Amplify Auth - Password forget when not confirmed #7253

Closed
claudiorebernig opened this issue Nov 22, 2020 · 3 comments
Labels
Auth Related to Auth components/category to-be-reproduced Used in order for Amplify to reproduce said issue

Comments

@claudiorebernig

Describe the bug
When I sign up a new user into my Cognito userpool and do not confirm him, and then try to reset the password before confirming, I am not getting an error that the user is not confirmed. Rather, I get a message that the code for the password reset was delivered, which is not the case.

To Reproduce
Steps to reproduce the behavior:

  1. Sign up a new user into a Cognito userpool via the web, Android or iOS Amplify library
  2. Don't confirm the user
  3. Go for a password reset
  4. Success message that the password reset code was delivered when it was not

Expected behavior
Either I should get back an error like: "User needs to be confirmed first." or that the code is delivered and auto-confirms the account together with the new password.

Code Snippet
Web:
Auth.forgotPassword($phonenumber$)
  .then((data) => {
    ....
  })
  .catch(err => ....)

Log from iOS
Optional(AWSMobileClient.SignUpResult(codeDeliveryDetails: Optional(AWSMobileClient.UserCodeDeliveryDetails(deliveryMedium: AWSMobileClient.UserCodeDeliveryMedium.sms, destination: Optional("+********XXXX"), attributeName: Optional("phone_number"))), signUpConfirmationState: AWSMobileClient.SignUpConfirmationState.unconfirmed))

What is Configured?
const cognito = {
  REGION: "eu-central-1",
  USER_POOL_ID: "XXX",
  APP_CLIENT_ID: "XXX",
  IDENTITY_POOL_ID: "XXX"
}

Amplify.configure({
  Auth: {
    mandatorySignIn: true,
    region: cognito.REGION,
    userPoolId: cognito.USER_POOL_ID,
    userPoolWebClientId: cognito.APP_CLIENT_ID,
    identityPoolId: cognito.IDENTITY_POOL_ID,
    authenticationFlowType: 'USER_PASSWORD_AUTH'
  }
})

Further info
I implemented user migration on the userpool.

I am using SMS to confirm the phone number of the user.

Smartphone (please complete the following information):
I have the problem on iOS & web; a colleague also got the problem on Android

  • Device: iPhone XR
  • OS: iOS13
  • Browser: Google Chrome
@claudiorebernig claudiorebernig added the to-be-reproduced Used in order for Amplify to reproduce said issue label Nov 22, 2020
@amhinson amhinson added the Auth Related to Auth components/category label Nov 23, 2020
@vigneshvpai

I can confirm this. When an unconfirmed user tries to reset his password, he receives an OTP, but when he submits the OTP he receives an ExpiredCodeException.

@harrysolovay
Contributor

This is the correct behavior. One needs to first confirm the sign up. As for the delivery message, I believe you're looking for the PreventUserExistenceErrors flag. Setting this User Pool config flag to false will allow you to see that the user does not exist (or is not verified) from the client.
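
The two behaviours reported in this thread (forgotPassword resolving for an unconfirmed user, then ExpiredCodeException on submit) can be handled in the client as follows. This is an added example, not part of the original thread and not Amplify's own code; the step names, the `errorName` helper and the reading of `InvalidParameterException` as "no verified contact" are assumptions.

```javascript
// `auth` is any object exposing Amplify's forgotPassword and
// forgotPasswordSubmit methods, so a stub can stand in for it offline.

// Assumption: the Cognito exception name arrives in err.code or err.name.
const errorName = (err) => (err && (err.code || err.name)) || 'Unknown';

// Pure decision table: which screen to show after each reset step.
function nextStep(phase, err) {
  if (!err) {
    // A resolved forgotPassword() is not proof of delivery: a pool that
    // hides user-existence errors answers as if a code had been sent.
    return phase === 'request' ? 'ENTER_RESET_CODE' : 'SIGN_IN';
  }
  switch (errorName(err)) {
    case 'UserNotConfirmedException':
      return 'CONFIRM_SIGN_UP';
    case 'InvalidParameterException': // assumed: no verified phone/email
      return phase === 'request' ? 'CONFIRM_SIGN_UP' : 'GENERIC_ERROR';
    case 'ExpiredCodeException':
      // Reported above for unconfirmed users: offer sign-up confirmation
      // next to "request a new code" instead of looping on the reset form.
      return 'CONFIRM_SIGN_UP_OR_NEW_CODE';
    case 'CodeMismatchException':
      return 'ENTER_RESET_CODE';
    case 'LimitExceededException':
      return 'WAIT';
    default:
      // Includes UserNotFoundException: show nothing account-specific.
      return 'GENERIC_ERROR';
  }
}

async function requestReset(auth, username) {
  try {
    await auth.forgotPassword(username);
    return nextStep('request');
  } catch (err) {
    return nextStep('request', err);
  }
}

async function submitReset(auth, username, code, newPassword) {
  try {
    await auth.forgotPasswordSubmit(username, code, newPassword);
    return nextStep('submit');
  } catch (err) {
    return nextStep('submit', err);
  }
}
```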

@github-actions

github-actions bot commented Dec 3, 2021

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 3, 2021