Manage passwords
Amplify Auth provides a secure way for your users to change their password or recover a forgotten password.
Understand password default settings
By default, your users can retrieve access to their accounts if they forgot their password by using either their phone or email. The following are the default account recovery methods used when either phone
or email
are used as login options.
Login option | User account verification channel |
---|---|
phone | Phone Number |
email | |
email and phone |
Reset Password
To reset a user's password, use the resetPassword
API which will send a reset code to the destination (e.g. email or SMS) based on the user's settings.
import { resetPassword } from 'aws-amplify/auth';
const output = await resetPassword({ username: "hello@mycompany.com"});
const { nextStep } = output;switch (nextStep.resetPasswordStep) { case 'CONFIRM_RESET_PASSWORD_WITH_CODE': const codeDeliveryDetails = nextStep.codeDeliveryDetails; console.log( `Confirmation code was sent to ${codeDeliveryDetails.deliveryMedium}` ); // Collect the confirmation code from the user and pass to confirmResetPassword. break; case 'DONE': console.log('Successfully reset password.'); break;}
To complete the password reset process, invoke the confirmResetPassword
API with the code your user received and the new password they want to set.
import { confirmResetPassword } from 'aws-amplify/auth';
await confirmResetPassword({ username: "hello@mycompany.com", confirmationCode: "123456", newPassword: "hunter3",});
Update password
You can update a signed in user's password using the updatePassword
API.
import { updatePassword } from 'aws-amplify/auth';
await updatePassword({ oldPassword: "hunter2", newPassword: "hunter3",});
Override default user account verification channel
You can always change the channel used by your authentication resources by overriding the following setting.
import { defineAuth } from '@aws-amplify/backend';
export const auth = defineAuth({ loginWith: { email: true }, accountRecovery: 'EMAIL_ONLY'});
Override default password policy
You can customize the password format acceptable by your auth backend. By default your password policy is set to the following:
MinLength
: 8 charactersrequireLowercase
: truerequireUppercase
: truerequireDigits
: truetempPasswordValidity
: 3 days
// amplify/backend.tsimport { defineBackend } from '@aws-amplify/backend';import { auth } from './auth/resource';import { data } from './data/resource';
const backend = defineBackend({ auth, data});
// extract L1 UserPool constructconst { cfnUserPool } = backend.auth.resources.cfnResources;// from the CDK use `addPropertyOverride` to modify properties directlycfnUserPool.addPropertyOverride('Policies.PasswordPolicy.MinimumLength', 32);