diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f9eb17..d722440 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ ### Added - AWS api-change: Added `PasswordHistoryPolicyViolationException` exception. +- AWS api-change: Added email MFA option to user pools with advanced security features. ### Changed diff --git a/src/CognitoIdentityProviderClient.php b/src/CognitoIdentityProviderClient.php index ae4e31a..57ee3d1 100644 --- a/src/CognitoIdentityProviderClient.php +++ b/src/CognitoIdentityProviderClient.php @@ -99,6 +99,7 @@ use AsyncAws\CognitoIdentityProvider\ValueObject\AnalyticsMetadataType; use AsyncAws\CognitoIdentityProvider\ValueObject\AttributeType; use AsyncAws\CognitoIdentityProvider\ValueObject\ContextDataType; +use AsyncAws\CognitoIdentityProvider\ValueObject\EmailMfaSettingsType; use AsyncAws\CognitoIdentityProvider\ValueObject\SMSMfaSettingsType; use AsyncAws\CognitoIdentityProvider\ValueObject\SoftwareTokenMfaSettingsType; use AsyncAws\CognitoIdentityProvider\ValueObject\UserContextDataType; 
@@ -236,11 +237,11 @@ public function adminConfirmSignUp($input): AdminConfirmSignUpResponse
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^3] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^3] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * This message is based on a template that you configured in your call to create or update a user pool. This template
 * includes your custom sign-up instructions and placeholders for user name and temporary password.
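Review bot: The re-wrapped SMS sandbox paragraph now reads `Amazon Web Servicesservice`; the space between the two words was lost, and the first added line should read `Amazon Web Services service, Amazon Simple`. The same regression is in every other hunk of this file that re-wraps this paragraph (the ones headed adminGetUser, adminRemoveUserFromGroup, adminSetUserPassword, createGroup, getUser, listUsers, resendConfirmationCode and setUserMfaPreference). If these docblocks are produced from an upstream service description, the correction probably belongs there rather than in this file.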
@@ -522,11 +523,11 @@ public function adminGetUser($input): AdminGetUserResponse
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^3] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^3] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this
 * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM
@@ -569,6 +570,7 @@ public function adminGetUser($input): AdminGetUserResponse
 * @throws InvalidLambdaResponseException
 * @throws MFAMethodNotFoundException
 * @throws InvalidSmsRoleAccessPolicyException
+ * @throws InvalidEmailRoleAccessPolicyException
 * @throws InvalidSmsRoleTrustRelationshipException
 * @throws PasswordResetRequiredException
 * @throws UserNotFoundException
@@ -589,6 +591,7 @@ public function adminInitiateAuth($input): AdminInitiateAuthResponse
 'InvalidLambdaResponseException' => InvalidLambdaResponseException::class,
 'MFAMethodNotFoundException' => MFAMethodNotFoundException::class,
 'InvalidSmsRoleAccessPolicyException' => InvalidSmsRoleAccessPolicyException::class,
+ 'InvalidEmailRoleAccessPolicyException' => InvalidEmailRoleAccessPolicyException::class,
 'InvalidSmsRoleTrustRelationshipException' => InvalidSmsRoleTrustRelationshipException::class,
 'PasswordResetRequiredException' => PasswordResetRequiredException::class,
 'UserNotFoundException' => UserNotFoundException::class,
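Review bot: `InvalidEmailRoleAccessPolicyException::class` is mapped here, but the only `use` line this commit adds to the file is the one for `EmailMfaSettingsType`, so the mapping relies on the exception class already being imported. That is worth confirming, because an unimported name in a `::class` expression resolves silently against the current namespace and would only fail when the service actually returns this error on a sign-in call. The same check covers the mappings added under the `initiateAuth` and `respondToAuthChallenge` hunk headers. The array this entry belongs to starts and ends outside the hunk.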
@@ -658,11 +661,11 @@ public function adminRemoveUserFromGroup($input): Result
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^4] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^4] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * Deactivates a user's password, requiring them to change it. If a user tries to sign in after the API is called,
 * Amazon Cognito responds with a `PasswordResetRequiredException` error. Your app must then perform the actions that
@@ -810,11 +813,11 @@ public function adminSetUserPassword($input): AdminSetUserPasswordResponse
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^3] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^3] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user. To
 * delete an attribute from your user, submit the attribute in your API request with a blank value.
@@ -1283,11 +1286,11 @@ public function createGroup($input): CreateGroupResponse
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^6]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^7] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^6]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^7] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html
 * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html
@@ -1414,11 +1417,11 @@ public function getUser($input): GetUserResponse
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^5] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^5] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html
 * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
@@ -1452,6 +1455,7 @@ public function getUser($input): GetUserResponse
 * @throws UserNotConfirmedException
 * @throws InternalErrorException
 * @throws InvalidSmsRoleAccessPolicyException
+ * @throws InvalidEmailRoleAccessPolicyException
 * @throws InvalidSmsRoleTrustRelationshipException
 * @throws ForbiddenException
 */
@@ -1472,6 +1476,7 @@ public function initiateAuth($input): InitiateAuthResponse
 'UserNotConfirmedException' => UserNotConfirmedException::class,
 'InternalErrorException' => InternalErrorException::class,
 'InvalidSmsRoleAccessPolicyException' => InvalidSmsRoleAccessPolicyException::class,
+ 'InvalidEmailRoleAccessPolicyException' => InvalidEmailRoleAccessPolicyException::class,
 'InvalidSmsRoleTrustRelationshipException' => InvalidSmsRoleTrustRelationshipException::class,
 'ForbiddenException' => ForbiddenException::class,
 ]]));
@@ -1587,11 +1592,11 @@ public function listUsers($input): ListUsersResponse
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^4] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^4] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
 * [^2]: https://console.aws.amazon.com/pinpoint/home/
@@ -1671,11 +1676,11 @@ public function resendConfirmationCode($input): ResendConfirmationCodeResponse
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^5] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^5] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
 * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
@@ -1715,6 +1720,7 @@ public function resendConfirmationCode($input): ResendConfirmationCodeResponse
 * @throws UserNotConfirmedException
 * @throws InvalidSmsRoleAccessPolicyException
 * @throws InvalidSmsRoleTrustRelationshipException
+ * @throws InvalidEmailRoleAccessPolicyException
 * @throws AliasExistsException
 * @throws InternalErrorException
 * @throws SoftwareTokenMFANotFoundException
@@ -1742,6 +1748,7 @@ public function respondToAuthChallenge($input): RespondToAuthChallengeResponse
 'UserNotConfirmedException' => UserNotConfirmedException::class,
 'InvalidSmsRoleAccessPolicyException' => InvalidSmsRoleAccessPolicyException::class,
 'InvalidSmsRoleTrustRelationshipException' => InvalidSmsRoleTrustRelationshipException::class,
+ 'InvalidEmailRoleAccessPolicyException' => InvalidEmailRoleAccessPolicyException::class,
 'AliasExistsException' => AliasExistsException::class,
 'InternalErrorException' => InternalErrorException::class,
 'SoftwareTokenMFANotFoundException' => SoftwareTokenMFANotFoundException::class,
@@ -1822,6 +1829,7 @@ public function revokeToken($input): RevokeTokenResponse
 * @param array{
 * SMSMfaSettings?: null|SMSMfaSettingsType|array,
 * SoftwareTokenMfaSettings?: null|SoftwareTokenMfaSettingsType|array,
+ * EmailMfaSettings?: null|EmailMfaSettingsType|array,
 * AccessToken: string,
 * '@region'?: string|null,
 * }|SetUserMFAPreferenceRequest $input
@@ -1866,11 +1874,11 @@ public function setUserMfaPreference($input): SetUserMFAPreferenceResponse
 * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up,
 * > activate their accounts, or sign in.
 * >
- * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon
- * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send
- * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out
- * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools
- * > [^4] in the *Amazon Cognito Developer Guide*.
+ * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple
+ * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send messages
+ * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the
+ * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^4] in
+ * > the *Amazon Cognito Developer Guide*.
 *
 * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
 * [^2]: https://console.aws.amazon.com/pinpoint/home/
diff --git a/src/Enum/ChallengeNameType.php b/src/Enum/ChallengeNameType.php
index a7a87fd..cafb176 100644
--- a/src/Enum/ChallengeNameType.php
+++ b/src/Enum/ChallengeNameType.php
@@ -8,6 +8,7 @@ final class ChallengeNameType
 public const CUSTOM_CHALLENGE = 'CUSTOM_CHALLENGE';
 public const DEVICE_PASSWORD_VERIFIER = 'DEVICE_PASSWORD_VERIFIER';
 public const DEVICE_SRP_AUTH = 'DEVICE_SRP_AUTH';
+ public const EMAIL_OTP = 'EMAIL_OTP';
 public const MFA_SETUP = 'MFA_SETUP';
 public const NEW_PASSWORD_REQUIRED = 'NEW_PASSWORD_REQUIRED';
 public const PASSWORD_VERIFIER = 'PASSWORD_VERIFIER';
@@ -22,6 +23,7 @@ public static function exists(string $value): bool
 self::CUSTOM_CHALLENGE => true,
 self::DEVICE_PASSWORD_VERIFIER => true,
 self::DEVICE_SRP_AUTH => true,
+ self::EMAIL_OTP => true,
 self::MFA_SETUP => true,
 self::NEW_PASSWORD_REQUIRED => true,
 self::PASSWORD_VERIFIER => true,
diff --git a/src/Input/RespondToAuthChallengeRequest.php b/src/Input/RespondToAuthChallengeRequest.php
index 4ad6004..6e02bcd 100644
--- a/src/Input/RespondToAuthChallengeRequest.php
+++ b/src/Input/RespondToAuthChallengeRequest.php
@@ -55,9 +55,16 @@ final class RespondToAuthChallengeRequest extends Input
 *
 * - `SMS_MFA`:
 *
- * `"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[SMS_code]", "USERNAME": "[username]"}`
+ * `"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}`
+ * - `EMAIL_OTP`:
+ *
+ * `"ChallengeName": "EMAIL_OTP", "ChallengeResponses": {"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}`
 * - `PASSWORD_VERIFIER`:
 *
+ * This challenge response is part of the SRP flow. Amazon Cognito requires that your application respond to this
+ * challenge within a few seconds. When the response time exceeds this period, your user pool returns a
+ * `NotAuthorizedException` error.
+ *
 * `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
 * "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}`
 *
diff --git a/src/Input/SetUserMFAPreferenceRequest.php b/src/Input/SetUserMFAPreferenceRequest.php index 098bd19..a0944fa 100644 --- a/src/Input/SetUserMFAPreferenceRequest.php +++ b/src/Input/SetUserMFAPreferenceRequest.php @@ -2,6 +2,7 @@ namespace AsyncAws\CognitoIdentityProvider\Input; +use AsyncAws\CognitoIdentityProvider\ValueObject\EmailMfaSettingsType; use AsyncAws\CognitoIdentityProvider\ValueObject\SMSMfaSettingsType; use AsyncAws\CognitoIdentityProvider\ValueObject\SoftwareTokenMfaSettingsType; use AsyncAws\Core\Exception\InvalidArgument; @@ -12,19 +13,32 @@ final class SetUserMFAPreferenceRequest extends Input { /** - * The SMS text message multi-factor authentication (MFA) settings. + * User preferences for SMS message MFA. Activates or deactivates SMS MFA and sets it as the preferred MFA method when + * multiple methods are available. * * @var SMSMfaSettingsType|null */ private $smsMfaSettings; /** - * The time-based one-time password (TOTP) software token MFA settings. + * User preferences for time-based one-time password (TOTP) MFA. Activates or deactivates TOTP MFA and sets it as the + * preferred MFA method when multiple methods are available. * * @var SoftwareTokenMfaSettingsType|null */ private $softwareTokenMfaSettings; + /** + * User preferences for email message MFA. Activates or deactivates email MFA and sets it as the preferred MFA method + * when multiple methods are available. To activate this setting, advanced security features [^1] must be active in your + * user pool. + * + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html + * + * @var EmailMfaSettingsType|null + */ + private $emailMfaSettings; + /** * A valid access token that Amazon Cognito issued to the user whose MFA preference you want to set. * 
@@ -38,6 +52,7 @@ final class SetUserMFAPreferenceRequest extends Input * @param array{ * SMSMfaSettings?: null|SMSMfaSettingsType|array, * SoftwareTokenMfaSettings?: null|SoftwareTokenMfaSettingsType|array, + * EmailMfaSettings?: null|EmailMfaSettingsType|array, * AccessToken?: string, * '@region'?: string|null, * } $input @@ -46,6 +61,7 @@ public function __construct(array $input = []) { $this->smsMfaSettings = isset($input['SMSMfaSettings']) ? SMSMfaSettingsType::create($input['SMSMfaSettings']) : null; $this->softwareTokenMfaSettings = isset($input['SoftwareTokenMfaSettings']) ? SoftwareTokenMfaSettingsType::create($input['SoftwareTokenMfaSettings']) : null; + $this->emailMfaSettings = isset($input['EmailMfaSettings']) ? EmailMfaSettingsType::create($input['EmailMfaSettings']) : null; $this->accessToken = $input['AccessToken'] ?? null; parent::__construct($input); } @@ -54,6 +70,7 @@ public function __construct(array $input = []) * @param array{ * SMSMfaSettings?: null|SMSMfaSettingsType|array, * SoftwareTokenMfaSettings?: null|SoftwareTokenMfaSettingsType|array, + * EmailMfaSettings?: null|EmailMfaSettingsType|array, * AccessToken?: string, * '@region'?: string|null, * }|SetUserMFAPreferenceRequest $input @@ -68,6 +85,11 @@ public function getAccessToken(): ?string return $this->accessToken; } + public function getEmailMfaSettings(): ?EmailMfaSettingsType + { + return $this->emailMfaSettings; + } + public function getSmsMfaSettings(): ?SMSMfaSettingsType { return $this->smsMfaSettings; @@ -111,6 +133,13 @@ public function setAccessToken(?string $value): self return $this; } + public function setEmailMfaSettings(?EmailMfaSettingsType $value): self + { + $this->emailMfaSettings = $value; + + return $this; + } + public function setSmsMfaSettings(?SMSMfaSettingsType $value): self { $this->smsMfaSettings = $value; 
@@ -134,6 +163,9 @@ private function requestBody(): array if (null !== $v = $this->softwareTokenMfaSettings) { $payload['SoftwareTokenMfaSettings'] = $v->requestBody(); } + if (null !== $v = $this->emailMfaSettings) { + $payload['EmailMfaSettings'] = $v->requestBody(); + } if (null === $v = $this->accessToken) { throw new InvalidArgument(\sprintf('Missing parameter "AccessToken" for "%s". The value cannot be null.', __CLASS__)); } diff --git a/src/Result/AdminGetUserResponse.php b/src/Result/AdminGetUserResponse.php index 28712ff..1e2da15 100644 --- a/src/Result/AdminGetUserResponse.php +++ b/src/Result/AdminGetUserResponse.php @@ -81,7 +81,7 @@ class AdminGetUserResponse extends Result private $preferredMfaSetting; /** - * The MFA options that are activated for the user. The possible values in this list are `SMS_MFA` and + * The MFA options that are activated for the user. The possible values in this list are `SMS_MFA`, `EMAIL_OTP`, and * `SOFTWARE_TOKEN_MFA`. * * @var string[] diff --git a/src/Result/AdminInitiateAuthResponse.php b/src/Result/AdminInitiateAuthResponse.php index ad5751e..f5c1734 100644 --- a/src/Result/AdminInitiateAuthResponse.php +++ b/src/Result/AdminInitiateAuthResponse.php 
@@ -19,9 +19,10 @@ class AdminInitiateAuthResponse extends Result * * - `MFA_SETUP`: If MFA is required, users who don't have at least one of the MFA methods set up are presented with an * `MFA_SETUP` challenge. The user must set up at least one MFA type to continue to authenticate. - * - `SELECT_MFA_TYPE`: Selects the MFA type. Valid MFA options are `SMS_MFA` for text SMS MFA, and `SOFTWARE_TOKEN_MFA` - * for time-based one-time password (TOTP) software token MFA. - * - `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`, delivered via SMS. + * - `SELECT_MFA_TYPE`: Selects the MFA type. Valid MFA options are `SMS_MFA` for SMS message MFA, `EMAIL_OTP` for email + * message MFA, and `SOFTWARE_TOKEN_MFA` for time-based one-time password (TOTP) software token MFA. + * - `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your user pool delivered in an SMS message. + * - `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that your user pool delivered in an email message. * - `PASSWORD_VERIFIER`: Next challenge is to supply `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and * `TIMESTAMP` after the client-side SRP calculations. * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass diff --git a/src/Result/GetUserResponse.php b/src/Result/GetUserResponse.php index d7a8940..1334cb1 100644 --- a/src/Result/GetUserResponse.php +++ b/src/Result/GetUserResponse.php @@ -45,7 +45,7 @@ class GetUserResponse extends Result private $preferredMfaSetting; /** - * The MFA options that are activated for the user. The possible values in this list are `SMS_MFA` and + * The MFA options that are activated for the user. The possible values in this list are `SMS_MFA`, `EMAIL_OTP`, and * `SOFTWARE_TOKEN_MFA`. * * @var string[] diff --git a/src/Result/InitiateAuthResponse.php b/src/Result/InitiateAuthResponse.php index e599693..d6b2b6e 100644 --- a/src/Result/InitiateAuthResponse.php 
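Review bot: The added `SMS_MFA` bullet has no space between the closing backtick of `SMS_MFA_CODE` and the word "that", so the sentence runs into the code span; the `EMAIL_OTP` bullet added directly below it has the space. The same slip is in the matching bullet of the InitiateAuthResponse docblock hunk. The docblock itself starts and ends outside this hunk.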
+++ b/src/Result/InitiateAuthResponse.php @@ -21,7 +21,8 @@ class InitiateAuthResponse extends Result * * > All of the following challenges require `USERNAME` and `SECRET_HASH` (if applicable) in the parameters. * - * - `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`, delivered via SMS. + * - `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your user pool delivered in an SMS message. + * - `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that your user pool delivered in an email message. * - `PASSWORD_VERIFIER`: Next challenge is to supply `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and * `TIMESTAMP` after the client-side SRP calculations. * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass diff --git a/src/ValueObject/EmailMfaSettingsType.php b/src/ValueObject/EmailMfaSettingsType.php new file mode 100644 index 0000000..09bdc51 --- /dev/null +++ b/src/ValueObject/EmailMfaSettingsType.php @@ -0,0 +1,78 @@ +enabled = $input['Enabled'] ?? null; + $this->preferredMfa = $input['PreferredMfa'] ?? null; + } + + /** + * @param array{ + * Enabled?: null|bool, + * PreferredMfa?: null|bool, + * }|EmailMfaSettingsType $input + */ + public static function create($input): self + { + return $input instanceof self ? $input : new self($input); + } + + public function getEnabled(): ?bool + { + return $this->enabled; + } + + public function getPreferredMfa(): ?bool + { + return $this->preferredMfa; + } + + /** + * @internal + */ + public function requestBody(): array + { + $payload = []; + if (null !== $v = $this->enabled) { + $payload['Enabled'] = (bool) $v; + } + if (null !== $v = $this->preferredMfa) { + $payload['PreferredMfa'] = (bool) $v; + } + + return $payload; + } +} diff --git a/src/ValueObject/SMSMfaSettingsType.php b/src/ValueObject/SMSMfaSettingsType.php index 13204a2..e12600a 100644 --- a/src/ValueObject/SMSMfaSettingsType.php 
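Review bot: `requestBody()` sends `(bool) $v` for `Enabled` and `PreferredMfa`, while the constructor stores `$input['Enabled'] ?? null` and `$input['PreferredMfa'] ?? null` without checking their type, so a non-boolean such as the string `'false'` would go out as `true`. For a setting that switches a second factor on or off, a silent flip is worth rejecting at construction, for example `if (isset($input['Enabled']) && !\is_bool($input['Enabled'])) { throw new \InvalidArgumentException('"Enabled" must be a boolean.'); }`, with the same guard for `PreferredMfa`. The top of this new file, including the constructor signature and the property declarations, is missing from the page, so any type enforcement there cannot be seen. SMSMfaSettingsType presumably follows the same pattern and would warrant the same check.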
+++ b/src/ValueObject/SMSMfaSettingsType.php @@ -12,8 +12,8 @@ final class SMSMfaSettingsType { /** - * Specifies whether SMS text message MFA is activated. If an MFA type is activated for a user, the user will be - * prompted for MFA during all sign-in attempts, unless device tracking is turned on and the device has been trusted. + * Specifies whether SMS message MFA is activated. If an MFA type is activated for a user, the user will be prompted for + * MFA during all sign-in attempts, unless device tracking is turned on and the device has been trusted. * * @var bool|null */