Amplify-js: Cannot set MFA to `NOMFA` immediately after setting it to `SMS` or `TOTP`

Created on 30 Jan 2019 · 3 Comments · Source: aws-amplify/amplify-js

Describe the bug
If I try to set MFA type to NOMFA immediately after setting it to SMS or TOTP via Auth.setPreferredMFA, the preferred MFA method of the user doesn't change.

To Reproduce
Steps to reproduce the behavior:

  1. Sign in with a user who hasn't configured MFA
  2. Immediately set his MFA method to SMS or TOTP via Auth.setPreferredMFA(user, "SMS")
  3. Set his MFA method to NOMFA via Auth.setPreferredMFA(user, "NOMFA")
  4. MFA method is always set to SMS (or TOTP)

And I get the following error: No change for mfa type

Expected behavior
The MFA type should be set to NOMFA.

Desktop (please complete the following information):

  • OS: macOS Sierra
  • Browser: Chrome
  • Version: 71.0.3578.98

Notes

After some research and debugging, I noticed that the bug doesn't occur for a user that has already set his MFA method to SMS or TOTP (the bug also doesn't occur anymore after sign out/sign in).

I also noticed that Auth.getPreferredMFA always returns the same MFA method.

So I inspected the source code and noticed that Auth.getPreferredMFA and Auth.setPreferredMFA call the user.getUserData method, which tries to get user data (and the preferred MFA method) from the local storage!

https://github.com/aws-amplify/amplify-js/blob/38ea2fc1780135ea6041053be3f5ed8f84edbff8/packages/amazon-cognito-identity-js/src/CognitoUser.js#L1070

So:

  1. A user who hasn't configured MFA signs in
    -> No preferred MFA method is stored in the local storage
    -> Auth.getPreferredMFA returns NOMFA

  2. He sets his MFA method to SMS or TOTP
    -> MFA method is successfully updated but the local storage isn't updated
    -> Auth.getPreferredMFA returns NOMFA

  3. He immediately sets his MFA method to NOMFA
    -> Auth.setPreferredMFA(user, "SMS") tries to get the current preferred MFA method from the local storage but local storage is empty
    -> Auth.getPreferredMFA returns NOMFA

  4. MFA method is always set to SMS (or TOTP) and we get the error No change for mfa type.

A solution to avoid this behavior

We can use the option bypassCache of the user.getUserData method to bypass local storage.

If you're ok with this, I can make a PR 😄

Could be related to https://github.com/aws-amplify/amplify-js/issues/2519 😉

Auth bug
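
The stale-read sequence from the report above, as an added example that is not part of the original issue and not Amplify's code. It is a simplified model: `FakeUserPool`, `FakeClient` and `runScenario` are hypothetical names, and it assumes user data is cached once at sign-in.

```javascript
// Constructed model of the read-after-write problem; not Amplify source code.
class FakeUserPool {                       // stands in for the Cognito service
  constructor() { this.preferredMfa = 'NOMFA'; }
  getUser() { return { preferredMfa: this.preferredMfa }; }
  setMfa(method) { this.preferredMfa = method; }
}

class FakeClient {
  constructor(pool) {
    this.pool = pool;
    this.storage = new Map();              // stands in for browser local storage
  }
  // Serves the cached copy unless the caller asks to bypass it.
  getUserData({ bypassCache = false } = {}) {
    if (!bypassCache && this.storage.has('userData')) {
      return this.storage.get('userData');
    }
    const data = this.pool.getUser();
    this.storage.set('userData', data);
    return data;
  }
  getPreferredMFA(opts) { return this.getUserData(opts).preferredMfa; }
  // Refuses a request that matches what the client believes is current.
  setPreferredMFA(method, opts) {
    if (this.getPreferredMFA(opts) === method) {
      throw new Error('No change for mfa type');
    }
    this.pool.setMfa(method);              // the write never refreshes the cache
  }
}

// Sign in, enable SMS, then immediately try to go back to NOMFA.
function runScenario(bypassCache) {
  const pool = new FakeUserPool();
  const client = new FakeClient(pool);
  const opts = { bypassCache };
  client.getUserData();                    // assumed: user data is cached at sign-in
  client.setPreferredMFA('SMS', opts);
  let error = null;
  try { client.setPreferredMFA('NOMFA', opts); } catch (e) { error = e.message; }
  return { service: pool.preferredMfa, clientView: client.getPreferredMFA(opts), error };
}

console.log('cached  :', runScenario(false));
console.log('bypassed:', runScenario(true));
```

With the cache in play, the client's view of the MFA setting and the service's actual setting disagree, so any UI or check that trusts the cached value reports the wrong MFA state.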

All 3 comments

I'm facing a lot of broken behavior that gets fixed by the bypassCache option. Without that option, updating MFA with TOTP/SMS is broken, updating the email is broken, etc. By broken, I mean performing a read after write always returns the old value, not the new value. With { bypassCache: true }, I receive the new value.

Thank you for the detailed report @Gautierrr !

A PR is always welcome 😄

Hello, I am having the same issue with Auth.setPreferredMFA(user, 'SMS'). It says success when calling it, but in Cognito the user still has the MFA disabled, and Auth.currentAuthenticatedUser({ bypassCache: true }) is not helping. I see there's a PR to add bypassCache to setPreferredMFA, but is there any other workaround to make it work in the meantime?
