Existing password provided workflow

Trigger: user:existing_password_provided

This trigger fires after an existing password is entered in the sign-in flow.

Security considerations

Link to this section

Security is at the heart of our technical decisions at Kinde, and keeping user passwords safe is a huge part of this. Therefore:

• Any attempt to log the password out to the console in this workflow will be redacted
• API calls can only be made from these workflows using the Kinde provided secureFetch method which secures the payload with an encryption key

Example use cases

Link to this section

Drip feed migration

Link to this section

For gradual migrations to Kinde where you wish to check the password against an external database before creating the user in Kinde.

Workflow code

Link to this section

The event object

Link to this section

The main argument provided to your code is the Kinde workflow event object which has two keys request and context. This gives you access to the reason the workflow was triggered. Here’s an example:

{
  "request": {},
  "context": {
    "domains": {
      "kindeDomain": "https://example.kinde.com" // Your Kinde domain
    },
    "auth": {
          "provided email": x_provided_email, // the email provided by the user
          "password":"someSecurePassword", // the raw password
          "hashedPassword": "someHash", // the hashed password,
           "hasUserRecordInKinde":  false // whether the user exists already in Kinde
       },
    "user": {
      "id": "kp_1234566" // only provided in password reset flows as otherwise new user
    }
}

Workflow settings

Link to this section

export const workflowSettings = {
  id: "verifyPassword",
  name: "Verify password",
  failurePolicy: {
    action: "stop",
  },
  trigger: "user:existing_password_provided",
  bindings: {
    "kinde.secureFetch": {}, // Required for external API calls
    "kinde.widget": {}, // Required to invalidate the form
  },
};

Secure fetch binding

Link to this section

When an API call is made using kinde.secureFetch() the body is automatically encrypted with the active encryption key for the workflow. This can be generated under Workflow > Encryption keys.

You will need to use the same encryption key in your own code to decrypt the payload on arrival. This ensures secure transfer of the password.

We handle the encryption for you so your code might look like:

const response = await kinde.secureFetch(`<YOUR_EXTERNAL_PASSWORD_DATABASE_ENDPOINT`, {
        method: 'POST',
        responseFormat: 'json',
        headers: {
            'content-type': 'application/json'
        body: {
        email: event.context.auth.providedEmail,
        password: event.context.auth.password
    }
    });

Widget binding

Link to this section

The kinde.widget binding gives you access to the Kinde widget, which is the central form on the page. In this case the form with the two password fields.

It exposes a method for invalidating a form field invalidateFormField

kinde.widget.invalidateFormField(fieldName, message);

Example

const isMinCharacters = context.auth.Password.length >= 50;

kinde.widget.invalidateFormField("p_password", "Nope");

The field names for this workflow are

Field name	Description
p_password	The password field