I need to restore or reset a user's password when his status is FORCE_CHANGE_PASSWORD. This situation happened when the user tried to restore his password using the "forgot password" feature and lost the email with the temporary password. Now he can't do anything because he doesn't remember the password and can't reset it again.
This code handles forgot password:
return CognitoIdentitySP.forgotPassword(params, (err, resp) => {
    if (err) { ... }
    ...
});
And I receive this error (in the case of FORCE_CHANGE_PASSWORD status):
NotAuthorizedException: User password cannot be reset in the current state.
Is there any way to reset password in such state?
You can use aws-cli to do it. Here is a sample command, replace POOL_ID and EMAIL_ADDRESS accordingly:
aws cognito-idp admin-create-user --user-pool-id <POOL_ID> --username <EMAIL_ADDRESS> --message-action RESEND --profile <AWS_PROFILE>
You can also use the admin-set-user-password command in this situation of the temporary password being lost or expired:
aws cognito-idp admin-set-user-password --user-pool-id <POOL_ID> --username <USERNAME> --password <PASSWORD> --no-permanent
This will set a new temporary password of whatever you set the password to be, but importantly it will force the user to set a new password as soon as they log in, so security is maintained.
You will need to communicate this to the user, but we found this extremely useful when your company's security policies prevent you from being able to run the create user command.
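The two recovery paths in the answers above (resend the invitation, or set a fresh temporary password that the user must change at first sign-in), written as an added boto3 example that is not from the question or any answer. It assumes a boto3 cognito-idp client is passed in, and the pool id and username are placeholders you supply; the password generator and the function names are mine.

```python
# Added example (not from the thread): recover a Cognito user stuck in
# FORCE_CHANGE_PASSWORD, the boto3 equivalent of the CLI commands above.
import secrets
import string

SYMBOLS = "!@#$%^&*"


def _temporary_password(length=16):
    """Random temporary password meeting the default pool policy
    (lower, upper, digit, symbol). Adjust if your pool's policy differs."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def recover_stuck_user(client, pool_id, username, resend_invitation=True):
    """Return a dict describing the action taken.

    Only a user in FORCE_CHANGE_PASSWORD is touched. Either the invitation is
    re-sent (AdminCreateUser with MessageAction=RESEND, which also resets the
    temporary password's expiry) or a new temporary password is set with
    AdminSetUserPassword and Permanent=False. In both cases the user is still
    forced to choose their own password on first login. Any other status is
    left alone, because the normal ForgotPassword flow works there.
    """
    status = client.admin_get_user(UserPoolId=pool_id, Username=username)["UserStatus"]
    if status != "FORCE_CHANGE_PASSWORD":
        return {"status": status, "action": "none"}

    if resend_invitation:
        client.admin_create_user(UserPoolId=pool_id, Username=username,
                                 MessageAction="RESEND")
        return {"status": status, "action": "resend"}

    temp = _temporary_password()
    client.admin_set_user_password(UserPoolId=pool_id, Username=username,
                                   Password=temp, Permanent=False)
    # Hand the temporary password to the user out of band; never log it.
    return {"status": status, "action": "temporary_password", "password": temp}


if __name__ == "__main__":
    import boto3  # real client only when run directly; placeholders below are yours to fill
    cognito = boto3.client("cognito-idp")
    print(recover_stuck_user(cognito, "<POOL_ID>", "<EMAIL_ADDRESS>")["action"])
```

Prefer the RESEND path when the pool's invitation email works; the temporary-password path is for the case the second answer describes, where policy stops you from calling AdminCreateUser.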
You can call admin create user again with MessageAction set to RESEND, in which case Cognito will resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set it to "SUPPRESS" to suppress sending the message. Only one value can be specified.
When you create a user from the admin console or with the admin SDK, from the frontend you have to use the "USER_PASSWORD_AUTH" authentication flow; you should have configured it in the app client beforehand:
https://docs.amplify.aws/lib/auth/switch-auth/q/platform/js/
I need to automate resetting the password of a database application role.
The password must be in encrypted or hashed form for security reasons.
I tried to convert the password into HASHBYTES form and reset the application role password, but it didn't work.
SELECT HASHBYTES('SHA2_256', 'PASSWORD')
GO
USE <DATABASE NAME>
GO
ALTER APPLICATION ROLE [approle_name] WITH PASSWORD = 'password hash value'
GO
Can someone kindly help with how I can reset the password of an application role with a hash value or in encrypted form?
Thanks in advance.
I'm having issues with resending the confirmation code for cases where, for some reason, the confirmation code was not delivered to the user. This is what I have:
First, I have a sign-up step:
const AWS = require('aws-sdk');
const cognito = new AWS.CognitoIdentityServiceProvider({region});
const params = {
    ClientId,
    Username,
    Password,
};
const result = await cognito.signUp(params).promise();
This step (in case of success) should send an email to the user's email address (which is also their username) with their confirmation code. Now let's assume that for some reason the email is not sent (the reason itself is not important). I would like to give the user a chance to ask for a new email to be sent. This is what I've been testing for this purpose so far:
First, I've tested the resendConfirmationCode method:
const cognito = new AWS.CognitoIdentityServiceProvider({region});
const params = {
    ClientId,
    Username,
};
const result = await cognito.resendConfirmationCode(params).promise();
Executing this code throws this error message:
UnhandledPromiseRejectionWarning: NotAuthorizedException: Cannot resend codes. Auto verification not turned on.
Then I tested this approach (because of the answer given in this post):
const cognito = new AWS.CognitoIdentityServiceProvider({region});
const params = {
    UserPoolId,
    Username,
    DesiredDeliveryMediums: ["EMAIL"],
    ForceAliasCreation: false,
    MessageAction: "RESEND",
};
const result = await cognito.adminCreateUser(params).promise();
This time, I'm getting this error:
UnhandledPromiseRejectionWarning: UnsupportedUserStateException: Resend not possible. ********-****-****-****-********** status is not FORCE_CHANGE_PASSWORD
The redacted part is the user's sub.
So, does anyone know how I can resend the confirmation code for a user that is not confirmed yet?
For anyone else who might be facing this issue, this was because the User Pool's setting was not to send the verification code in the first place. Here's how to enable sending the verification code on the User Pool:
Go to Cognito and the User Pool
Go to the page "MFA and verifications"
In the section "Which attributes do you want to verify?" select one of the items (for me it was "Email")
But the actual issue for me was that this option had initially been set properly. It was reset to "No verification" when I executed this command:
aws cognito-idp update-user-pool \
--region us-east-1 \
--user-pool-id us-east-1_********* \
--lambda-config CustomMessage=arn:aws:lambda:us-east-1:************:function:composeEmail
This command is supposed to introduce a lambda function to compose the email for the verification code. But for some reason it resets the other setting as well, and I have no idea why.
In any case, once you have that setting set properly, my first solution will work:
const cognito = new AWS.CognitoIdentityServiceProvider({region});
const params = {
    ClientId,
    Username,
};
const result = await cognito.resendConfirmationCode(params).promise();
After a chat with AWS support: you can specify the verification attribute like this:
aws cognito-idp update-user-pool \
--region us-east-1 \
--user-pool-id us-east-1_********* \
--lambda-config CustomMessage=arn:aws:lambda:us-east-1:************:function:composeEmail \
--auto-verified-attributes email
I am auditing user passwords in AWS using boto3 and I'm not finding a way to accomplish the following CIS Benchmark: "Ensure credentials (with password enabled) unused for 90 days or greater are disabled."
I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make a password inactive.
For access keys (but not passwords), we have the following:
client = session.client('iam')
... (get user and keyid) ...
last_used = client.get_access_key_last_used(AccessKeyId=keyid)
... (determine the age of the key) ...
if age >= 90:
    client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)
Does anyone have any pointers?
delete_login_profile is the one you should use if you want to delete the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.
However, to prevent all user access (including CLI and API access), you must also either make any access keys inactive or delete them.
From the Boto3 documentation:
Warning: Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.
If you want to change the password, you should use the update_login_profile boto3 API. If you want to disable the password, you need to use delete_login_profile.
boto3 documentation for update_login_profile can be found here.
boto3 documentation for delete_login_profile can be found here.
Thanks to the responders, delete_login_profile followed by a password reset using create_login_profile is exactly what I needed. I saw it in the docs, but "delete" just sounded too scary.
def getPassword(client, user):
    ''' get the password data from aws '''
    try:
        response = client.get_login_profile(UserName=user)
        return response
    except client.exceptions.NoSuchEntityException as e:
        print(e)
        return ''

# setup the client handler
client = session.client('iam')
# set the user
user = 'some.user'
# if the user has a password, execute this code block
if getPassword(client=client, user=user):
    # ... code to test the password age here ...
    # ... if it's too old, then ...
    # remove the login_profile/password/ability to use the Console
    client.delete_login_profile(UserName=user)
    # set the new password
    passwd = raw_input('Enter New Password: ')
    # create the new login_profile with the new password and force the user to change the password on the next login
    client.create_login_profile(UserName=user, Password=passwd, PasswordResetRequired=True)
I have Cognito set up with a pre sign-up lambda which returns the event with the following set:
event.response.autoConfirmUser = true;
event.response.autoVerifyEmail = true;
This correctly marks the user's email and the user itself as confirmed in the AWS console. But when trying to log in I get the error "User does not exist." from the Cognito AWS API. Any ideas?
The Cognito pool is set up to use "email address" as "username", and this makes the following even weirder: I can create a new user with the same email address as above and authenticate fine. But what I end up with is two confirmed users with the same email address!
My use case is relatively simple: I invite users to join via email, so the email is confirmed already in a sense; that's why I am using the pre sign-up lambda to mark the user and email as confirmed/verified.
Any help greatly appreciated!
Thanks,
Tomek
AWS Cognito user pools: how to recover / set a password for a user when it has no email or phone.
I am using this on the web for a small local business, and want users to use only a username, not email and phone.
On the verification tab, I leave both checkboxes, phone and email, blank.
Then it displays the following red warning:
You have not selected either email or phone number verification, so your users will not be able to recover their passwords without contacting you for support.
So it is okay that I want them to contact support.
But I cannot find an API to set their password or recover it as admin.
If users contact me, how can I do it?
At the moment, there is a workaround through the API. Just set an email/phone where you/the admin can receive the one-off confirmation code (e.g. support@test.com).
Just tested on an old Cognito user pool that, for some unknown reason, gets the email_verified attribute set to false every now and then (ref).
The user pool has the same configuration: no verification options are enabled.
However, you can ensure the email_verified attribute is OK through an AWS user with dev credentials.
Example using CLI (tested on aws-cli/1.16.3 Python/2.7.10 Darwin/18.2.0 botocore/1.11.3):
USER=test@test.com
POOL_ID=us_east_1-123
POOL_APP_CLIENT_ID=fake123
# Ensure the email_verified attribute is set to true
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-update-user-attributes.html
aws cognito-idp admin-update-user-attributes --user-pool-id $POOL_ID --username $USER --user-attributes Name=email_verified,Value=true
# Check the attribute is set/added if missing (double quotes so $USER expands inside the JMESPath filter)
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/list-users.html
aws cognito-idp list-users --user-pool-id $POOL_ID --query "Users[?Username=='$USER'].[*]"
# Run Admin Reset PWD
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-reset-user-password.html
aws cognito-idp admin-reset-user-password --user-pool-id $POOL_ID --username $USER
# The email/phone for the user should get a confirmation code
# Set the new pwd
# https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/confirm-forgot-password.html
aws cognito-idp confirm-forgot-password --confirmation-code <Code> --password <New PWD> --username $USER --client-id $POOL_APP_CLIENT_ID
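The same support-driven recovery, as an added boto3 example that is not part of the answer above: point the account's email at a mailbox support controls, mark it verified, trigger AdminResetUserPassword, then confirm with the code that arrives there and a new password. The boto3 cognito-idp client and a get_code callback (how the operator reads the code from the support inbox) are supplied by the caller; the function and parameter names are mine.

```python
# Added example (not from the thread): admin-driven password recovery for a user
# with no reachable email or phone, mirroring the four CLI calls above.


def admin_recover_password(client, pool_id, client_id, username, support_email, get_code):
    """Run the recovery and return the list of completed steps.

    get_code(username) must return (confirmation_code, new_password); in practice it
    reads the support mailbox and prompts the operator. Because the email attribute
    is rewritten to the support address, restore the user's own contact details (or
    leave the field empty) once the user is back in, so later reset codes do not keep
    landing in the support inbox.
    """
    steps = []
    client.admin_update_user_attributes(
        UserPoolId=pool_id, Username=username,
        UserAttributes=[{"Name": "email", "Value": support_email},
                        {"Name": "email_verified", "Value": "true"}])
    steps.append("email_verified")

    # The user can no longer sign in with the old password after this call.
    client.admin_reset_user_password(UserPoolId=pool_id, Username=username)
    steps.append("reset")

    code, new_password = get_code(username)
    client.confirm_forgot_password(ClientId=client_id, Username=username,
                                   ConfirmationCode=code, Password=new_password)
    steps.append("confirmed")
    return steps


if __name__ == "__main__":
    import boto3
    import getpass

    def prompt_operator(username):  # operator reads the code from the support inbox
        return input(f"Code sent to support for {username}: "), getpass.getpass("New password: ")

    cognito = boto3.client("cognito-idp")
    print(admin_recover_password(cognito, "<POOL_ID>", "<CLIENT_ID>", "<USERNAME>",
                                 "support@example.com", prompt_operator))
```

The new password is known to the operator at this point, so hand it over out of band and have the user change it immediately; the answer's CLI sequence has the same property.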
Basically that means that your users will not have to verify the email or phone number. Those can be auto-verified either by writing a lambda function that verifies them, or you could verify them on their behalf from the console.
Once the phone number or email is marked as verified, it can be used by users in a forgotPassword flow; they will basically get a code that they can use to reset the password.
You can also reset the user's password on their behalf (from the console), which means that the user will not be able to log in and will have to complete a forgotPassword flow before logging in. Again, phone number and email can be marked as verified from the console.