Commit 9396e6f

fix: disable Cognito self sign-up by default (#115)
## Summary

- Set `selfSignUpEnabled` to `false` on the Cognito UserPool so that only administrators can create users
- Improves default security posture of the starter kit

Closes #106
1 parent 3cc66bf commit 9396e6f

3 files changed: +5 -3 lines changed

cdk/lib/constructs/auth/index.ts

Lines changed: 3 additions & 1 deletion
@@ -69,7 +69,9 @@ export class Auth extends Construct {
6969
requireDigits: true,
7070
minLength: 8,
7171
},
72-
selfSignUpEnabled: true,
72+
// Set to true to allow self sign-up.
73+
// When false, administrators must create users via the Cognito console or API.
74+
selfSignUpEnabled: false,
7375
signInAliases: {
7476
username: false,
7577
email: true,
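
Review bot: The new comment above `selfSignUpEnabled: false` tells users to edit the construct source to turn sign-up back on, and none of the three files in this commit is documentation, so anyone redeploying an existing stack picks up the changed default without notice. Consider exposing the value as an optional prop on `Auth` that defaults to `false`, and stating in the project docs that administrators now have to create users via the Cognito console or API.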

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap

Lines changed: 1 addition & 1 deletion
@@ -1158,7 +1158,7 @@ exports[`Snapshot test 2`] = `
11581158
],
11591159
},
11601160
"AdminCreateUserConfig": {
1161-
"AllowAdminCreateUserOnly": false,
1161+
"AllowAdminCreateUserOnly": true,
11621162
},
11631163
"AutoVerifiedAttributes": [
11641164
"email",
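
Review bot: The new default at `"AllowAdminCreateUserOnly": true` is covered in this commit only by regenerated snapshots, and a snapshot update accepts whatever the template currently contains, so a later flip back to `false` can be accepted without a reviewer noticing. A targeted assertion on `AdminCreateUserConfig.AllowAdminCreateUserOnly` in the CDK test would make that regression fail explicitly.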

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap

Lines changed: 1 addition & 1 deletion
@@ -1069,7 +1069,7 @@ exports[`Snapshot test 2`] = `
10691069
],
10701070
},
10711071
"AdminCreateUserConfig": {
1072-
"AllowAdminCreateUserOnly": false,
1072+
"AllowAdminCreateUserOnly": true,
10731073
},
10741074
"AutoVerifiedAttributes": [
10751075
"email",
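
Review bot: `AdminCreateUserConfig` in this snapshot contains only `AllowAdminCreateUserOnly`, so now that admin creation is the sole onboarding path, new users will receive Cognito's default invitation message. If that is not intended, set `userInvitation` on the UserPool in `cdk/lib/constructs/auth/index.ts`, and confirm that the temporary-password validity suits an invite flow.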
