aws-sdk-js

AdminSetUserMFAPreference doesn't make an effect to users MFA options

Open staradayev opened this issue 3 years ago • 9 comments

Describe the bug: The AdminSetUserMFAPreference method doesn't enable MFA (SMS) for a user. It returns 200 OK but has no effect; I mean MFAOptions and UserMFASettingList don't change. At the same time, the same method called from the AWS CLI with the same params made the changes. Moreover, the same method from aws-sdk v3 (@aws-sdk/client-cognito-identity-provider) with exactly the same params (I haven't changed a line of the params code) makes those changes.

So the problem is definitely in this method in v2 SDK lib.

P.S. User pool MFA settings are set to Optional.
P.P.S. The users I'm trying to apply SMS MFA to have valid and verified phone numbers.
P.P.P.S. adminSetUserSettings also has no effect on the user (I know, it's being deprecated now).

Is the issue in the browser/Node.js? Node.js

If on Node.js, are you running this on AWS Lambda? I've tried both - local Node.js server and for testing purposes, I've tried it on lambda

Details of the browser/Node.js version Output of npx envinfo --browsers or node -v

node -v
v12.13.1

SDK version number I've tried three versions:

  • v2.396.0
  • v2.501.0
  • v2.1111.0 (latest available)

To Reproduce (observed behavior) Steps to reproduce the behavior:

const AWS = require('aws-sdk');

async function setMfa () {
    const userPoolId = process.env.AWS_USER_POOL_ID;

    const cognito = new AWS.CognitoIdentityServiceProvider({
        region: process.env.AWS_REGION,
    });

    const baseParams = {
        Username: 'st*******@gmail.com',
        UserPoolId: userPoolId
    };

    const mfaParams = {
        ...baseParams,
        SMSMfaSettings: {
            Enabled: true,
            PreferredMfa: true
        },
        SoftwareTokenMfaSettings: {
            Enabled: false,
            PreferredMfa: false
        }
    };

    console.log('Create user MFA ' + JSON.stringify(mfaParams));
    await cognito.adminSetUserMFAPreference(mfaParams);
    console.log('Created user MFA');
}

Expected behavior I expect to see SMS MFA enabled via set options to user: MFAOptions or UserMFASettingList

staradayev avatar Apr 12 '22 11:04 staradayev

Also happened in aws-sdk-php-laravel

damphan avatar Apr 15 '22 09:04 damphan

@staradayev apologies for the late reply, can you please share your httpRequest that's being sent?

//v2
var req = await cognito.adminSetUserMFAPreference(mfaParams);
console.log(req.httpRequest)
//v3
import {
    CognitoIdentityProviderClient,
    AdminSetUserMFAPreferenceCommand
} from '@aws-sdk/client-cognito-identity-provider';

const client = new CognitoIdentityProviderClient({
    region: 'us-west-2'
});
const input = {
    Username: 'xd',
    UserPoolId: "xd",
    SMSMfaSettings: {
        Enabled: true,
        PreferredMfa: true
    },
    SoftwareTokenMfaSettings: {
        Enabled: false,
        PreferredMfa: false
    }
};
const command = new AdminSetUserMFAPreferenceCommand(input);

// Log the user input and the outgoing HTTP request at the "build" step
client.middlewareStack.add(next => async (args) => {
    console.log("User input: ", args.input);
    console.log("HTTP Request: ", args.request); //request is optional
    const result = await next(args);
    // Output is also optional
    // console.log("Deserialized Output: ", result.output); // same as the return of client.send(command).
    // console.log("HTTP response: ", result.response);
    return result;
}, {
    step: "build"
});

try {
    var result = await client.send(command);
    console.log(result);
} catch (err) {
    console.log(err);
}

ajredniwja avatar Jun 13 '22 15:06 ajredniwja

I'm also facing the same issue. Does anyone have a solution for this?

Harshil230197 avatar Jul 19 '22 19:07 Harshil230197

@ajredniwja here is the httpRequest,

HttpRequest { method: 'POST', path: '/', headers: { 'User-Agent': 'aws-sdk-nodejs/2.1101.0 darwin/v12.13.0' }, body: '', endpoint: Endpoint { protocol: 'https:', host: 'cognito-idp.us-east-1.amazonaws.com', port: 443, hostname: 'cognito-idp.us-east-1.amazonaws.com', pathname: '/', path: '/', href: 'https://cognito-idp.us-east-1.amazonaws.com/', constructor: [Function: Endpoint] { __super__: [Function: Object] } }, region: 'us-east-1', _userAgent: 'aws-sdk-nodejs/2.1101.0 darwin/v12.13.0' }

Harshil230197 avatar Jul 20 '22 11:07 Harshil230197

Hey @staradayev, have you found a solution or alternative for this?

Harshil230197 avatar Jul 21 '22 06:07 Harshil230197

@ajredniwja, you added the tag "Workaround is available". Can you give me some idea about how it worked for you?

Harshil230197 avatar Aug 03 '22 09:08 Harshil230197

@ajredniwja what is the workaround? Did anyone figure out a solution?

jay3dec avatar Aug 11 '22 10:08 jay3dec

@Harshil230197 @jay3dec the information I was asking for was specific to my findings at that time. Can you please open a new issue with the latest details specific to your use case?

ajredniwja avatar Aug 22 '22 08:08 ajredniwja

My issue is also the same: trying to update the userMFAPreference with the below command but not seeing any data getting updated. @ajredniwja

await cognito.adminSetUserMFAPreference(mfaParams);

Harshil230197 avatar Aug 24 '22 08:08 Harshil230197

I can confirm the same issue; MFA is configured as optional in the Cognito console.

LYevhen avatar Nov 16 '22 19:11 LYevhen

await cognito.adminSetUserMFAPreference(mfaParams);

Should be

await cognito.adminSetUserMFAPreference(mfaParams).promise();

And then I found out that I was missing "cognito-idp:AdminSetUserMFAPreference" in my PolicyDocument

RoyBS avatar Nov 27 '22 17:11 RoyBS
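The failure mode described in the comment above, as an added example that is not code from this thread or from the SDK: in SDK v2 an operation called without a callback returns a request object that has no `.then`, so `await` on it resolves at once and nothing is sent. `setAndVerifySmsMfa`, `makeStubClient` and `demoMissingPromise` are hypothetical names, and the stub client is a constructed stand-in so the block runs offline; the readback assumes the caller also holds `cognito-idp:AdminGetUser`.

```javascript
// Added example, not code from this thread or from aws-sdk.
// Enable SMS MFA, then read the user back and fail loudly if it did not apply.
async function setAndVerifySmsMfa(cognito, { UserPoolId, Username }) {
  await cognito.adminSetUserMFAPreference({
    UserPoolId,
    Username,
    SMSMfaSettings: { Enabled: true, PreferredMfa: true },
    SoftwareTokenMfaSettings: { Enabled: false, PreferredMfa: false },
  }).promise(); // SDK v2 sends nothing until .promise(), .send() or a callback

  // Readback needs cognito-idp:AdminGetUser in addition to the set permission.
  const user = await cognito.adminGetUser({ UserPoolId, Username }).promise();
  const list = user.UserMFASettingList || [];
  if (!list.includes('SMS_MFA') || user.PreferredMfaSetting !== 'SMS_MFA') {
    throw new Error(`SMS MFA not active for ${Username}`);
  }
  return user;
}

// Constructed stand-in for the v2 client (hypothetical): each call returns a
// lazy request object with .promise() and no .then, like AWS.Request.
function makeStubClient() {
  const state = { UserMFASettingList: [], PreferredMfaSetting: undefined };
  const lazy = (run) => ({ promise: async () => run() });
  return {
    state,
    adminSetUserMFAPreference: (p) => lazy(() => {
      const sms = p.SMSMfaSettings || {};
      state.UserMFASettingList = sms.Enabled ? ['SMS_MFA'] : [];
      state.PreferredMfaSetting = sms.PreferredMfa ? 'SMS_MFA' : undefined;
      return {};
    }),
    adminGetUser: () => lazy(() => ({ ...state })),
  };
}

// The call shape from the original report: awaiting the request object
// returns immediately and the stored MFA settings stay unchanged.
async function demoMissingPromise() {
  const client = makeStubClient();
  await client.adminSetUserMFAPreference({
    SMSMfaSettings: { Enabled: true, PreferredMfa: true },
  });
  return client.state.UserMFASettingList;
}
```

With the real SDK, pass `new AWS.CognitoIdentityServiceProvider({ region })` as `cognito`; a missing `cognito-idp:AdminSetUserMFAPreference` permission then surfaces as a rejected promise instead of a silent no-op.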

Seems like @RoyBS's comment solved the issue for a number of folks. If the problem persists, please open a separate issue.

Thanks, Ran~

RanVaknin avatar Nov 28 '23 22:11 RanVaknin