2

I have a user pool set up to use email as the user identifier (also configured to require email verification). Every main action/flow (login, signup, change password, reset password) seems to work fine and as expected.

The one important thing which does not work as one would expect is the change-email flow:

When an email change is requested, Cognito sends a verification code to the new email as expected, but it also updates the email to the new value before verification.

This causes a problem when, for example, the new email was mistyped (so the verification code never arrives) and the user forgets their password. There seems to be no way to recover from it. Am I missing, misconfiguring or abusing something? I did only minimal user pool customisation (except case-insensitivity maybe).

What would be the reason that AWS allows changing the email before verifying it (even though Cognito actually requires verification during signup, before the account is created)?

Are there some user pool configuration settings (or a lambda) or local SDK settings I am missing?

BTW: I am using AWSMobileClient from the iOS SDK as the client, but this probably does not matter(?).

Lukasz

2 Answers

5

The Cognito team have finally fixed this, but you need to opt in to the correct behavior.

From the developer guide:

Amazon Cognito can also require that your user verifies the new value before Amazon Cognito updates the attribute. When you require that your users first verify the new value, they can use the original value for sign-in and to receive messages until they verify the new value.

To opt-in to this behavior, follow the steps on that page:

  1. Sign in to the Amazon Cognito console. If prompted, enter your AWS credentials.

  2. In the navigation pane, choose User Pools, and choose the user pool you want to edit.

  3. In the Sign-up experience tab, choose Edit under Attribute verification and user account confirmation.

  4. Choose Keep original attribute value active when an update is pending.

  5. Under Active attribute values when an update is pending, choose the attributes that you want to require your users verify before Amazon Cognito updates the value.

  6. Choose Save changes.

This will enable what should be the default behavior for user pools: The attribute will keep its old value until the user actually verifies the new value, at which point Cognito updates the value to the new one.

Klaycon
  • They still have not fixed their email templating issue. For example, `{username}` does not work with verification emails/texts. – Hafiz Temuri Jun 29 '22 at 22:07
  • @HafizTemuri I'm not sure what that has to do with the question or this answer. – Klaycon Jun 30 '22 at 22:53
  • just saying... because the above answer is still valid. It's best to do the verification flow yourself. Cognito is still full of bugs. – Hafiz Temuri Jul 02 '22 at 07:36
  • Also want to note here that the verification flow cannot be triggered by updating the login email with the admin API. (ie: adminUpdateUserAttributes). Just in case anybody sees this answer when searching for how to do this in a way that is not initiated by the user. – dmauldin Sep 22 '22 at 21:52
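The console steps in the answer above map to one field on the user pool, `UserAttributeUpdateSettings.AttributesRequireVerificationBeforeUpdate`, which you can also set with `aws cognito-idp update-user-pool --user-pool-id <id> --user-attribute-update-settings AttributesRequireVerificationBeforeUpdate=email` or from code. The catch with `UpdateUserPool` is that any setting you omit from the call is reset to its default, so the safe pattern is to read the pool first and write the whole configuration back with the new field added. The script below does that with boto3 and then shows the two client calls (`UpdateUserAttributes`, then `VerifyUserAttribute`) that make up the user-facing change-email flow once the option is on. It is an added example, not code from the original post, from AWS, or from the Amplify project; the helper names, the sample pool description, and in particular the `PRESERVED_KEYS` list of settings that `DescribeUserPool` returns and `UpdateUserPool` accepts are assumptions made here and should be checked against the current API reference before use.

```python
"""Opt a Cognito user pool into 'verify the new email before it replaces the old one'.

Added example; not code from the original post, AWS, or Amplify. It uses the real
cognito-idp operations DescribeUserPool, UpdateUserPool, UpdateUserAttributes and
VerifyUserAttribute via boto3. Helper names, the preserved-key list and the sample
data are assumptions made for this example.
"""

# Keys DescribeUserPool returns that UpdateUserPool also accepts as input. This list
# is an assumption based on the API reference; check it against the current docs,
# because UpdateUserPool resets any setting you leave out to its default.
PRESERVED_KEYS = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage", "EmailVerificationSubject",
    "VerificationMessageTemplate", "SmsAuthenticationMessage", "MfaConfiguration",
    "DeviceConfiguration", "EmailConfiguration", "SmsConfiguration", "UserPoolTags",
    "AdminCreateUserConfig", "UserPoolAddOns", "AccountRecoverySetting",
)


def verify_before_update_attrs(pool: dict) -> list:
    """Attributes the pool already requires to be verified before an update lands."""
    settings = pool.get("UserAttributeUpdateSettings") or {}
    return list(settings.get("AttributesRequireVerificationBeforeUpdate", []))


def email_change_needs_verification(pool: dict) -> bool:
    """True when 'Keep original attribute value active when an update is pending'
    covers email, i.e. the behaviour the answer recommends."""
    return "email" in verify_before_update_attrs(pool)


def build_update_kwargs(pool: dict, attrs=("email",)) -> dict:
    """UpdateUserPool arguments that enable verify-before-update for `attrs` while
    carrying every other existing setting across unchanged."""
    kwargs = {"UserPoolId": pool["Id"]}
    for key in PRESERVED_KEYS:
        if key in pool:
            kwargs[key] = pool[key]
    # DescribeUserPool echoes the deprecated UnusedAccountValidityDays; sending it
    # together with Policies.PasswordPolicy.TemporaryPasswordValidityDays is rejected.
    if "AdminCreateUserConfig" in kwargs:
        kwargs["AdminCreateUserConfig"] = {
            k: v for k, v in kwargs["AdminCreateUserConfig"].items()
            if k != "UnusedAccountValidityDays"
        }
    merged = sorted(set(verify_before_update_attrs(pool)) | set(attrs))
    kwargs["UserAttributeUpdateSettings"] = {
        "AttributesRequireVerificationBeforeUpdate": merged
    }
    return kwargs


def enable_verify_before_update(client, user_pool_id: str) -> dict:
    """Read the pool, then write it back with email added to the verify-first list."""
    pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    if email_change_needs_verification(pool):
        return pool  # already opted in; nothing to change
    client.update_user_pool(**build_update_kwargs(pool))
    return client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]


# Client side. With the setting on, step 1 leaves the old address active for sign-in
# and step 2 is what actually swaps it, so a mistyped address in step 1 is harmless.
def request_email_change(client, access_token: str, new_email: str) -> str:
    """Step 1: ask for the change; returns the (masked) destination Cognito reports."""
    resp = client.update_user_attributes(
        AccessToken=access_token,
        UserAttributes=[{"Name": "email", "Value": new_email}],
    )
    for details in resp.get("CodeDeliveryDetailsList", []):
        if details.get("AttributeName") == "email":
            return details.get("Destination", "")
    return ""


def confirm_email_change(client, access_token: str, code: str) -> None:
    """Step 2: submit the code that arrived at the new address."""
    client.verify_user_attribute(AccessToken=access_token, AttributeName="email", Code=code)


if __name__ == "__main__":
    import sys
    import boto3  # real call: needs AWS credentials and the pool id as argv[1]

    cognito = boto3.client("cognito-idp")
    pool = enable_verify_before_update(cognito, sys.argv[1])
    print("verify-before-update attributes:", verify_before_update_attrs(pool))
```

Run it once against the pool, then check the console page the answer describes: email should now be listed under "Active attribute values when an update is pending". Note that this only covers user-initiated changes; as the comment above points out, `AdminUpdateUserAttributes` does not go through this verification step.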
2

This is a bug in Cognito, still waiting to be resolved for over 3 years. The solution many people find for this problem is to create their own verification system.

For more detailed info, see: https://github.com/aws-amplify/amplify-js/issues/987

sɐunıɔןɐqɐp
Tran Minh Tri