Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate user password in respond_to_auth_challenge when the challenge name is PASSWORD_VERIFIER #7562

Open
serozhenka opened this issue Apr 4, 2024 · 6 comments

Comments

@serozhenka
Copy link
Contributor

In Cognito's respond_to_auth_challenge method I can see that the only things that are validated are the challenge_name and the challenge_responses payload. The content of challenge_responses is not used to validate the user's password, hence no UnauthorizedException is raised when logging in with an invalid password. Wish to have support for that soon.

Moto version: 5.0.4

@bblommers
Copy link
Collaborator

Hi @serozhenka!

From the docs: the challenge_responses needs four parts:

"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]"
"PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]"
"TIMESTAMP": [timestamp]
"USERNAME": "[username]"

As an enhancement, we can verify whether all four values exist, and we can easily verify that username and secret_block have the correct value.

I haven't found any official AWS documentation on how to calculate the signature though. There are various open source implementations (like pycognito for Python), but without any official documentation, I'm hesitant to add any other checks on these values, without having 100% certainty that there is only one possible value/calculation.

@serozhenka
Copy link
Contributor Author

@bblommers gotcha, I will have a look in my spare time and let you know if I find anything.

@serozhenka
Copy link
Contributor Author

@bblommers I haven't found any official docs either, but there is an amplify-js repository maintained officially by AWS. And there is the code that does signature generation right here. It should be fairly easy to reverse-engineer what they are doing there and transfer it into Python (which was probably the way all the SRP auth implementations took). Just to note, I have a Python version of that which we have been using in production for over half a year now and it works smoothly.

If you give the green light, I can try to prepare a draft PR for that in my spare time by carefully reverse-engineering what AWS does in the amplify-js repo.

@bblommers
Copy link
Collaborator

@serozhenka I don't want to break this for users who use a different signature that happens to be supported as well. So if you want to add the basic checks, that would be very welcome - but I don't want to go any further.

As an enhancement, we can verify whether all four values exist, and we can easily verify that username and secret_block have the correct value.

@serozhenka
Copy link
Contributor Author

serozhenka commented Apr 20, 2024

@bblommers I respect your choice, but at the same time I see a discrepancy between Moto and AWS (that can be objectively treated as a bug), which was the initial reason I opened this issue. This mismatch doesn't allow us (and in general Moto users) to make tests for failures in the authentication service when the user passes an incorrect password or just our signature generation logic is broken, hence we just commented it out :.

I don't want to break this for users who use a different signature

This can still be released in the next major version where the breaking changes are allowed, but the final call is yours.

@minh-le-q
Copy link

Hi,

I just came across this thread while looking into the same issue. And I think verifying the password would be a nice feature to add.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants