in src/Amazon.AspNetCore.Identity.Cognito/CognitoSigninManager.cs [239:292]
/// <summary>
/// Verifies <paramref name="password"/> for <paramref name="user"/> through the Cognito user manager and
/// maps the outcome onto a <see cref="SignInResult"/>, starting the two-factor flow when Cognito
/// answers with an MFA challenge.
/// </summary>
/// <param name="user">The user being signed in; must not be null.</param>
/// <param name="password">The password to verify; handed to the user manager unchanged.</param>
/// <param name="lockoutOnFailure">Must be false — lockout is not supported by this manager.</param>
/// <returns>
/// The result of <c>PreSignInCheck</c> when it reports a problem (for example a pending password change
/// or reset); otherwise <see cref="SignInResult.Failed"/> when the password check yields no response or
/// leaves the user without valid session tokens, <see cref="SignInResult.TwoFactorRequired"/> when Cognito
/// returns an SMS or software-token MFA challenge, and <see cref="SignInResult.Success"/> when the user
/// ends up holding valid session tokens.
/// </returns>
/// <exception cref="NotSupportedException">Thrown when <paramref name="lockoutOnFailure"/> is true.</exception>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="user"/> is null.</exception>
public override async Task<SignInResult> CheckPasswordSignInAsync(TUser user, string password, bool lockoutOnFailure)
{
    // Lockout is rejected up front, before any call to Cognito is made.
    if (lockoutOnFailure)
    {
        throw new NotSupportedException("Lockout is not enabled for the CognitoUserManager.");
    }
    if (user == null)
    {
        throw new ArgumentNullException(nameof(user));
    }

    // A required password change/reset short-circuits the sign-in before the password is checked.
    var preCheckFailure = await PreSignInCheck(user).ConfigureAwait(false);
    if (preCheckFailure != null)
    {
        return preCheckFailure;
    }

    var authResponse = await _userManager.CheckPasswordAsync(user, password).ConfigureAwait(false);
    if (authResponse == null)
    {
        // No response from the password check is reported as a plain failure (no lockout bookkeeping).
        return SignInResult.Failed;
    }

    var challenge = authResponse.ChallengeName;
    var isMfaChallenge = challenge == ChallengeNameType.SMS_MFA
        || challenge == ChallengeNameType.SOFTWARE_TOKEN_MFA;
    if (isMfaChallenge)
    {
        // The challenge's Cognito session id and challenge name are stored alongside the user name in the
        // two-factor principal; presumably the second-factor step reads them back to answer the challenge —
        // confirm against the 2FA sign-in path. Everything placed here is persisted under the
        // TwoFactorUserIdScheme ticket, so it is only as protected as that ticket.
        var twoFactorClaims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.UserID),
            new Claim(Cognito2FAAuthWorkflowKey, authResponse.SessionID),
            new Claim(ClaimTypes.AuthenticationMethod, Cognito2FAProviderKey),
            new Claim(Cognito2FAChallengeNameType, challenge),
        };
        // NOTE(review): the identity's AuthenticationType is ApplicationScheme while the ticket is issued under
        // TwoFactorUserIdScheme — confirm this is intended.
        var twoFactorIdentity = new ClaimsIdentity(twoFactorClaims, IdentityConstants.ApplicationScheme);
        var twoFactorPrincipal = new ClaimsPrincipal(twoFactorIdentity);

        // Only the 2FA-pending ticket is issued here; the application sign-in happens after the second factor.
        await Context.SignInAsync(IdentityConstants.TwoFactorUserIdScheme, twoFactorPrincipal).ConfigureAwait(false);
        return SignInResult.TwoFactorRequired;
    }

    // Success requires the user to hold valid session tokens after the check; presumably the user manager
    // populates them on a successful password check — confirm.
    var hasValidSession = user.SessionTokens != null && user.SessionTokens.IsValid();
    return hasValidSession ? SignInResult.Success : SignInResult.Failed;
}