
Problem with ResetPassword with non-existing address

Open CeccoCQ opened this issue 2 years ago • 12 comments

Before opening, please confirm:

Language and Async Model

Java

Amplify Categories

Authentication

Gradle script dependencies

// Put output below this line
implementation 'com.amplifyframework:core:1.24.0'
implementation 'com.amplifyframework:aws-auth-cognito:1.24.0'

Environment information

# Put output below this line
------------------------------------------------------------
Gradle 7.0.2
------------------------------------------------------------

Build time:   2021-05-14 12:02:31 UTC
Revision:     1ef1b260d39daacbf9357f9d8594a8a743e2152e

Kotlin:       1.4.31
Groovy:       3.0.7
Ant:          Apache Ant(TM) version 1.10.9 compiled on September 27 2020
JVM:          15.0.2 (Oracle Corporation 15.0.2+7-27)
OS:           Mac OS X 10.16 x86_64

Please include any relevant guides or documentation you're referencing

No response

Describe the bug

Hi guys, I'm using Amplify and the Cognito service to perform auth operations with my app. The app is "Kabeh" and you can find it in the Amplify Console.

On the Android side, I tried to reset the user's password by passing his email and, for an existing address, everything works fine. But I'm having a problem when the user sets a wrong email address (for example, the address of a user that doesn't exist in Cognito). On the web side the resetPassword method returns an error (and this is the correct behavior) but on the mobile side everything works as if the email existed. I expect an exception like "UserNotExists", or similar.

I'm using this library: https://github.com/aws-amplify/amplify-android

implementation 'com.amplifyframework:core:1.24.0'
implementation 'com.amplifyframework:aws-auth-cognito:1.24.0'

Reproduction steps (if applicable)

No response

Code Snippet

// Put your code below this line.
Amplify.Auth.resetPassword(email, res -> {}, error -> {});

Log output

// Put your logs below this line


amplifyconfiguration.json

No response

GraphQL Schema

// Put your schema below this line


Additional information and screenshots

No response

CeccoCQ avatar Oct 23 '21 06:10 CeccoCQ

Thanks for reaching out to us. Are you using email as user name?

        Amplify.Auth.resetPassword("username",
            { Log.i("AuthQuickstart", "Password reset OK: $it") },
            { Log.e("AuthQuickstart", "Password reset failed", it) }
        )

On trying to reproduce this issue in a setup where username is used for login, if a non-existent user id is passed it goes to the error callback with the exception "UserNotFoundException".

poojamat avatar Oct 29 '21 22:10 poojamat

I've already tried. Using a username or email that does not exist always returns OK, no error.

CeccoCQ avatar Oct 30 '21 12:10 CeccoCQ

Any news about this issue?

CeccoCQ avatar Nov 15 '21 15:11 CeccoCQ

@CeccoCQ I tried to repro the issue and observed that the expected error is returned in the exception callback. Could you please verify your code?

UserNotFoundException{message=User not found in the system., cause=com.amazonaws.services.cognitoidentityprovider.model.UserNotFoundException: Username/client id combination not found. (Service: AmazonCognitoIdentityProvider; Status Code: 400; Error Code: UserNotFoundException; Request ID: 70d0a712-25bd-430e-94de-7fb09c660707), recoverySuggestion=Please enter correct username.}

sdhuka avatar Nov 15 '21 16:11 sdhuka

Hi @sdhuka, my code is simple: Amplify.Auth.resetPassword(email, res -> {}, error -> {}); if I set email = "[email protected]", the method never invokes the error callback. I've already seen the logs without interesting info.

I think that a (paid) technical support that answers "on my side all works" is not a really good support :) (I don't know if you are an AWS engineer, and if I hadn't written a post here, I'd still be waiting).

CeccoCQ avatar Nov 16 '21 16:11 CeccoCQ

Hi @CeccoCQ. Do you have email configured as an alias for username (user can sign in with a username or an email) or can the user only sign in with an email? Could you also provide the code you use for sign up, confirm user, and sign in? This will help us reproduce your auth flow.

eeatonaws avatar Nov 16 '21 17:11 eeatonaws

@eeatonaws user can signin with email or username. The confirm is made by lambda trigger. The signin is this:

        // User attributes sent with the sign-up request
        List<AuthUserAttribute> authUserAttributeList = new ArrayList<>();
        authUserAttributeList.add(new AuthUserAttribute(AuthUserAttributeKey.familyName(), "firstname"));
        authUserAttributeList.add(new AuthUserAttribute(AuthUserAttributeKey.givenName(), "lastname"));
        authUserAttributeList.add(new AuthUserAttribute(AuthUserAttributeKey.email(), "[email protected]"));

        AuthSignUpOptions options = AuthSignUpOptions.builder()
                .userAttributes(authUserAttributeList)
                .build();

        // The username is a SHA-1 hash of the email (SecureUtils is the poster's own helper)
        String username = SecureUtils.SHA1.makeHash("[email protected]");
        Amplify.Auth.signUp(username, userDTO.getPassword(), options, source::setResult, source::setException);

I have to create a SHA1 because I'm not able to sign up with only email as first parameter. But the behaviour is the same if I try to recover an email through username: String username = SecureUtils.SHA1.makeHash(email); and Amplify.Auth.resetPassword(username, source::setResult, source::setException);

All works fine with a non-existent email.

CeccoCQ avatar Nov 19 '21 12:11 CeccoCQ

Hi @CeccoCQ, thank you for providing more details about your auth flow and setup. We are working on reproducing the issue with the additional information you provided.

eeatonaws avatar Nov 19 '21 19:11 eeatonaws

@CeccoCQ have you marked email as an alias, which in Cognito terms means I can use it to sign in with in addition to username?

poojamat avatar Dec 14 '21 23:12 poojamat

Why closed? This bug is still present for me. I've marked my mail as alias and if I try to reset password with Email (or alias) it does not work.

Same behaviour done by webapp, works.

CeccoCQ avatar Dec 20 '21 17:12 CeccoCQ

> Why closed? This bug is still present for me. I've marked my mail as alias and if I try to reset password with Email (or alias) not works.
>
> Same behaviour done by webapp, works.

Not sure if this will help. I had usernames only setting, but https://stackoverflow.com/questions/65019768/aws-amplify-amplify-js-forgotpassword-returns-no-error-with-invalid-username

Setting in Cognito app client helped.

zemacnica avatar Sep 16 '22 12:09 zemacnica
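
The two outcomes reported in this thread (success callback for an unknown user vs. `UserNotFoundException`) handled in one place, as an added example that is not code from the thread or from the Amplify project. It assumes the app client setting mentioned above is Cognito's `PreventUserExistenceErrors`, which makes the service answer a reset request for an unknown user as if it had succeeded so that accounts cannot be enumerated; `PasswordResetHelper`, `Ui` and the message strings are hypothetical names.

```java
import android.util.Log;

import com.amplifyframework.auth.AuthException;
import com.amplifyframework.auth.result.AuthResetPasswordResult;
import com.amplifyframework.core.Amplify;

/** Added example: hypothetical helper, not part of Amplify or of the thread. */
public final class PasswordResetHelper {
    private static final String TAG = "PasswordReset";

    /** Hypothetical UI callback that receives the one message shown to the user. */
    public interface Ui {
        void show(String message);
    }

    // Same text for "code sent" and "user not found", so the screen behaves
    // identically whichever way the app client is configured.
    static final String NEUTRAL =
            "If an account exists for that address, a reset code has been sent.";

    private PasswordResetHelper() { }

    public static void requestReset(String username, Ui ui) {
        Amplify.Auth.resetPassword(
            username,
            (AuthResetPasswordResult result) -> {
                // Reached for real users, and (under the assumption stated in
                // the lead-in) also for unknown users when the app client
                // suppresses user-existence errors.
                Log.i(TAG, "Next step: " + result.getNextStep().getResetPasswordStep());
                ui.show(NEUTRAL);
            },
            (AuthException error) -> {
                if (error instanceof AuthException.UserNotFoundException) {
                    // Only reached when the app client still reports existence.
                    Log.w(TAG, "Reset requested for an unknown user");
                    ui.show(NEUTRAL);
                } else {
                    // Throttling, network failure, misconfiguration, etc.
                    Log.e(TAG, "Password reset failed", error);
                    ui.show("Could not start the password reset. Please try again later.");
                }
            });
    }
}
```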

@CeccoCQ are you still experiencing this issue? If so, could you try checking your user pool settings as @zemacnica suggested?

eeatonaws avatar Sep 27 '22 16:09 eeatonaws

Closing due to inactivity. Please reopen this issue or create a new issue if you are still experiencing the issue.

eeatonaws avatar Oct 28 '22 14:10 eeatonaws

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] avatar Oct 28 '22 14:10 github-actions[bot]