.33
@typescript-eslint/eslint-plugin: ^5.56.0 => 5.62.0
@typescript-eslint/parser: ^5.56.0 => 5.62.0
@vercel/nft: undefined ()
@vercel/og: 0.6.2
@welldone-software/why-did-you-render: ^7.0.1 => 7.0.1
acorn: undefined ()
amphtml-validator: undefined ()
anser: undefined ()
arg: undefined ()
assert: undefined ()
async-retry: undefined ()
async-sema: undefined ()
autoprefixer: ^10.4.16 => 10.4.16
aws-amplify: ^6.0.20 => 6.0.20
aws-amplify/adapter-core: undefined ()
aws-amplify/analytics: undefined ()
aws-amplify/analytics/kinesis: undefined ()
aws-amplify/analytics/kinesis-firehose: undefined ()
aws-amplify/analytics/personalize: undefined ()
aws-amplify/analytics/pinpoint: undefined ()
aws-amplify/api: undefined ()
aws-amplify/api/server: undefined ()
aws-amplify/auth: undefined ()
aws-amplify/auth/cognito: undefined ()
aws-amplify/auth/cognito/server: undefined ()
aws-amplify/auth/enable-oauth-listener: undefined ()
aws-amplify/auth/server: undefined ()
aws-amplify/datastore: undefined ()
aws-amplify/in-app-messaging: undefined ()
aws-amplify/in-app-messaging/pinpoint: undefined ()
aws-amplify/push-notifications: undefined ()
aws-amplify/push-notifications/pinpoint: undefined ()
aws-amplify/storage: undefined ()
aws-amplify/storage/s3: undefined ()
aws-amplify/storage/s3/server: undefined ()
aws-amplify/storage/server: undefined ()
aws-amplify/utils: undefined ()
aws-appsync: ^4.1.10 => 4.1.10
babel-packages: undefined ()
browser-image-compression: ^2.0.2 => 2.0.2
browserify-zlib: undefined ()
browserslist: undefined ()
buffer: undefined ()
bytes: undefined ()
ci-info: undefined ()
cli-select: undefined ()
client-only: 0.0.1
comment-json: undefined ()
compression: undefined ()
conf: undefined ()
constants-browserify: undefined ()
content-disposition: undefined ()
content-type: undefined ()
cookie: undefined ()
cookies-next: ^4.1.1 => 4.1.1
cross-spawn: undefined ()
crypto-browserify: undefined ()
css.escape: undefined ()
data-uri-to-buffer: undefined ()
debug: undefined ()
depcheck: ^1.4.7 => 1.4.7
devalue: undefined ()
domain-browser: undefined ()
edge-runtime: undefined ()
eslint: ^8.36.0 => 8.53.0
eslint-config-next: ^14.1.3 => 14.1.3
events: undefined ()
find-cache-dir: undefined ()
find-up: undefined ()
framer-motion: ^11.9.0 => 11.9.0
fresh: undefined ()
get-orientation: undefined ()
glob: undefined ()
graphql: ^16.8.1 => 16.8.1 (15.8.0)
graphql-subscriptions: ^2.0.0 => 2.0.0
graphql-ws: ^5.15.0 => 5.15.0
gzip-size: undefined ()
http-proxy: undefined ()
http-proxy-agent: undefined ()
https-browserify: undefined ()
https-proxy-agent: undefined ()
icss-utils: undefined ()
ignore-loader: undefined ()
image-size: undefined ()
is-animated: undefined ()
is-docker: undefined ()
is-wsl: undefined ()
jest-worker: undefined ()
jose: ^5.1.3 => 5.1.3
json5: undefined ()
jsonwebtoken: undefined ()
jwt-decode: ^4.0.0 => 4.0.0
loader-runner: undefined ()
loader-utils: undefined ()
lodash.curry: undefined ()
lru-cache: undefined ()
micromatch: undefined ()
mini-css-extract-plugin: undefined ()
nanoid: undefined ()
native-url: undefined ()
neo-async: undefined ()
next: ^14.1.3 => 14.1.3
node-fetch: ^3.3.2 => 3.3.2 (2.7.0, )
node-html-parser: undefined ()
obscenity: ^0.2.1 => 0.2.1
ora: undefined ()
os-browserify: undefined ()
p-limit: undefined ()
path-browserify: undefined ()
platform: undefined ()
postcss: ^8.4.31 => 8.4.31 (8.4.40)
postcss-flexbugs-fixes: undefined ()
postcss-modules-extract-imports: undefined ()
postcss-modules-local-by-default: undefined ()
postcss-modules-scope: undefined ()
postcss-modules-values: undefined ()
postcss-preset-env: undefined ()
postcss-safe-parser: undefined ()
postcss-scss: undefined ()
postcss-value-parser: undefined ()
prettier: ^3.0.3 => 3.1.0
process: undefined ()
punycode: undefined ()
querystring-es3: undefined ()
raw-body: undefined ()
react: ^18.2.0 => 18.2.0
react-builtin: undefined ()
react-currency-input-field: ^3.6.11 => 3.6.12
react-dom: ^18.2.0 => 18.2.0
react-dom-builtin: undefined ()
react-dom-experimental-builtin: undefined ()
react-dropzone: ^14.2.3 => 14.2.3
react-experimental-builtin: undefined ()
react-google-recaptcha: ^3.1.0 => 3.1.0
react-is: 18.2.0
react-pdf: ^7.5.1 => 7.5.1
react-query: ^3.39.3 => 3.39.3
react-refresh: 0.12.0
react-server-dom-turbopack-builtin: undefined ()
react-server-dom-turbopack-experimental-builtin: undefined ()
react-server-dom-webpack-builtin: undefined ()
react-server-dom-webpack-experimental-builtin: undefined ()
regenerator-runtime: 0.13.4
sass: ^1.62.1 => 1.69.5
sass-loader: undefined ()
scheduler-builtin: undefined ()
scheduler-experimental-builtin: undefined ()
schema-utils: undefined ()
semver: undefined ()
send: undefined ()
server-only: 0.0.1
setimmediate: undefined ()
shell-quote: undefined ()
source-map: undefined ()
stacktrace-parser: undefined ()
stream-browserify: undefined ()
stream-http: undefined ()
string-hash: undefined ()
string_decoder: undefined ()
strip-ansi: undefined ()
subscriptions-transport-ws: ^0.11.0 => 0.11.0
superstruct: undefined ()
tailwindcss: ^3.4.3 => 3.4.3
tar: undefined ()
terser: undefined ()
text-table: undefined ()
timers-browserify: undefined ()
tslint: ^6.1.3 => 6.1.3
tty-browserify: undefined ()
typescript: ^5.4.2 => 5.4.2
ua-parser-js: undefined ()
unistore: undefined ()
util: undefined ()
uuid: ^10.0.0 => 10.0.0 (9.0.1, 8.3.2, 3.4.0)
vm-browserify: undefined ()
watchpack: undefined ()
web-vitals: undefined ()
webpack: undefined ()
webpack-sources: undefined ()
ws: undefined ()
zod: ^3.21.4 => 3.22.4 ()
npmGlobalPackages:
@aws-amplify/cli: 12.10.1
npm: 10.8.3

Describe the bug

I'm doing the autosignin process with amplify, meaning:

1. The user signs up (with autosign in)
2. The user enters the confirmation code
3. The sign in process is automatically triggered by amplify

Amplify lets you pass metadata to the pre-sign-in lambda called "validationData". I am able to pass validationData through the signUp() parameters... however, I can't find a way to pass the metadata in via the confirmSignUp() parameters.

Expected behavior

I should be able to pass validationData in via confirmSignIn() parameters because this function runs before the sign-in is attempted.

Reproduction steps

I can successfully pass validationData in via signUp(...):

const { userId, nextStep } = await signUp({
        username: email.toLowerCase(),
        password,
        options: {
            userAttributes: {
                    email,
            },
            autoSignIn: {
                enabled: true,
                clientMetadata: {
                    METADATA: 'TEST', // lambda receives this
                },
            }
        },
});

However, I need to pass metadata via confirmSignUp(...), I already tried this:

const { isSignUpComplete, nextStep } = await confirmSignUp({
  username: email.toLowerCase(),
  confirmationCode: confirmationCode,
  options: {
    autoSignIn: {
      clientMetadata: {
        METADATA: 'TEST',
      },
      validationData: {
        METADATA: 'TEST',
      },
    },
    clientMetadata: {
      METADATA: 'TEST',
    },
    validationData: {
      METADATA: 'TEST',
    },
  },
});

How can i pass validationData in confirmSignUp to the sign-in trigger?

Code Snippet

No response

Log output

No response

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[HuiSF]

Hi @jasonrdunne According to this documentation, passing clientMetadata should be supported.

The sample code of calling the signUp and confirmSignUp APIs doesn't seem correct, in particular the options parameters of both API calls.

For example, the correct the code of calling the signUp API should be the following, note the autoSignIn parameters expects a boolean, and the clientMetadata parameter is its sibling. See the signUp API reference for more details.

  signUp({
    username: 'username',
    password: 'password',
    options: {
      userAttributes: {
        email: 'test@email.com',
      },
      autoSignIn: true,
      clientMetadata: {
        test: 'value',
      },
      validationData: {
        test: 'value',
      }
    }
  })

The correct code of calling the confirmSignUp() API should be the following, note that the options parameter of this API doesn't have autoSignIn and validationData properties. See the confirmSignUp API reference for more details.

  confirmSignUp({
    username: 'username',
    confirmationCode: '123456',
    options: {
      clientMetadata: {
        test: 'value',
      }
    }
  })

Can you correct the API calls, and try again?

[heitorzf]

Please EXCLUDE the repository!

[HuiSF]

Hi @heitorzf if you need any help from us, please feel free to open an issue. Thanks.

[jasonrdunne]

Hi @HuiSF i tried it like you said:

  confirmSignUp({
    username: 'username',
    confirmationCode: '123456',
    options: {
      clientMetadata: {
        test: 'value',
      }
    }
  })

and this metadata got routed into the signUp trigger, not signIn.

This is the order of operations:
1.

  signUp({
    username: 'username',
    password: 'password',
    options: {
      userAttributes: {
        email: 'test@email.com',
      },
      autoSignIn: true,
      clientMetadata: {
        test: 'value',
      },
      validationData: {
        test: 'value',
      }
    }
  })

  confirmSignUp({
    username: 'username',
    confirmationCode: '123456',
    options: {
      clientMetadata: {
        test: 'value',
      }
    }
  })

3. signUp lambda is triggered
4. signIn lambda is triggered

i need to pass metadata from confirmSignUp into the signin lambda trigger
It should be possible, in theory, because you can see confirmSignUp occurs before the signIn lambda executes.

[HuiSF]

Hi @jasonrdunne my apologies for my wrong evaluation of the signUp API's options parameter, you can actually passing clientMetadata under options.autoSignIn, i.e.

  signUp({
    username: 'username',
    password: 'password',
    options: {
      userAttributes: {
        email: 'test@email.com',
      },
      autoSignIn: {
        clientMetadata: {
		  hey: 'hi'
        },
      },
      clientMetadata: {
        test: 'value',
      },
      validationData: {
        test: 'value',
      }
    }
  })

The clientMetadata under the autoSignIn property will be used and submitted to the service when you call the autoSignIn() API to complete the new user sign-up flow.

Can you confirm, by "pre-sign-in trigger" you meant the "pre authentication trigger", correct?

I tested with the following flow

1. call the signUp API with the above payload
2. call the confirmSignUp API to confirm with the code
3. call the autoSignIn API when the next step became COMPLETE_AUTO_SIGN_IN

I observed the underlying service calls (InitiateAuth and RespondToAuthChallenge) both included the ClientMetadata: { hey: "hi"}. Then verified my pre authentication trigger lambda function received request also includes the data as the following

  request: {
    userAttributes: {
      sub: 'a881f3a0-8061-7078-a3d3-5974458a5afd',
      email_verified: 'false',
      'cognito:user_status': 'CONFIRMED',
      email: 'test@email.com'
    },
    validationData: { hey: 'hi' },
    userNotFound: false
  },

Which is expected as this documentation states:

validationData
One or more key-value pairs that contain the validation data in the user's sign-in request. To pass this data to your Lambda function, use the ClientMetadata parameter in the InitiateAuth and AdminInitiateAuth API actions.

[jasonrdunne]

Hi @HuiSF,

Yes I meant the "pre authentication trigger".

But like I said in the post, I've don't have troubles getting validationData sent using signUp(). The problem is I want to pass the validationData from confirmSignUp().

The reason I need to do this is because my validationData is a captcha token which expires in 2 minutes. If i include the token in signUp(), it expires while the user gets the code from their email. If i could include validationData from confirmSignUp(), then it wouldn't expire before the authentication trigger.

[HuiSF]

Hi @jasonrdunne got it, looking at the Amazon Cognito documentation, however, confirmSignUp triggers only the post confirmation hook. The pre authentication hook is triggered by a signIn request. Therefore I don't think you can send validationData to the pre authentication hook via a confirmSignUp call.

[jasonrdunne]

Hi @HuiSF,
How do people usually do captcha + signup then? This seems like a catch22, if you have to do captcha before the confirmation code process begins?

[yuhengshs]

Hi @jasonrdunne ,

You can consider doing the captcha validation in the the pre-sign-up lambda. Where you can validate users before they use the sign up api. This will also prevent orphan users exist from userpool because this will lock their creations.