Cognito: re-send confirmation email - amazon-web-services

I'm working on a scenario when the user never got (or lost) the registration email with the temporary password. Now common sense will drive the user to the "forgot password" process. But here, he'll get an error saying "User password cannot be reset in the current state." What now? I'm trying to find a way to re-send the email with the temporary password FROM the client-side.
I know there's the option of AdminCreateUser with "MessageAction": "RESEND" but that involves the back-end and I would prefer keeping this logic in a component in client-side (where the rest of the authentication logic already is).
I've been trying with the method "resendConfirmationCode" of CognitoUser but I get a "NotAuthorizedException" error with the message "Can't resend confirmation code for this user"
Every other post I've read regarding this very scenario ultimately proposes the AdminCreateUser option without even trying to explain why "resendConfirmationCode" doesn't work.
Even if it can't be done, any help with this issue will be greatly appreciated.

Related

Amazon Cognito - using adminResetUserPassword method with hosted ui result in verification code being sent twice

Good afternoon,
I'm using Cognito hosted ui with some admin methods to configure my authentication flow.
I'd like my users to have the possibility to reset their own passwords using the Forgot your password? link on the hosted ui which works fine. But an administrator should also be able to force reset any user's password.
For that I use the adminResetUserPassword https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html which works fine excepts that it sends a first verification code by email and then when the users returns on the hosted ui page and enters his (right but old) password, he is redirected to /forgotPassword page, is prompted to enter his username (email) and then receive a second verification code.
The first one is then expired. I find it a bit confusing for the user to receive the verification code twice and the first one is never used.
I reckon I need to find a way to redirect my users to /confirmPassword instead of /forgotPassword which re-triggers a new verification code. Is there a way to do this?
Many thanks,

AWS Cognito - resendConfirmationCode 'User is already confirmed.'

We have a scenario where a user forgets their username or password and can click on a 'Forgot password' link, receiving a confirmation code in an SMS (via Cognito's ForgotPassword).
If, for some reason, the user doesn't receive the SMS, they can click on 'Resend code' link which will execute Cognito's ResendConfirmationCode.
The result from the POST request is a 400 containing the following:
{"__type":"InvalidParameterException","message":"User is already confirmed."}
How can the user be confirmed when they have requested their confirmation code? Any clarification into the cause of this issue would be much appreciated.
Not sure if this is the best approach, but managed to get another SMS sent to Cognito user by simply resubmitting ForgotPassword instead of using ResendConfirmationCode.

ConfirmationCode is not getting invalid in wso2

When i use the UserInformationRecoveryService verifyConfirmation Code web service,it should get invalid after it is verified once.We are sending askPassword email after creating a user.User should be able to use that confirmation code only once.
Is there any config need to be modified.??
Currently confirmation codes retrieved at password reset will be only invalidated at successful password reset or at confirmation code expiration. Please follow details here.
As far as I remember, we had a plan to make this configurable, but from the jira I can't find that we have implemented it or not, so most likely we haven't done that yet.

How to design email and username login

I have two question about usernames and emails
1. I judge username is a Email if '#' in username, and auth it follow:
email_user = User.objects.get(email__iexact=username)
authenticate(username=email_user.username)
Is that a good way that you recommended? or you may have a better advice?
I know a AbstractBaseUser can do it, but I think use User is more reasonable.
2. Should I store the user's email within the User.email field?
Imagine if I sign up a new user with:
username: '123'
email: '456#google.com'
and when I signup success, then I find that my email is wrong,
and now another user that email is '456#google.com' can't signup again.
I just want to a email is verified that can associate with the user.
what's your advice?
If you want to use email as your unique sign in key, it would save you a lot of trouble in future development of your website if you make a custom User model using AbstractBaseUser. If you want i can post a sample working code
In reference to your second question - You can use Cryptographic signing in Django (https://docs.djangoproject.com/ja/1.9/topics/signing/) to produce a key. Further send this key as a link (eg www.example.com/verify/:some_crypto_key:) and send it as a link to user's email address. This key will contain user id and time stamp. If you receive a request on that link, it means that email is legit. You may find a package that does a similar task maybe.
EDIT:
Implementation (short way) - As the user signups on your website, Immediately ask him/her to verify account using the link you have sent to the given email. If you do not receive a response from that email within a given time (say 20 mins), delete that user entry. This means that you can not let the user access your website until he/she verifies the account.
Flaw - Consider a situation where the user has submitted a wrong email. It is obvious that the user will never be able to verify it but for those 20 mins if co-incidentally the actual user with that same email tries to signup on your website, he won't be able to access. This is very unlikely. Also this user will receive an email from your website saying that user has signed-up on a website (so here you can provide another link, 'if this was not you, please click here' kind of thing)
Unless you have a burning desire to write your own custom user model, which will let you replace the username field with the email, I would recommend using something like Django AllAuth. It includes email verification (as outlined in your question), and can be set to use email as username fairly easily. It's a well established library with lots of support, and will be more immediately usable than rolling your own.
(That said - rolling your own is an illuminating experience, and RA123's point is the answer you should accept if you're going down that road.)

Deal with timeouts when posting data -no ajax

The use case:
User makes order his payment gets accepted and his details are getting post to a django's view. Using these details django's view creates user and everything that is necessary (Username and password is provided by me). Then before returning it sends email to clients email with his data (Username and password for now).
But sometimes I get a gateway timeout error from apache(app is deployed on openshift). Because the user is created I assume that the timeout comes from the email sending part. How can I make sure everything went ok and inform the user? How can I make sure that if the email isn't sent I can resend it? What is the best practice at that?
If you have timeouts with an API or Service, you should fire your POST / sendmail request with AJAX...
Serialize the whole form (like jQuery's serialize())
Send that data via AJAX (with jQuery's ajax())
Inform the User of success or error (alert() or jQuery UI dialog)
You can find a lot of examples on this website.
Another "dirty" approach would be to add the attribute target="_blank" to your form tag what opens your lazy request in a new tab / window.