I'm setting up an authentication where MFA is not optional, which means from the very first login attempt after registration, the user will be asked to set up MFA (in this case I will be using Time Based One Time Passcode, or TOPT). For this, I can see that following steps would be reasonable:
1)Get user information via the login form - Auth.signUp()
2)Determine from the user data retrieved in step 1) whether TOPT-based MFA is set for the user already. If not, go to step 3) or else step 4)
3)If TOPT is not set, redirect to a form where a QRCode will be generated in order to set up this MFA feature. After verifying the code, log the user in.
4)If TOPT is set, ask for the passcode. After verifying, log the user in.
My dilemma: It seems I cannot get the information in Step 2), i.e, whether TOPT-based MFA is set for the user already without the user already being authenticated. The flag challengeName retrieved in the payload via Auth.signUp() in step 1) only gives me info on whether MFA is enabled or not ('MFA_SETUP'), and not whether TOTP-based MFA has been set up already. For that, the method Auth.getPreferredMFA() is what would do the trick, but it only works if the user object being passed to it represents an authenticated (or already logged in) user. Is there a way to determine if TOTP MFA is set up for a user trying to log in (but not logged in yet)?
Also, any other solutions to tackle this problem would be welcome. There must be somebody out there who has run into the same scenario I have, where MFA is mandatory from the first log in itself.
I am facing the same issue. If the MFA is required, I open up a modal to get QR code displayed and setup the mfa for the user.
code: "NotAuthorizedException"
message: "Invalid session for the user."
name: "NotAuthorizedException"
But getting this error because the user hasn't logged in and created any access token yet.
My idea of solving this is actually logging in the user but making their permissions to not go beyond the SetupMFA screen so they only gain some permissions when they have completed the setup.
Have you made any progress yourself? I'd like to hear any solutions.
Related
I have a Desktop Application developed with python and pyqt5.
I want to implement a login system for some reasons.
the scenario will be like this (this section is done so far):
Client has created an account on my website and downloaded my desktop application.
They run the application for the first time => A login window displayed asking users to input their data.
The application made a request to URL: http://ip/api/login with a JSON object {username, plaim_pw} (the API developed with Flask).
The API will process that request and check whether that user's data inside that request exist or not and if that PW is correct or not then it will return a response.
If the user successfully logged in then every run time the app will not ask the user again about his/her data, it will be stored somewhere in their machine.
What I want is:
If user ' A' successfully Logged in with account ' X', And at the same time user 'B' trying to log in with the same account that user ' A' is using => Then I want to tell user 'B': "can't log-in at the time because another user using the same account" or something like that. in short description: only one user can use the same account at the same time.
My questions are:
How to accomplish that mechanism? is it good or bad?
I read about JWT, could it be helpful in my case? If so, Then how should I implemented it?
Here is extra information:
I don't have many APIs, I only have a route for "login" nothing more for now, And I want the login system for some reason.
And in the future, I will be using HTTPS instead of HTTP.
Once the user has logged in write this down on the server. Then the subsequent login attempt can check this. When checking consider an expiration timestamp. This can easily solve the first question. Consider looking at topics such as session management: https://en.wikipedia.org/wiki/Session_(computer_science), https://en.wikipedia.org/wiki/Session_ID.
JWT is not necessary for your scenario yet.
We have multistep register form where user can set their password in step 2.
(User register should happen in step1 itself) So, we will set random password during step 1 and registering user details in Cognito user pool.
But end user submitting actual password from step 2.
Cognito will not update password (from step 2) without sending old password (random generated from step1). Cognito considers this process will be password update.
So how we need to handle this situation? or Is there any option / tricks which amplify provides to overcome this case?
More context is needed to fully understand why a random password is necessary for the user in this situation.
For example, if you are trying to create a multi-screen signup process and you don't want the user to get to the end of the process only to find out their password doesn't meet standards, e-mail already exists, etc., it may be more conducive to the user experience to check if the user already exists in the user pool first using ListUsers, collect the data as they move through the steps, and finally call the SignUp API call.
While I would highly recommend reconsidering the approach taken, the AdminSetUserPassword is a backend API call that can be used to set a permanent password for the user, although extreme care should be taken with this method to prevent the API call from being used maliciously on another user.
I am making an app where I need to have the user log in into their spotify account.
I would like to know how can I know if the user is already logged in or not into Spotify?
What I am trying to do in my application is ask to log in only if I have never logged in before and take the user through the authentication process.
If I have logged in before I want to skip the part where I ask the user to log in. This would have to work also if the user has logged in, left the app for some time and came back to it, I don't want to have to require a re-login by the user. How can I get that status from Spotify ?
I appreciate any guidance with this, thank you.
Since it's very likely that the access token has expired by the time you want to use it again, you would need to use the Authorization Code flow, storing the access token and refresh token of the user.
You can try making a request to an endpoint like Get Current User's Profile passing your current access token.
Should it fails, try refreshing it. If you get an access token back, then you know the user is logged in and you have a valid token you can use. Otherwise, consider the user is not logged in.
Where to store the refresh_token and access_token is up to you. You could do it in localStorage, or even better, in a database.
Using the Yodlee API, if I have a successfully connected site_account, and then something changes (say the user updates the answers to their MFA questions) causing refresh to give Yodlee an error, how do I force it to refresh so that I can retry entering MFA information? Using startSiteRefresh I can't get it to force refresh, even with forceRefresh on RefreshParameters set to True. All I get back is SiteRefreshStatus=None with the previous error code, and it doesn't let me ask for new mfa questions at all.
To update the credentials you should use updateSiteAccountCredentials.
But to refresh you should be using startSiteRefresh and check for refresh mode
(siteRefreshInfo.getSiteRefreshMode()) if the refresh mode is MFA_REFRESH_MODE then you should start the MFA flow.
Based on the error, if you want to change the values like username, password, Q&A for MFA, you can use the updateCredentialsForItem call to edit the item. You can then refresh the account.
More details on this page.
You are correct, for site the API is different.
First you would need to call getSiteAccountCredentials or getSiteAccountMfaQuestionsAndAnswers to get login form or MFA QnA as needed, and then updateSiteAccountCredentials.
If the changes worked, refresh would be triggered.
Well, you type username and password in form, hit "OK" button. Then data going to server side and check users database if that user is existed. Then it return user id. And what next?
That data is saved in cookies?
Does it mean, that with every clicked link, site login you to website again?
I mean,
you click some link on site
browser redirect you to that page
site checks your cookies
site grab username and password from cookies
site checks is that data is valid (via connecting to database)
show page to you
Is that correct?
User enters credential.
System validates credential.
Upon successful authentication, server saves user object into session.
System grabs user info from session.
System displays webpage.
Tadaa!! :)
UPDATE
To add a little more...
User visits the secured webpage.
System checks if session contains a user object.
If user object exists in session, allow user through to visit the page.
If user object doesn't exists, redirect user to login page.
You don't need to store user password in the session. In fact, it is highly discouraged. Checking to make sure the user object exists in the session is sufficient.
When the user clicks the logout page, then proceed to invalidate the session... that's it. :)
Almost correct. You rarely go to the database with every request. You usually set a cookie with a expiry date and save the user session and info in memory. So every time a request is made, if the user is not authenticated, you authenticate him, generate and send him a cookie with, say, 5h expiry. So, in the next 5 hours, whenever a request comes in with that cookie, you trust that the user is an authenticated, valid user and you don't have to check the database.
It's not how every site does it nor it is the only way to manage session and cookies but I think it is the most widely used.
You should probably use sessions, but that's pretty much the gist of it. That way the data doesn't accidentally persist.
I mean, for my simple site at home, that's how I do it. But it's still locally hosted, so the security is guaranteed to be crap.
Oh, and no need to check with the database whenever you click on another link -- too much time wasted.
Typically, an application takes advantage of the session that is established between the browser and the web server, and makes a note that that session is "authenticated". "session" is a built in feature of HTTP. If the browser is closed, or after a certain period of time passes, the session is automatically closed. If the user does an explicit logout, the application marks the session as not-authenticated.