aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Temp password only succeeds once. #13802

Closed robdubparker closed 1 month ago

robdubparker commented 1 month ago

JavaScript Framework

React Native

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

```
# Put output below this line
System:
  OS: macOS 14.6.1
  CPU: (10) arm64 Apple M1 Pro
  Memory: 1.58 GB / 16.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 20.16.0 - ~/.nvm/versions/node/v20.16.0/bin/node
  npm: 10.8.1 - ~/.nvm/versions/node/v20.16.0/bin/npm
  Watchman: 2024.07.15.00 - /opt/homebrew/bin/watchman
Browsers:
  Chrome: 128.0.6613.137
  Safari: 17.6
npmPackages:
  @aws-amplify/backend: ^1.2.1 => 1.2.1
  @aws-amplify/backend-cli: ^1.2.6 => 1.2.6
  @aws-amplify/react-native: ^1.1.4 => 1.1.4
  @aws-amplify/ui-react-native: ^2.2.5 => 2.2.5
  @aws-sdk/client-s3: 3.624.0 => 3.624.0
  @babel/core: ^7.20.0 => 7.25.2
  @expo/vector-icons: ^14.0.2 => 14.0.2
  @react-native-async-storage/async-storage: 1.23.1 => 1.23.1
  @react-native-community/netinfo: 11.3.1 => 11.3.1
  @react-navigation/drawer: ^6.7.2 => 6.7.2
  @react-navigation/native: ^6.0.2 => 6.1.18
  @types/jest: ^29.5.12 => 29.5.12
  @types/react: ~18.2.45 => 18.2.79
  @types/react-test-renderer: ^18.0.7 => 18.3.0
  HelloWorld: 0.0.1
  aws-amplify: ^6.6.0 => 6.6.0
  aws-amplify/adapter-core: undefined ()
  aws-amplify/analytics: undefined ()
  aws-amplify/analytics/kinesis: undefined ()
  aws-amplify/analytics/kinesis-firehose: undefined ()
  aws-amplify/analytics/personalize: undefined ()
  aws-amplify/analytics/pinpoint: undefined ()
  aws-amplify/api: undefined ()
  aws-amplify/api/server: undefined ()
  aws-amplify/auth: undefined ()
  aws-amplify/auth/cognito: undefined ()
  aws-amplify/auth/cognito/server: undefined ()
  aws-amplify/auth/enable-oauth-listener: undefined ()
  aws-amplify/auth/server: undefined ()
  aws-amplify/data: undefined ()
  aws-amplify/data/server: undefined ()
  aws-amplify/datastore: undefined ()
  aws-amplify/in-app-messaging: undefined ()
  aws-amplify/in-app-messaging/pinpoint: undefined ()
  aws-amplify/push-notifications: undefined ()
  aws-amplify/push-notifications/pinpoint: undefined ()
  aws-amplify/storage: undefined ()
  aws-amplify/storage/s3: undefined ()
  aws-amplify/storage/s3/server: undefined ()
  aws-amplify/storage/server: undefined ()
  aws-amplify/utils: undefined ()
  expo: ~51.0.28 => 51.0.32
  expo-auth-session: ~5.5.2 => 5.5.2
  expo-av: ~14.0.7 => 14.0.7
  expo-font: ~12.0.9 => 12.0.10
  expo-image-picker: ~15.0.7 => 15.0.7
  expo-linking: ~6.3.1 => 6.3.1
  expo-local-authentication: ~14.0.1 => 14.0.1
  expo-router: ~3.5.23 => 3.5.23
  expo-splash-screen: ~0.27.5 => 0.27.5
  expo-status-bar: ~1.12.1 => 1.12.1
  expo-system-ui: ~3.0.7 => 3.0.7
  expo-web-browser: ~13.0.3 => 13.0.3
  jest: ^29.2.1 => 29.7.0
  jest-expo: ~51.0.4 => 51.0.4
  react: 18.2.0 => 18.2.0
  react-dom: 18.2.0 => 18.2.0
  react-hook-form: 7.41.5 => 7.41.5 (7.53.0)
  react-native: 0.74.5 => 0.74.5
  react-native-gesture-handler: ~2.16.1 => 2.16.2
  react-native-get-random-values: ^1.11.0 => 1.11.0
  react-native-paper: ^5.12.5 => 5.12.5
  react-native-reanimated: ~3.10.1 => 3.10.1
  react-native-safe-area-context: 4.10.5 => 4.10.5
  react-native-screens: 3.31.1 => 3.31.1
  react-native-web: ~0.19.10 => 0.19.12
  react-test-renderer: 18.2.0 => 18.2.0
  typescript: ~5.3.3 => 5.3.3 (4.4.4, 4.9.5)
  uuid: ^10.0.0 => 10.0.0 (9.0.1, 8.3.2, 7.0.3)
  web-streams-polyfill: 3.3.3 => 3.3.3
  web-streams-polyfill-es2018: undefined ()
  web-streams-polyfill-es6: undefined ()
  web-streams-ponyfill: undefined ()
  web-streams-ponyfill-es2018: undefined ()
  web-streams-ponyfill-es6: undefined ()
npmGlobalPackages:
  corepack: 0.28.2
  eas-cli: 10.2.1
  expo-cli: 6.3.10
  npm: 10.8.1
  typescript: 5.3.3
```

Describe the bug

If the CONFIRM_SIGN_IN_WITH_NEW_PASSWORD_REQUIRED session expires (which can happen for a handful of reasons), the user's temp password no longer works and a "NotAuthorizedException" error is thrown for any future attempts. The newly created user is now locked out of ever being able to log in via the aws-amplify/auth library. Reset password functionality does not work in this case either. The only way around this seems to be to delete the user and recreate them within the AWS Amplify console.

Expected behavior

User should be allowed to log in and set their new password using the temp password provided during user creation.

Reproduction steps

  1. A user is created in the Amplify console with a temp password assigned.
  2. User enters username and temp password at the login prompt of custom site form.
  3. On submit, the response contains nextStep.signInStep = 'CONFIRM_SIGN_IN_WITH_NEW_PASSWORD_REQUIRED'.
  4. All good so far. This is when the user enters a new password which is then passed to the confirmSignIn function.
  5. If session expires before the user sends a new password to confirmSignIn function, we hit our issue.

Code Snippet

// Put your code below this line.

Log output

```
// Put your logs below this line
```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response
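The sign-in flow from the reproduction steps, with the two failure modes the report describes (lapsed challenge session, temp password already consumed) handled explicitly so the UI can tell them apart instead of retrying a dead temp password. This is an added example, not code from the issue or the Amplify project; the `auth` object is injected (in an app it would be the real `signIn`/`confirmSignIn` from `aws-amplify/auth`, whose v6 call shapes are assumed here), and `makeFakeAuth` is a constructed stand-in that models only the behaviour described in the thread.

```javascript
// Added example, not code from the issue or the Amplify project. `auth` is injected so
// the flow runs offline; in an app: import { signIn, confirmSignIn } from 'aws-amplify/auth'.
const NEW_PASSWORD_STEP = 'CONFIRM_SIGN_IN_WITH_NEW_PASSWORD_REQUIRED';

async function signInWithTempPassword(auth, username, tempPassword, askNewPassword) {
  let result;
  try {
    result = await auth.signIn({ username, password: tempPassword });
  } catch (err) {
    // An already-consumed temp password fails here; retrying the same credentials
    // cannot recover, the user needs a fresh admin-issued temp password.
    if (err.name === 'NotAuthorizedException') return { status: 'TEMP_PASSWORD_REJECTED' };
    throw err;
  }
  if (result.isSignedIn) return { status: 'SIGNED_IN' };
  if (result.nextStep.signInStep !== NEW_PASSWORD_STEP) {
    return { status: 'UNHANDLED_STEP', step: result.nextStep.signInStep };
  }
  // Collect the new password and submit it promptly: the challenge session is
  // short-lived (3 minutes by default, per the maintainers' reply).
  const newPassword = await askNewPassword();
  try {
    const done = await auth.confirmSignIn({ challengeResponse: newPassword });
    return done.isSignedIn ? { status: 'SIGNED_IN' } : { status: 'UNHANDLED_STEP', step: done.nextStep.signInStep };
  } catch (err) {
    // Lapsed challenge session: report it distinctly so the UI does not loop on a
    // temp password that is now dead.
    if (err.name === 'NotAuthorizedException') return { status: 'SESSION_EXPIRED' };
    throw err;
  }
}

// Constructed stand-in for a Cognito user pool that models only what the thread
// describes: the temp password is single-use and the challenge session can lapse.
function makeFakeAuth({ tempPassword, sessionExpires = false }) {
  const state = { tempUsed: false, sessionOpen: false };
  const notAuthorized = () => Object.assign(new Error('Incorrect username or password.'), { name: 'NotAuthorizedException' });
  return {
    async signIn({ password }) {
      if (state.tempUsed || password !== tempPassword) throw notAuthorized();
      state.tempUsed = true; state.sessionOpen = true;
      return { isSignedIn: false, nextStep: { signInStep: NEW_PASSWORD_STEP } };
    },
    async confirmSignIn() {
      if (!state.sessionOpen || sessionExpires) { state.sessionOpen = false; throw notAuthorized(); }
      state.sessionOpen = false;
      return { isSignedIn: true, nextStep: { signInStep: 'DONE' } };
    },
  };
}
```

Running the flow twice against a stand-in whose session lapses reproduces the report: the first attempt ends in `SESSION_EXPIRED`, the second in `TEMP_PASSWORD_REJECTED`, which is the point at which only an admin-issued replacement password helps.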

israx commented 1 month ago

Hello @robdubparker. The default authentication session expiry time is 3 minutes. You can increase it up to 15 minutes.

cwomack commented 1 month ago

Hello, @robdubparker 👋. To add to what @israx said, the temporary password is only valid to be used once. More than likely, this is tied to the auth flow session duration mentioned above though.

robdubparker commented 1 month ago

Thanks for the quick responses to this. I think my issue was more tied to the temp password being valid only once. After that the user is sort of locked in a FORCE_PASSWORD_RESET state that can't be changed. The user needs to be deleted and re-created in this case. I wasn't sure if this was intentional or not. If intentional, no problem, I think I have some ideas if it becomes an issue. I'm hoping it's a scenario that won't happen very often, if at all.

cwomack commented 1 month ago

@robdubparker, wanted to circle back on this issue to point to a couple of others in the repo that are capturing this "gap" in the user experience with Cognito's password reset flows. We have #9844 for the inability to indicate when a temp password has expired as well as #11270 detailing the "deadlocked" state that users can get into.

Since this issue is describing expected behavior that the temporary passwords can only be used once, we'll close this issue out. However, we encourage you to upvote/comment/add context to the other issues above to help them gain traction. Thanks!