aws-amplify
bug with SOFTWARE_TOKEN_MFA if you use `CUSTOM_AUTH` flow
Before opening, please confirm:
- [X] I have searched for duplicate or closed issues and discussions.
- [X] I have read the guide for submitting bug reports.
- [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
JavaScript Framework
React
Amplify APIs
Authentication
Amplify Categories
auth
Environment information
System:
OS: macOS 12.0.1
CPU: (8) x64 Apple M1
Memory: 25.52 MB / 8.00 GB
Shell: 5.8 - /bin/zsh
Binaries:
Node: 14.18.0 - ~/.nvm/versions/node/v14.18.0/bin/node
Yarn: 1.22.11 - /usr/local/bin/yarn
npm: 6.14.15 - ~/.nvm/versions/node/v14.18.0/bin/npm
Browsers:
Chrome: 98.0.4758.80
Safari: 15.1
npmPackages:
@aws-amplify/auth: ^4.4.1 => 4.4.1
@babel/core: 7.15.5 => 7.15.5 (7.16.0, 7.12.3, 7.13.8)
@babel/node: ^7.0.0 => 7.16.0
@babel/plugin-proposal-class-properties: 7.14.5 => 7.14.5 (7.16.0, 7.12.1)
@babel/preset-env: 7.15.6 => 7.15.6 (7.12.1)
@babel/preset-react: ^7.0.0 => 7.16.0 (7.12.1)
@fortawesome/fontawesome-svg-core: ^1.2.0-14 => 1.2.36
@fortawesome/free-solid-svg-icons: ^5.12.0 => 5.15.4
@fortawesome/react-fontawesome: 0.1.15 => 0.1.15
@freshes/jsdoc-template: ^1.0.0 => 1.0.0
@hookform/resolvers: ^2.8.5 => 2.8.5
@lingui/babel-preset-react: ^2.9.2 => 2.9.2
@lingui/cli: ^2.9.0 => 2.9.2
@lingui/core: ^2.9.0 => 2.9.2
@lingui/react: ^2.9.0 => 2.9.2
@testing-library/react: ^12.1.0 => 12.1.2
@wojtekmaj/enzyme-adapter-react-17: ^0.6.3 => 0.6.5
amazon-cognito-identity-js: ^5.1.0 => 5.2.3 (5.2.6)
apollo-link: ^1.2.4 => 1.2.14
apollo-link-http: ^1.5.7 => 1.5.17
babel-core: ^7.0.0-bridge.0 => 7.0.0-bridge.0
babel-eslint: ^10.1.0 => 10.1.0
babel-jest: ^27.1.1 => 27.3.1
babel-loader: ^8.1.0 => 8.2.3
babel-plugin-dynamic-import-node: ^2.3.3 => 2.3.3
babel-plugin-lodash: ^3.3.2 => 3.3.4
babel-plugin-named-asset-import: ^0.3.7 => 0.3.7
babel-plugin-styled-components: ^1.11.1 => 1.13.3
babel-plugin-syntax-dynamic-import: 6.18.0 => 6.18.0
babel-preset-react-app: ^10.0.0 => 10.0.0
bfj: ^7.0.2 => 7.0.2
big.js: ^6.1.1 => 6.1.1 (5.2.2, 3.2.0)
bip39: ^3.0.4 => 3.0.4
camelize: ^1.0.0 => 1.0.0
case-sensitive-paths-webpack-plugin: ^2.1.2 => 2.4.0
chokidar: ^3.5.2 => 3.5.2 (2.1.8)
class-validator: 1.0.0
clipboard: ^2.0.1 => 2.0.8
computed-types: 1.0.0
copy-webpack-plugin: ^6.4.1 => 6.4.1
cross-env: ^7.0.3 => 7.0.3
cypress: ^8.3.1 => 8.7.0
decamelize: ^4.0.0 => 4.0.0 (1.2.0)
docdash: 1.2.0 => 1.2.0
docs: 0.0.0
dotenv: ^10.0.0 => 10.0.0
dotenv-expand: ^5.1.0 => 5.1.0
effector: ^22.1.1 => 22.1.2
effector-logger: ^0.10.0 => 0.10.0
effector-react: ^22.0.4 => 22.0.4
enzyme: ^3.11.0 => 3.11.0
eslint: ^7.32.0 => 7.32.0
eslint-config-airbnb: ^18.2.1 => 18.2.1
eslint-config-prettier: ^8.3.0 => 8.3.0
eslint-config-react-app: ^6.0.0 => 6.0.0
eslint-config-standard: ^16.0.3 => 16.0.3
eslint-import-resolver-webpack: 0.13.1 => 0.13.1
eslint-loader: ^4.0.2 => 4.0.2
eslint-plugin-flowtype: ^5.9.2 => 5.10.0
eslint-plugin-import: ^2.14.0 => 2.25.3
eslint-plugin-jsx-a11y: ^6.1.1 => 6.5.1
eslint-plugin-node: ^11.1.0 => 11.1.0
eslint-plugin-prettier: ^4.0.0 => 4.0.0
eslint-plugin-promise: ^5.1.0 => 5.1.1
eslint-plugin-react: ^7.11.1 => 7.27.0
eslint-plugin-react-hooks: ^1.6.1 => 1.7.0
eslint-plugin-standard: ^5.0.0 => 5.0.0
file-loader: ^6.1.1 => 6.2.0
fs-extra: ^10.0.0 => 10.0.0 (9.1.0, 8.1.0, 7.0.1)
graphql: ^15.5.3 => 15.7.2
graphql-tag: ^2.10.0 => 2.12.6
history: ^5.0.1 => 5.1.0 (4.10.1)
html-webpack-plugin: ^4.5.2 => 4.5.2 (3.2.0)
husky: ^3.1.0 => 3.1.0
io-ts: 1.0.0
isomorphic-unfetch: ^3.0.0 => 3.1.0
jest: ^27.1.1 => 27.3.1
jest-canvas-mock: ^2.2.0 => 2.3.1
joi: 1.0.0
jsdoc: ^3.5.5 => 3.6.7
jsdoc-babel: 0.5.0 => 0.5.0
jsdom: ^17.0.0 => 17.0.0 (16.7.0)
lint-staged: ^11.1.2 => 11.2.6
live-server: ^1.2.0 => 1.2.1
lodash: ^4.17.21 => 4.17.21
markdown-jsx-loader: ^3.0.2 => 3.0.2
moment: ^2.21.0 => 2.29.1
nope: 1.0.0
numeral: ^2.0.6 => 2.0.6
opn: ^6.0.0 => 6.0.0 (5.5.0)
path: 0.12.7 => 0.12.7
plop: ^2.7.4 => 2.7.6
plop-example: undefined ()
prettier: ^2.2.1 => 2.4.1
prop-types: ^15.6.0 => 15.7.2
qrcode.react: 1.0.1 => 1.0.1
query-string: ^7.0.1 => 7.0.1 (6.14.1, 5.1.1)
rc-tooltip: ^5.1.1 => 5.1.1
react: ^17.0.2 => 17.0.2
react-dev-utils: ^11.0.3 => 11.0.4
react-document-title: ^2.0.3 => 2.0.3
react-dom: ^17.0.2 => 17.0.2
react-flip-move: ^3.0.4 => 3.0.4
react-google-recaptcha-v3: 1.9.7 => 1.9.7
react-hook-form: ^7.23.0 => 7.23.0
react-hot-loader: ^4.3.3 => 4.13.0
react-modal: ^3.4.5 => 3.14.4
react-on-screen: ^2.1.0 => 2.1.1
react-redux: ^7.2.5 => 7.2.6
react-router-dom: ^5.3.0 => 5.3.0
react-svg-loader: 3.0.3 => 3.0.3
react-transition-group: ^4.4.2 => 4.4.2 (2.9.0)
react-transition-group/CSSTransition: undefined ()
react-transition-group/ReplaceTransition: undefined ()
react-transition-group/SwitchTransition: undefined ()
react-transition-group/Transition: undefined ()
react-transition-group/TransitionGroup: undefined ()
react-transition-group/TransitionGroupContext: undefined ()
react-transition-group/config: undefined ()
redux: ^4.1.1 => 4.1.2
redux-mock-store: ^1.5.1 => 1.5.4
redux-thunk: ^2.2.0 => 2.4.0
reselect: ^4.0.0 => 4.1.4
style-loader: ^3.2.1 => 3.3.1
styled-components: ^5.3.1 => 5.3.3
styled-components/macro: undefined ()
styled-components/native: undefined ()
styled-components/primitives: undefined ()
styled-normalize: ^8.0.7 => 8.0.7
stylelint: ^13.13.1 => 13.13.1
stylelint-config-standard: ^22.0.0 => 22.0.0
stylelint-config-styled-components: 0.1.1 => 0.1.1
stylelint-processor-styled-components: ^1.10.0 => 1.10.0
superstruct: 1.0.0
terser-webpack-plugin: ^4.2.3 => 4.2.3 (1.4.5)
tinycolor2: ^1.4.1 => 1.4.2
tweetnacl: ^1.0.0 => 1.0.3 (0.14.5)
tweetnacl-util: 0.15.1 => 0.15.1
typanion: 1.0.0
ua-parser-js: 0.7.28 => 0.7.28
uglifyjs-webpack-plugin: ^2.2.0 => 2.2.0
url-loader: ^4.1.1 => 4.1.1
url-polyfill: ^1.0.13 => 1.1.12
vest: 1.0.0
webpack: ^4.44.2 => 4.46.0
webpack-bundle-analyzer: ^4.4.2 => 4.5.0
webpack-cli: 4.2.0 => 4.2.0
webpack-dev-server: ^3.11.1 => 3.11.3
webpack-manifest-plugin: ^2.2.0 => 2.2.0
yup: ^0.32.11 => 0.32.11 (1.0.0)
zod: 1.0.0
npmGlobalPackages:
npm: 6.14.15
Describe the bug
The main problem is in Custom Auth Challenge Lambda Triggers
On the project we use Amplify.js (Auth library) on frontend (react) and AWS Cognito User Pool (as a part of infrastructure) on the server side.
As you can see here at docs, AWS Cognito provides different ways how to use its authentication functional:
Auth Flows Configurations:
-
ALLOW_ADMIN_USER_PASSWORD_AUTH -
ALLOW_CUSTOM_AUTH -
ALLOW_USER_PASSWORD_AUTH -
ALLOW_USER_SRP_AUTH -
ALLOW_REFRESH_TOKEN_AUTH
There was ALLOW_USER_SRP_AUTH by default, which provide users to use SOFTWARE MFA as the 2th authentication factor.
later we ran into a problem with bruteforcing our users accounts.
So at first we'd like to try setup Firewall for our Cognito User Pool (but we discovered that in our case it's impossible to setup custom domain for Cognito User Pool with CloudFlare (for example), or somehow override setup Cognito's default Firewall, cause we relize that default Cognito's Firewall is quite silly and fails to do its job). So, the idea with firewall seems not work.
Ok, next one what we decided to try was to add Google recaptcha v3. Frontend requests google for a recaptcha and then puts it to a metadata at Auth.signIn .On the server side recaptcha is processed at PreAuth Lambda trigger. It only worked for a couple of months, cause we got situation:
when attackers try to bruteforce our app with thousands of request from hundreds IPs, recaptcha v3 goes crazy and returns very low score (from 0.1 to 0.3) for all requests (good users also get low score and can't login)
So, we decide to try to implement Custom Auth Challenge Lambda Triggers, cause this allows us to move recaptcha validation to a next steps and to implement our custom DDOS protection mechanism at PreAuth trigger.
So, the SignIn request flow will be like this:
-
Frontend call
Auth.signInand send first request to Cognito with actionAWSCognitoIdentityProviderService.InitiateAuth. CognitoPreAuthtrigger validates this request with our custom DDOS protection mechanism, if everything is ok, request processing will be continue, otherwise auth flow will be stopped with error. -
After
PreAuthtrigger this request will be processed atDefineAuthChallengetrigger, which will recognize that this is an initial request (cause it has onlychallengeName === "SRP_A") and answer with a resposne:
response = {
issueTokens: false,
failAuthentication: false,
challengeName: "PASSWORD_VERIFIER",
};
- Frontend will process this response under the hood with help of Amplify.auth and send next request to Cognito with action
AWSCognitoIdentityProviderService.RespondToAuthChallengewithchallengeName: "PASSWORD_VERIFIER". This request will be processed atDefineAuthChallengetrigger again, but will response with:
response = {
issueTokens: false,
failAuthentication: false,
challengeName: "CUSTOM_CHALLENGE",
};
And then (cause we return challengeName: "CUSTOM_CHALLENGE" ) CreateAuthChallenge trigger will intercept this response to create our custom challenge.
-
Frontend will process this response with
challengeName: "CUSTOM_CHALLENGE, use recaptcha as an answer and send request to Cognito with actionAWSCognitoIdentityProviderService.RespondToAuthChallengewithchallengeName: "CUSTOM_CHALLENGE. -
This request will be processed at
VerifyAuthChallengeResponsetrigger (just recaptcha v3 server side validation based on score)
SO, the whole flow works fine if users use only one factor for authentication, in our case its login with password.
BUT if user has a second authentication factor (in our case it's optional for users) such as SOFTWARE_TOKEN_MFA, the flow will be broken on step, when the client receives a response from Cognito! (even if the MFA validation was successful) with Error Cannot read properties of undefined (reading 'NewDeviceMetadata').
BTW: Some time ago, we received an advice from AWS Support about how to protect from bruteforcing: just use our Adding advanced security feature with additional charges and everything will be fine!
BUT:
- it looks like magic pandora box
- we tested it on staging for a half of year and it doesn't work so well as they said
Also there is a question on stackoverflow.
Expected behavior
Just to add that we're seeing exactly the same issue here.
- Configure the User Pool Client auth flow configuration to use
ALLOW_CUSTOM_AUTH - Configure the User Pool to remember users' devices
- Create user.
- Enable MFA (Software Token)
- Logout
- Clear local browser cache
- Auth.signIn (with
ChallengeName: "PASSWORD_VERIFIER") - Auth.confirmSignIn (with
ChallengeName: "SOFTWARE_TOKEN_MFA") - Auth.sendCustomChallengeAnswer (with
ChallengeName: "SOFTWARE_TOKEN_MFA") - Succes login, receive id, access and refresh tokens
Reproduction steps
- Configure the User Pool Client auth flow configuration to use
ALLOW_CUSTOM_AUTH - Configure the User Pool to remember users' devices
- Create user.
- Enable MFA (Software Token)
- Logout
- Clear local browser cache
- Auth.signIn (with
ChallengeName: "PASSWORD_VERIFIER") - Auth.confirmSignIn (with
ChallengeName: "SOFTWARE_TOKEN_MFA") - Receive error:
Cannot read properties of undefined (reading 'NewDeviceMetadata')
CognitoUser.js:808 Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'NewDeviceMetadata')
at CognitoUser.js:808:49
at Client.js:140:31
Code Snippet
DefineAuthChallenge trigger:
export const handler: Handler<DefineAuthChallengeTriggerEvent> = (
event: DefineAuthChallengeTriggerEvent,
context: Context,
callback: Callback<DefineAuthChallengeTriggerEvent>,
) => {
if (
event.request.session.length == 1 &&
event.request.session[0].challengeName == "SRP_A"
) {
event.response.issueTokens = false;
event.response.failAuthentication = false;
event.response.challengeName = "PASSWORD_VERIFIER";
} else if (
event.request.session.length == 2 &&
event.request.session[1].challengeName == "PASSWORD_VERIFIER" &&
event.request.session[1].challengeResult == true
) {
event.response.issueTokens = false;
event.response.failAuthentication = false;
event.response.challengeName = "CUSTOM_CHALLENGE";
} else if (
event.request.session.length == 3 &&
event.request.session[2].challengeName == "CUSTOM_CHALLENGE" &&
event.request.session[2].challengeResult == true
) {
event.response.issueTokens = true;
event.response.failAuthentication = false;
// CUSTOM FOR MFA
} else if (
event.request.session.length === 3 &&
event.request.session[2].challengeName === "SOFTWARE_TOKEN_MFA" &&
event.request.session[2].challengeResult === true
) {
event.response.issueTokens = false;
event.response.failAuthentication = false;
event.response.challengeName = "CUSTOM_CHALLENGE";
} else if (
event.request.session.length == 4 &&
event.request.session[3].challengeName == "CUSTOM_CHALLENGE" &&
event.request.session[3].challengeResult == true
) {
event.response.issueTokens = true;
event.response.failAuthentication = false;
} else {
event.response.issueTokens = false;
event.response.failAuthentication = true;
}
callback(null, event);
};
CreateAuthChallenge trigger:
export const handler: CreateAuthChallengeTriggerHandler = (
event: CreateAuthChallengeTriggerEvent,
context: Context,
callback: Callback<CreateAuthChallengeTriggerEvent>,
) => {
if (event.request.challengeName == "CUSTOM_CHALLENGE") {
event.response.publicChallengeParameters = {};
event.response.publicChallengeParameters.captchaUrl = "url/123.jpg";
event.response.privateChallengeParameters = {};
event.response.privateChallengeParameters.answer = "5";
event.response.challengeMetadata = "RECAPTCHA_CHALLENGE";
}
callback(null, event);
};
VerifyAuthChallengeResponse trigger:
export const handler: VerifyAuthChallengeResponseTriggerHandler = async (
event: VerifyAuthChallengeResponseTriggerEvent,
context: Context,
callback: Callback<VerifyAuthChallengeResponseTriggerEvent>,
) => {
try {
const { recaptchaToken: token } = JSON.parse(
event.request.challengeAnswer,
);
if(token !== "recaptchaToken") { throw new Error(); }
event.response.answerCorrect = true;
} catch (error) {
logger.error(error);
event.response.answerCorrect = false;
} finally {
callback(null, event);
}
};
Log output
// Put your logs below this line
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response
Hi @Fomin2402 , thank you for your patience. We are currently working on reproducing the issue on our side to fully understand the scope of the problem and pinpoint the root cause.
I'll reach back out when I have a working sample representing the exact flow you've described here. Thanks!
@nickarocho 20 days passed from your last update. This issue is open from 15 Feb 2022.
Ok, as I can see there are no options for Custom Auth flow with SOFTWARE_TOKEN_MFA challenge due to this link [1].
BUT, as you can see here [2], Custom Auth Flow allows developers to use Custom Auth Flow with SRP.
And if SOFTWARE_TOKEN_MFA is a necessary part of SRP Auth, why does it not available in Custom Auth Flow? For us, it's a real problem, cause we need to set up Custom Auth Flow on our production project with more than 100.000 users who can have an optional SOFTWARE MFA step.
Please tell us why this is so and what to do?
[1] Define Auth challenge Lambda trigger - Define Auth challenge request parameters
Yes, also this is the runtime error in Amplify lib
CognitoUser.js:808 Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'NewDeviceMetadata')
at CognitoUser.js:808:49
at Client.js:140:31
Another member of our team was able to reproduce the problem. We have this issue triaged internally and will be working on a fix. Thanks again for bringing this to our attention.
Hi @Fomin2402 - we do not have an update on this from our end. We will reply back on this issue when we have updates!
We are looking into this issue to determine the root cause of where the bug comes from and will update this issue soon.
Any news? This is a very important topic, I hope the team can decide to prioritize this fix ASAP. The difference is that instead of CAPTCHA I'm implementing a custom authentication flow with e-mail validation.
That's exactly the flow breaking for me:
import { Amplify, Auth } from 'aws-amplify'
import pkg from 'prompt-sync'
const prompt = pkg({ sigint: true })
const region = 'xx-xxxx-x'
const pool_id = 'xx-xxxx-x_xxxxxxxx'
const client_id = 'xxxxxxxxxxxxxxxxxxxxxxxx'
const username = 'xxxxx'
const password = 'xxxxx'
Amplify.configure({
Auth: {
region: region,
userPoolId: pool_id,
userPoolWebClientId: client_id,
mandatorySignIn: false,
authenticationFlowType: 'CUSTOM_AUTH'
}
})
async function login() {
var resp = await Auth.signIn(username, password)
console.log(resp)
if (resp?.challengeName === 'SOFTWARE_TOKEN_MFA') {
const mfa_code = prompt("Enter MFA code: ")
resp = await Auth.confirmSignIn(resp, mfa_code, 'SOFTWARE_TOKEN_MFA')
console.log(resp)
}
if (resp?.challengeName === 'CUSTOM_CHALLENGE') {
const email_code = prompt("Enter the EMAIL code: ")
// breakes with the mentioned error:
// TypeError: Cannot read properties of undefined (reading 'NewDeviceMetadata')
resp = await Auth.sendCustomChallengeAnswer(resp, email_code)
console.log(resp)
}
console.log(`Access token: ${resp?.signInUserSession?.accessToken?.jwtToken}`)
}
await login()
I have the exact same problem with the amazon-coginto-identity-js library. The error occurs while calling cognitoUser.sendMFACode(). None of the callback methods are called (onSuccess/onError), but an error is thrown instead:
TypeError: Cannot read properties of undefined (reading 'NewDeviceMetadata')
This is breaking my login flow logic, where I need to use a CUSTOM_CHALLENGE after MFA. I also hope this issue will be prioritized.
Hello, I'm getting the same issue while implementing the custom auth flow, is there any update on this one?
Hi, also getting the same issue when trying to implement CUSTOM_CHALLENGE -> SOFTWARE_TOKEN_MFA. I'm getting the error "Invalid code or auth state for the user" even though the MFA code is correct.
