AWS Cognito - Users lost “non-mutable” attribute “email_verified”

社会主义新天地 submitted on 2019-12-24 08:05:11

Question


After using Cognito for a few months, some users in a user pool have now lost the "email_verified" attribute. I can't understand how it is missing or how to recover.

Symptoms are:

  • Users can still log in
  • User password cannot be changed (e.g. via JS SDK - changePassword); this produces the error: "x-amzn-errormessage: Cannot reset password for the user as there is no registered/verified email or phone_number"
  • Getting the user attributes for the user with the list-users CLI shows the attribute is missing:

    aws cognito-idp list-users --user-pool-id MYID-123 --query 'Users[?Username==`error@bla.com`].[*]'
    [
      [
        [
            "error@bla.com", 
            true, 
            "CONFIRMED", 
            1522127817.526, 
            1522127819.369, 
            [
                {
                    "Name": "sub", 
                    "Value": "123123123341241238"
                }, 
                {
                    "Name": "email", 
                    "Value": "bla@bla.com"
                }
            ]
         ]
      ]
    ]
    

    vs. one with the attribute in place

    aws cognito-idp list-users --user-pool-id MYID-123 --query 'Users[?Username==`bla@bla.com`].[*]'
    [
      [
        [
            "bla@bla.com", 
            true, 
            "CONFIRMED", 
            1524048734.588, 
            1524048737.777, 
            [
                {
                    "Name": "sub", 
                    "Value": "1231231231231235"
                }, 
                {
                    "Name": "email_verified", 
                    "Value": "true"
                }, 
                {
                    "Name": "email", 
                    "Value": "bla@bla.com"
                }
            ]
          ]
       ]
     ]
    

If I try deleting the attribute (with enough permissions), it fails - as one would expect - explaining it is not mutable.

    aws cognito-idp admin-delete-user-attributes --user-pool-id MYID-123 --username test2@test.com --user-attribute-names email_verified

    An error occurred (InvalidParameterException) when calling the AdminDeleteUserAttributes operation: Cannot modify the non-mutable attribute email_verified

Answer 1:


I cannot find the cause for this problem, other than blaming AWS Cognito.

A workaround/hack/patch is to add the attribute back; this time, the non-mutable check is not a problem:

    aws cognito-idp admin-update-user-attributes --user-pool-id MYID-123 --username error@bla.com --user-attributes Name=email_verified,Value=true

And now the user has the attribute again and I can reset the password.




Answer 2:


If there are 2 users with the same email address, and email_verified is true for one and not the other, it is possible it is an issue with your client code.

When you call confirmRegistration, the first parameter is the confirmation code and the second is a boolean: forceAliasCreation. If set to true, then if a user already exists with the email address that is being used to register with, the new user "steals" the email address of the existing user.

It's not obvious this is a problem, because the Cognito API docs show examples of confirmRegistration with forceAliasCreation as true without explaining what the parameter does (https://github.com/aws-amplify/amplify-js/tree/master/packages/amazon-cognito-identity-js - Use Case 2, assuming you are using JS). We ran into this problem with our app and this was the culprit.
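
An audit over `aws cognito-idp list-users` output that separates the two situations described in the answers above, as an added example that is not part of the original post. It assumes the unfiltered JSON shape of `list-users` (no `--query`); the `audit` function name and the third sample user are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `aws cognito-idp list-users` JSON output
# (without --query). The first two users reuse the values shown in the question.
SAMPLE = json.loads("""
{"Users": [
  {"Username": "error@bla.com", "UserStatus": "CONFIRMED", "Attributes": [
    {"Name": "sub", "Value": "123123123341241238"},
    {"Name": "email", "Value": "bla@bla.com"}]},
  {"Username": "bla@bla.com", "UserStatus": "CONFIRMED", "Attributes": [
    {"Name": "sub", "Value": "1231231231231235"},
    {"Name": "email_verified", "Value": "true"},
    {"Name": "email", "Value": "bla@bla.com"}]},
  {"Username": "solo@example.com", "UserStatus": "CONFIRMED", "Attributes": [
    {"Name": "sub", "Value": "constructed-sub-3"},
    {"Name": "email", "Value": "solo@example.com"}]}
]}
""")


def audit(users):
    """Split users lacking email_verified into two groups:
    'shared' - their email is also held by another user (review by hand,
               the forceAliasCreation case from Answer 2)
    'unique' - nobody else holds the email (candidates for Answer 1's
               admin-update-user-attributes workaround)."""
    by_email = defaultdict(list)
    missing = []
    for user in users:
        attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
        email = attrs.get("email", "").strip().lower()
        if not email:
            continue
        by_email[email].append(user["Username"])
        if "email_verified" not in attrs:
            missing.append((user["Username"], email))
    # Classify only after every user has been indexed by email.
    report = {"shared": {}, "unique": []}
    for username, email in missing:
        holders = by_email[email]
        if len(holders) > 1:
            report["shared"][username] = sorted(h for h in holders if h != username)
        else:
            report["unique"].append(username)
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE["Users"]), indent=2))
```

Users reported under `shared` have lost verification of an address that another account now holds, so setting `email_verified` back to true for them would mark two accounts as verified owners of one mailbox; decide which account legitimately owns the address first.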



Source: https://stackoverflow.com/questions/51718209/aws-cognito-users-lost-non-mutable-attribute-email-verified
