
Inviting and confirming users securely?


**Which Category is your question related to?** Amplify.signIn in the case of confirming a user after invitation on dashboard or adminCreateUser.

**What AWS Services are you utilizing?** Just Cognito.

**Provide additional details e.g. code snippets**

I’m currently using adminCreateUser when a user invites another user to sign up onto the platform. The invited user has his/her password set to testing at the moment. Upon calling adminCreateUser we send an invitation email to the new user with a button to join the platform and claim the account. However, the docs suggest using Auth.signIn and Auth.completeNewPassword() on these users. I may be misunderstanding something, but this seems insecure as a malicious party could just send his/her own Auth.signIn and Auth.completeNewPassword to claim another person’s account. Any clarification would be super helpful. (More info below)

The docs for Amplify suggest this strategy when using adminCreateUser.

The user would be asked to provide his new password and required attributes the first time he signs in if he is created in the AWS Cognito console. In that case, you need to call this method to finish this process:

```javascript
import { Auth } from 'aws-amplify';

// username, password and newPassword come from the sign-in / new-password form;
// password is the temporary password the invited user received.
Auth.signIn(username, password)
.then(user => {
    if (user.challengeName === 'NEW_PASSWORD_REQUIRED') {
        const { requiredAttributes } = user.challengeParam; // the array of required attributes, e.g. ['email', 'phone_number']
        Auth.completeNewPassword(
            user,               // the Cognito User Object
            newPassword,        // the new password
            // OPTIONAL, the required attributes
            {
              email: 'xxxx@example.com',
              phone_number: '1234567890'
            }
        ).then(user => {
            // at this time the user is logged in if no MFA required
            console.log(user);
        }).catch(e => {
            console.log(e);
        });
    } else {
        // other situations
    }
}).catch(e => {
    console.log(e);
});
```
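An added example, not code from the issue or the Amplify docs, showing the invitation request built so that no fixed temporary password exists: Cognito generates the one-time password and delivers it only to the invitee's address, which is what makes the later `Auth.signIn` + `completeNewPassword` step claimable by that person alone. The pool id, organization id and addresses are placeholders, and the small audit function flags the fixed-password pattern the question describes.

```javascript
// Added example (not from the issue or the Amplify docs). Builds the
// AdminCreateUser input used to invite a user; pool id, org id and addresses
// are placeholders. The object is passed to AdminCreateUserCommand from
// @aws-sdk/client-cognito-identity-provider (adminCreateUser in SDK v2).
function buildInviteParams({ userPoolId, email, orgId }) {
  return {
    UserPoolId: userPoolId,
    Username: email,
    // No TemporaryPassword: Cognito generates a random one-time password and
    // delivers it only through the chosen medium, so only the mailbox owner
    // can pass the NEW_PASSWORD_REQUIRED challenge after Auth.signIn.
    DesiredDeliveryMediums: ['EMAIL'],
    UserAttributes: [
      { Name: 'email', Value: email },
      // The admin vouches for the address, so mark it verified; the
      // invitation message goes to this address.
      { Name: 'email_verified', Value: 'true' },
      { Name: 'custom:organization', Value: orgId },
    ],
  };
}

// Returns the settings that let someone other than the invitee claim the
// account. An empty list means the invitation relies on the mailbox only.
function auditInviteParams(params) {
  const findings = [];
  if (params.TemporaryPassword !== undefined) {
    findings.push('static TemporaryPassword: anyone who knows it and the username can complete NEW_PASSWORD_REQUIRED');
  }
  const mediums = params.DesiredDeliveryMediums || [];
  if (!mediums.includes('EMAIL')) {
    findings.push('no EMAIL delivery: the temporary password is not sent to the invitee by Cognito');
  }
  return findings;
}

// Constructed sample of the pattern in the question: every invitee gets the
// fixed temporary password "testing".
const weakInvite = {
  UserPoolId: 'us-east-1_EXAMPLE', // placeholder pool id
  Username: 'invitee@example.com',
  TemporaryPassword: 'testing',
  UserAttributes: [{ Name: 'email', Value: 'invitee@example.com' }],
};

const safeInvite = buildInviteParams({
  userPoolId: 'us-east-1_EXAMPLE', email: 'invitee@example.com', orgId: 'org-123',
});
console.log(auditInviteParams(weakInvite)); // two findings
console.log(auditInviteParams(safeInvite)); // []
```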

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 11 (2 by maintainers)

Top GitHub Comments

4 reactions
PaulGLujan commented, Jul 3, 2019

adminCreateUser should be incorporated into Amplify. I am running into the same issue where I have to use the Cognito SDK for adminCreateUser.

1 reaction
gkpty commented, Oct 8, 2019

Hey, I know the issue has been closed for inactivity but I just ran into this.

My workaround (not using the Cognito SDK):

  1. I implemented authorization with groups.
  2. I switched the confirmation message in Cognito to a link.
  3. I implemented a custom field in users called parentUser (or organization in my case).
  4. I check for the user group and give admin users access to a component called inviteUsers.
  5. I built a form inside inviteUsers with my signUp fields.

Below is the submit handler for the form:

```javascript
// Auth is imported at the top of the module: import { Auth } from 'aws-amplify';
// Submit handler of the inviteUsers form (class-component method).
handleSubmit = async (event) => {
    event.preventDefault();
    try {
        const result = await Auth.signUp({
            username: this.state.username,
            password: this.state.password,
            attributes: {
                email: this.state.email,
                'custom:organization': this.state.org.id,
            }
        });
        console.log(`Successfully invited ${result.user.username}`);
        return result;
    } catch (err) {
        console.log('error signing up: ', err);
        return err;
    }
}
```

Hope this helps!
