Cognito Sign Up not returning Session

[leonardoalifraco]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

The documentation for the SignUp operation, indicates that the response will include a Session attribute that you can pass to ConfirmSignUp when you want to immediately sign in your user with the USER_AUTH flow after they complete sign-up.

However the Session attribute is returned always as null.

Tried different configurations in Cognito, allowing all Authentication Flows, but the session still returns as null (or doesn't return at all when called from AWS CLI).

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html#API_SignUp_ResponseSyntax

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Node v20.11.1

Reproduction Steps

1. Call Sign Up
2. Inspect response, Session is null

Observed Behavior

Session attribute from the SignUpCommandOutput is always null.

Expected Behavior

Session attribute from the SignUpCommand should have a value that can be persisted locally and eventually included in the ConfirmSignUpCommand.

Possible Solution

No response

Additional Information/Context

No response

[aBurmeseDev]

Hi @leonardoalifraco - thanks for reaching out.

According to service model, Session may not always return but I'm going to reach out to service team to verify that (ref P179073426). In the meantime, could you please provide your code snippet along with the response you're receiving?

[leonardoalifraco]

Hi @aBurmeseDev, thank you very much.

Adding code snippet below, exec instructions and response below.
I'm using @aws-sdk/client-cognito-identity-provider version 3.710.0

import { CognitoIdentityProviderClient, SignUpCommand, SignUpCommandInput } from "@aws-sdk/client-cognito-identity-provider";
import { createHmac } from 'crypto';

const generateSecretHash = (username: string) => {
  const message = username + process.env.COGNITO_CLIENT_ID;
  return createHmac('sha256', process.env.COGNITO_CLIENT_SECRET || '')
    .update(message)
    .digest('base64');
};

const signUp = async (
  username: string,
  password: string,
  userAttributes: {
    email: string;
    name: string;
  },
) => {
  const cognitoClient = new CognitoIdentityProviderClient();
  const params: SignUpCommandInput = {
    ClientId: process.env.COGNITO_CLIENT_ID,
    Username: username,
    Password: password,
    SecretHash: generateSecretHash(username),
    UserAttributes: [
      { Name: 'email', Value: userAttributes.email },
      { Name: 'name', Value: userAttributes.name },
    ],
  };
  const command = new SignUpCommand(params);
  return await cognitoClient.send(command);
};

const main = async () => {
  try {
    const response = await signUp("username", "Password01!", {
      email: "[email protected]",
      name: "Leo",
    });
    console.log("Sign-up successful:", JSON.stringify(response, null, 2));
  } catch (error) {
    console.error("Failed to sign up:", error);
  }
};

main().catch((error) => {
  console.error("Unhandled error in main:", error);
});

Run with:
COGNITO_CLIENT_ID=<client_id_here> COGNITO_CLIENT_SECRET=<client_secret_here> npx ts-node snippet.ts

Response was:

{
  "$metadata": {
    "httpStatusCode": 200,
    "requestId": "c8309cca-a36d-4dde-954b-d9e1a81c4c34",
    "attempts": 1,
    "totalRetryDelay": 0
  },
  "CodeDeliveryDetails": {
    "AttributeName": "email",
    "DeliveryMedium": "EMAIL",
    "Destination": "t***@d***"
  },
  "UserConfirmed": false,
  "UserSub": "44a8a4c8-e0f1-70f5-7faa-1e6675e36647"
}

[baraya]

Ran into the same missing Session attribute yesterday but on the ConfirmSignUpCommand

  new ConfirmSignUpCommand({
    ClientId: process.env.COGNITO_CLIENT_ID,
    SecretHash: secretHash(email),
    Username: email,
    ConfirmationCode: code
  })
);

Response is missing the Session

{
    "$metadata":{"httpStatusCode":200,"requestId":"c2fbe131-a18d-4869-953f-981f1194aa6a","attempts":1,"totalRetryDelay":0}
}

[sjaghori]

same issue

[sjaghori]

any updates on this one? @aBurmeseDev

[leonardoalifraco]

Hi @aBurmeseDev, did you have any updates from the Service team?

[aBurmeseDev]

Hi @leonardoalifraco - sorry for the wait. I just heard back from service team member and here's the response

SignUp only will return "Session" when the client has turned on User_Auth. Client setting link: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html#CognitoUserPools-CreateUserPoolClient-request-ExplicitAuthFlows
The reason of this behavior is because only User_Auth flow can use this session from SignUp to authenticate directly after sign up. All other auth flows, the session can not be used / will not take any effect. This is intended behavior.

If you've turned on User_Auth and Session hasn't returned, please let me know and I'll contact service team again.

cc: @sjaghori @baraya

[leonardoalifraco]

Thank you very much @aBurmeseDev.

I have enabled USER_AUTH for the Cognito App Client and it worked perfectly.

For reference, I am attaching test code on how I am confirming a user and initiating auth using the sign up session, and later the confirm sign up session.

This code runs after #6724 (comment) and is returning auth tokens without the need of other user credentials but the session.

import { CognitoIdentityProviderClient, ConfirmSignUpCommand, ConfirmSignUpCommandInput, AuthFlowType, InitiateAuthCommand, InitiateAuthCommandInput} from "@aws-sdk/client-cognito-identity-provider";
import { createHmac } from 'crypto';

const generateSecretHash = (username: string) => {
  const message = username + process.env.COGNITO_CLIENT_ID;
  return createHmac('sha256', process.env.COGNITO_CLIENT_SECRET || '')
    .update(message)
    .digest('base64');
};

const confirmSignUp = async (
  username: string,
  confirmationCode: string,
  session: string,
) => {
  const cognitoClient = new CognitoIdentityProviderClient();
  const params: ConfirmSignUpCommandInput = {
    ClientId: process.env.COGNITO_CLIENT_ID,
    Username: username,
    SecretHash: generateSecretHash(username),
    ConfirmationCode: confirmationCode,
    Session: session,
  };
  const command = new ConfirmSignUpCommand(params);
  return await cognitoClient.send(command);
};

const initiateAuth = async (
  username: string,
  session: string,
) => {
  const cognitoClient = new CognitoIdentityProviderClient();
  const params: InitiateAuthCommandInput = {
    ClientId: process.env.COGNITO_CLIENT_ID,
    AuthFlow: AuthFlowType.USER_AUTH,
    AuthParameters: {
      USERNAME: username,
      SECRET_HASH: generateSecretHash(username),
    },
    Session: session,
  };
  const command = new InitiateAuthCommand(params);
  return await cognitoClient.send(command);
};

const main = async () => {
  try {
    const username = ""; // username here
    const confirmationCode = ""; // confirmation code here
    const session = ""; // sign-up session here
    const response = await confirmSignUp(username, confirmationCode, session);
    console.log("Confirm Sign-Up successful:", JSON.stringify(response, null, 2));

    const initiateAuthResponse = await initiateAuth(username, response.Session || "");
    console.log("InitiateAuth successful:", JSON.stringify(initiateAuthResponse, null, 2));
  } catch (error) {
    console.error("Failed:", error);
  }
};

main().catch((error) => {
  console.error("Unhandled error in main:", error);
});