时间戳

首页 > 解决方案 > 用户登录时,登录会引发“用户名或密码不正确”错误

amazon-web-services - 用户登录时,登录会引发“用户名或密码不正确”错误

问题描述

我创建了一个 Cognito 用户池,用户可以在其中注册但不能再登录。我尝试了许多不同的配置,例如禁用 MFA、关闭我看到的可能导致此问题的设备的记忆,但无济于事。

最奇怪的是,这在本地运行良好(localhost:5000)。我可以创建帐户并登录没有任何戏剧性,但是当我尝试登录我的网站https://example.com(托管在 S3 上)时,它会引发上述错误。如果我注册,用户实际上似乎也是在 Cognito 中创建的 - 这样就可以了,但是登录只能在本地工作。

我对每个设置、环境变量、重新创建用户池等进行了两次、三次检查。

错误

这是我尝试登录时抛出的模棱两可的错误:

{
  __type: "NotAuthorizedException", 
  message: "Incorrect username or password."
}

注册前触发的 lambda

在用户通过 lambda 注册之前,我正在确认用户:

import {INTERNAL_SERVER_ERROR} from 'http-status-codes';

export async function validateHumanViaSns(
    event: CognitoUserPoolTriggerEvent,
    context: Context,
    callback: Callback
): Promise<CognitoUserPoolTriggerHandler> {
    try {
        event.response.autoConfirmUser = true;

        callback(null, event);

        return;
    } catch (error) {
        console.error(error);
        callback(null, new Response(INTERNAL_SERVER_ERROR, {message: 'Something went wrong'}));

        return;
    }
}

包.json

我的客户正在使用最新的amplify-js库。

dependencies: {
  "amplify": "1.1.19" // broken since 1.1.18
}

CloudFormation Cognito 模板

UserPool:
  Type: 'AWS::Cognito::UserPool'
  Properties:
    UserPoolName: myapp-${self:provider.stage}-user-pool
    SmsVerificationMessage: 'Your verification code is {####}.'
    AutoVerifiedAttributes:
      - email
    MfaConfiguration: 'OFF'
    EmailVerificationSubject: 'Your MyApp verification code'
    EmailVerificationMessage: 'Your MyApp verification code is {####}.'
    SmsAuthenticationMessage: 'Your MyApp authentication code is {####}.'
    Schema:
      - Name: name
        AttributeDataType: String
        Mutable: true
        Required: false
      - Name: email
        AttributeDataType: String
        Mutable: false
        Required: false
      - Name: phone_number
        AttributeDataType: String
        Mutable: true
        Required: false
    Policies:
      PasswordPolicy:
        RequireLowercase: true
        RequireSymbols: false
        RequireNumbers: true
        MinimumLength: 8
        RequireUppercase: true
    AdminCreateUserConfig:
      InviteMessageTemplate:
        EmailMessage: 'Your MyApp username is {username} and temporary password is {####}.'
        EmailSubject: 'Your temporary MyApp password'
        SMSMessage: 'Your MyApp username is {username} and temporary password is {####}.'
      UnusedAccountValidityDays: 7
      AllowAdminCreateUserOnly: false

# Creates a User Pool Client to be used by the identity pool
UserPoolClient:
  Type: 'AWS::Cognito::UserPoolClient'
  Properties:
    ClientName: myapp-${self:provider.stage}-web-client
    GenerateSecret: false
    UserPoolId:
      Ref: UserPool

# Creates a federeated Identity pool
IdentityPool:
  Type: 'AWS::Cognito::IdentityPool'
  Properties:
    IdentityPoolName: MyApp{self:provider.stage}Identity
    AllowUnauthenticatedIdentities: true
    CognitoIdentityProviders:
      - ClientId:
          Ref: UserPoolClient
        ProviderName:
          'Fn::GetAtt': [ UserPool, ProviderName ]

# Create a role for unauthorized access to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
CognitoUnAuthorizedRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: 'Allow'
          Principal:
            Federated: 'cognito-identity.amazonaws.com '
          Action:
            - 'sts:AssumeRoleWithWebIdentity'
          Condition:
            StringEquals:
              'cognito-identity.amazonaws.com :aud':
                Ref: IdentityPool
            'ForAnyValue:StringLike':
              'cognito-identity.amazonaws.com :amr': unauthenticated
    Policies:
      - PolicyName: 'CognitoUnauthorizedPolicy'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Action:
                - 'mobileanalytics:PutEvents'
                - 'cognito-sync:*'
              Resource: '*'

# Create a role for authorized access to AWS resources. Control what your user can access. This example only allows Lambda invokation
# Only allows users in the previously created Identity Pool
CognitoAuthorizedRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: 'Allow'
          Principal:
            Federated: 'cognito-identity.amazonaws.com '
          Action:
            - 'sts:AssumeRoleWithWebIdentity'
          Condition:
            StringEquals:
              'cognito-identity.amazonaws.com :aud':
                Ref: IdentityPool
            'ForAnyValue:StringLike':
              'cognito-identity.amazonaws.com :amr': authenticated
    Policies:
      - PolicyName: 'CognitoAuthorizedPolicy'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Action:
                - 'mobileanalytics:PutEvents'
                - 'cognito-sync:*'
                - 'cognito-identity:*'
              Resource: '*'
            - Effect: 'Allow'
              Action:
                - 'lambda:InvokeFunction'
              Resource: '*'

# Assigns the roles to the Identity Pool
IdentityPoolRoleMapping:
  Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
  Properties:
    IdentityPoolId:
      Ref: IdentityPool
    Roles:
      authenticated:
        'Fn::GetAtt': [ CognitoAuthorizedRole, Arn ]
      unauthenticated:
        'Fn::GetAtt': [ CognitoUnAuthorizedRole, Arn ]

有没有人知道为什么会抛出这个特定的错误(我认为它具有误导性)甚至更好,如何解决这个问题?

标签: amazon-web-servicesauthenticationaws-sdkamazon-cloudformationamazon-cognito

解决方案

这已在 AWS Amplify Github 问题积压中修复,更多上下文请参见此处

crypto-js由于 amplify-js 库中的 Typescript 编译问题,无论您在何处导入 amplify,都需要直接导入依赖项:

import 'crypto-js/lib-typedarrays'; // add this line
import Amplify, {Auth} from 'aws-amplify';

看起来这将是未来拉取请求中的永久修复,因此根据您何时登陆此处,尝试将aws-amplify包更新为 > 1.1.19first,看看它是否已首先在主包中修复。

推荐阅读