amazon-web-services - 用户登录时,登录会引发“用户名或密码不正确”错误
问题描述
我创建了一个 Cognito 用户池,用户可以在其中注册但不能再登录。我尝试了许多不同的配置,例如禁用 MFA、关闭我看到的可能导致此问题的设备的记忆,但无济于事。
最奇怪的是,这在本地运行良好(localhost:5000
)。我可以创建帐户并登录没有任何戏剧性,但是当我尝试登录我的网站https://example.com
(托管在 S3 上)时,它会引发上述错误。如果我注册,用户实际上似乎也是在 Cognito 中创建的 - 这样就可以了,但是登录只能在本地工作。
我对每个设置、环境变量、重新创建用户池等进行了两次、三次检查。
错误
这是我尝试登录时抛出的模棱两可的错误:
{
__type: "NotAuthorizedException",
message: "Incorrect username or password."
}
注册前触发的 lambda
在用户通过 lambda 注册之前,我正在确认用户:
import {INTERNAL_SERVER_ERROR} from 'http-status-codes';
export async function validateHumanViaSns(
event: CognitoUserPoolTriggerEvent,
context: Context,
callback: Callback
): Promise<CognitoUserPoolTriggerHandler> {
try {
event.response.autoConfirmUser = true;
callback(null, event);
return;
} catch (error) {
console.error(error);
callback(null, new Response(INTERNAL_SERVER_ERROR, {message: 'Something went wrong'}));
return;
}
}
包.json
我的客户正在使用最新的amplify-js库。
dependencies: {
"amplify": "1.1.19" // broken since 1.1.18
}
CloudFormation Cognito 模板
UserPool:
Type: 'AWS::Cognito::UserPool'
Properties:
UserPoolName: myapp-${self:provider.stage}-user-pool
SmsVerificationMessage: 'Your verification code is {####}.'
AutoVerifiedAttributes:
- email
MfaConfiguration: 'OFF'
EmailVerificationSubject: 'Your MyApp verification code'
EmailVerificationMessage: 'Your MyApp verification code is {####}.'
SmsAuthenticationMessage: 'Your MyApp authentication code is {####}.'
Schema:
- Name: name
AttributeDataType: String
Mutable: true
Required: false
- Name: email
AttributeDataType: String
Mutable: false
Required: false
- Name: phone_number
AttributeDataType: String
Mutable: true
Required: false
Policies:
PasswordPolicy:
RequireLowercase: true
RequireSymbols: false
RequireNumbers: true
MinimumLength: 8
RequireUppercase: true
AdminCreateUserConfig:
InviteMessageTemplate:
EmailMessage: 'Your MyApp username is {username} and temporary password is {####}.'
EmailSubject: 'Your temporary MyApp password'
SMSMessage: 'Your MyApp username is {username} and temporary password is {####}.'
UnusedAccountValidityDays: 7
AllowAdminCreateUserOnly: false
# Creates a User Pool Client to be used by the identity pool
UserPoolClient:
Type: 'AWS::Cognito::UserPoolClient'
Properties:
ClientName: myapp-${self:provider.stage}-web-client
GenerateSecret: false
UserPoolId:
Ref: UserPool
# Creates a federeated Identity pool
IdentityPool:
Type: 'AWS::Cognito::IdentityPool'
Properties:
IdentityPoolName: MyApp{self:provider.stage}Identity
AllowUnauthenticatedIdentities: true
CognitoIdentityProviders:
- ClientId:
Ref: UserPoolClient
ProviderName:
'Fn::GetAtt': [ UserPool, ProviderName ]
# Create a role for unauthorized access to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
CognitoUnAuthorizedRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Principal:
Federated: 'cognito-identity.amazonaws.com '
Action:
- 'sts:AssumeRoleWithWebIdentity'
Condition:
StringEquals:
'cognito-identity.amazonaws.com :aud':
Ref: IdentityPool
'ForAnyValue:StringLike':
'cognito-identity.amazonaws.com :amr': unauthenticated
Policies:
- PolicyName: 'CognitoUnauthorizedPolicy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Action:
- 'mobileanalytics:PutEvents'
- 'cognito-sync:*'
Resource: '*'
# Create a role for authorized access to AWS resources. Control what your user can access. This example only allows Lambda invokation
# Only allows users in the previously created Identity Pool
CognitoAuthorizedRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Principal:
Federated: 'cognito-identity.amazonaws.com '
Action:
- 'sts:AssumeRoleWithWebIdentity'
Condition:
StringEquals:
'cognito-identity.amazonaws.com :aud':
Ref: IdentityPool
'ForAnyValue:StringLike':
'cognito-identity.amazonaws.com :amr': authenticated
Policies:
- PolicyName: 'CognitoAuthorizedPolicy'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Action:
- 'mobileanalytics:PutEvents'
- 'cognito-sync:*'
- 'cognito-identity:*'
Resource: '*'
- Effect: 'Allow'
Action:
- 'lambda:InvokeFunction'
Resource: '*'
# Assigns the roles to the Identity Pool
IdentityPoolRoleMapping:
Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
Properties:
IdentityPoolId:
Ref: IdentityPool
Roles:
authenticated:
'Fn::GetAtt': [ CognitoAuthorizedRole, Arn ]
unauthenticated:
'Fn::GetAtt': [ CognitoUnAuthorizedRole, Arn ]
有没有人知道为什么会抛出这个特定的错误(我认为它具有误导性)甚至更好,如何解决这个问题?
解决方案
这已在 AWS Amplify Github 问题积压中修复,更多上下文请参见此处。
crypto-js
由于 amplify-js 库中的 Typescript 编译问题,无论您在何处导入 amplify,都需要直接导入依赖项:
import 'crypto-js/lib-typedarrays'; // add this line
import Amplify, {Auth} from 'aws-amplify';
看起来这将是未来拉取请求中的永久修复,因此根据您何时登陆此处,尝试将aws-amplify
包更新为 > 1.1.19
first,看看它是否已首先在主包中修复。
推荐阅读
- python - 使用 python 和 pandas 回测交易策略 - 一次只识别一个未平仓头寸
- docker - 无法在 Artifactory 中登录 docker 注册表
- php - 如何在 PHP 中生成具有不同元素编号的多个数组中的所有项目组合
- r - 循环许多结果变量 - R 中的 Synth() 包
- sql - HIVE SQL将连续范围折叠成单行
- django - 想要解析一个字典,其键是模型中的一个字段
- npm - 在 Gulp 中重命名 `dist` 目录后仍在生成它
- html - Python jupyter notebook 转换为 html 后,markdown 的编号消失了
- xpath - 如果主题被 javascript 隐藏,如何获取 XPath
- assembly - 如何在 WinMIPS64 中计算除法的余数