Cognito allows creating two profiles with the same email if both requests are made in a very small timeframe.

1

Hello! Didn't find any place to file a bug report so I'm just posting it here (if anyone knows a more appropriate place, please do let me know).

After introducing a bug in my app that accidentally sent two requests for creating an account, I discovered that you can create two accounts with the same e-mail (only one confirmation e-mail is sent and one account is verified later on). This is not a whitespace issue like someone else described here about a year ago. Only seems to happen if two requests are sent in a very small timeframe and the second request gets an "Amazon.CognitoIdentityProvider.Model.InvalidParameterException: Alias entry already exists for a different username" error, but a user is still created. The same request sent later gets an "Amazon.CognitoIdentityProvider.Model.UsernameExistsException: An account with the given email already exists." as expected. So this doesn't seem to be a configuration issue on the Cognito side?


Pihel S
asked a year ago · 649 views
1 Answer
0

It seems that you have discovered a bug in your application that is causing multiple user accounts to be created with the same email address in Amazon Cognito. This issue could be due to a race condition in your code that sends multiple sign-up requests in a very short time frame. The error message you are receiving suggests that Amazon Cognito is correctly detecting duplicate accounts, but the user accounts are still being created.

I would suggest reaching out to Amazon Web Services (AWS) support for further assistance in resolving this issue. They should be able to help you determine if the problem is with your code or if it is a configuration issue with Amazon Cognito.

answered a year ago
  • Thank you for the reply.

    This is an issue on the AWS side, since returning an error on account creation, which makes it seem like an account could not be created, and still actually creating an account is not reasonable behaviour regardless of race conditions or configurations.

    Unfortunately, it seems like contacting support requires a paid account, and I have already resolved the issue on my side. I have also googled this issue, and it seems like the same bug was already reported a few years ago, so I guess it is not a priority for AWS to fix.
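
An audit for the state described in this thread, where two profiles end up holding the same email: the Python below is an added example, not part of the thread and not AWS code. It pages through ListUsers using boto3's response shape and reports every email attached to more than one profile. `FakeCognito`, the sample users and the pool id are constructed stand-ins so it runs offline.

```python
from collections import defaultdict


def find_duplicate_emails(client, user_pool_id):
    """Return {email: [(username, status), ...]} for emails held by 2+ profiles.

    `client` is anything exposing ListUsers in boto3's shape,
    e.g. boto3.client("cognito-idp").
    """
    by_email = defaultdict(list)
    kwargs = {"UserPoolId": user_pool_id, "Limit": 60}  # 60 = ListUsers page maximum
    while True:
        page = client.list_users(**kwargs)
        for user in page.get("Users", []):
            attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
            email = attrs.get("email")
            if email:
                # Compare case-insensitively so "A@x" and "a@x" land in one group.
                by_email[email.lower()].append((user["Username"], user.get("UserStatus")))
        token = page.get("PaginationToken")
        if not token:
            break
        kwargs["PaginationToken"] = token
    return {e: sorted(u) for e, u in by_email.items() if len(u) > 1}


class FakeCognito:
    """Constructed stand-in for the SDK client; serves users in small pages."""

    def __init__(self, users, page_size=2):
        self.users, self.page_size = users, page_size

    def list_users(self, UserPoolId, Limit=60, PaginationToken=None):
        start = int(PaginationToken or 0)
        end = start + self.page_size
        page = {"Users": self.users[start:end]}
        if end < len(self.users):
            page["PaginationToken"] = str(end)
        return page


def _user(username, email, status):
    return {"Username": username, "UserStatus": status,
            "Attributes": [{"Name": "email", "Value": email}]}


# Constructed sample: one confirmed profile plus the unverified twin left by the race.
SAMPLE_USERS = [_user("u-1", "dup@example.com", "CONFIRMED"),
                _user("u-2", "other@example.com", "CONFIRMED"),
                _user("u-3", "dup@example.com", "UNCONFIRMED")]

if __name__ == "__main__":
    print(find_duplicate_emails(FakeCognito(SAMPLE_USERS), "pool-id-placeholder"))
```

Against a real pool, pass `boto3.client("cognito-idp")` and the pool id instead of the stand-ins; the unverified twin shows up with status `UNCONFIRMED`.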
