
We use AWS Cognito for authentication. When we create a user, Cognito sends an email with the following message:

Your username is {username} and temporary password is {####}.

As we know, the user is created with FORCE_NEW_PASSWORD status. Is it somehow possible to add an access token to the email body so as to form a link to the page where the user may change their password to activate the account?

Annet

1 Answer

I have used aws-cognito in Node.js and Angular 2. When you attempt first-time login, the user enters the temporary credentials; after this an OTP will be sent to either phone or email (decided by the user pool).

The following is the function used for login:

var authenticationData = {
    Username: username, // req.body.username
    Password: password  // req.body.password
};

var poolData = {
    UserPoolId: upid,
    ClientId: cid,
    AuthFlow: 'ADMIN_NO_SRP_AUTH' // not a CognitoUserPool option; the constructor ignores it
};

var userPool = new AWS.CognitoIdentityServiceProvider.CognitoUserPool(poolData);

var authenticationDetails = new AWS.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);

var userData = {
    Username: username,
    Pool: userPool
};

var cognitoUser = new AWS.CognitoIdentityServiceProvider.CognitoUser(userData);

cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
        // not for first time login case and user has permanent credentials
    },
    onFailure: function (err) {
        res.send(err); // login failure
    },
    newPasswordRequired: function (userAttributes, requiredAttributes) {
        // first login with the temporary password: Cognito returns this challenge instead of tokens
        var response = {"ChallengeName": "NEW_PASSWORD_REQUIRED", "userAttributes": userAttributes};
        // I have used localStorage to save data temporarily (browser-side only; not available in Node)
        localStorage.setItem('userAttributes', JSON.stringify(userAttributes));
        res.send(response);
    }
});

Now, as you are asking about first-time login: you need to pass the old password, username and user attributes to the next API call to get the permanent credentials.

I have not sent the token in the email message; I keep it in localStorage so that it can be utilised when the user comes back to the browser. This way you will get the ID Token.

So you can use the code for updating the password as follows:

router.post('/updatepassword', function (req, res) {

    var username = req.body.username;
    var newPassword = req.body.newpassword;
    var userAttributes = req.body.userAttributes; // not needed: the challenge callback supplies its own copy
    var oldpassword = req.body.oldpassword;
    var userPool    = globalConfiguration(); // custom function to get pool data
    var userData = {
        Username: username, //req.body.username,
        Pool: userPool
    };
    var params = { // not used by the calls below
        UserPoolId: 'us-west-2_XxxxxXX', /* required */
        Username: username, //req.body.username,
    };
    var authenticationData = {
        Username: username, //req.body.username,
        Password: oldpassword, //req.body.password,
    };

    var authenticationDetails = new AWS.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);
    // so only username and previous password are required.
    var cognitoUser = new AWS.CognitoIdentityServiceProvider.CognitoUser(userData);
    cognitoUser.authenticateUser(authenticationDetails, {
        onSuccess: function (result) {
            // user already has a permanent password; nothing to change
            res.send({'success': 'already permanent'});
        },
        onFailure: function (err) {
            res.status(401).send(err); // wrong username or temporary password
        },
        newPasswordRequired: function (userAttributes, requiredAttributes) {

            // the api doesn't accept this field back
            delete userAttributes.email_verified;
            delete userAttributes.phone_number_verified;

            // answer the HTTP request only once Cognito has accepted the new password
            cognitoUser.completeNewPasswordChallenge(newPassword, userAttributes, {
                onSuccess: function (result) {
                    res.send({'success': 'success'}); // result now carries the ID and access tokens
                },
                onFailure: function (err) {
                    res.status(400).send(err); // e.g. password policy violation
                }
            });
        }
    });
});

Hope this helps you!

Deep Kakkar
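As an added example (not code from the answer or from AWS), here is the server-side shape of the same first-login step in the AWS SDK v2 `CognitoIdentityServiceProvider` admin flow that the answer's `ADMIN_NO_SRP_AUTH` setting refers to. `adminInitiateAuth` returns a `NEW_PASSWORD_REQUIRED` challenge plus a `Session` rather than tokens, so at the moment the invitation email is sent there is no token that could be placed in it; the function below builds the `adminRespondToAuthChallenge` request, dropping the read-only flags the answer deletes and checking `requiredAttributes`. Pool ids, username and challenge payload are constructed sample values.

```javascript
// Added example, not code from the original answer. Builds the request for AWS SDK v2
// CognitoIdentityServiceProvider.adminRespondToAuthChallenge after adminInitiateAuth
// (ADMIN_NO_SRP_AUTH) returned NEW_PASSWORD_REQUIRED. Pure function: no network call.

// Constructed sample values (not real ids).
const SAMPLE_POOL = { UserPoolId: 'us-west-2_EXAMPLE', ClientId: 'exampleclientid123' };
const SAMPLE_CHALLENGE = {
  ChallengeName: 'NEW_PASSWORD_REQUIRED',
  Session: 'CONSTRUCTED-SESSION-STRING',
  ChallengeParameters: {
    // Cognito encodes both of these as JSON strings inside ChallengeParameters.
    requiredAttributes: '["userAttributes.name"]',
    userAttributes: JSON.stringify({ email: 'annet@example.com', email_verified: 'true' })
  }
};

// Read-only attributes Cognito rejects when echoed back (the answer deletes the same two).
const READ_ONLY_ATTRS = ['email_verified', 'phone_number_verified'];

function buildNewPasswordChallengeResponse(pool, username, challenge, newPassword, extraAttributes) {
  if (challenge.ChallengeName !== 'NEW_PASSWORD_REQUIRED') {
    throw new Error('Expected NEW_PASSWORD_REQUIRED, got ' + challenge.ChallengeName);
  }
  if (!challenge.Session) {
    // Session ties the answer to this sign-in attempt; without it Cognito cannot match the challenge.
    throw new Error('Missing Session from adminInitiateAuth');
  }
  const cp = challenge.ChallengeParameters || {};
  const attrs = Object.assign({}, JSON.parse(cp.userAttributes || '{}'), extraAttributes || {});

  const responses = { USERNAME: username, NEW_PASSWORD: newPassword };
  for (const [name, value] of Object.entries(attrs)) {
    if (READ_ONLY_ATTRS.includes(name)) continue;   // drop flags Cognito will not accept back
    responses['userAttributes.' + name] = value;    // user attributes are sent with this prefix
  }
  // Attributes the pool marks as required must be supplied now or the call fails.
  for (const key of JSON.parse(cp.requiredAttributes || '[]')) {
    if (!(key in responses)) throw new Error('Required attribute not supplied: ' + key);
  }
  return {
    UserPoolId: pool.UserPoolId,
    ClientId: pool.ClientId,
    ChallengeName: 'NEW_PASSWORD_REQUIRED',
    ChallengeResponses: responses,
    Session: challenge.Session
  };
}
```

Pass the returned object to `new AWS.CognitoIdentityServiceProvider().adminRespondToAuthChallenge(...)`; the IdToken and AccessToken appear only in that call's `AuthenticationResult`, which is why nothing exists yet to embed in the invitation email.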
  • Thank you Deep. It looks valid, but the main problem is how to put a URL with this token in the invitation email? – Annet Nov 28 '17 at 13:49
  • After the first login attempt, redirect the user to the screen where they have to input the OTP (which they get by either email or phone). – Deep Kakkar Nov 28 '17 at 14:01
  • But we need to add this link to the invitation email so as not to force the user to go to the login screen... and open the change-password page from the email. – Annet Nov 28 '17 at 14:07
  • Put that link statically in the email, where the user will enter the OTP. And because of localStorage, the token is already saved there, so when the user is on that page it will fetch the token from localStorage. – Deep Kakkar Nov 28 '17 at 14:08
  • Apart from this, if you have checked the code, there I am using var authenticationDetails = new AWS.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData); where authenticationData contains username and oldpassword... and only these are required. – Deep Kakkar Nov 28 '17 at 14:11
  • Have you gotten a solution? – Deep Kakkar Nov 28 '17 at 15:05