* Which Category is your question related to? *
Authentication/Cognito
* What AWS Services are you utilizing? *
Authentication, Storage, Analytics
* Provide additional details e.g. code snippets *
I would like the user to enter their password again before I perform a dangerous action, in particular, before deleting all of the user's stored data and then the user's account (with CognitoUser.deleteUser).
Is there a way, while the user is authenticated, to submit the password to Cognito for re-verification? I don't want a password verification failure at this point to affect the authentication state.
Thank you,
David
@TheVaporTrail currently that is not possible to do. We have an open RFC with admin auth task here.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This feature would be nice to have for our team too.
Yeah :) My team also needs this feature :+1:
same here
Is there any news on this request?
I have not been able to find an API call to Cognito to be able to verify an authentication type. My particular case involves just a username and password. After clicking into the internals of the AWS Amplify code, there is a simple way to replicate the authentication process without interfering with the currently authenticated user. Here are the particular criteria that I was trying to solve; you can adapt this solution to your own approach:

USER_SRP_AUTH flow to authenticate users

```js
import { AuthenticationDetails, CognitoUser, CognitoUserPool } from 'amazon-cognito-identity-js'

function fakeAuth(username, password) {
  let authDetail = new AuthenticationDetails({
    Username: username,
    Password: password,
  })
  // Debug output only: authDetail holds the plaintext password
  console.log('AuthDetail', authDetail)
  let cognitoUser = new CognitoUser({
    Username: authDetail.getUsername(),
    Pool: new CognitoUserPool({
      // Replace both placeholders with your own pool values
      UserPoolId: '<USER_POOL_INFORMATION_GOES_HERE>',
      ClientId: '<CLIENT_ID_INFORMATION_GOES_HERE>',
    }),
  })
  console.log('Cognito User', cognitoUser)
  // For some reason when I passed in Storage in the CognitoUserPool(...) it did not
  // want to set it, so I just override it below here. When you set the storage you
  // can actually do whatever you want with it; the storage is where all the token
  // information is kept, but seeing as I don't need it, I just blackhole it
  cognitoUser.storage = {
    getItem: (key) => {
      console.log('getItem', key)
      return ''
    },
    setItem: (key, value) => {
      console.log('setItem', key)
      return ''
    },
    removeItem: (key) => {
      console.log('removeItem')
    },
    clear: () => { console.log('clear') },
  }
  console.log('Cognito User', cognitoUser)
  cognitoUser.setAuthenticationFlowType('USER_SRP_AUTH')
  let promise = new Promise((resolve, reject) => {
    cognitoUser.authenticateUser(authDetail, { onSuccess: resolve, onFailure: reject })
  })
  promise.then(user => {
    console.log('Success', user)
  }).catch(e => {
    console.log('Error', e)
  })
}
```
The big downside here and how it might affect your application would be that this simulates a user logging in, which means any analytic information may be misled by the extra user logins. However, what this does offer is a practical approach to testing a user's login information.
Like I said earlier I would have loved to use a Cognito API call for verifying a user that is already logged in, but I could not find one, so this will have to do! Let me know your thoughts.
Most of this was taken from Auth.js inside the Amplify library. The reason I did not use the Auth class is because it is meshed in with a lot of other Amplify classes and it seemed easy just to go straight to the meat of the code, which is below for reference in case you want to know how I came up with the solution:

```js
// ...
var authDetails = new amazon_cognito_identity_js_1.AuthenticationDetails({
    Username: username,
    Password: password,
    ValidationData: validationData
});
if (password) {
    return this.signInWithPassword(authDetails);
}
else {
    return this.signInWithoutPassword(authDetails);
}
// ...
AuthClass.prototype.signInWithPassword = function (authDetails) {
    var _this = this;
    var user = this.createCognitoUser(authDetails.getUsername());
    return new Promise(function (resolve, reject) {
        user.authenticateUser(authDetails, _this.authCallbacks(user, resolve, reject));
    });
};
// ...
AuthClass.prototype.createCognitoUser = function (username) {
    var userData = {
        Username: username,
        Pool: this.userPool,
    };
    userData.Storage = this._storage;
    var authenticationFlowType = this._config.authenticationFlowType;
    var user = new amazon_cognito_identity_js_1.CognitoUser(userData);
    if (authenticationFlowType) {
        user.setAuthenticationFlowType(authenticationFlowType);
    }
    return user;
};
// ...
```
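A promise-returning variant of the workaround in the comment above, as an added example that is not part of the original comment or of the Amplify code base. It keeps the throwaway tokens in per-call memory, treats a wrong password as a result rather than an error, and resolves when Cognito answers with a follow-up challenge instead of hanging. Assumptions: `makePasswordVerifier`, `memoryStorage` and the result shape are hypothetical names, and the `amazon-cognito-identity-js` module is passed in as `sdk`.

```javascript
// Added example. Wire it up with the real library like this:
//   const verify = makePasswordVerifier(require('amazon-cognito-identity-js'),
//                                       { UserPoolId: '...', ClientId: '...' })
function memoryStorage() {
  const items = new Map()
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)) },
    removeItem: (key) => { items.delete(key) },
    clear: () => { items.clear() },
  }
}

function makePasswordVerifier(sdk, poolConfig) {
  return function verifyPassword(username, password) {
    // Fresh storage per call: tokens from this check never touch the real session.
    const Storage = memoryStorage()
    const Pool = new sdk.CognitoUserPool({ ...poolConfig, Storage })
    // Storage is set on the user data, as Amplify's createCognitoUser does.
    const user = new sdk.CognitoUser({ Username: username, Pool, Storage })
    const details = new sdk.AuthenticationDetails({ Username: username, Password: password })
    user.setAuthenticationFlowType('USER_SRP_AUTH')

    return new Promise((resolve, reject) => {
      // A follow-up challenge is only issued once the password step has passed.
      const challenge = (name) => () => resolve({ verified: true, pendingChallenge: name })
      user.authenticateUser(details, {
        onSuccess: () => {
          Storage.clear() // discard the tokens issued for this check
          resolve({ verified: true, pendingChallenge: null })
        },
        onFailure: (err) => {
          // Wrong password is an answer; network or throttling errors are not.
          if (err && err.code === 'NotAuthorizedException') {
            resolve({ verified: false, pendingChallenge: null })
          } else {
            reject(err)
          }
        },
        mfaRequired: challenge('mfaRequired'),
        totpRequired: challenge('totpRequired'),
        newPasswordRequired: challenge('newPasswordRequired'),
      })
    })
  }
}
```

Whether a result with a `pendingChallenge` is enough to authorize the dangerous action is a policy decision for the caller; the sketch only reports it.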
> @TheVaporTrail currently that is not possible to do. We have an open RFC with admin auth task here.
The RFC was already closed, but it doesn't look like it covered the original request from this issue?
I would like to see a re enter password feature.
Hi,
We've got a need for this too. I've written a function to reset a user's MFA settings (for when they've lost their device, etc). It's only available to my app's admin users, but ideally we'd like the admin to confirm their admin password before the request is made.
@elorzafe Any news on this 're-enter password' feature? It would be a nice +
> @TheVaporTrail currently that is not possible to do. We have an open RFC with admin auth task here.
Hi @elorzafe,
It would be really great and more convenient if Cognito could implement a reauthenticate function as Firebase does.
Have you planned to realize it?
Thanks
I'm assuming there is still no movement on this? It would be greatly needed by our team.