AWS Cognito userpool changed email address pointless validation code? - amazon-web-services

i have set up a user pool using option 2 ( see docs here ) where i use the email address to sign in together with a password.
users are able to register and log in successfully.
users can successfully change the email address.
i then use this code to change the email address:
cognitoUser.updateAttributes(attributeList, function (err,
result) {....}
the confusion or problem is:
changing the email address automatically sends a validation code to the new email address. what do i need to do with this code as the email address is changed without validation and the user can use the new address to login without any problems.
is it necessary to validate the changed email address when the address seems to be automatically validated without using the validation code? if i don't have to use the validation code, is there any way of preventing it being sent to the user when they change the email address as they will probably be confused when they receive it seeing that the changed email address works?
thanks

Verification is needed when user will try to use forgot password. If email is not verified the code for reseting password will not be send.
You can prevent it from being sent from General settings > MFA and verifications under "Which attributes do you want to verify?"

Related

AWS Cognito: How can I prevent multiple registrations with the same email address?

In my user pool, I currently see two options for the login flow:
Using username and email adress
Using email adress or phone number
Option 1: The username is unique. You will get an error message if you try to register again with this username. BUT: The email address is not unique. You can try to register again with this email address. The user will then be created in the User Pool, but you will not be able to reconfirm this email address.
Option 2: The email address and / or phone number are unique. But the username can no longer be used to log in.
What do I want?
I need a mix of both options. I want my users to log in with username AND email address (which is the case with option 1), but I don't want to allow them to create multiple accounts with the same email address (they need a unique email as with option 2).
Is there an easy way to accomplish this? I couldn't find anything in the Cognito Console and feel like I need something like a custom Lambda trigger .... Thanks for any tips!
Your are already going into the right direction. You need a pre-signup lambda to do the check of email uniqueness for you. Should be relatively straightforward Here is the link to the documentation about how to set up such lambda:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
Your Lambda needs to be able to execute actions on the User Pool to figure out if user with a specific email already exists.
The easiest way to search for such users is to use the ListUsers API (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html) with a filter to select only users having the email address in question.

AWS Cognito Workflow: Using email alias for primary username

So I am trying to get my head around AWS Cognito but I have hit some walls.
So, right now I can register an account, and verify it and sign in. Simple enough. The edge cases are where my walls are.
Here's the info I have so far:
username's cannot be changed once created
I am using UUIDs as my username values
email is marked as an alias, which in Cognito terms means I can use it to sign in with in addition to username.
if email is chosen as an alias, per the docs, the same value cannot be used as the username (http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases):
If email is selected as an alias, a username cannot match a valid email format. Similarly, if phone number is selected as an alias, a username that matches a valid phone number pattern will not be accepted by the service for that user pool.
The email address can ONLY be used to sign in once the account has been verified (http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases)
Phone numbers and email addresses only become active aliases for a user after the phone numbers and email addresses have been verified. We therefore recommend that you choose automatic verification of email addresses and phone numbers if you choose to use them as aliases.
Here in lies my edge case.
If a user signs up, but does NOT immediately verify:
they get called away
maybe the app crashes
they lose connectivity
their battery dies
they force quit
app get's accidentally deleted.
In their mind they have signed up just not verified their account. At this point it effectively leaves no way to verify their account they thought they signed up for. I guess it could be solved with messaging:
"Warning your account will not be created until you verify your email address." or something along those lines. Anyway...
They can't attempt to sign in as they won't know the UUID that was randomly assigned as their username.
Even if that wasn't the case, they provided their email address as their username. From the user's POV they would have no idea what their username could even be since they only entered their email address.
The best they could hope for is to try to sign up again. (Assuming they read the verification warning above) In this case now Cognito potentially has abandoned unconfirmed accounts piling up.
"Piling up" may be too strong a phrase, this is likely a pretty fringe case.
Now the plus side is, since they have not "verified" their email they can sign up again with the same email address since the email doesn't get uniquely constrained until it's verified. If someone tries to verify an address that has already been verified they get a AliasExistsException. This actually brings up an interesting point which I just tested as well.
I can register with an email address, then verify that email address so the account becomes confirmed. I can then turn right around and sign up with the same email address and I don't get an official AWS error until I try go to verify that account with the duplicate email address. There isn't any way to surface this error earlier? I guess the expectation is that it's on the developer to write a verification service in the Pre-Signup Trigger:
This trigger is invoked when a user submits their information to sign up, allowing you to perform custom validation to accept or deny the sign up request.
To sum up, and to restate the question:
It seems to be required, practically speaking, that when using an email address with Cognito a Pre-Signup Lambda is required to ensure an account with an email doesn't already exist since the AWS Exception won't be handled until a verification attempt is made.
Is my assumption here correct? By required here I think it's pretty reasonable to let a user know an email address is not available as soon as possible. For example:
John Doe : jdoe#gmail.com
Jane Doe : jdoe#gmail.com
You are correct.
Another solution is to create a lambda (not triggered by preSignUp) and called whenever the user finished typing into the email field. And getting a response "This email is already used" or "This email is available" before even sending the sign-up event.
Referring the first part of your question. If the user does not immediately verify their email. You probably mean confirmation by code. I prefer using confirmation by link sent to email which avoids this problem.
Knowing that this is an old question, here's a solution for posterity... I am using generated UUIDs for usernames, just like you, undisclosed to the user.
When the user wants to confirm the code at a later time (or perhaps ask to resend it), he doesn't know the username but he does know the email address that he registered with...
You can search for Cognito users with a certain email (or any other attribute) using ListUsers with a filter like email = "user#signupemail.com".
Once you find the user, you can access their username via response.Users[0].Username, and use it to confirm the account.

WSO2 identity server email as username + forgot password reset link

I am using WSO2 for authentication. I want to use email as username so i did below change
<EnableEmailUserName>true</EnableEmailUserName>
It is working fine as expected.
Then i try to implement forgot password functionality. As per my requirement i need to send email notification with link to the user if he/she forgot the password. On doing this, i have to verify the username and get the key. My username should be example#gmail.com#tenant.com to get the key, but the problem is while calling "sendRecoveryNotification(username, key, notificationType)" it is expecting the username as only email without tenant id like "example#gmail.com".
But the actual key generated against the username "example#gmail.com#tenant.com" and it is throwing exception like "javax.mail.SendFailedException: Invalid Addresses". When i give only email address "example#gmail.com" it is throwing "18001 invalid confirmation code for user: example#gmail.com".
I don't know where i am missing. Is this problem with WSO2?
The only solution i have is to use javax library directly to send email notification.
Can anyone help me to get out of this. Thanks in advance.

Receiving emails with sendgrid and cloudmailin

I have the same concept as mentioned in this question(generating a unique random email address for each user in rails app. When the user sends an email that that randomly generated email address, we process the body and store in db.
I followed the following steps:
Deployed my app in Heroku
Created a sendgrid account and configured the username and password to heroku(to get the sendgrid addon).
added griddler gem and followed the steps mentioned in griddler.
Configured the parse webhook in sendgrid with my host and url.
Here comes the main problem:
I registered to coludmailin and it generated the single email address. I don't really understand how to receive uniq emails to my rails application now. I tried white labeling the cloudmailin.net in sendgrid but it doesn't work(may be am wrong here).
Googled a lot but didn't understand how to proceed from here. Can someone please help me in solving this issue. Appreciate if I get a good step-by-step reference
There are two options to do this with CloudMailin.
Option 1:
On the free plan you can use a + in order to separate the email address given to you on CloudMailin and still create a unique email address that each customer can respond to. For example:
If you CloudMailin email address is example1234#cloudmailin.net you can use example1234+unique_id_54321#cloudmailin.net. CloudMailin calls unique_id_54321 the disposable part of this email address. This way you can send an email out and state the sender of that email is example1234+unique_id_54321#cloudmailin.net and then tell one user from another.
Option 2 (the better option):
However, the best way to do this is to use CloudMailin's custom domains. You can then receive anything#yourdomain.com.
With custom domains enabled you set CloudMailin up to be your MX server. Then any email coming into yourdomain.com goes direct to CloudMailin (you can use app.yourdomain.com to avoid conflicts with your regular email if needed).
You can then send email out with the sender as user-12345#yourdomain.com, task-12345#yourdomain.com or any other unique identifier. When you receive the email from CloudMailin the envelope will show that the email was sent to user-12345#yourdomain.com and you can then use this to resolve who the user was.

how to get a users #facebook.com email?

I am trying to find out if a user has an #facebook.com email for messaging but can not see where to request that I do request perms for their regular email and can get that, but can't see where to get their #facebook.com email. It's not included in https://graph.facebook.com/me/ and since there's no guarantee that they have set one up I can't assume that it's based on their username
If a user has a facebook.com email address it will be their {username}#facebook.com. However, just because a user has a username setup, doesn't mean there's a corresponding email for it. I've had a username since Facebook landrushed them, and just the other day I setup an email for it. There's no way to tell if they've set it up. Your best bet is to ask the user for an email address that your app can use.
Just go to your privacy settings and from there act as you are editing you email address then there is a Facebook email button setup there.