Validate user password in respond_to_auth_challenge when the challenge name is PASSWORD_VERIFIER
#7562
Comments
Hi @serozhenka! From the docs: the
As an enhancement, we can verify whether all four values exist, and we can easily verify that I haven't found any official AWS documentation on how to calculate the signature though. There are various open source implementations (like
@bblommers gotcha, I will have a look in my spare time and let you know if I find anything.
@bblommers I haven't found any official docs either, but there is an amplify-js repository maintained officially by AWS. And there is the code that does signature generation right here. It should be fairly easy to reverse-engineer what they are doing there and transfer it into Python (which was probably the way all the SRP auth implementations took). Just to note, I have a Python version of that which we have been using in production for over half a year now and it works smoothly. If you give the green light, I can try to prepare a draft PR for that in my spare time by carefully reverse-engineering what AWS does in the amplify-js repo.
@serozhenka I don't want to break this for users who use a different signature that happens to be supported as well. So if you want to add the basic checks, that would be very welcome - but I don't want to go any further.
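An added Python example (not moto's code, nor the amplify-js code referenced above) of what the "basic checks" discussed here plus the final signature comparison for a PASSWORD_VERIFIER response could look like. It assumes the HMAC key has already been derived from the SRP exchange (that derivation is out of scope, so the key is a hypothetical input) and that the MACed message is the pool name, username, raw secret block and timestamp in that order, as in the amplify-js construction; error messages only stand in for the service's exception names.

```python
import base64
import binascii
import hashlib
import hmac
from datetime import datetime, timezone

# The four challenge_responses values Cognito expects for PASSWORD_VERIFIER.
REQUIRED_KEYS = ("USERNAME", "PASSWORD_CLAIM_SECRET_BLOCK", "PASSWORD_CLAIM_SIGNATURE", "TIMESTAMP")


class ChallengeError(Exception):
    """Stands in for the error the service would return for the challenge."""


def check_required_fields(responses: dict) -> None:
    # The basic checks from the thread: every value must be present and non-empty.
    missing = [k for k in REQUIRED_KEYS if not responses.get(k)]
    if missing:
        raise ChallengeError("InvalidParameterException: missing " + ", ".join(missing))


def parse_timestamp(ts: str) -> datetime:
    # Clients send the timestamp as e.g. "Tue Apr 2 10:05:11 UTC 2024".
    try:
        return datetime.strptime(ts, "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise ChallengeError("InvalidParameterException: malformed TIMESTAMP") from exc


def expected_signature(key: bytes, pool_name: str, username: str,
                       secret_block_b64: str, timestamp: str) -> str:
    # Assumed message layout: pool name + username + raw secret block + timestamp,
    # MACed with HMAC-SHA256 under the (hypothetical, pre-derived) session key.
    try:
        secret_block = base64.b64decode(secret_block_b64, validate=True)
    except binascii.Error as exc:
        raise ChallengeError("InvalidParameterException: malformed secret block") from exc
    msg = pool_name.encode() + username.encode() + secret_block + timestamp.encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def verify_password_claim(key: bytes, pool_name: str, responses: dict) -> bool:
    """Raise ChallengeError on a bad response; return True when the claim verifies."""
    check_required_fields(responses)
    parse_timestamp(responses["TIMESTAMP"])
    expected = expected_signature(key, pool_name, responses["USERNAME"],
                                  responses["PASSWORD_CLAIM_SECRET_BLOCK"],
                                  responses["TIMESTAMP"])
    # Constant-time comparison: a wrong signature is rejected without a timing leak.
    if not hmac.compare_digest(expected, responses["PASSWORD_CLAIM_SIGNATURE"]):
        raise ChallengeError("NotAuthorizedException: Incorrect username or password.")
    return True
```

With this in place a test can feed a deliberately wrong PASSWORD_CLAIM_SIGNATURE and assert on the NotAuthorized path, which is the case the thread says cannot currently be exercised.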
@bblommers I respect your choice, but at the same time I see a discrepancy between Moto and AWS (that can be objectively treated as a bug), which was the initial reason I opened this issue. This mismatch doesn't allow us (and in general Moto users) to make tests for failures in the authentication service when the user passes an incorrect password or just our signature generation logic is broken, hence we just commented it out :.
This can still be released in the next major version where the breaking changes are allowed, but the final call is yours.
Hi, I just came across this thread while looking into the same issue. And I think verifying the password would be a nice feature to add.
In Cognito's respond_to_auth_challenge method I can see that the only things that are validated are the challenge_name and the challenge_responses payload. The content of challenge_responses is not used to validate the user's password, hence no UnauthorizedException is raised when logging in with an invalid password. Wish to have support for that soon.
Moto version: 5.0.4