Validation code for forgotten password before sending new one
Summary
Would it be possible to validate the code of the forgotten password before having to send the new password? Maybe it's on Cognito's end?
Motivation
I didn't find any way of doing that with Amplify. I would like to not show the new password fields if I can't validate the user's code for the forgotten password.
Actually there are 2 functions used in the request-new-password flow:
- forgotPassword(username), which does its job and shouldn't be touched.
- forgotPasswordSubmit(username, code, newPassword), which I suggest we could split into 2 steps (validate the code first and then allow the password reset, instead of sending everything at the same time).
Basic Example
Being able to make a "forgotten password" flow in 3 steps:
- Request a code for the forgotten password (send username)
- Validate the code (send username + code) => (get back a token or something)
- Set the new password (send the token received at step 2 + username + new password)
Drawbacks
No; it should have its own function alongside forgotPasswordSubmit() and forgotPassword().
Related Issues
Here is all I found that is related:
https://github.com/amazon-archives/amazon-cognito-identity-js/issues/466
References
None
Have you tried using Cognito Triggers? Specifically the CustomMessage_ForgotPassword trigger. This should allow you to retrieve the code/validate and trigger the UI update/s based on the response.
@mlabieniec I am not sure I understand how this allows us to validate the code the user is giving us. CustomMessage_ForgotPassword is used to template the email/message you will send to the user for a forgotten password. You do not get access to the validation code there, and even if you did, I do not see how one could use this trigger to do what was described in this issue. Would you mind elaborating?
I agree with @Ownmarc. I tried several triggers; I was unable to custom-verify the code or get access to the code itself. This would be a very nice feature indeed. I see two possible approaches:
- be able to verify the code in an individual function (as suggested)
- have a lambda trigger that allows you to customize the code that is being sent, so you have control over it
Facing the same problem, is there any update on this issue?
Any updates?
As a hack solution it's possible to do something like:
const tempPassword = generateTempPassword()
await Auth.forgotPasswordSubmit(username, code, tempPassword)
// save temp password or pass to next screen
// on next screen / step just get saved temp password and ask user to add new one
await Auth.changePassword(username, tempPassword, newPassword)
This method doesn't work anymore since Auth.changePassword requires a Cognito user instance instead of a username.
Would really love to get official support from the AWS team on this issue. It's such a frustrating UX to enter the password two times only to find out the code had expired.
Any update?
In our case we have some rules defined for the password (numbers, special chars, uppercase and lowercase letters), and I was able to achieve this by intentionally setting a failing password.
try {
  await confirmResetPassword({
    username: email,
    confirmationCode: code,
    newPassword: "thiisafailingpassword", // a password which will always fail since we have the restrictions mentioned above
  });
} catch (error) {
  if (error.name === "InvalidPasswordException") {
    // This means your code is a valid one
  } else {
    // Something is wrong with the code or any other error
    setErrorMessage(error.message);
  }
}
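The failing-password probe above, as an added example that is not code from this thread or from Amplify: a helper that classifies the error names Cognito returns (InvalidPasswordException, CodeMismatchException, ExpiredCodeException are real Cognito names; the fake service, the `probeResetCode` helper and the constructed inputs are assumptions). The confirmation function is injected so the helper can be exercised offline against a fake that mirrors the real order of checks (code first, then password policy).

```javascript
// Added example, not code from the thread. Classifies the outcome of the
// "intentionally failing password" probe so the UI can decide whether to show
// the new-password fields. `confirmResetPassword` is injected: pass the one
// exported by aws-amplify/auth in an app, or the constructed fake below here.

// Cognito error names that mean the code itself was rejected.
const CODE_REJECTED = new Set(["CodeMismatchException", "ExpiredCodeException"]);

// Probe password chosen to violate any user-pool policy: Cognito does not let a
// pool accept passwords shorter than 6 characters, so a 1-character value fails
// the policy check regardless of which complexity rules are enabled.
const PROBE_PASSWORD = "a";

async function probeResetCode(confirmResetPassword, username, confirmationCode) {
  try {
    await confirmResetPassword({ username, confirmationCode, newPassword: PROBE_PASSWORD });
    // The reset actually went through with the probe password. This should not
    // happen with a Cognito policy; surface it instead of continuing silently.
    return { status: "password-accepted" };
  } catch (error) {
    if (error.name === "InvalidPasswordException") {
      // The code passed validation; only the weak probe password was refused.
      return { status: "code-valid" };
    }
    if (CODE_REJECTED.has(error.name)) {
      return { status: "code-invalid", reason: error.name };
    }
    // Anything else (network failure, LimitExceededException, ...) says nothing
    // about the code, so let the caller handle it.
    throw error;
  }
}

// Constructed fake standing in for Cognito: checks the code before the policy,
// which is the ordering the probe technique depends on.
function makeFakeCognito({ validCode, expiredCodes = [], minLength = 8 }) {
  const err = (name) => Object.assign(new Error(name), { name });
  return async ({ confirmationCode, newPassword }) => {
    if (expiredCodes.includes(confirmationCode)) throw err("ExpiredCodeException");
    if (confirmationCode !== validCode) throw err("CodeMismatchException");
    if (newPassword.length < minLength) throw err("InvalidPasswordException");
  };
}
```

A "code-valid" result only says the code was accepted at that moment; the real password should still be submitted promptly, and a "password-accepted" result means the account now holds the probe password and must be handled as an incident, not ignored.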