verifySoftwareToken fails with InvalidParameterException

[jamie-digital]

I'm trying to enable MFA with a TOTP software device for a signed-in user.

• MFA is optional for the UserPool, with TOTP only (not SMS; the phone number is not stored).
• After the user has signed in, they can click to enable MFA, which invokes cognitoUser.associateSoftwareToken, which is working fine; the call returns the secret, which the user uses to configure their TOTP device.
• After this the user enters their TOTP code, which invokes cognitoUser.verifySoftwareToken, which is returning an error.
• Looking at the network traffic, both calls are using an AccessToken, rather than a Session, but that seems to work fine.
• The API calls to AssociateSoftwareToken and VerifySoftwareToken both succeed, but neither returns a Session in their response.
• After cognitoUser.verifySoftwareToken invokes VerifySoftwareToken, it calls RespondToAuthChallenge.
• As before, this doesn't contain a Session, as one hasn't been returned.
• This call to RespondToAuthChallenge returns a 400 response saying InvalidParameterException: Missing required parameter Session.
• From the documentation here, the Session parameter should be optional, and as the previous call didn't return one, it looks like the SDK is fine not to offer one.

In summary either:

• the SDK shouldn't be invoking RespondToAuthChallenge or,
• the API should be honouring RespondToAuthChallenge without the Session parameter.

Happy to provide more info if it would be useful.

[itrestian]

I think I understand what the issue is and adding a check for session being returned after the verify software token call should solve the issue (it wouldn't respond to auth challenge after) as you pointed out. Does the verifySoftwareToken API fail consistently or only once in a while as would be expected from a time based OTP?

[jamie-digital]

cognitoUser.verifySoftwareToken fails consistently when adding the TOTP device. The API call to VerifySoftwareToken is succeeding every time, but cognitoUser.verifySoftwareToken is always performing the RespondToAuthChallenge API call, which fails. It's worth noting that I'm not seeing an auth challenge everywhere, so I'm not sure what the RespondToAuthChallenge is in response to.

I'm afraid I don't quite understand what you mean by adding a check for session being returned; is this in my code or within the SDK?

Thanks for your help.

[itrestian]

Got it! This should be fixed in the newest version 1.29.0. Fix is within the SDK that was making the unnecessary call.

[jamie-digital]

Fantastic! This fixes the issue for me. Thanks a lot for your help.