ExpiredCodeException in confirmPassword request with just recieved code.


Hello. I have been implementing forgot password functionality for our js application working with this documentation - (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html). Verification code is properly sent to user email but when I try to finalize operation with next request(confirmPassword) I always get ExpiredCodeException with message: "Invalid code provided, please request a code again." Is there any way to check/set code lifetime or way to debug that feature? I'm not sure if I'm having some implementation issue or that is on Cognito side. Any help would be great.

  • The timeout is 24 hours and not configurable.


    Is the user email address confirmed before you try? Do you have a secret key on the userpool?

  • Yes, email address that I was testing with is confirmed. There is no secret key set on user pool.

  • Can you give any details on what Lambda triggers you implemented?

  • I did not implement any lambda triggers for this feature. Te only one trigger I see in project now launches after user is created. I used CognitoUser class with its .forgotPassword and .confirmPassword from https://www.npmjs.com/package/amazon-cognito-identity-js. Do I need any lambda functions for this to work?

  • No I was just wondering if it didn't work because of triggers that were not properly configured. Now I'm thinking maybe your Cognito user pool is not configured properly. If you used CloudFormation or Terraform to created it would help seeing the properties.

asked a year ago1512 views
1 Answer

The codes generated by the API ForgotPassword are valid for 1 hour[1].

The error ExpiredCodeException normally occurs when you have already successfully used a valid code from a ForgotPassword API call with ConfirmForgotPassword and you attempt to make another ConfirmForgotPassword API call[2]. Once a code generated from ForgotPassword has been used once, it will be marked as no longer valid and you will begin to receive the ExpiredCodeException error. While a valid ForgotPassword Code is currently active for a Cognito User(e.g., a ForgotPassword API call has been made for that user in the past hour and the code has not been successfully used yet), the error you will get when an invalid code is provided to a ConfirmForgotPassword API Call is CodeMismatchException[3]. This error will continue to occur until either the code generated from ForgotPassword expires or is successfully used with a ConfirmForgotPassword API Call and is marked as no longer valid.

Both ForgotPassword and ConfirmForgotPassword are logged in CloudTrail, so to debug this I would recommend that you go through your current ForgotPassword flow. Then check CloudTrail for the API Calls, first find the ForgotPassword API Call for the user you are testing, then look for any subsequent ConfirmForgotPassword API Calls. If there are multiple ConfirmForgotPassword API calls occurring after the ForgotPassword API Call and one of the ConfirmForgotPassword API calls is successful, then this would potentially be a possible cause of the ExpiredCodeException error. You can match Cognito users between the CloudTrail events by confirming the "sub" value in the "additionalEventData" is the same across all ForgotPassword/ConfirmForgotPassword CloudTrail events.

[1] Quotas in Amazon Cognito - Non-adjustable resource quotas - https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html#limits-hard

[2] ConfirmForgotPassword - https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html

[3] ConfirmForgotPassword - Errors - https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html#API_ConfirmForgotPassword_Errors

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions