Allow user to change their password and enable / disable MFA from within a single-page React app?

I want to allow a user to edit their password and enable/disable MFA from within their account settings page in my single-page React app.

Is it required to proxy these requests through my own backend service?

I found this post Allow the user to change their password from a profile screen and it sounds like I have to implement this myself using my own backend…?

I currently use Cognito, which allows a client to do this, see ChangePassword - Amazon Cognito User Pools

I don’t understand why such a common feature would not be supported by auth0… Implementing this myself is certainly possible, but it just adds one more surface for attack, or someone to accidentally log passwords, etc… isn’t this the whole reason for using a service like auth0?

Hello @knap1930,

Welcome to the Community!

Changing a password in an SPA is a Very Bad Idea. If your user’s device / browser is compromised, you have to assume their password is compromised as well. This would also be true of an SPA in front of Cognito. Using a backend allows you to handle these sorts of things securely (and solves the general issues with the implicit grant as well). Even then, I would suggest using Auth0’s native change / reset password email functionality, which removes all password handling from your own apps.

Hey @markd, thanks for the response! I just have a few questions :slight_smile:

Changing a password in an SPA is a Very Bad Idea. If your user’s device / browser is compromised, you have to assume their password is compromised as well.

How is this any different if it wasn’t a SPA?

This would also be true of an SPA in front of Cognito. Using a backend allows you to handle these sorts of things securely (and solves the general issues with the implicit grant as well). Even then, I would suggest using Auth0’s native change / reset password email functionality, which removes all password handling from your own apps.

I don’t understand. Cognito has just provided the backend endpoint for you, instead of having to implement in my own backend service.

In my SPA, I would send the user over to auth0’s hosted login page, which after successful login, redirects back to my SPA, where I now have a valid token.

If auth0 had an endpoint that takes in this token, their old password, and new password (this is what Cognito’s endpoint requires), I fail to see how this is less secure than me adding my own endpoint, which in turn calls auth0’s endpoint. I’d argue me implementing this myself is less secure… now my backend has to deal with a user’s password.

Update Password (without sending a password reset email) and Reset Multifactor operations are both available only via the Management API. Since the following are the only scopes available for the Management API via a non-confidential client (like an SPA), the above operations are not possible (or recommended) via an SPA for security reasons.


Thank you @jatinvaidya for sharing that knowledge!
