2
votes

I’m new to AWS Cognito and currently having 2 problems with it:

  1. making login with SMS MFA work.
  2. setting the SMS MFA flag to enabled/disabled.

I’m using Node.js and the Amazon Cognito Identity SDK for JavaScript [1][2].

My app login flow:

  1. User submits a mobile number (then is redirected to the TOTP verification form)
    1. At this time, the app hits my API endpoint
    2. which in turn invokes the function to send the TOTP if the number is registered
    3. User receives the TOTP code via SMS
  2. User inputs the TOTP code
    1. The app hits my API endpoint
    2. which then invokes the function to verify the TOTP
  3. If the TOTP is verified, my API returns the Cognito token to the app

I have managed to send the TOTP via SMS, but I can't find a way to verify the TOTP in order to get the Cognito token. The sample [3] shown on the GitHub page uses a prompt, so everything is contained within that function. However, I cannot do that in my case, since the 2 calls need to happen on 2 different screens. I've tried separating the sendMFACode() function, but instead of verifying the TOTP, it sends another SMS.

I'm hitting a wall, and I've found only limited docs/resources so far.

Reference:

  1. https://github.com/aws-amplify/amplify-js/tree/master/packages/amazon-cognito-identity-js
  2. https://github.com/amazon-archives/amazon-cognito-identity-js/blob/master/src/CognitoUser.js
  3. https://stackoverflow.com/a/51394500

My user pool setting is 'MFA optional' so I can accommodate the login-by-email method (it doesn’t send an SMS for login by email; I know that’s odd). So far, I've managed to set MFA to required in the code using the enableMFA() function. However, the GitHub page says that enableMFA() is now deprecated and that setUserMfaPreference() should be used instead. I tried that and got "SUCCESS", but when I open it in the AWS web console, it still states SMS MFA disabled. Is there something I'm missing here?

Here’s my code:

// VerificationCode is the code the user typed on the second screen;
// cognitoUser is the CognitoUser object created during the first call.
cognitoUser.sendMFACode(VerificationCode, {
  onSuccess: (result) => {
    console.log(result)
  },
  onFailure: (error) => {
    console.log(error)
  }
})

Debug result:

{
    "code": "InvalidParameterException",
    "Name": "InvalidParameterException",
    "Message": "Invalid Parameter Required Session"
}

Note: I received the invalid parameter exception even though I successfully received the SMS.

1 Answer

0
votes

I'm struggling with the MFA process myself at the moment, but for enabling/disabling MFA via the SDK I've found a way to get that to work with the following code.

const AWS = require("aws-sdk");
// Client setup is not in the original post; region comes from the environment.
const cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider({
  region: process.env.AWS_REGION
});

module.exports = {
  // Express handler: expects { access_token, enable } in the JSON body.
  setUserSettings: (req, res) => {
    const { access_token, enable } = req.body;
    /* ISOLATE START HERE */
    const params = {
      AccessToken: access_token,
      MFAOptions: [
        {
          AttributeName: "phone_number",
          // "SMS" turns SMS MFA on for this user; null leaves no delivery medium set
          DeliveryMedium: enable === "true" ? "SMS" : null
        }
      ]
    };

    cognitoIdentityServiceProvider.setUserSettings(params, (err, data) => {
      if (err) {
        console.log(err);
        res.status(400).json({ message: err.message });
      } else {
        console.log(data);
        res.status(200).json(data);
      }
    });
    /* ISOLATE END HERE */
  },
};

This is using Node and Express. You could isolate the main functionality and get it to work in whatever context you like; I've marked the place to cut the code for isolation. The documentation for this call is located here: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#setUserSettings-property.

I'll circle back if I get the MFA working appropriately.