Display password change required on universal login page

Hi,

I’ve spent some time looking around the docs for this but haven’t found anything related to customizing this. For context, we’ve started with a trickle migration and are now looking to get our remaining users bulk migrated so we can disconnect our custom database.

When testing the migrated user login, I noticed the logs show a “Password change required”. This is because our custom hash is not valid. Because of this, we are looking to have users change their passwords after being bulk migrated. Is there a way to surface this error message in the universal login? I know we can trigger the password reset emails on our end, but people miss emails all the time and it would be nice for them to get feedback on the login page if possible. Thanks in advance and I appreciate the help!

Harry


Hi @harry.hause,

Welcome to the Auth0 Community!

There isn’t a way to display the error directly on the Universal Login page.

However, you could workaround this by using a post login action. With a post login action, you could check for the event.user.last_password_reset timestamp to see if they have changed their password since they were migrated. If not, you can inform them about resetting their passwords.

There are a couple of ways to approach this, either by denying their login and displaying the message on the callback URL or by redirecting them to another page to let them know about resetting their passwords.

Here is an example:

exports.onExecutePostLogin = async (event, api) => {
  // Deny if the user has not reset their password since the bulk import.
  const migratedAt = new Date('2024-03-19T15:41:33.529Z').valueOf();
  const lastReset = new Date(event.user.last_password_reset || 0).valueOf();
  if (lastReset <= migratedAt) {
    api.access.deny("Please change your password before continuing.");
  }
};

I hope this helps!

Thanks,
Rueben
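As an added example (not Rueben's code, and not Auth0's own), here is a fuller version of that post-login Action together with a small offline harness so the decision logic can be exercised without a tenant. It treats a user as needing a reset when an app_metadata.migrated flag (assumed to be set by your bulk import job) is present and last_password_reset is either missing or predates the import timestamp; it then chooses between api.access.deny (the message lands in error_description on the callback URL) and api.redirect.sendUserTo (an explanatory page) based on a hypothetical USE_REDIRECT configuration value, and shows how the application can read the denial reason back out of the callback URL. MIGRATION_CUTOFF, RESET_PAGE_URL, the migrated flag, USE_REDIRECT and the sample users are all assumptions.

```javascript
// Added example, not from the original thread. Assumed values:
// MIGRATION_CUTOFF is the timestamp you recorded for the bulk import,
// RESET_PAGE_URL is a hypothetical page in your own app.
const MIGRATION_CUTOFF = '2024-03-19T15:41:33.529Z';
const RESET_PAGE_URL = 'https://app.example.com/password-reset-required';

// True when the user was bulk-imported (assumed app_metadata.migrated flag)
// and has not reset their password after the cutoff. A missing
// last_password_reset means the user has never reset at all.
function needsPasswordReset(user, cutoff = MIGRATION_CUTOFF) {
  const migrated = !!(user.app_metadata && user.app_metadata.migrated === true);
  if (!migrated) return false;
  if (!user.last_password_reset) return true;
  return new Date(user.last_password_reset).valueOf() <= new Date(cutoff).valueOf();
}

// Action entry point. Deny surfaces the reason as error_description on the
// app's callback URL; redirect sends the browser to an explanatory page
// (the Action then needs an onContinue handler when the user comes back).
const onExecutePostLogin = async (event, api) => {
  if (!needsPasswordReset(event.user)) return;
  const useRedirect = event.configuration && event.configuration.USE_REDIRECT === 'true';
  if (useRedirect) {
    api.redirect.sendUserTo(RESET_PAGE_URL, { query: { reason: 'password_reset_required' } });
    return;
  }
  api.access.deny('Please change your password before continuing.');
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Application side: after api.access.deny, Auth0 redirects to the callback
// with error=access_denied and the denial message in error_description.
function deniedMessage(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('error') !== 'access_denied') return null;
  return params.get('error_description');
}

// Minimal stand-in for the Actions `api` object so the logic runs offline.
function mockApi() {
  const calls = [];
  return {
    calls,
    access: { deny: (reason) => calls.push({ type: 'deny', reason }) },
    redirect: { sendUserTo: (url, opts) => calls.push({ type: 'redirect', url, opts }) },
  };
}

// Constructed sample users (not real accounts).
const SAMPLE_USERS = {
  migratedNeverReset: { user_id: 'auth0|migrated1', app_metadata: { migrated: true } },
  migratedReset: {
    user_id: 'auth0|migrated2',
    app_metadata: { migrated: true },
    last_password_reset: '2024-03-20T10:00:00.000Z',
  },
  native: { user_id: 'auth0|native1', last_password_reset: '2023-01-01T00:00:00.000Z' },
};

// Runs the Action against a sample user and returns the api calls it made.
// The Action body contains no awaits, so the calls are recorded synchronously.
function runAction(user, configuration = {}) {
  const api = mockApi();
  onExecutePostLogin({ user, configuration }, api);
  return api.calls;
}

console.log(runAction(SAMPLE_USERS.migratedNeverReset));
console.log(runAction(SAMPLE_USERS.migratedNeverReset, { USE_REDIRECT: 'true' }));
console.log(deniedMessage(
  'https://app.example.com/callback?error=access_denied&error_description=Please%20change%20your%20password%20before%20continuing.'
));
```

The flag on app_metadata matters: comparing last_password_reset against the cutoff alone would also catch long-standing non-migrated users who simply never reset, which is not what you want. If you pick the redirect route, remember that the redirect happens before the session is issued, so the explanatory page must not require the user to be logged in.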

Hi Rueben,

Thanks for the quick response. I tried your suggestion and should add that we are unable to migrate the users’ passwords due to the hashing mechanism in our previous database.

This prevents the post-login action from running for a user since the password cannot be validated. Here is a more detailed screenshot of the error message from above:

Is there any way to check a piece of user_metadata before validating the password so a message can be displayed?

Hi @harry.hause,

Thanks for the update.

The “Password change required” error message happens when a user logs in with the wrong credentials after a password hash import and before a successful login.

(Reference: Password Change Required After Password Hash Import)

In this case, there’s an inherent issue with the imported users’ password hashes. Either the user submitted the wrong credentials, or the password hash import is incorrect.

I would suggest investigating this further to reduce the number of affected users from logging in.

As for checking for the user_metadata before validating the password, this won’t be possible since the post-login action will only execute after a user submits the correct credentials.
