Cognito ForgotPassword Console, API & Amplify Console returns "InvalidParameterException: Cannot reset password for the user as there is no registered/verified email or phone_number" — even though the email is already verified.

[howking]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

This is the same bug as #7101, which has not been resolved yet.

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-amplify/backend@1.16.1

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v22.17.0

Reproduction Steps

1. Deploy the backend with the following configuration (with EMAIL_OTP enabled):

// auth/resource.ts
export const auth = defineAuth({
  loginWith: {
    email: true
  },
  multifactor: {
    mode: 'OPTIONAL',
    sms: false,
  },...

2. Use the Amplify API to sign up (set a password and verify the email address with the confirmation code).
3. Select password reset at the user on Amplify Web Console or call resetPassword() api

Observed Behavior

For users without MFA enabled, password reset works both via API and the console.
For users with MFA enabled, attempting to reset the password via API or the console results in an error.

Expected Behavior

The verification code is emailed to the user.

Possible Solution

No response

Additional Information/Context

No response

[aBurmeseDev]

Hi @howking - thanks for reaching out.

As previously mentioned in #7101, this's service Exception where the email isn't verified. I reached out to service team for insight and here's what they said:

InvalidParameterException was being thrown because the end user was making a valid request with the proper credentials against a user that does exist, but the email could not be sent because the email is not verified. Fake code delivery details would be returned if PreventUserExistenceErrors=ENABLED and the end user makes a request against a user that does not exist or against a valid user but with the wrong credentials. If the customer wants to see the actual error message that the user is not found (and it meets their security needs) they can try setting PreventUserExistenceErrors to LEGACY.

Since this isn't a bug in SDK or service, I'm going to set this to auto-close. Let us know if you have any other question.