Open celica-vladimir opened 7 months ago
@cwomack just to share that I think that this is a issue on Cognito API, because in failed request to cognito contains appropriate. Do you have a way to check with someone on Cognito API side?
Hello, @celica-vladimir 👋 and apologies on the delay in response here! Just to confirm, is this with a Gen1 (CLI generated backend) app or is this on a Gen2 (currently in Developer Preview)? Also, if you could share any relevant frontend code that's making the Auth API calls as well as your package.json
, that would be extremely helpful!
As for what's not working, is it that you get the Invalid session for the user, session can only be used once.
error when you're attempting to sign in?
Hey @cwomack, we did not generated backend via CLI. We are using Amplify Auth component only for authorization with Cognito.
Package file: package.json
Amplify config:
import { Amplify } from 'aws-amplify';
Amplify.configure({
Auth: {
Cognito: {
// OPTIONAL - Amazon Cognito User Pool ID
userPoolId: process.env.REACT_APP_COGNITO_USER_POOL_ID,
// OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
userPoolClientId: process.env.REACT_APP_COGNITO_WEB_CLIENT_ID,
// REQUIRED only for Federated Authentication - Amazon Cognito Identity Pool ID
identityPoolId: process.env.REACT_APP_COGNITO_IDENTITY_POOL_ID,
authenticationFlowType: "CUSTOM_AUTH",
loginWith: {
// OPTIONAL - Hosted UI configuration
oauth: {
domain: process.env.REACT_APP_OAUTH_DOMAIN,
scopes: ['openid'],
redirectSignIn: [process.env.REACT_APP_OAUTH_CALLBACK_URL],
redirectSignOut: [process.env.REACT_APP_OAUTH_CALLBACK_URL],
responseType: 'code',
},
},
},
},
});
export default Amplify.getConfig();
Code signIn:
async handleSignIn(formData) {
const payload = {
...formData,
options: {
authFlowType: 'CUSTOM_WITH_SRP',
},
};
const user = await signIn(payload);
console.log('user?.nextStep', 'user?.nextStep');
if (
user?.nextStep?.signInStep === 'CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE'
) {
if (user?.nextStep?.additionalInfo.siteKey) {
updateSiteKey(user.nextStep.additionalInfo.siteKey);
}
} else if (
user?.nextStep?.signInStep === 'CONTINUE_SIGN_IN_WITH_MFA_SELECTION'
) {
try {
return await handleMFASelect(user);
} catch (error) {
window.location.reload();
}
}
return user;
}
Code handleMFASelect:
import { confirmSignIn } from 'aws-amplify/auth';
import MFASelectModal from './MFASelectModal';
const handleMFASelect = async ({ nextStep }) => {
const mfaType = await MFASelectModal({
allowedMFATypes: nextStep.allowedMFATypes,
});
return confirmSignIn({
challengeResponse: mfaType,
});
};
export default handleMFASelect;
@cwomack Regarding 'Invalid session for the user, session can only be used once' it happens when user's enter SMS MFA code (please note that user SMS MFA and TOTP MFA and none is preferred on cognito side). What is weird is that login works in case if TOTP MFA is chosed. When error happen, we compared Session value from previous request's response and from error request payload and they are the same. Another weird thing is that if user have only one MFA device assigned, both SMS and TOTP are working. Also, if user have only SMS MFA and there is no preferred MFA, it is working.
In past everything worked fine until we switched from SRP_A to CUSTOM_FLOW.
@celica-vladimir when you state that your users have more than one device assigned, can you confirm if you have device tracking enabled for this user pool?
@cwomack It is not, option "Don’t remember" is selected.
Marking as feature request.
Before opening, please confirm:
JavaScript Framework
React
Amplify APIs
Authentication
Amplify Version
v6
Amplify Categories
auth
Backend
None
Environment information
Describe the bug
We have a custom authentication flow with cognito triggers/lambdas. We created a user and enabled both MFA's, SMS and TOTP. We don't set preffered MFA because we want to allow user to choose appropriate MFA. When users select SMS MFA user get's error "Invalid session for the user, session can only be used once."
Expected behavior
In case of USER_SRP_AUTH, login works with user who have SMS and TOTP MFA enabled. When switch to CUSTOM_WITH_SRP, only TOTP works, but not SMS MFA.
Reproduction steps
Code Snippet
Log output
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response