Open jpmckinney opened 3 weeks ago
Separately, we are the only code on GitHub to reference ExpiredTemporaryPasswordException. It's not in boto docs. It's not in AWS docs. It's not on the internet.
I don't know where it came from in 755a3b84405283fc1c5f15959521fced078ad266
This doesn't cause an error, but also doesn't make sense.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp/client/associate_software_token.html returns a SecretCode (basically, the QR code).
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp/client/verify_software_token.html then requires EITHER an AccessToken (we don't have one) OR a Session (we have that) and then a UserCode (the six digits that change frequently) based on the SecretCode.
Presently, the frontend sends back the SecretCode (for no reason) and the backend then uses it as the AccessToken (no point).
We can first stop setting `AccessToken=` in the backend, and relax `SetupMFA.secret` to allow `None`. Then, later, we can stop sending the secret from the frontend. Finally, we can remove `secret` from `SetupMFA`. This should be tested in staging, just in case I missed something.