CUSTOM_AUTH error when using USER_SRP_AUTH

[rfakoya]

aws-amplify / auth with cognito user pool
I using a aws-amplify manual config (without using cli) and withAuthenticator HOC in a react web app for authentication. In my user pool app client settings, I have Enable SRP (secure remote password) protocol based authentication (ALLOW_USER_SRP_AUTH) checked.

However, when I attempt to sign in providing a username but not providing a password (leave password field blank) I get an error saying CUSTOM_AUTH is not enabled for the client instead of a password is required error.

I inspected the network request and noticed that the AuthFlow is CUSTOM_AUTH in spite of my config / settings.

In my index.tsx file, I have:

import Amplify from 'aws-amplify';

Amplify.configure({
  Auth: {
    region: 'XX-XXXX-X',
    userPoolId: 'XX-XXXX-X_XXXX',
    userPoolWebClientId: 'XXX',
    authenticationFlowType: 'USER_SRP_AUTH',
    mandatorySignIn: true
  }
});

I'm using aws-amplify version 2.2.4 and aws-amplify-react 3.1.5

[deekay00]

I have the same issue with the following version:
"aws-amplify": "^2.2.6",
"aws-amplify-react": "^3.1.7",

When the password is missing on the login page the error shows up.

[ObedAmpah]

Hello, I'm having the same issue after following this post on your docs:

https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:520945424137:applications~amazon-cognito-passwordless-email-auth

I can't sign in without a password.

[ObedAmpah]

To elaborate...

let cognitoUser: CognitoUser; // Track authentication flow state in this object

My signup:
` const signUp = async (e: NativeSyntheticEvent) => {
if (!text) { return null; }

    // console.log('e: ', e.target)

    const params = {
        username: text,
        password: currentPassword,
        attributes: {
            name: text,
        },
    }

    if (e.target) {
        return await Auth.signUp(params)
            // .then((data:any) => console.log('data: ', data))
            .catch((err:any) => console.log('error: ', err))
        // userNavigation();
    }
}`

My signIn:

` const signInCog = async (e: NativeSyntheticEvent) => {
if (!text) { return null; }

    // console.log('e: ', e.target)

    console.log('cognitoUser: ', cognitoUser)


    if (e.target) {

        console.log('e: ', text)
        
        cognitoUser = await Auth.signIn(text);
    }

}`

My returned error message from signIn (I am using the sample passwordless auth deployment listed in the link above):

"CreateAuthChallenge failed with error 2020-04-29T15:32:36.320Z 92a989ac-5f4e-45dd-9e0a-0717aa1ac8cb Task timed out after 3.00 seconds."

Event: "signIn_failure"

*Also, my cognitoUser comes back as defined (I am logging it to the console prior to the Auth.signIn request)

Any suggestions?

[Amplifiyer]

@rfakoya, @deekay00 this is currently expected behavior. Amplify library doesn't require the config property authenticationFlowType on AuthConfig and is set on CognitoUser when provided by the client. However amplify doesn't validate it or make validations based on it.

amplify-js/packages/auth/src/Auth.ts

Lines 1949 to 1955 in 9b05aee

	const { authenticationFlowType } = this._config;
	const user = new CognitoUser(userData);
	if (authenticationFlowType) {
	user.setAuthenticationFlowType(authenticationFlowType);
	}
	return user;

If the password field is empty, it's expected that the client wants a passwordless signin and so it follows the custom_auth flow

amplify-js/packages/auth/src/Auth.ts

Lines 453 to 457 in 9b05aee

	if (password) {
	return this.signInWithPassword(authDetails);
	} else {
	return this.signInWithoutPassword(authDetails);
	}

which then sets the authentication flow to be of Custom_Type

amplify-js/packages/auth/src/Auth.ts

Lines 578 to 583 in 9b05aee

	private signInWithoutPassword(
	authDetails: AuthenticationDetails
	): Promise<CognitoUser | any> {
	const user = this.createCognitoUser(authDetails.getUsername());
	user.setAuthenticationFlowType('CUSTOM_AUTH');

This validation is expected to happen in the client with appropriate error messages to the user.

[antoinebrault]

I get the same error message. How are we supposed to enforce a required password error message ?

This is the default behavior of the sign-in component: password field is marked as required*

[cbishop-fv]

Work around I am using:

import Amplify, { I18n } from 'aws-amplify';

const authLabels = {
  en: {
    'CUSTOM_AUTH is not enabled for the client.': 'Password cannot be empty.',
  },
};
I18n.setLanguage('en');
I18n.putVocabularies(authLabels);

[github-actions]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.