
Releases: TocConsulting/cognito-api

CognitoApi v2.0.0

23 Jun 13:02


CognitoApi v2.0.0

This release adds passwordless passkeys and self-service MFA recovery, makes token verification real, shortens refresh-token lifetime, and removes the API-key requirement.

✨ New features

  • Passkeys / WebAuthn — passwordless registration and sign-in, plus listing and deleting a user's credentials (6 endpoints: passkey-register-start/complete, passkey-login-start/complete, passkey-list, passkey-delete).
  • Self-service MFA reset — an email recovery-code flow to re-enroll an authenticator without admin involvement (mfa-reset-start → mfa-reset-verify → mfa-reset-confirm), built on Cognito custom-auth triggers (define/create/verify-auth-challenge).

🔒 Security

  • Real JWT verification — /v1/userinfo now validates tokens against the user pool's JWKS (RS256, issuer + expiry checked) via PyJWKClient, instead of trusting an unverified signature.
  • Refresh-token lifetime cut from 30 days to 1 day (24h).
  • Anti-enumeration — the new MFA-reset and passkey flows return the same response whether or not the account exists, so callers can't probe for valid users.
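The /v1/userinfo check described above in runnable form, as an added example that is not code from cognito-api: it resolves the signing key from the pool's JWKS with PyJWT's PyJWKClient and enforces RS256 only, issuer, expiry and the app client. The user pool id and app client id are placeholders, and the token_use / client_id checks are assumed Cognito claim conventions rather than something the release states.

```python
import os
import jwt                      # PyJWT (pip install "pyjwt[crypto]")
from jwt import PyJWKClient

REGION = os.getenv("AWS_REGION", "eu-west-1")
# Placeholders: the release does not publish these values.
USER_POOL_ID = os.getenv("USER_POOL_ID", "eu-west-1_PLACEHOLDER")
APP_CLIENT_ID = os.getenv("APP_CLIENT_ID", "placeholder-app-client-id")


def cognito_issuer(region: str, user_pool_id: str) -> str:
    """Issuer claim Cognito puts in every token minted for this pool."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def verify_cognito_token(token, signing_key, region, user_pool_id,
                         app_client_id, expected_use="access"):
    """Verify signature (RS256 only), issuer, expiry and app client.

    signing_key is the pool's public key for the token's kid (key object
    or PEM). Returns the claims; raises jwt.PyJWTError on any failure.
    """
    issuer = cognito_issuer(region, user_pool_id)
    # ID tokens carry the app client in 'aud'; access tokens in 'client_id'.
    aud_kwargs = {"audience": app_client_id} if expected_use == "id" else {}
    claims = jwt.decode(
        token, signing_key,
        algorithms=["RS256"],   # rejects alg=none and HS256 downgrades
        issuer=issuer,          # another pool/region -> InvalidIssuerError
        options={"require": ["exp", "iat", "iss", "sub", "token_use"]},
        **aud_kwargs,
    )
    if claims["token_use"] != expected_use:
        raise jwt.InvalidTokenError(
            f"token_use is {claims['token_use']!r}, expected {expected_use!r}")
    if expected_use == "access" and claims.get("client_id") != app_client_id:
        raise jwt.InvalidTokenError("access token belongs to another app client")
    return claims


def verify_with_jwks(token, region=REGION, user_pool_id=USER_POOL_ID,
                     app_client_id=APP_CLIENT_ID, expected_use="access"):
    """Fetch the pool's JWKS, select the key by the token's kid, verify."""
    jwks_url = cognito_issuer(region, user_pool_id) + "/.well-known/jwks.json"
    key = PyJWKClient(jwks_url).get_signing_key_from_jwt(token).key
    return verify_cognito_token(token, key, region, user_pool_id,
                                app_client_id, expected_use)
```

In a Lambda, build the PyJWKClient once at module load so the JWKS is cached across invocations instead of fetched per request.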

🔑 Keyless API (breaking)

  • The API-key requirement was removed on every endpoint (is-api-key-required flipped true → false). Authenticate with the bearer token; drop any x-api-key header. README and Postman updated to match.

🛠️ Improvements & cleanup

  • Region-portable — region now comes from the AWS_REGION environment variable (REGION = os.getenv('AWS_REGION', 'eu-west-1')); nothing is hardcoded.
  • Per-environment terraform.tfvars.* are gitignored; committed *.example templates carry placeholder values only.
  • Removed the dead resend-mfa Lambda (+ its IAM policy), the unused opencv / pillow / pyotp / qrcode build layers, the Cognito SNS-SMS IAM policies, and an unused s3.tf.

⚠️ Breaking changes

  • No API key — x-api-key is no longer accepted or required; remove it from clients.
  • Refresh tokens expire after 1 day (was 30) — clients refresh more often or re-authenticate.

⬆️ Upgrade notes

cd terraform
cp environments/dev/terraform.tfvars.dev.example environments/dev/terraform.tfvars.dev
# fill in your real values (this file is gitignored)
make apply

📦 Footprint

  • 27 Lambda functions.

1.0.0

29 Jun 19:00


The 1.0.0 release is production ready and uses the MIT License.