Users with special characters in their passwords (e.g. !, @, #) receive an invalid credentials error despite the password being correct. We confirmed removing special characters from the password resolves the issue.
Root cause hypothesis:
Cognito's SRP flow derives an x value by hashing:
H(salt | H(userPoolId + username + ":" + password))
All inputs must be byte-encoded consistently between client and server. If WarrantLite encodes the password string to bytes using anything other than UTF-8, special characters produce a different byte sequence → wrong hash → silent auth failure.
What to investigate:
Audit WarrantLite's get_auth_params() and process_challenge() for how the password is encoded to bytes before hashing. Confirm it matches the UTF-8 encoding Cognito expects.
Note: PR #162 (USER_PASSWORD_AUTH via boto3) is not a viable fix — USER_PASSWORD_AUTH flow is not enabled on this Cognito client (InvalidParameterException).
Reported by:
User comment on issue 155:
#155 (comment)
Users with special characters in their passwords (e.g.
!,@,#) receive an invalid credentials error despite the password being correct. We confirmed removing special characters from the password resolves the issue.Root cause hypothesis:
Cognito's SRP flow derives an x value by hashing:
H(salt | H(userPoolId + username + ":" + password))
All inputs must be byte-encoded consistently between client and server. If WarrantLite encodes the password string to bytes using anything other than UTF-8, special characters produce a different byte sequence → wrong hash → silent auth failure.
What to investigate:
Audit WarrantLite's
get_auth_params()andprocess_challenge()for how the password is encoded to bytes before hashing. Confirm it matches the UTF-8 encoding Cognito expects.Note: PR #162 (USER_PASSWORD_AUTH via boto3) is not a viable fix —
USER_PASSWORD_AUTHflow is not enabled on this Cognito client (InvalidParameterException).Reported by:
User comment on issue 155:
#155 (comment)