I created a new user in AWS Cognito using the AWS Console, and it's currently in a "Force change password" state.
I want to trigger the 'forgotten password' flow immediately without inserting a username and password. So, I executed this Postman request:
curl --location 'https://cognito-idp.eu-central-1.amazonaws.com/' \
--header 'X-Amz-Target: AWSCognitoIdentityProviderService.ForgotPassword' \
--header 'Content-Type: application/x-amz-json-1.1' \
--data '{
"ClientId":"aaaaaaaaabbbbbbbbcccccccdd",
"Username":"brandnewuser"
}'
However, I received this response:
{
"CodeDeliveryDetails": {
"AttributeName": "email",
"DeliveryMedium": "EMAIL",
"Destination": "t***@y***"
}
}
The issue is that the (masked) email is incorrect; it should be something like a***@a*** instead of t***@y***. This can confuse our clients.
Do you have any insights into why this is happening or have you encountered a similar problem? What steps should I take, such as opening a ticket with AWS?
Thank you for your assistance. Ennio

When a user is in the FORCE_CHANGE_PASSWORD state it's not possible to use the ForgotPassword API, as per AWS re:Post Knowledge Center:

The reason why you are seeing the t***@y*** email address is a security feature to avoid user enumeration (more info on this answer and Cognito Developer Guide). If you disable PreventUserExistenceErrors you'll see the actual error message:

{"__type":"NotAuthorizedException","message":"User password cannot be reset in the current state."}
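An added example (not part of the question or the answer above) showing how an admin tool can check the user's status with AdminGetUser before calling ForgotPassword, and how to recognise the simulated CodeDeliveryDetails that PreventUserExistenceErrors returns for a user in FORCE_CHANGE_PASSWORD. Assumptions: a boto3 cognito-idp client is passed in, AdminCreateUser with MessageAction=RESEND is used to re-send the temporary password, and the masking helper reproduces the first-character-plus-*** format seen in the question's response (a***@a***).

```python
from typing import Optional

# Constructed sample: the masked response the question received for a
# user still in FORCE_CHANGE_PASSWORD (PreventUserExistenceErrors enabled).
SAMPLE_RESPONSE = {
    "CodeDeliveryDetails": {
        "AttributeName": "email",
        "DeliveryMedium": "EMAIL",
        "Destination": "t***@y***",
    }
}


def choose_recovery_action(user_status: Optional[str]) -> str:
    """Map the UserStatus returned by AdminGetUser to the API that can help.

    ForgotPassword only succeeds for CONFIRMED users. A user still in
    FORCE_CHANGE_PASSWORD needs a new temporary password instead, and a
    missing user (None) must not be revealed to the end user."""
    if user_status is None:
        return "unknown-user"
    if user_status == "CONFIRMED":
        return "ForgotPassword"
    if user_status == "FORCE_CHANGE_PASSWORD":
        return "AdminCreateUser:RESEND"
    return "unsupported-state"


def mask_email(address: str) -> str:
    """Mask an address as a***@a*** (assumed to match Cognito's Destination)."""
    local, _, domain = address.partition("@")
    return f"{local[:1]}***@{domain[:1]}***"


def delivery_looks_simulated(response: dict, real_email: str) -> bool:
    """True when the masked Destination does not match the user's real email,
    i.e. Cognito answered with an anti-enumeration placeholder rather than
    actually sending a code."""
    details = response.get("CodeDeliveryDetails", {})
    return details.get("Destination") != mask_email(real_email)


def reset_or_explain(client, client_id: str, user_pool_id: str, username: str) -> str:
    """boto3 helper: look the user up as an admin, then pick the right call."""
    try:
        status = client.admin_get_user(UserPoolId=user_pool_id, Username=username)["UserStatus"]
    except client.exceptions.UserNotFoundException:
        status = None
    action = choose_recovery_action(status)
    if action == "ForgotPassword":
        client.forgot_password(ClientId=client_id, Username=username)
    elif action == "AdminCreateUser:RESEND":
        client.admin_create_user(UserPoolId=user_pool_id, Username=username, MessageAction="RESEND")
    return action
```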