Hi,
I integrated with cognitoUser.authenticate yesterday and stumbled across something that I consider to be a bug.
I have a user in my User Pool with username=foo.
When I try to authenticate with this user but give an incorrect password I get the following error message:
{
"message": "Incorrect username or password.",
"code": "NotAuthorizedException",
...
}
It correctly tells me that either the username or password was incorrect.
However, if I try to authenticate with username=bar I get the following error message:
{
"message": "Username/client id combination not found.",
"code": "ResourceNotFoundException",
...
}
Now it tells me that the username does not exist.
This can easily be done to harvest valid usernames, and since a lot of sites opt to use email as username it's a great way to harvest valid email addresses.
Both these errors should yield the same error message, namely the first one which does not indicate what went wrong (although, at the moment we know it was the password that was incorrect since it did not complain about the user not existing).
I understand that these errors most likely originate from the backend, so I guess that this might not be something that you guys can address, but maybe you can send this feedback to the backend team or help me get in touch with them.
Hi,
Thank you for bringing this to our attention. We are aware of this issue and are working towards finding an appropriate way to handle such cases.
Thanks,
Essentially the same issue with sign-up as well - it should always reply with "A confirmation code has been sent _if this username does not already exist_".
I believe this should be configurable, as I've seen different handling of this requirement (mostly dependent on if you use email as username, but not exclusively)
A related but lesser problem is that passwords of less than 6 chars get an API ValidationError rather than a friendlier complexity requirement message.
Just checking in - has there been any progress here? Not only is the messaging different between the invalid user / invalid password cases (including several error headers), but there is a whole second network request (validating the password) that never happens in the invalid user case.
As-is, this probably isn't suitable for client-side use and it looks like the JS SDK is intended for both browser and node (i.e. there isn't a separate web client SDK) -- is there a different Cognito endpoint that abstracts over these authentication steps?
You can use the admin APIs, which is what we do. Essentially a thin Lambda proxy between your client and Cognito. It might even be preferable if you ever want to swap Cognito for something else and have multiple clients, which a lot of services have today.
(Replying to Mark Szumowski's comment of Wed, Jan 10, 2018, 20:44.)
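The thin-proxy approach suggested above, written out as an added example (not code from the thread, the Cognito SDK, or any commenter): both sign-in failure codes from the issue collapse into the one message Cognito already returns for a bad password, and sign-up always returns the "code sent if not registered" reply proposed earlier in the thread. The `client` interface, `fakeCognito` stand-in, and the `UserNotFoundException`/`UsernameExistsException` codes are assumptions for the example.

```javascript
// Added example, not code from the thread or the Cognito SDK: a thin proxy (the
// "Lambda between client and Cognito" idea from the thread) that collapses every
// sign-in failure into Cognito's bad-password message and every sign-up outcome
// into one "code sent if not registered" reply, so nothing reveals whether a user exists.
const GENERIC_SIGNIN_ERROR = 'Incorrect username or password.';
const GENERIC_SIGNUP_REPLY = 'A confirmation code has been sent if this username is not already registered.';
// Codes the thread shows as distinguishable, plus UserNotFoundException (assumed
// Cognito code for the same "no such user" case).
const SIGNIN_CREDENTIAL_CODES = new Set(['NotAuthorizedException', 'ResourceNotFoundException', 'UserNotFoundException']);
// `client` is any object whose authenticate(username, password) returns a session
// and whose signUp(username, password) returns nothing; both throw an Error with a
// Cognito-style `code` on failure.
function proxySignIn(client, username, password) {
  try {
    return { ok: true, session: client.authenticate(username, password) };
  } catch (err) {
    const code = err && err.code;
    // `audit` is for server-side logging only, never for the client: a burst of
    // ResourceNotFound/UserNotFound codes from one source signals enumeration.
    const audit = { stage: 'signin', code };
    const message = SIGNIN_CREDENTIAL_CODES.has(code)
      ? GENERIC_SIGNIN_ERROR : 'Sign-in is temporarily unavailable.';
    return { ok: false, message, audit };
  }
}
function proxySignUp(client, username, password) {
  try {
    client.signUp(username, password);
  } catch (err) {
    // An existing account gets the same reply as a fresh sign-up; anything else
    // is a real failure (UsernameExistsException is an assumed Cognito code).
    if (!err || err.code !== 'UsernameExistsException') {
      return { ok: false, message: 'Sign-up is temporarily unavailable.',
               audit: { stage: 'signup', code: err && err.code } };
    }
  }
  return { ok: true, message: GENERIC_SIGNUP_REPLY };
}
// Constructed stand-in for Cognito that fails exactly the way the thread describes.
const cognitoError = (code, message) => Object.assign(new Error(message), { code });
const fakeCognito = {
  users: { foo: 'correct-password' }, // constructed test account
  authenticate(u, p) {
    if (!(u in this.users)) throw cognitoError('ResourceNotFoundException', 'Username/client id combination not found.');
    if (this.users[u] !== p) throw cognitoError('NotAuthorizedException', 'Incorrect username or password.');
    return { idToken: 'constructed-token' };
  },
  signUp(u) { if (u in this.users) throw cognitoError('UsernameExistsException', 'constructed: user exists'); },
};
```

Because the proxy runs server-side, the client also observes a single round trip whether or not the user exists, which removes the second-request difference noted above.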