First, I have seen:
- https://github.com/amazon-archives/amazon-cognito-identity-js/issues/228
AWS Cognito User Pool without a password: this solution seems overengineered, generating, storing and referencing user passwords in DynamoDB, or implementing SMS MFA manually
and definitely the fine examples by Buggy@Github over at: https://github.com/buggy/project-x-server/tree/master/shopify/src
However, all passwordless flows I've seen so far seem to also use custom auth, like captcha. I'm looking to use AWS's built-in SMS MFA, which has otherwise been working great for me.
Using:
- Amplify
- React (vanilla)
Things that work:
Login with phone number and password, with confirmation code, i.e. this:
const user = await Auth.signIn(this.state.phoneNumber, this.state.password);
...then...
const data = await Auth.confirmSignIn(this.state.user, this.state.confirmationCode, 'SMS_MFA');
Passwordless login without any MFA, using a PreAuthentication Lambda trigger (obviously not a viable solution):
event.response.issueTokens = true;
event.response.failAuthentication = false;
The Problem: When I try to log in to a user account sending just the username like this:
const user = await Auth.signIn(this.state.phoneNumber)
Amplify gives the (misspelled) error message:
null failed with error Generate callenges lambda cannot be called..
That is with no lambda triggers set for the user pool.
If I set a defineAuthChallenge trigger that includes the following:
event.response.issueTokens = true;
event.response.failAuthentication = false;
It, of course, just logs me in without MFA. But if I set issueTokens to false, the auth flow fails, and I get an error from Amplify on the next page load about a missing ID token.
If I set event.response.challengeName = 'SMS_MFA', the errors go away, but the SMS doesn't get sent, and I don't authenticate.
Is there a way to (a) actually set SMS MFA as my 'custom challenge' in a way that works? (b) better yet, not use any lambda triggers at all and get amplify & the user pool to go along without passwords?
As it stands, the only workarounds I can see:
- implement SMS MFA manually (no thanks)
- hard-code passwords for users on the client side for signup and signin