Closed. moonshinephoenix closed this 1 year ago
I found out that when the phone number is verified, sendMFACode works as expected and I can authenticate. Since https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-text-message.html states that "When a user successfully goes through the SMS text message MFA flow, their phone number is also marked as verified," I thought it was not necessary, but I guess it is.
To avoid such a problem in future (the error message from Cognito is extremely misleading), it would be good to do at least one of the following
@moonshinephoenix thank you for your investigation. Could you please create a PR to the readme and code?
@furaiev I will, but please be a bit patient with me. This is my first time contributing to open source and using git, so it might take me a little while to get it right.
The change itself seems easy enough though. Do you have any preferences as to which route I should go with the code change? I think I prefer the second one: throwing a qualified exception when entering a state in which the process is incomplete (similar to initAuth).
When sending an SMS-MFA code using sendMFACode, authentication fails even when providing the correct code.
Providing the autogenerated GUID-like username instead of the email as USERNAME in the ChallengeResponse for the RespondToAuthChallenge request works like a charm. When looking at the SMS-MFA challenge, the username was also provided in the GUID-like style and not as an email. Maybe these values have to correspond. I did not find any information on this, but when trying to respond to a SOFTWARE_TOKEN_MFA challenge it worked with the GUID-like username as well as with the email.
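The two findings in this thread (answer the SMS_MFA challenge with the username Cognito returned in the challenge rather than the email the user typed, and check that the phone number is verified before starting SMS MFA, failing with a qualified exception instead of Cognito's misleading error) can be put into a small client-side guard. The code below is an added example written for this issue, not code from the library discussed here or from the reporter. It builds the RespondToAuthChallenge request as a plain dict and never calls AWS; the challenge parameter key `USER_ID_FOR_SRP`, the `GetUser`-style `UserAttributes` list and the sample values are assumptions and constructed data, not taken from the thread.

```python
"""Client-side guard for Cognito SMS MFA (added example, not library code)."""


class MfaPreconditionError(Exception):
    """Raised when SMS MFA cannot succeed yet, with a clear reason.

    This replaces the misleading server-side error the thread describes."""


def username_for_challenge(challenge: dict, login_identifier: str) -> str:
    """Pick the USERNAME to send back with the challenge response.

    Cognito echoes the internal (GUID-like) username in the challenge
    parameters; the thread found that this value, not the email used to
    log in, must go into ChallengeResponses.USERNAME. The key name
    USER_ID_FOR_SRP is an assumption about the Cognito response shape."""
    params = challenge.get("ChallengeParameters", {})
    return params.get("USER_ID_FOR_SRP") or params.get("USERNAME") or login_identifier


def build_sms_mfa_response(challenge: dict, login_identifier: str,
                           code: str, client_id: str) -> dict:
    """Build the RespondToAuthChallenge request body for an SMS_MFA challenge."""
    if challenge.get("ChallengeName") != "SMS_MFA":
        raise ValueError(f"not an SMS_MFA challenge: {challenge.get('ChallengeName')}")
    if not code.isdigit():
        raise MfaPreconditionError("SMS MFA code must be numeric")
    return {
        "ClientId": client_id,
        "ChallengeName": "SMS_MFA",
        "Session": challenge["Session"],
        "ChallengeResponses": {
            "USERNAME": username_for_challenge(challenge, login_identifier),
            "SMS_MFA_CODE": code,
        },
    }


def require_verified_phone(user_attributes: list) -> str:
    """Fail early unless phone_number is present and phone_number_verified is "true".

    Takes the Name/Value list shape Cognito uses for user attributes and
    returns the phone number so the caller can show the delivery target."""
    attrs = {a["Name"]: a["Value"] for a in user_attributes}
    if "phone_number" not in attrs:
        raise MfaPreconditionError("user has no phone_number attribute; SMS MFA cannot run")
    if attrs.get("phone_number_verified") != "true":
        raise MfaPreconditionError(
            "phone_number is not verified; verify it before starting SMS MFA")
    return attrs["phone_number"]


# Constructed sample data: the shape of an SMS_MFA challenge and a user's attributes.
SAMPLE_CHALLENGE = {
    "ChallengeName": "SMS_MFA",
    "Session": "constructed-session-token",
    "ChallengeParameters": {
        "USER_ID_FOR_SRP": "11111111-2222-3333-4444-555555555555",
        "CODE_DELIVERY_DESTINATION": "+*******1234",
    },
}
SAMPLE_VERIFIED_USER = [
    {"Name": "email", "Value": "alice@example.com"},
    {"Name": "phone_number", "Value": "+15555551234"},
    {"Name": "phone_number_verified", "Value": "true"},
]
SAMPLE_UNVERIFIED_USER = [
    {"Name": "email", "Value": "bob@example.com"},
    {"Name": "phone_number", "Value": "+15555559876"},
    {"Name": "phone_number_verified", "Value": "false"},
]


if __name__ == "__main__":
    require_verified_phone(SAMPLE_VERIFIED_USER)
    print(build_sms_mfa_response(SAMPLE_CHALLENGE, "alice@example.com", "123456", "client-id"))
    try:
        require_verified_phone(SAMPLE_UNVERIFIED_USER)
    except MfaPreconditionError as e:
        print("refused:", e)
```

Calling `require_verified_phone` before `sendMFACode` turns the silent failure into the qualified exception the thread proposes, and `build_sms_mfa_response` makes the username choice explicit instead of leaving it to whatever the caller logged in with.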