Cognito DR Demo
Reference SPA for the multi-region Cognito disaster-recovery drill harness. See the repository for architecture and runbooks.
Configured: — DNS resolves to: — JWT issuer: —
Sign in
Sign-in uses the CUSTOM_AUTH flow — your password is verified against an argon2id hash in DynamoDB, not Cognito's internal password store. See CUSTOM_AUTH_FLOW.md. If the Cognito pool's adaptive-auth risk engine flags your sign-in, an SMS MFA challenge is inserted after the password challenge — the wizard above handles that path.
Sign up
Sign-up captures your password in the PreSignUp Lambda, which writes an argon2id hash to the DDB Global Table before Cognito confirms the account. Email verification is enforced by setting auto_verified_attributes = ["email"] on the user pool — Cognito emails a 6-digit code via SES, and only a ConfirmSignUp call with the matching code completes the account. After confirmation this form auto-advances to the sign-in tab.
Change password
Sign in first — password change requires an authenticated session.
Scaffold note: this flow currently calls Cognito's built-in ChangePassword, which in this project is a placeholder until the custom /password endpoint ships (see ARCHITECTURE.md § Password change). The final implementation routes the request through a Lambda that updates the argon2id hash in the DDB Global Table; until then, a password changed here WILL update Cognito but will NOT update DDB, so the next sign-in will fail. Use only in scaffolding demos.
Forgot password
Scaffold note: this flow currently calls Cognito's built-in ForgotPassword / ConfirmForgotPassword APIs. The final design (see ARCHITECTURE.md § Forgot password) routes through a custom /password-reset-initiate / /password-reset-complete pair of Lambdas so the DDB Global Table is kept in sync. Until that ships, this flow updates Cognito only and leaves DDB stale — a reset here will break sign-in.
Failover drill
The request will be authenticated with your sign-in idToken. The drill endpoint re-validates your group membership server-side before touching ARC — your browser cannot bypass that check by editing the page.
Scaffold note: set failoverDrillEndpoint in demo-site/config.js to your deployed drill Lambda's HTTPS URL. Until then, the button will surface a network error. The Lambda contract is: POST { action: "flip" | "flipback" } with Authorization: Bearer <idToken>, returning { ok: true, message, state } on success or a non-2xx with { ok: false, message } on failure.
Session status
Not signed in.