I almost feel stupid for asking, but I can't figure out how to resend a verification email to a user who can't log in using email & password on Play Authenticate. I.e. a user signed up for an account, the token on the verification email has expired, and a new verification email is required.
I understand the original verification email is sent after the user account is created and subsequently logged in, but I can't figure out how to do it with the user not logged in.
I believe you have your order of events wrong: the email is sent after the account is created and BEFORE they log in. If they have already logged in, then they must have validated the email. If they never validated the email, I believe you just need to ask the user to re-signup and a new email will be sent.
..Chet
If a Cognito user lost his confirmation email, he is unable to reset his password or ask for a resend if he is in "force_change_password" status, and no error is displayed to him.
Is there any known fix on that?
Doesn't completely solve my issue, but it does provide an error message to the user.
If you go to User Pool -> General Settings -> App clients -> under Prevent User Existence Errors -> change from enabled to legacy.
So when the user clicks on "forgot password" they will see this error message: "Could not reset password for the account, please contact support or try again".
If a user is in "force_change_password" it is often because you performed an Admin create user operation, where the user is then sent a temporary password to use. After using that temp password the user will be asked to set a new password.
If this is the password you are referring to, you can perform AdminCreateUser again for the same user and set MessageAction to 'RESEND' [1].
"Set to "RESEND" to resend the invitation message to a user that already exists and reset the expiration limit on the user's account."
[1] https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
I'm in the middle of implementing "forgot password". My auth is via JWT access token (the user logs in, gets an access token, and sends it with the REST API calls).
So let's say the user, who currently isn't logged in, clicks "forgot password".
I create some hashed token for him and then send him a mail.
If he clicks it I'll decode it, display the change-password page, and create a new access token. That is the main idea and all good.
My question is for this scenario:
The user clicks "forgot password", enters his mail, I send him a mail, but then instead of clicking the URL and resetting, he logs in via his password.
Should I let him log in, creating an access token and all good, while resetting the token from the sent mail (or is it still a valid token to reset the password with)?
Or display some error saying "go to your mail and continue the forgot password process"?
My question is from the security aspect, since maybe a user thinks his password was compromised, and then if I do let him in, maybe someone who got the password (who isn't the user) can still log in / change the password, while the original user goes to the mail and thinks he proceeded with the process.
I know it's maybe a rare race condition, but I would like to avoid it.
(Also, if I do let him in, and then he clicks the URL from the mail which was already sent, should I reset it? In my scenario, maybe it's better not to reset? Or if a user clicks "forgot password" twice, should I create 2 different tokens, accepting only the later one?)
I really would appreciate advice on how to handle these scenarios, all forgot-password related.
thanks.
I'm not an expert. This is just my opinion:
The "Forgot Password" functionality should not render the old password unusable, as someone else could invoke this process to prevent the owner of the account from logging in.
It could take you quite some time to notice the email, and it would cause a lot of headache.
When someone requests multiple emails in a short while, they should all be functional. It happens often that mail servers take their time, and humans are not known for their patience, so they click the button twice but use the first link arriving in their inbox.
This is all concerning usability.
Now to security:
The emails should also stay active when someone logs in. As you mentioned, a malicious actor could log in and otherwise prevent the owner from changing their password that way.
I'm using AWS Cognito for authenticating users. Cognito has a well-documented flow to handle users who have forgotten their passwords.
How do I handle users who have forgotten their usernames? Is there a built-in flow that lets the user enter their email or phone number, and then receive an email or text with their associated username? I found the ListUsers API, which returns all the users in a user pool. I could write a Lambda function that filters through all my users, looking for a match on email or phone number. But this seems like overkill.
Unfortunately, there is no default out-of-the-box "Forgot Username" workflow.
I am implementing a similar workflow. We ask the user for their registered phone number/email, retrieve the username based on that, and send it to the email/phone according to configuration. If the user is configured to use both email and phone, we send an SMS to the phone if the user forgets the username (which is the email ID they used during sign-up).
One major drawback of this approach is that we need to give the anonymous user access to the ListUsers API call, which is a potential security issue, but I can't seem to find any other way to inform the user about their login details.
For those who are looking for the solution: don't give the anonymous user access to the ListUsers API as suggested in the accepted answer.
There are two ways to implement the 'Forgot username' flow.
1. Enable email as an alias for your Cognito User Pool:
Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. The method used to send the confirmation code is sent according to the specified AccountRecoverySetting.
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html
The user will be able to reset the password with their email and the code delivered to the provided email address. If you still want to remind them of the username, you can use a Lambda trigger to generate the password reset email with both the username and the verification code.
2. Use a backend (web server or Lambda) which receives the email address as input to the 'Forgot username' flow. The backend has permission to invoke the ListUsers API (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html) and performs the user lookup using the email. You can now go into the Forgot Password flow using the retrieved username. A Lambda trigger is used to generate the password reset email with the username and verification code.
You can protect this API from abuse using WAF and/or captcha.
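As an added example of the second approach (not the answer's own code): a backend-only "forgot username" handler in which only the server holds ListUsers permission and every caller gets the same generic reply, so the endpoint cannot be used to test which emails have accounts. The pool and app-client ids are placeholders, and `FakeCognito` is a constructed stand-in for a real boto3 `cognito-idp` client so the block runs offline.

```python
USER_POOL_ID = "REPLACE_WITH_USER_POOL_ID"    # placeholder, not a real pool id
APP_CLIENT_ID = "REPLACE_WITH_APP_CLIENT_ID"  # placeholder, not a real app client id
GENERIC_REPLY = "If an account matches that address, a message with your sign-in details is on its way."


def lookup_username(client, email, user_pool_id=USER_POOL_ID):
    """Resolve an email to the Cognito username via ListUsers; None unless exactly one match."""
    # The email is interpolated into Cognito's filter expression, so refuse characters
    # that could change the expression rather than trying to escape them.
    if not email or '"' in email or "\\" in email:
        return None
    resp = client.list_users(UserPoolId=user_pool_id, Filter=f'email = "{email}"', Limit=2)
    users = resp.get("Users", [])
    # Limit=2 lets us detect an ambiguous (duplicate) email and refuse it.
    return users[0]["Username"] if len(users) == 1 else None


def forgot_username(client, email, app_client_id=APP_CLIENT_ID):
    """Public entry point: identical reply whether or not the email is known."""
    username = lookup_username(client, email)
    if username is not None:
        # Starts Cognito's own reset flow; a CustomMessage Lambda trigger can add the
        # username to that email next to the verification code.
        client.forgot_password(ClientId=app_client_id, Username=username)
    return GENERIC_REPLY


class FakeCognito:
    """Constructed stand-in for boto3's cognito-idp client (only the two calls used above)."""

    def __init__(self, users):
        self.users = users  # list of {"Username": ..., "email": ...}, constructed sample data
        self.calls = []

    def list_users(self, **kwargs):
        self.calls.append(("list_users", kwargs))
        wanted = kwargs["Filter"].split('"')[1]  # value inside  email = "..."
        matches = [{"Username": u["Username"]} for u in self.users if u["email"] == wanted]
        return {"Users": matches[: kwargs.get("Limit", 60)]}

    def forgot_password(self, **kwargs):
        self.calls.append(("forgot_password", kwargs))
        return {"CodeDeliveryDetails": {"DeliveryMedium": "EMAIL"}}
```

In production the route calling `forgot_username` should additionally sit behind the WAF or captcha mentioned above, since the generic reply alone does not stop bulk requests.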
I would like to know which procedure I should take in the following situation:
A user registers into the system and an email is sent to confirm the account (with the confirmation token).
But the user doesn't confirm the account...
If later the same user or another user tries to register with the same email, should I:
Delete all the information about the first user, create an entirely new account and send a new email for validation?
Change the existing account by reseting the password and send an email with a new confirmation token?
Another suggestion?
In this scenario, I'd say that registering an account is like putting down a deposit. You've basically staked a claim to that user account. I would give the confirmation tokens an expiry time - say, three days or so. If a second user tries to register an account that conflicts, check whether the user it conflicts with is verified, and for unverified users, check whether their token is expired.
If there's a verified user with that name, tell them "sorry, that username is taken".
If there's a user who has yet to verify...
If their token is expired, then delete it all and give the new user the name, generating a new verification token for them.
If their token is still active, then the new user can't have the name. It's up to you whether you just say "that username is taken" or maybe let them know that it's not verified and may be up for grabs sometime soon. I'd probably avoid confusing the users with that much detail, and just say it's taken.
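An added illustration of the claim-and-expiry rule this answer describes (not code from the post; the three-day window, the `Registry` class and its field names are assumptions). An unverified registration holds the name only while its confirmation token is unexpired; afterwards a new registrant takes it over and the stale record is discarded.

```python
import secrets
import time

CONFIRM_TTL = 3 * 24 * 3600  # assumed claim window: three days, in seconds


class Registry:
    """In-memory account registry; a username is a 'deposit' held by its confirmation token."""

    def __init__(self):
        self._users = {}  # username -> {"email", "verified", "token", "expires_at"}

    def register(self, username, email, now=None):
        """Return ("taken", None) or ("pending", token) where token goes into the email."""
        now = time.time() if now is None else now
        existing = self._users.get(username)
        if existing is not None:
            if existing["verified"]:
                return "taken", None
            if now < existing["expires_at"]:
                return "taken", None  # unverified, but its claim has not expired yet
            # Claim expired: delete everything about the stale registration.
            del self._users[username]
        token = secrets.token_urlsafe(32)
        self._users[username] = {
            "email": email,
            "verified": False,
            "token": token,
            "expires_at": now + CONFIRM_TTL,
        }
        return "pending", token

    def confirm(self, username, token, now=None):
        """Verify the account if the token matches and the claim is still open."""
        now = time.time() if now is None else now
        user = self._users.get(username)
        if user is None or user["verified"] or now >= user["expires_at"]:
            return False
        if not secrets.compare_digest(user["token"], token):
            return False
        user["verified"] = True
        user["token"] = None  # single use; nothing left to replay
        return True
```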
Would there be any big issues if they never expire?
Somebody forgot his password and requests a password reset; an email with the password reset link is sent to him.
He then suddenly remembers his password and so he simply ignores the password reset email. But after a few days, he forgets again. Since he already has a password reset email in his mailbox, he simply clicks on that link to go back to the website to reset his password.
This seems ok, so why should we make account activation/password reset links expire after some time?
What if their email account was compromised? The attacker then sees all these "password reset" links and clicks through them, further compromising more accounts, among them your service, which may handle real money or credit card information.
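As an added example that is not from any of the posts above, and assuming an in-memory store with a one-hour link lifetime: a reset-token store that follows the earlier answer on forgot-password usability (several outstanding links stay valid, a normal login does not revoke them, the current password is never touched) while expiring every link and revoking all of a user's links once one is used, which limits what a later mailbox compromise can replay.

```python
import hashlib
import secrets
import time

RESET_TTL = 3600  # assumed link lifetime in seconds (one hour)


class ResetTokenStore:
    """Holds unexpired password-reset tokens; the account's password is never touched here."""

    def __init__(self, ttl=RESET_TTL):
        self.ttl = ttl
        self._tokens = {}  # sha256(token) -> (user_id, expires_at); only hashes are stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Mint a fresh link token. Earlier tokens for the same user stay valid (double clicks)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, now + self.ttl)
        return token  # goes into the emailed URL; never logged

    def consume(self, token, now=None):
        """Return the user_id for a valid token and revoke all of that user's tokens; else None."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._tokens[key]  # expired link gets the same answer as an unknown one
            return None
        # A completed reset revokes every outstanding link for this user, so an old email
        # found later in the mailbox cannot be replayed to change the password again.
        self._tokens = {k: v for k, v in self._tokens.items() if v[0] != user_id}
        return user_id

    def outstanding(self, user_id, now=None):
        """Number of this user's still-valid links; nothing in the login path changes it."""
        now = time.time() if now is None else now
        return sum(1 for uid, exp in self._tokens.values() if uid == user_id and exp > now)
```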