I'm using Cognito with a SPA and leveraging the Hosted UI to handle all the user interface/authentication logic (i.e. the SPA is only redirecting to Cognito and handling callbacks from Cognito). Sign ups are disabled and users are pre-created using AdminCreateUser so that the new user is in the FORCE_CHANGE_PASSWORD state.
Unfortunately, many users do not sign in before their temporary password expires. Once this happens, the user cannot sign in and also cannot reset their password. This is obviously not a great user experience, and the two ways I've seen to unblock the user both require an administrator to first be notified of the issue and then to manually intervene (either using AdminCreateUser with the RESEND MessageAction or via the console to delete and create the user again). This just doesn't scale with hundreds or thousands of users in this state.
Is there an alternate method or workaround to automatically reset the user's password expiration? Ideally, this would be in response to a user attempting to sign in with an expired password (perhaps using a Lambda Trigger?) and not an out-of-band process to RESEND credentials for all users with expired passwords, but I'm open to other creative ideas.
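For the out-of-band RESEND path mentioned in the question, here is an added example (not code from the original post) that sweeps a pool for FORCE_CHANGE_PASSWORD users whose temporary password has outlived the pool's TemporaryPasswordValidityDays and re-sends their invitation with AdminCreateUser/MessageAction=RESEND. It assumes boto3 with admin credentials for the pool, and it approximates the time the temporary password was issued from UserLastModifiedDate/UserCreateDate, since Cognito does not expose the expiry timestamp itself.

```python
"""Sweep a Cognito user pool for users stuck with an expired temporary
password and re-send their invitation (AdminCreateUser, MessageAction=RESEND).
Example code written for this question, not from the original post."""
import datetime as dt


def expired_invites(users, validity_days, now):
    """Return usernames in FORCE_CHANGE_PASSWORD whose temporary password is
    older than `validity_days` (the pool's TemporaryPasswordValidityDays).
    `users` is the list of user dicts returned by cognito-idp ListUsers.
    Assumption: the temporary password was issued at UserLastModifiedDate
    (updated on RESEND) or UserCreateDate, whichever is later."""
    cutoff = now - dt.timedelta(days=validity_days)
    stuck = []
    for u in users:
        if u.get("UserStatus") != "FORCE_CHANGE_PASSWORD":
            continue
        created = u["UserCreateDate"]
        issued = max(created, u.get("UserLastModifiedDate", created))
        if issued < cutoff:
            stuck.append(u["Username"])
    return stuck


def resend_expired_invites(user_pool_id, dry_run=True):
    """List every FORCE_CHANGE_PASSWORD user in the pool and re-send the
    invitation for those whose temporary password has expired.
    Returns the affected usernames; with dry_run=True nothing is sent."""
    import boto3  # assumed installed and configured with admin credentials
    idp = boto3.client("cognito-idp")
    pool = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    policy = pool.get("Policies", {}).get("PasswordPolicy", {})
    validity = policy.get("TemporaryPasswordValidityDays", 7)  # Cognito default
    users, token = [], None
    while True:  # ListUsers is paginated via PaginationToken
        kwargs = {"UserPoolId": user_pool_id,
                  "Filter": 'cognito:user_status = "FORCE_CHANGE_PASSWORD"'}
        if token:
            kwargs["PaginationToken"] = token
        page = idp.list_users(**kwargs)
        users.extend(page["Users"])
        token = page.get("PaginationToken")
        if not token:
            break
    stuck = expired_invites(users, validity, dt.datetime.now(dt.timezone.utc))
    for username in stuck:
        if not dry_run:
            idp.admin_create_user(UserPoolId=user_pool_id, Username=username,
                                  MessageAction="RESEND")
    return stuck


# Constructed sample data (not real pool output) to exercise the selection logic.
SAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
_d = lambda days: SAMPLE_NOW - dt.timedelta(days=days)
SAMPLE_USERS = [
    {"Username": "alice", "UserStatus": "FORCE_CHANGE_PASSWORD",
     "UserCreateDate": _d(10), "UserLastModifiedDate": _d(10)},  # expired
    {"Username": "bob", "UserStatus": "FORCE_CHANGE_PASSWORD",
     "UserCreateDate": _d(2), "UserLastModifiedDate": _d(2)},    # still valid
    {"Username": "carol", "UserStatus": "CONFIRMED", "UserCreateDate": _d(30)},
    {"Username": "dave", "UserStatus": "FORCE_CHANGE_PASSWORD",
     "UserCreateDate": _d(30), "UserLastModifiedDate": _d(1)},   # resent yesterday
    {"Username": "erin", "UserStatus": "FORCE_CHANGE_PASSWORD",
     "UserCreateDate": _d(8)},                                    # expired
]
```

Run `resend_expired_invites(pool_id)` first with the default dry run to review the list, then with `dry_run=False` to actually re-send.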