aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Unable to pass SECRET_HASH value to cognito user pool from Gen 2 auth library signIn() method #13568

Open sagshar5 opened 4 months ago

sagshar5 commented 4 months ago

Environment information

System:
  OS: macOS 14.4.1
  CPU: (8) arm64 Apple M1 Pro
  Memory: 154.64 MB / 16.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 20.15.0 - /usr/local/bin/node
  Yarn: 1.22.22 - /usr/local/bin/yarn
  npm: 10.7.0 - /usr/local/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/backend: 1.0.4
  @aws-amplify/backend-cli: 1.1.0
  aws-amplify: 6.3.8
  aws-cdk: 2.147.3
  aws-cdk-lib: 2.147.3
  typescript: 5.5.3
AWS environment variables:
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Description

An Amazon Cognito user pool with a client secret enabled is imported into an Amplify Gen 2 project.

    import { defineBackend } from '@aws-amplify/backend';
    import { auth } from './auth/resource';
    import { data } from './data/resource';

    /**
     * @see https://docs.amplify.aws/react/build-a-backend/ to add storage, functions, and more
     */
    const backend = defineBackend({
    });

    backend.addOutput({
      auth: {
        aws_region: "REGION",
        user_pool_id: "USER_POOL_ID",
        user_pool_client_id: "CLIENT_ID",
        identity_pool_id: "IDENTITY_POOL_ID",
        username_attributes: ["email"],
        standard_required_attributes: ["email"],
        user_verification_types: ["email"],
        unauthenticated_identities_enabled: true,
        password_policy: {
          min_length: 8,
          require_lowercase: true,
          require_uppercase: true,
          require_numbers: true,
          require_symbols: true,
        }
      }
    })

Unable to find any way to pass the SECRET_HASH value to Cognito using the auth library signIn() or signUp() method.

Sample signIn()

    import type { FormEvent } from "react"
    import { Amplify } from "aws-amplify"

    import { signIn } from "aws-amplify/auth"
    import outputs from "../amplify_outputs.json"

    Amplify.configure(outputs)

    interface SignInFormElements extends HTMLFormControlsCollection {
      email: HTMLInputElement
      password: HTMLInputElement
    }

    interface SignInForm extends HTMLFormElement {
      readonly elements: SignInFormElements
    }

    export default function App() {
      async function handleSubmit(event: FormEvent<SignInForm>) {
        event.preventDefault()
        const form = event.currentTarget
        // ... validate inputs
        await signIn({
          username: form.elements.email.value,
          password: form.elements.password.value,

          options: {
            authFlowType: "CUSTOM_WITH_SRP",
            clientMetadata: {
              secretHash: "IyW/XXX+pvk="
            }
          }
        })
      }

      return (
        <form onSubmit={handleSubmit}>
          <label htmlFor="email">Email:</label>
          <input type="text" id="email" name="email" />
          <label htmlFor="password">Password:</label>
          <input type="password" id="password" name="password" />
          <input type="submit" />
        </form>
      )
    }

Using the above signUp() method, I can see in the browser console that the secretHash value is passed. However, I am still getting:

    400 Bad Request :: Client is configured with secret but SECRET_HASH was not received".

Can you please advise whether we can use Amplify Gen 2 with a Cognito user pool whose app client has a client secret enabled?

ykethan commented 4 months ago

Hey👋 thanks for raising this! I'm going to transfer this over to our JS repository for better assistance 🙂

cwomack commented 4 months ago

Hello, @sagshar5 and thanks for creating this issue. To address the question on Gen 2 support, this is NOT currently supported out of the box at this time. As such, we'll mark this as a feature request.

We'll follow up with any additional questions or updates we have on this from here, but feel free to add any additional context for use cases or implementations you're looking for in Gen 2 as well. Thanks!

cwomack commented 4 months ago

@sagshar5, did you run into this only after upgrading to v6 or using Gen2?

anyaname commented 4 months ago

Having same issue, does anyone know a workaround?

alexandreomiranda commented 4 months ago

You have to disable the client secret when you create the userPool. Unfortunately you cannot disable the client secret for a created userPool as far as I can see.

ndueber commented 2 months ago

This is very frustrating! Can't believe that amplify doesn't support the SECRET_HASH with modern frameworks like Next.js that have FE servers where the auth interactions occur.

The workaround we used was to use

    import {
      CognitoIdentityProviderClient,
      InitiateAuthCommand,
    } from "@aws-sdk/client-cognito-identity-provider"
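Added example, not code from this issue, from Amplify, or from the AWS SDK: it shows the SECRET_HASH derivation that the original question is missing (Base64 of HMAC-SHA256 over username + client id, keyed with the app client secret) and builds the USER_PASSWORD_AUTH input that the SDK workaround in the comment above would hand to InitiateAuthCommand. SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET, the sample usernames and the helper names (computeSecretHash, buildInitiateAuthInput, isWellFormedSecretHash) are constructed for the example; the SDK client is deliberately not imported so the block runs offline.

```typescript
import { createHmac } from "node:crypto";

// Constructed sample values. A real app client id and secret come from the
// Cognito console, and the secret belongs only on a server (Next.js route
// handler, Lambda, ...), never in a browser bundle.
export const SAMPLE_CLIENT_ID = "1example23456789";
export const SAMPLE_CLIENT_SECRET = "constructed-secret-do-not-use";

/**
 * SECRET_HASH as Cognito defines it:
 *   Base64( HMAC-SHA256( key = client secret, message = username + client id ) )
 * The username is whatever the user signs in with (the email address for a
 * pool whose username attribute is email). Because the hash is bound to the
 * username and client id, a fixed string (as sent via clientMetadata in the
 * issue) can never satisfy the server-side check.
 */
export function computeSecretHash(
  username: string,
  clientId: string,
  clientSecret: string,
): string {
  return createHmac("sha256", clientSecret)
    .update(username + clientId, "utf8")
    .digest("base64");
}

/** Shape of the AuthParameters map InitiateAuthCommand expects. */
export type AuthParameters = Record<string, string>;

/**
 * Builds the input object for InitiateAuthCommand using the USER_PASSWORD_AUTH
 * flow. Kept SDK-free so it can be inspected without network access; on the
 * server, pass the result to `new InitiateAuthCommand(input)` from
 * @aws-sdk/client-cognito-identity-provider. Note that SECRET_HASH travels in
 * AuthParameters, not in ClientMetadata, which is why the issue's attempt fails.
 */
export function buildInitiateAuthInput(
  username: string,
  password: string,
  clientId: string,
  clientSecret: string,
) {
  const authParameters: AuthParameters = {
    USERNAME: username,
    PASSWORD: password,
    SECRET_HASH: computeSecretHash(username, clientId, clientSecret),
  };
  return {
    AuthFlow: "USER_PASSWORD_AUTH" as const,
    ClientId: clientId,
    AuthParameters: authParameters,
  };
}

/**
 * Sanity check before wiring a secret-enabled client: a well-formed SECRET_HASH
 * is a 32-byte digest, i.e. exactly 44 base64 characters ending in one '='.
 */
export function isWellFormedSecretHash(value: string): boolean {
  return /^[A-Za-z0-9+/]{43}=$/.test(value);
}

/** Stand-alone demo with constructed values; returns the built request input. */
export function demo() {
  return buildInitiateAuthInput(
    "alice@example.com",
    "correct horse battery staple",
    SAMPLE_CLIENT_ID,
    SAMPLE_CLIENT_SECRET,
  );
}

console.log(JSON.stringify(demo(), null, 2));
```

USER_PASSWORD_AUTH must be allowed on the app client (ALLOW_USER_PASSWORD_AUTH), and if Cognito answers with a challenge, the same SECRET_HASH has to be included in the ChallengeResponses of the follow-up RespondToAuthChallengeCommand. Keeping the client secret and this derivation on the server side is the reason the workaround moves authentication out of the browser and away from the Amplify signIn() call.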