What is proper username in Cognito User Pool? - amazon-cognito

I need to check that a proper username is entered in the custom sign-in form on my web site before passing it to the Auth.signUp method of aws-amplify.
Things like the minimum/maximum number of characters and the allowed characters.
The documentation at this link does not help; please point me to the correct page, thank you!

See AWS SDK for validation rules.
The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username can't be changed.
https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/admincreateusercommandinput.html
Not perhaps a perfect description, but it has at least the minimum and maximum character count.
Edit: the Cognito API reference reveals that the regex pattern for username validation is: [\p{L}\p{M}\p{S}\p{N}\p{P}]+
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
BTW, the username cannot be changed after creation, so perhaps you want to use the preferred_username attribute to store the username which a user submits in the sign-in form (and have the back end generate a value for username automatically (a uuid, for example)).
The document behind the link states:
Activate the preferred_username attribute so that your user can change the user name that they use to sign in while their username attribute value doesn't change.

Related

TYPO3 password protection without username

I want to have a subpage on my website that is password protected. There should be a list of 6-digit passwords that allow access to the site. However, I don't want the user to type in a username. He should only type in one of the 6-digit passwords.
Any ideas, how I can accomplish this?
The default login for TYPO3 uses username and password. If you only needed 1 password you could create 1 user and use a custom template with the username in a hidden field. However, since you want multiple passwords, there is no default way to do it without creating your own authentication service.
It's a bit much to explain how to create an authentication service here, but you can read the documentation here https://docs.typo3.org/m/typo3/reference-coreapi/9.5/en-us/ApiOverview/Authentication/Index.html.
You can also look at an example like https://github.com/tschikarski/shibboleth, which is a bit complicated, but you'll mainly need to look at \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addService in ext_localconf.php and the getUser and authUser functions in Classes/ShibbolethAuthentificationService.php.
With the TYPO3 mechanism, a password is always associated with a user name; I think you should do it yourself:
if the content is from one of your extensions, you can easily do it
if that's not the case, I think you could use a hook before the page is displayed and manage password access in that hook
or you can make a specific template with which you can conditionally manage rendering
Why not reverse the usage?
Create FE users with the selected passwords as usernames, then assign all users the same password.
For the login you change the login form:
The password field gets a default value (the password you had set for all accounts) and is hidden.
The input field for the username is changed into a browser password field so the input is hidden by asterisks.
Then you might change the error messages, as they would confuse the user about his username, so he only enters a "password".
There now exists an extension for that, too:
https://extensions.typo3.org/extension/sessionpassword
With that, you just have to create a specific user group for your purpose, set a password and include the plugin on the desired page.
Works for me in that case.

Where is the password stored in the Auth0 dashboard

I would like to know where the password field is shown in the dashboard. I can't see a password field in the user profile object. How can I get it?
You can't see the password for a user (only a secure password hash is stored, so Auth0 has no way of getting the actual value). As a dashboard administrator, you can however change the password using the red Actions drop-down list and then selecting Change Password.

Can/should IdentityServer4 be used to create a token for user-email verification

I have IdentityServer4 set up for API authentication, although I have a use case where I want to verify that a guest (user) is essentially a valid user. A valid user in my case is anyone with a valid email address, so I want to do the following:
send the user an email with a verification token (preferably something which is a mash-up of their email address, some salt and an expiry)
the user can then enter this token into my app and they are "allowed" to go ahead
I was wondering if IdentityServer4 can/should be used to achieve the above?
Their tools show that you can generate a token, although I am very new to this topic so I was hoping for some guidance.
No, the tokens Identity Server deals with are access_tokens, which are to do with claims-based authentication.
The tokens you need to use for email verification are commonly referred to as User Tokens, or one-time passwords (OTP). You can find a wealth of information on how to generate/consume these using those search terms, but if you use the aspnet identity classes such as the UserManager you will find it has some built in, ready to use. Or you can register your own UserTokenProvider with the UserManager.
In general you'd do something like this:
Use your UserTokenProvider to get a token (otp) for a specific user. The UserManager will use the security hash of that user and your own 'reason' (e.g. "EmailVerification") to generate the short OTP.
You could then wrap that OTP into an object that includes the email address, a userid maybe, and whatever you like. Safe Base64 encode it (there is a helper function within Identity Server that has this in fact, making sure it doesn't have the superfluous _ at the end which will mess with HTML links), and put it in an email to the user.
User clicks your link which takes them to your 'verify password' controller, with your mashed up token as payload. You decode it, work out which user it was for, get UserManager to verify the OTP part is still valid.
Job done.
If you want them to enter the OTP into your app directly, while logged in, then you could just skip the whole mash-up part of emailing a link, and email the short OTP directly.

Liferay password comparison for custom log In

Scenario: I am trying to create custom login functionality for Liferay 6.1.
In this, first I ask the user for an email and check whether this user is an existing or a new one. If the user exists then I will ask him to fill in the password; otherwise I will ask him to create an account.
My problem is how to compare the user-given password with the password existing in the DB. The user-given password is plain text and the DB-saved password is in encoded form.
Any pointers on this will be helpful. Thanks in advance.
There's a utility class for password comparison.
PasswordTrackerLocalServiceUtil#isSameAsCurrentPassword(userId, newClearTextPwd)

Reset or recover a user's password by an admin using a username in SimpleMembership

I am working on an ASP.NET MVC 4 application where it uses SimpleMembership, and I have two types of user: one is a normal user and the other an admin. I am trying to add a feature where an admin can reset a normal user's password just by entering a username and typing in a new password, and then he can manually send the new password to the user.
Is there a good way I can use SimpleMembership to get this feature?
Well, you can certainly change the password for a user account to whatever you'd like in code.
To change the password for an account using any subclass of the MembershipProvider (i.e. WebMatrix.WebData.SimpleMembershipProvider), you must first retrieve (or be supplied) the current password. Assuming you have a way to query the database, one way is to get the stored password from the DB. If it is stored as an encrypted value, you can use the provider's Decrypt method and convert the resulting byte array to a string value.
How to convert a byte array to a string
Then, using the SimpleMembershipProvider method ChangePassword, supply the username, oldpassword, and the new password. The result of this method is a boolean that indicates if the change was successful.
From a security standpoint, if you are going to make an MVC form view for the Admins to use, I'd make sure the controller action that handles the processing is secure and only allows authenticated Admins to use it. If you've not already done so, you'll need to implement the use of Roles or at least designate specific user names in the [Authorize] attribute of that action.
If you need the code for all this, I suggest starting a bounty.