Cannot check if email is unconfirmed without password #8585

Open
3 tasks done
opqpop opened this issue Jul 13, 2021 · 6 comments
Labels
Auth Related to Auth components/category Cognito Related to cognito issues feature-request Request a new feature Service Team Issues asked to the Service Team


opqpop commented Jul 13, 2021

Before opening, please confirm:

JavaScript Framework

React, Next.js

Amplify APIs

Authentication

Describe the bug

Is there a way to pass ONLY an email and check if that email is confirmed?

I am trying to handle this case:

  • user creates account with email and does not verify, account remains unconfirmed
  • user forgets password and tries to reset password, but Cognito doesn't send password code for unconfirmed account
  • I would like to detect if the email is unconfirmed, and tell user to first verify the email before trying to reset the password.

From browsing around, it seems like the only way to check if an email is confirmed is to also have the password to catch the UserNotConfirmedException during sign-in.

Expected behavior

A way to handle the above scenario somehow, without confusing the user about why they aren't getting a reset email for being unconfirmed.

@chrisbonifacio chrisbonifacio added feature-request Request a new feature Auth Related to Auth components/category labels Jul 14, 2021
@chrisbonifacio chrisbonifacio self-assigned this Jul 14, 2021
@elorzafe
Contributor

@opqpop What happens if you try Auth.resendSignUp for that user as a workaround?

@tommulkins

@elorzafe That really isn't a solution though because you don't know if the user is confirmed or not. If you use Auth.resendSignUp on an email already confirmed, it still sends a verification code.

Either there needs to be a way to look up a user by username or email to find out if it's confirmed, or functions like Auth.forgotPassword should include unconfirmed users to both reset the password and confirm the account.


geauser commented Nov 18, 2021

Any solution to this issue in sight?


Namstel commented Jun 28, 2022

I found this comment:
#7253 (comment)

When you set PreventUserExistenceErrors to 'LEGACY' or false in your User Pool Client/App client, you will get more errors.

@nadetastic nadetastic added Cognito Related to cognito issues Service Team Issues asked to the Service Team labels Jan 24, 2023
@nadetastic
Member

Hi @geauser @tommulkins @opqpop

As mentioned by @Namstel, allowing "user exist errors" (by disabling Prevent user existence errors) will return more helpful errors to the client that can guide users through the process better.

For example, trying to reset the password of a user that doesn't have their email/phone verified will result in the following error:

Cannot reset password for the user as there is no registered/verified email or phone_number

Which you can catch and use to redirect the user to resend a verification code.

@luisabtrace

Hi all, we've just been hit by this issue. User registers, verification email goes to spam, user wonders what happened and then tries to reset the password but never receives the e-mail or sees any sign that something went wrong.

Changing PreventUserExistenceErrors to LEGACY is not an option because I think the LEGACY behaviour is a bad practice and I prefer the non-legacy one.

The obvious option here is to create some sort of endpoint in our backend that checks if the account is verified and then either sends the recovery code email or the account verification one, but it would be nice if there was an easier solution.
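
One way to build the backend endpoint described in the last comment, as an added example that is not part of the original thread or of Amplify: the handler checks confirmation status server-side, sends either the verification or the reset email, and returns the same reply in every case, so the non-LEGACY property of not revealing whether an address is registered is kept. The `directory` adapter, its method names and the sample addresses are hypothetical; the status strings follow Cognito's `UNCONFIRMED` / `CONFIRMED` user statuses.

```javascript
// Added example (not Amplify or Cognito code). `directory` is a hypothetical
// adapter whose methods would wrap the user-pool admin lookup, the
// forgot-password call and the resend-confirmation call in a real backend.
const GENERIC_REPLY = Object.freeze({
  status: 200,
  body: "If an account exists for this address, an email has been sent.",
});

async function handleRecoveryRequest(directory, rawEmail) {
  const email = String(rawEmail || "").trim().toLowerCase();
  // Malformed input gets the same reply as everything else.
  if (!/^[^@\s]+@[^@\s]+$/.test(email)) return GENERIC_REPLY;
  try {
    const status = await directory.getStatus(email); // null if unknown
    if (status === "UNCONFIRMED") {
      await directory.resendConfirmation(email); // verify first
    } else if (status === "CONFIRMED") {
      await directory.sendResetCode(email);
    }
    // Unknown address or any other status: send nothing.
  } catch (err) {
    // Log server-side only; the caller never sees the failure reason.
    console.error("recovery request failed:", err.message);
  }
  return GENERIC_REPLY;
}

// Constructed in-memory stand-in for the user pool, recording what was sent.
function makeFakeDirectory(users) {
  const sent = [];
  return {
    sent,
    getStatus: async (e) => users[e] ?? null,
    resendConfirmation: async (e) => { sent.push(["confirm", e]); },
    sendResetCode: async (e) => { sent.push(["reset", e]); },
  };
}

async function demo() {
  const dir = makeFakeDirectory({
    "new@example.test": "UNCONFIRMED", // constructed sample accounts
    "old@example.test": "CONFIRMED",
  });
  const replies = [];
  for (const e of ["new@example.test", "old@example.test", "nobody@example.test"]) {
    replies.push(await handleRecoveryRequest(dir, e));
  }
  return { replies, sent: dir.sent };
}
```

The three branches do different amounts of work, so response time can still differ between them; queueing the send and replying immediately, plus rate limiting per address and per client, closes that gap.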
