aws / aws-sdk-js

AWS SDK for JavaScript in the browser and Node.js
https://aws.amazon.com/developer/language/javascript/
Apache License 2.0
7.57k stars 1.55k forks

Cognito: UserNotConfirmedException before NotAuthorized #4608

Closed cbaser closed 1 week ago

cbaser commented 3 months ago

Describe the bug

Hello,

My example scenario is the following:

If I register a new user with email: test@test.com, password: Test@123 and do not verify the email, then if I log in with the same email but a different password such as Example@123, it gives a UserNotConfirmedException error, which is for "User is not confirmed".

Instead of that I need: wrong email / password combination - NotAuthorizedException, as the password entered is incorrect.

Do you have any suggestions to fix this?

Thank you!

Expected Behavior

Cognito throws NotAuthorizedException

Current Behavior

Cognito throws UserNotConfirmedException

Reproduction Steps

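    const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2
    const cognito = new AWS.CognitoIdentityServiceProvider();

    async function login(username, password) {
        try {
            const params = {
                AuthFlow: 'USER_PASSWORD_AUTH',
                ClientId: 'client_id',
                AuthParameters: {
                    'USERNAME': username,
                    'PASSWORD': password
                }
            };
            const data = await cognito.initiateAuth(params).promise();

            // other code

        } catch (err) {
            // Unconfirmed user with a wrong password: logs UserNotConfirmedException
            console.log(err);
        }
    }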

Possible Solution

No response

Additional Information/Context

No response

SDK version used

2.1568.0

Environment details (OS name and version, etc.)

Node.js in Lambda

aBurmeseDev commented 3 months ago

Hi @cbaser - thanks for reaching out.

According to the service API docs, NotAuthorizedException gets thrown when a user isn't authorized and UserNotConfirmedException when a user isn't confirmed successfully. Since those are coming from the service API rather than the SDK, I'm going to have to reach out to the service team to get some guidance on your use case. I'll post an update once I hear back. (ref: P124067600)

cbaser commented 1 month ago

@aBurmeseDev do you have any updates on this? We are still getting UserNotConfirmedException before NotAuthorizedException

aBurmeseDev commented 3 weeks ago

Hi @cbaser - apologies for the delay. Here's the response from the service team:

This is intended behavior when the user is not confirmed.

It is possible to enable "Prevent User Existence Errors" to receive a generic "Incorrect username or password." response, though, by following this post: https://repost.aws/knowledge-center/cognito-prevent-user-existence-errors

Does that help? Let me know if you have any further questions for the service team.
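
The "Prevent User Existence Errors" option mentioned in the reply above is set per app client. The following is an added example, not part of the thread or the SDK's own code: it audits a user pool for app clients where the option is not enabled and turns it on for one client without dropping that client's other settings. It assumes the option maps to the `PreventUserExistenceErrors` field of the SDK v2 app-client API; the function names are hypothetical, and `cognito` is a client passed in by the caller.

```javascript
// Added example. `cognito` is any object exposing the AWS SDK for JavaScript v2
// CognitoIdentityServiceProvider methods used below, e.g.
//   const AWS = require('aws-sdk');
//   const cognito = new AWS.CognitoIdentityServiceProvider();

// Fields DescribeUserPoolClient returns that UpdateUserPoolClient does not accept.
const READ_ONLY_FIELDS = ['ClientSecret', 'CreationDate', 'LastModifiedDate'];

// Return the ClientIds in a pool whose PreventUserExistenceErrors is not ENABLED.
async function findClientsLeakingUserExistence(cognito, userPoolId) {
  const findings = [];
  let NextToken;
  do {
    const page = await cognito
      .listUserPoolClients({ UserPoolId: userPoolId, MaxResults: 60, NextToken })
      .promise();
    for (const { ClientId } of page.UserPoolClients) {
      const { UserPoolClient } = await cognito
        .describeUserPoolClient({ UserPoolId: userPoolId, ClientId })
        .promise();
      if (UserPoolClient.PreventUserExistenceErrors !== 'ENABLED') {
        findings.push(ClientId);
      }
    }
    NextToken = page.NextToken;
  } while (NextToken);
  return findings;
}

// Enable the option on one app client. UpdateUserPoolClient resets attributes
// that are omitted to their defaults, so the current settings are read first
// and sent back unchanged alongside the new value.
async function enablePreventUserExistenceErrors(cognito, userPoolId, clientId) {
  const { UserPoolClient } = await cognito
    .describeUserPoolClient({ UserPoolId: userPoolId, ClientId: clientId })
    .promise();
  const params = { ...UserPoolClient, PreventUserExistenceErrors: 'ENABLED' };
  for (const field of READ_ONLY_FIELDS) delete params[field];
  await cognito.updateUserPoolClient(params).promise();
  return params; // what was sent, for logging or review
}
```
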

github-actions[bot] commented 2 weeks ago

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.