daita-technologies / interface

React-based user interface for the DAITA platform.
http://app.daita.tech
GNU Affero General Public License v3.0
1 star, 0 forks

Automatic login after successful registration #15

Open pcaversaccio opened 2 years ago

pcaversaccio commented 2 years ago

Based on the user feedback we should evaluate whether to enable automatic login after successful email verification.

ttattl commented 2 years ago

@dachanh did you check the support from AWS? I do not think AWS supports that due to the lack of security. From my side, I want to ignore it. Really dangerous in terms of security @pcaversaccio.

pcaversaccio commented 2 years ago

I don't understand the security risk @ttattl? Once the user enters the confirmation code in the frontend, the user expects that he/she is logged in. Or in other words, why is this re-sign-in flow after entering the confirmation code more secure?

ttattl commented 2 years ago

The code is used for activating the user in Cognito only. So there is a problem if the client wants to log in automatically: we need a token (generated from ID and password) to log in. AWS does not allow us to generate the login token just from knowing the confirmation code. Actually, whenever a client wants to log in, we need the account ID and password. Therefore, the front-end would have to store the password on the client side, and this is a high security risk.

pcaversaccio commented 2 years ago

Ok, I do understand @ttattl - in theory, we could build the logic ourselves by having a flag in the user profile and letting him/her log in automatically by disabling the verification logic from Cognito. But neither the complexity nor the security considerations of maybe bypassing this should be underestimated. So let's stick for the moment to the current flow, but I'll leave this issue open for later consideration.

ttattl commented 2 years ago

Not considered in this quarter. Keep it.

pcaversaccio commented 2 years ago

Recheck in the next phase May 2022.