Email alias verification bugs

[tranan89]

Hi,

We are generating usernames and using phone and email as alias and have found 1-2 issues with the email alias.

1. If we call confirmRegistration with forceAliasCreation as false. We don't get the AliasExistsException even though we use an email that is already verified on another user. It does however work with phone.
2. If we try to login with an email alias that isn't verified we get an error back that the user doesn't exist. It would be good if we get an error indicating that the email isn't verified instead (or something like that) so that we can handle it properly. We want to tell the user that they need to verify their email.

Thanks in advance Peter

[clintfoster]

I have run into both of these issues too. I posted the following to the Cognito forum regarding the first case:

https://forums.aws.amazon.com/thread.jspa?messageID=740154&#740154

This is particularly problematic if you're using generated usernames since you end up with two accounts if the user confirms the second registration. The first account is no longer accessible by email address since the email address becomes unverified in that account. So it's stranded unless the user signs in with the generated username.

I didn't try the suggested solution of implementing a pre-signUp lambda since I'm hoping the Cognito team will provide a way for signUp() to fail in this case. For this to be useful it would need to provide an indication of why it failed.

Regarding the second case, even if the error message is updated to be more specific, another problem with the JS SDK in general is that it doesn't provide programmatic codes to distinguish between different error cases. So you have to look for strings in the error messages if you want to take programmatic action.

[kushwahavinay]

@tranan89

1. There should not be any difference in behavior in email and phone if both are marked as alias at pool level.
2. Typically as part of account confirmation one of the attributes (email or phone) also gets verified and alias gets created. So if user does not confirm his account he will not be able to login anyway irrespective of alias.

@clintfoster Current design supports alias creation only for verified phone number or email. Another option is to not use alias feature and directly use email in user name. This will prevent another user to sign up with the same email. But then you will not be able to leverage the features provided by alias, For eg:

• Alias is set only for verified attributes.
• Owner of email/phone can claim alias instead of reusing an old account. Alias is more useful when you want multiple usernames to be allowed for a given user.

[clintfoster]

Thanks for the response. I know these corner cases seem subtle, but they're important. The case where a user may already have an account with a particular email or phone alias when attempting to register is likely to be quite common. The most logical behavior would be for signUp() to fail with an appropriate indication of the problem (not just an error message, but a code that the app can check in the callback). Then the user can be prompted to choose whether they want to create a new account or reset the password for the old account (or cancel if they want to try signing into the existing account). This provides the most flexibility, and allows the app to handle use cases that are likely to be quite common without resorting to Lambda hooks or compromising the design by requiring the email address or phone number to literally be the username.

[tranan89]

Hi kushwahavinay,

I'm glad for the response, but it doesn't feel like you have actually tried it out yourself. Maybe I was unclear?

1. Well, that is apparently not true. I can confirm a new user with the same email as an existing (confirmed) user, as long as the phone is different.
2. Please try this
   • Create an account with email and phone aliases
   • Confirm the account with the phone alias
   • Try to login with the email alias
   • Response: The user doesn't exist
   • Wanted Response: The email alias is not verified

[kushwahavinay]

@clintfoster Thanks for your input. That's something we can consider in future releases. Original intention of this design was to ensure that only owner of email or phone can know if the account with the alias exists. If you just want to check user alias existence during signup, one workaround for this is during sign up call initiateAuth to check if alias already exists. You will get exception if user does not exist, else this call will succeed.

@tranan89

1. When both phone and email are set to auto verified. Phone is prioritized over email to send the code and verify the account. Once email is verified as well, there should not be any difference in behavior.
2. With current design there is no such state called "alias verified". Once phone number or email are verified they can be used as an alias for username. Unless they are verified (and became alias) they are treated same as wrong username. Email can be present in multiple accounts in unverified state but only one account can have it in verified state and that account will claim the email alias. This is why it is not possible to throw "email alias not verified".