From e1531475eeb1aa90e10dd7041c949fe690046d66 Mon Sep 17 00:00:00 2001
From: Kazuho Cryer-Shinozuka
Date: Fri, 20 Mar 2026 00:30:34 +0900
Subject: [PATCH 1/2] fix(auth): disable Cognito self sign-up by default

Set selfSignUpEnabled to false so that only administrators can create users, improving the security posture of the starter kit.

Closes #106
---
 cdk/lib/constructs/auth/index.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cdk/lib/constructs/auth/index.ts b/cdk/lib/constructs/auth/index.ts
index 925ad72..e82500c 100644
--- a/cdk/lib/constructs/auth/index.ts
+++ b/cdk/lib/constructs/auth/index.ts
@@ -69,7 +69,9 @@ export class Auth extends Construct {
 requireDigits: true,
 minLength: 8,
 },
- selfSignUpEnabled: true,
+ // Set to true to allow self sign-up.
+ // When false, administrators must create users via the Cognito console or API.
+ selfSignUpEnabled: false,
 signInAliases: {
 username: false,
 email: true,

From ee2bdbdf66fdbbcea65058e58adbc5b204a15012 Mon Sep 17 00:00:00 2001
From: Kazuho Cryer-Shinozuka
Date: Fri, 20 Mar 2026 00:34:21 +0900
Subject: [PATCH 2/2] test: update snapshots for selfSignUpEnabled change

---
 ...ess-fullstack-webapp-starter-kit-without-domain.test.ts.snap | 2 +-
 .../serverless-fullstack-webapp-starter-kit.test.ts.snap | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap b/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap
index 7b58331..3d54c92 100644
--- a/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap
+++ b/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap
@@ -1158,7 +1158,7 @@ exports[`Snapshot test 2`] = `
 ],
 },
 "AdminCreateUserConfig": {
- "AllowAdminCreateUserOnly": false,
+ "AllowAdminCreateUserOnly": true,
 },
 "AutoVerifiedAttributes": [
 "email",
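Review bot: The secure default is hard-coded into the construct, so a deployment that legitimately wants self sign-up has to edit `cdk/lib/constructs/auth/index.ts` rather than pass an option; if `Auth` already takes a props object (its constructor signature is outside the hunk), exposing this as `selfSignUpEnabled: props.selfSignUpEnabled ?? false,` keeps the secure-by-default behavior while making the choice visible at the stack level. The two added comment lines would then describe the prop rather than a value to edit, e.g. `// Defaults to false: only administrators can create users (AllowAdminCreateUserOnly in CloudFormation).` Any self-registration flow in the frontend, if one exists, will now be rejected by Cognito, so that path should be removed or gated on the same setting. The enclosing `Auth` class and its UserPool definition start before the hunk. The snapshot updates in the second patch confirm `AllowAdminCreateUserOnly` flips to true for both stacks.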
diff --git a/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap b/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap
index d02589b..43325df 100644
--- a/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap
+++ b/cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap
@@ -1069,7 +1069,7 @@ exports[`Snapshot test 2`] = `
 ],
 },
 "AdminCreateUserConfig": {
- "AllowAdminCreateUserOnly": false,
+ "AllowAdminCreateUserOnly": true,
 },
 "AutoVerifiedAttributes": [
 "email",