Reset/Revoke Cognito MFA (Phone Number) and update it through login - amazon-cognito

I have gone through all the questions, but none of them match my scenario exactly.
Scenario:
The admin can reset the phone number of any user. After resetting/revoking the phone number, the user is logged out (if already logged in) and then goes through the login process. There, he adds his new number and receives a verification code on the new number.
Actually, when the admin sets the contact number to null, it starts giving an MFA error because of the "phone_number_verified" flag, and I am unable to update this flag the way I do with the "phone_number" field. And if I don't remove the number and just try to update it, Amplify sends the code to the previous number.
If I succeed in deleting the "phone_number_verified" attribute the way I do with the "phone_number" attribute, I will be able to resolve the issue.

I faced a similar scenario while working with Cognito user authentication. It is simply not possible to update the number. I went through different solutions but all led to nothing. I also tried contacting the AWS support center for confirmation. At the start they were giving pointers, but after further discussion they confirmed that verified phone numbers cannot be updated.

Related

Passwordless Authentication with Cognito - How to determine if a user signed up with email or phone number

We have implemented the Custom Auth Triggers as described in the linked article. We have the user pool set up to let users log in with either phone number or email.
The case in question: the user has both email and phone verified in their Cognito account.
The problem I am having is determining which medium (email or phone number) the user signed in with.
When observing the event passed into the define/create/verify auth triggers, it seems like it doesn't pass through which username was used to initiate the authentication flow, only the user attributes, which in my case could be both email and phone. I need to know which one it is so I know whether to send the code through SMS or email.
I also read about ClientMetadata, a key we can pass in InitiateAuthCommandInput, but it provides the client metadata only to these triggers:
Pre signup
Pre-authentication
User migration
but it will not provide ClientMetadata to these triggers:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Verify auth challenge
After googling a lot, I found an article with a tricky solution:
here is the link
I am not able to implement the provided solution.
I found a similar question on Stack Overflow too (link), but there is no answer there either. Can anyone please help me with this?
This is a workaround: add a custom attribute during passwordless login.
Actually, the authenticationUser function needs to identify whether the user is using email or phone during login.
Step 1: during the login process, before calling InitiateAuthCommand, first set a custom attribute on the Cognito user object, logged_in_by, with the value email or phone.
Step 2: once that attribute is set, InitiateAuthCommand is started and calls the triggers.
Step 3:
When createAuthChallenge runs, we will have userAttributes.logged_in_by.
If this attribute contains email, this indicates that the user is trying to log in with the email and we need to send the OTP over email.
If this attribute contains phone, this indicates that the user is trying to log in with the phone and we need to send the OTP over the phone number.

Apple Sign In - retrieve name and email

From the documentation I could find out that only upon first login into my app will the user's name and email be returned with the credential. So I go ahead and save these to my backend.
Now if the user decides to delete his account, I delete all his data from my backend (that's probably what the user wants me to do, and isn't that what I have to do anyway according to some privacy laws or whatnot?).
Now if the user ever changes his mind and installs the app another time, will I not be able to fetch the username and email, no matter what I do? Or did I miss some kind of user.ultimateSignoutAndDelete(for: .ever) to be able to fetch user data on his next sign-in?
Maybe this scenario seems a bit contrived, but when testing Apple Sign-In you stumble upon it immediately.
Once you delete a Firebase Auth account, there is no way to recover any information from that account. All links between the user and your projects are gone. The user will have to create a new account.

Heroku: Login system - authentication loop failure

I am trying to login to my heroku account.
I keep getting an error message that says "There was a problem with your login". There are no details of what the problem is.
I tried changing my password through the forgot password action and I still get directed back around to the above error message.
I can't contact Heroku's support team because I can't login.
Has anyone found this problem and found a way around it - or even a way to contact Heroku?
I had the same problem, couldn't log in even after resetting my password. I use the LastPass Chrome extension to fill in forms. When I entered the (same) credentials manually I was able to log in.
I started getting this error very recently. I believe it's linked to a recent email I got regarding password requirement changes:
Heroku will start resetting user account passwords today, May 4, 2022, as mentioned in our previous notification. We recommend that you reset your user account password in advance here and follow the best practices below:
Minimum of 16 characters
Minimum complexity of 3 out of 4: Uppercase, Lowercase, Numeric, Symbol
Don't just add a letter or a 1 digit number to the existing password while changing
Passwords may not be duplicated across accounts
As mentioned elsewhere, resetting my password and ensuring LastPass included symbols resolved it.
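An added example, not something from the thread: a local pre-check of a candidate password against the three rules quoted from the Heroku notice above (16 characters, 3 of 4 character classes, not the old password with one character tacked on), so a password manager's output can be tested before it is pasted into the reset form. The "not duplicated across accounts" rule cannot be checked locally and is left out. The rules are exactly the quoted ones; the function name and return shape are this example's own.

```javascript
// Added example (not from the original post): returns the list of rules a
// candidate password fails, or an empty list if it satisfies the quoted notice.
function passwordPolicyFailures(candidate, previous) {
  const failures = [];
  if (candidate.length < 16) failures.push("shorter than 16 characters");

  // "Minimum complexity of 3 out of 4: Uppercase, Lowercase, Numeric, Symbol"
  const classes = [
    ["uppercase", /[A-Z]/],
    ["lowercase", /[a-z]/],
    ["numeric", /[0-9]/],
    ["symbol", /[^A-Za-z0-9]/],
  ];
  const present = classes.filter(([, re]) => re.test(candidate)).map(([name]) => name);
  if (present.length < 3) {
    failures.push(`only ${present.length} of 4 character classes (has: ${present.join(", ") || "none"})`);
  }

  // "Don't just add a letter or a 1 digit number to the existing password":
  // reject the previous password with at most one character appended.
  if (previous && candidate.startsWith(previous) && candidate.length - previous.length <= 1) {
    failures.push("previous password with at most one character appended");
  }
  return failures;
}

module.exports = { passwordPolicyFailures };
```

A generator configured for letters and digits only, or for fewer than 16 characters, shows up here as a single named failure, which is the case several answers in this thread ran into.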
I reset my password and it helped.
After some research I found that the LastPass auto-generated password was not strong enough per Heroku's password reset requirements.
I solved it by opening the password reset link in a different browser (in my case Safari) and entering a strong password (e.g. 51lxgpf2F52PgOBAPdAM#).
I had this problem on Opera, then I went to Chrome and still got the error, but in the end it worked on Microsoft Edge. So try switching your browser to that one.

Auth0 "tenant must have a name"

I'm trying to create a new account. I can log in, but I get to the page that asks for my account name, region, company name and role.
I've filled in all the fields and accepted the terms and conditions but run into an error that says "tenant must have a name". I'm not sure what tenant refers to or how I should fill out the form to proceed.
This seems to be a problem on Auth0's side. I'm experiencing it too. I've opened a bug report on their forum here: https://ask.auth0.com/t/signup-flow-causes-tenant-must-have-a-name/2495.

Why is the User verification required?

I am very curious about some points regarding registration and login from a developer's point of view. Please see below the steps for any online account which is publicly open to all:
CREATE USER ACCOUNT: insert the data entered by the user along with a column activate whose default value is 0
SEND A LINK TO ACTIVATE: a link is sent to the user's email at the time of registration
ACTIVATE THE ACCOUNT: the user clicks the link, the link is verified, and the column 'activate' is updated with value 1
Why is sending a link and verifying it necessary? I suppose it is not absolutely required. I asked clients why they want such verification and I get almost the same answer every time, e.g. checking the authenticity of the user and helping to stop duplicate users.
But practically, at the time of user login, I suppose it is useless to verify the activate column along with the password for every user, every time.
I would appreciate it if you could explain the points which are very important regarding my concern.
This is really a slippery slope, but there are reasons. Obviously spam users will try to create accounts as quickly as possible, for spam reasons. Email and captcha verification will handle this.
Another is the issue of clumsy or accident-prone users who will forget their passwords, which can be worked around by email reminders/resets. Sadly, users may enter fake (or mistyped) email addresses and lose access to their accounts, requiring admin intervention. Simple verification can force users to get their account into a self-rescuable state before adding any data.