1. 技术文章
  2. AWS Cognito - User stuck in CONFIRMED and email_verified = false

AWS Cognito - User stuck in CONFIRMED and email_verified = false

前提是你 提交于 2019-12-03 11:33:21

问题


How do I go about email verifying a user who is CONFIRMED yet email_verified is false?

The scenario is roughly an agent signs up user on their behalf, and I confirm the user through the admin call adminConfirmSignUp. At that point, the user cannot change their password because of the email_verified flag being false.

I can't call resendConfirmationCode because the user is already confirmed.

I can't call forgotPassword because the email_verified flag is false.

The best I can think of is deleting the user account and calling signUp (prompting them to re-enter their password or a new password), hence recreating their account.


回答1:


Currently, Cognito does not allow an external agent to update the email_verified and phone_verified attributes on behalf of the user. The only way these can be marked as true is through a code verification process which can be done by the end user. The exception to this is with admin level APIs, as answers below describe, but those shouldn't be done from client side.

The process is this: user signs-in and gets an access token. They then call GetUserAttrbuteVerificationCode API with the attribute they want to verify. This will deliver a code to the user, which can be used by calling VerifyUserAttribute which will flip the attribute as verified.




回答2:


Using the AWS CLI you can update the email_verified attribute:

aws cognito-idp admin-update-user-attributes 
--user-pool-id eu-west-xxxxxx 
--username xxxxyyyy@example.com
--user-attributes Name=email_verified,Value=true



回答3:


You can change email_verified, phone_number_verified and other attributes by calling adminUpdateUserAttributes without any lambdas and triggers:

'use strict'

var AWS = require('aws-sdk')

AWS.config.update({
  accessKeyId: 'YOUR_ACCESS_KEY_HERE',
  secretAccessKey: 'YOUR_SECRET_ACCESS_KEY_HERE',
  region: 'us-east-1' // change region if required
});

var CognitoIdentityServiceProvider = AWS.CognitoIdentityServiceProvider

var client = new CognitoIdentityServiceProvider({
  apiVersion: '2016-04-19',
  region: 'us-east-1' // change region if required
})

client.adminUpdateUserAttributes({
  UserAttributes: [{
      Name: 'phone_number_verified',
      Value: 'true'
    }, {
      Name: 'email_verified',
      Value: 'true'
    }
    // other user attributes like phone_number or email themselves, etc
  ],
  UserPoolId: 'COGNITO_USER_POOL_ID_HERE',
  Username: 'USERNAME'
}, function(err) {
  if (err) {
    console.log(err, err.stack)
  } else {
    console.log('Success!')
  }
})



回答4:


You can now programmatically set email_verified to true using the Pre-Signup lambda trigger and modifying the returned event with event.response.autoVerifyEmail = true;

It's not in the docs yet but referenced on this github issue. Also read working with cognito lambda triggers.




回答5:


Trigger on pre-registration this lambda function (Node.js v6):

exports.handler = function(event, context) {
 event.response.autoConfirmUser = true;
 event.response.autoVerifyEmail = true;
 event.response.autoVerifyPhone = true;
 context.done(null, event);
};

Using the "Configure test event" you can test it first with this payload

{
  "version": 1,
  "triggerSource": "PreSignUp_SignUp",
  "region": "<region>",
  "userPoolId": "<userPoolId>",
  "userName": "<userName>",
  "callerContext": {
      "awsSdk": "<calling aws sdk with version>",
      "clientId": "<apps client id>"
  },
  "request": {
      "userAttributes": {
          "email": "usertestsns06@yopmail.com"
       },
      "validationData": {
          "k1": "v1",
          "k2": "v2"
       }
  },
  "response": {
        "autoConfirmUser": false,
        "autoVerifyEmail": false,
        "autoVerifyPhone": false
  }
}

Now when you create the user from the API those verifications flags should be true.




回答6:


Here is the Another Approach you can use to create users by Agents. You can Use AdminCreateUser on the Behalf of user. By calling this API user will be created with a temp Password which will be sent to the user Email Address. (i.e. User will be in Force_Change_Password state). Now use RespondToAuthChallenge API to change the Password.

Note: You need to set "email_verified" attribute in attribute List. to make sure user email will be verified.

Here is the Code Example in NodeJS:

var params = {
 UserPoolId: process.env.userPoolId, /* required */
Username: email,//'STRING_VALUE', /* required */
DesiredDeliveryMediums: [
"EMAIL",
/* more items */
],
ForceAliasCreation: false,


 UserAttributes: [{
Name: 'email_verified',
Value: 'True'
},/* any other Attributes*/],
   };
cognitoidentityserviceprovider.adminCreateUser(params, function (err, data) {
 if (err) {
  console.log(err, err.stack);
  reject(err); // an error occurred
 }
 else {
  console.log(data);
   resolve(data);
 }// successful response 
});
 });



回答7:


verify user email on aws cognito with python

response =client.get_user_attribute_verification_code(AccessToken='eyJraWQiOiJtTEM4Vm......',AttributeName='email')

response = client.verify_user_attribute( AccessToken='eyJraWQiOiJtTEM......', AttributeName='email', Code='230433')



来源:https://stackoverflow.com/questions/39231797/aws-cognito-user-stuck-in-confirmed-and-email-verified-false

标签
amazon-cognito
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!