User Pool allows two users with same email despite configuration

4

19

Background

I'm using aws-amplify to interact with Cognito. So when a user registers with my app, I call Auth.signUp(). I'm passing only username (email) and password to this function.

My user pool is configured to allow sign in by email only:

User Pool Attributes configuration


The Bug?

In my front end code, I accidentally registered an event listener twice, so Auth.signUp() was being called twice (concurrently, or at least in rapid succession) with the same parameters.

This resulted in two users being created in my User Pool, with the same email. My understanding of my user pool configuration suggests that this shouldn't be possible.


Race Condition?

My first thought was that since I'm sending two requests so close together, this may be some sort of unavoidable race condition. If I introduce an artificial pause between the calls (a breakpoint, or a setTimeout, say), everything works as expected.

However, even with the requests very tightly spaced, the second request does return the error response I'd expect:

{ code: 'InvalidParameterException',
  name: 'InvalidParameterException',
  message: 'Alias entry already exists for a different username' 
}

Sadly, this response is misleading, because I do get a second (duplicate) user created in my pool with this request.


MCVE

This is easy to reproduce by exercising Auth.signUp twice concurrently, either in a node script or a browser. This repository contains examples of both.


The Question(s)

  • Is this a legitimate bug with Cognito?
  • Is a preSignUp Lambda trigger my only way to defend against this? If so, what would the broad strokes of that implementation look like?
Rorqual answered 6/6, 2018 at 22:58 Comment(5)
I think Cognito will let two users sign up with the same email, but only one will ever be able to verify/confirm the account. Otherwise someone could steal your email on the system... That might not be the problem you are seeing though, based on your race condition piece.Transversal
@PaulHoenecke thanks for chiming in. It seems like one second is the magic number... if my calls are more than about one second apart, I do not get two users created in my pool. If my calls are less than about one second apart, I do. I wouldn't consider this such buggy behavior if the second response (that creates the duplicate user) returned success. It's hard to reconcile the error response with a user being created, though. If a user is created, I need a success response so I can stuff metadata about the user into DynamoDB.Rorqual
Conversely, if I get an error response from signUp(), I'd like to be confident that no new user was created. The fact that I get a response that essentially says "Sorry, couldn't create that user", but a user is created anyway, just doesn't feel right. I feel lied to.Rorqual
This definitely seems like a bug (or two) to me. In this case I don't think a regular pre-signup trigger will help if it's just checking the cognito user pool for the existing email and could suffer from the same race condition. You could try inserting into a RDS table with a unique constraint but that defeats the purpose of having the check in cognito, but if your cognito signup fails for another reason you'd have to remove it somehow. Probably best to fix your code, raise an issue with AWS and move on :)Clammy
This is a very real bug, that I also just ran into.Magnetoelectricity
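The question asks what the broad strokes of a preSignUp trigger would look like, and Clammy's comment points out that a trigger which merely checks the pool for the email can lose the same race. The following is an added example, not code from the question, its comments, aws-amplify or AWS: the shape of such a trigger handler with its Cognito lookup injected as a parameter, plus an offline simulation against a constructed in-memory "pool". Run back to back, the trigger rejects the second sign-up; run concurrently, both invocations read an empty pool before either write lands. The pool id, the ListUsers filter mentioned in the comments and the latency model are assumptions for illustration.

```javascript
// Added example, not code from the question or from aws-amplify/Cognito:
// the broad shape of a Cognito PreSignUp Lambda trigger that rejects a
// sign-up when another user already carries the same email, plus an
// offline simulation showing that a read-then-write check in the trigger
// does not close the concurrent-request window.

// The lookup is injected so the handler runs offline. In a real deployment
// listUsersByEmail would call Cognito's ListUsers API for event.userPoolId
// (assumption: ListUsersCommand from @aws-sdk/client-cognito-identity-provider
// with Filter: 'email = "<address>"' and Limit: 1).
function makePreSignUpHandler(listUsersByEmail) {
  return async function preSignUp(event) {
    const attrs = (event.request && event.request.userAttributes) || {};
    if (!attrs.email) {
      throw new Error('PreSignUp: email attribute is required');
    }
    const matches = await listUsersByEmail(event.userPoolId, attrs.email.trim().toLowerCase());
    if (matches.length > 0) {
      // Throwing from a PreSignUp trigger makes Cognito reject the SignUp call;
      // the client sees the message wrapped in a UserLambdaValidationException.
      throw new Error('An account with this email already exists');
    }
    return event; // returning the event lets the sign-up proceed
  };
}

// Constructed in-memory stand-in for a user pool. delayMs models the latency
// between the trigger's read and Cognito's write of the new user.
function makeFakePool(delayMs) {
  const users = [];
  const wait = () => new Promise((resolve) => setTimeout(resolve, delayMs));
  return {
    users,
    async listUsersByEmail(_poolId, email) {
      await wait();
      return users.filter((u) => u.email === email);
    },
    // Models what Cognito does for one SignUp call: run the trigger, then store the user.
    async signUp(handler, email) {
      const event = {
        userPoolId: 'us-east-1_EXAMPLE', // placeholder pool id, not a real one
        triggerSource: 'PreSignUp_SignUp',
        request: { userAttributes: { email } },
      };
      await handler(event);
      await wait();
      users.push({ username: `user-${users.length + 1}`, email });
    },
  };
}

// Runs the given sign-up attempts and tallies how many were stored vs rejected.
async function runAttempts(attempts) {
  const results = await Promise.allSettled(attempts);
  return {
    created: results.filter((r) => r.status === 'fulfilled').length,
    rejected: results.filter((r) => r.status === 'rejected').length,
  };
}

// Two sign-ups one after the other: the second trigger invocation sees the first user.
async function sequentialSignUps(email = 'person@example.com') {
  const pool = makeFakePool(5);
  const handler = makePreSignUpHandler(pool.listUsersByEmail);
  const first = await runAttempts([pool.signUp(handler, email)]);
  const second = await runAttempts([pool.signUp(handler, email)]);
  return {
    created: first.created + second.created,
    rejected: first.rejected + second.rejected,
    users: pool.users.length,
  };
}

// Two sign-ups in flight at once (the doubly-registered listener case): both
// trigger invocations read an empty pool before either write lands, so both pass.
async function concurrentSignUps(email = 'person@example.com') {
  const pool = makeFakePool(5);
  const handler = makePreSignUpHandler(pool.listUsersByEmail);
  const outcome = await runAttempts([pool.signUp(handler, email), pool.signUp(handler, email)]);
  return { ...outcome, users: pool.users.length };
}

Promise.all([sequentialSignUps(), concurrentSignUps()]).then(([seq, conc]) => {
  console.log('sequential:', seq); // 1 created, 1 rejected, 1 user stored
  console.log('concurrent:', conc); // 2 created, 0 rejected, 2 users stored
});
```

The trigger's check and Cognito's write are two separate steps, so the simulation's second tally is exactly the outcome the question reports. Closing the window needs something atomic on one side or the other: serialising the request in the client (Zitella's answer below is one form of that), or, as Clammy suggests, reserving the address first in a store with a unique constraint and only then calling signUp.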
17

I sent this to AWS support. They're aware of the issue but have no ETA.

Thanks for contacting AWS Premium Support. I understand that you would like to know whether Cognito team is aware of the issue posted here[1].

I checked with Cognito team on our end and YES, they are aware of this issue/bug. Good news is, we already have trouble ticket open with Cognito Team to fix the issue. However, I won't be able to provide an ETA on when this fix will go live as I don't have any visibility into their development/release plans. But, I would like to thank you for your valued contribution in bringing this issue to our attention, I do appreciate it.

Magnetoelectricity answered 7/2, 2019 at 21:48 Comment(9)
did they ever come back to you?Dorsad
sheesh how have they not fixed this yet, it's crazy!Dur
@stavros.zavrakas nopeMagnetoelectricity
still no fix to this? absolutely bizarre that this could not be solved in the last few yearsSuperfluity
Any luck on this issue ?Sling
Any update from AWS side ?Sibell
It's August 2022 and the issue is still there.Boswall
It's April 2023 and the issue is still there.Secondhand
It's November 2023 and still counting.Dowse
4

I talked to AWS, still no fix and no time estimation.

Desma answered 15/8, 2021 at 15:33 Comment(0)
1

Cognito limits usernames to one user only. However, yes, multiple users can share an email.

Crenshaw answered 26/7, 2020 at 21:0 Comment(1)
I have a requirement where multiple users in Cognito can have the same email address and also they can be verified with multiple users. As of now Cognito can have users with the same email address but it keeps verified for multiple users.Eulaliaeulaliah
1

June 2023 and bug still exists. I have 4 users with same email in my Cognito pool. I was able to recreate by simply double clicking the sign up button on my login page. Amazingly I was unable to recreate it after I put in a simple statement to disable the button in the click handler (form submit handler) which performs the Auth.signup(), and then re-enable it after it is done. Sounds too simple to be the solution but seems to be working, at least for situations where a sign up button is involved. Of course, it won't be the solution if different users on different devices are hitting Sign Up at the same time with the same email.

Zitella answered 20/6, 2023 at 21:12 Comment(0)
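Zitella's fix (disable the button until the call settles) generalises to a single-flight wrapper around the sign-up call, which also covers the doubly-registered listener from the question, where no button state is involved. The following is an added example, not Zitella's code or aws-amplify's: the wrapper keys pending requests by normalised email, so a second concurrent call for the same address joins the first request instead of sending another, and a later attempt after the first has settled goes through as a new request. The stub standing in for Auth.signUp, its delay and its error shape are constructed for this offline demonstration.

```javascript
// Added example, not Zitella's code or aws-amplify's: a single-flight wrapper
// around the sign-up call. A double click or a doubly-registered listener that
// calls signUpOnce twice for the same email joins the pending request instead
// of sending a second one. signUpFn stands in for Auth.signUp(username, password).
function makeSingleFlightSignUp(signUpFn) {
  const inFlight = new Map(); // normalised email -> pending promise
  let backendCalls = 0;

  function signUpOnce(email, password) {
    const key = email.trim().toLowerCase();
    if (inFlight.has(key)) {
      return inFlight.get(key); // second caller shares the first request's outcome
    }
    backendCalls += 1;
    // Promise.resolve().then(...) turns a synchronous throw into a rejection.
    const pending = Promise.resolve()
      .then(() => signUpFn(email, password))
      .finally(() => inFlight.delete(key)); // allow a genuine retry afterwards
    inFlight.set(key, pending);
    return pending;
  }

  return { signUpOnce, backendCalls: () => backendCalls };
}

// Constructed stub for Auth.signUp: resolves after a short delay with a
// Cognito-like result, and rejects for a constructed "invalid" domain so the
// retry path can be exercised. The error shape mirrors the one in the question.
function fakeAuthSignUp(delayMs) {
  return (username, _password) =>
    new Promise((resolve, reject) => {
      setTimeout(() => {
        if (username.endsWith('@invalid.example')) {
          const err = new Error('constructed: rejected by stub');
          err.code = 'InvalidParameterException';
          reject(err);
        } else {
          resolve({ user: { username }, userConfirmed: false });
        }
      }, delayMs);
    });
}

// The double-submit case: two calls in the same tick, one request to the backend,
// and both callers receive the same result object.
async function doubleSubmit(email = 'person@example.com') {
  const auth = makeSingleFlightSignUp(fakeAuthSignUp(5));
  const [a, b] = await Promise.all([
    auth.signUpOnce(email, 'Passw0rd!'),
    auth.signUpOnce(email, 'Passw0rd!'),
  ]);
  return { backendCalls: auth.backendCalls(), sameResult: a === b };
}

// Once the first attempt has settled (here with an error), the next attempt is
// a fresh request rather than a replay of the failed one.
async function retryAfterFailure(email = 'person@invalid.example') {
  const auth = makeSingleFlightSignUp(fakeAuthSignUp(5));
  const outcomes = [];
  for (let i = 0; i < 2; i += 1) {
    try {
      await auth.signUpOnce(email, 'Passw0rd!');
      outcomes.push('ok');
    } catch (err) {
      outcomes.push(err.code);
    }
  }
  return { backendCalls: auth.backendCalls(), outcomes };
}

Promise.all([doubleSubmit(), retryAfterFailure()]).then(([dbl, retry]) => {
  console.log('double submit:', dbl);   // backendCalls 1, sameResult true
  console.log('retry after failure:', retry); // backendCalls 2, two InvalidParameterException
});
```

In a form, the submit handler calls signUpOnce and awaits it; disabling the button is then optional feedback rather than the only guard. As Zitella notes, this only serialises one client's requests, so two devices submitting the same address at once are not covered by it.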
