func-cognito-pre-signup

Description

Cognito pre-signup Lambda trigger that enforces invitation-only access control. Fires before a new user account is created in the User Pool.

For Google federated sign-ins, the function:

Looks up the user's email address in the firefly-users DynamoDB table (the allowed list).
Allows the sign-in if the email is found and the invitation has not expired; raises an exception to block it otherwise.

Admin-created users (e.g., the first super user bootstrapped via the Cognito console, or test users created with AdminCreateUser) always pass through without an allowed-list check.

Invocation

Invoked by Cognito as a pre-signup Lambda trigger before a new user is confirmed in the User Pool.

Sequence Diagram

Trigger Sources

`triggerSource`	Behaviour
`PreSignUp_ExternalProvider`	Checks allowed list
`PreSignUp_AdminCreateUser`	Always allowed (bypasses allowed-list check)

Environment Variables

Variable	Description
`DYNAMODB_USERS_TABLE_NAME`	Name of the `firefly-users` DynamoDB table (hardcoded: `firefly-users`)

Deployment

See the deployment workflow documentation for workflow steps, infrastructure dependencies, and failure scenarios.

Hardware

Versions

Hardware Registration and Configuration Application

Controller Application

Configurator

Home Assistant and MQTT Automation

Hardware

Versions

Hardware Registration and Configuration

Client Application

Home Assistant and MQTT Automation

FireFly Management Console

Lambda Functions

Deployment and Deletion

Hardware Registration and Configuration Application

Controller Application

Configurator

Hardware Registration and Configuration

Client Application

func-cognito-pre-signup ​

Description ​

Invocation ​

Sequence Diagram ​

Trigger Sources ​