Can I make Mobile Hub user sign up without Username field? - amazon-cognito

I am trying to implement the AWS Mobile Hub sign-up process in an iOS app. For "How are your users going to login?" I chose only the email option. But the test app (downloaded from the 'Integration Steps' page after User Pool creation) has a required Username field on the sign-up and log-in screens.
Can I implement this flow with user email and password fields only?

It should be possible, though you might have to autogenerate a fake username on the first sign up. You should make sure email is then passed in as an attribute and is set as an alias for the pool.
One possible sticking point: if email and phone are both given to be confirmed, phone overrides email. In that case, you'd have to ensure manually that emails are confirmed.

Related

Adding Cognito users from our application Users page

I have my own Users page in my application where user Admin can create a new user.
I do not want to let the user sign up by himself, but have the admin of the system add this user.
What do you think the flow for that should be?
I thought about:
Create a new user with a username and temporary password in the Users page.
The user gets an email and presses a link to confirm the email.
The user goes to the login screen of my application and enters the username and temporary password.
The login page changes to Change Password so the user enters and confirms a new password.
When pressing login, the user logs in to the system.
I cannot find a best practice for adding a new user from a built-in Users page in the app.
Do you think my flow is reasonable?
Do you have any code that I can use for that?
This is pretty close to the flow which Cognito has for admin-created users by default when using the Amplify UI Authenticator component. The only difference is that the temporary password is sent to the user via email, so the admin never needs to see it.
To achieve this, you need to use the AdminCreateUser action. The way you do this will vary depending on the library you're using to communicate with Cognito. If it's Python, you can use boto3. If it's JS, you can use the AWS JS SDK. (Sample code in this GitHub comment.)
It's not required to use Amplify UI, you could write all the pages yourself. But it works well with very little effort and looks quite professional. So it should be the first thing you try. Here's another answer providing sample code for React.
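The flow the answer above describes, written out as an added example (this is not code from the thread, from Amplify, or from the linked GitHub comment). It assumes a User Pool app client with ALLOW_USER_PASSWORD_AUTH enabled and no client secret; POOL_ID and CLIENT_ID are placeholders. The admin side calls AdminCreateUser and lets Cognito generate and email the temporary password; the app side logs in with it and answers the NEW_PASSWORD_REQUIRED challenge. All Cognito calls go through a `client` argument, so the functions work with a real boto3 client or with the offline stand-in at the bottom, which mimics only the state transitions used here.

```python
"""Admin-created Cognito user, then the user's first login (added example)."""
import secrets

POOL_ID = "us-east-1_EXAMPLE"      # placeholder
CLIENT_ID = "exampleclientid"      # placeholder


def real_client(region="us-east-1"):
    import boto3  # imported lazily so the offline demo needs no AWS SDK
    return boto3.client("cognito-idp", region_name=region)


def admin_create_user(client, username, email):
    """Admin side (needs IAM cognito-idp:AdminCreateUser). Cognito generates
    the temporary password and emails it, so the admin never sees it."""
    resp = client.admin_create_user(
        UserPoolId=POOL_ID,
        Username=username,
        UserAttributes=[
            {"Name": "email", "Value": email},
            # Mark the address verified so the invitation mail is delivered.
            {"Name": "email_verified", "Value": "true"},
        ],
        DesiredDeliveryMediums=["EMAIL"],
    )
    return resp["User"]["UserStatus"]          # "FORCE_CHANGE_PASSWORD"


def user_first_login(client, username, temp_password, new_password):
    """App side (unauthenticated calls). Logs in with the temporary password
    and answers the NEW_PASSWORD_REQUIRED challenge Cognito returns for a
    user in FORCE_CHANGE_PASSWORD state. Returns the token set."""
    resp = client.initiate_auth(
        ClientId=CLIENT_ID,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": temp_password},
    )
    if resp.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        return resp["AuthenticationResult"]    # password was already changed
    resp = client.respond_to_auth_challenge(
        ClientId=CLIENT_ID,
        ChallengeName="NEW_PASSWORD_REQUIRED",
        Session=resp["Session"],               # short-lived, bound to this attempt
        ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
    )
    return resp["AuthenticationResult"]


class CognitoStub:
    """Offline stand-in for the three cognito-idp calls above (assumption:
    only the FORCE_CHANGE_PASSWORD -> CONFIRMED state machine is modelled).
    `outbox` holds the (email, temporary password) pairs Cognito would mail."""

    def __init__(self):
        self.users, self.sessions, self.outbox = {}, {}, []

    def admin_create_user(self, UserPoolId, Username, UserAttributes, DesiredDeliveryMediums):
        attrs = {a["Name"]: a["Value"] for a in UserAttributes}
        temp = "Temp-" + secrets.token_urlsafe(9)
        self.users[Username] = {"status": "FORCE_CHANGE_PASSWORD", "password": temp, "attrs": attrs}
        self.outbox.append((attrs["email"], temp))
        return {"User": {"Username": Username, "UserStatus": "FORCE_CHANGE_PASSWORD"}}

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        user = self.users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise PermissionError("NotAuthorizedException: Incorrect username or password.")
        if user["status"] == "FORCE_CHANGE_PASSWORD":
            session = secrets.token_hex(16)
            self.sessions[session] = AuthParameters["USERNAME"]
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": session}
        return {"AuthenticationResult": {"AccessToken": "token-for-" + AuthParameters["USERNAME"]}}

    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        username = self.sessions.pop(Session)  # KeyError == unknown/expired session
        self.users[username].update(status="CONFIRMED", password=ChallengeResponses["NEW_PASSWORD"])
        return {"AuthenticationResult": {"AccessToken": "token-for-" + username}}


def demo(client=None):
    """Runs the whole flow against the stub; returns
    (status after create, status after first login, access token)."""
    client = client or CognitoStub()
    before = admin_create_user(client, "jdoe", "jdoe@example.com")
    _, temp = client.outbox[-1]                # the user reads this from the mail
    tokens = user_first_login(client, "jdoe", temp, "Long-and-Strong-Passw0rd!")
    return before, client.users["jdoe"]["status"], tokens["AccessToken"]


if __name__ == "__main__":
    print(demo())
```

Two things to keep in mind when wiring this to a real pool: the admin half runs on your backend under IAM credentials, never in the app, and the temporary password expires after the pool's configured validity period, after which the admin must call AdminCreateUser again with MessageAction="RESEND" to issue a fresh one.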

How to require a verification code before changing attribute in AWS cognito

We are using amazon-cognito-identity-js to manage users in a javascript application.
Currently, once authenticated, a user can change their email address or phone number with cognitoUser.updateAttributes(). If that attribute was marked as verified, it then becomes unverified, and we can trigger verification through cognitoUser.getAttributeVerificationCode(), which sends a confirmation code to the user's phone.
Ideally, we would like to require a code BEFORE changing the attribute, much like the change password flow works. Is such an approach possible?

"Forgot username" flow for AWS Cognito?

I'm using AWS Cognito for authenticating users. Cognito has a well-documented flow to handle users who have forgotten their passwords.
How do I handle users who have forgotten their usernames? Is there a built-in flow that lets the user enter their email or phone number, and then receive an email or text with their associated username? I found the ListUsers API, which returns all the users in a user pool. I could write a Lambda function that filters through all my users, looking for a match on email or phone number. But this seems like overkill.
Unfortunately, there is no default out of the box workflow of "Forgot Username".
I am implementing a similar workflow. We ask the user for their registered phone number/email, retrieve the username based on that, and send it to the email/phone according to configuration. If the user is configured to use both email and phone, we send an SMS to the phone if the user forgets the username (which is the email id they used during sign up).
One major drawback of this approach is that we need to give anonymous users access to the ListUsers API call, which is a potential security issue, but I can't seem to find any other way to inform users of their login details.
For those who are looking for the solution, don't give the anonymous user access to the ListUsers API as suggested in the accepted answer.
There are two ways to implement the 'Forgot username' flow.
1. Enable email as an alias for your Cognito User Pool. From the ForgotPassword API reference:
"Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. The method used to send the confirmation code is sent according to the specified AccountRecoverySetting."
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html
The user will be able to reset the password with their email and the code delivered to the provided email address. If you still want to remind them of the username, you can use a Lambda trigger to generate the password reset email with both the username and the verification code.
2. Use a backend (web server or Lambda) which receives the email address as input to the 'Forgot username' flow. The backend has permission to invoke the ListUsers API (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html) and performs the user lookup using the email. You can then go into the Forgot Password flow using the retrieved username. A Lambda trigger is used to generate the password reset email with the username and verification code.
You can protect this API from abuse using WAF and/or a captcha.
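The backend variant of the answer above, as an added example (not code from the thread or from AWS). It assumes a backend whose IAM role holds cognito-idp:ListUsers on the pool and an app client without a secret; POOL_ID and CLIENT_ID are placeholders. The client submits only an email address; the backend resolves it to a username with a ListUsers exact-match filter, starts ForgotPassword for that user, and returns the same reply whether or not the address exists so the endpoint cannot be used to enumerate accounts. A CustomMessage Lambda trigger then puts the username into the reset email. The `client` argument is boto3.client("cognito-idp") in production and the offline stand-in at the bottom here.

```python
"""'Forgot username' backend plus CustomMessage trigger for Cognito (added example)."""
import re

POOL_ID = "us-east-1_EXAMPLE"      # placeholder
CLIENT_ID = "exampleclientid"      # placeholder
GENERIC_REPLY = {"message": "If an account exists for that address, a recovery email has been sent."}

# Accept only plain addresses: quotes, backslashes and whitespace could otherwise
# alter the ListUsers filter expression built below.
EMAIL_RE = re.compile(r'^[^\s"\\]+@[^\s"\\]+\.[^\s"\\]+$')


def lookup_username_by_email(client, email):
    """Exact-match lookup. Returns None when no user matches or when more than
    one does (a pool without email uniqueness can hold duplicates)."""
    if not EMAIL_RE.fullmatch(email):
        return None
    resp = client.list_users(UserPoolId=POOL_ID, Filter=f'email = "{email}"', Limit=2)
    users = resp.get("Users", [])
    return users[0]["Username"] if len(users) == 1 else None


def forgot_username(client, email):
    """Endpoint body. The reply is identical for known and unknown addresses;
    only the user's own mailbox reveals whether anything happened."""
    username = lookup_username_by_email(client, email)
    if username is not None:
        client.forgot_password(ClientId=CLIENT_ID, Username=username)
    return dict(GENERIC_REPLY)


def custom_message_handler(event, context=None):
    """Cognito CustomMessage Lambda trigger. request.codeParameter is the
    literal placeholder "{####}", which Cognito substitutes when it sends;
    the message must keep it or Cognito rejects the response."""
    if event["triggerSource"] == "CustomMessage_ForgotPassword":
        code = event["request"]["codeParameter"]
        event["response"]["emailSubject"] = "Your account recovery details"
        event["response"]["emailMessage"] = (
            f"Your username is {event['userName']}. "
            f"Your password reset code is {code}.")
    return event


class CognitoStub:
    """Offline stand-in for the two cognito-idp calls used above (assumption:
    only an exact `email = "..."` filter is modelled)."""

    def __init__(self, users):
        self.users = users          # username -> email, constructed sample data
        self.reset_requests = []    # usernames ForgotPassword was started for

    def list_users(self, UserPoolId, Filter, Limit):
        m = re.fullmatch(r'email = "([^"]*)"', Filter)
        hits = [{"Username": u, "Attributes": [{"Name": "email", "Value": e}]}
                for u, e in self.users.items() if m and e == m.group(1)]
        return {"Users": hits[:Limit]}

    def forgot_password(self, ClientId, Username):
        self.reset_requests.append(Username)
        return {"CodeDeliveryDetails": {"DeliveryMedium": "EMAIL"}}


def demo():
    """Runs both endpoints against constructed data; returns
    (replies identical?, usernames reset was started for, rendered mail body)."""
    stub = CognitoStub({"jdoe": "jdoe@example.com", "asmith": "asmith@example.com"})
    known = forgot_username(stub, "jdoe@example.com")
    unknown = forgot_username(stub, "nobody@example.com")
    event = {  # shape of the CustomMessage trigger event, constructed here
        "triggerSource": "CustomMessage_ForgotPassword", "userName": "jdoe",
        "request": {"codeParameter": "{####}", "userAttributes": {"email": "jdoe@example.com"}},
        "response": {"smsMessage": None, "emailMessage": None, "emailSubject": None}}
    mail = custom_message_handler(event)["response"]["emailMessage"]
    return known == unknown, stub.reset_requests, mail


if __name__ == "__main__":
    print(demo())
```

If email is configured as an alias (the first option in the answer), the lookup step is unnecessary: ForgotPassword accepts the email directly as Username and the trigger alone adds the username to the mail. Either way the ListUsers permission stays on the backend role and never reaches the app's identity, and the endpoint should sit behind the WAF rate limiting or captcha the answer mentions, since it still consumes email deliveries per request.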

Parse login with phone number (no password)

Using Parse.com, I want my users to login only with their phone number, just like WhatsApp.
Enter your phone number, get a verification code by SMS, enter the code, and you are logged in and stay logged in!
I can see how I can use Twilio to send a verification code.
My problem is how to tie it in with the Parse authentication framework.
When to use signUp vs login?
What is the password?
What to do the second time the app is launched?
What to do when the application is re-installed?
I don't think you should use the predefined Signup and Login classes provided by Parse, as they do not allow you to create a user without a password.
Nor should you use Anonymous Users, as the data will be lost once the user signs out/uninstalls.
For signup, use another object to store the numbers; implement an onSave hook in Cloud Code to ensure that all the usernames (phone numbers) are unique during signing in.
For each device, perform an OTP (one-time password) to the user's phone by using the Installation class's id.
Perform a query and load the data connected to the number during login.
To keep the user logged in, use the local data store: pin a Boolean variable that indicates the status of the user, either logged in or out.
In the Parse DB, you can use the phone number as the link to the user's other data.
In this way: no password, only OTP.
You will need to store something in the user settings/profile to pin that user. I do not recommend using a boolean but rather something that ties that device to the user, so that if someone decides to copy that file and paste it onto a rooted phone you will be able to determine whether the app install corresponds to that user.
I would recommend using a unique token to create a password for a user in Parse.com. You can use the token that RingCaptcha generates for this, ensuring it will never collide with other users and that every phone number will only be able to verify once per device. RC is a new service that helps you onboard verified users into your apps in seconds via SMS. Integration is a breeze with all the available plugins for web, APIs, and SDKs of all flavours.
[Disclaimer: I'm part of the team behind RingCaptcha]

Linking a mobile device to a useraccount

For an assignment I have to make the CMS system easily accessible through mobile devices. Ideally we would like to create a way for user authentication with the least amount of input possible.
I have created a system with PHP/JavaScript which mimics the Android pattern lock, so at this moment a user can log in by swiping a pattern. But the problem remains that they still have to manually type a username.
Would it be possible to get some sort of unique ID from a smartphone, so we can store this in the database and link it to an account? So that if a user wants to log in to the CMS, he only has to browse to the website, the system recognizes who he is, he swipes his pattern and he is authenticated!
Unfortunately, it is not possible to get a unique device id from a browser.
However, you can do it like this:
If remember me is checked, you can set a cookie on the client's browser where you store the username. Next time the user opens the page, you check if the cookie is set. If so, you prefill the username.
This way the user only has to enter the username the first time, and it will be prefilled until he deletes the cookies in his browser or the cookie expires.