Describe the bug
Auth.signUp does not verify user email if phone_number is provided
Expected behavior
When a user signs up with email and phone number on AWS Amplify -> Cognito I expect the system to send verification to both the user's phone and email.
This would take one line of code in Cognito. Why do I need to send secondary verification and add another whole screen to my sign up flow?
Additional context
If I sign up with email and phone, please verify email and phone. Simple.
You can turn on the debug mode to provide more info for us by setting window.LOG_LEVEL = 'DEBUG'; in your app.
Hi @bionicles,
Amplify wraps around the Cognito JS SDK, and the signup functionality on the SDK currently does not support this feature directly. It's on their backlog. For the time being you could follow the Important section in this guide: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html and work with the Cognito SDK to make it work.
@yuntuowang , is there an update for this from Cognito ?
This is a major security problem and needs to be fixed ASAP, because hackers with IMSI catchers or social engineering to get SIM cards can easily verify accounts for emails they don't own. This delays our platform launch. This is really frustrating.
What is the reason to wait around for 30+ days on this, @nidsharm @yuntuowang?
Do you think I should email Jeff Bezos AGAIN about this issue, 42 days after my first email, and tell him you guys still haven't fixed it?
@nidsharm @yuntuowang
@bionicles,
As you know, we (AWS) have reviewed your GitHub issues (#1685, #1959, and #2102), replied multiple times, and spoke with you on the phone. Just to summarize:
We understand that you “expect the system to send verification to both the user's phone and email” during signup. However, as we state in our documentation, this is not yet a feature Cognito supports:
Important
If a user signs up with both a phone number and an email address, and your user pool settings require verification of both attributes, a verification code is sent via SMS to the phone. The email address is not verified, so your app needs to call GetUser to see if an email address is awaiting verification. If it is, the app should call GetUserAttributeVerificationCode to initiate the email verification flow and then submit the verification code by calling VerifyUserAttribute.
While most customers' use cases have been satisfied with the ability to verify either by phone number OR email address, we understand that your particular application has the requirement to verify both phone number AND email address. We've therefore provided you instructions on how your application can verify both the user's phone and email in the Cognito Developer Guide and GitHub issue #1959. As we’ve also shared, we’re happy to help you implement this in your app.
We understand that you’d prefer the service offer the feature above more easily, but this is not a security issue in the service as it’s working as documented. Your screenshot in issue #2102 does not demonstrate a security vulnerability. In your example, the user shows confirmed. A viewer might incorrectly assume that the jeff@ email address was used to confirm the user, however if you click on the username you can view the user details page where we clearly show that jeff@ email address itself is not verified. The user was confirmed via phone, matching the Cognito documentation. We do appreciate your feedback, and agree that we could probably make the UI clearer. We will move quickly on trying to make those tweaks. We will also explore your feature request of verifying users by both email and phone number for our longer-term roadmap, however, we understand if Cognito does not yet meet your immediate needs for this project.
Thank you for sharing your feedback,
(Posted on behalf of...)
Saroj Thatte
GM, Amazon Cognito
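The secondary verification flow the comment above describes (GetUser, then GetUserAttributeVerificationCode, then VerifyUserAttribute), as an added example that is not code from this thread or from the amplify-js project. It uses the Amplify `Auth` method names `currentAuthenticatedUser`, `userAttributes`, `verifyCurrentUserAttribute` and `verifyCurrentUserAttributeSubmit`; the `makeFakeAuth` stand-in, the username `alice` and the attribute values are constructed so the block runs offline.

```javascript
// Amplify returns user attributes as strings: 'true' / 'false', never booleans.
function needsEmailVerification(attributes) {
  if (!attributes.email) return false;          // no email on the account: nothing to verify
  return attributes.email_verified !== 'true';  // anything but the literal 'true' is unverified
}

// Gate on BOTH factors being verified, not on the user's status being CONFIRMED:
// a user confirmed via SMS can still carry an unverified email address.
function isFullyVerified(attributes) {
  const emailOk = !attributes.email || attributes.email_verified === 'true';
  const phoneOk = !attributes.phone_number || attributes.phone_number_verified === 'true';
  return emailOk && phoneOk;
}

// Drives the email verification after a phone-confirmed signup.
// `auth` is an object exposing the Amplify Auth methods used below;
// `requestCode` is an async callback that obtains the code the user received.
async function completeEmailVerification(auth, requestCode) {
  const user = await auth.currentAuthenticatedUser();
  const list = await auth.userAttributes(user);                // array of { Name, Value } (GetUser)
  const attrs = Object.fromEntries(list.map(a => [a.Name, a.Value]));
  if (!needsEmailVerification(attrs)) return 'already-verified';
  await auth.verifyCurrentUserAttribute('email');              // GetUserAttributeVerificationCode
  const code = await requestCode();
  await auth.verifyCurrentUserAttributeSubmit('email', code);  // VerifyUserAttribute
  return 'verified';
}

// Constructed in-memory stand-in for Amplify Auth (hypothetical; for offline demonstration only).
function makeFakeAuth(initialAttrs, codeToSend) {
  const store = { ...initialAttrs };
  let pendingCode = null;
  return {
    currentAuthenticatedUser: async () => ({ username: 'alice' }),
    userAttributes: async () => Object.entries(store).map(([Name, Value]) => ({ Name, Value })),
    verifyCurrentUserAttribute: async (name) => { if (name === 'email') pendingCode = codeToSend; },
    verifyCurrentUserAttributeSubmit: async (name, code) => {
      if (name !== 'email' || pendingCode === null || code !== pendingCode) {
        throw new Error('CodeMismatchException');             // mirrors Cognito's error name
      }
      store.email_verified = 'true';
      pendingCode = null;
    },
    snapshot: () => ({ ...store }),
  };
}
```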
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.