Closed rgripper closed 1 month ago
You can set "Enable prevent user existence errors" to true on your user pool client and then it will always look like an email was sent. Is that what you're after?
The property is set actually. As I already mentioned, this is not the "user does not exist" error, it's the "invalid username or password" one, which is what you are supposed to get when preventUserExistenceErrors is true, right?
Mmm, not following. In magic link scenarios you should never get "invalid username or password" when requesting a magic link. Only when verifying a magic link.
So user enumeration is prevented. Depending on your setting of "enable prevent user existence errors".
Circling back: "invalid username or password" will be shown if a custom auth flow fails. So, even if magic link verification fails, that will be shown as "invalid username or password" (that's how Cognito does it).
If a non-existent user requests a magic link (and you have enabled prevent user existence errors) then it will look to the user as though the email was sent, but it actually isn't --> thus preventing user enumeration
If a non-existent user tries to verify a magic link (and you have enabled prevent user existence errors) then it will show "invalid username or password", the same as if it were an existing user with an invalid magic link --> thus preventing user enumeration
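A simplified model of the two cases described in the comment above, added here as an illustration and not code from the project or from either commenter. The three trigger handlers and the `CognitoStub` class are hypothetical stand-ins; only the event field names (`userNotFound`, `session`, `challengeAnswer`, `answerCorrect`, `issueTokens`, `failAuthentication`) follow the shape of Cognito's custom-auth trigger events. The user list and the e-mail "outbox" are constructed so the flow runs offline.

```python
import secrets

# Generic failure Cognito returns when a custom auth flow fails (NotAuthorizedException);
# the thread above paraphrases it as "invalid username or password".
GENERIC_FAILURE = "Incorrect username or password."
USER_NOT_FOUND = "User does not exist."  # only surfaced when the setting is disabled


class NotAuthorizedException(Exception):
    pass


class UserNotFoundException(Exception):
    pass


# --- hypothetical trigger handlers, shaped like Cognito's custom-auth trigger events ---

def define_auth_challenge(event):
    """Pick the next step from the session history. 'userNotFound' (set by Cognito only
    when 'prevent user existence errors' is enabled) is deliberately ignored here, so an
    unknown user walks the same path as a known one."""
    session = event["request"].get("session", [])
    resp = event["response"]
    if not session:
        resp.update(challengeName="CUSTOM_CHALLENGE", issueTokens=False, failAuthentication=False)
    elif session[-1]["challengeResult"]:
        resp.update(issueTokens=True, failAuthentication=False)
    else:
        resp.update(issueTokens=False, failAuthentication=True)
    return event


def create_auth_challenge(event, outbox):
    """Mint a magic-link secret. For an unknown user nothing is delivered, but the
    response handed back to the client is built exactly the same way."""
    secret = secrets.token_urlsafe(16)
    if not event["request"].get("userNotFound"):
        outbox.append((event["userName"], secret))  # stands in for sending the e-mail
    event["response"].update(
        publicChallengeParameters={"email": event["userName"]},
        privateChallengeParameters={"secret": secret},
        challengeMetadata="MAGIC_LINK",
    )
    return event


def verify_auth_challenge(event):
    """An unknown user can never answer correctly; a known user must present the secret."""
    req = event["request"]
    expected = req["privateChallengeParameters"]["secret"]
    given = req.get("challengeAnswer", "")
    event["response"]["answerCorrect"] = (
        not req.get("userNotFound") and secrets.compare_digest(expected, given)
    )
    return event


# --- stand-in for the Cognito service (constructed, offline) ---

class CognitoStub:
    def __init__(self, users, prevent_user_existence_errors=True):
        self.users = set(users)
        self.prevent = prevent_user_existence_errors
        self.sessions = {}  # Session token -> (username, privateChallengeParameters)
        self.outbox = []    # (recipient, secret) pairs that were "e-mailed"

    def _event(self, username, session):
        not_found = username not in self.users
        if not_found and not self.prevent:
            raise UserNotFoundException(USER_NOT_FOUND)  # enumerable when disabled
        return {"userName": username,
                "request": {"session": session, "userNotFound": not_found},
                "response": {}}

    def initiate_auth(self, username):
        """InitiateAuth with AuthFlow=CUSTOM_AUTH, reduced to the pieces that matter."""
        define_auth_challenge(self._event(username, []))
        ev = create_auth_challenge(self._event(username, []), self.outbox)
        sid = secrets.token_hex(8)
        self.sessions[sid] = (username, ev["response"]["privateChallengeParameters"])
        return {"ChallengeName": "CUSTOM_CHALLENGE", "Session": sid,
                "ChallengeParameters": ev["response"]["publicChallengeParameters"]}

    def respond_to_auth_challenge(self, sid, answer):
        username, private = self.sessions.pop(sid)
        ev = self._event(username, [])
        ev["request"].update(privateChallengeParameters=private, challengeAnswer=answer)
        verify_auth_challenge(ev)
        history = [{"challengeName": "CUSTOM_CHALLENGE",
                    "challengeResult": ev["response"]["answerCorrect"]}]
        ev = define_auth_challenge(self._event(username, history))
        if ev["response"]["failAuthentication"]:
            raise NotAuthorizedException(GENERIC_FAILURE)
        return {"AuthenticationResult": {"IdToken": f"<id token for {username}>"}}


def request_link(pool, username):
    """What a client (or attacker) sees when asking for a link; the Session value is
    random, so it is stripped before responses for different users are compared."""
    try:
        resp = pool.initiate_auth(username)
    except UserNotFoundException as e:
        return {"error": str(e)}
    return {k: v for k, v in resp.items() if k != "Session"}


def verify_link(pool, username, secret):
    """Request a link and answer it with 'secret'; returns 'authenticated' or the error text."""
    try:
        resp = pool.initiate_auth(username)
        pool.respond_to_auth_challenge(resp["Session"], secret)
        return "authenticated"
    except (NotAuthorizedException, UserNotFoundException) as e:
        return str(e)


if __name__ == "__main__":
    pool = CognitoStub({"alice@example.com"})
    print(request_link(pool, "alice@example.com"))
    print(request_link(pool, "nobody@example.com"))      # same shape, nothing e-mailed
    print(pool.outbox)                                    # only alice's secret
    print(verify_link(pool, "nobody@example.com", "x"))   # generic failure
    print(verify_link(pool, "alice@example.com", "x"))    # same generic failure
```

With the setting enabled, the request-time response for an unknown address has the same shape as for a known one and nothing lands in the outbox, and a bad answer yields the same generic failure for both; with it disabled, the stand-in raises the enumerable "User does not exist." at request time instead.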
While replacing "user-not-found" with "invalid username or password" works well in password-based setups, this does not help in the magic link case. In my case a [malicious] person will know an email does not exist in Cognito when they get the "invalid username or password" error, because there is never a password in a magic link setup. Is there an easy way to suppress "invalid username or password" when requesting a magic link?