aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

PasswordReset when Email not verified and Confirmation status unconfirmed #13610

Open johannespn opened 1 month ago

johannespn commented 1 month ago


JavaScript Framework

Next.js

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

```
npmPackages:
  @aws-amplify/adapter-nextjs: 1.0.25 => 1.0.25
  @aws-amplify/adapter-nextjs/api: undefined ()
  @aws-amplify/adapter-nextjs/data: undefined ()
  aws-amplify: 6.4.0 => 6.4.0
  aws-amplify/adapter-core: undefined ()
  aws-amplify/analytics: undefined ()
  aws-amplify/analytics/kinesis: undefined ()
  aws-amplify/analytics/kinesis-firehose: undefined ()
  aws-amplify/analytics/personalize: undefined ()
  aws-amplify/analytics/pinpoint: undefined ()
  aws-amplify/api: undefined ()
  aws-amplify/api/server: undefined ()
  aws-amplify/auth: undefined ()
  aws-amplify/auth/cognito: undefined ()
  aws-amplify/auth/cognito/server: undefined ()
  aws-amplify/auth/enable-oauth-listener: undefined ()
  aws-amplify/auth/server: undefined ()
  aws-amplify/data: undefined ()
  aws-amplify/data/server: undefined ()
  aws-amplify/datastore: undefined ()
  aws-amplify/in-app-messaging: undefined ()
  aws-amplify/in-app-messaging/pinpoint: undefined ()
  aws-amplify/push-notifications: undefined ()
  aws-amplify/push-notifications/pinpoint: undefined ()
  aws-amplify/storage: undefined ()
  aws-amplify/storage/s3: undefined ()
  aws-amplify/storage/s3/server: undefined ()
  aws-amplify/storage/server: undefined ()
  aws-amplify/utils: undefined ()
  ...
  next: 14.1.4 => 14.1.4
```

Describe the bug

Calling `resetPassword({ username: values.email })` from `import { resetPassword } from 'aws-amplify/auth'` when the user has Email verified = No and Confirmation status = Unconfirmed results in

```json
{
    "resetPasswordStep": "CONFIRM_RESET_PASSWORD_WITH_CODE",
    "codeDeliveryDetails": {
        "deliveryMedium": "EMAIL",
        "destination": "j***@i***",
        "attributeName": "email"
    }
}
```

but no email with code is being sent.

Expected behavior

I would expect this method to throw an error in the case that user Email verified = No and Confirmation status = Unconfirmed

Reproduction steps

see description

Code Snippet

No response

Log output

No response

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

cwomack commented 1 month ago

Hello, @johannespn and thank you for opening this issue. Can you double check in the Cognito console that this user's email is unconfirmed? We'd expect that a user with no confirmed email or phone number would throw an InvalidParameterException when trying to call the resetPassword() API in this situation (see Cognito docs here).

johannespn commented 1 month ago

Thank you for the quick answer @cwomack, I double checked that the user's email is unconfirmed: see screenshot. I am not getting the exception, but the behavior I described above.


Also, I checked your codebase and the method I am calling (`packages/auth/src/providers/cognito/apis/resetPassword.ts`) has this signature:

```ts
/**
 * Resets a user's password.
 *
 * @param input -  The ResetPasswordInput object.
 * @returns ResetPasswordOutput
 * @throws -{@link ForgotPasswordException }
 * Thrown due to an invalid confirmation code or password.
 * @throws -{@link AuthValidationErrorCode }
 * Thrown due to an empty username.
 * @throws AuthTokenConfigException - Thrown when the token provider config is invalid.
 **/
```

So maybe it's missing the validation check for the confirmation status?

cwomack commented 1 month ago

@johannespn, was this user created via either the AWS CLI or manually in the Cognito console?

johannespn commented 1 month ago

@cwomack We create users via the JavaScript SDK which uses AWS CLI in the background, I believe

johannespn commented 2 weeks ago

@cwomack any updates on this? Our customers are complaining that they cannot reset their password

josefaidt commented 1 week ago

Hey @johannespn :wave: how are users created with the SDK? Do the end users receive an invitation mail they use to log in for the first time?

To reset the password for an unconfirmed user that has not verified their email, you will need to use the Admin* APIs from the SDK, specifically AdminResetUserPassword https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html

https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminResetUserPasswordCommand/
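The backend pattern this advice implies, as an added example that is not code from amplify-js, the AWS SDK or anyone in this thread: a server-side reset handler that looks the user up with admin credentials, sends CONFIRMED users with a verified email through the ordinary ForgotPassword flow (the operation `resetPassword()` calls), and uses AdminResetUserPassword for the unconfirmed / unverified case described in the issue. The `cognito` adapter object with its three methods (`adminGetUser`, `adminResetUserPassword`, `forgotPassword`) and the fake that backs it are assumptions of this example; in a real deployment each method would wrap the corresponding `AdminGetUserCommand`, `AdminResetUserPasswordCommand` and `ForgotPasswordCommand` from `@aws-sdk/client-cognito-identity-provider` with the pool id and client id filled in.

```javascript
// Added example, not code from amplify-js or the AWS SDK: server-side
// password-reset handler that picks the reset path from the user's Cognito
// state so unconfirmed / unverified users are not silently dropped.
//
// Assumption: `cognito` is a caller-supplied adapter with three async methods,
// adminGetUser(username), adminResetUserPassword(username) and
// forgotPassword(username), each wrapping the like-named
// @aws-sdk/client-cognito-identity-provider command. The adapter shape is ours.

// Read the "email_verified" attribute from an AdminGetUser-shaped record
// ({ UserStatus, UserAttributes: [{ Name, Value }, ...] }).
function isEmailVerified(user) {
  const attrs = Array.isArray(user.UserAttributes) ? user.UserAttributes : [];
  const attr = attrs.find((a) => a.Name === 'email_verified');
  return attr !== undefined && attr.Value === 'true';
}

// Pure decision, kept separate so it is easy to unit-test:
//  'self-service' -> CONFIRMED user with a verified email; ForgotPassword
//                    (what the client-side resetPassword() calls) delivers a code.
//  'admin-reset'  -> unconfirmed and/or unverified, the state in this issue, where
//                    ForgotPassword reports delivery details but nothing arrives;
//                    per the thread, use AdminResetUserPassword from the backend.
function chooseResetPath(user) {
  if (user.UserStatus === 'CONFIRMED' && isEmailVerified(user)) {
    return 'self-service';
  }
  return 'admin-reset';
}

// Endpoint logic (e.g. behind a Next.js route handler). Every outcome returns
// the same generic message to the caller, so the endpoint does not reveal
// whether an account exists or how far its sign-up got; the concrete outcome
// is carried in `audit` for server-side logging only.
async function handlePasswordResetRequest(cognito, username) {
  const generic = { status: 'ok', message: 'If that account exists, a password reset has been started.' };
  let user;
  try {
    user = await cognito.adminGetUser(username);
  } catch (err) {
    if (err && err.name === 'UserNotFoundException') {
      return { ...generic, audit: 'user-not-found' };
    }
    throw err; // anything else (throttling, IAM denial) is a real failure
  }
  const path = chooseResetPath(user);
  if (path === 'admin-reset') {
    await cognito.adminResetUserPassword(username);
  } else {
    await cognito.forgotPassword(username);
  }
  return { ...generic, audit: path };
}

// Constructed fake adapter so the handler runs offline. Two sample users: one
// fully confirmed, one in exactly the state reported in this issue.
function makeFakeCognito() {
  const users = {
    'alice@example.com': {
      UserStatus: 'CONFIRMED',
      UserAttributes: [
        { Name: 'email', Value: 'alice@example.com' },
        { Name: 'email_verified', Value: 'true' },
      ],
    },
    'j@i.example': {
      UserStatus: 'UNCONFIRMED',
      UserAttributes: [
        { Name: 'email', Value: 'j@i.example' },
        { Name: 'email_verified', Value: 'false' },
      ],
    },
  };
  const calls = { adminResets: [], forgotPasswords: [] };
  return {
    calls,
    async adminGetUser(username) {
      const user = users[username];
      if (!user) {
        const err = new Error('User does not exist.');
        err.name = 'UserNotFoundException'; // error name the SDK uses for a missing user
        throw err;
      }
      return user;
    },
    async adminResetUserPassword(username) {
      calls.adminResets.push(username);
      return {};
    },
    async forgotPassword(username) {
      calls.forgotPasswords.push(username);
      return { CodeDeliveryDetails: { DeliveryMedium: 'EMAIL' } };
    },
  };
}

// Stand-alone demo against the fake: the issue's user takes the admin path.
const demo = makeFakeCognito();
handlePasswordResetRequest(demo, 'j@i.example').then((result) => {
  console.log(result, demo.calls);
});
```

Because the Admin* calls need IAM credentials, this logic has to live on the server (a Next.js route handler or Lambda), never in the browser bundle; the frontend only posts the username and shows the generic message. Keeping the per-user outcome in `audit` rather than in the HTTP response is what lets the backend log and alert on unconfirmed accounts without turning the reset endpoint into a way to probe which addresses are registered.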

ysabri commented 1 day ago

@josefaidt @cwomack I'm facing this issue as well and I believe it's similar to this issue: https://github.com/aws-amplify/amplify-js/issues/11270

I recently upgraded to V6 and now I can't handle this error from the frontend side because the hub doesn't send events for errors anymore. I have no way of finding out if the user who is attempting to reset their password has an unconfirmed email.