Consider the following chain of events:

  1. My site uses AWS Cognito to manage its users, and uses the default Cognito hosted UI
  2. One of my users creates an account this way
  3. They enter their email address and a password
  4. They get taken to a screen where Cognito asks them to enter a verification code that was sent to their email address
  5. For whatever reason, the user exits this process before doing so

The user now exists in a "soft-locked" state:

  1. They cannot log in, and instead just get a big red error message saying "user is not confirmed"
  2. They cannot sign up again, and get a message saying "an account with the given email already exists"
  3. The "forgot password" route may allow them to get in (I'm still checking this), but a user would not be indicated to try this

The only way for the user to get in seems to be for an admin to either manually confirm the account, or delete it to allow the user to recreate it. This is obviously unacceptable in production.

What is Cognito's proposed way of handling this situation? I haven't been able to find any documentation around it, but this chain of events is, I would argue, quite a normal thing to happen.

Tim Leach
  • "The only way for the user to get in seems to be for an admin to either manually confirm the account, or delete it to allow the user to recreate it. This is obviously unacceptable in production." That sounds like my exact experience with Cognito and as far as I know there is no work-around. – Mark B Jun 19 '23 at 15:53
  • @MarkB that's what I was worried about, thanks for the reply! – Tim Leach Jun 19 '23 at 16:02
  • Here is one [custom solution](https://stackoverflow.com/a/64083490/1273882) for the exact same problem. This solution makes use of Cognito Lambda triggers. – Ankush Jain Jun 19 '23 at 17:01
