Amplify-js: SMS Verification Resend

Created on 11 Sep 2018 · 11 Comments · Source: aws-amplify/amplify-js

Describe the bug

Resending the verification code for a user during MFA using SMS seems to be broken.

As for some context, we're currently using this Amplify function:
https://github.com/aws-amplify/amplify-js/blob/master/packages/auth/src/Auth.ts#L269

To Reproduce

Say we have the flow of:
1: User signs up with an email/password, they confirm they own the email and log in
2: Once logged in, User requests to set up MFA via SMS
3: User types in phone number which is saved against Cognito under 'phone_number'
4: We dispatch a text message to check ownership of the phone as 'phone_number_verified' is false
5: User enters the code, changing 'phone_number_verified' to true if correct.
6: Every time the user logs in, they are prompted for verification over SMS

If the user however closes the session AT step 5, they need to be able to request resending of the code (as it may expire or never got to them). At this stage, we have a 'phone_number' field populated and a 'phone_number_verified' field which is false (as they never received the code).

However, on this stage where 'phone_number_verified' is false with a populated 'phone_number', we receive from the 'resendSignUp' function:
{"__type":"InvalidParameterException","message":"User is already confirmed."}

Expected behavior
We should receive a text message again once clicking 'resend' if either 'email_verified' or 'phone_number_verified' is false. If 'email_verified' is false, send an email... if 'phone_number_verified' is false, send an SMS

Cognito pending-close-response-required

All 11 comments

@CHR15- Thanks for reporting. We will talk to Cognito team about this issue.

@CHR15- by the way, maybe you can try verifyUserAttribute: https://github.com/aws-amplify/amplify-js/blob/master/packages/auth/src/Auth.ts#L1030 and verifyUserAttributeSubmit: https://github.com/aws-amplify/amplify-js/blob/master/packages/auth/src/Auth.ts#L1052 to verify the phone number.

@powerful23 thanks for the swift reply, much appreciated as always.

So the order of functions we run is:

1) updateUserAttribute('phone_number')
2) verifyCurrentUserAttributeSubmit(PHONE_NUMBER_KEY, codeFromSMS)
3) getCurrentAuthenticatedUser()
4) setPreferredMFA(user, SMS)

I guess I'm saying something more explicit in between steps 1-2 would be beneficial. It's not quite clear how to dispatch the first event again if it didn't come through. I've attempted to rerun updateUserAttribute('phone_number') again but the API just seems to confirm the change with no text. I'll give verifyUserAttribute another go in the meantime.

@CHR15- the flow should be like:

  1. The user has the attribute updated: 'phone_number'. At that time the 'phone_number' is not verified.
  2. The user wants to verify the phone_number, at that time, call

    // Ask Cognito to send a verification code for the attribute
    Auth.verifyCurrentUserAttribute('phone_number')
      .then(() => {
        console.log('a verification code is sent');
      })
      .catch(e => {
        console.log('failed with error', e);
      });

  3. The user inputs the verification code, call

    // Submit the code the user received by SMS
    Auth.verifyCurrentUserAttributeSubmit('phone_number', 'the_verification_code')
      .then(() => {
        console.log('phone_number verified');
      })
      .catch(e => {
        console.log('failed with error', e);
      });

  4. Now you can get the current authenticated user and set mfa to sms
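
The verify-then-enable flow from the comment above, as an added example that is not part of the original thread or of amplify-js. The helper names, return strings and `makeStubAuth` are hypothetical; `Auth` is passed in as a parameter so the logic runs offline against the constructed stub, and in an app it would be Amplify's `Auth`.

```javascript
// Added example, not amplify-js code. In an app, `Auth` would come from
// `import { Auth } from 'aws-amplify'`; here it is injected for offline runs.
const PHONE = 'phone_number';

// Verified flags may arrive as booleans or as the strings 'true'/'false'.
const isTrue = v => v === true || v === 'true';

// (Re)send the SMS code for an unverified phone_number. resendSignUp is the
// wrong call at this stage: the account itself is already confirmed.
async function resendPhoneCode(Auth) {
  const user = await Auth.currentAuthenticatedUser({ bypassCache: true });
  const attrs = user.attributes || {};
  if (!attrs[PHONE]) return 'no-phone-number';
  if (isTrue(attrs.phone_number_verified)) return 'already-verified';
  await Auth.verifyCurrentUserAttribute(PHONE); // a verification code is sent
  return 'code-sent';
}

// Submit the code, then enable SMS MFA only once the refreshed attributes
// report the phone number as verified.
async function confirmPhoneAndEnableSmsMfa(Auth, code) {
  await Auth.verifyCurrentUserAttributeSubmit(PHONE, code);
  const user = await Auth.currentAuthenticatedUser({ bypassCache: true });
  if (!isTrue((user.attributes || {}).phone_number_verified)) {
    throw new Error('phone_number still unverified; not enabling SMS MFA');
  }
  await Auth.setPreferredMFA(user, 'SMS');
  return 'sms-mfa-enabled';
}

// Constructed stand-in for Auth (hypothetical): accepts one fixed code and
// records which calls were made.
function makeStubAuth(attributes, validCode) {
  const calls = [];
  return {
    calls,
    currentAuthenticatedUser: async () => ({ attributes }),
    verifyCurrentUserAttribute: async a => { calls.push(`send:${a}`); },
    verifyCurrentUserAttributeSubmit: async (a, c) => {
      if (c !== validCode) throw new Error('CodeMismatchException');
      attributes.phone_number_verified = true;
    },
    setPreferredMFA: async (u, m) => { calls.push(`mfa:${m}`); },
  };
}
```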

This is for verifying the phone number, but what about resending the MFA after the phone has already been a verified attribute (say, user is on a new device)? I cannot find anything.

@mrowles you mean resending the code when signing in?

@powerful23 Yeah, when authorizing a new device and, for whatever reason, the user wants to manually resend themselves a code:

1) user signs in
2) new device, user is sent SMS and needs to confirm challenge
3) for whatever reason, let's say user didn't receive initial SMS, they want to be able to resend it to themselves
4) user uses second code and successfully completes MFA challenge, effectively registering a new device

The old library had a hook for this, can't see how we do it in Amplify though?

@powerful23 So....should I open a new request for this or?

@mrowles yeah pls, I think that would be a feature request.

Is this issue safe to close? It seems the original question was answered.

@CHR15-

Closing this issue due to inactivity. Please open new issue if needed.
