Validation code for forgotten password before sending new one #4876

Ownmarc opened this issue Feb 10, 2020 · 10 comments
Labels

  • Auth: Related to Auth components/category
  • Cognito: Related to cognito issues
  • feature-request: Request a new feature
  • need-product-input: Needs non-technical requirements or direction to proceed
  • Service Team: Issues asked to the Service Team

Comments

@Ownmarc

Ownmarc commented Feb 10, 2020

Summary

Would it be possible to validate the code of the forgotten password before having to send the new password? Maybe it's on Cognito's end?

Motivation

I didn't find any way of doing that with Amplify. I would like to not show the new password fields if I can't validate the user's code for the forgotten password.

Actually there are 2 functions used in the request new password flow:

  • forgotPassword(username) that does its job and shouldn't be touched.
  • forgotPasswordSubmit(username, code, newPassword) that I suggest we could split in 2 steps (validate the code first and then allow for password reset instead of sending everything at the same time)

Basic Example

Being able to make a "forgotten password" flow in 3 steps:

  • Request code for forgotten password (send username)
  • Validate code (send username + code) => (get back a token or something)
  • Set the new password (send the token received at step 2 + username + new password)

Drawbacks

No, should have its own function along with forgotPasswordSubmit() and forgotPassword()

Related Issues

Here is all I found that is related:

amazon-archives/amazon-cognito-identity-js#466

References

None
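
The three-step flow proposed above, modelled in memory as an added example; it is not part of the original issue and is not Cognito or Amplify code. The function names, lifetimes and attempt limit are assumptions; the point is that step 2 consumes the code and returns a short-lived, single-use token bound to the username.

```javascript
// Added example: in-memory model of the proposed flow, not Cognito or Amplify code.
const nodeCrypto = require("node:crypto");

const CODE_TTL_MS = 10 * 60 * 1000; // assumed code lifetime
const TOKEN_TTL_MS = 5 * 60 * 1000; // assumed reset-token lifetime
const MAX_ATTEMPTS = 5;             // assumed guess limit per issued code
const sha256 = (s) => nodeCrypto.createHash("sha256").update(String(s)).digest();

function createResetService(now = Date.now) {
  const pending = new Map(); // username -> { codeHash, expires, attempts }
  const tokens = new Map();  // hex(sha256(token)) -> { username, expires }

  return {
    // Step 1: issue a code. Returned here; a real service delivers it out of band.
    requestCode(username) {
      const code = nodeCrypto.randomInt(0, 1000000).toString().padStart(6, "0");
      pending.set(username, { codeHash: sha256(code), expires: now() + CODE_TTL_MS, attempts: 0 });
      return code;
    },
    // Step 2: check the code; on success consume it and return a one-time token.
    validateCode(username, code) {
      const entry = pending.get(username);
      if (!entry) return null;
      if (now() > entry.expires || ++entry.attempts > MAX_ATTEMPTS) {
        pending.delete(username); // expired or guessed too often: require a new code
        return null;
      }
      if (!nodeCrypto.timingSafeEqual(entry.codeHash, sha256(code))) return null;
      pending.delete(username);
      const token = nodeCrypto.randomBytes(32).toString("hex");
      tokens.set(sha256(token).toString("hex"), { username, expires: now() + TOKEN_TTL_MS });
      return token;
    },
    // Step 3: accept the password only with an unexpired, unused token for this username.
    setPassword(username, token, newPassword) {
      const key = sha256(token).toString("hex");
      const entry = tokens.get(key);
      tokens.delete(key); // single use, even when the checks below fail
      if (!entry || entry.username !== username || now() > entry.expires) return false;
      if (typeof newPassword !== "string" || newPassword.length === 0) return false;
      return true; // a real service hands newPassword to its user store here
    },
  };
}
```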

@Ownmarc Ownmarc added the feature-request Request a new feature label Feb 10, 2020
@amhinson amhinson added the Auth Related to Auth components/category label Oct 20, 2020
@tnghia944

.

@mlabieniec
Contributor

Have you tried using Cognito Triggers? Specifically the CustomMessage_ForgotPassword trigger. This should allow you to retrieve the code/validate and trigger the UI update/s based on the response.

@Ownmarc
Author

Ownmarc commented Jan 13, 2022

@mlabieniec I am not sure I understand how this allows us to validate the code the user is giving us. CustomMessage_ForgotPassword is used to template the email/message you will send to the user for forgotten password. You do not get access to the validation code there and even if you did, I do not see how one could use this trigger to do what was described in this issue. Would you mind elaborating?

@nick-zh

nick-zh commented Jan 17, 2022

I agree with @Ownmarc, I tried several triggers, I was unable to custom verify the code or get access to the code itself. This would be a very nice feature indeed.
I see two possible approaches:

  • be able to verify the code in an individual function (as suggested)
  • have a lambda trigger that allows you to customize the code that is being sent, so you have control over it

@ryan-hellowynd

facing the same problem, is there any update on this issue?

@Zecento

Zecento commented Nov 17, 2022

any updates?

@cwomack cwomack added Cognito Related to cognito issues Service Team Issues asked to the Service Team labels Feb 28, 2023
@tr3v3r

tr3v3r commented Mar 1, 2023

As a hack solution it's possible to do something like:

const tempPassword = generateTempPassword()

await Auth.forgotPasswordSubmit(username, code, tempPassword)
// save temp password or pass to next screen
// on next screen / step just get saved temp password and ask user to add new one

await Auth.changePassword(username, tempPassword, newPassword)

@yunchanpaik

> As a hack solution it's possible to do something like:
>
> const tempPassword = generateTempPassword()
>
> await Auth.forgotPasswordSubmit(username, code, tempPassword)
> // save temp password or pass to next screen
> // on next screen / step just get saved temp password and ask user to add new one
>
> await Auth.changePassword(username, tempPassword, newPassword)

This method doesn't work anymore since Auth.changePassword requires a Cognito user instance instead of a username.

Would really love to get official support from the AWS team on this issue. It's such a frustrating UX to enter the password two times only to find out the code had expired.

@dawid-bytys

any update?

@cwomack cwomack changed the title from "RFC: 3 step flow for forgotten password ?" to "Validation code for forgotten password before sending new one" Jun 4, 2024
@cwomack cwomack added the need-product-input Needs non-technical requirements or direction to proceed label Jun 4, 2024
@dragosheroiu95

dragosheroiu95 commented Jun 13, 2024

In our case we have some rules defined for the password (numbers, special chars, uppercase and lowercase letters) and I was able to achieve this by intentionally setting a failing password.

import { confirmResetPassword } from "aws-amplify/auth";

try {
  await confirmResetPassword({
    username: email,
    confirmationCode: code,
    // a password which will always fail since we have the restrictions mentioned above
    newPassword: "thiisafailingpassword",
  });
} catch (error) {
  if (error.name === "InvalidPasswordException") {
    // This means your code is a valid one
  } else {
    // Something is wrong with the code or any other error
    setErrorMessage(error.message);
  }
}
