The codes generated by the API ForgotPassword are valid for 1 hour[1].
The error ExpiredCodeException normally occurs when you have already successfully used a valid code from a ForgotPassword API call with ConfirmForgotPassword and you attempt to make another ConfirmForgotPassword API call[2]. Once a code generated from ForgotPassword has been used once, it will be marked as no longer valid and you will begin to receive the ExpiredCodeException error. While a valid ForgotPassword code is currently active for a Cognito user (e.g., a ForgotPassword API call has been made for that user in the past hour and the code has not been successfully used yet), the error you will get when an invalid code is provided to a ConfirmForgotPassword API call is CodeMismatchException[3]. This error will continue to occur until either the code generated from ForgotPassword expires or is successfully used with a ConfirmForgotPassword API call and is marked as no longer valid.
Both ForgotPassword and ConfirmForgotPassword are logged in CloudTrail, so to debug this I would recommend that you go through your current ForgotPassword flow. Then check CloudTrail for the API Calls, first find the ForgotPassword API Call for the user you are testing, then look for any subsequent ConfirmForgotPassword API Calls. If there are multiple ConfirmForgotPassword API calls occurring after the ForgotPassword API Call and one of the ConfirmForgotPassword API calls is successful, then this would potentially be a possible cause of the ExpiredCodeException error. You can match Cognito users between the CloudTrail events by confirming the "sub" value in the "additionalEventData" is the same across all ForgotPassword/ConfirmForgotPassword CloudTrail events.
[1] Quotas in Amazon Cognito - Non-adjustable resource quotas - https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html#limits-hard
[2] ConfirmForgotPassword - https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html
[3] ConfirmForgotPassword - Errors - https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html#API_ConfirmForgotPassword_Errors
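The CloudTrail check described in the answer can be automated. The script below is an added example, not part of the answer and not an AWS tool: it takes CloudTrail records for the Cognito user pool, groups them by the "sub" in additionalEventData, replays each user's ForgotPassword and ConfirmForgotPassword calls in time order, and attaches an explanation to every ConfirmForgotPassword attempt (code already consumed by an earlier successful call, code older than one hour, or code still active with a mismatched value). The sample records are constructed and follow the CloudTrail record layout (eventTime, eventName, eventSource, errorCode, additionalEventData); the sub values and timestamps are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Codes issued by ForgotPassword are valid for one hour (per the answer above).
CODE_LIFETIME = timedelta(hours=1)
COGNITO_SOURCE = "cognito-idp.amazonaws.com"

# Constructed sample CloudTrail records (not real events). Only the fields the
# script reads are included; sub values and times are invented.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-01-01T10:00:00Z","eventSource":"cognito-idp.amazonaws.com",
  "eventName":"ForgotPassword","additionalEventData":{"sub":"sub-aaaa"}},
 {"eventTime":"2024-01-01T10:05:00Z","eventSource":"cognito-idp.amazonaws.com",
  "eventName":"ConfirmForgotPassword","additionalEventData":{"sub":"sub-aaaa"}},
 {"eventTime":"2024-01-01T10:06:00Z","eventSource":"cognito-idp.amazonaws.com",
  "eventName":"ConfirmForgotPassword","errorCode":"ExpiredCodeException",
  "additionalEventData":{"sub":"sub-aaaa"}},
 {"eventTime":"2024-01-01T10:00:00Z","eventSource":"cognito-idp.amazonaws.com",
  "eventName":"ForgotPassword","additionalEventData":{"sub":"sub-bbbb"}},
 {"eventTime":"2024-01-01T10:02:00Z","eventSource":"cognito-idp.amazonaws.com",
  "eventName":"ConfirmForgotPassword","errorCode":"CodeMismatchException",
  "additionalEventData":{"sub":"sub-bbbb"}},
 {"eventTime":"2024-01-01T08:00:00Z","eventSource":"cognito-idp.amazonaws.com",
  "eventName":"ForgotPassword","additionalEventData":{"sub":"sub-cccc"}},
 {"eventTime":"2024-01-01T09:30:00Z","eventSource":"cognito-idp.amazonaws.com",
  "eventName":"ConfirmForgotPassword","errorCode":"ExpiredCodeException",
  "additionalEventData":{"sub":"sub-cccc"}}
]""")


def _ts(record):
    """Parse the CloudTrail eventTime string into a datetime."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def diagnose(records):
    """Replay ForgotPassword/ConfirmForgotPassword per user and explain each
    ConfirmForgotPassword call. Returns {sub: [finding, ...]} in time order."""
    by_sub = defaultdict(list)
    for r in records:
        if r.get("eventSource") != COGNITO_SOURCE:
            continue
        if r.get("eventName") not in ("ForgotPassword", "ConfirmForgotPassword"):
            continue
        sub = r.get("additionalEventData", {}).get("sub")
        if sub:  # events without a sub cannot be attributed to a user
            by_sub[sub].append(r)

    findings = {}
    for sub, events in by_sub.items():
        events.sort(key=_ts)
        code_issued = None  # time of the most recent ForgotPassword call
        code_used = None    # time of the ConfirmForgotPassword that consumed it
        out = []
        for r in events:
            t = _ts(r)
            if r["eventName"] == "ForgotPassword":
                code_issued, code_used = t, None  # a fresh, unused code
                continue
            err = r.get("errorCode")
            if code_issued is None:
                cause = "no ForgotPassword call precedes this ConfirmForgotPassword"
            elif code_used is not None:
                cause = ("code already consumed by a successful ConfirmForgotPassword at "
                         + code_used.isoformat())
            elif t - code_issued > CODE_LIFETIME:
                cause = "code older than 1 hour, so it has expired"
            elif err is None:
                cause = "success; the code is now marked as used"
                code_used = t
            elif err == "CodeMismatchException":
                cause = "code still active; the submitted code did not match"
            else:
                cause = "code still active; API returned " + err
            out.append({"time": r["eventTime"], "errorCode": err, "explanation": cause})
        findings[sub] = out
    return findings


if __name__ == "__main__":
    # With real data, feed in records from CloudTrail Lake or LookupEvents instead.
    for sub, items in diagnose(SAMPLE_EVENTS).items():
        for f in items:
            print(sub, f["time"], f["errorCode"], "->", f["explanation"])
```

Run it against exported CloudTrail records for the user pool: a ConfirmForgotPassword whose explanation says the code was already consumed points at the double-submit scenario the answer describes, while "older than 1 hour" points at the code simply timing out.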
The timeout is 24 hours and not configurable.
https://github.com/amazon-archives/amazon-cognito-identity-js/issues/380
Is the user email address confirmed before you try? Do you have a secret key on the userpool?
Yes, email address that I was testing with is confirmed. There is no secret key set on user pool.
Can you give any details on what Lambda triggers you implemented?
I did not implement any lambda triggers for this feature. The only trigger I see in the project now launches after a user is created. I used the CognitoUser class with its .forgotPassword and .confirmPassword from https://www.npmjs.com/package/amazon-cognito-identity-js. Do I need any lambda functions for this to work?
No, I was just wondering if it didn't work because of triggers that were not properly configured. Now I'm thinking maybe your Cognito user pool is not configured properly. If you used CloudFormation or Terraform to create it, it would help to see the properties.