
cognitoUser.confirmPassword


JavaScript Framework

React

Amplify APIs

Authentication, REST API

Amplify Categories

auth, function, api

Environment information

# Put output below this line
System:
    OS: Linux 4.15 Ubuntu 18.04.5 LTS (Bionic Beaver)
    CPU: (4) x64 Intel(R) Core(TM) i3-8145U CPU @ 2.10GHz
    Memory: 1.51 GB / 15.55 GB
    Container: Yes
    Shell: 4.4.20 - /bin/bash
  Binaries:
    Node: 16.1.0 - ~/.nvm/versions/node/v16.1.0/bin/node
    Yarn: 1.22.10 - ~/.nvm/versions/node/v16.1.0/bin/yarn
    npm: 7.15.0 - ~/.nvm/versions/node/v16.1.0/bin/npm
  Browsers:
    Chrome: 91.0.4472.77
    Firefox: 88.0.1
  npmPackages:
    <%= name %>:  <%= version %> 
    @compodoc/compodoc: ^1.1.11 => 1.1.11 
    @nestjs/cli: ^7.6.0 => 7.6.0 
    @nestjs/common: ^7.6.15 => 7.6.15 
    @nestjs/config: ^0.6.3 => 0.6.3 
    @nestjs/core: ^7.6.15 => 7.6.15 
    @nestjs/jwt: ^7.2.0 => 7.2.0 
    @nestjs/mongoose: ^7.2.4 => 7.2.4 
    @nestjs/passport: ^7.1.5 => 7.1.5 
    @nestjs/platform-express: ^7.6.15 => 7.6.15 
    @nestjs/schematics: ^7.3.1 => 7.3.1 
    @nestjs/swagger: ^4.8.0 => 4.8.0 
    @nestjs/testing: ^7.6.15 => 7.6.15 
    @nestjs/typeorm: ^7.1.5 => 7.1.5 
    @storybook/addon-actions: ^6.2.9 => 6.2.9 
    @storybook/addon-essentials: ^6.2.9 => 6.2.9 
    @storybook/addon-links: ^6.2.9 => 6.2.9 
    @storybook/node-logger: ^6.2.9 => 6.2.9 
    @storybook/preset-create-react-app: ^3.1.7 => 3.1.7 
    @storybook/react: ^6.2.9 => 6.2.9 
    @testing-library/jest-dom: ^5.12.0 => 5.12.0 
    @testing-library/react: ^11.2.7 => 11.2.7 
    @testing-library/user-event: ^13.1.9 => 13.1.9 
    @types/classnames: ^2.3.1 => 2.3.1 
    @types/express: ^4.17.11 => 4.17.11 
    @types/jest: ^26.0.23 => 26.0.23 
    @types/lodash: ^4.14.169 => 4.14.169 
    @types/node: ^15.3.0 => 15.3.0 (14.17.0, 8.10.66, 10.17.60)
    @types/passport-jwt: ^3.0.5 => 3.0.5 
    @types/passport-local: ^1.0.33 => 1.0.33 
    @types/react: ^17.0.5 => 17.0.5 
    @types/react-dom: ^17.0.5 => 17.0.5 
    @types/react-redux: ^7.1.16 => 7.1.16 
    @types/react-redux-toastr: ^7.6.0 => 7.6.0 
    @types/react-router: ^5.1.14 => 5.1.14 
    @types/react-router-config: ^5.0.2 => 5.0.2 
    @types/react-router-dom: ^5.1.7 => 5.1.7 
    @types/react-router-redux: ^5.0.18 => 5.0.18 
    @types/redux: ^3.6.0 => 3.6.0 
    @types/redux-form: ^8.3.1 => 8.3.1 
    @types/redux-logger: ^3.0.8 => 3.0.8 
    @types/redux-thunk: ^2.1.0 => 2.1.0 
    @types/superagent: ^4.1.11 => 4.1.11 
    @types/supertest: ^2.0.11 => 2.0.11 
    amazon-chime-sdk-js: ^2.9.0 => 2.9.0 
    amazon-cognito-identity-js: ^5.0.1 => 5.0.1 
    aws-sdk: ^2.908.0 => 2.908.0 
    class-transformer: ^0.4.0 => 0.4.0 
    class-validator: ^0.13.1 => 0.13.1 
    classnames: ^2.3.1 => 2.3.1 
    cross-fetch: ^3.1.4 => 3.1.4 
    cross-fetch-polyfill:  0.0.0 
    formik: ^2.2.6 => 2.2.6 
    helmet: ^4.6.0 => 4.6.0 
    jest: 26.6.0 => 26.6.0 
    lodash: ^4.17.21 => 4.17.21 
    markdown-it: ^12.0.6 => 12.0.6 
    moment: ^2.29.1 => 2.29.1 
    mongoose: ^5.12.9 => 5.12.9 
    mssql: ^7.1.0 => 7.1.0 
    mysql: ^2.18.1 => 2.18.1 
    node-fetch: ^2.6.1 => 2.6.1 
    node-sass: ^6.0.0 => 6.0.0 
    passport: ^0.4.1 => 0.4.1 
    passport-jwt: ^4.0.0 => 4.0.0 
    passport-local: ^1.0.0 => 1.0.0 
    prettier: ^2.3.0 => 2.3.0 (2.2.1)
    react: ^17.0.2 => 17.0.2 
    react-calendar: ^3.4.0 => 3.4.0 
    react-dom: ^17.0.2 => 17.0.2 
    react-https-redirect: ^1.1.0 => 1.1.0 
    react-loadable: ^5.5.0 => 5.5.0 
    react-redux: ^7.2.4 => 7.2.4 
    react-redux-toastr: ^7.6.5 => 7.6.5 
    react-router: ^5.2.0 => 5.2.0 
    react-router-config: ^5.1.1 => 5.1.1 
    react-router-dom: ^5.2.0 => 5.2.0 
    react-router-redux: ^4.0.8 => 4.0.8 
    react-scripts: ^4.0.3 => 4.0.3 
    react-semantic-ui-datepickers: ^2.13.1 => 2.13.1 
    redux: ^4.1.0 => 4.1.0 
    redux-form: ^8.3.7 => 8.3.7 
    redux-localstorage-simple: ^2.4.0 => 2.4.0 
    redux-logger: ^3.0.6 => 3.0.6 
    redux-thunk: ^2.3.0 => 2.3.0 
    reflect-metadata: ^0.1.13 => 0.1.13 
    rimraf: ^3.0.2 => 3.0.2 (2.7.1)
    rxjs: ^7.0.1 => 7.0.1 (6.6.3, 6.6.7)
    rxjs/ajax:  undefined ()
    rxjs/fetch:  undefined ()
    rxjs/internal-compatibility:  undefined ()
    rxjs/operators:  undefined ()
    rxjs/testing:  undefined ()
    rxjs/webSocket:  undefined ()
    semantic-ui-css: ^2.4.1 => 2.4.1 
    semantic-ui-react: ^2.0.3 => 2.0.3 
    store2: ^2.12.0 => 2.12.0 
    superagent: ^6.1.0 => 6.1.0 
    superagent-intercept: ^0.1.2 => 0.1.2 
    supertest: ^6.1.3 => 6.1.3 
    swagger-ui-express: ^4.1.6 => 4.1.6 
    ts-jest: ^26.5.6 => 26.5.6 
    ts-loader: ^9.1.2 => 9.1.2 
    ts-node: ^9.1.1 => 9.1.1 
    tsconfig-paths: ^3.9.0 => 3.9.0 
    tslint: ^6.1.3 => 6.1.3 
    typeorm: ^0.2.32 => 0.2.32 
    typescript: ^4.2.4 => 4.2.4 (4.2.3, 2.9.1)
    uuid: ^8.3.2 => 8.3.2 (3.4.0, 8.3.1, 3.3.2)
    uuidv4: ^6.2.8 => 6.2.8 
  npmGlobalPackages:
    @nestjs/cli: 7.6.0
    @vue/cli-service-global: 4.5.13
    @vue/cli: 4.5.13
    node-gyp: 8.1.0
    npm: 7.15.0
    webpack-cli: 4.7.0
    webpack-dev-server: 3.11.2
    webpack: 5.38.1
    yalc: 1.0.0-pre.53
    yarn: 1.22.10


Describe the bug

I am not getting any error even when the user is using an incorrect email to reset the password. I am getting a success response like this for the forgotPassword call on the Cognito user. Response:

Code sent to:  {
  CodeDeliveryDetails: {
    AttributeName: 'email',
    DeliveryMedium: 'EMAIL',
    Destination: 'b***@y***.com'
  }
}

If the user's account is not active, they also do not receive any error or verification email.

Expected behavior

The user should see an error if the account is not active, since an inactive user will not receive any email; a user who is not registered should also see an error saying that the user is not registered, but instead it sends a success response.

Reproduction steps

Install the plugin:

npm install amazon-cognito-identity-js

Then create a Cognito User Pool with the correct params, like so:

var userPool = new CognitoUserPool(poolData);

Then initiate the cognitoUser:

var cognitoUser = new CognitoUser(userData);

Then use the information above to call cognitoUser.forgotPassword() and cognitoUser.confirmPassword().

Code Snippet

// Put your code below this line.
// Module-level import from the package named in the reproduction steps:
const { CognitoUserPool, CognitoUser } = require('amazon-cognito-identity-js');

// Runs inside an async method: `Email` is the address the user entered and
// `this.authConfig` supplies the pool settings.
var conf = await this.authConfig.getConfig();
if (conf.userPoolId !== undefined) {
    var poolData = {
        UserPoolId: conf.userPoolId, // Your user pool id here
        ClientId: conf.clientId, // Your client id here
    };
    var userPool = new CognitoUserPool(poolData);
    var userData = {
        Username: Email,
        Pool: userPool,
    };
    var cognitoUser = new CognitoUser(userData);
    return new Promise((resolve, reject) => {
        cognitoUser.forgotPassword({
            onSuccess: function(data) {
                // successfully initiated reset password request
                console.log('CodeDeliveryData from forgotPassword: ', data);
                resolve(data);
            },
            onFailure: function(err) {
                console.log(err.message || JSON.stringify(err));
                reject(err);
            },
            // Optional callback; when supplied, the library calls this instead of
            // onSuccess once the code request has been accepted.
            inputVerificationCode: function(data) {
                console.log('Code sent to: ', data);
                resolve(data);
            },
        });
    });
} else {
    throw new Error("Cognito config is missing.");
}

Only users who are registered and active receive the verification code, but if they are not registered or are inactive they do not receive any error.

Log output

// Put your logs below this line


aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6

Top GitHub Comments

2 reactions
vyomr13 commented, Mar 30, 2022

Unfortunately this is expected behavior from the service. You can use the same workaround that the last customer, @jamessouth, provided. Closing this as it cannot be addressed from our libraries.

0 reactions
jamessouth commented, Feb 17, 2022

This seems to mostly be an issue with Cognito, not Amplify. This forum post asks about it. I tried to start to deal with this by implementing back-end username validation with a Lambda trigger but I think there’s a bug which I filed here. FWIW the only part of Amplify I use is the amazon-cognito-identity-js package.

EDIT: The SDKs can call the ListUsers action so if you could get a Lambda trigger to be called then this could potentially be worked around.

EDIT 2: To work around it, I did this: the SignUp action can be re-used as your forgot-password functionality since it will call the PreSignup Lambda trigger, where you can search for the username with the ListUsers action. Then you can initiate ForgotPassword having already dealt with bogus usernames. I use client metadata to distinguish these from actual sign-up requests, and I also error on all forgot-password requests so it doesn't attempt a sign up. On the front-end I consume the specific error I created for successful username searches (an alternative would be a Cognito "user already exists" error) and redirect to the confirmation-code entry page, and otherwise show all other errors.

EDIT 3: Just saw these docs which say the nonsense response is simulated. Apparently it is intended that it not error.
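The "simulated" response the docs describe is Cognito's user-existence-error prevention: a forgot-password request for an unknown or disabled username returns the same CodeDeliveryDetails shape as one for a real user, so the response cannot be used to discover which addresses have accounts. The client-side consequence is that the UI should show one generic message for every outcome; a workaround that surfaces a distinct error for "username found" versus "not found" (such as the PreSignUp/ListUsers approach above) reintroduces exactly the existence oracle the service is suppressing. The following is an added example, not code from the issue or from the amazon-cognito-identity-js project: `FakeCognitoUser` is a constructed stand-in that mimics the library's callback contract (`onSuccess` / `onFailure` / `inputVerificationCode`) and the service's uniform response, `maskEmail` is an approximation of the masked `Destination` field, and `KNOWN_USERS` is constructed sample data. Nothing touches the network.

```javascript
// Added example (not from the issue or the amazon-cognito-identity-js project).
// Shows that the forgot-password response is identical for existing, disabled
// and unknown usernames, and how a client wraps it without leaking existence.

// Constructed directory standing in for the user pool.
const KNOWN_USERS = new Map([
  ['alice@example.com', { enabled: true,  email: 'alice@example.com' }],
  ['bob@example.com',   { enabled: false, email: 'bob@example.com' }],
]);

// Generic message shown to every caller, regardless of whether a mail was sent.
const GENERIC_RESET_MESSAGE =
  'If an account exists for that address, a verification code has been sent.';

// Approximation (assumption) of the masking Cognito applies to Destination:
// first character of the local part and of the domain, then the TLD.
function maskEmail(email) {
  const [local, domain] = email.split('@');
  const tld = domain.split('.').pop();
  return `${local[0]}***@${domain[0]}***.${tld}`;
}

// Stand-in for CognitoUser from amazon-cognito-identity-js. With user-existence
// errors prevented, the service answers every request with CodeDeliveryDetails;
// only a real, enabled user actually receives an e-mail.
class FakeCognitoUser {
  constructor({ Username }) { this.username = Username; }

  forgotPassword(callbacks) {
    const user = KNOWN_USERS.get(this.username);
    const mailSent = Boolean(user && user.enabled);      // invisible to the client
    const data = {
      CodeDeliveryDetails: {
        AttributeName: 'email',
        DeliveryMedium: 'EMAIL',
        Destination: maskEmail(this.username),
      },
    };
    this.lastMailSent = mailSent;                          // test hook only
    // Same dispatch rule as the library: inputVerificationCode wins over onSuccess.
    if (typeof callbacks.inputVerificationCode === 'function') {
      callbacks.inputVerificationCode(data);
    } else {
      callbacks.onSuccess(data);
    }
  }
}

// Canonical description of a response's structure, used to show that known and
// unknown usernames produce byte-identical shapes.
function responseShape(data) {
  const d = data.CodeDeliveryDetails || {};
  return Object.keys(d).sort().join(',') + '|' + d.AttributeName + '|' + d.DeliveryMedium;
}

// What the UI gets: the generic message plus the masked destination, which is
// derived from the caller's own input and therefore reveals nothing new.
function summarize(data) {
  const d = data && data.CodeDeliveryDetails;
  return { message: GENERIC_RESET_MESSAGE, destination: d ? d.Destination : null };
}

// Promise wrapper that settles exactly once whichever callback the library uses.
function requestPasswordReset(cognitoUser) {
  return new Promise((resolve, reject) => {
    let settled = false;
    const once = (fn, v) => { if (!settled) { settled = true; fn(v); } };
    cognitoUser.forgotPassword({
      onSuccess: (data) => once(resolve, summarize(data)),
      inputVerificationCode: (data) => once(resolve, summarize(data)),
      onFailure: (err) => once(reject, err),
    });
  });
}

async function demo() {
  const out = {};
  for (const name of ['alice@example.com', 'bob@example.com', 'nobody@example.com']) {
    out[name] = await requestPasswordReset(new FakeCognitoUser({ Username: name }));
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Run with `node` to see that all three usernames yield the same message and shape; only the masked destination differs, and it is a function of the input. The design choice to note is that the wrapper never branches on whether a mail was actually delivered, because the client cannot know that, and any UI that pretends to know it is guessing about account existence.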
