Tags: amazon-cognito, aws-sdk-js

AWS Cognito Respond to New_Password_Required challenge returns "Cannot modify an already provided email"


An app that has been working successfully for a couple years has started throwing the following error whenever trying to respond to the NEW_PASSWORD_REQUIRED challenge with AWS Cognito:

{"__type":"NotAuthorizedException","message":"Cannot modify an already provided email"}

I'm sending the below, which all seems to match the docs.

{
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ClientId": <client_id>,
    "ChallengeResponses": {
        "userAttributes.email": "test@example.com",
        "NEW_PASSWORD": "testP@55w0rd",
        "USERNAME": "testfake"
    },
    "Session": <session_id>
}

Nothing has changed on the front end; is there a configuration change we might have done on the Cognito/AWS side that might cause this error?


Solution

  • I started getting the same error recently. I'm following Use case 23, "Authenticate a user and set new password for a user". After some investigation, I found that it is the email attribute in userAttributes that's causing completeNewPasswordChallenge to throw the error. The userAttributes I get from authenticateUser used to be an empty object {}, but it now looks like this:

    { email_verified: 'true', email: 'test@example.com' }
    

    I had to delete the email attribute (as well as the email_verified attribute as shown in the example code in Use case 23) before using the userAttribute for a completeNewPasswordChallenge. So my code is now like this:

    let sessionUserAttributes; // holds the attributes between the two steps

    cognitoUser.authenticateUser(authenticationDetails, {

        // ... other callbacks omitted

        newPasswordRequired: function (userAttributes, requiredAttributes) {
            // the api doesn't accept these fields back
            delete userAttributes.email_verified;
            delete userAttributes.email; // <--- add this line

            // store userAttributes on global variable
            sessionUserAttributes = userAttributes;
        }
    });

    // ... handle new password flow on your app
    function handleNewPassword(newPassword) {
        // third argument (callbacks) omitted here as in the original snippet
        cognitoUser.completeNewPasswordChallenge(newPassword, sessionUserAttributes);
    }
    

    I guess AWS changed their API recently, but I haven't found any doc about this change. Even though the value of the email attribute is the same as the actual email of the user, it throws the Cannot modify an already provided email error if you include it in the request. Deleting it solves the issue.