I have a ReactJS app and am creating a user portal for that website, with user accounts managed by Cognito. I am using amazon-cognito-identity-js in my ReactJS layer to register users with a User Pool.
Specifically, I want to allow users the flexibility to log into their user accounts with phone number, email address, and preferred username as aliases. In order to use email address and phone number as aliases, both must be verified using OTPs.
In order to use the signUp API in amazon-cognito-identity-js, a username must be provided. In this case, this username cannot be the email address or the phone number, since both are to be used as aliases. This is per User Pool Attributes - Amazon Cognito, which states:
If you select email address as an alias, Amazon Cognito doesn't accept a user name that matches a valid email address format. Similarly, if you select phone number as an alias, Amazon Cognito doesn't accept a user name for that user pool that matches a valid phone number format.
Further, once the user's account is confirmed by verifying their phone number or email address, you can allow the user to set a preferred username. You cannot establish their preferred username as a username when registering:
Activate the preferred_username attribute so that your user can change the user name that they use to sign in while their username attribute value doesn't change. If you want to set up this user experience, submit the new username value as a preferred_username and choose preferred_username as an alias. Then users can sign in with the new value that they entered. If you select preferred_username as an alias, your user can provide the value only when they confirm an account. They can't provide the value during registration.
So, what I'd like to get some assurance on is what to provide Cognito for the username when calling the signUp API. When creating users using only their email addresses as a username, you provide the email address for the username parameter when calling the signUp API. The username is then set to the supplied email address. Something must be provided for the username parameter to Cognito's signUp API, and in this case it cannot be an email address or phone number. I've tested this and whatever I provide for the username parameter can be used for logging into the user account, even after setting the preferred_username. In essence, the account can then be accessed by TWO different usernames, plus the phone and email aliases.
Is having this "original username" in addition to the other three username values considered legit and safe? Should I generate a UUID myself in the JavaScript code for the username parameter, using a library such as UUID - npm? Or is there a different way, so that the user IDs are limited to only the phone number, email address, and preferred_username?