aws / aws-sdk-net-extensions-cognito

An extension library to assist in the Amazon Cognito User Pools authentication process
Apache License 2.0

StartWithSrpAuthAsync fails with a parse exception #48

Closed efess closed 3 years ago

efess commented 4 years ago

I have a cognito user pool built using the email as a sign-in alias. When I use user_1@someemail.com as a username using StartWithSrpAuthAsync, the library throws an exception "The value could not be parsed."

I narrowed this down to the fact the salt string is a negative hex value, which the lib is assuming is always unsigned. This error is occurring in AuthenticationHelper.cs:

var salt = BigIntegerExtensions.FromLittleEndianHex(saltString);

Is it possible to support signed salt values here? I tried this in nodejs Amplify and they seem to handle it w/o an issue.
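The signed-versus-unsigned interpretation described above, as an added C# example that is not the library's own code: BigInteger.Parse with NumberStyles.HexNumber reads the string as two's complement, so a salt whose leading hex digit is 8..f comes out negative unless a "0" is prepended. The helper name UnsignedHex and the sample salt strings are constructed for this example.

```csharp
using System;
using System.Globalization;
using System.Numerics;

// Hypothetical helper for this example, not the library's FromUnsignedLittleEndianHex.
static class UnsignedHex
{
    // Library-style parse: interprets the hex as a signed (two's-complement) value,
    // so a leading digit of 8..f yields a negative BigInteger.
    public static BigInteger ParseRaw(string hex)
    {
        return BigInteger.Parse(hex, NumberStyles.HexNumber);
    }

    // Cognito salts are unsigned: the leading "0" clears the sign bit, and TryParse
    // turns the generic "could not be parsed" into a message naming the bad input.
    public static BigInteger ParseUnsigned(string hex)
    {
        if (string.IsNullOrWhiteSpace(hex))
            throw new ArgumentException("salt hex string is empty", nameof(hex));
        if (!BigInteger.TryParse("0" + hex, NumberStyles.AllowHexSpecifier,
                                 CultureInfo.InvariantCulture, out var value))
            throw new FormatException($"salt is not a valid hex string: '{hex}'");
        return value;
    }

    public static void Main()
    {
        // Constructed sample salts (not real Cognito values).
        // "3a7f1c" parses the same either way (3833628);
        // "ff0a9b" is -62821 when parsed raw but 16714395 when parsed as unsigned.
        string[] salts = { "3a7f1c", "ff0a9b" };
        foreach (var s in salts)
        {
            BigInteger raw = ParseRaw(s);
            BigInteger unsigned = ParseUnsigned(s);
            Console.WriteLine($"{s}: raw={raw} (sign {raw.Sign}) unsigned={unsigned}");
        }
    }
}
```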

efess commented 4 years ago

OK I guess this happens when trying to initiateAuth using an email which hasn't been verified yet.

The fix for me is to specify email_verified = true on user creation, then the SRP authentication works as intended.

Not sure if any action needs to be taken to handle that particular case, otherwise I can close this

klaytaybai commented 4 years ago

Thanks for the feedback. I'll look into whether we can use the signed salt values. I don't want to recommend setting email_verified = true unless it has been verified or isn't critical for you.

timcromarty commented 4 years ago

Getting the same issue. However, I do not want to set email_verified as true, as I need to log in to obtain a session from which I can call ResponseToNewPasswordRequiredAsync in order to change the temporary password (and confirm the email).

dtarczynski commented 4 years ago

Having the same issue where I use Email as UserName for not yet activated accounts. This way I can't respond to the challenge and require validation of the Email by providing a validation code in the next step.

vazquezbonilla commented 4 years ago

I have email_verified as true and I'm getting the same issue

DevonHansen commented 4 years ago

Getting this issue as well on a user that has been verified and has been able to log in prior. Edit: This is when a user doesn't exist on the database. So what I think may be happening is that a user has an email such as "bob@gmail.com", and is also using "bob+1@gmail.com". This is the only thing that separates between this format exception and an unknown user error, and the format issue is because the salt hex is negative. Stack trace below

at System.Numerics.BigNumber.ParseBigInteger (System.ReadOnlySpan'1[T] value, System.Globalization.NumberStyles style, System.Globalization.NumberFormatInfo info) [0x0001e] in /Library/Frameworks/Xamarin.iOS.framework/Versions/Current/src/Xamarin.iOS/external/corefx/src/System.Runtime.Numerics/src/System/Numerics/BigNumber.cs:386 
  at System.Numerics.BigNumber.ParseBigInteger (System.String value, System.Globalization.NumberStyles style, System.Globalization.NumberFormatInfo info) [0x0000e] in /Library/Frameworks/Xamarin.iOS.framework/Versions/Current/src/Xamarin.iOS/external/corefx/src/System.Runtime.Numerics/src/System/Numerics/BigNumber.cs:374 
  at System.Numerics.BigInteger.Parse (System.String value, System.Globalization.NumberStyles style, System.IFormatProvider provider) [0x00000] in /Library/Frameworks/Xamarin.iOS.framework/Versions/Current/src/Xamarin.iOS/external/corefx/src/System.Runtime.Numerics/src/System/Numerics/BigInteger.cs:675 
  at System.Numerics.BigInteger.Parse (System.String value, System.Globalization.NumberStyles style) [0x00000] in /Library/Frameworks/Xamarin.iOS.framework/Versions/Current/src/Xamarin.iOS/external/corefx/src/System.Runtime.Numerics/src/System/Numerics/BigInteger.cs:665 
  at Amazon.Extensions.CognitoAuthentication.Util.BigIntegerExtensions.FromUnsignedLittleEndianHex (System.String hex) [0x0000b] in <bfb077a8c7a341ef900f115d002a1c51>:0 
  at Amazon.Extensions.CognitoAuthentication.Util.AuthenticationHelper.AuthenticateUser (System.String username, System.String password, System.String poolName, System.Tuple`2[T1,T2] tupleAa, System.String saltString, System.String srpbString, System.String secretBlockBase64, System.String formattedTimestamp) [0x0003b] in <bfb077a8c7a341ef900f115d002a1c51>:0 
  at Amazon.Extensions.CognitoAuthentication.CognitoUser.CreateSrpPasswordVerifierAuthRequest (Amazon.CognitoIdentityProvider.Model.InitiateAuthResponse challenge, System.String password, System.Tuple`2[T1,T2] tupleAa) [0x000a8] in <bfb077a8c7a341ef900f115d002a1c51>:0 
  at Amazon.Extensions.CognitoAuthentication.CognitoUser.StartWithSrpAuthAsync (Amazon.Extensions.CognitoAuthentication.InitiateSrpAuthRequest srpRequest) [0x000f2] in <bfb077a8c7a341ef900f115d002a1c51>:0 
<omitted project specific stack>

ashishdhingra commented 3 years ago

Hi @efess,

Good afternoon.

I was going through the issue backlog and came across this issue. I tested the functionality and it appears that StartWithSrpAuthAsync() works when a verified email address (e.g. testemail@somedomain.com) having special character ``, is used in place of user name. Also, for an un-verified email address, I didn't get any parse exception; it didn't allow me to log in, giving an invalid username/password exception.

AWSSDK.Extensions.CognitoAuthentication Version: 0.9.4

Please confirm if we could close this issue.

Thanks, Ashish

efess commented 3 years ago

@ashishdhingra the issue is when you try to initiate auth using an email address which has not been verified yet. This will throw an exception within the library rather than any useful information telling the user that the email address needs to be verified first.

Edit: If it's not reproducible, please close it. I'm off the project which I originally experienced this issue so I cannot test myself.

ashishdhingra commented 3 years ago

Hi @timcromarty / @dtarczynski / @vazquezbonilla / @DevonHansen,

Good afternoon.

Please review the above comments and let me know if this is still an issue. Else, since the issue is not reproducible, we could close this issue.

Thanks, Ashish

mattmapadmi commented 3 years ago

This seems to have fixed itself for me overnight. I don't manage our Cognito instance so can't say for certain if something has changed there.

I was previously testing with test@test.com and password and getting the FormatException, but now getting NotAuthorizedException as you'd expect.

DevonHansen commented 3 years ago

I'll look to see if I can replicate sometime today. We have a workaround where we assume that FormatException is a reason to not log the person in for invalid details.

github-actions[bot] commented 3 years ago

This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.