amplify-js: Invalid challenge code of sendCustomChallengeAnswer results in session no longer valid

Describe the bug

I’m using the custom auth flow to login a user. This works perfectly with sign-in and then a successful sendCustomChallengeAnswer. When the user enters an invalid challenge code, amplify provides me with the right feedback: “Incorrect username or password”.

However, when I enter the right challenge code on the second attempt, amplify won’t accept it anymore and comes back with an “Invalid session for the user.” message. The same applies when entering an invalid code twice.

Expected behavior

I was expecting to use the sendCustomChallengeAnswer function again for the second and third attempt without leading to an “Invalid session for the user.” message.

Code Snippet

try {
  const challenge = await this.amplifyService.auth().sendCustomChallengeAnswer(cognitoUser, challengeResponse);
  console.log(challenge);
  return challenge;
} catch (err) {
  console.log('Apparently the user did not enter the right code');
  return throwError(err);
}

I’m developing in Angular 9 and using the latest amplify-js libraries. I just quickly want to double check if I’m using the standard sendCustomChallengeAnswer function correctly or not. I haven’t read anywhere that I need to do something with the session before I send a second attempt.

I hope you guys have an answer. Otherwise a workaround is to send the user another fresh code for every attempt. 😃

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 6
  • Comments: 19 (9 by maintainers)

Most upvoted comments

I’m running into the same issue, except with React.JS. The first time a user enters a wrong challenge code the error is as it should be: “Incorrect username or password.” Then, submitting either a correct or an incorrect challenge code gives the error “Invalid session for the user”.

@adamlbailey sharing what I have found so far. I use Postman to send out the request and check the CloudWatch log of the “VerifyAuthChallenge” lambda, and notice that the retry on RespondToAuthChallenge triggers that lambda without input from the ChallengeResponses parameter.

I need to check more on the Cognito/Lambda side, will keep you updated. (screenshot omitted)

I was facing the issue but it appeared to be an issue with my code. If a user enters the incorrect code, they need to be sent a new one.

Here is the code for the defineAuthChallenge trigger that solved my issue:

exports.handler = (event, context, callback) => {
  console.log('event', JSON.stringify(event));
  if (event.request.session.length === 0) {
    // new request to log in
    event.response.issueTokens = false;
    event.response.failAuthentication = false;
    event.response.challengeName = 'CUSTOM_CHALLENGE';
  } else if (
    event.request.session.length >= 3 &&
    event.request.session[ event.request.session.length - 1 ].challengeResult === false) {
    // user has incorrectly entered OTP 3 times
    event.response.issueTokens = false;
    event.response.failAuthentication = true;
  } else if (
    event.request.session.length >= 1 &&
    event.request.session[ event.request.session.length - 1 ].challengeName === 'CUSTOM_CHALLENGE' &&
    event.request.session[ event.request.session.length - 1 ].challengeResult === true
  ) {
    // user correctly entered OTP
    event.response.issueTokens = true;
    event.response.failAuthentication = false;
  } else {
    // user incorrectly entered OTP - resend code
    event.response.issueTokens = false;
    event.response.failAuthentication = false;
    event.response.challengeName = 'CUSTOM_CHALLENGE';
  }

  console.log('Finalised event:', JSON.stringify(event));
  callback(null, event);
};
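Added example, not amplify-js code or code from this issue: a local JavaScript simulation of the Cognito custom-auth session loop, showing why a DefineAuthChallenge trigger that fails authentication on the first wrong answer leads to “Invalid session for the user.” on the retry, while the retry-aware trigger in the comment above keeps the session open for up to three attempts (the three-attempt limit and the sample codes are assumed).

```javascript
// Added example (not amplify-js or the commenter's code). Models Cognito's
// custom-auth loop: every RespondToAuthChallenge appends a VerifyAuthChallenge
// result to event.request.session, then DefineAuthChallenge decides again.
const MAX_ATTEMPTS = 3; // assumed lockout threshold (same as the trigger above)

// Retry-aware policy: the same decisions as the defineAuthChallenge handler above.
function defineChallengeWithRetries(session) {
  const last = session[session.length - 1];
  if (!last) return { issueTokens: false, failAuthentication: false, challengeName: 'CUSTOM_CHALLENGE' };
  if (session.length >= MAX_ATTEMPTS && last.challengeResult === false) return { issueTokens: false, failAuthentication: true };
  if (last.challengeResult === true) return { issueTokens: true, failAuthentication: false };
  return { issueTokens: false, failAuthentication: false, challengeName: 'CUSTOM_CHALLENGE' };
}

// Naive policy: any wrong answer fails authentication, which terminates the session.
function defineChallengeNoRetry(session) {
  const last = session[session.length - 1];
  if (!last) return { issueTokens: false, failAuthentication: false, challengeName: 'CUSTOM_CHALLENGE' };
  if (last.challengeResult === true) return { issueTokens: true, failAuthentication: false };
  return { issueTokens: false, failAuthentication: true };
}

// Drives the loop: `secret` is the code the user should enter, `answers` the
// sequence the client submits. The client keeps calling sendCustomChallengeAnswer
// with whatever Session it last received, even after Cognito has closed it.
function simulateCustomAuth(definePolicy, secret, answers) {
  const session = [], trace = [];
  let sessionOpen = Boolean(definePolicy(session).challengeName);
  for (const answer of answers) {
    if (!sessionOpen) {
      trace.push('Invalid session for the user.'); // stale Session token rejected
      return { outcome: 'INVALID_SESSION', trace };
    }
    session.push({ challengeName: 'CUSTOM_CHALLENGE', challengeResult: answer === secret });
    const decision = definePolicy(session);
    if (decision.issueTokens) {
      trace.push('tokens issued');
      return { outcome: 'TOKENS', trace };
    }
    if (decision.failAuthentication) {
      trace.push('Incorrect username or password.'); // NotAuthorizedException; session ends
      sessionOpen = false;
    } else {
      trace.push('challenge reissued'); // fresh code and fresh Session; client must use it
    }
  }
  return { outcome: sessionOpen ? 'PENDING' : 'FAILED', trace };
}
```

With the naive policy the first wrong code yields “Incorrect username or password.” and the second attempt “Invalid session for the user.”, exactly the sequence reported above; with the retry-aware policy a correct code on the second or third attempt still issues tokens.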