Open bryan-robitaille opened 1 year ago
For future reference here is a branch I did some initial work on: fix/sanitize-cognito-errors
So far this is more of a proof of concept. The approach I took was to use a function that holds logic to sanitize Cognito errors by replacing any sensitive error with a generic error. I also added some error enums and a response interface to help make consistency easier.
Any call to Cognito should only return sanitized errors to the Browser.
Acceptable error messages back to the browser from @lib/auth/cognito/initiateSignIn can include:
- NotAuthorized
- PasswordResetRequired
- InternalServiceError

Acceptable error messages back to the browser from @pages/api/account/confirmpassword can include:
- CodeInvalid
- CodeExpired
- PasswordValidationFailed
- InternalServiceError

Acceptable error messages back to the browser from @pages/api/account/forgotpassword can include:
- InternalServiceError

UserNotFound should not be transmitted back to the browser. We should perhaps update content to mention that 'If you have an account a reset email has been sent'.

Acceptable error messages back to the browser from @pages/api/account/register can include:
- InternalServiceError

UserNameExists should not be transmitted to the client. An email should be generated and sent to the user informing them that someone has tried to register using their email address and if this was them they can reset their password at the following link.
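One way to implement the per-endpoint sanitizer described in this issue, as an added example (not the code on the fix/sanitize-cognito-errors branch): the Cognito exception names (NotAuthorizedException, CodeMismatchException, ...) are assumed from the AWS SDK, the allowlists follow the lists above, and the two enumeration cases (UserNotFound on forgotpassword, UsernameExists on register) are masked as success so the browser cannot tell them apart from the normal path.

```typescript
// Added example, not the project's own code. Cognito exception names are
// assumed from the AWS SDK; allowlists follow the lists in this issue.
export enum SanitizedError {
  NotAuthorized = "NotAuthorized",
  PasswordResetRequired = "PasswordResetRequired",
  CodeInvalid = "CodeInvalid",
  CodeExpired = "CodeExpired",
  PasswordValidationFailed = "PasswordValidationFailed",
  InternalServiceError = "InternalServiceError",
}

export type Endpoint = "initiateSignIn" | "confirmpassword" | "forgotpassword" | "register";

// Shape every Cognito-backed handler returns to the browser.
export type SanitizedResponse = { ok: true } | { ok: false; error: SanitizedError };

// Cognito exception name -> name the browser is allowed to see.
const toSanitized: Record<string, SanitizedError> = {
  NotAuthorizedException: SanitizedError.NotAuthorized,
  PasswordResetRequiredException: SanitizedError.PasswordResetRequired,
  CodeMismatchException: SanitizedError.CodeInvalid,
  ExpiredCodeException: SanitizedError.CodeExpired,
  InvalidPasswordException: SanitizedError.PasswordValidationFailed,
};

// Per-endpoint allowlist; anything not listed collapses to InternalServiceError.
const allowed: Record<Endpoint, ReadonlySet<SanitizedError>> = {
  initiateSignIn: new Set([SanitizedError.NotAuthorized, SanitizedError.PasswordResetRequired]),
  confirmpassword: new Set([SanitizedError.CodeInvalid, SanitizedError.CodeExpired, SanitizedError.PasswordValidationFailed]),
  forgotpassword: new Set<SanitizedError>(),
  register: new Set<SanitizedError>(),
};

// Enumeration cases that must look like success to the browser; the handler
// still logs them and (for register) sends the notification email server-side.
const maskedAsSuccess: Record<Endpoint, ReadonlySet<string>> = {
  initiateSignIn: new Set<string>(),
  confirmpassword: new Set<string>(),
  forgotpassword: new Set(["UserNotFoundException"]),
  register: new Set(["UsernameExistsException"]),
};

export function sanitizeCognitoError(endpoint: Endpoint, err: unknown): SanitizedResponse {
  const name = err instanceof Error ? err.name : ""; // SDK v3 puts the exception name in err.name
  if (maskedAsSuccess[endpoint].has(name)) return { ok: true };
  const mapped = toSanitized[name];
  if (mapped !== undefined && allowed[endpoint].has(mapped)) return { ok: false, error: mapped };
  return { ok: false, error: SanitizedError.InternalServiceError };
}

// Constructed sample error standing in for what the Cognito client would throw.
export function cognitoError(name: string): Error {
  const e = new Error(`${name}: raw Cognito message that must never reach the browser`);
  e.name = name;
  return e;
}
```

The raw Cognito message is dropped entirely; only the enum value crosses to the client, and the handler logs the original error server-side.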