
Password Reset Not Possible!?

Open bradennapier opened this issue 7 years ago • 4 comments

More issues with this library...

A user is marked as RESET_REQUIRED

[image]

When I try to login the user, it calls onFailure:

cognito.js?d648:344 Failed To Authenticate User: Password reset required for the user Error: Password reset required for the user
    at Request.extractError (json.js:48)

It does not call newPasswordRequired

newPasswordRequired: (userAttributes, requiredAttributes) => {
      // User was signed up by an admin and must provide new
      // password and required attributes, if any, to complete
      // authentication.
      console.log('New Password Required');
      // the api doesn't accept this field back
      delete userAttributes.email_verified;
      observer.publish('new_password', { userAttributes, requiredAttributes }, password => {
        User.completeNewPasswordChallenge(password, userAttributes, this);
      });
    },

Forgot Password does not work, it throws the error that the phone number is not validated.

The phone number WAS validated until the password was set to require a reset.

Therefore, this user appears to now be 100% broken and has to be removed completely, losing all their saved data.

bradennapier avatar Jul 06 '17 19:07 bradennapier

Thank you for bringing this up.

In order to allow the user ForgotPassword flow, Cognito needs the user's mobile number to be verified so it can send the code to that number. If the user has not verified it, an admin has a way to verify the phone_number by using the AdminUpdateUserAttributes API. Start by referring to the docs for attributes: http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

At the same time, we will also consider better ways to handle this scenario.

ankitnaugariya avatar Jul 20 '17 21:07 ankitnaugariya

In order to understand the issue better, can you please let us know how you were able to get the User status to RESET_REQUIRED without verifying either phone_number or email? Please list the steps that lead to this user state.

ankitnaugariya avatar Jul 20 '17 21:07 ankitnaugariya

@ankitnaugariya please test out a few scenarios without using server-side Cognito functions. It appears much of the functionality is expected to be handled by a back-end service outside of Cognito. In addition, confirmed users can be created without a verified email/phone by the admin UI. It appears that if the user is not sent an email upon creation, this is possible.

skhameneh-strive avatar Nov 20 '17 20:11 skhameneh-strive

I have this issue which I believe is related to:

  • "Use case 23. Authenticate a user and set new password for a user that was created using AdminCreateUser API."
  • "Use case 12. Starting and completing a forgot password flow for an unauthenticated user."

The use case is "Authenticate a user and set new password for a user that was RESET using AdminResetUserPassword API."

In other words the reset was initiated by admin, not by the user.

For this, authenticateUser does not have a callback and we see :onFailure. I don't think :newPasswordRequired is the solution, as we need to call 'completeNewPasswordChallenge()' for that scenario. What we'd need is something like a :resetConfirmPassword callback that we can complete with 'confirmPassword()'.

shnplr avatar Dec 13 '17 03:12 shnplr
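The recovery path the last two comments describe (authenticateUser reports RESET_REQUIRED through onFailure, and the client has to fall back to forgotPassword followed by confirmPassword) can be handled today without a dedicated callback. The block below is an added example, not code from the amazon-cognito-identity-js project or from anyone in this thread. It assumes the real service's PasswordResetRequiredException error code and the library's callback shapes for authenticateUser, forgotPassword and confirmPassword; the CognitoUser object is injected, and makeFakeUser is a constructed, hypothetical stand-in (its error messages approximate the real service's) so the flow runs offline.

```javascript
// Added example, not code from amazon-cognito-identity-js or from this thread's authors.
// A client that recognises the RESET_REQUIRED failure that authenticateUser reports via
// onFailure and recovers with the library's forgotPassword / confirmPassword flow.
// The CognitoUser is injected so the flow runs offline against the constructed fake below.

// Cognito's error code for a user whose status is RESET_REQUIRED; it carries the
// "Password reset required for the user" message quoted in the issue.
const PASSWORD_RESET_REQUIRED = 'PasswordResetRequiredException';

// Route only this one exception into the reset flow. Other failures (wrong password,
// unknown user) must not be turned into a password reset on the caller's behalf.
function classifyAuthFailure(err) {
  if (!err) return 'unknown';
  const code = err.code || err.name;
  return code === PASSWORD_RESET_REQUIRED ? 'reset-required' : 'other';
}

// Promise wrappers around the callback-style CognitoUser API.
function authenticate(user, authDetails) {
  return new Promise((resolve, reject) => {
    user.authenticateUser(authDetails, {
      onSuccess: resolve,
      onFailure: reject,
      // NEW_PASSWORD_REQUIRED (the AdminCreateUser case) is a different challenge; surface it.
      newPasswordRequired: () => reject(new Error('NEW_PASSWORD_REQUIRED challenge not handled')),
    });
  });
}

function startForgotPassword(user) {
  return new Promise((resolve, reject) => {
    user.forgotPassword({
      onSuccess: resolve,             // used by the library when inputVerificationCode is absent
      onFailure: reject,              // e.g. no verified email/phone to deliver the code to
      inputVerificationCode: resolve, // code was sent; data.CodeDeliveryDetails says where
    });
  });
}

function confirmNewPassword(user, code, newPassword) {
  return new Promise((resolve, reject) => {
    user.confirmPassword(code, newPassword, { onSuccess: resolve, onFailure: reject });
  });
}

// Sign in; on RESET_REQUIRED, run forgotPassword and confirm with the code the user
// receives (getCode is an async prompt supplied by the caller). Everything else rethrows.
async function signInWithResetRecovery(user, authDetails, getCode, newPassword) {
  try {
    await authenticate(user, authDetails);
    return 'authenticated';
  } catch (err) {
    if (classifyAuthFailure(err) !== 'reset-required') throw err;
  }
  const delivery = await startForgotPassword(user);
  const code = await getCode(delivery);
  await confirmNewPassword(user, code, newPassword);
  return 'reset-completed';
}

// Constructed fake CognitoUser (hypothetical; messages approximate the real service's).
// Models a user in RESET_REQUIRED state whose phone may or may not be verified, which is
// exactly the difference between a recoverable account and the "broken" one in the issue.
function makeFakeUser({ status, phoneVerified, expectedCode }) {
  const fail = (cb, code, message) => {
    const e = new Error(message);
    e.code = code;
    cb.onFailure(e);
  };
  const user = { status, password: null };
  user.authenticateUser = (details, cb) => {
    if (user.status === 'RESET_REQUIRED') {
      return fail(cb, PASSWORD_RESET_REQUIRED, 'Password reset required for the user');
    }
    if (details.password === user.password) return cb.onSuccess({ username: details.username });
    fail(cb, 'NotAuthorizedException', 'Incorrect username or password.');
  };
  user.forgotPassword = (cb) => {
    if (!phoneVerified) {
      return fail(cb, 'InvalidParameterException',
        'Cannot reset password for the user as there is no registered/verified email or phone_number');
    }
    cb.inputVerificationCode({ CodeDeliveryDetails: { DeliveryMedium: 'SMS', Destination: '+*******1234' } });
  };
  user.confirmPassword = (code, newPassword, cb) => {
    if (code !== expectedCode) return fail(cb, 'CodeMismatchException', 'Invalid verification code provided');
    user.password = newPassword;
    user.status = 'CONFIRMED';
    cb.onSuccess();
  };
  return user;
}
```

The important design point is in classifyAuthFailure: only PasswordResetRequiredException is routed into the reset flow, so an ordinary wrong-password failure never triggers a code delivery on the user's behalf. The unverified-phone case surfaces as the InvalidParameterException rejection from forgotPassword, which is the state the original report describes; as the earlier reply notes, that is resolved on the admin side by verifying the attribute, not in the client.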