jonsaw / amazon-cognito-identity-dart

Unofficial Amazon Cognito Identity Provider Dart SDK, to easily add user sign-up and sign-in to your mobile and web apps with AWS.
MIT License
204 stars, 93 forks

Fixed the bug that made DEVICE_PASSWORD_VERIFIER for remembered device fail #62

Open LudySu opened 4 years ago

LudySu commented 4 years ago

If you have enabled the device remembering feature in your User Pool, this SDK will fail in response to the DEVICE_PASSWORD_VERIFIER challenge, which occurs the second time you log in with the same device. Here is the error response from AWS:

HTTP/1.1 400 Bad Request
x-amzn-ErrorType: NotAuthorizedException:
x-amzn-ErrorMessage: Incorrect username or password.

{
  "__type": "NotAuthorizedException",
  "message": "Incorrect username or password."
}

This is because when you log in with this device for the first time, it sends the WRONG PasswordVerifier JSON parameter in the AWSCognitoIdentityProviderService.ConfirmDevice request. This doesn't fail, which means you will be able to log in the first time, but it is sending a WRONG parameter (a hash based on the combination of device key, device group key and a random string), so AWS Cognito remembers the WRONG information. Consequently, the second time, when the SDK sends the PASSWORD_CLAIM_SIGNATURE parameter in the DEVICE_PASSWORD_VERIFIER phase using the CORRECT device key and device group key to generate that hash, there is a conflict.

More details are in my blog post, if anyone is interested.

furaiev commented 4 years ago

Hi, I've copied this project into a separate package (because this one isn't supported anymore): https://pub.dev/packages/amazon_cognito_identity_dart_2. You're welcome to contribute.

isaiahtaylorhh commented 4 years ago

Hi, thanks for your work on this. Unfortunately I am still getting this error even with the merged fix.