bug with SOFTWARE_TOKEN_MFA if you use CUSTOM_AUTH flow #9592

Comments
@sammartinez any news?

@sammartinez any news?

@sammartinez @Fomin2402 @robbevan @calavera any news?

Cognito's team is unreliable

@sammartinez any news? Bug/issue is still actual

@nickarocho

Hi @Fomin2402, thank you for your patience. We are currently working on reproducing the issue on our side to fully understand the scope of the problem and pinpoint the root cause. I'll reach back out when I have a working sample representing the exact flow you've described here. Thanks!

@nickarocho Ok, as I can see there are no options for Custom Auth flow with BUT, as you can see here [2], Custom Auth Flow allows developers to use Custom Auth Flow with SRP. Please tell us why this is so and what to do? [1] Define Auth challenge Lambda trigger - Define Auth challenge request parameters

Yes, also this is the runtime error in the Amplify lib

Another member of our team was able to reproduce the problem. We have this issue triaged internally and will be working on a fix. Thanks again for bringing this to our attention.

@nickarocho

Hi @Fomin2402 - we do not have an update on this from our end. We will reply back on this issue when we have updates!

Any news?

Does anyone know of a solution for this?

Are there any updates? @nickarocho

We are looking into this issue to determine the root cause of where the bug comes from and will update this issue soon.

Updates?
Any news? That's exactly the flow breaking for me:

```javascript
import { Amplify, Auth } from 'aws-amplify'
import pkg from 'prompt-sync'

const prompt = pkg({ sigint: true })

// Placeholder values for the user pool and app client
const region = 'xx-xxxx-x'
const pool_id = 'xx-xxxx-x_xxxxxxxx'
const client_id = 'xxxxxxxxxxxxxxxxxxxxxxxx'
const username = 'xxxxx'
const password = 'xxxxx'

Amplify.configure({
  Auth: {
    region: region,
    userPoolId: pool_id,
    userPoolWebClientId: client_id,
    mandatorySignIn: false,
    authenticationFlowType: 'CUSTOM_AUTH'
  }
})

async function login() {
  let resp = await Auth.signIn(username, password)
  console.log(resp)

  // Users with TOTP enabled get the SOFTWARE_TOKEN_MFA challenge first
  if (resp?.challengeName === 'SOFTWARE_TOKEN_MFA') {
    const mfa_code = prompt('Enter MFA code: ')
    resp = await Auth.confirmSignIn(resp, mfa_code, 'SOFTWARE_TOKEN_MFA')
    console.log(resp)
  }

  // The custom (email code) challenge follows the MFA step
  if (resp?.challengeName === 'CUSTOM_CHALLENGE') {
    const email_code = prompt('Enter the EMAIL code: ')
    // breaks with the mentioned error:
    // TypeError: Cannot read properties of undefined (reading 'NewDeviceMetadata')
    resp = await Auth.sendCustomChallengeAnswer(resp, email_code)
    console.log(resp)
  }

  console.log(`Access token: ${resp?.signInUserSession?.accessToken?.jwtToken}`)
}

await login()
```
I have the exact same problem with the
This is breaking my login flow logic, where I need to use a CUSTOM_CHALLENGE after MFA.

Hello, I'm getting the same issue while implementing the custom auth flow, is there any update on this one?

Hi, also getting the same issue when trying to implement CUSTOM_CHALLENGE -> SOFTWARE_TOKEN_MFA. I'm getting the error "Invalid code or auth state for the user" even though the MFA code is correct.

For anyone following this issue, this issue has been replicated on v5 but is resolved in v6 of Amplify. Can anyone migrate to v6 and let us know if they still run into the issue?

I'm trying to implement email 2FA with TOTP using Amplify v6, but the sign-in process always returns CONFIRM_SIGN_IN_WITH_TOTP_CODE even though the auth flow is set to CUSTOM_WITH_SRP. After disabling 2FA from the Cognito pool, it returns CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE. How can we enable 2FA with TOTP using the default flow and email 2FA with the custom flow?

I also have a need for this use case and have thought of a possible workaround. Since I am already using custom auth for SMS and returning that answer via Amplify Auth.sendCustomChallengeAnswer(cognitoUser, code), which is received by my verifyAuthChallenge Lambda trigger and verified. Why not use the same Amplify method to send the TOTP code to the verifyAuthChallenge Lambda and have it call the Cognito API respondToAuthChallenge method to validate the code? Doing a quick test with the following payload from Lambda successfully returned the AccessToken, RefreshToken and IdToken. { Anyone see any issues with doing this?

I have updated to Amplify V6 and continue to experience this same issue.
JavaScript Framework: React
Amplify APIs: Authentication
Amplify Categories: auth
Environment information
Describe the bug
The main problem is in Custom Auth Challenge Lambda Triggers.

On the project we use Amplify.js (Auth library) on the frontend (React) and an AWS Cognito User Pool (as part of the infrastructure) on the server side.

As you can see in the docs, AWS Cognito provides different ways to use its authentication functionality:

Auth Flows Configurations:
ALLOW_ADMIN_USER_PASSWORD_AUTH
ALLOW_CUSTOM_AUTH
ALLOW_USER_PASSWORD_AUTH
ALLOW_USER_SRP_AUTH
ALLOW_REFRESH_TOKEN_AUTH

There was ALLOW_USER_SRP_AUTH by default, which lets users use SOFTWARE MFA as the 2nd authentication factor. Later we ran into a problem with bruteforcing of our users' accounts.

So at first we wanted to try to set up a firewall for our Cognito User Pool (but we discovered that in our case it's impossible to set up a custom domain for the Cognito User Pool with CloudFlare (for example), or to somehow override Cognito's default firewall setup, cause we realized that Cognito's default firewall is quite silly and fails to do its job). So the idea with the firewall does not seem to work.

Ok, the next thing we decided to try was to add Google recaptcha v3. The frontend requests a recaptcha from Google and then puts it into the metadata at Auth.signIn. On the server side the recaptcha is processed at the PreAuth Lambda trigger. It only worked for a couple of months, cause we got this situation: when attackers try to bruteforce our app with thousands of requests from hundreds of IPs, recaptcha v3 goes crazy and returns a very low score (from 0.1 to 0.3) for all requests (good users also get a low score and can't log in).

So, we decided to try to implement Custom Auth Challenge Lambda Triggers, cause this allows us to move recaptcha validation to the next steps and to implement our custom DDOS protection mechanism at the PreAuth trigger. So, the SignIn request flow will be like this:

1. Frontend calls Auth.signIn and sends the first request to Cognito with action AWSCognitoIdentityProviderService.InitiateAuth.
2. The Cognito PreAuth trigger validates this request with our custom DDOS protection mechanism; if everything is ok, request processing will continue, otherwise the auth flow will be stopped with an error.
3. After the PreAuth trigger this request will be processed at the DefineAuthChallenge trigger, which will recognize that this is an initial request (cause it has only challengeName === "SRP_A") and answer with a response: AWSCognitoIdentityProviderService.RespondToAuthChallenge with challengeName: "PASSWORD_VERIFIER".
4. This request will be processed at the DefineAuthChallenge trigger again, but will respond with: And then (cause we return challengeName: "CUSTOM_CHALLENGE") the CreateAuthChallenge trigger will intercept this response to create our custom challenge.
5. Frontend will process this response with challengeName: "CUSTOM_CHALLENGE", use the recaptcha as an answer and send a request to Cognito with action AWSCognitoIdentityProviderService.RespondToAuthChallenge with challengeName: "CUSTOM_CHALLENGE".
6. This request will be processed at the VerifyAuthChallengeResponse trigger (just recaptcha v3 server-side validation based on score).

SO, the whole flow works fine if users use only one factor for authentication; in our case it's login with password.

BUT if a user has a second authentication factor (in our case it's optional for users) such as SOFTWARE_TOKEN_MFA, the flow will be broken on the step when the client receives a response from Cognito (even if the MFA validation was successful) with error Cannot read properties of undefined (reading 'NewDeviceMetadata').

BTW:
Some time ago, we received advice from AWS Support about how to protect from bruteforcing:
just use our Adding advanced security feature with additional charges and everything will be fine!
BUT:
Also there is a question on stackoverflow.
Expected behavior
Just to add that we're seeing exactly the same issue here.
- ALLOW_CUSTOM_AUTH
- ChallengeName: "PASSWORD_VERIFIER"
- ChallengeName: "SOFTWARE_TOKEN_MFA"
- ChallengeName: "SOFTWARE_TOKEN_MFA"

Reproduction steps
- ALLOW_CUSTOM_AUTH
- ChallengeName: "PASSWORD_VERIFIER"
- ChallengeName: "SOFTWARE_TOKEN_MFA"
- Cannot read properties of undefined (reading 'NewDeviceMetadata')
Code Snippet
DefineAuthChallenge trigger:
CreateAuthChallenge trigger:
VerifyAuthChallengeResponse trigger:
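The reporter's trigger code was not captured on this page. The following is an added example, not the issue author's code, of a DefineAuthChallenge handler implementing the flow described in the bug report (SRP_A, then PASSWORD_VERIFIER, then CUSTOM_CHALLENGE, then tokens), written against the documented Cognito trigger event shape (event.request.session, event.response). How it treats a SOFTWARE_TOKEN_MFA session entry is an assumption: a successful MFA step is handled like a successful PASSWORD_VERIFIER so the custom challenge still follows it.

```javascript
// Decide the next step of the custom auth flow from the challenge history
// Cognito passes in event.request.session. Returns the mutated event.
function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const response = event.response;

  // Any failed step (wrong password, wrong TOTP code, rejected recaptcha)
  // or an unknown user ends the flow without tokens.
  if (event.request.userNotFound || session.some((s) => s.challengeResult === false)) {
    response.issueTokens = false;
    response.failAuthentication = true;
    return event;
  }

  const last = session[session.length - 1];
  response.issueTokens = false;
  response.failAuthentication = false;

  if (!last || last.challengeName === 'SRP_A') {
    // Initial request from Auth.signIn: ask the client for the SRP password proof.
    response.challengeName = 'PASSWORD_VERIFIER';
  } else if (last.challengeName === 'PASSWORD_VERIFIER' ||
             last.challengeName === 'SOFTWARE_TOKEN_MFA') {
    // Password verified (and, for MFA users, the TOTP code too; assumption):
    // now CreateAuthChallenge builds the recaptcha challenge.
    response.challengeName = 'CUSTOM_CHALLENGE';
  } else if (last.challengeName === 'CUSTOM_CHALLENGE') {
    // Recaptcha answer accepted by VerifyAuthChallengeResponse: issue tokens.
    response.issueTokens = true;
  } else {
    // Unexpected challenge name: fail closed.
    response.failAuthentication = true;
  }
  return event;
}

// Constructed helper: build a trigger event from a session history.
function triggerEvent(session, userNotFound = false) {
  return { request: { session, userNotFound }, response: {} };
}
```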