Is it possible to re-authenticate a password while a user is signed-in?
** Which Category is your question related to? ** Authentication/Cognito
** What AWS Services are you utilizing? ** Authentication, Storage, Analytics
** Provide additional details e.g. code snippets ** I would like the user to enter their password again before I perform a dangerous action, in particular, before deleting all of the user's stored data and then the user's account (with CognitoUser.deleteUser).
Is there a way, while the user is authenticated, to submit the password to Cognito for re-verification? I don't want a password verification failure at this point to affect the authentication state.
Thank you, David
@TheVaporTrail currently that is not possible to do. We have an open RFC with admin auth task here.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This feature would be nice to have for our team too.
Yeah :) My team also need this feature :+1:
same here
Is there any news on this request?
Hacky Way
I have not been able to find an API call to Cognito that verifies an authentication type. My particular case involves just a username and password. After clicking into the internals of the AWS Amplify code, there is a simple way to replicate the authentication process without interfering with the currently authenticated user. Here are the particular criteria I was trying to solve; you can adapt this solution to your own approach:
- Verify a user without hijacking the current user session
- Use the USER_SRP_AUTH flow to authenticate users
import { AuthenticationDetails, CognitoUser, CognitoUserPool } from 'amazon-cognito-identity-js'

// Re-run the USER_SRP_AUTH flow for a throwaway CognitoUser whose storage is a
// no-op, so the tokens it produces never overwrite the real session's tokens.
// Resolves with the scratch user's session on success and rejects on a wrong
// password; the currently signed-in user is untouched either way.
function fakeAuth(username, password) {
  const authDetail = new AuthenticationDetails({
    Username: username,
    Password: password,
  })
  console.log('AuthDetail', authDetail)

  const cognitoUser = new CognitoUser({
    Username: authDetail.getUsername(),
    Pool: new CognitoUserPool({
      UserPoolId: '<USER_POOL_INFORMATION_GOES_HERE>',
      ClientId: '<CLIENT_ID_INFORMATION_GOES_HERE>',
    }),
  })
  console.log('Cognito User', cognitoUser)

  // For some reason when I passed Storage into CognitoUserPool(...) it did not
  // want to set it, so I just override it below. When you set the storage you
  // can actually do whatever you want with it; the storage is where the token
  // information is kept, but since I don't need it, I just blackhole it.
  cognitoUser.storage = {
    getItem: (key) => {
      console.log('getItem', key)
      return null
    },
    setItem: (key, value) => {
      console.log('setItem', key)
    },
    removeItem: (key) => {
      console.log('removeItem', key)
    },
    clear: () => { console.log('clear') },
  }
  console.log('Cognito User', cognitoUser)

  cognitoUser.setAuthenticationFlowType('USER_SRP_AUTH')
  const promise = new Promise((resolve, reject) => {
    cognitoUser.authenticateUser(authDetail, { onSuccess: resolve, onFailure: reject })
  })
  promise.then(session => {
    console.log('Success', session)
  }).catch(e => {
    console.log('Error', e)
  })
  // Returned so the caller can await the verification result.
  return promise
}
Downsides:
The big downside here, and how it might affect your application, is that this simulates a user logging in, which means any analytics information may be misled by the extra user logins. However, what this does offer is a practical approach to testing a user's login information.
Why not use an API call?
Like I said earlier, I would have loved to use a Cognito API call for verifying a user that is already logged in, but I could not find one, so this will have to do! Let me know your thoughts.
Further information
Most of this was taken from Auth.js inside the Amplify library. The reason I did not use the Auth class is that it is meshed in with a lot of other Amplify classes, and it seemed easier just to go straight to the meat of the code, which is below for reference in case you want to know how I came up with the solution:
...
var authDetails = new amazon_cognito_identity_js_1.AuthenticationDetails({
    Username: username,
    Password: password,
    ValidationData: validationData
});
if (password) {
    return this.signInWithPassword(authDetails);
}
else {
    return this.signInWithoutPassword(authDetails);
}
...
AuthClass.prototype.signInWithPassword = function (authDetails) {
    var _this = this;
    var user = this.createCognitoUser(authDetails.getUsername());
    return new Promise(function (resolve, reject) {
        user.authenticateUser(authDetails, _this.authCallbacks(user, resolve, reject));
    });
};
...
AuthClass.prototype.createCognitoUser = function (username) {
    var userData = {
        Username: username,
        Pool: this.userPool,
    };
    userData.Storage = this._storage;
    var authenticationFlowType = this._config.authenticationFlowType;
    var user = new amazon_cognito_identity_js_1.CognitoUser(userData);
    if (authenticationFlowType) {
        user.setAuthenticationFlowType(authenticationFlowType);
    }
    return user;
};
...
The RFC was already closed, but it doesn't look like it covered the original request from this issue?
I would like to see a re-enter password feature.
Hi,
We've got a need for this too. I've written a function to reset a user's MFA settings (for when they've lost their device, etc). It's only available to my app's admin users, but ideally we'd like the admin to confirm their admin password before the request is made.
@elorzafe Any news on this 're-enter password' feature? It would be a nice +
Hi @elorzafe, it would be really great and more convenient if Cognito could implement a reauthenticate function as Firebase does. Have you planned to realize it? Thanks
I'm assuming there is still no movement on this? It would be greatly needed by our team.
Please update this,
we now authenticate multiple organizations for different projects!
This is indeed a very important feature. Would be nice if the team could implement this.
Hi guys, are there any chances that this might be picked up by someone at a later date? It's a critical use case for my team.
Also interested in this!
Very much needed feature!
Hello everyone, we have informed the Cognito team of the need for this feature, however this is not on their immediate roadmap at this point in time. We will provide updates when we have progress on this issue.
Also need this, very surprised to see it's not possible, and exceptionally disheartened to see this issue is 5 years old.
Need this feature too, need a way to get a user to enter their password and MFA again before deleting account, changing password or email.
Hate to do this but adding my own +1 here. Had an issue come up that we just can't reliably work around without first genuinely re-authenticating the user and this would have been extremely helpful to integrate into that workflow.
It is possible to re-authenticate the user using the Auth.signIn API. The implementation was as follows:
import { Auth } from 'aws-amplify'

// `user` is the currently signed-in CognitoUser (e.g. from Auth.currentAuthenticatedUser()).
// A wrong password rejects with NotAuthorizedException; the existing session is kept.
const reAuthenticate = async (password) => {
  await Auth.signIn(user?.getUsername(), password)
}
It doesn't sign out the user session if the password is wrong.
We also require this feature. We would like to prompt our users for a password before performing sensitive actions such as changing an email, modifying MFA settings, or deleting an account.
@abidhkm It is possible to re-authenticate the user using the Auth.signIn API.
This is great and seems to work. Has anybody implemented this and come across any issues, or is this a reliable working solution? Maybe this is why they haven't felt the need to implement any alternative?
Using this solution for a while, have not faced any issue so far. I wonder why it hasn't been added to the documentation or the issue closed?
I don't think it works correctly. It will lock the account if the user enters the wrong password multiple times, which can affect the login process. And if they use 2FA, it sends the OTP code, which is a step I don't want. We could use another function similar to this, Auth.changePassword, to check if the password is wrong, but it seems that if we call it multiple times, it locks this function for a while and we cannot change the password at that time.
This is spot on. Reusing the sign-in feature to "re-authenticate" may be a hacky but okay way for non-2FA applications, but we are running into this issue as well. The code being sent throws off the user experience, and if you do try to re-enter that code that was sent via SMS you will get thrown an error that a single session can only be used once. A confirm password feature would be very helpful.
@duyta7598 I found another hacky solution to avoid MFA... utilizing change password but not actually updating the password: just pass the current password as both values, which returns a success if it is successful.
I tried calling the signIn API in V6 to re-authenticate the user and it comes back with an error saying "There is already a signed in user." Does anyone else get this?
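A worked step-up gate that pulls the thread's pieces together: the "scratch CognitoUser with throwaway storage" idea from the Hacky Way post (so the real session's tokens are never overwritten or cleared), a client-side attempt budget so a re-enter-password prompt stops before Cognito's lockout affects the main login (the concern raised about Auth.signIn), and a freshness window so the dangerous action (deleteUser, changing email or MFA settings) only runs shortly after a successful re-check. This is an added example, not code from this issue, from Amplify or from the Cognito team. It calls amazon-cognito-identity-js directly rather than Amplify's Auth.signIn, so it does not hit Amplify v6's single-signed-in-user state. Assumptions: CognitoUser and CognitoUserPool accept a `Storage` option with getItem/setItem/removeItem/clear (Amplify's own createCognitoUser passes one); a wrong password surfaces as an error whose `code` (or `name`) is 'NotAuthorizedException'; authenticateUser invokes `mfaRequired`/`totpRequired` only after the password has been verified. The names `isolatedStorage`, `isWrongPassword`, `cognitoPasswordVerifier` and `StepUpGate`, the pool/client placeholders and the budget and window defaults are mine.

```javascript
// Step-up (re-enter password) gate for a signed-in Cognito user. Added example,
// not code from this thread or from Amplify; see the lead-in for assumptions.

// Per-call in-memory storage: tokens from the scratch sign-in never touch
// localStorage, so the real session is neither overwritten nor cleared.
function isolatedStorage() {
  const data = new Map();
  return {
    getItem: (key) => (data.has(key) ? data.get(key) : null),
    setItem: (key, value) => { data.set(key, String(value)); },
    removeItem: (key) => { data.delete(key); },
    clear: () => { data.clear(); },
  };
}

// Only a wrong password counts as "not verified". Everything else (network
// errors, TooManyRequestsException lockouts, a disabled user) is surfaced to the
// caller instead of being reported as a bad password.
function isWrongPassword(err) {
  const code = (err && (err.code || err.name)) || '';
  return code === 'NotAuthorizedException';
}

// Builds a (username, password) => Promise<boolean> verifier backed by Cognito.
// The library is required lazily so the gate below can be exercised without it.
function cognitoPasswordVerifier({ UserPoolId, ClientId }) {
  const { AuthenticationDetails, CognitoUser, CognitoUserPool } =
    require('amazon-cognito-identity-js');
  return (username, password) =>
    new Promise((resolve, reject) => {
      const Storage = isolatedStorage();   // assumed constructor option, see lead-in
      const user = new CognitoUser({
        Username: username,
        Pool: new CognitoUserPool({ UserPoolId, ClientId, Storage }),
        Storage,
      });
      user.setAuthenticationFlowType('USER_SRP_AUTH');
      const details = new AuthenticationDetails({ Username: username, Password: password });
      // An MFA challenge is only issued once the password has been verified, so
      // reaching it means the password is correct. The challenge itself is left
      // unanswered; as the thread notes, the SMS/TOTP prompt is still triggered.
      const verified = () => { Storage.clear(); resolve(true); };
      user.authenticateUser(details, {
        onSuccess: verified,
        mfaRequired: verified,
        totpRequired: verified,
        onFailure: (err) => (isWrongPassword(err) ? resolve(false) : reject(err)),
      });
    });
}

// Attempt budget plus freshness window around any verifier. The budget stops the
// step-up prompt well before Cognito's own lockout would hit the main login; the
// window makes the dangerous action depend on a *recent* successful re-check.
class StepUpGate {
  constructor(verify, { maxAttempts = 3, freshForMs = 5 * 60 * 1000, now = Date.now } = {}) {
    Object.assign(this, { verify, maxAttempts, freshForMs, now, failures: 0, verifiedAt: null });
  }
  async reverify(username, password) {
    if (this.failures >= this.maxAttempts) {
      throw new Error('step-up attempt budget exhausted; sign out and sign in again');
    }
    const ok = await this.verify(username, password);
    if (!ok) { this.failures += 1; return false; }
    this.failures = 0;
    this.verifiedAt = this.now();
    return true;
  }
  isFresh() {
    return this.verifiedAt !== null && this.now() - this.verifiedAt <= this.freshForMs;
  }
  // Runs `action` (e.g. () => cognitoUser.deleteUser(...)) only behind a fresh re-check.
  async guard(action) {
    if (!this.isFresh()) throw new Error('fresh re-authentication required');
    return action();
  }
}

// Wiring for a real pool (placeholders, not real identifiers):
// const gate = new StepUpGate(cognitoPasswordVerifier({
//   UserPoolId: '<USER_POOL_ID>', ClientId: '<CLIENT_ID>' }));
// if (await gate.reverify(username, enteredPassword)) await gate.guard(deleteAccount);
```

The verifier deliberately distinguishes "wrong password" from every other failure: treating a lockout or network error as a bad password would let the user keep retrying and deepen the lockout the thread warns about. The budget is client-side only, so it limits what this UI does, not what Cognito enforces; pick `maxAttempts` below the pool's lockout threshold.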