11

An app that has been working successfully for a couple years has started throwing the following error whenever trying to respond to the NEW_PASSWORD_REQUIRED challenge with AWS Cognito:

{"__type":"NotAuthorizedException","message":"Cannot modify an already provided email"}

I'm sending the below, which all seems to match the docs.

{
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ClientId": <client_id>,
    "ChallengeResponses": {
        "userAttributes.email": "test@example.com",
        "NEW_PASSWORD": "testP@55w0rd",
        "USERNAME": "testfake"
    },
    "Session": <session_id>
}

Nothing has changed on the front end; is there a configuration change we might have done on the Cognito/AWS side that might cause this error?

Noelle Bott
  • 152
  • 1
  • 9

1 Answers1

17

I started getting the same error recently. I'm following Use case 23 Authenticate a user and set new password for a user. After some investigation, I found that it is the email attribute in userAttributes that's causing completeNewPasswordChallenge to throw the error. The userAttributes I get from authenticateUser used to be an empty object {}, but it now looks like this:

{ email_verified: 'true', email: 'test@example.com' }

I had to delete the email attribute (as well as the email_verified attribute as shown in the example code in Use case 23) before using the userAttribute for a completeNewPasswordChallenge. So my code is now like this:

cognitoUser.authenticateUser(authenticationDetails, {

    ...

    newPasswordRequired: function(userAttributes, requiredAttributes) {
        // the api doesn't accept this field back
        delete userAttributes.email_verified;
        delete userAttributes.email; // <--- add this line

        // store userAttributes on global variable
        sessionUserAttributes = userAttributes;
    }
});

// ... handle new password flow on your app
handleNewPassword(newPassword) {
  cognitoUser.completeNewPasswordChallenge(newPassword, sessionUserAttributes);
}

I guess aws changed their api recently, but I haven't found any doc about this change. Even though the value of the email attribute is the same as the actual email of the user, it throws the Cannot modify an already provided email error if you include it in the request. Deleting it solves the issue.

dqrjz
  • 186
  • 1
  • 3
  • 2
    This post and answer saved me just now -- I'm in exact same situation. I have no idea what changed, but can confirm that removing email attribute fixed it for me. This is my code: ``` // Removing email attribute; something on AWS side has borked here export async function completeNewPassword({ user, newPassword, name }) { const data = await Auth.completeNewPassword(user, newPassword, { name }); return data; } ``` – user2761669 Mar 31 '22 at 02:35
  • 4
    This works and it's very irresponsible of AWS to change the API and doesn't publish any updates and logs. – Himanshu Saini Mar 31 '22 at 10:53
  • 1
    You my friend are a lifesaver! It's amazing that even now nearly a year later https://www.npmjs.com/package/amazon-cognito-identity-js still hasn't updated with this. Really bad documentation. – Sublow Mar 08 '23 at 11:10