Closed owhittlef closed 6 months ago
Hi @owhittlef Thanks for reporting this issue.
Reading your issue description, the issue is that when you specify the domain
attribute of the CookieStorage
, even after signing a user correctly, it says no user has been authenticated.
I noticed that from your screenshot, you are running your web app on localhost
for testing, so the domain for your web app is localhost
. After a user signs in, following your settings, it sets an authentication token into the cookie store with the domain attribute having the value xvoucher.us
. The domain is mismatched in this case, so the browser won't store the cookie, and furthermore, the library won't work as there is no auth token available.
This is expected behavior as you generally cannot set a cookie with a domain attribute that doesn't match the domain of your web app. It's a security measure to prevent cross-site scripting (XXS) attacks. Cookies are bound to a specific domain for security reasons.
For your use case you should consider setting the domain value dynamically based on the running environment of your app. For example, if you are running your web app in dev mode locally, you should set the domain as localhost
, and set the actual domain when your app is running in production mode in your hosting space.
HI @owhittlef following up here - did the comment from @HuiSF help to get you unblocked?
Yes -- silly mistake on my part! Thank you @HuiSF and @nadetastic for your help!
I do have one other question... After resetting the password and passing the temp password sent to the user's email, the email is still unverified. It seems like it should be verified since the user provided a password sent to their email.
I'm guessing I could write the email as verified in the user verified lambda trigger, but is it necessary to do so? Is there a simpler way to make Cognito mark the user as verified when I provide a temp password sent to their email account?
@owhittlef correct that is expected behavior - setting a permanent password doesn't automatically verify email. You can either write the email as verified when creating the user, or update the user email attribute as shown in the documentation here - Also note that if using the Amplify UI Authenticator component, it incorporates this flow for you automatically.
@owhittlef I'm going to mark this issue as resolved, but let me know if you have any more related questions.
Before opening, please confirm:
JavaScript Framework
React
Amplify APIs
Authentication
Amplify Version
v6
Amplify Categories
auth
Backend
Other
Environment information
Describe the bug
I am using AdminCreateUser to create a user on a web server like so using :
Note the server call is not using Amplify, it's just an AWS SDK for C#. The server connects to my user pool using an app client with a secret. After the server call, I have a user who looks like this in the console:
Now, I would like to allow the user to reset their password in a React app with a custom UI. I am not using the hosted UI or or Amplify UI components. The React app connects to the pool though a different app client that is public and does not have a secret. I ask the user for the temp password (sent to their email when they are created with the server call) and a new password, and try to reset their password like so:
I am following the docs here but something isn't quite right. The call to
signIn()
seems to work and returnsCONFIRM_SIGN_IN_WITH_NEW_PASSWORD_REQUIRED
as the next step, but thenconfirmSignIn()
fails with the following error:As you can probably guess, after this error I do not get auth cookies written to my browser's storage. Despite the apparent failure, the user is now confirmed in Cognito, however, their email is not verified.
Subsequent calls to
signIn()
fail with a similar error:FWIW, here's the implementation of handleSignIn from the stack trace above:
Expected behavior
confirmSignIn()
signIn()
function properlyReproduction steps
I get this error by following the steps in the description. I also noticed I could get a similar error if I took a user who was working and set MFA to inactive for them. Then, I get this error:
The implementation of
handleSignIn()
from the stacktrace above is in the issue description. I'm a little bewildered about this because MFA is set to optional on my pool.Code Snippet
All code is in the issue description.
Log output
aws-exports.js
Not applicable.
Manual configuration
Here's how I'm configuring Amplify:
Additional configuration
Command:
aws cognito-idp describe-user-pool --user-pool-id us-east-1_UqGevkEHM
Output:
Mobile Device
NA
Mobile Operating System
NA
Mobile Browser
NA
Mobile Browser Version
NA
Additional information and screenshots
No response