aws / aws-aspnet-cognito-identity-provider

ASP.NET Core Identity Provider for Amazon Cognito
https://aws.amazon.com/developer/language/net/
Apache License 2.0
213 stars 89 forks

RemovePasswordAsync() fails for an unconfirmed user #214

Closed IgorPietraszko closed 2 years ago

IgorPietraszko commented 2 years ago

The Question

I have a use case for changing the password and name for an unconfirmed user.

In this case I would like to change their name and password (in case it is different) and resend the confirmation code. Since I don't know their previous password, I cannot use ChangePasswordAsync() to change their password.

I have attempted to call RemovePasswordAsync() with the idea of later calling AddPasswordAsync() with the new password, but I get an exception (System.NotSupportedException: Store does not implement IUserPasswordStore) when calling RemovePasswordAsync(). Is this due to the fact that I cannot change the password on an unconfirmed user? Is there a way to accomplish that?

The workaround I have is to call DeleteAsync() prior to calling CreateAsync() but that seems a bit heavy-handed to accomplish what I need.

Environment


This is a :question: general question

ashishdhingra commented 2 years ago

Hi @IgorPietraszko,

Good afternoon.

Thanks for posting the guidance question. A similar question was posted a few days back; refer to https://github.com/aws/aws-sdk-net/issues/1984. I do not think there is a workaround to handle the said scenario for an unconfirmed user. Please refer to the communication in the said issue and see if it helps.

Thanks, Ashish

IgorPietraszko commented 2 years ago

Thanks for the response.

github-actions[bot] commented 2 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

BhangeeF16 commented 9 months ago

You can check the user status with AdminGetUserAsync and then forcefully set a password for the user if you want to change the password.

NOTE: AdminSetUserPasswordAsync summary: Sets the specified user's password in a user pool as an administrator. Works on any user. The password can be temporary or permanent. If it is temporary, the user status enters the FORCE_CHANGE_PASSWORD state. When the user next tries to sign in, the InitiateAuth/AdminInitiateAuth response will contain the NEW_PASSWORD_REQUIRED challenge. If the user doesn't sign in before it expires, the user won't be able to sign in, and an administrator must reset their password. Once the user has set a new password, or the password is permanent, the user status is set to Confirmed.

The following uses the AWS SDK IAmazonCognitoIdentityProvider (AWSSDK.CognitoIdentityProvider):

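```csharp
// Look up the user's current status in the user pool.
var result = await _cognitoProviderClient.AdminGetUserAsync(new AdminGetUserRequest
{
    Username = email,
    UserPoolId = _appConfig.UserPoolId
});

if (result.UserStatus == UserStatusType.UNCONFIRMED)
{
    // Set a temporary password as an administrator; the previous password is not needed.
    var response = await _cognitoProviderClient.AdminSetUserPasswordAsync(new AdminSetUserPasswordRequest
    {
        Username = email,
        Password = GenerateRandomPassword(), // helper not shown in the post
        Permanent = false,                   // temporary: status becomes FORCE_CHANGE_PASSWORD
        UserPoolId = _appConfig.UserPoolId
    });

    // other logic
}
```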
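The snippet above calls a password helper that it does not define. The following is an added example, not code from this thread or from the AWS project, of one way to write such a helper so that the temporary password comes from a cryptographically secure generator. The class name `TemporaryPassword`, the method `Generate`, the character sets and the policy (minimum length 8, one character from each class) are assumptions; match them to the user pool's configured password policy.

```csharp
using System;
using System.Security.Cryptography;

// Added example: hypothetical helper, not part of the AWS SDK or the original post.
public static class TemporaryPassword
{
    // Assumed policy: at least one character from each class below.
    // Look-alike characters (I, O, l, 0, 1) are omitted because the value is read by a person.
    private const string Upper = "ABCDEFGHJKLMNPQRSTUVWXYZ";
    private const string Lower = "abcdefghijkmnopqrstuvwxyz";
    private const string Digits = "23456789";
    private const string Symbols = "!@#$%^&*()-_=+";

    public static string Generate(int length = 16)
    {
        if (length < 8)
            throw new ArgumentOutOfRangeException(nameof(length), "Use at least 8 characters.");

        string[] classes = { Upper, Lower, Digits, Symbols };
        string all = string.Concat(classes);
        char[] chars = new char[length];

        // One character from every required class, so the policy check cannot fail.
        for (int i = 0; i < classes.Length; i++)
            chars[i] = Pick(classes[i]);

        // Remaining positions are drawn from the full alphabet.
        for (int i = classes.Length; i < length; i++)
            chars[i] = Pick(all);

        // Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed
        // characters do not sit at predictable positions.
        for (int i = length - 1; i > 0; i--)
        {
            int j = RandomNumberGenerator.GetInt32(i + 1);
            (chars[i], chars[j]) = (chars[j], chars[i]);
        }

        return new string(chars);
    }

    // RandomNumberGenerator.GetInt32 returns a uniform value in [0, toExclusive)
    // without modulo bias; System.Random is not suitable for credentials.
    private static char Pick(string alphabet) =>
        alphabet[RandomNumberGenerator.GetInt32(alphabet.Length)];
}
```

Keep the generated value out of application logs and deliver it only over the channel already verified for that user.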