amplify-js icon indicating copy to clipboard operation
amplify-js copied to clipboard
verified publisher icon aws-amplify

Add way to invalidate other sessions when the user changes their password.

Open duraz0rz opened this issue 5 years ago • 8 comments

Is your feature request related to a problem? Please describe. We're implementing a custom forgot password flow on our web app and, while changing the password works fine, I would've expected other sessions to be invalidated. We have a mobile app that goes along with the web app and the mobile app stays logged in.

Describe the solution you'd like I would like a way to be able to invalidate other sessions after the user changes their password via the forgot password Auth flow. We call Auth.forgotPassword to send the user the verification code, and Auth.forgotPasswordSubmit with their username, verification code, and new password already. An additional optional parameter on forgotPasswordSubmit would be nice to indicate we want to invalidate other sessions.

Describe alternatives you've considered I considered using Auth.signOut({ global: true }), but that requires the user being signed into the app in the first place; the forgot password flow only applies when the user is already signed out on the local session in our app.

duraz0rz avatar Aug 12 '20 16:08 duraz0rz

@duraz0rz did u find any solution/workaround?

reni11111 avatar Nov 27 '20 16:11 reni11111

still waiting for a workaround

s1mrankaur avatar Sep 21 '21 16:09 s1mrankaur

Sorry for the late reply, the workaround is the following

When prompting for username password and code you would have to keep on App state the username and password then you would have to call the following Auth APIs

  • Auth.forgotPasswordSubmit
  • Auth.signIn
  • Auth.globalSignout
  • Auth.signIn

We have this tracked on our backlog

Thanks for your feedback!

elorzafe avatar Jul 01 '22 23:07 elorzafe

Hi @elorzafe, great to hear that this is being tracked on the backlog, but I think it should be prioritized as this can create a security vulnerability. The account is still open on whatever browser or device it was logged into, so there is no way for the victim to remove the attacker's access if the account has already been compromised.

jerocosio avatar Aug 03 '22 00:08 jerocosio

@jerocosio

I think the safest way to do this would be on the Cognito API to have globalSignout flag to invalidate all the sessions for that user.

Does the workaround make sense meanwhile we don't have this feature from Cognito?

elorzafe avatar Aug 04 '22 17:08 elorzafe

Hey @elorzafe, thanks for the quick reply. I actually use the global signout flag on my app, but I believe that even this would allow the attacker to have access at least until the refresh token expires, right? And the minimum time for the refresh tokens is 60 minutes, so the attacker could still have access for the account on this time.

jerocosio avatar Aug 04 '22 22:08 jerocosio

Second @jerocosio's comment. If I recall correctly, minimum time for refresh tokens has been reduced to 5 mins but that's still not instant (short enough)

s1mrankaur avatar Aug 08 '22 15:08 s1mrankaur

Hello @elorzafe, I'm currently sending an e-mail to my users whenever there's a password reset, I'm doing this with a Cognito trigger and a Lambda function. Is there someway that I could invalidate the tokens on this function?

jerocosio avatar Aug 09 '22 03:08 jerocosio