Skip to content

Feat/mfa recover self serve#1014

Merged
isabeleliassen merged 49 commits intocsg-org:developmentfrom
InspiringApps:feat/mfa-recover-self-serve
Aug 26, 2025
Merged

Feat/mfa recover self serve#1014
isabeleliassen merged 49 commits intocsg-org:developmentfrom
InspiringApps:feat/mfa-recover-self-serve

Conversation

@landonshumway-ia
Copy link
Copy Markdown
Collaborator

@landonshumway-ia landonshumway-ia commented Aug 14, 2025
edited by coderabbitai Bot
Loading

We are planning on enforcing MFA for practitioners in the system. In the event that a practitioner loses their MFA device (ie their phone breaks) they will need a way to recover their account and reset their MFA. AWS Cognito does not support this out of the box. We need to implement a custom solution for this which will delete the old Cognito user account and recreate them with a new invite/temporary password. From there they can log in and reset a new password as well as their MFA option.

This recovery process includes the following steps:

User requests MFA reset by submitting username / password and license info
Backend verifies the provided license data matches one of the license records.
That endpoint attempts the first leg of authentication server-to-server against Cognito; validates that the password authentication step was successful
Backend then sends a link to the user's email confirming they want to reset their MFA. The link includes a recovery token, which has a 15 minute expiry.
The link lands the user on a frontend page that attempts to validate the recovery token against the backend. If successful, the backend deletes and then recreates the user's Cognito account, which sends a new invitation email
From there the user can use the invitation email with the temp password to continue and setup their new account

Closes #982

Summary by CodeRabbit

  • New Features

    • Provider account recovery: initiate & verify endpoints, emailed recovery link with expiry, reCAPTCHA protection, per-provider rate limits, automatic account-recreation flow, password hashing/verification, and MFA recovery notices in emails.

  • Chores

    • Consolidated provider-user Lambdas into a dedicated API Lambda stack; CI now enforces updating the OpenAPI spec when endpoints change; dependency upgrades; enforced password history; small registration processing delay; WAF body-size override; refreshed Postman collection.

  • Documentation

    • PR template reminder to update the OpenAPI spec when API endpoints are modified.

  • Tests

    • New unit, function, integration, and smoke tests covering recovery flows, emails, tokens, rate limits, and error cases.

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@jlkravitz jlkravitz jlkravitz approved these changes

@isabeleliassen isabeleliassen Awaiting requested review from isabeleliassen

+1 more reviewer

@jusdino jusdino jusdino approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Practitioner Self-Serve Account Recovery for lost MFA - BE

4 participants

@landonshumway-ia @jlkravitz @jusdino @isabeleliassen