cognito-local
Advanced tools
A Good Enough offline emulator for Amazon Cognito.
| Feature | Support |
|---|---|
| AddCustomAttributes | ❌ |
| AdminAddUserToGroup | ❌ |
| AdminConfirmSignUp | 🕒 (partial support) |
| AdminCreateUser | 🕒 (partial support) |
| AdminDeleteUser | ✅ |
| AdminDeleteUserAttributes | ❌ |
| AdminDisableProviderForUser | ❌ |
| AdminDisableUser | ❌ |
| AdminEnableUser | ❌ |
| AdminForgetDevice | ❌ |
| AdminGetDevice | ❌ |
| AdminGetUser | ✅ |
| AdminInitiateAuth | 🕒 (partial support) |
| AdminLinkProviderForUser | ❌ |
| AdminListDevices | ❌ |
| AdminListGroupsForUser | ❌ |
| AdminListUserAuthEvents | ❌ |
| AdminRemoveUserFromGroup | ❌ |
| AdminResetUserPassword | ❌ |
| AdminRespondToAuthChallenge | ❌ |
| AdminSetUserMFAPreference | ❌ |
| AdminSetUserPassword | ✅ |
| AdminSetUserSettings | ❌ |
| AdminUpdateAuthEventFeedback | ❌ |
| AdminUpdateDeviceStatus | ❌ |
| AdminUpdateUserAttributes | 🕒 (partial support) |
| AdminUserGlobalSignOut | ❌ |
| AssociateSoftwareToken | ❌ |
| ChangePassword | 🕒 (partial support) |
| ConfirmDevice | ❌ |
| ConfirmForgotPassword | 🕒 (partial support) |
| ConfirmSignUp | 🕒 (partial support) |
| CreateGroup | ✅ |
| CreateIdentityProvider | ❌ |
| CreateResourceServer | ❌ |
| CreateUserImportJob | ❌ |
| CreateUserPool | ✅ |
| CreateUserPoolClient | 🕒 (partial support) |
| CreateUserPoolDomain | ❌ |
| DeleteGroup | ❌ |
| DeleteIdentityProvider | ❌ |
| DeleteResourceServer | ❌ |
| DeleteUser | ✅ |
| DeleteUserAttributes | ❌ |
| DeleteUserPool | ❌ |
| DeleteUserPoolClient | ❌ |
| DeleteUserPoolDomain | ❌ |
| DescribeIdentityProvider | ❌ |
| DescribeResourceServer | ❌ |
| DescribeRiskConfiguration | ❌ |
| DescribeUserImportJob | ❌ |
| DescribeUserPool | ❌ |
| DescribeUserPoolClient | ✅ |
| DescribeUserPoolDomain | ❌ |
| ForgetDevice | ❌ |
| ForgotPassword | 🕒 (partial support) |
| GetCSVHeader | ❌ |
| GetDevice | ❌ |
| GetGroup | ❌ |
| GetIdentityProviderByIdentifier | ❌ |
| GetSigningCertificate | ❌ |
| GetUICustomization | ❌ |
| GetUser | ✅ |
| GetUserAttributeVerificationCode | ❌ |
| GetUserPoolMfaConfig | ❌ |
| GlobalSignOut | ❌ |
| InitiateAuth | 🕒 (partial support) |
| ListDevices | ❌ |
| ListGroups | ✅¹ |
| ListIdentityProviders | ❌ |
| ListResourceServers | ❌ |
| ListTagsForResource | ❌ |
| ListUserImportJobs | ❌ |
| ListUserPoolClients | ❌ |
| ListUserPools | ✅¹ |
| ListUsers | ✅¹ |
| ListUsersInGroup | ❌ |
| ResendConfirmationCode | ❌ |
| RespondToAuthChallenge | 🕒 (partial support) |
| RevokeToken | 🕒 (partial support) |
| SetRiskConfiguration | ❌ |
| SetUICustomization | ❌ |
| SetUserMFAPreference | ❌ |
| SetUserPoolMfaConfig | ❌ |
| SetUserSettings | ❌ |
| SignUp | 🕒 (partial support) |
| StartUserImportJob | ❌ |
| StopUserImportJob | ❌ |
| TagResource | ❌ |
| UntagResource | ❌ |
| UpdateAuthEventFeedback | ❌ |
| UpdateDeviceStatus | ❌ |
| UpdateGroup | ❌ |
| UpdateIdentityProvider | ❌ |
| UpdateResourceServer | ❌ |
| UpdateUserAttributes | ❌ |
| UpdateUserPool | ❌ |
| UpdateUserPoolClient | ❌ |
| UpdateUserPoolDomain | ❌ |
| VerifySoftwareToken | ❌ |
| VerifyUserAttribute | ❌ |
¹ does not support pagination or query filters, all results and attributes will be returned in the first request.
Additional supported features:
cognito-local can emulate Cognito's Lambda Triggers
by either invoking a real Lambda in an AWS account or a Lambda running on your local machine (via any tool which
supports the LambdaInvoke functionality, for example
serverless-offline).
To configure a Lambda Trigger, modify your configuration file to include a TriggerFunctions object
with a key for the Trigger and the value as your Lambda function name.
{
"TriggerFunctions": {
"CustomMessage": "my-function-name"
}
}
If you're using local invoke, you will also need to modify the LambdaClient.endpoint configuration to tell
cognito-local how to connect to your local Lambda server:
{
"LambdaClient": {
"endpoint": "http://host:port"
},
"TriggerFunctions": {
"CustomMessage": "my-local-function-name"
}
}
If you're running cognito-local in Docker and your local Lambda functions on your host, you may need to use the Docker local networking hostname as your endpoint. For example, on my Mac I use
http://host.docker.internal:3002.
| Trigger | Operation | Support |
|---|---|---|
| CreateAuthChallenge | * | ❌ |
| CustomEmailSender | * | ❌ |
| CustomMessage | AdminCreateUser | ✅ |
| CustomMessage | Authentication | ✅ |
| CustomMessage | ForgotPassword | ✅ |
| CustomMessage | ResendCode | ❌ |
| CustomMessage | SignUp | ✅ |
| CustomMessage | UpdateUserAttribute | ❌ |
| CustomMessage | VerifyUserAttribute | ❌ |
| DefineAuthChallenge | * | ❌ |
| PostAuthentication | PostAuthentication_Authentication | ✅ |
| PostConfirmation | ConfirmForgotPassword | ✅ |
| PostConfirmation | ConfirmSignUp | ✅ |
| PreAuthentication | * | ❌ |
| PreSignUp | PreSignUp_AdminCreateUser | ❌ |
| PreSignUp | PreSignUp_ExternalProvider | ❌ |
| PreSignUp | PreSignUp_SignUp | ✅ |
| PreTokenGeneration | * | ❌ |
| UserMigration | Authentication | ✅ |
| UserMigration | ForgotPassword | ❌ |
| VerifyAuthChallengeResponse | * | ❌ |
docker run --publish 9229:9229 jagregory/cognito-local:latest
Cognito Local will now be listening on http://localhost:9229.
To persist your database between runs, mount the /app/.cognito volume to your host machine:
docker run --publish 9229:9229 --volume $(pwd)/.cognito:/app/.cognito jagregory/cognito-local:latest
npm install --save-dev cognito-local
yarn add --dev cognito-local
# if node_modules/.bin is in your $PATH
cognito-local
# OR
yarn cognito-local
# OR
npx cognito-local
Cognito Local will now be listening on http://localhost:9229.
cognito-local runs on port 9229 by default. If you would like to use a different port, you can set the PORT
environment variable:
PORT=4000 cognito-local
If you're running in Docker, you can also rebind the published ports when you run:
docker run -p4000:9229 jagregory/cognito-local
Or combine the two approaches by setting an environment variable when you run:
docker run -p4000:4000 -e PORT=4000 jagregory/cognito-local
The same can be done in docker-compose with environment variables and port binding in compose.
You will need to update your AWS code to use the local address for Cognito's endpoint. For example, if you're using
amazon-cognito-identity-js you can update your CognitoUserPool usage to override the endpoint:
new CognitoUserPool({
/* ... normal options ... */
endpoint: "http://localhost:9229/",
});
You only want to do this when you're running locally on your development machine.
Once you've started Cognito Local the easiest way to create a new User Pool is with the aws-cli:
aws --endpoint http://localhost:9229 cognito-idp create-user-pool --pool-name MyUserPool
Replace the
--endpointwith whatever host and port you're running Cognito Local on.
If you run ls .cognito/db you will now see a new file called local_???.json where ??? is the Id from the output
of the command you just ran.
You may commit this file to version control if you would like all your team to use a common User Pool when developing, or you can have each team member run the above command when they first start using Cognito Local.
You do not need to supply a config unless you need to customise the behaviour of Congito Local. If you are using Lambda
triggers with local Lambdas, you will definitely need to override LambdaClient.endpoint at a minimum.
Before starting Cognito Local, create a config file if one doesn't already exist:
mkdir .cognito && echo '{}' > .cognito/config.json
You can edit that .cognito/config.json and add any of the following settings:
| Setting | Type | Default | Description |
|---|---|---|---|
LambdaClient | object | Any setting you would pass to the AWS.Lambda Node.js client | |
LambdaClient.credentials.accessKeyId | string | local | |
LambdaClient.credentials.secretAccessKey | string | local | |
LambdaClient.endpoint | string | local | |
LambdaClient.region | string | local | |
TokenConfig.IssuerDomain | string | http://localhost:9229 | Issuer domain override |
TriggerFunctions | object | {} | Trigger name to Function name mapping |
TriggerFunctions.CustomMessage | string | CustomMessage local lambda function name | |
TriggerFunctions.PostAuthentication | string | PostAuthentication local lambda function name | |
TriggerFunctions.PostConfirmation | string | PostConfirmation local lambda function name | |
TriggerFunctions.PreSignUp | string | PostConfirmation local lambda function name | |
TriggerFunctions.UserMigration | string | PreSignUp local lambda function name | |
UserPoolDefaults | object | Default behaviour to use for the User Pool | |
UserPoolDefaults.MfaConfiguration | string | MFA type | |
UserPoolDefaults.UsernameAttributes | string[] | ["email"] | Username alias attributes |
The default config is:
{
"LambdaClient": {
"credentials": {
"accessKeyId": "local",
"secretAccessKey": "local"
},
"region": "local"
},
"TokenConfig": {
"IssuerDomain": "http://localhost:9229"
},
"TriggerFunctions": {},
"UserPoolDefaults": {
"UsernameAttributes": ["email"]
}
}
If you need your Lambda endpoint to be HTTPS with a self-signed certificate, you will need to disable certificate
verification in Node for Cognito Local. The easiest way to do this is to run Cognito Local with the
NODE_TLS_REJECT_UNAUTHORIZED environment variable.
NODE_TLS_REJECT_UNAUTHORIZED=0 cognito-local
docker run --env NODE_TLS_REJECT_UNAUTHORIZED=0 ...
User Pools are stored in .cognito/db/$userPoolId.json. As not all API features are supported yet, you'll likely find
yourself needing to manually edit this file to update the User Pool config or users. If you do modify this file, you
will need to restart Cognito Local.
User Pool Clients are stored in .cognito/db/clients.json. You can create new User Pool Clients using the
CreateUserPoolClient API.
USER_PASSWORD_AUTH flow is supportedThere is limited support for Multi-Factor Authentication in Cognito Local. Currently, if a User Pool is configured to
have a MfaConfiguration of OPTIONAL or ON and a user has an MFAOption of SMS then Cognito Local will
follow the MFA flows. If a user does not have a phone_number attribute or any other type of MFA is used, Cognito Local
will fail.
When a user is prompted for a code of some kind (confirming their account, multi-factor auth), Cognito Local will write a message to the console with their confirmation code instead of emailing it to the user.
For example:
╭───────────────────────────────────────────────────────╮
│ │
│ Confirmation Code Delivery │
│ │
│ Username: c63651ae-59c6-4ede-ae7d-a8400ff65e8d │
│ Destination: example@example.com │
│ Code: 3520 │
│ │
╰───────────────────────────────────────────────────────╯
If a Custom Message lambda is configured, the output of the function invocation will be printed in the console too (verbosely!).
FAQs
The npm package cognito-local receives a total of 10,709 weekly downloads. As such, cognito-local popularity was classified as popular.
We found that cognito-local demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Malicious PyPI package ‘set-utils’ steals Ethereum private keys by exfiltrating them through blockchain transactions via the Polygon RPC.
Research
Security News
Malicious Go packages are impersonating popular libraries to install hidden loader malware on Linux and macOS, targeting developers with obfuscated payloads.
Security News
Bybit's $1.46B hack by North Korea's Lazarus Group pushes 2025 crypto losses to $1.6B in just two months, already surpassing all of 2024's $1.49B total.