SignIn gives UserNotConfirmedException error if password is incorrect #1688
Comments
If the user is not confirmed, you can't do anything with the user (sign in, change the password, etc.), so I would say that the current behavior is expected. The user first needs to finish verification before she can proceed. If you don't want that, then why enable code verification in Cognito at all. This is the correct sign up authentication flow:
This is the correct sign in authentication flow:
Btw, the latest SDK doesn't give UserNotConfirmedException anymore but CognitoInternalErrorException, with its cause exception being UserNotConfirmedException. Take a look at #1721
I want to do sign in before email verification, not after, but I guess that is not possible currently. In response to your second message, I think what you're describing is not a result of using the latest SDK but a result of enabling legacy "Prevent User Existence Errors". https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
It might be related to that change, thanks for bringing that up! Still, it seems like unintended behavior.
+1
Also happens on the iOS SDK
I'm facing that issue too. The flow is incorrect if so. I'm trying to cover a case where a user left the sign up process in the middle: after he had entered his credentials, at the step where he should verify himself, he left. In that case, when the user logs in again, we first want to validate his credentials in order to let him verify himself. It doesn't make sense that you need to first verify him with the email verification and only then authenticate him. He should first enter his credentials, and only then have the ability to verify himself with the MFA code. In that state, I can't tell the difference between a user who is currently unconfirmed and entered a wrong password, and a user who entered the right password and is unconfirmed. For me both cases give the UserNotConfirmedException.
Hello @OrelVaizman, this is the expected behaviour, as it's pointed out in the conversation.
I know this is old but I thought I'd add a comment that you can use ListUsersAsync to find the user to determine the difference. Additionally, things like ResendConfirmationCodeAsync do not even require a password to use, so the authentication to use it is moot.
Describe the bug
SignIn gives UserNotConfirmedException error if password is incorrect and user is not confirmed.
To Reproduce
Sign up user. Don't confirm email yet. Call sign in with wrong password.
Code:
https://docs.amplify.aws/lib/auth/working-with-api/q/platform/android#signin
Which AWS service(s) are affected?
Cognito User Pools
Expected behavior
If the password is incorrect and the user is not confirmed, it should return an authentication error related to the password, not UserNotConfirmedException.
Environment Information (please complete the following information):
Additional context
The context here is I want the user to first provide a correct password, then provide the email verification code, and then get the user's credentials using the correct password provided earlier. Since SignIn returns UserNotConfirmedException, I am forced to get the verification code and then have them sign in. User should not have to sign in after entering verification code.
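The flow the report asks for can be built on the client without learning anything about the password before confirmation: treat UserNotConfirmedException as "confirm, then retry the same credentials", so the user types the password once and a wrong password surfaces only after the account is confirmed. This is an added example for Amplify Android 1.x, not code from the issue or the Amplify project; the `CodePrompt` interface is a hypothetical UI hook, and the nested `AuthException.UserNotConfirmedException` class plus the wrapped-cause check (the CognitoInternalErrorException case from #1721) are assumptions about that SDK version.

```java
import com.amplifyframework.auth.AuthException;
import com.amplifyframework.core.Amplify;
import com.amplifyframework.core.Consumer;

public final class ConfirmThenSignIn {

    /** Hypothetical UI hook: ask the user for the emailed confirmation code. */
    public interface CodePrompt {
        void ask(Consumer<String> onCode);
    }

    private final CodePrompt prompt;

    public ConfirmThenSignIn(CodePrompt prompt) {
        this.prompt = prompt;
    }

    /** Sign in; if the account is unconfirmed, confirm it and retry with the same credentials. */
    public void signIn(String username, String password,
                       Runnable onSignedIn, Consumer<AuthException> onFailure) {
        Amplify.Auth.signIn(username, password,
            result -> { if (result.isSignInComplete()) onSignedIn.run(); },
            error -> {
                if (isUnconfirmed(error)) {
                    // Cognito has not validated the password yet, so nothing about it is
                    // revealed here. Collect the code, confirm, then retry transparently.
                    prompt.ask(code -> Amplify.Auth.confirmSignUp(username, code,
                        confirmed -> signIn(username, password, onSignedIn, onFailure),
                        onFailure::accept));
                } else {
                    // Wrong password and other failures: surface one generic error.
                    onFailure.accept(error);
                }
            });
    }

    /** Matches the Amplify-typed exception and the raw SDK cause wrapped by newer versions. */
    static boolean isUnconfirmed(AuthException error) {
        if (error instanceof AuthException.UserNotConfirmedException) {
            return true;
        }
        Throwable cause = error.getCause();
        return cause != null && "UserNotConfirmedException".equals(cause.getClass().getSimpleName());
    }
}
```

The retry cannot loop: once confirmSignUp succeeds the second signIn either completes or fails with a password-related error that reaches onFailure.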