open-contracting / credere-backend

A tool that facilitates the participation of Micro, Small, and Medium businesses (MSMEs) in the Colombian public procurement market.
https://credere.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Tidy Cognito MFA implementation #390

Open jpmckinney opened 3 weeks ago

jpmckinney commented 3 weeks ago

This doesn't cause an error, but also doesn't make sense.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp/client/associate_software_token.html returns a SecretCode (basically, the QR code).

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp/client/verify_software_token.html then requires EITHER an AccessToken (we don't have one) OR a Session (we have that) and then a UserCode (the six digits that change frequently) based on the SecretCode.

Presently, the frontend sends back the SecretCode (for no reason) and the backend then uses it as the AccessToken (no point).

We can first stop setting AccessToken= in the backend, and relax SetupMFA.secret to allow None. Then, later, we can stop sending the secret from the frontend. Finally, we can remove secret from SetupMFA.

This should be tested in staging, just in case I missed something.
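The call sequence the comment above describes, written out as an added example (this is not code from credere-backend): AssociateSoftwareToken is called with the Session and returns the SecretCode, the user's authenticator derives a UserCode from that secret, and VerifySoftwareToken is then called with the Session and the UserCode, never with the SecretCode passed as AccessToken. The `FakeCognitoIdp` class, the session strings, and the base32 secret are constructed stand-ins so the exchange runs offline; the two method names and their `Session`, `AccessToken` and `UserCode` keyword arguments match boto3's real cognito-idp client. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, six digits), which is what Cognito's software token uses.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_base32, at=None, digits=6, step=30):
    """RFC 6238 TOTP over the base32 SecretCode that AssociateSoftwareToken
    returns. This is what the user's authenticator app computes from the QR
    code; it is included here only so the exchange can run end to end."""
    padded = secret_base32.upper() + "=" * (-len(secret_base32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class FakeCognitoIdp:
    """Constructed stand-in for boto3's cognito-idp client (assumption: not the
    real service). It accepts the same keyword arguments as the real calls and
    enforces the rule the issue relies on: VerifySoftwareToken needs either an
    AccessToken or a Session, plus a UserCode derived from the SecretCode."""

    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of RFC 6238's SHA-1 test key
    ISSUED_SESSION = "session-after-associate"     # made-up session value

    def __init__(self, now):
        self.now = now  # fixed clock so the check is deterministic

    def associate_software_token(self, *, Session=None, AccessToken=None):
        if Session is None and AccessToken is None:
            raise ValueError("InvalidParameterException: AccessToken or Session is required")
        return {"SecretCode": self.SECRET, "Session": self.ISSUED_SESSION}

    def verify_software_token(self, *, UserCode, Session=None, AccessToken=None,
                              FriendlyDeviceName=None):
        if Session is None and AccessToken is None:
            raise ValueError("InvalidParameterException: AccessToken or Session is required")
        if Session != self.ISSUED_SESSION:
            raise ValueError("NotAuthorizedException: invalid session")
        if UserCode != totp(self.SECRET, at=self.now):
            # The real client raises EnableSoftwareTokenMFAException ("Code mismatch").
            raise ValueError("EnableSoftwareTokenMFAException: code mismatch")
        return {"Status": "SUCCESS", "Session": "session-after-verify"}


def enroll_totp(client, session, get_user_code):
    """Backend side of software-token MFA setup for a user who is mid-login
    (has a Session, no AccessToken). `get_user_code(secret)` stands in for the
    frontend: it shows the secret as a QR code and returns the six digits the
    user types. Only the UserCode comes back; the secret is not sent back and
    is never passed as AccessToken."""
    assoc = client.associate_software_token(Session=session)
    secret = assoc["SecretCode"]
    session = assoc["Session"]
    user_code = get_user_code(secret)
    # What the issue describes as the current (pointless) call shape would be
    # verify_software_token(AccessToken=secret, Session=session, UserCode=...).
    verified = client.verify_software_token(Session=session, UserCode=user_code)
    return verified["Status"], verified["Session"]


if __name__ == "__main__":
    now = 59  # RFC 6238 test vector time; code for this secret is 287082
    client = FakeCognitoIdp(now=now)
    status, next_session = enroll_totp(
        client, "session-from-initiate-auth", lambda secret: totp(secret, at=now)
    )
    print(status, next_session)
```

With the real client, the Session returned by `verify_software_token` is what gets passed to `respond_to_auth_challenge` for the MFA_SETUP challenge to finish the login; the SecretCode itself has no further use on the backend once the user has scanned it.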

jpmckinney commented 3 weeks ago

Separately, we are the only code on GitHub to reference ExpiredTemporaryPasswordException. It's not in boto docs. It's not in AWS docs. It's not on the internet.

I don't know where it came from in 755a3b84405283fc1c5f15959521fced078ad266