PasswortReset when Email not verified and Confirmation status unconfirmed

[johannespn]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

Next.js

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

npmPackages:
    @aws-amplify/adapter-nextjs: 1.0.25 => 1.0.25 
    @aws-amplify/adapter-nextjs/api:  undefined ()
    @aws-amplify/adapter-nextjs/data:  undefined ()
    aws-amplify: 6.4.0 => 6.4.0 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    ...
    next: 14.1.4 => 14.1.4 

Describe the bug

Calling resetPassword({ username: values.email }) from import { resetPassword } from 'aws-amplify/auth'
when user Email verified = No and Confirmation status = Unconfirmed results in

{
    "resetPasswordStep": "CONFIRM_RESET_PASSWORD_WITH_CODE",
    "codeDeliveryDetails": {
        "deliveryMedium": "EMAIL",
        "destination": "j***@i***",
        "attributeName": "email"
    }
}

but no email with code is being sent.

Expected behavior

I would expect this method to throw an error in the case that user Email verified = No and Confirmation status = Unconfirmed

Reproduction steps

see description

Code Snippet

No response

Log output

No response

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[cwomack]

Hello, @johannespn and thank you for opening this issue. Can you double check in the Cognito console that this user's email is unconfirmed? We'd expect that a user with no confirmed email or phone number would throw an InvalidParameterException when trying to call the resetPassword() API in this situation (see Cognito docs here).

[johannespn]

Thank you for the quick answer @cwomack, I double checked that the users email is unconfirmed: see screenshot. I am not getting the exception, but the behavior I described above.

Also, I checked your codebase and the method I am calling (packages/auth/src/providers/cognito/apis/resetPassword.ts) has this signature:

/**
 * Resets a user's password.
 *
 * @param input -  The ResetPasswordInput object.
 * @returns ResetPasswordOutput
 * @throws -{@link ForgotPasswordException }
 * Thrown due to an invalid confirmation code or password.
 * @throws -{@link AuthValidationErrorCode }
 * Thrown due to an empty username.
 * @throws AuthTokenConfigException - Thrown when the token provider config is invalid.
 **/

So maybe it's missing the validation check for the confirmation status?

[cwomack]

@johannespn, was this user created via either the AWS CLI or manually in the Cognito console?

[johannespn]

@cwomack We create users via the JavaScript SDK which uses AWS CLI in the background, I believe

[johannespn]

@cwomack any updates on this? Our customers are complaining that they cannot reset their password

[josefaidt]

Hey @johannespn 👋 how are users created with the SDK? Do the end users receive an invitation mail they use to log in for the first time?

To reset the password for an unconfirmed user that has not verified their email, you will need to use the Admin* APIs from the SDK, specifically AdminResetUserPassword
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html

https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminResetUserPasswordCommand/

[ysabri]

@josefaidt @cwomack I'm facing this issue as well and I believe it's similar to this issue: #11270

I recently upgraded to V6 and now I can't handle this error from the frontend side because the hub doesn't send events for errors anymore. I have no way of finding out if the user who is attempting to reset their password has an unconfirmed email.

[ysabri]

For those who come across the issue till it's fixed:

To handle this in V6, I created a lambda that returns the following information:

        cognito_user = boto3_cognito_client.admin_get_user(
            UserPoolId=os.environ["REGION"] + '_' + os.environ["COGNITO"],
            Username=user.auth_id,
        )

        user_attributes = cognito_user.get("UserAttributes", [])

        return {
            "user_exists": True,
            "email_verified": any(
                attr["Name"] == "email_verified" and attr["Value"] == "true" for attr in user_attributes)
        }

I call this lambda inside the handleForgotPassword service and based on the lambda response, the user is shown an error that prompts them to email our support in order to fix the issue. Our support team will verify their email and then mark it as verified using boto3's 'admin_update_user_attributes'

[cwomack]

@johannespn, appreciate your patience on responses here. After @josefaidt's comment above and the related issue that @ysabri opened, can you let us know if you think this issue is fundamentally different than #11270? This appears to be the same Cognito limitation reported there.

[cwomack]

@ysabri, appreciate you linking these two! As for your comment about the hub events, what you mentioned is indeed tied to the changes in the Hub events that are emitted in Auth channel within v6, where there are fewer (v5 examples vs v6 examples).

[ysabri]

• @cwomack Yeah this is what I did in V5 to detect that the user is stuck in such a state (account confirmed + email not verified + trying to reset password):

 Hub.listen("auth", res => {
      const {payload} = res;
      const {event} = payload;

      const errorMsg = res.payload.data.message ? res.payload.data.message : null;
      if (errorMsg) {
        let errorNotif = errorMsg;

        if (errorMsg === "User does not exist.") {
          errorNotif = "Wrong email or password."
        } else if (errorMsg === "Username/client id combination not found.") {
          errorNotif = "The email is not registered."
        } else if (errorMsg === "Cannot reset password for the user as there is no registered/verified email or phone_number") {
          // Notify the user to open a support ticket so we can help them
          return;
        }
        notifyError(errorNotif);
      }
    });

As you mentioned, this isn't the case in V6. I was hoping that at least the handleForgotPassword service method in V6 would throw an error I could catch, but it executes successfully even though the operation isn't possible. This seems possible given that V5 had this code as part of the hub event errors.

[johannespn]

can you let us know if you think this issue is fundamentally different than #11270? This appears to be the same Cognito limitation reported there.

@cwomack Yes, seems like the same issue! A user signs up / is being signed up and does not verify their email. Then, they cannot use password reset flow.

[cwomack]

@johannespn, thank you for the confirmation. To consolidate the areas where we are tracking this and providing updates, we'll close this as a duplicate of #11270 since they stem from the same root cause. Please follow that issue for progress and updates, and thank you for taking the time to create this one!