Are the Cognito User pool id and Client Id sensitive?


Question

Does anyone know if the User Pool Id and Client Id are sensitive? Currently I have them sitting on the frontend and was just wondering if this is dangerous. If it is, how can they be exploited?

Recommended answer

No, they are not. They are supposed to be public. The only way they can be exploited is that someone can use them to make a large amount of SignUp calls to your userpool. But as long as these registrations are not verified, these won't be converted into active users (unless you have enabled auto-verification of users). This is not an AWS-specific issue. Fake registrations are a big headache and one will face this issue even if there is no SignUp API being used and a PHP backend is used for registration. The only way to face this is email/phone verification.

Of course, if you have disabled SignUp in your userpool, i.e. only Admins can create users, then this is not an issue at all.
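
A defender-side check of the settings the answer mentions, as an added example that is not part of the original answer: it inspects a DescribeUserPool response for self sign-up, verification and pre sign-up trigger settings. The sample responses are constructed, and treating a pre sign-up trigger as a possible auto-confirmation path is an assumption about what the answer means by auto-verification.

```python
# Added example: audit the sign-up settings of a Cognito user pool.
# Input is the dict returned by the DescribeUserPool API, e.g. from
# boto3.client("cognito-idp").describe_user_pool(UserPoolId=...).

def audit_signup_exposure(response):
    """Return findings about what a caller holding the public IDs can do."""
    pool = response["UserPool"]
    findings = []

    admin_cfg = pool.get("AdminCreateUserConfig", {})
    if admin_cfg.get("AllowAdminCreateUserOnly", False):
        # Self-registration is disabled, so SignUp calls are rejected.
        return findings
    findings.append("self sign-up is enabled: SignUp is callable with the public IDs")

    if not pool.get("AutoVerifiedAttributes"):
        findings.append("AutoVerifiedAttributes is empty: no email/phone "
                        "verification code is sent at sign-up")

    # Assumption: a pre sign-up trigger is flagged because such a Lambda
    # can confirm users automatically, bypassing verification.
    if pool.get("LambdaConfig", {}).get("PreSignUp"):
        findings.append("pre sign-up Lambda trigger set: check that it does "
                        "not auto-confirm users")
    return findings

# Constructed sample responses (placeholder IDs and ARN, not real resources).
SAMPLE_OPEN = {"UserPool": {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": [],
    "LambdaConfig": {"PreSignUp": "arn:aws:lambda:us-east-1:111122223333:function:example"},
}}
SAMPLE_VERIFIED = {"UserPool": {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": ["email"],
    "LambdaConfig": {},
}}
SAMPLE_ADMIN_ONLY = {"UserPool": {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
}}

if __name__ == "__main__":
    for name, sample in [("open", SAMPLE_OPEN), ("verified", SAMPLE_VERIFIED),
                         ("admin-only", SAMPLE_ADMIN_ONLY)]:
        print(name, audit_signup_exposure(sample))
```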
