chore: Stop using the secret code (MFA setup code) as an access token, …

…#390
open-contracting · Oct 31, 2024 · a20f147 · a20f147
1 parent 6c6eb6d
commit a20f147
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 17 deletions.
diff --git a/app/aws.py b/app/aws.py
@@ -111,44 +111,43 @@ def respond_to_auth_challenge(
         match challenge_name:
             case "NEW_PASSWORD_REQUIRED":
                 return self.cognito.respond_to_auth_challenge(
+                    Session=session,
                     ClientId=app_settings.cognito_client_id,
                     ChallengeName=challenge_name,
                     ChallengeResponses={
                         "USERNAME": username,
-                        "NEW_PASSWORD": new_password,
                         "SECRET_HASH": secret_hash,
+                        "NEW_PASSWORD": new_password,
                     },
-                    Session=session,
                 )
             case "MFA_SETUP":
                 associate_response = self.cognito.associate_software_token(Session=session)
 
                 verify_response = self.cognito.verify_software_token(
-                    AccessToken=associate_response["SecretCode"],
                     Session=associate_response["Session"],
                     UserCode=mfa_code,
                 )
 
                 return self.cognito.respond_to_auth_challenge(
+                    Session=verify_response["Session"],
                     ClientId=app_settings.cognito_client_id,
                     ChallengeName=challenge_name,
                     ChallengeResponses={
                         "USERNAME": username,
-                        "NEW_PASSWORD": new_password,
                         "SECRET_HASH": secret_hash,
+                        "NEW_PASSWORD": new_password,
                     },
-                    Session=verify_response["Session"],
                 )
             case "SOFTWARE_TOKEN_MFA":
                 return self.cognito.respond_to_auth_challenge(
+                    Session=session,
                     ClientId=app_settings.cognito_client_id,
                     ChallengeName=challenge_name,
                     ChallengeResponses={
                         "USERNAME": username,
-                        "SOFTWARE_TOKEN_MFA_CODE": mfa_code,
                         "SECRET_HASH": secret_hash,
+                        "SOFTWARE_TOKEN_MFA_CODE": mfa_code,
                     },
-                    Session=session,
                 )
             case _:
                 raise HTTPException(

diff --git a/app/parsers.py b/app/parsers.py
@@ -21,7 +21,7 @@ class ResetPassword(BaseModel):
 class SetupMFA(BaseModel):
     temp_password: str
     session: str
-    secret: str
+    secret: str | None = None
 
 
 class AwardUpdate(BaseModel):

diff --git a/app/routers/users.py b/app/routers/users.py
@@ -112,17 +112,10 @@ def setup_mfa(
     payload: parsers.SetupMFA,
     client: aws.Client = Depends(dependencies.get_aws_client),
 ) -> serializers.ResponseBase:
-    """
-    Set up multi-factor authentication (MFA) for the user.
-
-    This endpoint allows users to set up MFA using a software token. It verifies the software
-    token with the provided secret, session, and temporary password.
-    """
+    """Set up multi-factor authentication (MFA) for the user."""
     try:
         # https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp/client/verify_software_token.html
-        client.cognito.verify_software_token(
-            AccessToken=payload.secret, Session=payload.session, UserCode=payload.temp_password
-        )
+        client.cognito.verify_software_token(Session=payload.session, UserCode=payload.temp_password)
     except client.cognito.exceptions.NotAuthorizedException:
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,