Add Recaptcha/Verification to User Sign Up - Cognito

0

I am implementing a passwordless phone OTP authentication flow in Amazon Cognito. According to a blog from AWS, a user is automatically signed up (added to user pool) when they input their phone number alone.

https://aws.amazon.com/blogs/mobile/implementing-passwordless-email-authentication-with-amazon-cognito/

The problem with this is that a single client can input multiple phone numbers (even when they do not own it) thus multiple sign ups, leading to an increase in Monthly Active Users (MAU) and subsequently higher costs in Amazon Cognito. How can I avoid this scenario or simply can anyone point me to the right way for implementing recaptcha/verification to sign ups. Resources online seems to only cater for sign ins.

Renz
asked 8 months ago1003 views
3 Answers
1

Add reCAPTCHA to your sign-up form. For this, you can use libraries like react-google-recaptcha if you're using React. This library provides an easy way to integrate Google's reCAPTCHA into your forms.

profile picture
Jagan
answered 8 months ago
  • The thing that's bothering me with this approach is that recaptcha would only be implemented on the frontend. I'm not some sort of cybersecurity expert but that doesn't sound good.

    The best solution I could think of is validate the token generated after completing the captcha the moment a user clicks sign up. I'm not sure though if this approach is possible with Cognito.

1

Hi guys,

Look at this example [1] in the Amplify documentation. It's an example of how we can add the Captcha Google (version 2) feature to our applications. Only take into account there is a couple of errors. Especifically you should use the "Custom Auth Challenge with Google reCaptcha" example. Finally in the following portion of code:

const handleSignIn = async () => { try { const response = await signIn({ username, password, options: { authFlowType: 'CUSTOM_WITH_SRP' } }); } catch (e) { console.log(e); } };

You should add the showCaptcha code as follows:

try {
  const response = await signIn({
    username,
    password,
    options: {
      authFlowType: 'CUSTOM_WITH_SRP'
    }
  });
  if (
    response.nextStep.signInStep === "CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE"
  ) {
    setShowCaptcha(true);
  }
} catch (e) {
  console.log(e)
  const response = await signOut();
}

This is one error, the second error is that the "CaptchaConfirmation" component present in the "return" code should be called to "CaptchaConfirmSignIn", since this is the name of the component in which we can see the "handleConfirmSignIn" method.

Well, and that's it, as you could see the example was in React, but also you can adapt the code to Javascript sure.

Hope this solution will be helpful !

Greetings.

[1] https://docs.amplify.aws/javascript/tools/cli/usage/lambda-triggers/#pageMain

answered 8 months ago
  • This is for sign ins though. I need to implement recaptcha to sign ups only since otp is already good enough for sign ins.

0

Hi again,

Ok that's right, but maybe you can adapt the example to your perticular context. With the signUp method it could be easy to adapt, for example using the signup confirmation method that calls the captcha, since the captcha were defined with lambda triggers. Also you can use the example code and implement it without using Amplify. The lambda trigger here that verifies the captcha is the Verify lambda trigger in which you should define the secret key of Google recaptcha. Well, I hope you could adapt the code to your particular context.

Have an awesome day ahead.

answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions