aws-samples / amazon-cognito-passwordless-auth

Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn, support for Passkeys), Magic Link, SMS OTP Step Up
Apache License 2.0
365 stars 63 forks

Bug: SMS OTP sent to unverified phone #199

Open mdesousa opened 4 days ago

mdesousa commented 4 days ago

hi, noticed this bug in sms-otp-stepup.ts

in the lines below:

  let phoneNumber = event.request.userAttributes.phone_number_verified
    ? event.request.userAttributes.phone_number
    : undefined;

phoneNumber is populated if phone_number_verified is "false" (which is a string and is truthy)

ottokruse commented 1 day ago

TIL. Just confirmed it.

Thanks for the report. Are you interested in sending a PR for it?

ottokruse commented 1 day ago

(Sidenote: in the JWT ID token the field is boolean, not string. But in the Cognito triggers, it is string, so "true" or "false".)
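The bug reported above and the sidenote about representations, illustrated as an added example (not code from the repository or from either commenter). The event shape, function names and phone numbers below are assumptions constructed for the example; in Cognito Lambda triggers every value under `request.userAttributes` is a string, so `"false"` is truthy and the original ternary selects the number anyway. The fixed version compares against the literal string `"true"`, and a small helper shows how to accept both the trigger's string form and the ID token's boolean form.

```typescript
// Added example, not the project's code. Minimal stand-in for the part of a
// Cognito trigger event this issue concerns (assumed shape, not imported).
interface CognitoTriggerEvent {
  request: {
    // In Cognito triggers every attribute value is a string, including
    // "true"/"false" for *_verified attributes.
    userAttributes: Record<string, string>;
  };
}

// The selection as reported in the issue: any non-empty string, including
// "false", is truthy, so an unverified number is still returned.
function verifiedPhoneNumberBuggy(event: CognitoTriggerEvent): string | undefined {
  return event.request.userAttributes.phone_number_verified
    ? event.request.userAttributes.phone_number
    : undefined;
}

// Fixed selection: compare against the exact string Cognito sends.
// A missing attribute, "false", or any other value yields undefined.
function verifiedPhoneNumber(event: CognitoTriggerEvent): string | undefined {
  const attrs = event.request.userAttributes;
  return attrs.phone_number_verified === "true" ? attrs.phone_number : undefined;
}

// Accepts either representation: boolean (as in an ID token claim) or
// string (as in a trigger event). Anything else is treated as unverified.
function isVerified(value: unknown): boolean {
  return value === true || value === "true";
}

// Constructed sample events (fictional +1-555 numbers, not real user data).
const unverifiedEvent: CognitoTriggerEvent = {
  request: {
    userAttributes: { phone_number: "+15555550100", phone_number_verified: "false" },
  },
};
const verifiedEvent: CognitoTriggerEvent = {
  request: {
    userAttributes: { phone_number: "+15555550100", phone_number_verified: "true" },
  },
};
const missingAttrEvent: CognitoTriggerEvent = {
  request: {
    userAttributes: { phone_number: "+15555550100" },
  },
};

// Stand-alone run: the buggy check hands the unverified number to the OTP
// sender, the fixed check does not.
console.log("buggy, unverified:", verifiedPhoneNumberBuggy(unverifiedEvent));
console.log("fixed, unverified:", verifiedPhoneNumber(unverifiedEvent));
console.log("fixed, verified:", verifiedPhoneNumber(verifiedEvent));
console.log("fixed, attribute absent:", verifiedPhoneNumber(missingAttrEvent));
```

The strict comparison also closes the case where the attribute is absent altogether, which the truthy check handled correctly only by accident; when reviewing similar code, look for any `*_verified` attribute read from a trigger event and used as a boolean.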

mdesousa commented 1 day ago

hi @ottokruse submitted PR #201

ottokruse commented 1 day ago

Thanks for the PR. We'll close the issue once we have published a new version to npm