(Cognito User Pool): signInCaseSensitive default value contradicts service recommendation

mmatouk commented 1 year ago

Describe the feature

Amazon Cognito user pools created from console, APIs or CLI are case insensitive by default (signInCaseSensitive is false by default), this is more secure and the recommended default by the service.

CDK sets this flag to true by default which contradicts service default recommendation.

Use Case

Creating new user pool should create a case insensitive user pool by default.

Proposed Solution

Change signInCaseSensitive default value to false.

Other Information

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-case-sensitivity.html

Acknowledgements

[ ] I may be able to implement this feature request
[ ] This feature might incur a breaking change

CDK version used

2.58.1

Environment details (OS name and version, etc.)

all environments

pahud commented 1 year ago

Agree. I think you are right.

https://github.com/aws/aws-cdk/blob/64eb2bdb7126799e21bad03d668d91c7a501feb4/packages/%40aws-cdk/aws-cognito/lib/user-pool.ts#L668-L673

Are you interested to submit a PR for that?

givsly-stephen commented 1 year ago

Agreed.

The problem is changing it later is a PROBLEM.

Using the CDK on an existing userPool - I tried signInCaseSensitive: false but the pipeline fails with

Resource handler returned message: "Invalid request provided: Updates are not allowed for property - UsernameConfiguration." (RequestToken: a2b93ff0-168e-17bf-dc29-e7f56ce1a44c, HandlerErrorCode: InvalidRequest)

Any ideas?

aws / aws-cdk