Restore password for FORCE_CHANGE_PASSWORD status

Question

I need to restore or reset user password when his status is FORCE_CHANGE_PASSWORD. This situation happened when user try to restore password using "forgot password" feature and he lost email with temporary password. Now he can't do anything because he don't remember password and he can't reset password again

This code handle forgot password

return CognitoIdentitySP.forgotPassword(params, (err, resp) => {
  if (err) { ... }
  ...
})

And I receive error (in case of FORCE_CHANGE_PASSWORD status)

NotAuthorizedException: User password cannot be reset in the current state.

Is there any way to reset password in such state?

Answer 1

You can use aws-cli to do it. Here is a sample command, replace POOL_ID and EMAIL_ADDRESS accordingly:

aws cognito-idp admin-create-user --user-pool-id <POOL_ID> --username <EMAIL_ADDRESS> --message-action RESEND --profile <AWS_PROFILE>

Answer 2

You can also use the admin-set-user-password command in this situation of the temporary password being lost or expired:

aws cognito-idp admin-set-user-password --user-pool-id <POOL_ID> --username <USERNAME> --password <PASSWORD> --no-permanent

This will set a new temporary password of whatever you set the password to be but importantly will force the user to set a new password as soon as they log in, so security is maintained.

You will need to communicate this to the user but we found this extremely useful when your company's security policies prevent you from being able to run the create user command.