How to resend confirmation code in Cognito's sign-up process - amazon-web-services

I'm having issues with resending the confirmation code for cases where for some reason the confirmation code was not delivered to the users. This is what I have:
First, I have a sign-up step:
const cognito = new AWS.CognitoIdentityServiceProvider({region});
const params = {
ClientId,
Username,
Password,
};
const result = await cognito.signUp(params).promise();
This step (in case of success) should send an email to the user's email address (which is also their username) with their confirmation code. Now let's assume for some reason that email is not sent (the reason itself is not important). I would like to provide a chance to the user to ask for a new email to be sent. These are what I've been testing for this purpose so far:
First, I've tested the resendConfirmationCode method:
const cognito = new AWS.CognitoIdentityServiceProvider({region});
const params = {
ClientId,
Username,
};
const result = await cognito.resendConfirmationCode(params).promise();
Executing this code throws this error message:
UnhandledPromiseRejectionWarning: NotAuthorizedException: Cannot resend codes. Auto verification not turned on.
Then, I tested this approach (because of the answer given in this post):
const cognito = new AWS.CognitoIdentityServiceProvider({region});
const params = {
UserPoolId,
Username,
DesiredDeliveryMediums: ["EMAIL"],
ForceAliasCreation: false,
MessageAction: "RESEND",
}
const result = await cognito.adminCreateUser(params).promise();
This time, I'm getting this error:
UnhandledPromiseRejectionWarning: UnsupportedUserStateException: Resend not possible. ********-****-****-****-********** status is not FORCE_CHANGE_PASSWORD
The retracted part is the user's sub.
So, does anyone know how I can resend the confirmation code for a user that is not confirmed yet?

For anyone else who might be facing this issue, this was because the User Pool's setting was not to sent the verification code in the first place. Here's how to enable sending the verification code on User Pool:
Go to Coginto and the User Pool
Go to the page "MFA and verifications"
In the section "Which attributes do you want to verify?" select one of the items (for me it was "Email")
But the actual issue for me was that this option was initially set properly earlier. But it was reset to "No verification" when I executed this command:
aws cognito-idp update-user-pool \
--region us-east-1 \
--user-pool-id us-east-1_********* \
--lambda-config CustomMessage=arn:aws:lambda:us-east-1:************:function:composeEmail
This command is supposed to introduce a lambda function to compose the email for verification code. But for some reason, it will reset the other setting as well and I have no idea why.
In any case, once you have that setting set properly, my first solution will work:
const cognito = new AWS.CognitoIdentityServiceProvider({region});
const params = {
ClientId,
Username,
};
const result = await cognito.resendConfirmationCode(params).promise();
After a chat with AWS support, you can specify verification attribute like this:
aws cognito-idp update-user-pool \
--region us-east-1 \
--user-pool-id us-east-1_********* \
--lambda-config CustomMessage=arn:aws:lambda:us-east-1:************:function:composeEmail
--auto-verified-attributes email

Related

Configure a Custom SMS Message for MFA in AWS Cognito

I Am using AWS Cognito for authentication in a web application.
If a user Forgets their password I have a Lambda Function Trigger that sends a custom email with a link that has the users email address and the verification code in so they can click the link and just enter their new password.
So There is a new requirement that should allow the user to receive an sms, but currently it looks like if you enable MFA for sending the SMS, you can only customise the message in the console area and in the Lambda function,
this event.response.smsMessage does not seem to do anything.
So if the user has phone_number_verified true, it sends the sms without triggering the Lambda function.
exports.handler = function(event, context) {
if(event.triggerSource === "CustomMessage_ForgotPassword") {
var url = 'http://myurl.com/forgotpassword/'+ event.request.userAttributes.email+'/'+event.request.codeParameter
event.response.smsMessage = 'Password Reset: Click the link ' + url + ' or enter Verification Code: ' + event.request.codeParameter
event.response.emailSubject = " Password reset";
event.response.emailMessage = "Custom HTML goes here";
}
context.done(null, event);
};
This is currently the Lambda function configure on custom message trigger in the cognito User pool.
After a long discussion with AWS support, They came to the resolution that my SMS text was more than 140 chars. Yes 140, And then the SMS would not be sent rather the email would. No errors in logs or anything whatsoever.
So they said they will look into adding something in the logs that at least tells you that the SMS was not sent because the character limit was exceeded.

Custom attributes missing in the getUserAttributes response - AWS cognito

const userData = { Username: username, Pool: userPool };
const cognitoUser = new AWS.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.getUserAttributes(function(err, result) {
if (err) {
alert(err);
return;
}
console.log(result)
for (i = 0; i < result.length; i++) {
console.log('attribute ' + result[i].getName() + ' has value ' + result[i].getValue());
}
});
I have a custom field userType. I have set the read, write permission for the custom attribute. But in the response of getUserAttributes i am getting only standard attributes(sub, email_verified, email). How can i retrieve both the standard and custom attributes?
This is my response
First of all, you need to make sure the App client has permissions to read the attribute(s).
Go to AWS Cognito, select the User Pool, then General Settings > App clients and select the App Client, then click "Set attribute read and write permissions"
You should see the following options (notice I have "custom:premium" attribute created and permission to read set)
Then in order to see the custom attributes in cognitoUser.getUserAttributes() results you need to set some value to it, this can be done for example via AWS CLI with the following command:
aws cognito-idp admin-update-user-attributes \
--user-pool-id userPoolId \
--username userName \
--user-attributes Name=custom:premium,Value=1
In the example above I'm setting "custom:premium" attribute to value 1 (obviously you need to replace userPoolId and userName with correct values.
userPoolId can be found in AWS Cognito (for example: eu-central-1_896ERRASw)
userName is username of the user you are currently logged in with in your app (and invoking cognitoUser.getUserAttributes())
And here is the result of the function call after properly setting permission and value of the custom attribute.
Hope it helps!

Restore password for FORCE_CHANGE_PASSWORD status

I need to restore or reset user password when his status is FORCE_CHANGE_PASSWORD. This situation happened when user try to restore password using "forgot password" feature and he lost email with temporary password. Now he can't do anything because he don't remember password and he can't reset password again
This code handle forgot password
return CognitoIdentitySP.forgotPassword(params, (err, resp) => {
if (err) { ... }
...
})
And I receive error (in case of FORCE_CHANGE_PASSWORD status)
NotAuthorizedException: User password cannot be reset in the current state.
Is there any way to reset password in such state?
You can use aws-cli to do it. Here is a sample command, replace POOL_ID and EMAIL_ADDRESS accordingly:
aws cognito-idp admin-create-user --user-pool-id <POOL_ID> --username <EMAIL_ADDRESS> --message-action RESEND --profile <AWS_PROFILE>
You can also use the admin-set-user-password command in this situation of the temporary password being lost or expired:
aws cognito-idp admin-set-user-password --user-pool-id <POOL_ID> --username <USERNAME> --password <PASSWORD> --no-permanent
This will set a new temporary password of whatever you set the password to be but importantly will force the user to set a new password as soon as they log in, so security is maintained.
You will need to communicate this to the user but we found this extremely useful when your company's security policies prevent you from being able to run the create user command.
You can call admin create user again with the MessageAction set to RESEND in which case Cognito will resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to "SUPPRESS" to suppress sending the message. Only one value can be specified.
When you create a user from the admin or with the admin sdk from the frontend you have to use the authentication flow "USER_PASSWORD_AUTH" previously you should have configured it in the app client:
https://docs.amplify.aws/lib/auth/switch-auth/q/platform/js/

Cognito change phone_number before confirm via Phone

I want to change phone_number attribute of user before they confirm via phone. My flow step:
User register by username, password, and phone number
User must be enter confirmation code received by the phone. In this step user want to change the phone number (wrong number or change the phone...)
2.1 In case the 1st phone number be wrong, the next phone number is correct -> only one confirmation code had been sent -> it works!
2.2 In case the 1st phone number and the next are correct -> have two confirmation code had been sent(1st - xxx, 2nd - yyy) -> User enter 2nd confirmed code, Cognito throws CodeMismatchException: Invalid verification code provided, please try again. error. User enter 1st code, user had been confirmed, but in Cognito system the user has phone_number is 2nd number and phone_number_verified is true.
I use adminUpdateUserAttributes to change phone_number of a user who has status is UNCONFIRMED. Confirmation code auto send after me call change phone number.
How to fix this?
!!!Update
Currently, I removed the feature User can update their phone_number before they confirmed via phone from my application.
It takes me about 5 days, I just want to memo my case.
When you try to update phone_number (or email) attribute, Cognito will send a confirmation to your phone (or email) in automatically, this is the first code - (1st - xxx), the code to confirm your new attribute value (not for user confirmation).
In the same time, logic code calls resendConfirmationCode function, it send the second code - (2nd - yyy), this is main reason only the second code working (we use confirmSignUp function to handle the code).
I am on the Cognito team, same as behrooziAWS. After looking at your scenario, it does seem to be a bug on our side. I will mention it within the team so that we prioritize it accordingly.
This question was asked awhile ago but some people still having issues with verification code being sent and no way to verify the code on an account not confirmed yet so I found a solution that works for us.
Our auth flow is:
SignUp -> OTP Screen -> Confirmed OTP -> Cognito Account confirmed -> Custom email sent to user to verify email address -> Update attribute email_verified = true
On the OTP screen, we display the number OTP has been sent to, if it's the incorrect number, we allow the user to go back to signup page and change number and resubmit signup. We use a UUID for the user on cognito so as to allow a user to signup again without causing errors where account already exists but not confirmed.
This means we get two accounts with UUID in cognito, one being confirmed and one being unconfirmed with the only difference in the accounts is the phone number. We then get rid of unconfirmed accounts after a certain period. eg 7 days
For anybody else seeking the answer to this, what I ended up doing was writing a lambda that essentially checks if a user is unconfirmed, delete's the user and then signs them up again. I originally went the updateUserAttributes route but it felt insecure in case a bad actor got access to the lambda and updated a confirmed users phone number to theirs. If a user signups with a different username but the same number from a different account, it will invalidate the others users account. Hence the logic below.
try {
const userParams = {
UserPoolId: process.env.userpool_id,
Username: event.args.username
};
const { UserStatus } = await identity.adminGetUser(userParams).promise();
if (UserStatus === 'UNCONFIRMED') {
const deletedIdentity = await identity.adminDeleteUser(userParams).promise();
if (deletedIdentity) {
const signupParams = {
ClientId: process.env.client_id,
Password: event.args.password,
Username: event.args.password,
UserAttributes: [
{
Name: 'phone_number',
Value: event.args.phoneNumber
}
]
}
const newSignUp = await identity.signUp(signupParams).promise();
if (newSignUp) {
response.send(event, context, response.SUCCESS, {
newSignUp
});
callback(null, newSignUp)
}
}
} else {
response.send(event, context, response.ACCESSDENIED, {
error: 'User not authorized to perform this action'
});
callback({error: 'User not authorized to perform this action'}, null)
}
} catch (error) {
response.send(event, context, response.FAILURE, {
error
});
callback(error, null)
}

AWS Cognito Test Environment

I'm currently working on using AWS Cognito to manage user authentication for our application. One snag I'm running into is figuring out a good way to implement a "test" or "qa" environment.
I have a lot of automated tests for my APIs that will create users with random data. Obviously I don't want to Cognito to send out actual SMS or Email messages in this environment. Also when doing manual testing we will be creating users a lot with fake phone numbers and emails. Is there any way to turn the User Pool in "development" mode where all messages simply get logged some way?
You can write a pre sign up lambda function and auto confirm the user in the lambda function by setting the autoConfirmUser flag. In that case, Cognito doesn't send any SMSes or emails with confirmation codes. Example lambda below from the documentation (http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html#aws-lambda-triggers-pre-registration-example).
exports.handler = function(event, context) {
// This Lambda function returns a flag to indicate if a user should be auto-confirmed.
// Perform any necessary validations.
// Impose a condition that the minimum length of the username of 5 is imposed on all user pools.
if (event.userName.length < 5) {
var error = new Error('failed!');
context.done(error, event);
}
// Access your resource which contains the list of emails of users who were invited to sign up
// Compare the list of email IDs from the request to the approved list
if(event.userPoolId === "yourSpecialUserPool") {
if (event.request.userAttributes.email in listOfEmailsInvited) {
event.response.autoConfirmUser = true;
}
}
// Return result to Cognito
context.done(null, event);
};
Here is what I did to create a "staging" environment User Pool in AWS Cognito that does not send real notifications to users. There were actually a couple different pieces involved, but I think I was able to get everything covered. That being said, it would sure be nice if Cognito simply provided a User Pool setting to turn off all notifications, that way I don't have to write environment specific logic into my code.
Prevent User Invitations
In our app we use the AdminCreateUser function to create users who get invited by other users. This function will normally send an invitation message to the new user's phone number or email. In order to prevent those invitations, you can provide MessageAction: 'SUPPRESS' as a parameter to the function arguments. Like so:
let params = {
UserPoolId: config.cognitoUserPoolId,
Username: uuid.v4(),
MessageAction: 'SUPPRESS', /* IMPORTANT! */
TemporaryPassword: user.phone_number.slice(-6),
UserAttributes: [
{ Name: 'given_name', Value: user.first_name },
{ Name: 'family_name', Value: user.last_name },
{ Name: 'phone_number', Value: user.phone_number }
]
};
cognito.adminCreateUser(params).promise().then(data => {
console.log(data);
});
Official docs for that here: http://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
Prevent User Attribute Update Verfications
In our production app, we want users to have to re-verify their phone number or email if it changes. But in our staging environment we don't actually need this. So uncheck the boxes for email and phone under the "Do you want to require verification of emails or phone numbers?" section in your User Pool settings.