Amplify-js: Inviting and confirming users securely?

Created on 19 Jan 2019 · 10 Comments · Source: aws-amplify/amplify-js

**Which Category is your question related to?**
Amplify.signIn in the case of confirming a user after invitation on dashboard or adminCreateUser.

**What AWS Services are you utilizing?**
Just Cognito.

**Provide additional details e.g. code snippets**

I'm currently using adminCreateUser when a user invites another user to sign up onto the platform. The invited user has his/her password set to testing at the moment. Upon calling adminCreateUser we send an invitation email to the new user with a button to join the platform and claim the account. However, the docs suggest using Auth.signIn and Auth.completeNewPassword() on these users. I may be misunderstanding something, but this seems insecure as a malicious party could just send his/her own Auth.signIn and Auth.completeNewPassword to claim another person's account. Any clarification would be super helpful. (More info below)

The docs for Amplify suggest this strategy when using adminCreateUser.

> The user would be asked to provide his new password and required attributes the first time he signs in if he is created in the AWS Cognito console. In that case, you need to call this method to finish this process:

```javascript
import { Auth } from 'aws-amplify';

// username and password come from the sign-in form; for an invited user the
// password is the temporary one delivered with the invitation message.
Auth.signIn(username, password)
.then(user => {
    if (user.challengeName === 'NEW_PASSWORD_REQUIRED') {
        const { requiredAttributes } = user.challengeParam; // the array of required attributes, e.g. ['email', 'phone_number']
        Auth.completeNewPassword(
            user,               // the Cognito User Object returned by signIn (carries the challenge session)
            newPassword,        // the new password chosen by the user
            // OPTIONAL, the required attributes
            {
              email: '[email protected]',
              phone_number: '1234567890'
            }
        ).then(user => {
            // at this time the user is logged in if no MFA required
            console.log(user);
        }).catch(e => {
          console.log(e);
        });
    } else {
        // other situations
    }
}).catch(e => {
    console.log(e);
});
```

All 10 comments

> malicious party could just send his/her own Auth.SignIn and Auth.completeNewPassword to claim another person's account

How would the third party have access to the email address of the user which the admin wishes to send a sign-up invitation? You still need to own the verification channel (email, phone, etc.) where the invite is being sent.

I am working through a similar (but slightly different maybe) issue.

I have an administrator view and want to call something like Auth.adminCreateUser but don't have that functionality. My app is invite-only. It feels weird loading the Cognito API just for the adminCreateUser function when I'm using Amplify for everything else.

@wmlutz yep! That's where this issue actually spawned from -- it definitely is not intuitive, but that seems to be the way to go if you want adminCreateUser-like functionality.

Was your original question answered @stephenhuh?

If not can you please elaborate. I am thinking this may be a feature request to build adminCreateUser into Amplify Auth?

adminCreateUser should be incorporated into Amplify. I am running into the same issue where I have to use the Cognito SDK for adminCreateUser

@jordanranz -- I'd agree with @PaulGLujan and @wmlutz as I had run into a similar issue, which was where this case stemmed from, but it should probably be a new issue/feature request.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

Hey, I know the issue has been closed for inactivity but I just ran into this.

My workaround (not using the Cognito SDK):

  1. I implemented authorization with groups.
  2. I switched the confirmation message in Cognito to a link.
  3. I implemented a custom field in users called parentUser (or organization in my case).
  4. I check for the user group and give admin users access to a component called inviteUsers.
  5. I built a form inside inviteUsers with my signUp fields.

Below is the submit handler for the form:

```javascript
// Method of the inviteUsers component; Auth is imported from 'aws-amplify'
// at the top of the component file. The admin fills in the invitee's
// username, email and initial password; custom:organization ties the new
// user to the inviting admin's organization.
handleSubmit = async (event) => {
    event.preventDefault();
    try {
        const result = await Auth.signUp({
            username: this.state.username,
            password: this.state.password,
            attributes: {
                email: this.state.email,
                'custom:organization': this.state.org.id,
            }
        });
        console.log(`Successfully invited ${result.user.username}`);
        return result;
    } catch (err) {
        console.log('error signing up: ', err);
        return err;
    }
}
```

Hope this helps!

Hey

I was concerned about the security issues pointed out in https://github.com/aws-amplify/amplify-js/issues/2582#issue-401015157, so I've been attempting to edit another user's password using an Auth.completeNewPassword equivalent request. The process has been:

  1. Create a new user using an invitation message and set its new password as recommended.
  2. Check the request sent to Cognito by Amplify. It doesn't have any authentication headers; all the authentication-related info is sent in the Session field, which according to the documentation seems to be optional.
  3. I've tried an attack by sending a request to Cognito without the Session field attempting to edit an arbitrary user's password. I got a Missing parameter session error.
  4. I've tried setting an arbitrary session value, and it didn't go through either. The error response was Invalid session for the user.

So a potential attacker would need to know the user sub and the session value to actually edit this field. Seems secure enough.
