aws-amplify / amplify-ui

Amplify UI is a collection of accessible, themeable, performant React (and more!) components that can connect directly to the cloud.
https://ui.docs.amplify.aws
Apache License 2.0

Authenticator navigates back to SignUp when new account verification code is entered after 3 minutes even though Cognito fully activates the account #5851

Closed user381137 closed 2 months ago

user381137 commented 2 months ago


On which framework/platform are you having an issue?

React Native

Which UI component?

Authenticator

How is your app built?

Create React-Native App

What browsers are you seeing the problem on?

Android (React Native)

Which region are you seeing the problem in?

us-east-1

Please describe your bug.

In react-native when using Amplify Gen 2 flow: When the user creates a new account and takes longer than 3 minutes to enter their emailed verification code on the ConfirmSignUp page, Authenticator navigates back to the SignUp page. Cognito marks the new account as 'Confirmed' and the email is marked as 'Verified' in the Cognito console, even though the account creation verification appears to time out. The user has to navigate back to the SignIn page to sign in, which results in a successful authentication and the main app loads. However, this is confusing for the user to be taken back to the SignUp page when the account was fully created in Cognito.

What's the expected behaviour?

This scenario needs error/navigation handling. If 3 minutes is the maximum time a user has to enter the emailed verification code, then an error message should be displayed and the user should be required to request a new verification code and Cognito should not mark the account as verified/confirmed. If 3 minutes is not the maximum, then the Authenticator should navigate to the main app in the same way it does if the user enters the code in less than 3 minutes. I tried increasing the "Authentication flow session duration" in the Cognito console from 3 to 15 minutes, but this had no impact. Even if it did increase the time to 15 minutes, error/navigation handling would still be required. I haven't been able to test yet with SMS verification, but if the same issue exists with SMS codes, it would also need to be resolved.

Help us reproduce the bug!

index.js:

import { Amplify } from 'aws-amplify';
import amplifyconfig from './src/amplifyconfiguration.json';
Amplify.configure(amplifyconfig);

App.tsx:

import {Authenticator, ThemeProvider} from '@aws-amplify/ui-react-native';

package.json (dependencies):

"dependencies": {
  "@aws-amplify/auth": "^6.4.2",
  "@aws-amplify/react-native": "^1.1.5",
  "@aws-amplify/ui-react": "^6.0.6",
  "@aws-amplify/ui-react-native": "^2.0.6",
  "@aws-sdk/client-dynamodb": "^3.554.0",
  "@aws-sdk/lib-dynamodb": "^3.554.0",
  "aws-amplify": "^6.6.2",
  "react": "18.2.0",
  "react-native": "0.73.0",

Code Snippet

// Put your code below this line.

function App() {
  return (
    // (JSX missing from the original post; see the corrected snippet in the next comment)
  );
}
export default App;


user381137 commented 2 months ago

Corrected code snippet:

    <RootSiblingParent>
      <ThemeProvider>
        <Authenticator.Provider>
          <Authenticator>
            <AppContent />
          </Authenticator>
        </Authenticator.Provider>
      </ThemeProvider>
    </RootSiblingParent>

thaddmt commented 2 months ago

Thanks for the code snippet, will try to reproduce this and see if we can reproduce. Could you also send over your gen2 authentication setup?

user381137 commented 2 months ago

Thanks - The setup I used was through Amplify CLI (amplify add auth). This appears to be Gen 1 - apologies for the confusion. I'm also experiencing the same issue when I try withAuthenticator(App).

This is most of the redacted setup code - let me know if you need anything else:

App.tsx:

import { Amplify } from "aws-amplify";
import { Authenticator, useAuthenticator } from "@aws-amplify/ui-react-native";
import amplifyconfig from './src/amplifyconfiguration.json';
Amplify.configure(amplifyconfig);

amplifyconfiguration.json:

{
  "aws_project_region": "us-east-1",
  "aws_cognito_identity_pool_id": "us-east-1:",
  "aws_cognito_region": "us-east-1",
  "aws_user_pools_id": "us-east-1_",
  "aws_user_pools_web_client_id": "",
  "oauth": {},
  "aws_cognito_username_attributes": [
    "EMAIL"
  ],
  "aws_cognito_social_providers": [],
  "aws_cognito_signup_attributes": [
    "EMAIL",
    "PHONE_NUMBER"
  ],
  "aws_cognito_mfa_configuration": "OPTIONAL",
  "aws_cognito_mfa_types": [
    "TOTP"
  ],
  "aws_cognito_password_protection_settings": {
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": []
  },
  "aws_cognito_verification_mechanisms": [
    "EMAIL"
  ],
  "aws_appsync_graphqlEndpoint": ".appsync-api.us-east-1.amazonaws.com/graphql",
  "aws_appsync_region": "us-east-1",
  "aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS"
}

cli-inputs.json:

{
  "version": "1",
  "cognitoConfig": {
    "identityPoolName": "",
    "allowUnauthenticatedIdentities": false,
    "resourceNameTruncated": "",
    "userPoolName": "",
    "autoVerifiedAttributes": [
      "email"
    ],
    "mfaConfiguration": "OPTIONAL",
    "mfaTypes": [
      "TOTP"
    ],
    "smsAuthenticationMessage": "Your authentication code is {####}",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "Your verification code",
    "emailVerificationMessage": "Your verification code is {####}",
    "defaultPasswordPolicy": true,
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [],
    "requiredAttributes": [
      "email",
      "phone_number"
    ],
    "aliasAttributes": [],
    "userpoolClientGenerateSecret": false,
    "userpoolClientRefreshTokenValidity": 30,
    "userpoolClientWriteAttributes": [
      "email"
    ],
    "userpoolClientReadAttributes": [
      "email"
    ],
    "userpoolClientLambdaRole": "",
    "userpoolClientSetAttributes": false,
    "sharedId": "",
    "resourceName": "",
    "authSelections": "",
    "useDefault": "manual",
    "thirdPartyAuth": false,
    "usernameAttributes": [
      "email"
    ],
    "userPoolGroups": false,
    "adminQueries": false,
    "triggers": {},
    "hostedUI": false,
    "userPoolGroupList": [],
    "serviceName": "Cognito",
    "usernameCaseSensitive": false,
    "useEnabledMfas": true
  }
}

thaddmt commented 2 months ago

Was able to reproduce this, out of curiosity @user381137 can you tell me where you were able to set the confirmation code expiry? I noticed in the docs it says it's set to 24 hours https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#:~:text=The%20verification%20code%20or%20link,when%20a%20user%20signs%20up.

user381137 commented 2 months ago

The field I tried changing in the console was: User pools > App integration > App client list > App clients and analytics > App client information > Edit > Authentication flow session duration. This didn't seem to have an impact though. I also tried using a timer to navigate back to the signIn page after 3 minutes so at least the user would know to try to log in with their newly created, but unverified, account. After signing in, it correctly navigated to the ConfirmationSignUp page, emailed them a new code, but even if the new code was immediately entered within 3 minutes, it still took them back to the SignUp page. So it wasn't re-establishing a new 3 minute timeout auth flow.

This is the console page:

[screenshot of the Cognito console page omitted]

thaddmt commented 2 months ago

After looking into it more it seems like this is actually expected behavior and there is a limit for performing an autoSignIn after a confirmation code coming from the Auth APIs code ref - https://github.com/aws-amplify/amplify-js/blob/main/packages/auth/src/providers/cognito/utils/signUpHelpers.ts#L15C7-L15C32

It seems like you can probably file a feature request with the JS library to see if they can make it configurable - https://github.com/aws-amplify/amplify-js/issues

user381137 commented 2 months ago

I assumed the 3 minute limit was the expected behavior, but shouldn't Authenticator handle the timeout better? The user can still create the account after 3 minutes. When autosignin times out, it shouldn't just load the create account / sign up page again. That is the issue.

thaddmt commented 2 months ago

@user381137 I believe the issue here is the Authenticator just follows whatever the Auth API in the JS library does. In the default case after 3 minutes it still allows account creation, but it does not allow auto sign in. It seems like that is expected behavior from their API
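The behaviour thaddmt describes (the account is confirmed, but auto sign-in is only allowed inside a bounded window) is the case an app's own confirm handler has to cover. The following is an added example, not code from this thread or from the amplify-ui/amplify-js projects: it assumes the Amplify v6 Auth API shapes (`confirmSignUp()` resolving to `{ isSignUpComplete, nextStep: { signUpStep } }`, `autoSignIn()` rejecting once its window has passed) and injects the auth client, so the flow runs offline against a constructed fake whose 3-minute window is the value quoted above.

```javascript
// Added example, not amplify-ui/amplify-js code. Assumes the Amplify v6 Auth API shapes:
// confirmSignUp() -> { isSignUpComplete, nextStep: { signUpStep } }; autoSignIn() rejects
// once the library's auto sign-in window has passed. The client is injected (fake below).
async function completeSignUp(auth, { username, confirmationCode }) {
  const { isSignUpComplete, nextStep } = await auth.confirmSignUp({ username, confirmationCode });
  if (!isSignUpComplete) return { status: 'confirm_failed', step: nextStep.signUpStep };
  // From here on the account is CONFIRMED in Cognito whatever happens next.
  if (nextStep.signUpStep === 'COMPLETE_AUTO_SIGN_IN') {
    try {
      const { isSignedIn } = await auth.autoSignIn();
      if (isSignedIn) return { status: 'signed_in', via: 'autoSignIn' };
    } catch (err) { /* auto sign-in window elapsed or other failure: fall through */ }
  }
  // Confirmed but not signed in: route to sign-in, never back to sign-up.
  return { status: 'confirmed', route: 'signIn', username };
}

// Constructed fake of the three Auth calls involved; 3 minutes is the window quoted in the thread.
function makeFakeAuth(clock, autoSignInWindowMs = 3 * 60 * 1000) {
  const users = new Map(); // username -> { code, confirmed, signedUpAt }
  let pending = null;      // username eligible for auto sign-in
  return {
    async signUp({ username }) {
      users.set(username, { code: '123456', confirmed: false, signedUpAt: clock.now() });
      return { isSignUpComplete: false, nextStep: { signUpStep: 'CONFIRM_SIGN_UP' } };
    },
    async confirmSignUp({ username, confirmationCode }) {
      const u = users.get(username);
      if (!u || u.code !== confirmationCode) throw new Error('CodeMismatchException');
      u.confirmed = true; pending = username; // Cognito confirms however long the code took
      return { isSignUpComplete: true, nextStep: { signUpStep: 'COMPLETE_AUTO_SIGN_IN' } };
    },
    async autoSignIn() {
      const u = users.get(pending);
      if (!u || clock.now() - u.signedUpAt > autoSignInWindowMs) throw new Error('AutoSignInException');
      return { isSignedIn: true };
    },
    isConfirmed: (username) => users.get(username)?.confirmed === true,
  };
}

// Signs up, waits `delayMs` on the injected clock, then confirms; returns the flow result
// together with the (fake) Cognito confirmation state.
async function scenario(delayMs) {
  let t = 0;
  const auth = makeFakeAuth({ now: () => t });
  await auth.signUp({ username: 'alice@example.com' });
  t += delayMs;
  const result = await completeSignUp(auth, { username: 'alice@example.com', confirmationCode: '123456' });
  return { ...result, confirmedInCognito: auth.isConfirmed('alice@example.com') };
}
```

`scenario(30 * 1000)` ends signed in via auto sign-in; `scenario(4 * 60 * 1000)` ends confirmed with a `signIn` route, which is the state the Authenticator currently renders as the SignUp page.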