Cognito allows duplicate email alias


Given a user pool with options to sign in using email or phone number, I created a user with the attributes email and phone_number using Amplify's Auth.signUp method (see below).

import { Auth } from "aws-amplify";

// username is the phone number; email is passed only as an attribute
await Auth.signUp({
    username: "<phone number>",
    password,
    attributes: {
        email: "a valid email id",
        phone_number: "<phone number>",
        name
    }
});

This code created the user and sent the OTP to the phone number. After confirming the OTP, Cognito had the user and marked the phone number as verified but the email as not verified. After this, I was able to change the user's email attribute using the AWS SDK AdminUpdateUserAttributesCommand to an existing user's email alias. This should have raised an AliasExistsException. But it sent OTP verification to the email ID I provided (which belongs to an already existing user). Cognito also allowed me to confirm the OTP using Amplify's verifyUserAttributeSubmit method. As a result, the Cognito user pool ended up having two distinct users with the same email address. This user pool has the option to sign in with email, which means email has to be unique.

The recent feature to support verifying email/phone number attributes seems buggy? I also had another issue while working with Cognito.


2 Answers
Accepted Answer

Resolved it following the https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html article. My requirement was that users should be able to sign in with email or phone number. Once they create an account, they should be able to sign in with either of these options to the same account, and also change the email/phone in future for the same account.

  • Created the user pool with Multiple (Alias) sign-in options.

  • From the UI side, during signUp, ensured to pass forceAliasCreation: true in the Amplify call.

const res = await Auth.confirmSignUp(username, code, {
    forceAliasCreation: true
});

With the above configuration, I was able to log in using email/phone. In addition, if another user attempted to use the same email, Cognito ensured to mark only one of the user accounts' email status as Verified. So only one verified email can sign in at any time.

answered a year ago
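To audit a pool for the situation the question describes, here is an added example that is not from the original post or from AWS. The function groups user records in the shape returned by Cognito's ListUsers API (Users[].Attributes[] of { Name, Value }) by email and reports any address attached to more than one user, together with how many of those copies are marked verified. The input is a constructed sample; in practice you would page through ListUsers (AWS SDK v3 ListUsersCommand with PaginationToken) and pass the accumulated Users array.

```javascript
// Constructed sample in the shape of a Cognito ListUsers response: two distinct
// users (different sub and phone_number) carry the same email; only one copy
// is marked verified. A third user with a unique email is the control case.
const SAMPLE_USERS = [
  { Username: "+15550000001", Attributes: [
      { Name: "sub", Value: "00000000-0000-4000-8000-000000000001" },
      { Name: "email", Value: "shared@example.com" },
      { Name: "email_verified", Value: "true" },
      { Name: "phone_number", Value: "+15550000001" } ] },
  { Username: "+15550000002", Attributes: [
      { Name: "sub", Value: "00000000-0000-4000-8000-000000000002" },
      { Name: "email", Value: "Shared@Example.com" },
      { Name: "email_verified", Value: "false" },
      { Name: "phone_number", Value: "+15550000002" } ] },
  { Username: "+15550000003", Attributes: [
      { Name: "sub", Value: "00000000-0000-4000-8000-000000000003" },
      { Name: "email", Value: "unique@example.com" },
      { Name: "email_verified", Value: "true" } ] },
];

// Flatten Cognito's [{ Name, Value }] attribute list into a plain object.
function attrMap(user) {
  return Object.fromEntries((user.Attributes || []).map(a => [a.Name, a.Value]));
}

// Group users by email and return only addresses attached to more than one
// user, with how many of those copies are verified. Email is lower-cased so
// that differently-cased copies of one address are grouped together
// (assumption: the pool does not treat them as distinct identities).
function findDuplicateEmails(users) {
  const byEmail = new Map();
  for (const u of users) {
    const a = attrMap(u);
    if (!a.email) continue;            // phone-only users have no email alias
    const key = a.email.trim().toLowerCase();
    if (!byEmail.has(key)) byEmail.set(key, []);
    byEmail.get(key).push({ username: u.Username, sub: a.sub,
                            verified: a.email_verified === "true" });
  }
  const dups = {};
  for (const [email, owners] of byEmail) {
    if (owners.length > 1) {
      dups[email] = { owners, verifiedCount: owners.filter(o => o.verified).length };
    }
  }
  return dups;
}

console.log(JSON.stringify(findDuplicateEmails(SAMPLE_USERS), null, 2));
```

An entry whose verifiedCount is greater than one is the state the question reports (two users both able to sign in with the same verified email) and is worth alerting on; a count of one matches the behaviour the accepted answer describes.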

The behaviour you're experiencing is expected behaviour. In this case, you may have configured "username" to be submitted as a contact number or email ID. If you check the sub value of both users, it's different. Let's see the scenario below:

A user signs up with a "contact number" as the username and then submits email & password. For two different contact numbers as usernames, even if you use the same email ID, the user would be created without any exception, as you have configured that "Users can use an email address or phone number as their "username" to sign up and sign in", and in this case for both signups the username (contact number) is different.

The same logic applies if you select the "Username - Users can use a username and optionally multiple alternatives to sign up and sign in" option. A user who has a unique username can sign up two times with the same email ID, and it would be considered a separate user entity.

Here, if you want that no user should be able to use an email ID again to sign up as a new user, you may select the option "Email address or phone number - Users can use an email address or phone number as their "username" to sign up and sign in" and then "Allow email addresses".

With respect to the new console, you may select the option "Send email message, verify email address" for "Attribute verification and user account confirmation".

Have a read of the AWS document below to understand the process in depth: Signing up and confirming user accounts

Varun, AWS SUPPORT ENGINEER
answered a year ago
  • I could not understand the above suggestion, but another article helped me address my query.
