Automatic login after successful registration #15
Comments
@dachanh did you check the support from AWS? I do not think AWS supports that due to the lack of security. From my side, I want to ignore it. Really dangerous security-wise @pcaversaccio.

I don't understand the security risk @ttattl? Once the user enters the confirmation code in the frontend, the user expects that he/she is logged in. Or in other words, why is this re-sign-in flow after entering the confirmation code more secure?

The code is used for activating the user in Cognito only. So there is a problem if the client wants to log in automatically: we need a token (generated from ID and password) to log in. AWS does not allow us to generate the token to log in when we only know the confirmation code.

Ok, I do understand @ttattl. In theory, we could build the logic ourselves by having a flag in the user profile and letting him/her log in automatically by disabling the verification logic from Cognito. But the complexity should not be underestimated, as well as the security considerations of possibly bypassing this. So let's stick for the moment to the current flow, but I leave this issue open for later considerations.

Not considered in this quarter. Keep it.

Recheck in the next phase, May 2022.
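The two comments above describe the Cognito sequence: the confirmation code only confirms the sign-up, and tokens come from a separate authentication call made with the username and password. The following is an added example written for this page, not code from this project or from AWS. The method names and parameter shapes match boto3's `cognito-idp` client (`sign_up`, `confirm_sign_up`, `initiate_auth`), so `register_confirm_login` can be handed a real client; `FakeCognito` is a constructed offline stand-in, and `CLIENT_ID`, `CLIENT_SECRET`, the user names and the issued code are assumed values. It shows why "auto-login" after confirmation in practice means calling `InitiateAuth` with the password the registration form still holds in memory: `ConfirmSignUp` returns no tokens at all.

```python
"""Cognito sign-up -> confirm -> sign-in, as an added illustration (not project code)."""
import base64
import hashlib
import hmac

CLIENT_ID = "example-app-client-id"          # assumed app client id
CLIENT_SECRET = "example-app-client-secret"  # assumed; omit SecretHash if the client has none


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SecretHash Cognito requires when the app client has a secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    digest = hmac.new(client_secret.encode("utf-8"),
                      (username + client_id).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def register_confirm_login(client, username, password, email, code):
    """Run SignUp, ConfirmSignUp and InitiateAuth in order; return the tokens.

    ConfirmSignUp only moves the user to CONFIRMED and returns an empty body.
    Tokens are issued solely by InitiateAuth, which needs the password the
    registration form still holds (USER_PASSWORD_AUTH must be enabled on the
    app client via ALLOW_USER_PASSWORD_AUTH).
    """
    sh = secret_hash(username, CLIENT_ID, CLIENT_SECRET)
    client.sign_up(ClientId=CLIENT_ID, SecretHash=sh, Username=username,
                   Password=password,
                   UserAttributes=[{"Name": "email", "Value": email}])
    confirm = client.confirm_sign_up(ClientId=CLIENT_ID, SecretHash=sh,
                                     Username=username, ConfirmationCode=code)
    if "AuthenticationResult" in confirm:  # never the case with the real API
        return confirm["AuthenticationResult"]
    auth = client.initiate_auth(
        ClientId=CLIENT_ID,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password,
                        "SECRET_HASH": sh},
    )
    return auth.get("AuthenticationResult")


class FakeCognito:
    """Constructed offline stand-in that mimics the relevant service behaviour."""

    def __init__(self, issued_code):
        self.issued_code = issued_code   # code the service "emailed" to the user
        self.users = {}                  # username -> {"password", "status"}

    def sign_up(self, **kw):
        self.users[kw["Username"]] = {"password": kw["Password"],
                                      "status": "UNCONFIRMED"}
        return {"UserConfirmed": False,
                "UserSub": "00000000-0000-0000-0000-000000000000"}

    def confirm_sign_up(self, **kw):
        if kw["ConfirmationCode"] != self.issued_code:
            raise ValueError("CodeMismatchException")
        self.users[kw["Username"]]["status"] = "CONFIRMED"
        return {}  # like the real API: empty body, no tokens

    def initiate_auth(self, **kw):
        params = kw["AuthParameters"]
        user = self.users.get(params["USERNAME"])
        if user is None or user["password"] != params["PASSWORD"]:
            raise ValueError("NotAuthorizedException")
        if user["status"] != "CONFIRMED":
            raise ValueError("UserNotConfirmedException")
        return {"AuthenticationResult": {"IdToken": "id.jwt",
                                         "AccessToken": "access.jwt",
                                         "RefreshToken": "refresh",
                                         "TokenType": "Bearer"}}


if __name__ == "__main__":
    fake = FakeCognito(issued_code="123456")
    tokens = register_confirm_login(fake, "alice", "Correct-Horse-7",
                                    "alice@example.com", "123456")
    print(tokens["IdToken"])
```

The caveat the thread raises is visible in the code: the only secret that lets `initiate_auth` succeed is the password, so a frontend that wants to log the user in right after confirmation has to keep that password in memory between the sign-up and confirmation steps. Whether that is acceptable is exactly the question left open in this issue.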
Based on the user feedback we should evaluate whether to enable automatic login after successful email verification.