Android: How do I delete a non-authorized user in Cognito? - android

So I have this confirm activity. In the activity I have two buttons (submit & resend code). You press the submit button when you have typed in the code you got via email or phone number through Cognito, and you press "resend" when you have not received any code and would like Cognito to resend the verification code.
Question:
Is there a line of code to resend a verification code to AWS Cognito via Android?
If not:
Currently, I have this line of code:
cognitoUser.deleteUser(handler);
And then I would recreate the user in Cognito:
userPool.signUpInBackground(username, password, userAttributes, null, signupCallback);
But the exception it throws when I try to delete the user is that the user is not authorized. So I cannot delete the user.
How do I handle the "resend code"? A reference to documentation or the line(s) of code would be helpful!

You should be able to resend the confirmation code (if we are talking about the signup confirmation code) by calling resendConfirmationCodeInBackground on a CognitoUser:
https://github.com/awslabs/aws-sdk-android-samples/blob/8957e9402cf7490bfa9c3939eabc92f1b7d4572e/AmazonCognitoYourUserPoolsDemo/app/src/main/java/com/amazonaws/youruserpools/SignUpConfirm.java#L199
deleteUser is an authenticated operation so you would need to authenticate the user first before calling deleteUser.
If you are talking about an attribute verification code, calling getUserAttributeVerificationCode would send the code and verifyUserAttribute would verify the sent code.
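The resend/confirm flow the answer describes, as an added example that is not code from the question or the linked sample. It assumes an already-built CognitoUserPool and the hypothetical class name SignUpConfirmHelper; the SDK calls (getUser, resendConfirmationCodeInBackground, confirmSignUpInBackground) are the real AWS Android SDK ones, and neither needs the user to be authenticated, which is why deleteUser is never required here.

```java
import android.util.Log;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUser;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserCodeDeliveryDetails;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserPool;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.handlers.GenericHandler;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.handlers.VerificationHandler;

/** Hypothetical helper for the confirm screen: resend the sign-up code or confirm it. */
public class SignUpConfirmHelper {
    private static final String TAG = "SignUpConfirm";
    private final CognitoUserPool userPool; // assumed to be initialised elsewhere

    public SignUpConfirmHelper(CognitoUserPool userPool) {
        this.userPool = userPool;
    }

    /** "Resend" button: ask Cognito for a fresh confirmation code for the unconfirmed user. */
    public void resendCode(String username) {
        // getUser() only builds a local handle; resending a sign-up code needs no authentication.
        CognitoUser user = userPool.getUser(username);
        user.resendConfirmationCodeInBackground(new VerificationHandler() {
            @Override
            public void onSuccess(CognitoUserCodeDeliveryDetails details) {
                // Destination is masked by Cognito (e.g. j***@e***.com), safe to show to the user
                Log.d(TAG, "Code resent via " + details.getDeliveryMedium()
                        + " to " + details.getDestination());
            }
            @Override
            public void onFailure(Exception e) {
                // Resends are rate-limited by Cognito; report the failure, do not retry in a loop
                Log.w(TAG, "Resend failed", e);
            }
        });
    }

    /** "Submit" button: confirm the sign-up with the code the user typed. */
    public void confirm(String username, String code, GenericHandler done) {
        CognitoUser user = userPool.getUser(username);
        // forcedAliasCreation=false: never silently move an email/phone alias from another account
        user.confirmSignUpInBackground(code, false, done);
    }
}
```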

Related

Is there any problem with firebase authentication?

Is there any problem with Firebase authentication?
I am not receiving any email (verification or reset) since yesterday.
I can't even send a reset email from the console manually.
I have checked the spam folder also.
Here is my code:
FirebaseAuth.getInstance().sendPasswordResetEmail(email)
        .addOnSuccessListener(unused -> {
            // is called
        })
        .addOnFailureListener(e -> {
        });
The above code worked before, but recently I am facing this issue. I have tried to send a password reset to an email through Firebase Authentication manually, but that's not working either.
More info:
If I add a user manually and send an email, it shows the email was sent successfully. But I don't receive any mail.
If the API call succeeds, the email was sent successfully. If it doesn't show up where you expect it, it got lost along the way - typically in a spam filter or a spam folder.
Spam filters are common on large company infrastructure. To check whether the message got caught in such a spam filter, you'll have to check with any IT team that owns part of the delivery infrastructure along the way.
An easier way to check might be to send to a public mail provider, such as Gmail. If the message shows up in the spam folder there, you know your code is working correctly. To prevent it getting caught as spam, have a look at my answer here: Why did this code fail to send password reset link in firebase?

How to use linkWithCredential with verifyPhoneNumber?

I create a Firebase Auth user with an email and password
User logs in
User decides to add a phone number to their profile
I call verifyPhoneNumber with an intent to receive a code, call PhoneAuthProvider.getCredential(...) and link resulting AuthCredential to the email and password.
Instead, Android auto-retrieves the code, the user automatically signs in with the phone number, their UID changes (it's a new user) and there's no way to link the phone credential back to the original email/password user. To perform a successful link I need to see the SMS code, which is nowhere to be found in case of a successful auto sign-in.
????
NO PROFIT.
Any ideas? I tried to set the timeout to 0 for verifyPhoneNumber but auto login still works. Accepting defeat and just linking the EmailAndPassword credential to the phone number instead of vice versa is not an option, because it would require a massive copying of data from the old user record into the new one, changing all references to this UID everywhere, etc.
verifyPhoneNumber resolves with a PhoneAuthCredential.
It doesn't matter whether the code is auto-retrieved or instant validation occurs. A PhoneAuthCredential is outputted on verifyPhoneNumber completion.
That credential can either be used to signInWithCredential for sign-in or to link to an existing user via linkWithCredential.
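What the answer describes in code, as an added example (not the asker's or answerer's code): the credential handed to onVerificationCompleted is linked to the already signed-in email/password user rather than passed to signInWithCredential, so the UID is preserved whether the code was auto-retrieved or typed. PhoneLinker is a hypothetical class name; PhoneAuthOptions is the current Firebase Auth API (older SDKs used PhoneAuthProvider.getInstance().verifyPhoneNumber with the same callbacks).

```java
import android.app.Activity;
import android.util.Log;
import com.google.firebase.FirebaseException;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.auth.PhoneAuthCredential;
import com.google.firebase.auth.PhoneAuthOptions;
import com.google.firebase.auth.PhoneAuthProvider;
import java.util.concurrent.TimeUnit;

/** Hypothetical helper: adds a phone number to the current user without creating a new one. */
public class PhoneLinker {
    private static final String TAG = "PhoneLinker";
    private final FirebaseAuth auth = FirebaseAuth.getInstance();
    private String verificationId; // set by onCodeSent when the user must type the SMS code

    public void startLinking(Activity activity, String phoneE164) {
        PhoneAuthOptions options = PhoneAuthOptions.newBuilder(auth)
            .setPhoneNumber(phoneE164)
            .setTimeout(60L, TimeUnit.SECONDS)
            .setActivity(activity)
            .setCallbacks(new PhoneAuthProvider.OnVerificationStateChangedCallbacks() {
                @Override
                public void onVerificationCompleted(PhoneAuthCredential credential) {
                    // Auto-retrieval / instant validation: no SMS code is ever shown, but the
                    // credential is here. Link it; signing in with it would mint a second UID.
                    link(credential);
                }
                @Override
                public void onCodeSent(String id, PhoneAuthProvider.ForceResendingToken token) {
                    verificationId = id; // manual path: wait for submitCode()
                }
                @Override
                public void onVerificationFailed(FirebaseException e) {
                    Log.w(TAG, "Phone verification failed", e);
                }
            })
            .build();
        PhoneAuthProvider.verifyPhoneNumber(options);
    }

    /** Manual path: the user typed the code from the SMS. */
    public void submitCode(String smsCode) {
        link(PhoneAuthProvider.getCredential(verificationId, smsCode));
    }

    private void link(PhoneAuthCredential credential) {
        FirebaseUser user = auth.getCurrentUser();
        if (user == null) { Log.w(TAG, "Nobody is signed in; nothing to link to"); return; }
        user.linkWithCredential(credential) // UID stays the same on success
            .addOnSuccessListener(r -> Log.d(TAG, "Linked to " + r.getUser().getUid()))
            .addOnFailureListener(e -> Log.w(TAG, "Link failed (phone already in use?)", e));
    }
}
```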

What to do if token expired

I communicate with an API using Retrofit. When the user logs in, I save the account to the database, and when the user opens the app next time, I get the data from the database (so I skip the login screen). The problem is when the user's token expires.
How do I handle the situation?
In the login fragment:
PSEUDOCODE
user = ... // get user from database
if (user != null) {
    startActivityAccountActivity();
}
// onButtonClick
emailLogin();
Don't go to your "logged in" activity just because you have a token saved, because as you have correctly noticed, it may be invalid. Try authenticating with the API when you get the token, and only go to the "logged in" activity if it indeed worked. Otherwise proceed as if there was no token saved (and remove the expired one from the database).
You should also note that the token may expire while the user is in the "logged in" activity. For example, the user logged in, used the app and then went to another app from the recents screen. A week later he/she returns to your app with the "logged in" activity open, but in the meantime the token has expired and nothing will work. So you should also check if the token still works there, maybe in the onStart() of the activity.
As indramurari said, you can also handle it on the backend if you control it. But keep in mind that it doesn't solve your inherent problem of handling expired tokens, a refresh token may also expire and you are back to square one. If you make refresh tokens not expire you can just make the login tokens not expire. (This paragraph would be a comment on his answer, but I don't have enough reputation.)
It depends on your back end security level. You have two options to handle this situation.
Build some mechanism on the back-end side so that your server sends a refresh token along with the user's token to the Android device at login time. Whenever the user's token expires, the Android device requests a new user token from your server by sending the old user token along with the refresh token. You can then use that new user token in future. Repeat this whenever the user's token expires.
Note - the refresh token is for validating that it is a valid resource that is requesting a user token.
You can delete the user account from the database and tell the user to re-login.
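Both answers above (validate the token against the API, and use a refresh token when the back end supports one) combined into one OkHttp Authenticator, as an added example rather than code from either answer. SessionStore and RefreshApi are assumed interfaces for the app's own storage and refresh endpoint, which the thread does not name; Authenticator, Route and Response are the real OkHttp types that Retrofit sits on.

```java
import java.io.IOException;
import okhttp3.Authenticator;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.Route;

/** Reacts to 401 responses: refresh once, or wipe the stored session so the app returns to login. */
public class TokenRefreshAuthenticator implements Authenticator {
    /** Assumed abstraction over whatever the app persists (the thread says "database"). */
    public interface SessionStore {
        String accessToken();
        String refreshToken();
        void save(String accessToken, String refreshToken);
        void clear();
    }
    /** Assumed refresh endpoint: returns {access, refresh} or null if the refresh token is dead. */
    public interface RefreshApi {
        String[] refresh(String refreshToken) throws IOException;
    }

    private final SessionStore store;
    private final RefreshApi refreshApi;

    public TokenRefreshAuthenticator(SessionStore store, RefreshApi refreshApi) {
        this.store = store;
        this.refreshApi = refreshApi;
    }

    @Override
    public Request authenticate(Route route, Response response) throws IOException {
        // A prior response means we already retried once; a second 401 is final.
        if (response.priorResponse() != null) { store.clear(); return null; }
        String failedHeader = response.request().header("Authorization");
        synchronized (this) { // serialise refreshes across concurrent requests
            String current = "Bearer " + store.accessToken();
            if (!current.equals(failedHeader)) {
                // Another request already refreshed; just retry with the newer token.
                return response.request().newBuilder().header("Authorization", current).build();
            }
            String[] pair = store.refreshToken() == null ? null : refreshApi.refresh(store.refreshToken());
            if (pair == null) {
                store.clear(); // refresh token expired or revoked: back to square one, re-login
                return null;   // null = give up; the original 401 is delivered to the caller
            }
            store.save(pair[0], pair[1]);
            return response.request().newBuilder().header("Authorization", "Bearer " + pair[0]).build();
        }
    }
}
```

Install it with OkHttpClient.Builder().authenticator(new TokenRefreshAuthenticator(store, api)) and give that client to Retrofit; the "logged in" activity still needs its own startup check, since a 401 only surfaces once a request is made.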

Parse signup doesn't authenticate the user correctly

I encountered a very strange error when signing up a user using Android 6 on a specific device.
The signup process works perfectly and the user is registered in the Parse database. The code checks if ParseUser.getCurrentUser() != null and, if so, the app sends the user to the main page, and this all works up to here.
However, I noticed that the user is not able to send any requests to the server; they are all rejected in the main activity and the user can't even log out. The error I receive when logging out is:
com.parse.ParseRequest $ParseRequestException: This user is not allowed to add a field to _User. You can change this setting in the Data Browser.
It seems like the authenticated user object does not match the original user's token on the server, and that is why this user gets ACL errors.
I am using the Parse default signup and login functions and this has happened only on one device using Android 6 so far. Any guess on what could cause this issue and how I can resolve it?
ParseACL roleACL = new ParseACL();
roleACL.setPublicReadAccess(true);
Add these lines after the Parse.initialize() call. It allows the user to create a column in the table from mobile. Make sure the user is logged in, otherwise it gives an error.

Design approach for login without auth token

I am writing an Android 2.2 app for my company. The app simply sends http get/put/post requests to perform certain operations. There is no real login procedure as the username and password have to be included in each http request.
I could see that there is AccountManager in Android. But since the username and password (instead of some auth token) are needed for each http request, how can it fit in? Obviously, I want to make it similar to other Android apps so that the user only needs to login once for the very first time and it won't prompt for username/password again when the app is re-launched.
Any suggestion is appreciated. Thanks!
I have developed an application like that, so here is how I solved it, in pseudocode.
"But since the username and password (instead of some auth token) are needed for each http request, how can it fit in?"
1#: Make a first page, a login page. Let this View include two EditTexts (username and password) and one Button (login button).
2#: Make a login request on the Button click to see if you're getting a correct Cookie with HTTP header names that correspond to the values you get when you're logged in. Locate the valid information via a network tool, like Wireshark. For more information about the login procedure, check out my other answer here.
3#: If the username and password resulted in correct Cookie information, save the username and password in SharedPreferences and make their values available throughout your application by assigning them to an Application class; read this for more info regarding global variables. If the values were incorrect and you did not get a valid Cookie, show it to the user via a message (Toast?).
4#: When you are trying to reach the authorized information, make a request using the saved information in the Application class.
5#: Next time you start your application, make a check in onCreate() where you check if SharedPreferences contains user information; if so, see step 6#, otherwise wait for the user to start entering information.
6#: If the login page has found user information, assign the SharedPreferences to the global Application state, finish the login Activity and start the authorized Activity instead. This will happen very fast, so the user won't notice that the "login page" was displayed.
7# (extra step): In the authorized Activity, make sure to grab the user information from the Application instance. When doing the first request towards authorized content, validate it as you did in step 3# in order to check whether the user has changed the password on the website. If the user hasn't changed any information, start grabbing the response and you are free to do whatever you want.
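The validation step that steps 2, 3 and 7 above depend on, as an added example and not the answerer's code: one HTTP Basic request over HTTPS whose outcome is split into "rejected" versus "network error", so a transient failure never wipes stored credentials the way a changed password should. The /me path and the CredentialCheck class name are assumptions; the request uses only HttpURLConnection and android.util.Base64, both available on Android 2.2.

```java
import android.util.Base64;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Hypothetical helper: prove the saved username/password still work before trusting them. */
public class CredentialCheck {
    public enum Result { VALID, REJECTED, NETWORK_ERROR }

    /**
     * Sends an authenticated probe and maps the status code:
     *   2xx      -> VALID          (step 3: safe to persist; step 7: password unchanged)
     *   401/403  -> REJECTED       (wrong or changed password: clear the store, show login)
     *   anything else / IOException -> NETWORK_ERROR (keep the store, retry later)
     */
    public static Result validate(String baseUrl, String username, String password) {
        HttpURLConnection conn = null;
        try {
            // baseUrl must be https://, otherwise the Basic header is sent in clear text
            conn = (HttpURLConnection) new URL(baseUrl + "/me").openConnection(); // assumed endpoint
            byte[] raw = (username + ":" + password).getBytes("UTF-8");
            conn.setRequestProperty("Authorization",
                    "Basic " + Base64.encodeToString(raw, Base64.NO_WRAP));
            conn.setConnectTimeout(10000);
            conn.setReadTimeout(10000);
            int code = conn.getResponseCode();
            if (code == 401 || code == 403) {
                return Result.REJECTED;
            }
            if (code >= 200 && code < 300) {
                // Step 2: the session cookie, if the site issues one, is only read on success
                String cookie = conn.getHeaderField("Set-Cookie");
                return cookie == null || cookie.length() > 0 ? Result.VALID : Result.REJECTED;
            }
            return Result.NETWORK_ERROR; // 5xx etc.: says nothing about the credentials
        } catch (IOException e) {
            return Result.NETWORK_ERROR; // DNS/TLS/timeouts: do not touch stored credentials
        } finally {
            if (conn != null) conn.disconnect();
        }
    }
}
```

Call validate() off the main thread (an AsyncTask on Android 2.2) from the login button handler and again from the authorized Activity's first request; only REJECTED should clear SharedPreferences and send the user back to the login page.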
