aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Check if User Has MFA on Server (Amplify v6) #12708

Open Meags27 opened 10 months ago

Meags27 commented 10 months ago

Is this related to a new or existing framework?

Next.js

Is this related to a new or existing API?

Authentication

Is this related to another service?

No response

Describe the feature you'd like to request

I need to check, in a server component, whether a user has an MFA preference turned on, so I can enforce on login that they set up their MFA. I can check await fetchMFAPreference(), but it only works on the client, so it is easily bypassable.

I can't use "required MFA", as otherwise there are issues if a user loses their device (and I don't want to force a user to set up SMS).

fetchUserAttributes() just returns sub, custom attributes, and email, and getCurrentUser() just returns username and userId.

Edit: I also need this because, if a user goes to the /setup page to set up their MFA and two-factor with a QR code, and then visits this page again, it allows them to set up MFA on another device and replace the old one. I want to prevent that from happening, as otherwise a hacker could swap someone's MFA to theirs. So I need to check on the server whether they've already set up MFA, and if so, prevent them from viewing this page.

Describe the solution you'd like

Perhaps getCurrentUser() on the server can return the MFA preference.

Describe alternatives you've considered

Running it on the client, but it's bypassable

Additional context

No response

Is this something that you'd be interested in working on?

nadetastic commented 10 months ago

Hi @Meags27 thank you for opening this issue. I've marked it as a feature request and will discuss with the team and follow up soon. Let me know if you have any other questions in the meantime.

Meags27 commented 10 months ago

Thanks Nade, I realized I can get this info if I call AdminGetUser from Cognito directly, which I may do in the meantime, but I feel others may want to be able to get, in Amplify instead, all the info on the server that this call returns, such as Enabled, PreferredMfaSetting, UserCreateDate, UserLastModifiedDate, UserStatus, etc.

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminGetUser.html
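The workaround described in the last comment, as an added example that is not part of the issue thread and not Amplify's or Cognito's own code: a server-side check built on the shape of the AdminGetUser response (Enabled, UserStatus, PreferredMfaSetting, UserMFASettingList, and the legacy MFAOptions field), plus the gate for the /setup page. The decision logic is pure so it can run offline against constructed sample responses; the adminGetUser argument is assumed to be a function the caller binds to the real AWS SDK v3 client (CognitoIdentityProviderClient and AdminGetUserCommand from @aws-sdk/client-cognito-identity-provider), and the sample users below are constructed, not real data.

```javascript
// Added example, not Amplify's or Cognito's own code. Assumes it runs on the server
// (a Next.js server component or route handler) with IAM credentials that allow
// cognito-idp:AdminGetUser on the user pool.

// MFA method identifiers Cognito reports in UserMFASettingList / PreferredMfaSetting.
const MFA_METHODS = new Set(["SOFTWARE_TOKEN_MFA", "SMS_MFA"]);

// Pure decision over an AdminGetUser response object.
function mfaStateFromAdminGetUser(resp) {
  const methods = (resp.UserMFASettingList || []).filter((m) => MFA_METHODS.has(m));
  // Older pools report SMS MFA only through MFAOptions, not UserMFASettingList.
  const legacySms = (resp.MFAOptions || []).some((o) => o.DeliveryMedium === "SMS");
  if (legacySms && !methods.includes("SMS_MFA")) methods.push("SMS_MFA");
  return {
    enabled: resp.Enabled !== false,
    status: resp.UserStatus || "UNKNOWN",
    preferred: resp.PreferredMfaSetting || null,
    methods,
    mfaConfigured: methods.length > 0,
  };
}

// Gate for the /setup page: only an enabled, confirmed user with no MFA method yet
// may enrol a new authenticator. A user who already has one must not be able to
// replace it from this page, which is the "swap the victim's MFA" path the issue describes.
function canVisitMfaSetup(state) {
  return state.enabled && state.status === "CONFIRMED" && !state.mfaConfigured;
}

// Server-side lookup. `adminGetUser(username)` is bound by the caller; with the real SDK:
//   const client = new CognitoIdentityProviderClient({});
//   const adminGetUser = (Username) =>
//     client.send(new AdminGetUserCommand({ UserPoolId: process.env.USER_POOL_ID, Username }));
// `username` must come from the verified server-side session (e.g. getCurrentUser on
// the server), never from request parameters the client controls.
async function mfaStateForUser(adminGetUser, username) {
  const resp = await adminGetUser(username);
  return mfaStateFromAdminGetUser(resp);
}

// Constructed sample responses (hypothetical users), shaped like AdminGetUser output.
const SAMPLE_RESPONSES = {
  "alice-totp": {
    Username: "alice-totp",
    Enabled: true,
    UserStatus: "CONFIRMED",
    PreferredMfaSetting: "SOFTWARE_TOKEN_MFA",
    UserMFASettingList: ["SOFTWARE_TOKEN_MFA"],
    UserAttributes: [{ Name: "sub", Value: "11111111-0000-0000-0000-000000000001" }],
  },
  "bob-new": {
    Username: "bob-new",
    Enabled: true,
    UserStatus: "CONFIRMED",
    UserAttributes: [{ Name: "sub", Value: "11111111-0000-0000-0000-000000000002" }],
  },
  "carol-legacy-sms": {
    Username: "carol-legacy-sms",
    Enabled: true,
    UserStatus: "CONFIRMED",
    MFAOptions: [{ DeliveryMedium: "SMS", AttributeName: "phone_number" }],
  },
  "dave-disabled": {
    Username: "dave-disabled",
    Enabled: false,
    UserStatus: "CONFIRMED",
  },
};

// Offline stand-in for the SDK-bound adminGetUser; the real one raises
// UserNotFoundException, which this mirrors as a rejected promise.
async function sampleAdminGetUser(username) {
  const resp = SAMPLE_RESPONSES[username];
  if (!resp) throw new Error("UserNotFoundException");
  return resp;
}

// Convenience used by the server route: true if the /setup page may be rendered.
async function mayRenderSetupPage(adminGetUser, username) {
  const state = await mfaStateForUser(adminGetUser, username);
  return canVisitMfaSetup(state);
}

module.exports = { mfaStateFromAdminGetUser, canVisitMfaSetup, mfaStateForUser, mayRenderSetupPage, sampleAdminGetUser, SAMPLE_RESPONSES };
```

In a Next.js server component the route would call mayRenderSetupPage with the username taken from the server-side session and redirect (or return 403) when it is false, so the check cannot be skipped by editing client state. Treating a non-empty UserMFASettingList as "configured" regardless of PreferredMfaSetting is deliberate: a registered authenticator without a preference set is still a credential an attacker could be replacing. Device-loss recovery then has to go through a separate, re-authenticated or support-driven reset path rather than the open /setup page.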