Auth Cognito user without temporary password

Hello there,

Greeting from AWS!

I gather that you are using Amazon Cognito for storing and authenticating users against your Angular application, and are encountering roadblocks in sending out a custom welcome email which shouldn't contain the temporary password.

To illustrate the desired flow;

(A) Invoke AdminCreateUser API to create the new user & the temporary password is stored in backend Redis cache.

(B) Cognito to send out an email to the new user, which contains the username and the link to the angular front end which takes in 'just' the new password.

(C) On submit, request is be sent to your Lambda backend, that fetches the temporary password from the Redis cache and the new password from the user.

(D) Backend Lambda sets the user's password via series of API calls - InitiateAuth[1]/AdminInitiateAuth[2] & RespondToAuthChallenge[3]/AdminRespondToAuthChallenge[4].

As you you have mentioned, when Cognito sends out an invitation message to a newly created user(AdminCreateUser), both the username and temporary password need to be present within the verification message's body(regardless of whether you are customising the email verification messages on the Cognito console, or tweaking the Custom message Lambda trigger[5]). If the required parameters are not present in the message template, Cognito will default to Your username is {username} and temporary password is {####}.

--- W O R K A R O U N D ---

The workaround for this case would include the following changes:

1. Phase I : Send out the welcome email

• Instead of depending on Cognito to send a welcome email when a user is created(AdminCreateUser), suppress the action of sending out the welcome email by setting "MessageAction" to "SUPPRESS"[6] in the AdminCreateUser API call. Additionally, the same action can be done through console as well. To add a user, go under General Settings –> Users and groups –> Create user. In the create user dialog box, uncheck the "Send an invitation to this new user?" in the console.
• To automate the process of sending an email to the created user, utilize the Pre sign-up Lambda trigger[7] to send out the welcome email manually. The Pre sign-up Lambda trigger will be invoked with triggerSource 'PreSignUp_AdminCreateUser' when the user is created via AdminCreateUser API. The task of sending out the welcome email needs to be managed within the code of the Pre sign-up Lambda trigger. The core pseudo code that needs to go into the Pre sign-up Lambda function is:

if event['triggerSource'] == "PreSignUp_AdminCreateUser":
 	USERNAME = event['userName']
 	EMAIL = event['request']['userAttributes']['email']
 	LOGIN_PORTAL = 'YOUR_ANGULAR_FRONT_END_PAGE_LINK'
 	MESSAGE = "Welcome to `Application__XXXX`. Your user-name is `{USERNAME}`. Set your password here : {LOGIN_PORTAL}"

 	# Use your custom email sender, or Amazon SES [8], to send the above 'MESSAGE' to the user's 'EMAIL'
 return event

2. Phase II : Resetting the password at the Lambda Backend

• You can create an Amazon API Gateway REST API integration with your Lambda function, and embed the REST API's URL within your Angular front end JS code. The idea here is, your Angular front end collects the new password string from the newly created user, and passes the "username" and "new password" within the request body(POST) to this REST API's URL. The REST API will forward/proxy the same to your backend Lambda function.
• When the backend Lambda function is invoked by the REST API, it ought to;
  • Execute the InitiateAuth[1]/AdminInitiateAuth[2] API with the "username" value present in the event payload, and temporary password from the Redis cache. The response will be a "NEW_PASSWORD_REQUIRED" challenge.
  • From the above API call's response, use the RespondToAuthChallenge[3]/AdminRespondToAuthChallenge[4] API call to respond to the "NEW_PASSWORD_REQUIRED" challenge, where the new password is present in the Lambda function's event payload.

Kindly refer to this article[9] to understand Lambda - API Gateway REST API integration. API Gateway endpoints are secured with SSL/TLS certificates, hence the transmitted password will be encrypted in-transit.

I hope that the above details are helpful. Please feel free to raise a support case with us if you require further guidance.

==============

References:

[1]. InitiateAuth https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html

[2]. AdminInitiateAuth https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html

[3]. RespondToAuthChallenge https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html

[4]. AdminRespondToAuthChallenge https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html

[5]. Custom message Lambda trigger - Custom message for admin create user example https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html#aws-lambda-triggers-custom-message-admin-example

[6]. AdminCreateUser - MessageAction https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html#CognitoUserPools-AdminCreateUser-request-MessageAction

[7]. Pre sign-up Lambda trigger https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html

[8]. Sending email through Amazon SES using an AWS SDK - Code examples https://docs.aws.amazon.com/ses/latest/dg/send-an-email-using-sdk-programmatically.html#send-an-email-using-sdk-programmatically-examples

[9] Tutorial: Build a Hello World REST API with Lambda proxy integration https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-lambda.html