aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0
9.44k stars 2.13k forks

Amplify throws UserNotConfirmedException even if the password provided is incorrect #11209

Closed noickare closed 1 year ago

noickare commented 1 year ago

JavaScript Framework

React Native

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

```
# Put output below this line

  System:
    OS: macOS 13.2.1
    CPU: (8) arm64 Apple M1 Pro
    Memory: 75.25 MB / 16.00 GB
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 16.18.1 - ~/.nvm/versions/node/v16.18.1/bin/node
    Yarn: 1.22.19 - ~/.nvm/versions/node/v16.18.1/bin/yarn
    npm: 8.19.2 - ~/.nvm/versions/node/v16.18.1/bin/npm
    Watchman: 2023.04.03.00 - /opt/homebrew/bin/watchman
  Browsers:
    Brave Browser: 109.1.47.186
    Chrome: 112.0.5615.49
    Firefox Developer Edition: 112.0
    Safari: 16.3
  npmPackages:
    @apollo/client: ^3.7.10 => 3.7.11
    @apollo/client/cache: undefined ()
    @apollo/client/core: undefined ()
    @apollo/client/errors: undefined ()
    @apollo/client/link/batch: undefined ()
    @apollo/client/link/batch-http: undefined ()
    @apollo/client/link/context: undefined ()
    @apollo/client/link/core: undefined ()
    @apollo/client/link/error: undefined ()
    @apollo/client/link/http: undefined ()
    @apollo/client/link/persisted-queries: undefined ()
    @apollo/client/link/retry: undefined ()
    @apollo/client/link/schema: undefined ()
    @apollo/client/link/subscriptions: undefined ()
    @apollo/client/link/utils: undefined ()
    @apollo/client/link/ws: undefined ()
    @apollo/client/react: undefined ()
    @apollo/client/react/components: undefined ()
    @apollo/client/react/context: undefined ()
    @apollo/client/react/hoc: undefined ()
    @apollo/client/react/hooks: undefined ()
    @apollo/client/react/parser: undefined ()
    @apollo/client/react/ssr: undefined ()
    @apollo/client/testing: undefined ()
    @apollo/client/testing/core: undefined ()
    @apollo/client/utilities: undefined ()
    @apollo/client/utilities/globals: undefined ()
    @babel/core: ^7.20.0 => 7.21.4
    @babel/preset-env: ^7.20.0 => 7.21.4
    @babel/runtime: ^7.20.0 => 7.21.0
    @gorhom/bottom-sheet: ^4 => 4.4.5
    @graphql-codegen/cli: ^3.2.2 => 3.3.0
    @graphql-codegen/client-preset: ^2.1.1 => 2.1.1
    @graphql-codegen/fragment-matcher: ^4.0.1 => 4.0.1
    @graphql-codegen/typescript: ^3.0.2 => 3.0.3
    @graphql-codegen/typescript-document-nodes: ^3.0.2 => 3.0.3
    @graphql-codegen/typescript-operations: ^3.0.2 => 3.0.3
    @graphql-codegen/typescript-react-apollo: ^3.3.7 => 3.3.7
    @hookform/resolvers: ^2.9.11 => 2.9.11
    @hookform/resolvers/ajv: 1.0.0
    @hookform/resolvers/class-validator: 1.0.0
    @hookform/resolvers/computed-types: 1.0.0
    @hookform/resolvers/io-ts: 1.0.0
    @hookform/resolvers/joi: 1.0.0
    @hookform/resolvers/nope: 1.0.0
    @hookform/resolvers/superstruct: 1.0.0
    @hookform/resolvers/typanion: 1.0.0
    @hookform/resolvers/vest: 1.0.0
    @hookform/resolvers/yup: 1.0.0
    @hookform/resolvers/zod: 1.0.0
    @react-native-async-storage/async-storage: 1.17.11 => 1.17.11
    @react-native-community/eslint-config: ^3.2.0 => 3.2.0
    @react-native-community/netinfo: 9.3.7 => 9.3.7
    @react-native-community/slider: 4.4.2 => 4.4.2
    @react-navigation/bottom-tabs: ^6.5.7 => 6.5.7
    @react-navigation/core: ^6.4.7 => 6.4.8
    @react-navigation/material-bottom-tabs: ^6.2.15 => 6.2.15
    @react-navigation/material-top-tabs: ^6.6.2 => 6.6.2
    @react-navigation/native: ^6.1.5 => 6.1.6
    @react-navigation/native-stack: ^6.9.11 => 6.9.12
    @react-navigation/stack: ^6.3.15 => 6.3.16
    @tsconfig/react-native: ^2.0.2 => 2.0.3
    @types/crypto-js: ^4.1.1 => 4.1.1
    @types/invariant: ^2.2.35 => 2.2.35
    @types/jest: ^29.2.1 => 29.5.0
    @types/lodash.debounce: ^4.0.7 => 4.0.7
    @types/node-fetch: ^2.6.3 => 2.6.3
    @types/qs: ^6.9.7 => 6.9.7
    @types/react: ^18.0.24 => 18.0.33
    @types/react-native: ^0.71.3 => 0.71.5 (0.70.13)
    @types/react-native-vector-icons: ^6.4.13 => 6.4.13
    @types/react-test-renderer: ^18.0.0 => 18.0.0
    @typescript-eslint/eslint-plugin: ^5.57.0 => 5.57.1
    HelloWorld: 0.0.1
    amazon-cognito-identity-js: ^6.1.2 => 6.2.0
    aws-amplify: ^5.0.16 => 5.0.25
    aws-appsync-auth-link: ^3.0.7 => 3.0.7
    aws-appsync-subscription-link: ^3.1.2 => 3.1.2
    axios: ^1.3.4 => 1.3.5 (0.26.0)
    babel-jest: ^29.2.1 => 29.5.0
    buffer: ^6.0.3 => 6.0.3 (4.9.2, 5.7.1)
    crypto-js: ^4.1.1 => 4.1.1
    currency-symbol-map: ^5.1.0 => 5.1.0
    date-fns: ^2.29.3 => 2.29.3
    deepmerge: ^4.3.0 => 4.3.1 (3.3.0)
    eslint: ^8.19.0 => 8.38.0
    eslint-config-prettier: ^8.8.0 => 8.8.0
    graphql: ^16.6.0 => 16.6.0 (15.8.0)
    graphql-import-node: ^0.0.5 => 0.0.5
    graphql-tag: ^2.12.6 => 2.12.6
    husky: ^8.0.0 => 8.0.3
    invariant: ^2.2.4 => 2.2.4
    jest: ^29.2.1 => 29.5.0
    lint-staged: ^13.2.0 => 13.2.1
    lodash.debounce: ^4.0.8 => 4.0.8
    metro-react-native-babel-preset: 0.73.9 => 0.73.9
    nativewind: ^2.0.11 => 2.0.11
    node-fetch: ^2.6.9 => 2.6.9 (2.6.7)
    polished: ^4.2.2 => 4.2.2
    prettier: ^2.4.1 => 2.8.7
    prettier-plugin-organize-imports: ^3.2.2 => 3.2.2
    qs: ^6.11.0 => 6.11.1
    react: 18.2.0 => 18.2.0
    react-dom: 18.2.0 => 18.2.0
    react-hook-form: ^7.43.2 => 7.43.9
    react-native: 0.71.6 => 0.71.6
    react-native-curved-bottom-bar: ^3.2.4 => 3.2.5
    react-native-gesture-handler: ~2.9.0 => 2.9.0
    react-native-get-random-values: ~1.8.0 => 1.8.0
    react-native-gifted-chat: ^1.1.1 => 1.1.1
    react-native-keyboard-aware-scroll-view: ^0.9.5 => 0.9.5
    react-native-logs: ^5.0.1 => 5.0.1
    react-native-pager-view: 6.1.2 => 6.1.2
    react-native-paper: ^5.2.0 => 5.6.0
    react-native-paper-dropdown: ^1.0.7 => 1.0.7
    react-native-reanimated: ~2.14.4 => 2.14.4
    react-native-safe-area-context: ^4.5.0 => 4.5.0
    react-native-screens: ~3.20.0 => 3.20.0
    react-native-svg: 13.4.0 => 13.4.0
    react-native-tab-view: ^3.5.1 => 3.5.1
    react-native-toast-message: ^2.1.5 => 2.1.6
    react-native-vector-icons: ^9.2.0 => 9.2.0
    react-native-video: ^6.0.0-alpha.6 => 6.0.0-alpha.6
    react-native-web: ~0.18.10 => 0.18.12
    react-native-webview: 11.26.0 => 11.26.0
    react-test-renderer: 18.2.0 => 18.2.0
    tailwind-merge: ^1.10.0 => 1.12.0
    tailwindcss: ^3.2.7 => 3.3.1
    typescript: 4.8.4 => 4.8.4
    yup: ^1.0.0 => 1.0.2
  npmGlobalPackages:
    @aws-amplify/cli: 10.7.3
    @nestjs/cli: 9.2.0
    aws-cdk: 2.69.0
    aws-sdk: 2.1329.0
    corepack: 0.14.1
    create-expo-app: 1.3.2
    eas-cli: 3.8.1
    expo-cli: 6.3.2
    firebase-tools: 11.24.1
    forever: 4.0.3
    json-server: 0.17.1
    npm: 8.19.2
    serverless: 3.28.1
    yarn: 1.22.19
```

Describe the bug

Trying to authenticate a user after email confirmation. The best recommended approach, as I saw from other issues, is storing the password field in a local state and then calling Auth.signIn to sign in the user once more. The problem comes in when a user exits the app after signup without verification; the next time they sign in, I am redirecting them to the verification screen if UserNotConfirmedException is thrown. The problem is that UserNotConfirmedException is thrown even if the password input is wrong, instead of NotAuthorizedException, and Auth.signIn fails after verification.

Expected behavior

NotAuthorizedException should be thrown before UserNotConfirmedException if the password is wrong

Reproduction steps

  1. call Auth.signUp()
  2. call Auth.signIn() before verifying email, passing in an invalid password.


nadetastic commented 1 year ago

Hi @noickare thank you for opening this issue.

What you described is the expected behavior since a user account needs to be confirmed before any authentication can be performed.

Could you describe more of your use case, and why you are expecting authentication to be performed before a user is confirmed?

noickare commented 1 year ago

Thanks for the response @nadetastic. When a user exits the authentication flow before completing account confirmation, the next time they try to log in UserNotConfirmedException will be thrown and they can be redirected to an account confirmation flow where they will enter a verification code. The problem comes in when we want to automatically sign in the user after confirmation. It seems the only way to do this at the moment is to store the credentials entered during login in local state and try to use the same credentials to log in the user after verification. In case the credentials entered were incorrect, the account will indeed be confirmed, but the login will fail due to the incorrect credentials.

nadetastic commented 1 year ago

@noickare thanks for providing the context. In order to have NotAuthorizedException be thrown before UserNotConfirmedException if the password is wrong, first verify that your App Client has "Prevent user existence errors" enabled. With this enabled, UserNotConfirmedException will only be thrown if the password is incorrect. Can you verify you have this enabled, and if not, could you enable it?


noickare commented 1 year ago

Thank you so much @nadetastic. After enabling "Prevent user existence errors" it works as expected.

nadetastic commented 1 year ago

@noickare glad we were able to get this configured and working as expected. I'll go ahead and close out this issue.

Thank you!
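
The sign-in routing this thread ends up with, as an added example that is not code from the issue or from Amplify: the typed password is kept for auto sign-in after confirmation only when the app client setting guarantees it was checked. Assumptions: rejected `Auth.signIn` errors carry the Cognito exception name in `code` or `name`, `auth` is any object exposing `signIn` and `confirmSignUp`, and the screen names and function names are hypothetical.

```javascript
// Added example, not from the issue. Per the outcome reported in this thread:
// with "Prevent user existence errors" enabled, a wrong password yields
// NotAuthorizedException, so UserNotConfirmedException implies the password
// was accepted. With the setting off, the password was never checked.
function routeSignInError(err, preventUserExistenceErrors) {
  const code = (err && (err.code || err.name)) || 'Unknown';
  if (code === 'UserNotConfirmedException') {
    return { screen: 'ConfirmSignUp', passwordVerified: preventUserExistenceErrors === true };
  }
  if (code === 'NotAuthorizedException' || code === 'UserNotFoundException') {
    // One generic message for both, so the UI does not reveal which accounts exist.
    return { screen: 'SignIn', message: 'Incorrect username or password.' };
  }
  return { screen: 'SignIn', message: 'Sign-in failed. Please try again.' };
}

async function signInOrRoute(auth, username, password, preventUserExistenceErrors) {
  try {
    return { screen: 'Home', user: await auth.signIn(username, password) };
  } catch (err) {
    const step = routeSignInError(err, preventUserExistenceErrors);
    if (step.screen === 'ConfirmSignUp') {
      // Hold the password in memory only, and only if Cognito verified it.
      step.pending = step.passwordVerified ? { username, password } : { username };
    }
    return step;
  }
}

async function confirmAndContinue(auth, pending, confirmationCode) {
  await auth.confirmSignUp(pending.username, confirmationCode);
  if (!pending.password) return { screen: 'SignIn' }; // unverified: ask again
  try {
    return { screen: 'Home', user: await auth.signIn(pending.username, pending.password) };
  } catch (err) {
    return routeSignInError(err, true); // account confirmed, sign-in still failed
  } finally {
    delete pending.password; // drop the secret once the attempt is made
  }
}
```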