confirmResetPassword returns generic error message if incorrect verificationCode is provided.

[ashwani-trivediat]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.

Language and Async Model

Kotlin

Amplify Categories

Authentication

Gradle script dependencies

// Put output below this line

implementation 'com.amplifyframework:aws-api:2.19.1'

Environment information

# Put output below this line

------------------------------------------------------------
Gradle 8.0
------------------------------------------------------------

Build time:   2023-02-13 13:15:21 UTC
Revision:     62ab9b7c7f884426cf79fbedcf07658b2dbe9e97

Kotlin:       1.8.10
Groovy:       3.0.13
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          17.0.9 (JetBrains s.r.o. 17.0.9+8-b1166.2)
OS:           Mac OS X 14.4.1 x86_64

Please include any relevant guides or documentation you're referencing

https://docs.amplify.aws/gen1/android/build-a-backend/auth/manage-passwords/#reset-password

Describe the bug

Amplify SDK authentication version 2.19.1 seems to throw and generic error message if user types incorrect verificationCode while trying to reset password. Here are the steps:

1. User request a verification code by calling:

Amplify.Auth.resetPassword(
   "username",
   result -> Log.i("AuthQuickstart", result.toString()),
   error -> Log.e("AuthQuickstart", error.toString())
);

2. User types incorrect verificationCode and new password and re-enters new password, and call amplify SDK confirmResetPassword method:

Amplify.Auth.confirmResetPassword(
   "Username",
   "NewPassword123",
   "confirmation code you received",
   () -> Log.i("AuthQuickstart", "New password confirmed"),
   error -> Log.e("AuthQuickstart", error.toString())
);

3. Following error message is displayed to the user:
   

On investigating the root cause it appears that inside RealAWSCognitoAuthPlugin whenever any type of error is encountered a generic error message is returned, here is the message:
"There is a possibility that there is a bug if this error persists. Please take a look at \n" +
"https://github.com/aws-amplify/amplify-android/issues to see if there are any existing issues that \n" +
"match your scenario, and file an issue with the details of the bug if there isn't.";
Following appears to be problematic code:

Reproduction steps (if applicable)

No response

Code Snippet

// Put your code below this line.

Log output

// Put your logs below this line

amplifyconfiguration.json

No response

GraphQL Schema

// Put your schema below this line

Additional information and screenshots

No response

[mattcreaser]

The described steps are supposed to result in a CodeMismatchException from Kotlin SDK. We will have to check if it is returning an incorrect exception type.

[ashwani-trivediat]

I looked into the error a bit more, looks like there is CodeMismatchException in the headers.

Here is the stack trace:

Error message is as follows:
{AttributeKey(aws.smithy.kotlin#ProtocolResponse)=DefaultHttpResponse(status=400: Bad Request, headers=aws.smithy.kotlin.runtime.http.engine.okhttp.OkHttpHeadersAdapter@f2c480f, body=aws.smithy.kotlin.runtime.http.content.ByteArrayContent@e69709c)}

aws.sdk.kotlin.services.cognitoidentityprovider.model.CognitoIdentityProviderException: Failed to parse response as 'awsJson1_1' error

Hope it helps.

[mattcreaser]

Thanks for the additional info @ashwani-trivediat, that is very helpful. There's definitely something odd going on here - the stack trace indicates that the Kotlin SDK actually couldn't parse the response. That explains why the generic error message was returned instead of the correct code mismatch exception.

To double check, I used the Authenticator Sample App and the returned exception has the correct type and message:

The difference appears to be that my backend returned a body in the response, while yours did not:

You can see in your headers that the content-length is specified as 100 bytes, but the body has an actual contentLength of 0. This explains the error, but I'm not sure why the body would be missing.

Can you double check what values you are sending for the confirmation code? Does your backend have any custom lambda triggers involved in the reset password process?

[ashwani-trivediat]

Hi @vincetran, we don't have any custom trigger for password reset. We have following two lembda triggers, will reset password trigger them?

[ashwani-trivediat]

@mattcreaser @vincetran do you need more information on this, I need to identify why my AWS instance is returning null body after migrating to V2 API, it was working fine with V1 API.

[mattcreaser]

Sorry for the slow reply @ashwani-trivediat.

There may or may not be any actual change in what your backend is returning between V1 and V2, instead it could just be that the AWS Android SDK (what V1 was built on) is tolerant of the missing response body, while AWS Kotlin SDK (What V2 is built on) is not.

According to the Cognito docs, the pre sign-up trigger will be invoked during a password reset, so it's possible that is the source of the error. Can you temporarily delete that trigger and see if the issue persists?

[ashwani-trivediat]

@mattcreaser I tried with deleting pre sign-up flow, but the issue still remains the same.

[mattcreaser]

We may need to engage someone from the Kotlin SDK or Cognito teams here to determine why the response is empty.