InvalidParameterEception even if value is ok. Email to long exception

[joshua-classen]

Describe the bug

Hi, i get an Email should not be longer than 256 characters on a 256 character long email. This is a bug.

private readonly IAmazonCognitoIdentityProvider _cognitoService;

//...

var userAttributes = new List<AttributeType>
        {
            new() { Name = "email", Value = email }, // email is for example 256 character long
            new() { Name = "custom:role", Value = userType.ToString().ToLower() }
        };

        var signUpRequest = new SignUpRequest
        {
            UserAttributes = userAttributes,
            Username = userName,
            ClientId = _clientId,
            Password = password,
            SecretHash = CalculateSecretHash(userName)
        };

        try
        {
            var response = await _cognitoService.SignUpAsync(signUpRequest); // will throw:
            // Amazon.CognitoIdentityProvider.Model.InvalidParameterException: 1 validation error detected: Value 'email = "asdöklfaslkdf@asdfjalksdjfklajskldfkasjlasdklfjklasjdfkljalskjdfljakdfklaksdflkajskldfjlkasjfdkljasdlkfjklasdjfkljasdkl
fjalskdjfklasdjfklsadjfkldsjflkasklfjasdfjalksdjfklajskldfkasjlasdklfjklasjdfkljalskjdfljaksdfklaksdflkajskldfjlkasjfdkljasdlkfjkeajsj.de"' at 'filter' failed to satisfy constraint: Member must have length less than or equal to 256

Please fix that.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

I expect that the Error Message will be correct. The error message says that it would not fail if the email is 256 characters long, but it failed.

Current Behavior

email to long exception for a not to long email

Reproduction Steps

call the SignUpAsync method from IAmazonCognitoIdentityProvider

Possible Solution

Allow or dissallow emails with that length.

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.CognitoIdentityProvider version 3.7.404.1

Targeted .NET Platform

.NET 8

Operating System and version

Windows 11

[joshua-classen]

It even happens if the email is way shorter than 256 for example 250 characters only

[ashishdhingra]

@joshua-classen Good afternoon. The issue is not reproducible using the code below (used AWSSDK.CognitoIdentityProvider version 3.7.404.2). This also assumes that Username is selected as SignIn option while creating user pool):

using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;
using System.Security.Cryptography;
using System.Text;

namespace CognitoIDPTest
{
    internal class Program
    {
        static void Main(string[] args)
        {
            Amazon.AWSConfigs.LoggingConfig.LogResponses = Amazon.ResponseLoggingOption.Always;
            Amazon.AWSConfigs.LoggingConfig.LogTo = Amazon.LoggingOptions.Console;
            Amazon.AWSConfigs.AddTraceListener("Amazon", new System.Diagnostics.ConsoleTraceListener());

            IAmazonCognitoIdentityProvider _cognitoService = new AmazonCognitoIdentityProviderClient();
            string email256Chars = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijkl@gmail.com";
            string userName = "<<username>>";
            string password = "<<password>>";
            string clientId = "<<appclientid>>";
            string clientSecret = "<<appclientsecret>>";

            var userAttributes = new List<AttributeType>
            { new() { Name="email", Value = email256Chars } };

            var signUpRequest = new SignUpRequest
            {
                Username = userName,
                Password = password,
                ClientId = clientId,
                UserAttributes = userAttributes,
                SecretHash = GetUserPoolSecretHash(userName, clientId, clientSecret)
            };

            var response = _cognitoService.SignUpAsync(signUpRequest).Result;
        }

        public static string GetUserPoolSecretHash(string userID, string clientID, string clientSecret)
        {
            string s = userID + clientID;
            byte[] bytes = Encoding.UTF8.GetBytes(clientSecret);
            byte[] bytes2 = Encoding.UTF8.GetBytes(s);
            return Convert.ToBase64String(new HMACSHA256(bytes).ComputeHash(bytes2));
        }
    }
}

However, while using an email asdöklfaslkdf@asdfjalksdjfklajskldfkasjlasdklfjklasjdfkljalskjdfljakdfklaksdflkajskldfjlkasjfdkljasdlkfjklasdjfkljasdklfjalskdjfklasdjfklsadjfkldsjflkasklfjasdfjalksdjfklajskldfkasjlasdklfjklasjdfkljalskjdfljaksdfklaksdflkajskldfjlkasjfdkljasdlkfjkeajsj.de shared by you, we get error Invalid email address format. error. I'm unsure if this is because of long domain name in your email address.

Kindly note that the AWSSDK.CognitoIdentityProvider is autogenerated from service models and the above error is thrown by the AWS Cognito service.

Do you get this error other than the one you originally reported initially? Could you try using short domain name?

Also, in my case, in User pool's Sign Up setting page:

• Attributes to verify setting is set as Send email message, verify email address.
• Automatically send is set as Allow Cognito to automatically send messages to verify and confirm - Recommended.

May be Cognito validation is being done in my setup. What are these settings for your user pool. Could you please share non-default User pool and app client settings for your setup?

If required, I could open an internal ticket to Cognito team to get their inputs.

Thanks,
Ashish

[joshua-classen]

I found my error on a different location. Before I signup a user I want to check if the user with this mail already exists and I call this function before.

public async Task<UserType?> FindUserByEmailAsync(string email)
    {
        _logger.LogDebug("Searching for user by email: {Email}", email);

        var request = new ListUsersRequest
        {
            UserPoolId = _userPoolId,
            Filter = $"email = \"{email}\""
        };

        try
        {
            var response = await _cognitoService.ListUsersAsync(request); // will throw  at 'filter' failed to satisfy constraint: Member must have length less than or equal to 256
            // for FILTER = email = "asdöklfaslkdf@fkasfsdfsdfjlasdklfjklasjdfkljalskjdfljakdfklaksdflkajskldfjlkasjfdkljasdlkfjklasdjfkljasdklfjalskdjfklasdjfklsadjfkldsjflkasklfjasdfjalksdjfklajskldfkasjlasdklfjklasjdfkljalskjdfljaksdfklaksdflkajskldfjlkasjfdkljasdlkfffffffffjkeajsj.de"

            // because this is then longer than 256 characters
            if (response.Users.Any())
            {
                _logger.LogInformation("User found with email: {Email}", email);
                return response.Users.First();
            }

            _logger.LogInformation("No user found with email: {Email}", email);
            return null;
        }
        catch (Exception ex)
        {
            _logger.LogError(ex, "Error searching for user by email: {Email}", email);
            throw;
        }
    }

The Email can be of a valid format for example asdasdfasdfjkhajkshdfjkhajksdhfjkhkajsdhfjkhajksdhfjkhaksjdhfjkhasjkdhfkjhasjkdfhkjashdfjkhajksdhfjkhasdjkfhjkasdfkhasjkdfhjkahsdjkfhjkasdhfjkhasjkdfhjkashdjkfhjkasdhfkjhasdkjfhkjashdfjkhasjkdfhkjashdfkhasjkdfhkjhkdashfkhhhhf@fasdgasgasdgasdkkkkgj.de

but then the Filter string is to long and it will throw an exception. Basically you can not filter for correct emails.

[joshua-classen]

This is really a bug in the filtering technology. It says that the Filter String can only be of max 256 characters lenght.
Type: String

Length Constraints: Maximum length of 256.

Required: No

Source: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html

This is a problem because the user is allowed to save an email that has 256 characters. But you can not filter these email because the Filter attribute gets longer because "email = " gets attached.

[ashishdhingra]

Issue is reproducible using code below when using email with 256 characters in Filter:

public static async Task<UserType?> FindUserByEmailAsync(IAmazonCognitoIdentityProvider cognitoService, string userPoolId, string email)
{
    var request = new ListUsersRequest
    {
        UserPoolId = userPoolId,
        Filter = $"email = \"{email}\""
    };

    try
    {
        var response = await cognitoService.ListUsersAsync(request);

        // because this is then longer than 256 characters
        if (response.Users.Any())
        {
            return response.Users.First();
        }

        return null;
    }
    catch (Exception)
    {
        throw;
    }
}

@joshua-classen As you rightly pointed out, per AWS Cognito > ListUsers service API reference, Filter string can have maximum length of 256. This is a service API limitation, AWS SDK for .NET cannot do much about it. Please provide Feedback using link at top left of AWS Cognito > ListUsers service API reference page. This would open a ticket with the correct team and this way you would get updates on any progress made on the issue.

Thanks,
Ashish

[github-actions]

This issue has not received a response in 5 days. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.