rollback cognito if dynamo fails to update user record

landonshumway-ia · landonshumway-ia · commit ff60361f57ed · 2025-07-01T17:23:54.000-05:00
diff --git a/backend/compact-connect/lambdas/python/provider-data-v1/handlers/provider_users.py b/backend/compact-connect/lambdas/python/provider-data-v1/handlers/provider_users.py
@@ -381,11 +381,48 @@ def _post_provider_email_verify(event: dict, context: LambdaContext):  # noqa: A
             raise
 
         # Update the provider record with new email and clear verification data
-        config.data_client.complete_provider_email_update(
-            compact=compact,
-            provider_id=provider_id,
-            new_email_address=new_email,
-        )
+        try:
+            config.data_client.complete_provider_email_update(
+                compact=compact,
+                provider_id=provider_id,
+                new_email_address=new_email,
+            )
+        except Exception as dynamo_error:
+            # If DynamoDB update fails, we need to roll back the Cognito change
+            logger.error(
+                'DynamoDB update failed after Cognito update succeeded, rolling back Cognito changes',
+                compact=compact,
+                provider_id=provider_id,
+                error=str(dynamo_error),
+            )
+            try:
+                # Roll back the Cognito email change
+                config.cognito_client.admin_update_user_attributes(
+                    UserPoolId=config.provider_user_pool_id,
+                    Username=new_email,  # Current username is now the new email
+                    UserAttributes=[
+                        {'Name': 'email', 'Value': current_email},
+                        {'Name': 'email_verified', 'Value': 'true'},
+                    ],
+                )
+                logger.info(
+                    'Successfully rolled back Cognito email change',
+                    compact=compact,
+                    provider_id=provider_id,
+                )
+            except ClientError as rollback_error:
+                logger.error(
+                    'Failed to roll back Cognito email change - user may be in inconsistent state',
+                    compact=compact,
+                    provider_id=provider_id,
+                    original_error=str(dynamo_error),
+                    rollback_error=str(rollback_error.response),
+                )
+
+            # Raise internal exception to trigger alert
+            raise CCInternalException(
+                'Failed to complete email update - system may be in inconsistent state'
+            ) from dynamo_error
 
         # Send notification to old email address
         try:
@@ -417,4 +454,4 @@ def _post_provider_email_verify(event: dict, context: LambdaContext):  # noqa: A
             provider_id=provider_id,
             error=str(e),
         )
-        raise CCInternalException('Failed to verify email address') from e
+        raise CCInternalException('Failed to complete email update. Please try again later.') from e
diff --git a/backend/compact-connect/lambdas/python/provider-data-v1/tests/function/test_handlers/test_provider_users_email.py b/backend/compact-connect/lambdas/python/provider-data-v1/tests/function/test_handlers/test_provider_users_email.py
@@ -4,6 +4,7 @@
 from datetime import datetime
 from unittest.mock import patch
 
+from cc_common.exceptions import CCInternalException
 from common_test.test_constants import DEFAULT_COMPACT, DEFAULT_PROVIDER_ID
 from moto import mock_aws
 
@@ -562,3 +563,82 @@ def test_endpoint_returns_400_if_new_email_becomes_unavailable_during_verificati
 
         # Original email should remain unchanged
         self.assertEqual(TEST_OLD_EMAIL, stored_provider_data.compactConnectRegisteredEmailAddress)
+
+
+@mock_aws
+@patch('cc_common.config._Config.current_standard_datetime', datetime.fromisoformat('2024-11-08T23:59:59+00:00'))
+class TestPostProviderUsersEmailVerifyRollback(TstFunction):
+    """
+    Separate test class for rollback functionality to avoid cached property issues with data_client mocking.
+    """
+
+    def _when_testing_provider_user_event_with_custom_claims(
+        self, code=TEST_VERIFICATION_CODE, expiration=TEST_TOKEN_EXPIRATION
+    ):
+        self.test_data_generator.put_default_provider_record_in_provider_table(
+            value_overrides={
+                'compactConnectRegisteredEmailAddress': TEST_OLD_EMAIL,
+                'pendingEmailAddress': TEST_NEW_EMAIL,
+                'emailVerificationCode': '1234',
+                'emailVerificationExpiry': expiration,
+            }
+        )
+
+        event = self.test_data_generator.generate_test_api_event()
+        event['httpMethod'] = 'POST'
+        event['resource'] = '/v1/provider-users/me/email/verify'
+        event['requestContext']['authorizer']['claims']['custom:providerId'] = DEFAULT_PROVIDER_ID
+        event['requestContext']['authorizer']['claims']['custom:compact'] = DEFAULT_COMPACT
+        event['body'] = json.dumps({'verificationCode': code})
+
+        return event
+
+    @patch('cc_common.config._Config.email_service_client')
+    @patch('handlers.provider_users.config.data_client.complete_provider_email_update')
+    def test_endpoint_rolls_back_cognito_change_when_dynamo_update_fails(
+        self, mock_complete_email_update, mock_email_service_client
+    ):
+        from handlers.provider_users import provider_users_api_handler
+
+        # First create the old email user in Cognito so we can update it
+        self.config.cognito_client.admin_create_user(
+            UserPoolId=self.config.provider_user_pool_id,
+            Username=TEST_OLD_EMAIL,
+            UserAttributes=[
+                {'Name': 'email', 'Value': TEST_OLD_EMAIL},
+                {'Name': 'email_verified', 'Value': 'true'},
+                {'Name': 'custom:compact', 'Value': DEFAULT_COMPACT},
+                {'Name': 'custom:providerId', 'Value': DEFAULT_PROVIDER_ID},
+            ],
+            MessageAction='SUPPRESS',
+        )
+
+        # Mock the DynamoDB update method to fail
+        mock_complete_email_update.side_effect = Exception('DynamoDB connection error')
+
+        event = self._when_testing_provider_user_event_with_custom_claims()
+
+        # Should raise CCInternalException to trigger an alert
+        with self.assertRaises(CCInternalException) as context:
+            provider_users_api_handler(event, self.mock_context)
+
+        # Verify the exception message
+        self.assertEqual('Failed to complete email update. Please try again later.', str(context.exception))
+
+        # Verify the Cognito user's email was rolled back to the original email
+        cognito_users = self.config.cognito_client.list_users(
+            UserPoolId=self.config.provider_user_pool_id, Filter=f'email = "{TEST_OLD_EMAIL}"'
+        )
+
+        self.assertEqual(1, len(cognito_users['Users']))
+        user_attributes = {attr['Name']: attr['Value'] for attr in cognito_users['Users'][0]['Attributes']}
+
+        # Verify the email was rolled back
+        self.assertEqual(TEST_OLD_EMAIL, user_attributes['email'])
+        self.assertEqual('true', user_attributes['email_verified'])
+
+        # Verify no user exists with the new email address (rollback succeeded)
+        new_email_users = self.config.cognito_client.list_users(
+            UserPoolId=self.config.provider_user_pool_id, Filter=f'email = "{TEST_NEW_EMAIL}"'
+        )
+        self.assertEqual(0, len(new_email_users['Users']))
