aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0
1.32k stars, 247 forks

Successfully Authorised with Wrong Password when `globalSignout` is disabled. #2588

Closed HappyMakadiyaS closed 1 year ago

HappyMakadiyaS commented 1 year ago

Description

This is a very critical issue. It needs to be fixed with the highest priority.

My project contains social sign-in, email/password (UserSrpAuth), and phone OTP (customAuthFlow). There are some specific steps through which I am able to successfully sign in with the wrong password, which are described in the Steps to Reproduce section.

I have two projects with Amplify configured. In both cases I am facing this issue. I have checked this issue on a couple of Android devices and in the emulator as well. The issue is reproducing. It's not replicated on iOS devices and simulators.

There is no glitch on the coding side, as I have debugged it by single-stepping. It successfully executes the below code in the 6th step without throwing NotAuthorizedException.

```dart
Amplify.Auth.signIn(
  username: email,
  password: password,
  options: CognitoSignInOptions(
    authFlowType: AuthenticationFlowType.userSrpAuth,
  ),
);

Amplify.Auth.signInWithWebUI(
  provider: AuthProvider.google,
  options: const CognitoSignInWithWebUIOptions(
    /// This flag has been set to eliminate alerts in iOS device.
    /// Github Ref: https://github.com/aws-amplify/amplify-flutter/issues/1452#issuecomment-1065515122
    isPreferPrivateSession: true,
  ),
);

/// Here global signOut is disabled as true is causing problems prompting multiple google
/// accounts in the browser
/// Issue: https://github.com/aws-amplify/amplify-flutter/issues/2525
/// https://github.com/aws-amplify/amplify-flutter/issues/401#issuecomment-1153059455
Amplify.Auth.signOut(
  options: SignOutOptions(
    globalSignOut: false,
  ),
);
```

The strange thing is that it's occurring only when global sign-out is disabled, and it works fine when it's enabled.

So there are many issues related to globalSignOut that need to be fixed.

If true:

  1. Unnecessary Browser Redirection -> Resolved.
  2. Having Wrong Password -> Issue
  3. Automatically registers Google / Facebook account without asking to choose another account -> Issue.

If False:

  1. Unnecessary Browser Redirection -> Issue
  2. Wrong Password -> Resolved
  3. Auto register social account -> Resolved

Categories

Steps to Reproduce

Note: Disable globalSignOut when calling Amplify.Auth.signOut.

  1. Do a Fresh Install of the App
  2. First do Social Sign In (Successfully Done)
  3. Do Sign Out
  4. Do Email/Password Sign In with any registered User with the correct Password (Successfully Done) (In this Step wrong pass will not be allowed)
  5. Do Sign Out
  6. Do Email/Password Sign in with any registered User with the WRONG Password (Successfully Done)

In the 6th step, even though the authentication is done using the wrong password, you will get the correct user ID and data associated with the provided email.

Screenshots

No response

Platforms

Android Device/Emulator API Level

API 32+

Environment

Doctor summary (to see all details, run flutter doctor -v):
[✓] Flutter (Channel stable, 3.3.8, on macOS 13.0.1 22A400 darwin-arm, locale en-IN)
[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
[✓] Xcode - develop for iOS and macOS (Xcode 14.1)
[✓] Chrome - develop for the web
[✓] Android Studio (version 2022.1)
[✓] VS Code (version 1.74.3)
[✓] Connected device (2 available)
[✓] HTTP Host Availability

• No issues found!

Dependencies

Dart SDK 2.18.4
Flutter SDK 3.3.8

dependencies:
- amplify_auth_cognito 0.6.10 [amplify_auth_cognito_android amplify_auth_cognito_ios amplify_core aws_common collection flutter meta plugin_platform_interface]
- amplify_flutter 0.6.10 [amplify_core amplify_datastore_plugin_interface amplify_flutter_android amplify_flutter_ios aws_common collection flutter meta plugin_platform_interface]
- badges 2.0.3 [flutter]
- bot_toast 4.0.3 [flutter]
- cached_network_image 3.2.3 [flutter flutter_cache_manager octo_image cached_network_image_platform_interface cached_network_image_web]
- connectivity_plus 3.0.2 [flutter flutter_web_plugins connectivity_plus_platform_interface js meta nm]
- contacts_service 0.6.3 [flutter collection quiver]
- cupertino_icons 1.0.5
- device_info_plus 8.0.0 [device_info_plus_platform_interface ffi file flutter flutter_web_plugins meta win32]
- dio 4.0.6 [http_parser path]
- dotted_border 2.0.0+3 [flutter path_drawing]
- dropdown_button2 1.9.2 [flutter]
- file_picker 5.2.4 [flutter flutter_web_plugins flutter_plugin_android_lifecycle plugin_platform_interface ffi path win32]
- flutter 0.0.0 [characters collection material_color_utilities meta vector_math sky_engine]
- flutter_keyboard_visibility 5.4.0 [meta flutter_keyboard_visibility_platform_interface flutter_keyboard_visibility_linux flutter_keyboard_visibility_macos flutter_keyboard_visibility_web flutter_keyboard_visibility_windows flutter]
- flutter_localizations 0.0.0 [flutter intl characters clock collection material_color_utilities meta path vector_math]
- flutter_mobx 2.0.6+5 [flutter mobx]
- flutter_screenutil 5.6.0 [flutter]
- flutter_secure_storage 6.1.0 [flutter flutter_secure_storage_linux flutter_secure_storage_macos flutter_secure_storage_platform_interface flutter_secure_storage_web flutter_secure_storage_windows meta]
- flutter_spinkit 5.1.0 [flutter]
- flutter_staggered_grid_view 0.6.2 [flutter]
- flutter_svg 1.1.6 [flutter meta path_drawing vector_math xml]
- flutter_switch 0.3.2 [flutter]
- geolocator 9.0.2 [flutter geolocator_platform_interface geolocator_android geolocator_apple geolocator_web geolocator_windows]
- image_cropper 3.0.0 [flutter image_cropper_platform_interface image_cropper_for_web]
- image_picker 0.8.6 [flutter image_picker_android image_picker_for_web image_picker_ios image_picker_platform_interface]
- infinite_scroll_pagination 3.2.0 [flutter sliver_tools]
- intl 0.17.0 [clock path]
- json_annotation 4.7.0 [meta]
- lottie 2.0.0 [archive flutter path vector_math]
- mapbox_gl 0.16.0 [flutter mapbox_gl_platform_interface mapbox_gl_web collection]
- mime 1.0.3
- mobx 2.1.3 [meta]
- open_filex 4.3.1 [flutter ffi]
- path_provider 2.0.11 [flutter path_provider_android path_provider_ios path_provider_linux path_provider_macos path_provider_platform_interface path_provider_windows]
- permission_handler 10.2.0 [flutter meta permission_handler_android permission_handler_apple permission_handler_windows permission_handler_platform_interface]
- persistent_bottom_nav_bar 5.0.2 [flutter]
- pinput 2.2.16 [flutter smart_auth]
- platform_device_id 1.0.1 [flutter platform_device_id_platform_interface platform_device_id_macos platform_device_id_linux platform_device_id_web platform_device_id_windows device_info]
- provider 6.0.4 [collection flutter nested]
- retrofit 3.3.1 [dio meta]
- screwdriver 2.1.1 [characters meta intl collection]
- sentry_flutter 6.18.1 [flutter flutter_web_plugins sentry package_info_plus meta]
- shared_preferences 2.0.15 [flutter shared_preferences_android shared_preferences_ios shared_preferences_linux shared_preferences_macos shared_preferences_platform_interface shared_preferences_web shared_preferences_windows]
- shimmer 2.0.0 [flutter]
- spider 4.0.0 [path yaml args dart_style logging watcher http html sprintf meta ansicolor collection]
- video_thumbnail 0.5.3 [flutter]

transitive dependencies:
- _fe_analyzer_shared 50.0.0 [meta]
- amplify_auth_cognito_android 0.6.10 [flutter]
- amplify_auth_cognito_ios 0.6.10 [amplify_core flutter]
- amplify_core 0.6.10 [aws_common collection flutter intl json_annotation meta plugin_platform_interface uuid]
- amplify_datastore_plugin_interface 0.6.10 [amplify_core collection flutter meta]
- amplify_flutter_android 0.6.10 [flutter]
- amplify_flutter_ios 0.6.10 [amplify_core flutter]
- analyzer 5.2.0 [_fe_analyzer_shared collection convert crypto glob meta package_config path pub_semver source_span watcher yaml]
- ansicolor 2.0.1
- archive 3.3.5 [crypto path pointycastle]
- args 2.3.1
- async 2.9.0 [collection meta]
- aws_common 0.1.1 [async collection http meta stream_transform uuid]
- cached_network_image_platform_interface 2.0.0 [flutter flutter_cache_manager]
- cached_network_image_web 1.0.2 [flutter flutter_cache_manager cached_network_image_platform_interface]
- characters 1.2.1
- clock 1.1.1
- collection 1.16.0
- connectivity_plus_platform_interface 1.2.3 [flutter meta plugin_platform_interface]
- convert 3.1.1 [typed_data]
- cross_file 0.3.3+2 [js meta]
- crypto 3.0.2 [typed_data]
- csslib 0.17.2 [source_span]
- dart_style 2.2.4 [analyzer args path pub_semver source_span]
- dbus 0.7.8 [args ffi meta xml]
- device_info 2.0.3 [flutter device_info_platform_interface]
- device_info_platform_interface 2.0.1 [flutter meta plugin_platform_interface]
- device_info_plus_platform_interface 7.0.0 [flutter meta plugin_platform_interface]
- ffi 2.0.1
- file 6.1.4 [meta path]
- flutter_blurhash 0.7.0 [flutter]
- flutter_cache_manager 3.3.0 [clock collection file flutter http path path_provider pedantic rxdart sqflite uuid]
- flutter_keyboard_visibility_linux 1.0.0 [flutter_keyboard_visibility_platform_interface flutter]
- flutter_keyboard_visibility_macos 1.0.0 [flutter_keyboard_visibility_platform_interface flutter]
- flutter_keyboard_visibility_platform_interface 2.0.0 [flutter meta plugin_platform_interface]
- flutter_keyboard_visibility_web 2.0.0 [flutter_keyboard_visibility_platform_interface flutter_web_plugins flutter]
- flutter_keyboard_visibility_windows 1.0.0 [flutter_keyboard_visibility_platform_interface flutter]
- flutter_plugin_android_lifecycle 2.0.7 [flutter]
- flutter_secure_storage_linux 1.1.2 [flutter flutter_secure_storage_platform_interface]
- flutter_secure_storage_macos 1.1.2 [flutter flutter_secure_storage_platform_interface]
- flutter_secure_storage_platform_interface 1.0.1 [flutter plugin_platform_interface]
- flutter_secure_storage_web 1.1.1 [flutter flutter_secure_storage_platform_interface flutter_web_plugins js]
- flutter_secure_storage_windows 1.1.3 [flutter flutter_secure_storage_platform_interface]
- flutter_web_plugins 0.0.0 [flutter js characters collection material_color_utilities meta vector_math]
- geolocator_android 4.1.4 [flutter geolocator_platform_interface]
- geolocator_apple 2.2.3 [flutter geolocator_platform_interface]
- geolocator_platform_interface 4.0.7 [flutter plugin_platform_interface vector_math meta]
- geolocator_web 2.1.6 [flutter flutter_web_plugins geolocator_platform_interface]
- geolocator_windows 0.1.1 [flutter geolocator_platform_interface]
- glob 2.1.1 [async collection file path string_scanner]
- html 0.15.1 [csslib source_span]
- http 0.13.5 [async http_parser meta path]
- http_parser 4.0.2 [collection source_span string_scanner typed_data]
- image 3.2.2 [archive meta xml]
- image_cropper_for_web 1.0.3 [flutter flutter_web_plugins image_cropper_platform_interface js]
- image_cropper_platform_interface 3.0.3 [flutter plugin_platform_interface http]
- image_picker_android 0.8.5+3 [flutter flutter_plugin_android_lifecycle image_picker_platform_interface]
- image_picker_for_web 2.1.10 [flutter flutter_web_plugins image_picker_platform_interface]
- image_picker_ios 0.8.6+1 [flutter image_picker_platform_interface]
- image_picker_platform_interface 2.6.2 [cross_file flutter http plugin_platform_interface]
- js 0.6.4
- logging 1.1.0
- mapbox_gl_dart 0.2.1 [js]
- mapbox_gl_platform_interface 0.16.0 [flutter meta]
- mapbox_gl_web 0.16.0 [flutter flutter_web_plugins meta mapbox_gl_platform_interface mapbox_gl_dart image]
- matcher 0.12.12 [stack_trace]
- material_color_utilities 0.1.5
- meta 1.8.0
- nested 1.0.0 [flutter]
- nm 0.5.0 [dbus]
- octo_image 1.0.2 [flutter flutter_blurhash]
- package_config 2.1.0 [path]
- package_info_plus 3.0.2 [ffi flutter flutter_web_plugins http meta path package_info_plus_platform_interface win32]
- package_info_plus_platform_interface 2.0.1 [flutter meta plugin_platform_interface]
- path 1.8.2
- path_drawing 1.0.1 [vector_math meta path_parsing flutter]
- path_parsing 1.0.1 [vector_math meta]
- path_provider_android 2.0.22 [flutter path_provider_platform_interface]
- path_provider_ios 2.0.11 [flutter path_provider_platform_interface]
- path_provider_linux 2.1.7 [ffi flutter path path_provider_platform_interface xdg_directories]
- path_provider_macos 2.0.6 [flutter path_provider_platform_interface]
- path_provider_platform_interface 2.0.5 [flutter platform plugin_platform_interface]
- path_provider_windows 2.1.3 [ffi flutter path path_provider_platform_interface win32]
- pedantic 1.11.1
- permission_handler_android 10.2.0 [flutter permission_handler_platform_interface]
- permission_handler_apple 9.0.7 [flutter permission_handler_platform_interface]
- permission_handler_platform_interface 3.9.0 [flutter meta plugin_platform_interface]
- permission_handler_windows 0.1.2 [flutter permission_handler_platform_interface]
- petitparser 5.1.0 [meta]
- platform 3.1.0
- platform_device_id_linux 1.0.0 [flutter]
- platform_device_id_macos 1.0.0 [flutter]
- platform_device_id_platform_interface 1.0.0 [flutter plugin_platform_interface]
- platform_device_id_web 1.0.0 [flutter flutter_web_plugins platform_device_id_platform_interface]
- platform_device_id_windows 1.0.0 [flutter]
- plugin_platform_interface 2.1.3 [meta]
- pointycastle 3.6.2 [collection convert js]
- process 4.2.4 [file path platform]
- pub_semver 2.1.3 [collection meta]
- quiver 3.2.1 [matcher]
- rxdart 0.27.7
- sentry 6.18.1 [http meta stack_trace uuid intl]
- shared_preferences_android 2.0.14 [flutter shared_preferences_platform_interface]
- shared_preferences_ios 2.1.1 [flutter shared_preferences_platform_interface]
- shared_preferences_linux 2.1.1 [file flutter path path_provider_linux path_provider_platform_interface shared_preferences_platform_interface]
- shared_preferences_macos 2.0.4 [flutter shared_preferences_platform_interface]
- shared_preferences_platform_interface 2.1.0 [flutter plugin_platform_interface]
- shared_preferences_web 2.0.4 [flutter flutter_web_plugins shared_preferences_platform_interface]
- shared_preferences_windows 2.1.1 [file flutter path path_provider_platform_interface path_provider_windows shared_preferences_platform_interface]
- sky_engine 0.0.99
- sliver_tools 0.2.8 [flutter]
- smart_auth 1.0.6 [flutter flutter_web_plugins]
- source_span 1.9.0 [collection path term_glyph]
- sprintf 6.0.2
- sqflite 2.2.2 [flutter sqflite_common path]
- sqflite_common 2.4.0+2 [synchronized path meta]
- stack_trace 1.10.0 [path]
- stream_transform 2.1.0
- string_scanner 1.1.1 [source_span]
- synchronized 3.0.0+3
- term_glyph 1.2.1
- typed_data 1.3.1 [collection]
- uuid 3.0.6 [crypto]
- vector_math 2.1.2
- watcher 1.0.2 [async path]
- win32 3.1.2 [ffi]
- xdg_directories 0.2.0+2 [meta path process]
- xml 6.1.0 [collection meta petitparser]
- yaml 3.1.1 [collection source_span string_scanner]

Device

Any Android Devices

OS

Android

Deployment Method

Amplify CLI

CLI Version

10.6.2

Additional Context

No response

Amplify Config

```dart
const amplifyconfig = '''
 {
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "UserAgent": "aws-amplify-cli/0.1.0",
                "Version": "0.1.0",
                "IdentityManager": {
                    "Default": {}
                },
                "CognitoUserPool": {
                    "Default": {
                        "PoolId": "us-east-1_******",
                        "AppClientId": "******",
                        "Region": "us-east-1"
                    }
                },
                "Auth": {
                    "Default": {
                        "OAuth": {
                            "WebDomain": "******.auth.us-east-1.amazoncognito.com",
                            "AppClientId": "******",
                            "SignInRedirectURI": "******://",
                            "SignOutRedirectURI": "******://",
                            "Scopes": [
                                "aws.cognito.signin.user.admin",
                                "email",
                                "openid",
                                "phone",
                                "profile"
                            ]
                        },
                        "authenticationFlowType": "CUSTOM_AUTH",
                        "socialProviders": [
                            "FACEBOOK",
                            "GOOGLE",
                            "APPLE"
                        ],
                        "usernameAttributes": [],
                        "signupAttributes": [],
                        "passwordProtectionSettings": {
                            "passwordPolicyMinLength": 8,
                            "passwordPolicyCharacters": [
                                "REQUIRES_LOWERCASE",
                                "REQUIRES_NUMBERS",
                                "REQUIRES_SYMBOLS"
                            ]
                        },
                        "mfaConfiguration": "OPTIONAL",
                        "mfaTypes": [
                            "SMS",
                            "TOTP"
                        ],
                        "verificationMechanisms": []
                    }
                }
            }
        }
    }
}''';
```

Jordan-Nelson commented 1 year ago

Thank you for your patience while we investigated your report. We have confirmed that the behavior you were seeing was due to an issue in the AWS SDK for Android and has been fixed in this Pull Request. We have updated our dependency to the latest version of the AWS SDK for Android with the Amplify Flutter v0.6.12 release. Please update to this version and let us know if you see additional issues.

HappyMakadiyaS commented 1 year ago

Thanks, @Jordan-Nelson, v0.6.12 release has resolved this issue.
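
A regression check for steps 3 to 6 of the reported sequence, useful for confirming the fix on an Android device after upgrading. This is an added example, not code from the issue thread or the Amplify project. It assumes Amplify is already configured, a test account without MFA, and that the social sign-in of step 2 was done manually beforehand; `wrongPasswordIsRejected` and the two private helpers are hypothetical names.

```dart
import 'package:amplify_auth_cognito/amplify_auth_cognito.dart';
import 'package:amplify_flutter/amplify_flutter.dart';

/// Hypothetical helper: local (non-global) sign-out, as used in the report.
Future<void> _localSignOut() async {
  try {
    await Amplify.Auth.signOut(
      options: SignOutOptions(globalSignOut: false),
    );
  } on AuthException {
    // No active session to clear; safe to continue.
  }
}

/// Hypothetical helper: email/password sign-in with the SRP flow from the report.
Future<bool> _srpSignIn(String username, String password) async {
  final result = await Amplify.Auth.signIn(
    username: username,
    password: password,
    options: CognitoSignInOptions(
      authFlowType: AuthenticationFlowType.userSrpAuth,
    ),
  );
  return result.isSignedIn;
}

/// Returns true only if the wrong password is refused with
/// NotAuthorizedException after a correct sign-in and a local sign-out.
/// Any other exception (network, configuration) propagates to the caller
/// so that it is not mistaken for a rejected password.
Future<bool> wrongPasswordIsRejected({
  required String username,
  required String correctPassword,
  required String wrongPassword,
}) async {
  await _localSignOut(); // start from a signed-out state

  // Step 4: the correct password must work, otherwise the check is void.
  if (!await _srpSignIn(username, correctPassword)) {
    throw StateError('Precondition failed: correct password did not sign in');
  }
  await _localSignOut(); // step 5

  // Step 6: a normal return here, signed in or challenged, means the
  // wrong password was accepted.
  try {
    await _srpSignIn(username, wrongPassword);
  } on NotAuthorizedException {
    return true;
  }
  await _localSignOut(); // do not leave the unexpected session open
  return false;
}
```

Run it from an integration test on a physical Android device or emulator, since the thread reports the behaviour only on Android.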