
AWS Amplify/amplify-js forgotPassword() returns no error with invalid userName


I'm implementing authentication components with aws-amplify (Vue/TypeScript). Using forgotPassword(userName: string), I'm trying to send a verification code to the target email address. https://aws-amplify.github.io/amplify-js/api/classes/authclass.html#forgotpassword

import { Auth } from 'aws-amplify'
...
await Auth.forgotPassword(emailAddress)


However, with an invalid email address that is not one of the Cognito users, it returns this success message.

{"CodeDeliveryDetails":{"AttributeName":"email","DeliveryMedium":"EMAIL","Destination":"****@d***.com"}}

What I want is this.

{"__type":"UserNotFoundException","message":"Username/client id combination not found."}

I doubt mis-configuration on AWS Cognito, but cannot figure out what to change.


Solution

  • Visit your User Pools.

    Go to App Client in the left navigation bar.

    Then scroll down to Security configuration.

    Select Legacy under "Prevent User Existence Errors".

    Note: The default option is Enabled (Recommended). This default option is the actual root cause.


    Now when you enter a wrong username [in my case email-id], it will throw the exception.


    If you enter a correct username [in my case email-id], then it sends the verification code.

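With Legacy selected, the forgotPassword() response tells the caller whether a username is registered, so the form should still show the same result for both outcomes. The following is an added example, not code from the question or the answer: it maps both response shapes quoted above to one neutral UI state. `ResetUiState`, `errorName`, `resetUiState`, `requestReset` and the message texts are hypothetical names and values, and the Amplify call is injected so the block runs offline.

```typescript
// Added example; all names and message texts here are hypothetical.
type ResetUiState = {
  next: 'enter-code' | 'retry-later' | 'error';
  message: string;
};

// Same text whether or not the account exists, so the form does not
// reveal which e-mail addresses are registered.
const NEUTRAL_MESSAGE =
  'If an account exists for this address, a verification code has been sent.';

// Accepts a thrown error ({ name, code }) or the raw body ({ __type }).
function errorName(err: unknown): string {
  if (typeof err !== 'object' || err === null) return '';
  const e = err as { name?: unknown; code?: unknown; __type?: unknown };
  for (const v of [e.name, e.code, e.__type]) {
    if (typeof v === 'string' && v.endsWith('Exception')) return v;
  }
  return '';
}

// Pass the rejection value when the call failed, nothing when it resolved.
function resetUiState(error?: unknown): ResetUiState {
  if (error === undefined) return { next: 'enter-code', message: NEUTRAL_MESSAGE };
  switch (errorName(error)) {
    case 'UserNotFoundException':
      // Only raised with the Legacy setting: answer exactly as for success.
      return { next: 'enter-code', message: NEUTRAL_MESSAGE };
    case 'LimitExceededException':
    case 'TooManyRequestsException':
      return { next: 'retry-later', message: 'Too many attempts. Try again later.' };
    default:
      return { next: 'error', message: 'Could not start the password reset.' };
  }
}

// `forgotPassword` is injected, e.g. (u) => Auth.forgotPassword(u).
async function requestReset(
  forgotPassword: (username: string) => Promise<unknown>,
  username: string,
): Promise<ResetUiState> {
  try {
    await forgotPassword(username.trim());
    return resetUiState();
  } catch (err) {
    return resetUiState(err ?? {}); // a bare `undefined` rejection is still a failure
  }
}
```

The exception can still be logged server-side or in client telemetry for troubleshooting; only the text shown to the person filling in the form stays identical.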