aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Auth.confirmSignIn {"__type":"CodeMismatchException","message":"Invalid code or auth state for the user."} #11069

Closed githubgogogo closed 1 year ago

githubgogogo commented 1 year ago

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

```
System:
  OS: macOS 12.6.2
  CPU: (4) x64 Intel(R) Core(TM) i5-6267U CPU @ 2.90GHz
  Memory: 38.34 MB / 8.00 GB
  Shell: 5.8.1 - /bin/zsh
Binaries:
  Node: 16.18.1 - ~/.nvm/versions/node/v16.18.1/bin/node
  npm: 8.19.2 - ~/.nvm/versions/node/v16.18.1/bin/npm
Browsers:
  Chrome: 110.0.5481.177
  Safari: 16.2
npmPackages:
  @ant-design/colors: ^4.0.4 => 4.0.4 (3.2.2, 6.0.0)
  @ant-design/compatible: ^1.0.2 => 1.0.2
  @ant-design/icons: ^4.2.1 => 4.2.1 (4.8.0)
  @ant-design/maps: ^1.0.4 => 1.0.4
  @ant-design/plots: ^1.2.1 => 1.2.1
  @ant-design/pro-layout: ^5.0.15 => 5.0.17
  @antv/data-set: ^0.11.4 => 0.11.4
  @antv/util: ^3.2.3 => 3.2.3 (2.0.17)
  @aws-amplify/auth: ^5.0.3 => 5.0.3
  @types/history: ^4.7.6 => 4.7.6 (4.7.11)
  @types/react: ^16.9.35 => 16.9.37 (16.14.34)
  @types/react-dom: ^16.9.8 => 16.9.8
  @umijs/plugin-blocks: ^2.1.3 => 2.1.4
  @umijs/plugin-esbuild: ^1.4.2 => 1.4.2
  @umijs/preset-ant-design-pro: ^1.2.2 => 1.2.2
  @umijs/preset-react: ^1.8.31 => 1.8.31
  antd: ^4.17.0 => 4.17.0
  array-move: ^2.2.2 => 2.2.2
  axios: ^0.19.2 => 0.19.2
  babel-eslint: ^10.1.0 => 10.1.0
  chalk: ^2.4.2 => 2.4.2 (4.1.2, 4.1.0, 4.0.0, 1.1.3)
  classnames: ^2.2.6 => 2.2.6
  cross-env: ^7.0.2 => 7.0.2
  cross-port-killer: ^1.2.1 => 1.2.1
  crypto-js: ^4.1.1 => 4.1.1
  enzyme: ^3.11.0 => 3.11.0
  eslint: ^7.6.0 => 7.6.0 (5.16.0)
  eslint-config-airbnb: ^18.2.0 => 18.2.0 (17.1.1)
  eslint-config-prettier: ^6.11.0 => 6.11.0 (4.3.0)
  eslint-plugin-babel: ^5.3.0 => 5.3.0
  eslint-plugin-compat: ^2.6.3 => 2.7.0 (3.7.0)
  eslint-plugin-import: ^2.21.1 => 2.21.2
  eslint-plugin-jsx-a11y: ^6.2.3 => 6.2.3
  eslint-plugin-markdown: ^1.0.2 => 1.0.2
  eslint-plugin-prettier: ^3.1.3 => 3.1.4
  eslint-plugin-react: ^7.20.0 => 7.20.0
  eslint-plugin-react-hooks: ^4.0.8 => 4.0.8 (1.7.0)
  exceljs: ^4.3.0 => 4.3.0
  gh-pages: ^2.2.0 => 2.2.0
  husky: ^4.2.5 => 4.2.5
  immer: ^1.10.0 => 1.12.1 (7.0.5, 7.0.15)
  import-module: 1.0.0
  jest: ^26.0.1 => 26.0.1 (26.6.3)
  jsdom-global: ^3.0.2 => 3.0.2
  less: ^3.11.3 => 3.11.3
  less-bundle-promise: ^1.0.7 => 1.0.7
  lodash: ^4.17.19 => 4.17.19 (4.17.21, 4.17.15)
  lodash-decorators: ^6.0.1 => 6.0.1
  memo-parser: 0.2.1
  memoize-one: ^5.1.1 => 5.1.1
  merge-umi-mock-data: ^2.0.6 => 2.0.6
  mockjs: ^1.1.0 => 1.1.0
  moment: ^2.26.0 => 2.26.0 (2.29.4)
  moment-timezone: ^0.5.31 => 0.5.31
  numeral: ^2.0.6 => 2.0.6
  nzh: ^1.0.4 => 1.0.4
  omit.js: ^1.0.0 => 1.0.2
  path-to-regexp: ^3.2.0 => 3.2.0 (2.4.0, 1.8.0, 0.1.7)
  pinyin-match: ^1.1.1 => 1.1.1
  prettier: ^2.0.5 => 2.0.5 (1.18.2, 2.2.1, 1.19.1, 1.15.3)
  prop-types: ^15.6.2 => 15.7.2
  qs: ^6.9.4 => 6.9.4 (6.7.0, 6.5.2)
  rc-animate: ^2.11.1 => 2.11.1
  react: ^16.13.1 => 16.13.1
  react-container-query: ^0.11.2 => 0.11.2
  react-contenteditable: ^3.3.6 => 3.3.6
  react-copy-to-clipboard: ^5.0.2 => 5.0.2
  react-document-title: ^2.0.3 => 2.0.3
  react-dom: ^16.13.1 => 16.13.1
  react-fittext: ^1.0.0 => 1.0.0
  react-lazy-load-image-component: ^1.5.0 => 1.5.0
  react-media: ^1.10.0 => 1.10.0
  react-router-dom: ^6.0.1 => 6.0.1 (5.1.2, 5.2.0, 5.3.3)
  react-sortable-hoc: ^1.11.0 => 1.11.0
  slash2: ^2.0.0 => 2.0.0
  stylelint: ^13.6.0 => 13.6.0 (10.1.0, 9.10.1)
  stylelint-config-css-modules: ^2.2.0 => 2.2.0 (1.5.0)
  stylelint-config-prettier: ^8.0.1 => 8.0.1 (5.3.0)
  stylelint-config-rational-order: ^0.1.2 => 0.1.2
  stylelint-config-standard: ^20.0.0 => 20.0.0 (18.3.0)
  stylelint-declaration-block-no-ignored-properties: ^2.3.0 => 2.3.0
  stylelint-order: ^4.1.0 => 4.1.0 (3.1.1, 2.2.1)
  test: undefined ()
  tldjs: ^2.3.1 => 2.3.1
  tslint: ^6.1.2 => 6.1.2
  tslint-config-prettier: ^1.18.0 => 1.18.0
  tslint-react: ^5.0.0 => 5.0.0
  umi: ^3.5.20 => 3.5.35
  umi-request: ^1.3.3 => 1.3.5
  uuid: ^8.3.2 => 8.3.2 (3.4.0, 7.0.3)
  webpack: ^4.43.0 => 4.46.0
npmGlobalPackages:
  corepack: 0.14.1
  npm: 8.19.2
```

Describe the bug

I am implementing MFA in our application and am currently trying SMS_MFA with the code below. It successfully passes `Auth.signIn` with the credentials, but the `Auth.confirmSignIn` step returns a 400 error.

```js
import { Auth } from '@aws-amplify/auth';

// Called on every form submit: first from the login page (no mfaCode yet),
// then again from the MFA page with the same credentials plus the SMS code.
async function cognitoSignIn(userName, password, mfaCode) {
  const user = await Auth.signIn(userName, password);

  if (user?.challengeName === 'NEW_PASSWORD_REQUIRED') {
    return { status: 'changePassword', user };
  } else if (user?.challengeName === 'SMS_MFA' ||
             user?.challengeName === 'SOFTWARE_TOKEN_MFA') {
    if (mfaCode) {
      try {
        user.username = userName;
        const loggedUser = await Auth.confirmSignIn(user, mfaCode, user?.challengeName);
        return { status: 'signin', user: loggedUser };
      } catch (e) {
        console.error('cognitoConfirmSignIn error', e);
        return { status: 'error', errorCode: e.code };
      }
    } else {
      return { status: 'mfa', user };
    }
  }
  return { status: 'signin', user };
}
```

The error response is `{"__type":"CodeMismatchException","message":"Invalid code or auth state for the user."}`.

Expected behavior

Sign in with the mfaCode.

Reproduction steps

  1. On the login page, enter the credentials and submit. This passes `const user = await Auth.signIn(userName, password);` and returns `{ status: 'mfa', user }`, then redirects to the MFA code input page.
  2. Enter the SMS code received and submit the same credentials together with the SMS code. This again passes `const user = await Auth.signIn(userName, password);` and then triggers `const loggedUser = await Auth.confirmSignIn(user, mfaCode, user?.challengeName);`.
  3. The failed response is returned.


elilambnz commented 1 year ago

I was also experiencing this issue on version 5.0.19.

To fix it, I am explicitly passing in the mfaType to Auth.confirmSignIn:

```js
const data = await Auth.confirmSignIn(cognitoUser, code, cognitoUser.challengeName);
```

cwomack commented 1 year ago

@githubgogogo, I've been able to reproduce the code mismatch exception consistently when using the SMS_MFA challenge type. I'll mark this as a bug for the time being while I review it with the team internally.

cwomack commented 1 year ago

@githubgogogo, I think we might be able to resolve this with some refactoring of the code actually. It seems this might be more related to how the methods are being called rather than a bug.

In both my reproduction app and your example above, `Auth.confirmSignIn()` is being called at the same time as the `Auth.signIn()` method. This makes the MFA code that's sent each time one code "behind" what the Cognito session is expecting, hence the mismatch. You should be able to see this if you `console.log(mfaCode)` just before your `Auth.confirmSignIn`.

Can you try separating the two methods by either putting them in different components, pages, or buttons (not sure if you have them tied to the same "sign in button" for example) so that they are called at different times?
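The sequencing problem described in the comment above, as an added example that is not part of this issue or of Amplify: `FakeCognitoAuth` is a constructed stand-in for the Cognito SMS_MFA challenge (every `signIn()` opens a new session and sends a new code, and `confirmSignIn()` only accepts the code tied to the session of the user object passed in), so the flow from the issue fails with `CodeMismatchException` while the flow that reuses the first `signIn()` result succeeds.

```javascript
// Constructed stand-in for Cognito's SMS_MFA challenge (NOT Amplify's Auth):
// every signIn() opens a NEW session and "sends" a NEW code; confirmSignIn()
// only accepts the code that belongs to the session of the user object passed in.
class FakeCognitoAuth {
  constructor() { this.sessions = new Map(); this.counter = 0; this.lastSmsCode = null; }
  async signIn(username, _password) {
    this.counter += 1;
    const code = String(100000 + this.counter);          // deterministic fake SMS code
    const user = { username, challengeName: 'SMS_MFA', Session: `session-${this.counter}` };
    this.sessions.set(user.Session, code);
    this.lastSmsCode = code;                             // what the phone would show now
    return user;
  }
  async confirmSignIn(user, code, _mfaType) {
    const expected = this.sessions.get(user.Session);
    if (expected === undefined || expected !== code) {
      const err = new Error('Invalid code or auth state for the user.');
      err.code = 'CodeMismatchException';                // same shape as the error in the issue
      throw err;
    }
    this.sessions.delete(user.Session);                  // a challenge session is single-use
    return { username: user.username, signInUserSession: { authenticated: true } };
  }
}

// Flow from the issue: the MFA page re-submits the credentials, so signIn()
// runs a second time and the code the user typed belongs to the OLD session.
async function buggyFlow(auth, userName, password) {
  await auth.signIn(userName, password);                 // login page: code #1 sent
  const mfaCode = auth.lastSmsCode;                      // user types code #1
  const user = await auth.signIn(userName, password);    // MFA page: signIn again, code #2 sent
  try {
    await auth.confirmSignIn(user, mfaCode, user.challengeName);
    return 'signin';
  } catch (e) {
    return e.code;                                       // 'CodeMismatchException'
  }
}

// Fixed flow: keep the user object returned by the first signIn() (e.g. in
// component state) and call only confirmSignIn() when the code is submitted.
async function fixedFlow(auth, userName, password) {
  const user = await auth.signIn(userName, password);    // code #1 sent, once
  const mfaCode = auth.lastSmsCode;                      // user types code #1
  const loggedUser = await auth.confirmSignIn(user, mfaCode, user.challengeName);
  return loggedUser.signInUserSession ? 'signin' : 'error';
}
```

Running `buggyFlow` and `fixedFlow` against a fresh `FakeCognitoAuth` each returns `'CodeMismatchException'` and `'signin'` respectively, which is the behaviour the comment above predicts.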

cwomack commented 1 year ago

Closing this issue as we have not heard back from you. If you are still experiencing this, please review the comment above to see if it resolves the code mismatch exception. If it doesn't, we can reopen the issue or dig deeper to see what else might be causing the exception.

Thank you!