
How to validate UpdateUserAttributes endpoint?


I'm using AWS Cognito in one of my projects. I have several custom fields for the user. How can I make sure that a user doesn't update a field which he shouldn't, e.g. "custom:account_type" or "custom:status"? Because the code is called from the client it can be manipulated.

One way to solve this is have a call to the application backend which in turn will validate the data and make the call then to Cognito, but I don't like this approach. The backend shouldn't be involved in this flow.

Since the client SDKs offer this possibility to update all the attributes, I'm wondering can't I make a Lambda function that is called prior to executing the endpoint and which validates the data? Or is there some other solution?

If I do nothing there will be a big security issue where a user can update a restricted field which might grant him extra permissions.


Solution

  • On the console and using the CLIs, you can set which attributes are readable and writable by each configured application client. You can have a client for your users that is not allowed to write attributes such as custom:account_type and custom:status. You can, however, update those fields from your backend for your users.

    You can have application clients be able to read those fields if you want to have custom logic for that.
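The per-app-client split described in the answer, as an added example that is not part of the original answer: the public (browser/mobile) client gets a `WriteAttributes` list that omits the privileged custom attributes but may still read them, and only a backend holding admin credentials writes them via `AdminUpdateUserAttributes`. The pool and client IDs are placeholders, `check_client_update` is a local helper that mirrors the check Cognito itself performs (a client writing an attribute outside its `WriteAttributes` list is rejected), and the live calls assume `boto3` is installed and configured.

```python
"""Configure a restricted Cognito app client and a backend-only writer.

Added example for the Q&A above; assumptions: placeholder IDs, boto3 present
for the two functions that actually call AWS.
"""

USER_POOL_ID = "us-east-1_EXAMPLE"        # placeholder, not a real pool
PUBLIC_CLIENT_ID = "PUBLIC_CLIENT_ID"      # placeholder app client for end users

# Attributes the end-user client is allowed to change about itself.
PUBLIC_WRITE = ["email", "name", "custom:display_theme"]

# Privileged attributes: readable by the client, writable only by the backend.
PRIVILEGED = ["custom:account_type", "custom:status"]
PUBLIC_READ = PUBLIC_WRITE + PRIVILEGED


def public_client_params():
    """Parameters for UpdateUserPoolClient that lock down the public client."""
    return {
        "UserPoolId": USER_POOL_ID,
        "ClientId": PUBLIC_CLIENT_ID,
        "ReadAttributes": PUBLIC_READ,
        "WriteAttributes": PUBLIC_WRITE,
    }


def check_client_update(requested, write_attributes=PUBLIC_WRITE):
    """Return the attribute names a client-side UpdateUserAttributes call
    would be rejected for (those not in the client's WriteAttributes).

    Local helper mirroring Cognito's own enforcement; an empty list means the
    whole update would be accepted for this client."""
    return sorted(name for name in requested if name not in write_attributes)


def apply_public_client_policy():
    """Push the restricted read/write lists to the real app client (needs AWS creds)."""
    import boto3  # imported here so the helpers above work without boto3
    client = boto3.client("cognito-idp")
    return client.update_user_pool_client(**public_client_params())


def backend_set_status(username, status):
    """Backend-only path for a privileged attribute: the admin API, called with
    server credentials, is not subject to the app client's WriteAttributes."""
    import boto3
    client = boto3.client("cognito-idp")
    return client.admin_update_user_attributes(
        UserPoolId=USER_POOL_ID,
        Username=username,
        UserAttributes=[{"Name": "custom:status", "Value": status}],
    )


if __name__ == "__main__":
    # Constructed sample of what a tampered client might try to send.
    attempt = {"email": "user@example.com", "custom:account_type": "admin"}
    print("rejected attributes:", check_client_update(attempt))
```

With this configuration the client SDK's `updateAttributes` call can still be manipulated, but Cognito refuses the privileged names at the pool boundary, so no Lambda trigger or backend proxy is needed for the ordinary profile-edit flow.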