Background
I'm using aws-amplify to interact with Cognito. So when a user registers with my app, I call Auth.signUp(). I'm passing only username (email) and password to this function.
My user pool is configured to allow sign in by email only:
The Bug?
In my front end code, I accidentally registered an event listener twice, so Auth.signUp() was being called twice (concurrently, or at least in rapid succession) with the same parameters.
This resulted in two users being created in my User Pool, with the same email. My understanding of my user pool configuration suggests that this shouldn't be possible.
Race Condition?
My first thought was that since I'm sending two requests so close together, this may be some sort of unavoidable race condition. If I introduce an artificial pause between the calls (a breakpoint, or a setTimeout, say), everything works as expected.
However, even with the requests very tightly spaced, the second request does return the error response I'd expect:
{ code: 'InvalidParameterException',
name: 'InvalidParameterException',
message: 'Alias entry already exists for a different username'
}
Sadly, this response is misleading, because I do get a second (duplicate) user created in my pool with this request.
MCVE
This is easy to reproduce by exercising Auth.signUp twice concurrently, either in a node script or a browser. This repository contains examples of both.
The Question(s)
To create a user pool: Choose Manage User Pools. Choose Create a user pool. Enter a name for your user pool and choose Review defaults to save the name. On the Review page, choose Create pool.
Amazon Cognito can automatically verify email addresses or phone numbers. To do this verification, Amazon Cognito sends a verification code or a verification link. For email addresses, Amazon Cognito can send a code or a link in an email message. For phone numbers, Amazon Cognito sends a code in an SMS text message.
The flow for changing a user's email is pretty similar to how we sign a user up. We ask a user to put in their new email. Cognito sends them a verification code. They enter the code and we confirm that their email has been changed.
You can't change standard user pool attributes after a user pool is created. Instead, create a new user pool with the attributes that you want to require for user registration. Then, migrate existing users to the new user pool by using an AWS Lambda function as a user migration trigger.
I sent this to AWS support. They're aware of the issue but have no ETA.
Thanks for contacting AWS Premium Support. I understand that you would like to know whether Cognito team is aware of the issue posted here[1].
I checked with Cognito team on our end and YES, they are aware of this issue/bug. Good news is, we already have trouble ticket open with Cognito Team to fix the issue. However, I won't be able to provide an ETA on when this fix will go live as I don't have any visibility into their development/release plans. But, I would like to thank you for your valued contribution in bringing this issue to our attention, I do appreciate it.