1
votes

Currently using the Cognito JavaScript SDK, I'm a bit surprised to be told whether the username I'm sending exists or not:

Here is the code I'm using:

// At the top of the module
import { AuthenticationDetails, CognitoUserPool, CognitoUser } from 'amazon-cognito-identity-js';

// Class method; this.poolData holds { UserPoolId, ClientId }
login(username, password) {
  const authenticationData = {
    Username: username,
    Password: password,
  };

  const authenticationDetails = new AuthenticationDetails(authenticationData);

  const userPool = new CognitoUserPool(this.poolData);
  const userData = {
    Username: username,
    Pool: userPool,
  };

  this.cognitoUser = new CognitoUser(userData);
  this.cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
      console.log(result);
    },
    // Called when the user must set a new password (e.g. first login with a temporary one)
    newPasswordRequired: function (userAttributes, requiredAttributes) {
      // Handle the new-password challenge here
    },
    onFailure: function (err) {
      // err.code is 'NotAuthorizedException' or 'UserNotFoundException' (see below)
      console.log(err);
    },
  });
}

If I set username to mytest (an existing user) with a wrong password, I get the following error:

"NotAuthorizedException" Incorrect username or password.

It's OK. But if I set username to test12345 (a nonexistent user), I get this error:

"UserNotFoundException" User does not exist.

I think telling end users whether a username exists or not is not really safe.

Am I wrong? Is it something I did wrong?

I would like to have only the first exception, to notify end users that the login failed.

1
This is a security question, and one that has an answer. – Bram
Thanks, but I'm not talking about registration but authentication, and my user base would be rather small. I think Amazon should give us the ability to decide if we want this message to be displayed or not. It seems it's not possible yet... – Vico

1 Answer

2
votes

It took me some time to find it, but in the User Pool client settings there is an option "Prevent user existence errors" (General settings -> App clients). See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
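As an added example that is not part of the answer or of AWS's own tooling: a Node script that audits every app client in a pool for this setting and builds the update that enables it. It assumes the AWS SDK v3 package @aws-sdk/client-cognito-identity-provider, a USER_POOL_ID environment variable for a live run, and that ClientSecret, LastModifiedDate and CreationDate are the describe-response fields that UpdateUserPoolClient does not accept.

```javascript
// Audit Cognito app clients for PreventUserExistenceErrors and build a safe update.
// The pure functions are kept apart from the AWS calls so they run offline too.

// Describe-response fields that UpdateUserPoolClient rejects (assumption, see lead-in).
const READ_ONLY_FIELDS = ['ClientSecret', 'LastModifiedDate', 'CreationDate'];

// A client reveals whether a user exists unless the setting is explicitly ENABLED;
// the API reports the old behaviour as 'LEGACY', and an absent value means the same.
function leaksUserExistence(client) {
  return client.PreventUserExistenceErrors !== 'ENABLED';
}

// UpdateUserPoolClient resets every attribute you omit to its default, so the safe
// way to flip one flag is to resend the full current configuration with the change.
function buildEnableParams(client) {
  const params = {};
  for (const [key, value] of Object.entries(client)) {
    if (!READ_ONLY_FIELDS.includes(key)) params[key] = value;
  }
  params.PreventUserExistenceErrors = 'ENABLED';
  return params;
}

// List the clients that still leak, with the value they currently report.
function auditClients(clients) {
  return clients.filter(leaksUserExistence).map((c) => ({
    ClientId: c.ClientId,
    ClientName: c.ClientName,
    current: c.PreventUserExistenceErrors || 'LEGACY',
  }));
}

// Constructed sample of DescribeUserPoolClient results, used for the offline run.
const SAMPLE_CLIENTS = [
  { ClientId: 'aaa', ClientName: 'web', UserPoolId: 'us-east-1_EXAMPLE', PreventUserExistenceErrors: 'LEGACY', ClientSecret: 'x', CreationDate: 1 },
  { ClientId: 'bbb', ClientName: 'mobile', UserPoolId: 'us-east-1_EXAMPLE', PreventUserExistenceErrors: 'ENABLED' },
  { ClientId: 'ccc', ClientName: 'old', UserPoolId: 'us-east-1_EXAMPLE' },
];

// Live run: needs credentials and the SDK package; set FIX=1 to also apply the update.
async function main(UserPoolId) {
  const sdk = await import('@aws-sdk/client-cognito-identity-provider');
  const cip = new sdk.CognitoIdentityProviderClient({});
  const listed = await cip.send(new sdk.ListUserPoolClientsCommand({ UserPoolId, MaxResults: 60 }));
  const clients = [];
  for (const { ClientId } of listed.UserPoolClients || []) {
    const d = await cip.send(new sdk.DescribeUserPoolClientCommand({ UserPoolId, ClientId }));
    clients.push(d.UserPoolClient);
  }
  console.log(auditClients(clients));
  if (process.env.FIX === '1') {
    for (const c of clients.filter(leaksUserExistence)) {
      await cip.send(new sdk.UpdateUserPoolClientCommand(buildEnableParams(c)));
    }
  }
}

if (process.env.USER_POOL_ID) main(process.env.USER_POOL_ID).catch((e) => { console.error(e); process.exit(1); });
else console.log(auditClients(SAMPLE_CLIENTS));
```

Without USER_POOL_ID the script only audits the constructed sample, which is enough to see the two leaking clients reported as LEGACY.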