
Comments (3)

ottokruse commented on August 27, 2024

That piece of code is related to user enumeration prevention. It basically returns a bogus email address, that will be masked.

The story is that when requesting a magic link we return the masked e-mail address in the public challenge parameters. This is nice so the user knows where the magic link is sent to (in case the user does not sign-in with magic link but e.g. with username). Unfortunately this opens the door for user enumeration. Which is why we mask the e-mail addresses.

The code you pasted comes into play when a non-existing user signs in, and the user pool is configured with preventUserExistenceErrors=true (note, the default is false). To prevent user enumeration Cognito will then appear to proceed with the sign-in (even though it will never work) and call the custom auth lambda with event.request.userNotFound = true (so we know it is a non-existing user). In that case we don't have an e-mail address to mask and return as public challenge parameters, so we use the fake username to create a dummy e-mail address.

Now that I explained this to you I think we should remove sending back the e-mail address if the user pool is configured with preventUserExistenceErrors=true.

from amazon-cognito-passwordless-auth.
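The behaviour described in the comment above, as an added example that is not code from the amazon-cognito-passwordless-auth project: a Create Auth Challenge handler that masks the user's e-mail for the public challenge parameters and, when Cognito reports `userNotFound`, fabricates a dummy address from the placeholder `userName`. The event shape is a minimal subset of the Cognito trigger event; `dummyEmailFor`, the `example.invalid` domain, the `MAGIC_LINK` challenge name and the sample events are all constructed here. The `includeMaskedEmail` switch lets you compare the two designs: with the masked e-mail included, the dummy still differs from a real user's masked address (domain, local-part length), so the response remains an enumeration oracle; with it omitted (the approach taken in #134), found and not-found users produce identical public parameters.

```typescript
// Added example, not from the amazon-cognito-passwordless-auth repository.

// Minimal subset of the Cognito Create Auth Challenge trigger event.
// The field names follow the Cognito trigger schema; everything else is assumed.
export interface CreateAuthChallengeEvent {
  userName: string;
  request: {
    userAttributes: Record<string, string>;
    userNotFound?: boolean;
  };
  response: {
    publicChallengeParameters: Record<string, string>;
    privateChallengeParameters: Record<string, string>;
    challengeMetadata?: string;
  };
}

// Mask an e-mail for display: keep the first character of the local part and
// the full domain, replace the remainder of the local part with asterisks.
export function maskEmail(email: string): string {
  const at = email.indexOf("@");
  if (at <= 0 || at === email.length - 1) {
    throw new Error("not an e-mail address");
  }
  const local = email.slice(0, at);
  const domain = email.slice(at + 1);
  return `${local[0]}${"*".repeat(Math.max(local.length - 1, 1))}@${domain}`;
}

// Constructed stand-in for "use the fake username to create a dummy e-mail":
// when userNotFound is set, Cognito still hands the trigger a placeholder
// userName. Derive a fixed-length local part from it so masking has something
// to work on. The domain is a hypothetical placeholder.
export function dummyEmailFor(fakeUserName: string): string {
  const local = fakeUserName.replace(/[^a-z0-9]/gi, "").slice(0, 8).padEnd(8, "0");
  return `${local}@example.invalid`;
}

// Build the public challenge parameters. includeMaskedEmail=true is the
// design the comment describes; false is the design after dropping the
// e-mail from the public parameters.
export function buildPublicChallengeParameters(
  event: CreateAuthChallengeEvent,
  includeMaskedEmail: boolean,
): Record<string, string> {
  const params: Record<string, string> = { challenge: "MAGIC_LINK" };
  if (!includeMaskedEmail) return params;
  const realEmail = event.request.userAttributes["email"];
  const email =
    event.request.userNotFound || !realEmail
      ? dummyEmailFor(event.userName)
      : realEmail;
  params["email"] = maskEmail(email);
  return params;
}

// Handler entry point: fill in the response on the event and return it.
export function handler(
  event: CreateAuthChallengeEvent,
  includeMaskedEmail = false,
): CreateAuthChallengeEvent {
  event.response.publicChallengeParameters = buildPublicChallengeParameters(
    event,
    includeMaskedEmail,
  );
  // The secret the magic link must present is a private parameter; the value
  // here is a constructed placeholder, not how the project generates it.
  event.response.privateChallengeParameters = { secretLoginCode: "placeholder" };
  event.response.challengeMetadata = "MAGIC_LINK";
  return event;
}

// Constructed sample events: one existing user, one non-existing user as
// Cognito presents it with preventUserExistenceErrors enabled.
export function sampleEvents(): {
  real: CreateAuthChallengeEvent;
  unknown: CreateAuthChallengeEvent;
} {
  const base = {
    response: { publicChallengeParameters: {}, privateChallengeParameters: {} },
  };
  return {
    real: {
      userName: "jane.doe",
      request: { userAttributes: { email: "jane.doe@example.com" } },
      ...base,
    },
    unknown: {
      userName: "fa8c1f2e-0000-4000-8000-000000000000",
      request: { userAttributes: {}, userNotFound: true },
      ...base,
    },
  };
}

// True when an attacker comparing the two responses learns nothing.
export function responsesIndistinguishable(includeMaskedEmail: boolean): boolean {
  const { real, unknown } = sampleEvents();
  const a = JSON.stringify(buildPublicChallengeParameters(real, includeMaskedEmail));
  const b = JSON.stringify(buildPublicChallengeParameters(unknown, includeMaskedEmail));
  return a === b;
}
```

`responsesIndistinguishable(true)` is false because the masked dummy address and the masked real address differ, while `responsesIndistinguishable(false)` is true: once the e-mail is out of the public parameters, the not-found path has nothing left to distinguish it.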

Simonl9l commented on August 27, 2024

@ottokruse - thanks for the reply - for us the Cognito User Pool is not our System of Record for users (as passwordless makes this possible).

Given CloudFront distribution and latency based routing, our plan is to fire up regional stacks in various regions (as needed based on redundant geographical customer footprint or jurisdictional separations, e.g. due to GDPR) with an immutable architecture, leveraging DynamoDB Global Tables (with said GDPR separations), such that we'll create a new User Pool with that stack along with requisite lambdas and regional replicas of the Global Table(s) etc.

As such, in our Login controller we can check that the email is a known user in the DB and AdminCreateUser any existing-but-missing users in the User Pool before we InitiateAuth, since the User Migration trigger is incompatible with Custom Auth!

We'd bomb out before the InitiateAuth. Or do you suggest we Initiate the auth anyway to get the effect of the preventUserExistenceErrors=true?

Albeit, thinking about it, we should also be denying magic link auth anyway for users that have a passkey/FIDO credential registered, per security posture issue #68.

We'll look out for the fix you mention above at the end.


ottokruse commented on August 27, 2024

We have gotten rid of sending back the email address as public challenge parameter in #134

