Is it possible to re-authenticate a password while a user is signed-in? #1582
Comments
@TheVaporTrail currently that is not possible to do. We have an open RFC with admin auth task here.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This feature would be nice to have for our team too.

Yeah :) My team also needs this feature 👍

Same here.

Is there any news on this request?
**Hacky Way**

I have not been able to find an API call to Cognito to be able to verify an authentication type. My particular case involves just a username and password. After clicking into the internals of the AWS Amplify code there is a simple way to replicate the authentication process without interfering with the currently authenticated user. Here are my particular criteria that I was trying to solve; you can adapt this solution to your own approach:

```javascript
import { AuthenticationDetails, CognitoUser, CognitoUserPool } from 'amazon-cognito-identity-js'

function fakeAuth(username, password) {
  let authDetail = new AuthenticationDetails({
    Username: username,
    Password: password,
  })
  console.log('AuthDetail', authDetail)

  let cognitoUser = new CognitoUser({
    Username: authDetail.getUsername(),
    Pool: new CognitoUserPool({
      UserPoolId: '<USER_POOL_INFORMATION_GOES_HERE>',
      ClientId: '<CLIENT_ID_INFORMATION_GOES_HERE>',
    }),
  })
  console.log('Cognito User', cognitoUser)

  // For some reason, when I passed Storage into CognitoUserPool(...) it did not
  // want to set it, so I just override it below. The storage is where all the
  // token information is kept, and you can do whatever you want with it; since
  // I don't need the tokens, I just blackhole them (a Storage-like object with
  // getItem/setItem/removeItem/clear that never retains anything).
  cognitoUser.storage = {
    getItem: (key) => {
      console.log('getItem', key)
      return null // nothing is ever stored, so behave like an empty Storage
    },
    setItem: (key, value) => {
      console.log('setItem', key)
    },
    removeItem: (key) => {
      console.log('removeItem', key)
    },
    clear: () => { console.log('clear') },
  }
  console.log('Cognito User', cognitoUser)

  cognitoUser.setAuthenticationFlowType('USER_SRP_AUTH')
  let promise = new Promise((resolve, reject) => {
    cognitoUser.authenticateUser(authDetail, { onSuccess: resolve, onFailure: reject })
  })
  promise.then(user => {
    console.log('Success', user)
  }).catch(e => {
    console.log('Error', e)
  })
  // Hand the result back so the caller can react to success/failure too.
  return promise
}
```

**Downsides:** The big downside here, and how it might affect your application, is that this simulates a user logging in, which means any analytics information may be misled by the extra user logins. However, what this does offer is a practical approach to testing a user's login information.

**Why not use an API call?** Like I said earlier, I would have loved to use a Cognito API call for verifying a user that is already logged in, but I could not find one, so this will have to do! Let me know your thoughts.

**Further information** Most of this was taken from ...
```javascript
var authDetails = new amazon_cognito_identity_js_1.AuthenticationDetails({
    Username: username,
    Password: password,
    ValidationData: validationData
});
if (password) {
    return this.signInWithPassword(authDetails);
}
else {
    return this.signInWithoutPassword(authDetails);
}
...
AuthClass.prototype.signInWithPassword = function (authDetails) {
    var _this = this;
    var user = this.createCognitoUser(authDetails.getUsername());
    return new Promise(function (resolve, reject) {
        user.authenticateUser(authDetails, _this.authCallbacks(user, resolve, reject));
    });
};
...
AuthClass.prototype.createCognitoUser = function (username) {
    var userData = {
        Username: username,
        Pool: this.userPool,
    };
    userData.Storage = this._storage;
    var authenticationFlowType = this._config.authenticationFlowType;
    var user = new amazon_cognito_identity_js_1.CognitoUser(userData);
    if (authenticationFlowType) {
        user.setAuthenticationFlowType(authenticationFlowType);
    }
    return user;
};
...
```
The RFC was already closed, but it doesn't look like it covered the original request from this issue?

I would like to see a re-enter password feature.

Hi, we've got a need for this too. I've written a function to reset a user's MFA settings (for when they've lost their device, etc.). It's only available to my app's admin users, but ideally we'd like the admin to confirm their admin password before the request is made.

@elorzafe Any news on this 're-enter password' feature? It would be a nice +

Hi @elorzafe,
I'm assuming there is still no movement on this? It would be greatly needed by our team.

Please update this, we now authenticate multiple Organizations for different projects!

This is indeed a very important feature. Would be nice if the team could implement this.

Hi guys, are there any chances that this might be picked up by someone at a later date? It's a critical use case for my team.

Also interested in this!

Very much needed feature!

Hello everyone, we have informed the Cognito team of the need for this feature; however, this is not on their immediate roadmap at this point in time. We will provide updates when we have progress on this issue.

Also need this, very surprised to see it's not possible, and exceptionally disheartened to see this issue is 5 years old.

Need this feature too, need a way to get a user to enter their password and MFA again before deleting an account, changing a password or email.

Hate to do this but adding my own +1 here. Had an issue come up that we just can't reliably work around without first genuinely re-authenticating the user, and this would have been extremely helpful to integrate into that workflow.

It is possible to re-authenticate the user using the Auth.signIn API.
It doesn't sign out the user session if the password is wrong.

We also require this feature. We would like to prompt our users for a password before performing sensitive actions such as changing an email, modifying MFA settings, or deleting an account.

This is great and seems to work. Has anybody implemented this and come across any issues, or is this a reliable working solution? Maybe this is why they haven't felt the need to implement any alternative?

Using this solution for a while, have not faced any issue so far.

I don't think it works correctly. It will lock the account if the user enters the wrong password multiple times, which can affect the login process.

This is spot on; reusing the sign-in feature to "re-authenticate" may be a hacky, okay way for non-2FA applications, but we are running into this issue as well. The code being sent throws off the user experience, and if you do try to re-enter that code that was sent via SMS you will get thrown an error that only a singular session can be used once. A confirm password feature would be very helpful.

@duyta7598 I found another hacky solution to avoid MFA... utilizing change password but not actually updating the password: just pass the current password as both values, which returns just a success if it is successful.

I tried calling the signIn API in V6 to re-authenticate the user and it comes back with an error saying "There is already a signed in user." Does anyone else get this?

Yes, I have run into the same issue today. The signIn API was changed somehow and you cannot perform another sign-in while a user is authenticated.

Re-authenticating as a way to verify user password is no longer possible since this change: #12033 :(

Based on the changes made here, it looks like we can't use this anymore, so does anyone know of a proper way to validate a signed-in user's password rather than using the password change API?

I too need to provide a "delete account" link before I can upgrade my game's Android app. The workaround I have thought of, hopefully in the meantime this request is picked up by the Cognito team, is to disable the link shortly after signing in, and to let the user know that they can send a "delete user" request only within 30 seconds or so of signing in. So a user attempting to delete their account is directed to sign out, sign back in, and then click on the link before it grays out.

I am also wondering about this.
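The "Hacky Way" comment above, together with the lockout and MFA concerns raised in the last few replies, are what the following added example covers; it is not code from the issue thread or from Amplify. It re-verifies a signed-in user's password by running a throwaway `USER_SRP_AUTH` flow whose tokens land in an in-memory store, so the real session is never touched, classifies the outcome (accepted, accepted-but-challenge-issued, wrong password, locked out, other error), and wraps it in a prompt with a client-side attempt budget so a re-auth dialog stops before the pool's own lockout kicks in. It assumes the amazon-cognito-identity-js surface shown in the thread (`AuthenticationDetails`, `CognitoUser` with a `Storage` option, `CognitoUserPool`, and the `authenticateUser` callbacks `onSuccess`/`onFailure`/`mfaRequired`/`totpRequired`/`newPasswordRequired`), that `NotAuthorizedException` is the error code for both a wrong password and a lockout (the lockout message text is an assumption), and the fake authenticator at the bottom is constructed so the flow runs offline.

```javascript
// Added example, not from the issue thread or Amplify. Verify a signed-in user's password
// through a throwaway SRP flow whose tokens go to an in-memory store; the live session
// in local storage is never read or overwritten.

// Minimal Storage implementation; whatever the verification attempt stores is discarded with it.
class MemoryStorage {
  constructor() { this.data = new Map(); }
  getItem(key) { return this.data.has(key) ? this.data.get(key) : null; }
  setItem(key, value) { this.data.set(key, String(value)); }
  removeItem(key) { this.data.delete(key); }
  clear() { this.data.clear(); }
}

// Real adapter (assumed SDK surface): pass the imported amazon-cognito-identity-js module and the
// pool config; returns a factory that yields one authenticator per username.
function makeCognitoAuthenticator(sdk, { userPoolId, clientId }) {
  return (username) => {
    const pool = new sdk.CognitoUserPool({ UserPoolId: userPoolId, ClientId: clientId });
    const user = new sdk.CognitoUser({ Username: username, Pool: pool, Storage: new MemoryStorage() });
    user.setAuthenticationFlowType('USER_SRP_AUTH');
    return {
      authenticate(password, callbacks) {
        user.authenticateUser(new sdk.AuthenticationDetails({ Username: username, Password: password }), callbacks);
      },
    };
  };
}

// Core check. done() receives { verified, reason }. Any challenge callback means Cognito accepted the
// password; for SMS MFA it has also just sent a code, which is the UX problem raised in the thread.
function verifyPasswordCb(makeAuthenticator, username, password, done) {
  makeAuthenticator(username).authenticate(password, {
    onSuccess: () => done({ verified: true, reason: 'password-accepted' }),
    mfaRequired: () => done({ verified: true, reason: 'password-accepted-sms-code-sent' }),
    totpRequired: () => done({ verified: true, reason: 'password-accepted-totp-pending' }),
    newPasswordRequired: () => done({ verified: true, reason: 'password-accepted-change-required' }),
    onFailure: (err) => {
      const code = (err && err.code) || 'UnknownError';
      const message = (err && err.message) || '';
      if (code === 'NotAuthorizedException' && /attempts exceeded/i.test(message)) {
        done({ verified: false, reason: 'locked-out' });        // lockout message text is an assumption
      } else if (code === 'NotAuthorizedException') {
        done({ verified: false, reason: 'wrong-password' });
      } else {
        done({ verified: false, reason: 'error:' + code });     // network errors, UserNotFoundException, ...
      }
    },
  });
}

const verifyPassword = (makeAuthenticator, username, password) =>
  new Promise((resolve) => verifyPasswordCb(makeAuthenticator, username, password, resolve));

// Client-side budget: after maxWrong wrong answers the re-auth dialog refuses further attempts,
// so a typo-prone user does not walk into the pool's lockout and lose their ability to log in.
function makeReauthPrompt(makeAuthenticator, username, maxWrong = 3) {
  let wrong = 0;
  return (password, done) => {
    if (wrong >= maxWrong) return done({ verified: false, reason: 'client-attempt-budget-exhausted' });
    verifyPasswordCb(makeAuthenticator, username, password, (result) => {
      if (result.reason === 'wrong-password') wrong += 1;
      if (result.verified) wrong = 0;
      done(result);
    });
  };
}

// Constructed stand-in for the SDK adapter so the flow can run offline. It mimics wrong-password
// failures, a lockout after maxAttempts consecutive failures (threshold is made up), and SMS MFA.
function makeFakeAuthenticator({ correctPassword, mfaEnabled = false, maxAttempts = 5 }) {
  let failures = 0; // shared across authenticators, like the server-side counter it imitates
  return () => ({
    authenticate(password, cb) {
      if (failures >= maxAttempts) {
        return cb.onFailure({ code: 'NotAuthorizedException', message: 'Password attempts exceeded' });
      }
      if (password !== correctPassword) {
        failures += 1;
        return cb.onFailure({ code: 'NotAuthorizedException', message: 'Incorrect username or password.' });
      }
      failures = 0;
      return mfaEnabled ? cb.mfaRequired('SMS_MFA', {}) : cb.onSuccess({});
    },
  });
}

// Offline demo with the constructed authenticator.
const demoAuth = makeFakeAuthenticator({ correctPassword: 'correct-horse-battery' });
verifyPassword(demoAuth, 'alice', 'wrong').then((r) => console.log('wrong password ->', r));
verifyPassword(demoAuth, 'alice', 'correct-horse-battery').then((r) => console.log('right password ->', r));
```

With the real SDK, `makeCognitoAuthenticator(require('amazon-cognito-identity-js'), { userPoolId, clientId })` replaces `makeFakeAuthenticator`. Because every wrong answer still counts against the pool's lockout, and a pool with SMS MFA sends a code on each accepted password, a password-only pool is the case this approach suits; for MFA pools the thread's "confirm password" request has no clean substitute.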
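The "only within 30 seconds of signing in" workaround above can be driven by the token itself rather than a UI timer: Cognito ID tokens carry an `auth_time` claim (seconds since epoch of the authentication). The added example below, which is not code from the issue thread or from Amplify, reads that claim and decides whether a sensitive action is still inside a freshness window. It assumes a Cognito ID token whose signature the SDK already verified when the session was established (the function only decodes the payload, it does not verify anything), a Node.js runtime for `Buffer`, and the sample token is constructed and unsigned. The hypothetical `maxAgeSeconds` window is the caller's choice; the backend that performs the deletion should apply the same check on the token it receives.

```javascript
// Added example, not from the issue thread or Amplify: gate a sensitive action on how recently the
// user authenticated, using the auth_time claim in the Cognito ID token.

function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Decode the payload only; signature verification is assumed to have happened when the session
// was established, so this is a UX/authorization gate, not a token validator.
function readClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { allowed, ageSeconds, reason }. A missing or future auth_time is treated as stale.
function isRecentlyAuthenticated(idToken, maxAgeSeconds, nowSeconds = Math.floor(Date.now() / 1000)) {
  const authTime = Number(readClaims(idToken).auth_time);
  if (!Number.isFinite(authTime)) return { allowed: false, ageSeconds: null, reason: 'no auth_time claim' };
  const ageSeconds = nowSeconds - authTime;
  if (ageSeconds < 0) return { allowed: false, ageSeconds, reason: 'auth_time in the future' };
  const fresh = ageSeconds <= maxAgeSeconds;
  return { allowed: fresh, ageSeconds, reason: fresh ? 'fresh' : 'stale' };
}

// Constructed, unsigned sample token so the check can run offline (a real token comes from the SDK).
function makeSampleIdToken(authTime) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = enc({ alg: 'RS256', kid: 'constructed' });
  const payload = enc({ sub: 'constructed-sub', token_use: 'id', auth_time: authTime });
  return `${header}.${payload}.constructed-signature`;
}

// Demo: the same token judged 20 s and 45 s after sign-in with a 30 s window.
const demoToken = makeSampleIdToken(1700000000);
console.log(isRecentlyAuthenticated(demoToken, 30, 1700000020));
console.log(isRecentlyAuthenticated(demoToken, 30, 1700000045));
```

In an app the token string comes from the SDK session (for amazon-cognito-identity-js, `session.getIdToken().getJwtToken()`; the decoded claims are also exposed as `getIdToken().payload`, in which case `readClaims` is unnecessary). Note that refreshing tokens does not change `auth_time`, so the window measures the last real sign-in, which is exactly what the workaround wants.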
**Which Category is your question related to?**
Authentication/Cognito

**What AWS Services are you utilizing?**
Authentication, Storage, Analytics

**Provide additional details e.g. code snippets**
I would like the user to enter their password again before I perform a dangerous action, in particular, before deleting all of the user's stored data and then the user's account (with CognitoUser.deleteUser).
Is there a way, while the user is authenticated, to submit the password to Cognito for re-verification? I don't want a password verification failure at this point to affect the authentication state.

Thank you,
David