
First, I have seen:

and definitely the fine examples by Buggy@Github over at:
https://github.com/buggy/project-x-server/tree/master/shopify/src

However, all passwordless flows I’ve seen so far seem to also use custom auth, like captcha. I’m looking to use AWS’s built-in SMS MFA, which has otherwise been working great for me.

Using:

  • Amplify
  • React (vanilla)

Things that work:

  • Login with phone number and password, with confirmation code, i.e. this:

    import { Auth } from 'aws-amplify';
    // Step 1: username + password start the flow; Cognito replies with an SMS_MFA challenge
    const user = await Auth.signIn(this.state.phoneNumber, this.state.password)
    ...then...
    // Step 2: answer the challenge with the code that arrived by SMS
    const data = await Auth.confirmSignIn(this.state.user, this.state.confirmationCode, 'SMS_MFA');
    
  • Passwordless login without any MFA, using a Preauthentication Lambda trigger (obviously not a viable solution):

    // Tell Cognito to issue tokens without presenting any challenge at all
    event.response.issueTokens = true;
    event.response.failAuthentication = false;
    

The Problem:
When I try to log in to a user account sending just the username like this:

const user = await Auth.signIn(this.state.phoneNumber)

Amplify gives the (misspelled) error message:

null failed with error Generate callenges lambda cannot be called..

That is with no lambda triggers set for the user pool.

If I set a defineAuthChallenge trigger that includes the following:

// Issue tokens immediately, so no challenge is ever presented
event.response.issueTokens = true;
event.response.failAuthentication = false;

It, of course, just logs me in without MFA. But if I set issueTokens to false, the auth flow fails, and I get an error from Amplify on the next page load about a missing ID Token.

If I set event.response.challengeName = 'SMS_MFA', the errors go away, but the SMS doesn’t get sent, and I don’t authenticate.

Is there a way to
(a) actually set SMS MFA as my ‘custom challenge’ in a way that works?
(b) better yet, not use any lambda triggers at all and get amplify & the user pool to go along without passwords?

As it stands, the only workarounds I can see:

  • implement SMS MFA manually (no thanks)
  • hard-code passwords for users on the client side for signup and signin

2 Answers


  1. I’ve implemented passwordless Cognito by:

    1. Setting refresh token expiration to a really long time
    2. When user signs up, generate a throwaway password and use the regular Cognito signUp API to create the user
    3. Never store or show the user the throwaway password – rely on Cognito session refresh to keep user “logged in”
    4. If refresh token expires or something else goes wrong, abuse the Cognito reset password flow by sending the user a verification code and generating another throwaway password.

    This has worked for us, but it is kind of hacky. However, it doesn’t rely on any custom triggers and uses the regular Cognito client APIs. Have not tried it with MFA though.

  2. Might be useful:
    Password-free SMS Authentication with AWS Cognito, Lambda Node.js & iOS Swift

    It suggests using SNS directly instead of via Cognito’s MFA.
