AWS Cognito Workflow: Using email alias for primary username

So I am trying to get my head around AWS Cognito but I have hit some walls.

So, right now I can register an account, and verify it and sign in. Simple enough. The edge cases are where my walls are.

Here's the info I have so far:

• username's cannot be changed once created
• I am using UUIDs as my username values
• email is marked as an alias, which in Cognito terms means I can use it to sign in with in addition to username.

• if email is chosen as an alias, per the docs, the same value cannot be used as the username (http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases):

  If email is selected as an alias, a username cannot match a valid email format. Similarly, if phone number is selected as an alias, a username that matches a valid phone number pattern will not be accepted by the service for that user pool.

• The email address can ONLY be used to sign in once the account has been verified (http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases)

  Phone numbers and email addresses only become active aliases for a user after the phone numbers and email addresses have been verified. We therefore recommend that you choose automatic verification of email addresses and phone numbers if you choose to use them as aliases.

Here in lies my edge case.

If a user signs up, but does NOT immediately verify:

• they get called away
• maybe the app crashes
• they lose connectivity
• their battery dies
• they force quit
• app get's accidentally deleted.

In their mind they have signed up just not verified their account. At this point it effectively leaves no way to verify their account they thought they signed up for. I guess it could be solved with messaging:

"Warning your account will not be created until you verify your email address." or something along those lines. Anyway...

• They can't attempt to sign in as they won't know the UUID that was randomly assigned as their username.
• Even if that wasn't the case, they provided their email address as their username. From the user's POV they would have no idea what their username could even be since they only entered their email address.
• The best they could hope for is to try to sign up again. (Assuming they read the verification warning above) In this case now Cognito potentially has abandoned unconfirmed accounts piling up.

"Piling up" may be too strong a phrase, this is likely a pretty fringe case.

Now the plus side is, since they have not "verified" their email they can sign up again with the same email address since the email doesn't get uniquely constrained until it's verified. If someone tries to verify an address that has already been verified they get a AliasExistsException. This actually brings up an interesting point which I just tested as well.

I can register with an email address, then verify that email address so the account becomes confirmed. I can then turn right around and sign up with the same email address and I don't get an official AWS error until I try go to verify that account with the duplicate email address. There isn't any way to surface this error earlier? I guess the expectation is that it's on the developer to write a verification service in the Pre-Signup Trigger:

This trigger is invoked when a user submits their information to sign up, allowing you to perform custom validation to accept or deny the sign up request.

To sum up, and to restate the question:

It seems to be required, practically speaking, that when using an email address with Cognito a Pre-Signup Lambda is required to ensure an account with an email doesn't already exist since the AWS Exception won't be handled until a verification attempt is made.

Is my assumption here correct? By required here I think it's pretty reasonable to let a user know an email address is not available as soon as possible. For example:

John Doe : [email protected]
Jane Doe : [email protected]