- 最新
- 最多得票
- 最多評論
Ok - so ...... turns out the issue was NOT duplicate emails. The issue was whitespace
Users managed to get accounts with both "test@test.com" and "test@test.com " and sometimes " test@test.com" - the email attribute is not automatically trimmed and spaces before or after an email address are not considered invalid or anything else. Also, as far as cognito is concerned, these are treated as different email addresses.
In the UI, the email appears the same - because you can't see the rouge spaces.
The solution is to clean up these accounts and make sure these attributes are trimmed before the signup call.
I think it might be considered as a Cognito bug. Since even though you can trim the email using Java SDK, an attacker can sign up a new account using the same technique using Cognito API directly without using UI.
相關內容
- 已提問 5 個月前
- AWS 官方已更新 2 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前