Description
Before opening, please confirm:
- I have searched for duplicate or closed issues and discussions.
- I have read the guide for submitting bug reports.
- I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
JavaScript Framework
React Native
Amplify APIs
Authentication
Amplify Version
v6
Amplify Categories
auth
Backend
None
Environment information
# Put output below this line
System:
OS: macOS 13.3.1
CPU: (8) arm64 Apple M1 Pro
Memory: 95.55 MB / 16.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 20.11.1 - ~/.volta/tools/image/node/20.11.1/bin/node
Yarn: 1.22.18 - ~/.volta/tools/image/yarn/1.22.18/bin/yarn
npm: 10.2.4 - ~/.volta/tools/image/node/20.11.1/bin/npm
bun: 0.6.3 - ~/.bun/bin/bun
Browsers:
Chrome: 126.0.6478.127
Safari: 16.4
npmPackages:
aws-amplify: ^6.3.8 => 6.3.8
aws-amplify/adapter-core: undefined ()
aws-amplify/analytics: undefined ()
aws-amplify/analytics/kinesis: undefined ()
aws-amplify/analytics/kinesis-firehose: undefined ()
aws-amplify/analytics/personalize: undefined ()
aws-amplify/analytics/pinpoint: undefined ()
aws-amplify/api: undefined ()
aws-amplify/api/server: undefined ()
aws-amplify/auth: undefined ()
aws-amplify/auth/cognito: undefined ()
aws-amplify/auth/cognito/server: undefined ()
aws-amplify/auth/enable-oauth-listener: undefined ()
aws-amplify/auth/server: undefined ()
aws-amplify/data: undefined ()
aws-amplify/data/server: undefined ()
aws-amplify/datastore: undefined ()
aws-amplify/in-app-messaging: undefined ()
aws-amplify/in-app-messaging/pinpoint: undefined ()
aws-amplify/push-notifications: undefined ()
aws-amplify/push-notifications/pinpoint: undefined ()
aws-amplify/storage: undefined ()
aws-amplify/storage/s3: undefined ()
aws-amplify/storage/s3/server: undefined ()
aws-amplify/storage/server: undefined ()
aws-amplify/utils: undefined ()
crypto-browserify: ^3.12.0 => 3.12.0
inquirer: ^9.2.10 => 9.2.22
npmGlobalPackages:
corepack: 0.23.0
npm: 10.2.4
Describe the bug
In signIn(), when MFA is enabled, Cognito sends a verification SMS to the phone number even if it is in the wrong format, with a leading zero after the country code.
Example:
Country code: +421 (Slovakia)
National phone number format: 09xx xxx xxx
International phone number format: +421 9xx xxx xxx - the leading zero is removed from national format
Sometimes, users enter the number with leading zeros as "+421 09xx xxx xxx".
Actual behaviour:
We sign up and sign in users by phone number in our React Native app. We use a static password for sign-up and sign-in, and the MFA verification SMS as a one-time password for sign-in.
The signup/signin flow is roughly as follows:
- When the user enters the phone number for the first time, we call signUp.
- We use a custom Lambda function in the "Pre sign-up Lambda trigger" that sets autoConfirmUser = true (so the SMS is not sent).
- After the sign-up, we directly call signIn, which sends the verification SMS.
- Then confirmSignIn is triggered with the verification code the user obtains in the SMS and enters into the input.
Even if the user enters the wrong number "+421 09xx xxx xxx", the SMS is sent to the correct number "+421 9xx xxx xxx", but the user is signed in with the number "+421 09xx xxx xxx".
This leads to a situation where the user is able to sign in to two different accounts (with and without the zero) with the same phone number. Obviously, it happens, and users are confused when they do not see their data (when accidentally signed in with the zero).
Expected behavior
Expected behaviour:
Cognito should not send a verification SMS to a wrongly formatted phone number; instead, it should throw an error in the signUp step when the user enters the number in the wrong format with a "leading" zero ("+421 09xx xxx xxx").
Reproduction steps
- Install the latest version of aws-amplify (6.3.8 at this time).
- Configure Cognito:
Amplify.configure({
  Auth: {
    Cognito: {
      region: AWS_REGION,
      userPoolId: AWS_USER_POOL_ID,
      userPoolClientId: AWS_USER_POOL_WEB_CLIENT_ID,
    },
  },
});
- Enter any string into the STATIC_PASS const.
- Enter the phone number in the correct format into the PHONE const (+421 9xx xxx xxx - any phone number in this format).
- Run await signUp({ username: PHONE, password: STATIC_PASS }).
- Run await signIn({ username: PHONE, password: STATIC_PASS }).
- You should get the SMS with the verification code.
- Run await confirmSignIn({ challengeResponse: CODE }); where CODE is the verification code you received in the SMS.
- Run await getCurrentUser() and you should get your user info.
Repeat this with the same phone number but in the incorrect format with a zero after the country code (+421 09xx xxx xxx).
You should obtain the SMS on the same phone number, but get completely different user info.
In the code snippet, we use the inquirer library to prompt the user to enter the verification code into the console.
This happens in our React Native app but also in the minimal reproduction example provided here.
Code Snippet
import inquirer from "inquirer";
import { Amplify } from "aws-amplify";
import { confirmSignIn, getCurrentUser, signIn, signUp } from "aws-amplify/auth";
import { AWS_REGION, AWS_USER_POOL_ID, AWS_USER_POOL_WEB_CLIENT_ID, STATIC_PASS } from "./constants.mjs";
const PHONE = "+421"; // Enter the phone number here
Amplify.configure({
  Auth: {
    Cognito: {
      region: AWS_REGION,
      userPoolId: AWS_USER_POOL_ID,
      userPoolClientId: AWS_USER_POOL_WEB_CLIENT_ID,
    },
  },
});
// inquirer prompt used to read the SMS verification code from the console
const QUESTIONS = [
  {
    type: "input",
    name: "code",
    message: "What's your authentication code?",
  },
];
try {
  // Sign up with the phone number as username; the Pre sign-up trigger auto-confirms the user
  const signUpOutput = await signUp({
    username: PHONE,
    password: STATIC_PASS,
  });
  console.log("User registered", signUpOutput);
  // Sign in with the static password; Cognito sends the MFA SMS
  await signIn({
    username: PHONE,
    password: STATIC_PASS,
  });
  const { code } = await inquirer.prompt(QUESTIONS);
  // Complete the SMS MFA challenge with the code from the SMS
  await confirmSignIn({ challengeResponse: code });
  console.log("Current user", await getCurrentUser());
} catch (error) {
  console.log(error);
}
package.json:
{
"name": "amplify-example",
"version": "1.0.0",
"main": "index.js",
"license": "MIT",
"dependencies": {
"aws-amplify": "^6.3.8",
"inquirer": "^9.2.10"
}
}
Our custom "Pre sign-up Lambda trigger":
export const handler = async (event) => {
event.response.autoConfirmUser = true;
return event;
};
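A hardened version of the Pre sign-up trigger, as an added example that is not the reporter's code and not an Amplify or Cognito API: it rejects any phone number that is not strict E.164 or that still carries the national trunk prefix after the country code, so signUp fails for "+421 09xx xxx xxx" instead of creating a second account keyed on the unnormalized string. The check belongs in the trigger rather than only in the app, because the client is attacker-controlled and the Cognito username is whatever string the client sends. The country list, the helper names, and reading the number from event.request.userAttributes.phone_number (with a fallback to event.userName) are assumptions made for this example.

```javascript
// Added example (not the reporter's code or an Amplify/Cognito API): a Pre sign-up
// trigger that rejects phone numbers that are not strict E.164, or that carry a
// national trunk prefix after the country code (e.g. "+421 09xx xxx xxx").
// Doing this in the trigger rather than in the app matters: the client is
// attacker-controlled, and the Cognito username is the string the client sends.

// Countries this hypothetical app serves, with the trunk prefix that national
// dialling uses and international format drops. Constructed list: extend it for
// the markets you serve. It must stay per-country, because some countries
// (Italy, for example) keep the leading 0 in international format.
const TRUNK_PREFIX_BY_COUNTRY_CODE = {
  "421": "0", // Slovakia: 09xx xxx xxx -> +421 9xx xxx xxx
  "44": "0",  // United Kingdom
  "49": "0",  // Germany
  "33": "0",  // France
};

// Strict E.164: '+', a non-zero first digit, at most 15 digits in total.
const E164 = /^\+[1-9]\d{1,14}$/;

// Returns { ok, value, countryCode?, reason? }. `value` is the number with the
// whitespace and punctuation users commonly type removed, so callers can store
// a canonical form.
function validatePhoneNumber(raw) {
  const compact = String(raw ?? "").replace(/[\s().-]/g, "");
  if (!E164.test(compact)) {
    return { ok: false, value: compact, reason: "not in E.164 format" };
  }
  const digits = compact.slice(1);
  // Country codes are 1 to 3 digits; try the longest match first.
  for (const len of [3, 2, 1]) {
    const countryCode = digits.slice(0, len);
    const trunk = TRUNK_PREFIX_BY_COUNTRY_CODE[countryCode];
    if (trunk === undefined) continue;
    const national = digits.slice(len);
    if (national.startsWith(trunk)) {
      return {
        ok: false,
        value: compact,
        countryCode,
        reason: `national trunk prefix "${trunk}" after country code +${countryCode}`,
      };
    }
    return { ok: true, value: compact, countryCode };
  }
  return { ok: false, value: compact, reason: "country code not supported" };
}

// Synchronous core of the trigger, kept separate so it is easy to test.
// Assumes the pool signs users up by phone, so the number arrives as the
// phone_number attribute (falls back to userName for pools that use the
// phone as the literal username).
function applyPreSignUp(event) {
  const phone = event.request?.userAttributes?.phone_number ?? event.userName;
  const result = validatePhoneNumber(phone);
  if (!result.ok) {
    // An error thrown from a Pre sign-up trigger makes Cognito reject the
    // SignUp call, so no user (and no second account) is created.
    throw new Error(`Rejected phone number "${result.value}": ${result.reason}`);
  }
  event.response.autoConfirmUser = true;
  return event;
}

const handler = async (event) => applyPreSignUp(event);

// Export for both CommonJS and ESM loaders (Lambda looks up `handler`).
if (typeof module !== "undefined") {
  module.exports = { handler, applyPreSignUp, validatePhoneNumber };
}
```

With this trigger in place, the app should also normalize what the user types (strip spaces and, for the selected country, a trunk zero) before calling signUp, so legitimate users get a helpful error in the input rather than a rejected request; the server-side check is what actually prevents the duplicate account.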
Log output
// Put your logs below this line
aws-exports.js
No response
Manual configuration
Amplify.configure({
Auth: {
Cognito: {
region: AWS_REGION,
userPoolId: AWS_USER_POOL_ID,
userPoolClientId: AWS_USER_POOL_WEB_CLIENT_ID,
},
},
});
export const AWS_REGION = "eu-central-1";
export const AWS_USER_POOL_ID = "eu-central-1_pXpE6zBM0";
export const AWS_USER_POOL_WEB_CLIENT_ID = "2f8othmrjillbteieffsknuh1e";
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response