
amazon-cognito-identity-js: Error: Only radix 2, 4, 8, 16, 32 are supported #4430

Closed
julamb opened this issue Nov 20, 2019 · 26 comments
Labels: to-be-reproduced (Used in order for Amplify to reproduce said issue)

Comments

@julamb

julamb commented Nov 20, 2019

I am using amazon-cognito-identity-js (v 3.2.0).

My Cognito UserPool is set up to allow users to connect with a verified email address. Logging-in with a username or a verified email address works fine. However, when I try to log in with an unverified email address, I get the following error in the console. This happens whether or not the entered password is correct.

Error: Only radix 2, 4, 8, 16, 32 are supported
    at BigInteger.bnToString [as toString] (BigInteger.js:221)
    at BigInteger.bnToString [as toString] (BigInteger.js:219)
    at AuthenticationHelper.padHex (AuthenticationHelper.js:346)
    at AuthenticationHelper.getPasswordAuthenticationKey (AuthenticationHelper.js:288)
    at CognitoUser.js:301
    at Client.js:63
    at ZoneDelegate.invoke (zone-evergreen.js:359)
    at Object.onInvoke (core.js:39699)
    at ZoneDelegate.invoke (zone-evergreen.js:358)
    at Zone.run (zone-evergreen.js:124)

In the network tab, the corresponding call has the x-amz-target: AWSCognitoIdentityProviderService.InitiateAuth header, and the response is a json with ChallengeName: "PASSWORD_VERIFIER" and a ChallengeParameters object. I would share it here but I'm not sure if it contains sensitive information.

I'd be happy to provide more information if needed.

Edit: One thing that looks odd about the ChallengeParameters object, the salt seems to be a negative hex: SALT: "-55d8411fb9c566437988f9dca451e61d".

@julamb julamb added the to-be-reproduced Used in order for Amplify to reproduce said issue label Nov 20, 2019
@ofirm93

ofirm93 commented Nov 21, 2019

The issue is fixed in #4427. Once it is merged, this should be resolved.

@vietduong-agilityio

@ofirm93 Still got this error :((

@ebaizel

ebaizel commented Nov 30, 2019

Is there a workaround until #4427 is fixed? Is there a prior version that works?

@reejeshkv

Still got this error

@vietduong-agilityio

@ebaizel There is a dumb way to do it temporarily: you can open BigInteger.js after installing and update the bnToString(b) method from:
if (this.s < 0) return '-' + this.negate().toString();
to:
if (this.s < 0) return '-' + this.negate().toString(b);

@allencart

allencart commented Dec 3, 2019

> The issue is fixed in #4427. Once it is merged should be resolved.

Hi, I'm new to AWS Cognito and I'm having this issue as well. Would this fix cover my case also? Here's my policy: I don't even have email and phone number attributes, only username, password, and two custom attributes. I did a pre-sign-up lambda trigger to autoConfirm the user.

Then when I tested my Cognito sign in lambda, these are the wrong credential combinations that I tried when the error occurs.

  1. Both username and password are wrong
  2. Only username is wrong, and the password is correct

@zcmgyu

zcmgyu commented Dec 5, 2019

  1. Go to User Pools
  2. Open App Clients
  3. Click Show Details
  4. Change Prevent User Existence Errors from Enabled (Recommended) to Legacy


@tohjg

tohjg commented Dec 20, 2019

Fixed in #4427. Released in @aws-amplify/auth@2.1.2

@Amplifiyer Amplifiyer assigned Amplifiyer and unassigned Amplifiyer Jan 6, 2020
@ericclemmons
Contributor

@julamb @allencart We merged down fixes with #4520 and released it a few days later via 2.2.1.

This issue should be resolved, but if you update to latest and still experience problems, please comment so we can re-open!

@ericclemmons ericclemmons self-assigned this Jan 7, 2020
@JxDarkAngel

I solved it by changing the email to lowercase letters and using a trim, and doing the same when reading the email that the user enters when they log in. It caused the error depending on how the user wrote it, since it was case sensitive.

@rilian

rilian commented Feb 25, 2020

on "amazon-cognito-identity-js": "^3.2.0"

getting this error when trying to authenticate using the email of a user that does not exist in the user pool

UPD: will check if updating to latest versions will fix the issue..

@ELRuncho

Hi everyone. I started getting this error when authenticating any user on my user pool; it started showing up all of a sudden. Has updating to the latest version worked for anybody here?

@Jmedders

This is occurring on 2.2.6. It seems to be only specific strings of un-authenticated accounts that this occurs with. For example: rope@example.com yields a not authorized exception with message Incorrect username or password, but rope@examplez.com returns the error OP described (Only radix 2, 4, 8, 16, 32 are supported). Of course these are only examples, this is occurring for more valid looking emails.

Pulling off Auth from "aws-amplify": "^2.2.6",

@PaulBurridge

I have tracked this down to an issue with Cognito returning a bad value for SALT which is for some reason preceded with a minus sign for some email addresses and not others.

I have raised a support ticket with AWS, but in the meantime would it be possible to handle this in Amplify by cleaning the SALT value? Assuming that would be quicker than waiting for a Cognito bug fix?

Request URL: https://cognito-idp.eu-west-1.amazonaws.com/
Request Method: POST
Status Code: 200 

# Bad Example (rope@examplez.com)

{
  "AuthFlow": "USER_SRP_AUTH",
  "ClientId": "1e...06",
  "AuthParameters": {
    "USERNAME": "rope@examplez.com",
    "SRP_A": "***"
  },
  "ClientMetadata": {}
}

{
  "ChallengeName":"PASSWORD_VERIFIER",
  "ChallengeParameters":{
    "SALT":"-7e6c89a610ada13205836f7df5da14db", <-- Minus sign in front of salt value????
    ...
  }
}

# Good Example (rope@example.com)

{
  "AuthFlow": "USER_SRP_AUTH",
  "ClientId": "1e...06",
  "AuthParameters": {
    "USERNAME": "rope@example.com",
    "SRP_A": "***"
  },
  "ClientMetadata": {}
}

{
  "ChallengeName":"PASSWORD_VERIFIER",
  "ChallengeParameters":{
    "SALT":"41d247d8d39d08e9e20ab9ad42c831ab",
    ...
  }
}

@Jmedders

Jmedders commented May 5, 2020

Hey @ELRuncho, I updated from "aws-amplify": "^2.2.6", to "@aws-amplify/auth": "^3.2.6", and no longer have this error.

If anybody comes across this & is importing the entire aws-amplify package for simple auth as I was instead of the modularized @aws-amplify/auth and @aws-amplify/core I highly recommend trying the modular packages instead. Was able to reduce react bundle size by over 2mb with this simple change. See #122

@ELRuncho

ELRuncho commented May 5, 2020

> Hey @ELRuncho, I updated from "aws-amplify": "^2.2.6", to "@aws-amplify/auth": "^3.2.6", and no longer have this error.
>
> If anybody comes across this & is importing the entire aws-amplify package for simple auth as I was instead of the modularized @aws-amplify/auth and @aws-amplify/core I highly recommend trying the modular packages instead. Was able to reduce react bundle size by over 2mb with this simple change. See #122

Yep, that did the trick for me

@tarasowski

I'm receiving the same error message: "Only radix 2, 4, 8, 16, 32 are supported". It gets shown for usernames (emails) that are not registered / not in cognito user pool. "@aws-amplify/auth": "^2.1.6". The interesting thing is that I have two different apps and only in one of them the error gets shown! Both apps have the same version of aws-amplify. The first app shows the error: "Incorrect username or password", the other one shows "Only radix 2, 4, 8, 16, 32 are supported".

@katerinaonair

> I'm receiving the same error message: "Only radix 2, 4, 8, 16, 32 are supported". It gets shown for usernames (emails) that are not registered / not in cognito user pool. "@aws-amplify/auth": "^2.1.6". The interesting thing is that I have two different apps and only in one of them the error gets shown! Both apps have the same version of aws-amplify. The first app shows the error: "Incorrect username or password", the other one shows "Only radix 2, 4, 8, 16, 32 are supported".

I have the same issue

@ericclemmons
Contributor

@katerinaonair If you've updated your aws-amplify dependencies to latest, cleared lock files, node_modules, and are still experiencing this, can you open a new issue with a reproducible sample?

@katerinaonair

> @katerinaonair If you've updated your aws-amplify dependencies to latest, cleared lock files, node_modules, and are still experiencing this, can you open a new issue with a reproducible sample?

Resolved with "Legacy", many thanks to @zcmgyu

@ericclemmons
Contributor

Thanks for the update @katerinaonair!

@Saeger

Saeger commented Aug 11, 2020

Hi @katerinaonair, just came here to remind you that switching to "Legacy" isn't the best option compared to bumping the lib to the latest version, which fixes the issue.
The reason is that the "Legacy" user errors will send too much information from the Cognito pool endpoint, which could potentially make an attacker's life easier. I know this sounds "too preventive", but updating the library seems safer here.

@paulie4

paulie4 commented Oct 15, 2020

@PaulBurridge-kcom, in your comment, you said you raised a support ticket with AWS. Did they ever get back to you about whether the negative salt value is actually correct?

@PaulBurridge

@paulie4 AWS Support said they had fixed this in Amplify; basically they altered Amplify to work around the Cognito bug without acknowledging (or fixing) the bug in Cognito.

@paulie4

paulie4 commented Oct 15, 2020

Yeah, the negative salt value definitely seems like a bug, and it looks like the code in this project is just working by luck. AuthenticationHelper.getPasswordAuthenticationKey() calls AuthenticationHelper.hexHash(), which does new util.Buffer(hexStr, 'hex'), and a variable name of hexStr for a buffer would imply that there should not be any characters besides 0-9 and a-f in the string. The lucky thing is that Buffer.hexWrite() calls parseInt(string.substr(i * 2, 2), 16), and the negative symbol is the second character, so parseInt() just ignores it.
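The two observations above, PaulBurridge's negative SALT and paulie4's point that the parseInt-based hex decoder silently swallows the sign, can be reproduced side by side. The following is an added example, not code from amazon-cognito-identity-js, the jsbn BigInteger, or the browser Buffer polyfill: it mirrors the padHex logic the thread describes using BigInt in place of BigInteger (assumption: the same toString(16) output, including a leading "-" for negatives), reimplements the parseInt pair loop quoted from hexWrite, contrasts it with Node's strict Buffer hex decoder, and adds a fail-closed validator for the SALT challenge parameter. The salt and hash values are shortened, constructed inputs, not the real challenge parameters from the thread.

```javascript
// Added example (not code from amazon-cognito-identity-js, jsbn or the Buffer polyfill).
// Reconstructs the behaviour discussed in the thread so the effect of a "-" in SALT
// can be observed, and shows a strict validator that rejects it instead.

// Mirrors the padHex logic described in the thread, using BigInt instead of jsbn's
// BigInteger (assumption: identical toString(16) output, including a leading "-").
function padHexLenient(value) {
  let hex = value.toString(16);
  if (hex.length % 2 === 1) {
    hex = '0' + hex;                 // odd length: prepend one zero (the "-" counts as a character)
  } else if ('89abcdefABCDEF'.includes(hex[0])) {
    hex = '00' + hex;                // high bit set: keep the value positive in two's complement
  }
  return hex;
}

// parseInt-based pair decoding, as in the browser Buffer polyfill's hexWrite quoted above.
function hexWritePolyfill(str) {
  if (str.length % 2 !== 0) throw new Error('Invalid hex string');
  const out = new Uint8Array(str.length / 2);
  for (let i = 0; i < out.length; i++) {
    const parsed = parseInt(str.slice(i * 2, i * 2 + 2), 16);
    if (Number.isNaN(parsed)) return out.slice(0, i);
    out[i] = parsed;                 // "0-" parses as 0, so the sign silently becomes a 0x00 byte
  }
  return out;
}

// Node's Buffer hex decoder stops at the first pair that is not two hex digits,
// so the same string decodes to a different (here: empty) byte sequence.
function hexDecodeNode(str) {
  return new Uint8Array(Buffer.from(str, 'hex'));
}

// Defensive parsing of the challenge parameter: accept only canonical, unsigned hex,
// so a malformed SALT surfaces as a clear error rather than a radix exception or a
// silently different hash input.
function parseSaltStrict(saltStr) {
  if (typeof saltStr !== 'string' || !/^[0-9a-fA-F]+$/.test(saltStr)) {
    throw new Error('SALT is not canonical hex: ' + JSON.stringify(saltStr));
  }
  return BigInt('0x' + saltStr);
}

// Constructed values (shortened; not the real challenge parameters from the thread).
const CONSTRUCTED_SALT = '-7e6c89a6';
const CONSTRUCTED_USERNAME_PASSWORD_HASH = 'abcd';

// Builds the hex string that would reach the hash step and decodes it both ways.
function compareDecoders() {
  const salt = -BigInt('0x' + CONSTRUCTED_SALT.slice(1));   // negative, like the bad SALT
  const hexStr = padHexLenient(salt) + CONSTRUCTED_USERNAME_PASSWORD_HASH;
  return {
    hexStr,
    polyfillBytes: Array.from(hexWritePolyfill(hexStr)),
    nodeBytes: Array.from(hexDecodeNode(hexStr)),
  };
}

console.log(compareDecoders());
```

Running it shows hexStr as "0-7e6c89a6abcd": the polyfill yields seven bytes with a leading 0x00 where the sign was, while Node's decoder returns nothing, so the same challenge would hash differently depending on the runtime. parseSaltStrict throws on the signed string and returns a BigInt for a canonical one, which is the check a client should apply before any SRP arithmetic.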

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 16, 2021