I am using AWS Cognito for user management in my application. The user pool is configured so that users log in with a unique username and a password, and multiple users can have the same email address. I am using Amplify built-in components for authentication.
The problem I can't seem to resolve is double verification messages upon updating a user's email. When an email is changed, CustomMessage_UpdateUserAttribute is triggered, and when the user wants to verify the changed email, CustomMessage_VerifyUserAttribute is triggered. I have a custom Lambda function that listens for these triggers, among others, and sends the corresponding emails based on the action the user is trying to perform: login, verify email, reset password etc.
So if a user modifies his email address, CustomMessage_UpdateUserAttribute is triggered and the user receives an email with the following (default) message: "Please verify your account and enter the following verification code to reset your password: xxxxxx". However, when this user logs in, Amplify recognises that the user is in the "verifyContact" state and displays the screen you can see below.
The user has two options:
to skip the verification, or
to select the only attribute that awaits verification and click on "verify" button.
Clicking on the "verify" button triggers CustomMessage_VerifyUserAttribute and sends yet another email to the user. The user is redirected to the following screen.
The second screen shows where the user is supposed to input the newly sent code (from the second email). So the user has absolutely no need for the first email (and code) that is sent automatically when the email is updated. I have tried to find a way to avoid sending the email, but have not found a good solution. Cognito won't let you override the message in the Lambda without sending the confirmation code in it, which is completely unnecessary since there is no place where the user can input it. I don't want to disable email verification, or set email_verified to true upon updating.
Do you have any suggestions what I could do?
If anybody is facing the same problem, a workaround is to update the email_verified field twice. When updating the email, set email_verified to true. This will prevent Cognito from sending an email on CustomMessage_UpdateUserAttribute. Then, in a separate user attribute update request, update only the email_verified field to false. This will set the user to the "verifyContact" state and request email verification on login.
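The two-request workaround described in the answer above, written out as an added example (not the answer's own code). It assumes the update is done server-side through the AdminUpdateUserAttributes API with boto3, since the answer does not say which API it used; the pool ID and username are placeholders, and RecordingClient is a stand-in for the boto3 client so the block runs offline.

```python
"""Two-step email change that avoids the duplicate verification message."""
from typing import Dict, List


class RecordingClient:
    """Stand-in for a boto3 cognito-idp client so the example runs offline;
    it records each AdminUpdateUserAttributes call instead of sending it."""

    def __init__(self) -> None:
        self.calls: List[dict] = []

    def admin_update_user_attributes(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        return {}


def change_email(client, user_pool_id: str, username: str, new_email: str) -> List[List[Dict[str, str]]]:
    """Update a user's email without the UpdateUserAttribute message.

    Step 1 writes the new address together with email_verified=true in ONE
    request, so Cognito treats the address as already verified and sends no
    CustomMessage_UpdateUserAttribute email. Sending the address alone (or
    with email_verified=false) is what triggers that message.
    Step 2, a SEPARATE request, flips email_verified back to false; the user
    lands in the verifyContact state and Amplify asks for verification at the
    next login (CustomMessage_VerifyUserAttribute, the one email we do want).
    Returns the attribute lists sent, in order, so callers can inspect them.
    """
    step1 = [
        {"Name": "email", "Value": new_email},
        {"Name": "email_verified", "Value": "true"},
    ]
    client.admin_update_user_attributes(
        UserPoolId=user_pool_id, Username=username, UserAttributes=step1
    )
    step2 = [{"Name": "email_verified", "Value": "false"}]
    client.admin_update_user_attributes(
        UserPoolId=user_pool_id, Username=username, UserAttributes=step2
    )
    return [step1, step2]


if __name__ == "__main__":
    # Against a real pool, swap RecordingClient() for boto3.client("cognito-idp")
    # (placeholder pool ID and username below).
    demo = RecordingClient()
    print(change_email(demo, "us-east-1_EXAMPLE", "alice", "alice@example.com"))
```

Because the flag is flipped back in a second call, a failure between the two requests leaves the address marked verified without the user ever proving it owns it; handle that error path (retry step 2 or revert the address) rather than ignoring it.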
I have a Login activity with email and password fields; when you fill those fields with the credentials of an account created using the FirebaseAuth createUserWithEmailAndPassword() method there is no problem at all.
But when you fill the email and password fields with the credentials of an account created using the GoogleSignIn button, it gives me this error: The password is invalid or the user does not have a password.
I have tried to send and accept a verification email when a user sets up his account because I thought it had something to do with unverified emails, but I still get the error.
- SUMMARY -
So the thing is, I want to have 2 ways of registering users: one by filling in the email & password fields and the other through GoogleSignIn. So my problem is, how do I design a "system" to log in those accounts? I mean, I can log in users who have filled in the email & password fields, but I cannot log in users who have used GoogleSignIn.
At this point, it's clear that I'm not understanding well how this process works. Can anyone guide me a little bit about it? Thanks in advance :)
- EDIT -
I have been trying a workaround by giving the user a Google SignIn button in the same Login Activity, but I'm also facing a problem there, about which I have already made another StackOverflow post.
I've created the UI design for a "request form" in which the user enters their request for a specific song. I'd like the user's request to be sent to my email, but the user wouldn't have to use their own email; they'd just have to enter the details and click the button, which would then send me the request. Is this possible? If it is, how can I apply this? If not, is there another way? Thank you
You cannot send a message without a mail address, but you can create a mail account yourself, hardcode it into your app, and use it as the sender address. You can also pass all the data about the user that you need (if you collect it) in the message, if you want to recognize them.
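The pattern the answer describes, as an added example rather than anything from the original post: a fixed application mailbox is the sender, the details the user typed go into the body, and the one field that reaches a header is checked for CR/LF so a form value cannot inject extra headers. The addresses, SMTP details and form field names are made up for the example.

```python
"""Send a song request from a fixed application mailbox to the site owner."""
import smtplib
from email.message import EmailMessage

SENDER = "requests@example.com"        # constructed: the app's own mailbox
RECIPIENT = "owner@example.com"        # constructed: where requests land


def build_request_email(form: dict) -> EmailMessage:
    """Build the message; the user's details go in the body, never in From."""
    # Anything placed in a header must not contain CR/LF, or a user could
    # smuggle extra headers (e.g. "Bcc: ...") through the form field.
    song = str(form.get("song", "")).strip()
    if not song or "\r" in song or "\n" in song:
        raise ValueError("song title is required and must be a single line")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = f"Song request: {song}"
    body_lines = [f"Song: {song}"]
    # Optional identifying details the form collected; body only, so line
    # breaks in them are harmless.
    for field in ("name", "contact", "note"):
        value = str(form.get(field, "")).strip()
        if value:
            body_lines.append(f"{field.capitalize()}: {value}")
    msg.set_content("\n".join(body_lines))
    return msg


def send(msg: EmailMessage, host: str, port: int, user: str, password: str) -> None:
    """Submit over SMTP with STARTTLS; the mailbox credentials stay on the server."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls()
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    request = {"song": "Blue Monday", "name": "Sam", "note": "for the 9pm set"}
    print(build_request_email(request))
```

Run build_request_email and send on a small server endpoint that the app calls, not inside the app itself: a mailbox password compiled into a client binary can be pulled out of it and the account then used to send anything.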
I have set up 2FA with Spring Security. The problem is that at the moment the 2FA code must be entered in the same form as the username/password. Is there a way to ask for the username and password first and then, if they are valid, ask for the 2FA code?
I have done the same in AngularJS.
The logic:
When the user has 2FA enabled, on form submit with only username and password, instead of returning a bad credentials response (401) or a success response, I return a status code (403) indicating the server understood the request but refused to fulfil it.
When Angular receives this 403 status, it hides the username and password fields and shows the OTP field. At this point the username and password are still present as Angular objects, only hidden.
When the user enters the OTP and clicks submit, I again make a POST call, this time passing the username, password and OTP.
After registration, the system sends a verification mail to the subscriber's mail ID.
Once the user has clicked on the verification link, the token must expire.
I want to display a "link expired" message from the next click onwards.
How to do it?
You may override the VerifyEmailAddressAction.java action class, set a custom error message in SessionErrors, and display it in the Email Verification screen.
I'm developing a website using Struts2 and JSP pages. On many sites, after you sign up, a link is sent to your email and after clicking on it the registration is complete. I want this feature on my website, but I don't have any idea how to do this or how it works. Should I save the user's information in my database until he/she is verified or not? I searched the web but only found tutorials for PHP forms.
Any tutorial?
Thanks in advance.
The algorithm is something like this:
Save the user's info, marking it with a pending status.
Generate a token that contains some info related to the user's account.
Generate the email, which must include the URL to activate the account, and the URL will have the token in it.
The URL must point to some servlet or service in your app that will validate the token, check that the user related to the token is inactive, present a completion form (let the user set a password, present a captcha, etc.) and on form submission activate the account with the password they set.
You should periodically scan the inactive accounts and delete the ones that are several days old and have not been activated.
To generate the token, you can encrypt some data such as the user ID, email, etc. and encode it in Base64 (the URL-safe variant); remember to salt it when you encrypt. When you receive the token, you decode and decrypt it, and it must point to an inactive user account.
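The five steps above carried through end to end, as an added example (not the answer's Struts2 code, and not Liferay's VerifyEmailAddressAction from the earlier question). One deliberate change from the answer: the token is HMAC-SHA256-signed rather than encrypted. Its contents (user ID, email, expiry) are not secret; what the activation endpoint needs is to tell a token it issued from a forged or altered one, and a signature gives that while plain encryption does not. The same code answers the earlier "link must expire after one click" question: a second click on the same link fails because the account is no longer pending, and the embedded expiry covers links that are never clicked. The key, TTLs, endpoint URL and in-memory account table are constructed for the example.

```python
"""Email activation: pending account, signed token in the link, single-use activation."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key"            # constructed; load from a secret store in production
TOKEN_TTL = 3 * 24 * 3600                        # activation links work for three days
PENDING_MAX_AGE = 7 * 24 * 3600                  # unactivated accounts are purged after a week
ACTIVATE_URL = "https://example.com/activate"    # hypothetical endpoint (the "servlet" of step 4)

accounts: dict = {}   # user_id -> record; stands in for the users table


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64e(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())


def register(email: str, now: Optional[int] = None) -> str:
    """Step 1: store the user with a pending status."""
    user_id = secrets.token_hex(8)
    accounts[user_id] = {"email": email, "status": "pending", "created": _now(now), "pw": None}
    return user_id


def make_token(user_id: str, now: Optional[int] = None) -> str:
    """Step 2: token = base64url(JSON{uid, email, exp}) + "." + base64url(HMAC-SHA256)."""
    rec = accounts[user_id]
    claims = {"uid": user_id, "email": rec["email"], "exp": _now(now) + TOKEN_TTL}
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload)}"


def activation_link(user_id: str, now: Optional[int] = None) -> str:
    """Step 3: the URL that goes into the email."""
    return f"{ACTIVATE_URL}?token={make_token(user_id, now)}"


def parse_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Verify the signature (constant-time) and the expiry; None means reject."""
    try:
        payload, sig = token.split(".", 1)
        if not hmac.compare_digest(_sign(payload), sig):
            return None
        claims = json.loads(_b64d(payload))
    except ValueError:            # bad base64, bad JSON, or no "." separator
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < _now(now):
        return None
    return claims


def activate(token: str, password: str, now: Optional[int] = None) -> bool:
    """Step 4: the endpoint's job. Succeeds once; a repeat click finds the
    account already active and is refused (show "link expired" there), which
    makes the link single-use without storing the token anywhere."""
    claims = parse_token(token, now)
    if claims is None:
        return False
    rec = accounts.get(claims["uid"])
    if rec is None or rec["status"] != "pending" or rec["email"] != claims["email"]:
        return False
    salt = os.urandom(16)
    rec["pw"] = salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    rec["status"] = "active"
    return True


def purge_stale(now: Optional[int] = None) -> int:
    """Step 5: drop pending accounts that never activated; returns how many."""
    cutoff = _now(now) - PENDING_MAX_AGE
    stale = [uid for uid, rec in accounts.items()
             if rec["status"] == "pending" and rec["created"] < cutoff]
    for uid in stale:
        del accounts[uid]
    return len(stale)


if __name__ == "__main__":
    uid = register("user@example.com")
    link = activation_link(uid)
    print(link)
    print(activate(link.split("token=", 1)[1], "chosen-password"))   # True
    print(activate(link.split("token=", 1)[1], "chosen-password"))   # False: already used
```

The email address is checked against the claim as well as the user ID, so a token issued before the user changed their pending address cannot activate the new one.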