Auth0 Home Blog Docs

Allow user to change their password and enable / disable MFA from within a single page react app?

I want to allow a user to edit their password and enable/disable MFA from within their account settings page in my single page react app.

Is it required to proxy these requests through my own backend service?

I found this post Allow the user to change their password from a profile screen and it sounds like it I have to implement this myself using my own backend…?

I currently use Cognito, which allows a client to do this, see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ChangePassword.html

I don’t understand why such a common feature would not be supported by auth0… Implementing this myself is certainly possible, but it just adds one more surface for attack, or someone to accidentally log passwords, etc… isn’t this the whole reason for using a service like auth0?

Hello @knap1930,

Welcome to the Community!

Changing a password in an SPA is a Very Bad Idea. If your user’s device / browser is compromised, you have to assume their password is compromised as well. This would also be true of an SPA in front of Cognito. Using a backend allows you to handle these sorts of things securely (and solves the general issues with the implicit grant as well). Even then, I would suggest using Auth0’s native change / reset password email functionality, which removes all password handling from your own apps.

hey @markd, thanks for the response! just have a few questions :slight_smile:

Changing a password in an SPA is a Very Bad Idea. If your user’s device / browser is compromised, you have to assume their password is compromised as well.

How is this any different if it wasn’t a SPA?

This would also be true of an SPA in front of Cognito. Using a backend allows you to handle these sorts of things securely (and solves the general issues with the implicit grant as well). Even then, I would suggest using Auth0’s native change / reset password email functionality, which removes all password handling from your own apps.

I don’t understand. Cognito has just provided the backend endpoint for you, instead of having to implement in my own backend service.

In my SPA, I would send the user over to auth0’s hosted login page, which after successful login, redirects back to my SPA, where I now have a valid token.

If auth0 would have an endpoint that takes in this token, their old password, and new password (this is what Cognito’s endpoint requires). I fail to see how this is less secure than me adding my own endpoint, which in turns calls auth0’s endpoint? I’d argue me implementing this myself is less secure… now my backend has to deal with a users password.