Ok - so... turns out the issue was NOT duplicate emails. The issue was whitespace.
Users managed to get accounts with both "test@test.com" and "test@test.com " and sometimes " test@test.com" - the email attribute is not automatically trimmed, and spaces before or after an email address are not considered invalid or anything else. Also, as far as Cognito is concerned, these are treated as different email addresses.
In the UI, the email appears the same - because you can't see the rogue spaces.
The solution is to clean up these accounts and make sure these attributes are trimmed before the signup call.
I think it might be considered a Cognito bug, since even though you can trim the email using the Java SDK, an attacker can sign up a new account using the same technique by calling the Cognito API directly, without using the UI.
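The cleanup and the server-side check discussed above, as an added example that is not part of the original posts or AWS's own code. It assumes user records shaped like the Cognito `ListUsers` response and a pre sign-up Lambda trigger; the function names and the sample users are constructed for illustration.

```python
from collections import defaultdict


def email_of(user):
    """Return the raw email attribute of a ListUsers-shaped record, or None."""
    for attr in user.get("Attributes", []):
        if attr["Name"] == "email":
            return attr["Value"]
    return None


def find_whitespace_variants(users):
    """Group accounts by trimmed email; keep the groups that need cleanup."""
    groups = defaultdict(list)
    for user in users:
        raw = email_of(user)
        if raw is not None:
            groups[raw.strip()].append((user["Username"], raw))
    # Flag a group when several accounts share one trimmed email,
    # or when a stored value differs from its trimmed form.
    return {
        email: members
        for email, members in groups.items()
        if len(members) > 1 or any(raw != email for _, raw in members)
    }


def pre_signup_handler(event, context):
    """Pre sign-up trigger (assumed wiring): refuse untrimmed emails.

    Runs inside the user pool, so it also covers sign-ups sent
    straight to the Cognito API without going through the UI.
    """
    email = event["request"]["userAttributes"].get("email", "")
    if email != email.strip():
        raise ValueError("email must not have leading or trailing whitespace")
    return event


# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    {"Username": "u1", "Attributes": [{"Name": "email", "Value": "test@test.com"}]},
    {"Username": "u2", "Attributes": [{"Name": "email", "Value": "test@test.com "}]},
    {"Username": "u3", "Attributes": [{"Name": "email", "Value": " test@test.com"}]},
    {"Username": "u4", "Attributes": [{"Name": "email", "Value": "other@test.com"}]},
]

if __name__ == "__main__":
    for email, members in find_whitespace_variants(SAMPLE_USERS).items():
        print(email, [(name, repr(raw)) for name, raw in members])
```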