Open tinti opened 1 week ago
Very interested in that.
Is that similar to this implementation? https://github.com/aws-samples/amazon-cognito-passwordless-email-auth
But using dynamodb again, like magic links, for rate limiting? Implementing OTP is easier than magic link because you don't have to deal with the link being opened in a different browser. On the other hand, I'd like to include the option to send the OTP using either email or SMS, depending on the user's choice at the time of signing in.
> Very interested in that.
> Is that similar to this implementation? https://github.com/aws-samples/amazon-cognito-passwordless-email-auth
I would say that is closer to the magic link implementation. I have copied most of the code from it. The idea is the same.
> But using dynamodb again, like magic links, for rate limiting?
Yes.
> Implementing OTP is easier than magic link because you don't have to deal with the link being opened in a different browser. On the other hand, I'd like to include the option to send the OTP using either email or SMS, depending on the user's choice at the time of signing in.
It is doable. I can adjust.
What do you think of this proposal?
For (1), does Cognito provide a "guest" session that I can use?
Thanks.
Not sure what you mean with guest session. You shouldn't need it I think ?
Maybe we should implement this as 2 separate flows. Email OTP and SMS OTP.
Even though they share a lot of code, it may be beneficial for implementation simplicity to keep them separate.
> Not sure what you mean with guest session. You shouldn't need it I think ?
I mean is there a way I can guarantee that given an authentication flow X that called the define authentication challenge requesting an OTP code, only X can use the OTP?
> Maybe we should implement this as 2 separate flows. Email OTP and SMS OTP.
> Even though they share a lot of code, it may be beneficial for implementation simplicity to keep them separate.
Agree.
> I mean is there a way I can guarantee that given an authentication flow X that called the define authentication challenge requesting an OTP code, only X can use the OTP?
That's what Cognito takes care of for you (it's tied to the session, which is the very long string Cognito returns to you in custom auth calls, that you must provide back again in respondtoauthchallenge)
I have a fully working SMS OTP authentication patch. Would it be accepted, or is SMS OTP authentication too insecure to be merged in this project?
It is basically a copy of the magic-link implementation but without using KMS to generate and validate the OTP codes. From a security perspective I was thinking of storing some validation to compensate:
https://github.com/aws-samples/amazon-cognito-passwordless-auth/blob/5bfdab2b13a07be24020cb4f8032337f242e48ee/cdk/custom-auth/magic-link.ts#L138-L140
This way the only one who could use the OTP is the one who requested it.
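The two points raised in this thread, that Cognito binds a custom challenge to the session it was issued in, and that the verifier should only accept the OTP that was generated for that specific challenge, can be shown with the three custom-auth Lambda handlers. The following is an added example written for this discussion; it is not code from the amazon-cognito-passwordless-auth project or from the patch mentioned above. It assumes simplified event shapes (a subset of the real Cognito trigger events), a hypothetical `sendSms` delivery step that is left as a comment, and a 3-minute OTP lifetime with 3 allowed attempts; the DynamoDB rate limiting discussed earlier is out of scope here. The OTP itself is never stored: only a salted hash goes into `privateChallengeParameters`, which Cognito keeps server-side and hands back only to the verify trigger of the same session, so a code requested in flow X cannot be answered from another flow.

```typescript
import { createHash, randomBytes, randomInt, timingSafeEqual } from "node:crypto";

// Minimal shapes of the Cognito custom-auth trigger events (assumed subset of the real types).
interface ChallengeResult { challengeName: string; challengeResult: boolean; }
interface DefineEvent {
  request: { session: ChallengeResult[] };
  response: { challengeName?: string; issueTokens: boolean; failAuthentication: boolean };
}
interface CreateEvent {
  request: { userAttributes: Record<string, string> };
  response: {
    publicChallengeParameters: Record<string, string>;
    privateChallengeParameters: Record<string, string>;
  };
}
interface VerifyEvent {
  request: { privateChallengeParameters: Record<string, string>; challengeAnswer?: string };
  response: { answerCorrect: boolean };
}

const OTP_TTL_MS = 3 * 60 * 1000; // assumed lifetime of one code
const MAX_ATTEMPTS = 3;           // assumed number of wrong answers before the flow fails

// DefineAuthChallenge: issue tokens after one correct answer, fail after too many wrong ones,
// otherwise ask for (another) CUSTOM_CHALLENGE.
function defineAuthChallenge(event: DefineEvent): DefineEvent {
  const session = event.request.session;
  const last = session[session.length - 1];
  const failures = session.filter(s => s.challengeName === "CUSTOM_CHALLENGE" && !s.challengeResult).length;
  if (last && last.challengeName === "CUSTOM_CHALLENGE" && last.challengeResult) {
    event.response = { issueTokens: true, failAuthentication: false };
  } else if (failures >= MAX_ATTEMPTS) {
    event.response = { issueTokens: false, failAuthentication: true };
  } else {
    event.response = { challengeName: "CUSTOM_CHALLENGE", issueTokens: false, failAuthentication: false };
  }
  return event;
}

// Six-digit code from a CSPRNG, zero-padded so leading zeros are not lost.
function generateOtp(): string {
  return randomInt(0, 1_000_000).toString().padStart(6, "0");
}

// Salted hash so the private parameters never carry the code in clear.
function hashOtp(otp: string, salt: string): string {
  return createHash("sha256").update(`${salt}:${otp}`).digest("hex");
}

// Hide all but the last four characters of the delivery destination shown to the client.
function maskDestination(destination: string): string {
  return destination.replace(/.(?=.{4})/g, "*");
}

// CreateAuthChallenge: generate the code, keep only its hash + expiry server-side,
// and tell the client where the code was sent. `now` and `otp` are parameters for testing.
function createAuthChallenge(event: CreateEvent, now: number = Date.now(), otp: string = generateOtp()): CreateEvent {
  const phone = event.request.userAttributes["phone_number"];
  const salt = randomBytes(16).toString("hex");
  event.response.privateChallengeParameters = {
    otpHash: hashOtp(otp, salt),
    salt,
    expiresAt: String(now + OTP_TTL_MS),
  };
  event.response.publicChallengeParameters = {
    deliveryMedium: "SMS",
    destination: maskDestination(phone),
  };
  // sendSms(phone, otp); // hypothetical delivery call, e.g. via SNS; not implemented here
  return event;
}

// VerifyAuthChallengeResponse: reject expired codes, then compare hashes in constant time.
function verifyAuthChallengeResponse(event: VerifyEvent, now: number = Date.now()): VerifyEvent {
  const { otpHash, salt, expiresAt } = event.request.privateChallengeParameters;
  if (!otpHash || !salt || now > Number(expiresAt)) {
    event.response.answerCorrect = false;
    return event;
  }
  const expected = Buffer.from(otpHash, "hex");
  const actual = Buffer.from(hashOtp(event.request.challengeAnswer ?? "", salt), "hex");
  event.response.answerCorrect = expected.length === actual.length && timingSafeEqual(expected, actual);
  return event;
}
```

Because `privateChallengeParameters` travel only between Cognito and these triggers, and the client must present the session string returned by InitiateAuth on every RespondToAuthChallenge call, the binding the question asks about comes from Cognito itself; the hash, expiry and attempt cap above are the compensating checks for not having KMS generate and validate the code.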