Aws-sdk-net: Cognito: UserNotConfirmedException not raised for non-confirmed user at login

Created on 14 Feb 2018  ·  13 Comments  ·  Source: aws/aws-sdk-net

A user can sign up but abandon the confirmation step. Upon returning and attempting to log in, Amazon.CognitoIdentityProvider.Model.UserNotConfirmedException is NOT thrown; instead, Amazon.CognitoIdentityProvider.Model.UserNotFoundException is thrown. There is no way for the user to get back to a confirmation UI. They would need to create a new account.

bug duplicate modulcredentials service-api

All 13 comments

What is this UI you are talking about? Could you provide a sample code that repros this?

There is no UI.

Here's the workflow:

The implied Cognito Workflow (mobile app) is:

  • User signs up for a new account that requires verification.
  • After clicking submit, show the user a new view with a verification code input field.
  • Cognito will send out the verification email / SMS with the code.
  • User checks their email/phone, gets the code, enters it, and everything is great.

Here's where the issue is (using the user's email as the sign in alias):

  • User signs up for a new account that requires verification.
  • After clicking submit, show the user a new view with a verification code input field.
  • User abandons the verification for any reason:
    • App crashes
    • Battery dies
    • User gets distracted and closes the app or for whatever reason they force quit the app
    • etc...

User comes back to the app and goes to sign in. The error that Cognito reports is UserNotFoundException. It does not say UserNotConfirmedException. The latter would allow the confirmation view to be presented again. With the former, we don't know the state of the user's account or whether it's truly not found.

The user knows they made an account, so now the user is confused.

This becomes even more interesting if a pre-signup trigger exists. So when an account is unverified, the email address is not uniquely constrained until it's verified. So I imagine the first response here would be:

well just have the user make a new account, it's a bad user experience, but it's the way to work around it. The abandoned account won't be an MAU, so it won't cost you anything.

While this is true and would work, if a pre-signup trigger is in place that checks email to be sure that only one email is used then the user won't be able to make a new account as the pre-signup trigger enforces that unique email constraint on sign up instead of on verification.

Anyway, it seems that ALL the possibilities become workable if Cognito just raised UserNotConfirmedException instead of UserNotFoundException. Then the developer decides what works for them and how to handle it.

So if you want to duplicate the issue:

  • Sign Up
  • DO NOT VERIFY
  • Try to resume the verification process

You can reference this here as well:

https://stackoverflow.com/questions/48779365/how-to-resume-confirm-user-signup-in-cognito-upon-login

using Amazon.Runtime;
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;


AuthFlowResponse response = null;

var provider = new AmazonCognitoIdentityProviderClient(
    credentials: new AnonymousAWSCredentials(),
    region: region
);

var userPool = new CognitoUserPool(
    poolID: poolId,
    clientID: clientId,
    provider: provider,
    clientSecret: clientSecret
);

var user = new CognitoUser(
    userID: username,
    clientID: clientId,
    pool: userPool,
    provider: provider,
    clientSecret: clientSecret,
    username: null
);

try
{
    response = await user.StartWithSrpAuthAsync(
        srpRequest: new InitiateSrpAuthRequest
        {
            Password = password
        });
}
catch(Amazon.CognitoIdentityProvider.Model.UserNotConfirmedException e)
{
    // never catches here
}
catch(Amazon.CognitoIdentityProvider.Model.UserNotFoundException e)
{
    // catches here
}

This looks like Cognito service is returning an incorrect error message. I'll try to repro and follow up with the service team.

Any news on reproducing this?

Hello, I'm having the exact same problem with my app.
I started to receive complaints from the users that they can't confirm their account if they get out of the app before confirming the account and when they later try to confirm it.

Any progress regarding this problem?

I'm facing the exact same problem in the Android app as well. Any news about this issue?

I have the same problem here. Looking forward to updates.

Same problem here :(

Facing the same problem. Any clue? Please help.

Any update on this?

Same problem is still occurring. Results in having to track confirmation status outside of Cognito and use the Post-Confirmation trigger to maintain the status. This is far from ideal, some guidance on this would be appreciated.
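
The workaround described in the comment above, combined with the pre-signup trigger mentioned earlier in the thread, sketched as an added example; it is not code from any commenter or from the AWS SDK. It assumes Python Lambda triggers, an in-memory dict standing in for a real table, and hypothetical names (`STATUS`, `route_after_user_not_found`, the `EMAIL_IN_USE` / `PENDING_CONFIRMATION` messages); the sample events are constructed.

```python
# Added example: confirmation status kept outside Cognito (all names hypothetical).
# STATUS stands in for a real table; events follow the Cognito Lambda trigger
# shape (triggerSource, userName, request.userAttributes).
STATUS = {}  # normalized email -> {"username": str, "state": "PENDING" | "CONFIRMED"}


def email_of(event):
    return event["request"]["userAttributes"]["email"].strip().lower()


def pre_sign_up(event, context=None):
    """Pre sign-up trigger: one account per email, but tell pending from confirmed."""
    email = email_of(event)
    record = STATUS.get(email)
    if record and record["state"] == "CONFIRMED":
        raise Exception("EMAIL_IN_USE")
    if record and record["username"] != event["userName"]:
        # Abandoned sign-up exists: reject the duplicate so the app resumes it.
        raise Exception("PENDING_CONFIRMATION")
    STATUS[email] = {"username": event["userName"], "state": "PENDING"}
    return event


def post_confirmation(event, context=None):
    """Post confirmation trigger: flip the record once Cognito confirms the user."""
    if event["triggerSource"] == "PostConfirmation_ConfirmSignUp":
        STATUS[email_of(event)] = {"username": event["userName"], "state": "CONFIRMED"}
    return event


def route_after_user_not_found(email):
    """Backend lookup used when sign-in fails with UserNotFoundException.

    Returns ("confirm", username) for an abandoned sign-up, else ("not_found", None).
    The answer reveals that a sign-up exists for the email, so throttle it like sign-in.
    """
    record = STATUS.get(email.strip().lower())
    if record and record["state"] == "PENDING":
        return ("confirm", record["username"])
    return ("not_found", None)


def sample_event(source, username, email):
    """Build a constructed trigger event with only the fields used above."""
    return {"triggerSource": source, "userName": username,
            "request": {"userAttributes": {"email": email}}, "response": {}}
```

With the username returned by the lookup, the app can show the confirmation view again instead of treating the account as missing.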

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
