func-cognito-pre-signup

Description

Cognito pre-signup Lambda trigger that enforces invitation-only access control. Fires before a new user account is created in the User Pool.

For Google federated sign-ins, the function:

Looks up the user's email address in the firefly-users DynamoDB table (the allowed list).
Verifies the user has access to the current environment.
Allows the sign-in if both checks pass; raises an exception to block it otherwise.

Admin-created users (e.g., the first super user bootstrapped via the Cognito console, or test users created with AdminCreateUser) always pass through without an allowed-list check.

Invocation

Invoked by Cognito as a pre-signup Lambda trigger before a new user is confirmed in the User Pool.

Sequence Diagram

Trigger Sources

`triggerSource`	Behaviour
`PreSignUp_ExternalProvider`	Checks allowed list and environment access
`PreSignUp_AdminCreateUser`	Always allowed (bypasses allowed-list check)

Environment Variables

Variable	Description
`DYNAMODB_USERS_TABLE_NAME`	Name of the `firefly-users` DynamoDB table
`ENVIRONMENT_NAME`	Current environment (`dev` or `production`)

Deployment

See the deployment workflow documentation for workflow steps, infrastructure dependencies, and failure scenarios.

Hardware

Versions

Controller Application

Configuration

Hardware Registration and Configuration Application

Home Assistant Auto Discovery and MQTT

FireFly Management Console

Lambda Functions

Deployment and Deletion

Controller Application

Configuration

Hardware Registration and Configuration Application

func-cognito-pre-signup ​

Description ​

Invocation ​

Sequence Diagram ​

Trigger Sources ​