Cognito: UserNotConfirmedException before NotAuthorized

Question

Cognito: UserNotConfirmedException before NotAuthorized

cbaser opened this issue 10 months ago · 4 comments

Describe the bug

Hello,

My example scenario is the following:

If i register a new user with email : test@test.com , password : Test@123 and did not verify the mail, then if i login with same email but different password such as Example@123 then it gives an UserNotConfirmedException error which is for User is not confirmed.

Instead of that I need : wrong email / password combination - NotAuthorizedException. As password entered is incorrect.

Do you have any suggestions to fix this?

Thank you!

Expected Behavior

Cognito throws NotAuthorizedException

Current Behavior

Cognito throws UserNotConfirmedException

Reproduction Steps

try{
        const params = {
                    AuthFlow: 'USER_PASSWORD_AUTH',
                    ClientId: 'client_id',
                    AuthParameters: {
                        'USERNAME': username,
                        'PASSWORD': password
                    }
                };
                const data = await cognito.initiateAuth(params).promise();

// other code
  

}catch(err){
console.log(err)
}

Possible Solution

No response

Additional Information/Context

No response

SDK version used

2.1568.0

Environment details (OS name and version, etc.)

Node.js in Lambda

Answer 1 · 2024-03-28T22:48:43.000Z

Hi @cbaser - thanks for reaching out.

According to the service API docs, NotAuthorizedException gets thrown when a user isn't authorized and UserNotConfirmedException when a user isn't confirmed successfully. Since those are coming from the service API rather than SDK, I'm going to have to reach out to service team to get some guidance on your use case. I'll post update once I hear back. (ref: P124067600)

Answer 2 · 2024-05-03T15:03:57.000Z

@aBurmeseDev do you have any updates on this? We are still getting UserNotConfirmedException before NotAuthorizedException

Answer 3 · 2024-05-31T22:28:58.000Z

Hi @cbaser - apologies for the delay. Here's the response from service team:

This is intended behavior when the user is not confirmed.

It is possible to enable "Prevent User Existence Errors" to receive a generic "Incorrect username or password." response though following this post.
https://repost.aws/knowledge-center/cognito-prevent-user-existence-errors

Does that help? Let me know if you have any further questions for service team.

Answer 4 · 2024-06-11T00:11:55.000Z

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.