moto

Validate user password in `respond_to_auth_challenge` when the challenge name is `PASSWORD_VERIFIER`

Open serozhenka opened this issue 1 year ago • 6 comments

In Cognito's respond_to_auth_challenge method I can see that the only things that are validated are the challenge_name and the challenge_responses payload. The content of challenge_responses is not used to validate the user's password, hence no UnauthorizedException is raised when logging in with an invalid password. I wish to have support for that soon.

Moto version: 5.0.4

serozhenka avatar Apr 04 '24 13:04 serozhenka

Hi @serozhenka!

From the docs: the challenge_responses needs four parts:

"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]"
"PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]"
"TIMESTAMP": [timestamp]
"USERNAME": "[username]"

As an enhancement, we can verify whether all four values exist, and we can easily verify that username and secret_block have the correct value.

I haven't found any official AWS documentation on how to calculate the signature though. There are various open source implementations (like pycognito for Python), but without any official documentation, I'm hesitant to add any other checks on these values, without having 100% certainty that there is only one possible value/calculation.

bblommers avatar Apr 09 '24 20:04 bblommers

@bblommers gotcha, I will have a look in my spare time and let you know if I find anything.

serozhenka avatar Apr 09 '24 20:04 serozhenka

@bblommers I haven't found any official docs either, but there is an amplify-js repository maintained officially by AWS, and the code that does signature generation is right there. It should be fairly easy to reverse-engineer what they are doing and port it to Python (which is probably the route all the SRP auth implementations took). Just to note, I have a Python version of that which we have been using in production for over half a year now, and it works smoothly.

If you give the green light, I can try to prepare a draft PR for that in my spare time by carefully reverse-engineering what AWS does in the amplify-js repo.

serozhenka avatar Apr 12 '24 21:04 serozhenka

@serozhenka I don't want to break this for users who use a different signature that happens to be supported as well. So if you want to add the basic checks, that would be very welcome - but I don't want to go any further.

> As an enhancement, we can verify whether all four values exist, and we can easily verify that username and secret_block have the correct value.

bblommers avatar Apr 20 '24 19:04 bblommers
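The "basic checks" agreed on above (all four keys present; USERNAME and PASSWORD_CLAIM_SECRET_BLOCK matching what initiate_auth handed out), written as an added stand-alone example rather than moto's own code. The SrpSession record, the error names and the sample values are constructed for illustration, and PASSWORD_CLAIM_SIGNATURE is intentionally left unverified, in line with the maintainer's position.

```python
"""Added example (not moto's own code): the 'basic checks' this thread proposes for
a PASSWORD_VERIFIER response. SrpSession, error names and sample values are constructed."""
from dataclasses import dataclass
from typing import Optional
import hmac

# The four parts the docs say challenge_responses must carry.
REQUIRED_KEYS = ("PASSWORD_CLAIM_SIGNATURE", "PASSWORD_CLAIM_SECRET_BLOCK",
                 "TIMESTAMP", "USERNAME")

@dataclass
class SrpSession:
    """What the mock already knows from initiate_auth (constructed record):
    who started the SRP exchange and which SECRET_BLOCK was handed out."""
    username: str
    secret_block: str

def check_password_verifier(session: SrpSession, challenge_responses: dict) -> Optional[str]:
    """Return the AWS-style error name the response should fail with, or None.

    Only the agreed checks run: every key present, and USERNAME and
    PASSWORD_CLAIM_SECRET_BLOCK matching the session. The signature is
    deliberately not verified (no official spec), so a wrong password alone
    is still not caught here.
    """
    if any(k not in challenge_responses for k in REQUIRED_KEYS):
        return "InvalidParameterException"
    if challenge_responses["USERNAME"] != session.username:
        return "NotAuthorizedException"
    # Constant-time compare: the secret block is opaque, server-issued data.
    if not hmac.compare_digest(challenge_responses["PASSWORD_CLAIM_SECRET_BLOCK"],
                               session.secret_block):
        return "NotAuthorizedException"
    return None

def validate_password_verifier(session: SrpSession, challenge_responses: dict) -> None:
    """Raise on a rejected response, the way a mock backend would."""
    error = check_password_verifier(session, challenge_responses)
    if error is not None:
        raise PermissionError(f"{error}: Incorrect username or password.")

if __name__ == "__main__":
    # Constructed sample: the session from initiate_auth and a client reply.
    session = SrpSession(username="alice", secret_block="c2VjcmV0LWJsb2Nr")
    reply = {"PASSWORD_CLAIM_SIGNATURE": "sig", "PASSWORD_CLAIM_SECRET_BLOCK": "c2VjcmV0LWJsb2Nr",
             "TIMESTAMP": "Tue Apr 9 20:00:00 UTC 2024", "USERNAME": "alice"}
    validate_password_verifier(session, reply)  # accepted
    print(check_password_verifier(session, {**reply, "USERNAME": "bob"}))  # NotAuthorizedException
```

A test that expects a login failure for a wrong password still passes this validator when the username and secret block are right, which is exactly the gap the thread leaves open.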

@bblommers I respect your choice, but at the same time I see a discrepancy between Moto and AWS (which can objectively be treated as a bug), and that was the initial reason I opened this issue. This mismatch doesn't allow us (and Moto users in general) to write tests for failures in the authentication service when the user passes an incorrect password or when our signature generation logic is simply broken, hence we just commented it out.

> I don't want to break this for users who use a different signature

This can still be released in the next major version where the breaking changes are allowed, but the final call is yours.

serozhenka avatar Apr 20 '24 20:04 serozhenka

Hi,

I just came across this thread while looking into the same issue. And I think verifying the password would be a nice feature to add.

minh-le-q avatar Jun 12 '24 23:06 minh-le-q