I'm working with a custom auth flow that follows this flow:
SRP -> New password (if it's the user's first login) -> SMS MFA -> custom challenge to accept T&Cs
The flow works properly when there's no new password required step, but when I respond to the SMS_MFA challenge right after having changed the password in the NEW_PASSWORD_CHANGE challenge, I get this error:
"Invalid session for the user, session can only be used once mfa cognito"
In the RespondToAuthChallenge call that responds to the SMS_MFA challenge, I'm passing the Session token that was returned by the NEW_PASSWORD_CHANGE response. I've also tried passing no Session token in the SMS_MFA request, but that triggers an error stating that the Session field is missing. I also thought about returning the user to the initial login screen right after they change their password so that the auth flow is started from scratch, but I haven't found a way to stop the custom auth flow from sending the SMS OTP message after the new password change (the DefineAuthChallenge Lambda is only called after the SRP_A challenge and after the SMS_MFA challenge are responded to; the NEW_PASSWORD_CHANGE response doesn't trigger said Lambda).
I'm using the JavaScript v3 SDK.