AWS Cognito - Possible to resend Signup Email with temporary password?
After searching the official AWS CLI cognito-idp documentation, it seems there is no way to 'reset' a user back into a FORCE_CHANGE_PASSWORD state once that user has been confirmed at some point.
It seems the only way to achieve this is to copy the user's data, delete the user's account, and then re-create a new account for the user with the copied data, for example:
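```python
import boto3

client = boto3.client("cognito-idp", region_name=AWS_REGION)
try:
    # boto3 client methods accept keyword arguments only
    user = client.admin_get_user(UserPoolId=user_pool_id, Username=user_id)  # get user
    user_data = get_from(user)  # copy user data (get_from is a placeholder helper)
    client.admin_delete_user(UserPoolId=user_pool_id, Username=user_id)  # delete user
    response = client.admin_create_user(**user_data)  # create new user?
except Exception as e:
    handle(e)  # placeholder error handler
```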
This would place the user in FORCE_CHANGE_PASSWORD state and re-trigger the signup email/message, which is the desired outcome; however, this seems prone to all sorts of problems...
Note: I've already tried calling admin_create_user again with the message action set to 'resend'; however, if the user has been in a CONFIRMED state at any point, the call will result in the following error message:
(UnsupportedUserStateException) when calling the AdminCreateUser operation: Resend not possible. XXXXXXXXXXXXXXX status is not FORCE_CHANGE_PASSWORD
The other option is to do a separate call to get the user's current status, and if they're in a confirmed state, call admin-reset-user-password instead, which would at least mitigate the data integrity issues raised by deleting the account...
Surely there is a more elegant solution?
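The status check described in the question, as an added example that is not part of the original post or its answer: it reads `UserStatus` and sends `MessageAction="RESEND"` only for `FORCE_CHANGE_PASSWORD`, falling back to `admin_reset_user_password` for `CONFIRMED`, so the account is never deleted. The function name, the return labels, the `StubCognito` stand-in and the pool/user values are assumptions; against real AWS, pass `boto3.client("cognito-idp")` as `client`.

```python
RESEND, RESET, SKIP = "resend_invitation", "reset_password", "no_action"

def resend_or_reset(client, user_pool_id, username):
    """Re-send the invitation or start a password reset without deleting the user."""
    user = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
    if not user.get("Enabled", True):
        return SKIP  # do not mail credentials for a disabled account
    status = user["UserStatus"]
    if status == "FORCE_CHANGE_PASSWORD":
        # Per the error quoted in the question, RESEND is accepted only in this state.
        client.admin_create_user(UserPoolId=user_pool_id, Username=username, MessageAction="RESEND")
        return RESEND
    if status == "CONFIRMED":
        # RESEND would raise UnsupportedUserStateException here; reset instead.
        client.admin_reset_user_password(UserPoolId=user_pool_id, Username=username)
        return RESET
    return SKIP  # any other status is left for manual review

class StubCognito:
    """Constructed stand-in for boto3.client("cognito-idp"); makes no AWS calls."""

    def __init__(self, status, enabled=True):
        self.status, self.enabled, self.calls = status, enabled, []

    def admin_get_user(self, UserPoolId, Username):
        return {"Username": Username, "UserStatus": self.status, "Enabled": self.enabled}

    def admin_create_user(self, **kwargs):
        self.calls.append(("admin_create_user", kwargs))

    def admin_reset_user_password(self, **kwargs):
        self.calls.append(("admin_reset_user_password", kwargs))

def demo():
    """Run the decision over constructed users; returns {status: (action, calls)}."""
    out = {}
    for status in ("FORCE_CHANGE_PASSWORD", "CONFIRMED", "UNCONFIRMED"):
        stub = StubCognito(status)
        action = resend_or_reset(stub, "pool-id-placeholder", "constructed-user")
        out[status] = (action, [name for name, _ in stub.calls])
    return out

if __name__ == "__main__":
    for status, result in demo().items():
        print(status, "->", result)
```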
Solution 1:[1]
For anyone having a similar issue, it turns out to be related to having email verified as a requirement for the User Pool. I suspect if you don't require your user email addresses to be verified, you won't run into this issue.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Andrew Colbeck |