Update generated code (#1807)

* update generated code

* fix psalm

---------

Co-authored-by: Jérémy Derussé <[email protected]>

Author: async-aws-bot

manifest.json

@@ -1,6 +1,6 @@
 {
     "variables": {
-        "${LATEST}": "3.329.0"
+        "${LATEST}": "3.330.0"
     },
     "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json",
     "services": {

psalm.baseline.xml

@@ -312,4 +312,12 @@
       <code><![CDATA[list<Architecture::*>]]></code>
     </MoreSpecificReturnType>
   </file>
+  <file src="src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php">
+    <LessSpecificReturnStatement>
+      <code><![CDATA[$items]]></code>
+    </LessSpecificReturnStatement>
+    <MoreSpecificReturnType>
+      <code><![CDATA[list<ChallengeNameType::*>]]></code>
+    </MoreSpecificReturnType>
+  </file>
 </files>

src/Service/CognitoIdentityProvider/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## NOT RELEASED
 
+### Added
+
+- AWS api-change: Add support for users to sign up and sign in without passwords, using email and SMS OTPs and Passkeys. Add support for Passkeys based on WebAuthn. Add support for enhanced branding customization for hosted authentication pages with Amazon Cognito Managed Login. Add feature tiers with new pricing.
+
 ### Changed
 
 - use strict comparison `null !==` instead of `!`

src/Service/CognitoIdentityProvider/composer.json

@@ -28,7 +28,7 @@
     },
     "extra": {
         "branch-alias": {
-            "dev-master": "1.9-dev"
+            "dev-master": "1.10-dev"
         }
     }
 }

src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php

@@ -9,6 +9,7 @@ final class AuthFlowType
     public const CUSTOM_AUTH = 'CUSTOM_AUTH';
     public const REFRESH_TOKEN = 'REFRESH_TOKEN';
     public const REFRESH_TOKEN_AUTH = 'REFRESH_TOKEN_AUTH';
+    public const USER_AUTH = 'USER_AUTH';
     public const USER_PASSWORD_AUTH = 'USER_PASSWORD_AUTH';
     public const USER_SRP_AUTH = 'USER_SRP_AUTH';
 
@@ -20,6 +21,7 @@ public static function exists(string $value): bool
             self::CUSTOM_AUTH => true,
             self::REFRESH_TOKEN => true,
             self::REFRESH_TOKEN_AUTH => true,
+            self::USER_AUTH => true,
             self::USER_PASSWORD_AUTH => true,
             self::USER_SRP_AUTH => true,
         ][$value]);

src/Service/CognitoIdentityProvider/src/Enum/AuthFlowType.php

@@ -11,10 +11,15 @@ final class ChallengeNameType
     public const EMAIL_OTP = 'EMAIL_OTP';
     public const MFA_SETUP = 'MFA_SETUP';
     public const NEW_PASSWORD_REQUIRED = 'NEW_PASSWORD_REQUIRED';
+    public const PASSWORD = 'PASSWORD';
+    public const PASSWORD_SRP = 'PASSWORD_SRP';
     public const PASSWORD_VERIFIER = 'PASSWORD_VERIFIER';
+    public const SELECT_CHALLENGE = 'SELECT_CHALLENGE';
     public const SELECT_MFA_TYPE = 'SELECT_MFA_TYPE';
     public const SMS_MFA = 'SMS_MFA';
+    public const SMS_OTP = 'SMS_OTP';
     public const SOFTWARE_TOKEN_MFA = 'SOFTWARE_TOKEN_MFA';
+    public const WEB_AUTHN = 'WEB_AUTHN';
 
     public static function exists(string $value): bool
     {
@@ -26,10 +31,15 @@ public static function exists(string $value): bool
             self::EMAIL_OTP => true,
             self::MFA_SETUP => true,
             self::NEW_PASSWORD_REQUIRED => true,
+            self::PASSWORD => true,
+            self::PASSWORD_SRP => true,
             self::PASSWORD_VERIFIER => true,
+            self::SELECT_CHALLENGE => true,
             self::SELECT_MFA_TYPE => true,
             self::SMS_MFA => true,
+            self::SMS_OTP => true,
             self::SOFTWARE_TOKEN_MFA => true,
+            self::WEB_AUTHN => true,
         ][$value]);
     }
 }

src/Service/CognitoIdentityProvider/src/Enum/ChallengeNameType.php

@@ -3,10 +3,29 @@
 namespace AsyncAws\CognitoIdentityProvider\Exception;
 
 use AsyncAws\Core\Exception\Http\ClientException;
+use Symfony\Contracts\HttpClient\ResponseInterface;
 
 /**
  * This exception is thrown when the Amazon Cognito service encounters an invalid parameter.
  */
 final class InvalidParameterException extends ClientException
 {
+    /**
+     * The reason code of the exception.
+     *
+     * @var string|null
+     */
+    private $reasonCode;
+
+    public function getReasonCode(): ?string
+    {
+        return $this->reasonCode;
+    }
+
+    protected function populateResult(ResponseInterface $response): void
+    {
+        $data = $response->toArray(false);
+
+        $this->reasonCode = isset($data['reasonCode']) ? (string) $data['reasonCode'] : null;
+    }
 }

src/Service/CognitoIdentityProvider/src/Exception/InvalidParameterException.php

@@ -11,7 +11,7 @@
 use AsyncAws\Core\Stream\StreamFactory;
 
 /**
- * Represents the request to create a user in the specified user pool.
+ * Creates a new user in the specified user pool.
  */
 final class AdminCreateUserRequest extends Input
 {
@@ -55,6 +55,10 @@ final class AdminCreateUserRequest extends Input
      * this in your call to AdminCreateUser or in the **Users** tab of the Amazon Cognito console for managing your user
      * pools.
      *
+     * You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an
+     * email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you
+     * don't submit a `TemporaryPassword`.
+     *
      * In your call to `AdminCreateUser`, you can set the `email_verified` attribute to `True`, and you can set the
      * `phone_number_verified` attribute to `True`. You can also do this by calling AdminUpdateUserAttributes [^1].
      *
@@ -92,15 +96,25 @@ final class AdminCreateUserRequest extends Input
      * The user's temporary password. This password must conform to the password policy that you specified when you created
      * the user pool.
      *
+     * The exception to the requirement for a password is when your user pool supports passwordless sign-in with email or
+     * SMS OTPs. To create a user with no password, omit this parameter or submit a blank value. You can only create a
+     * passwordless user when passwordless sign-in is available. See the SignInPolicyType [^1] property of CreateUserPool
+     * [^2] and UpdateUserPool [^3].
+     *
      * The temporary password is valid only once. To complete the Admin Create User flow, the user must enter the temporary
      * password in the sign-in page, along with a new password to be used in all future sign-ins.
      *
-     * This parameter isn't required. If you don't specify a value, Amazon Cognito generates one for you.
+     * If you don't specify a value, Amazon Cognito generates one for you unless you have passwordless options active for
+     * your user pool.
      *
      * The temporary password can only be used until the user account expiration limit that you set for your user pool. To
      * reset the account after that time limit, you must call `AdminCreateUser` again and specify `RESEND` for the
      * `MessageAction` parameter.
      *
+     * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html
+     * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html
+     * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html
+     *
      * @var string|null
      */
     private $temporaryPassword;

src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php

@@ -34,24 +34,48 @@ final class AdminInitiateAuthRequest extends Input
     private $clientId;
 
     /**
-     * The authentication flow for this call to run. The API action will depend on this value. For example:
+     * The authentication flow that you want to initiate. The `AuthParameters` that you must submit are linked to the flow
+     * that you submit. For example:
      *
-     * - `REFRESH_TOKEN_AUTH` will take in a valid refresh token and return new tokens.
-     * - `USER_SRP_AUTH` will take in `USERNAME` and `SRP_A` and return the Secure Remote Password (SRP) protocol variables
-     *   to be used for next challenge execution.
-     * - `ADMIN_USER_PASSWORD_AUTH` will take in `USERNAME` and `PASSWORD` and return the next challenge or tokens.
+     * - `USER_AUTH`: Request a preferred authentication type or review available authentication types. From the offered
+     *   authentication types, select one in a challenge response and then authenticate with that method in an additional
+     *   challenge response.
+     * - `REFRESH_TOKEN_AUTH`: Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid
+     *   refresh token as the value.
+     * - `USER_SRP_AUTH`: Receive secure remote password (SRP) variables for the next challenge, `PASSWORD_VERIFIER`, when
+     *   you pass `USERNAME` and `SRP_A` parameters..
+     * - `ADMIN_USER_PASSWORD_AUTH`: Receive new tokens or the next challenge, for example `SOFTWARE_TOKEN_MFA`, when you
+     *   pass `USERNAME` and `PASSWORD` parameters.
      *
-     * Valid values include:
+     * Valid values include the following:
      *
-     * - `USER_SRP_AUTH`: Authentication flow for the Secure Remote Password (SRP) protocol.
-     * - `REFRESH_TOKEN_AUTH`/`REFRESH_TOKEN`: Authentication flow for refreshing the access token and ID token by supplying
-     *   a valid refresh token.
-     * - `CUSTOM_AUTH`: Custom authentication flow.
-     * - `ADMIN_NO_SRP_AUTH`: Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is
-     *   enabled for calling the app client.
-     * - `ADMIN_USER_PASSWORD_AUTH`: Admin-based user password authentication. This replaces the `ADMIN_NO_SRP_AUTH`
-     *   authentication flow. In this flow, Amazon Cognito receives the password in the request instead of using the SRP
-     *   process to verify passwords.
+     * - `USER_AUTH`:
+     *
+     *   The entry point for sign-in with passwords, one-time passwords, biometric devices, and security keys.
+     * - `USER_SRP_AUTH`:
+     *
+     *   Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP
+     *   password verification in custom authentication flow [^1].
+     * - `REFRESH_TOKEN_AUTH and REFRESH_TOKEN`:
+     *
+     *   Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh
+     *   token [^2].
+     * - `CUSTOM_AUTH`:
+     *
+     *   Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda
+     *   triggers [^3].
+     * - `ADMIN_USER_PASSWORD_AUTH`:
+     *
+     *   Username-password authentication with the password sent directly in the request. For more information, see Admin
+     *   authentication flow [^4].
+     *
+     * `USER_PASSWORD_AUTH` is a flow type of InitiateAuth [^5] and isn't valid for AdminInitiateAuth.
+     *
+     * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow
+     * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html
+     * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
+     * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges
+     * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
      *
      * @required
      *
@@ -63,6 +87,9 @@ final class AdminInitiateAuthRequest extends Input
      * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. The required
      * values depend on the value of `AuthFlow`:
      *
+     * - For `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for
+     *   `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the
+     *   available sign-in methods.
      * - For `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is
      *   configured with a client secret), `DEVICE_KEY`.
      * - For `ADMIN_USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app
@@ -107,6 +134,8 @@ final class AdminInitiateAuthRequest extends Input
      * - Pre token generation
      * - Create auth challenge
      * - Define auth challenge
+     * - Custom email sender
+     * - Custom SMS sender
      *
      * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer
      * Guide*.
@@ -142,6 +171,14 @@ final class AdminInitiateAuthRequest extends Input
      */
     private $contextData;
 
+    /**
+     * The optional session ID from a `ConfirmSignUp` API request. You can sign in a user directly from the sign-up process
+     * with the `USER_AUTH` authentication flow.
+     *
+     * @var string|null
+     */
+    private $session;
+
     /**
      * @param array{
      *   UserPoolId?: string,
@@ -151,6 +188,7 @@ final class AdminInitiateAuthRequest extends Input
      *   ClientMetadata?: null|array<string, string>,
      *   AnalyticsMetadata?: null|AnalyticsMetadataType|array,
      *   ContextData?: null|ContextDataType|array,
+     *   Session?: null|string,
      *   '@region'?: string|null,
      * } $input
      */
@@ -163,6 +201,7 @@ public function __construct(array $input = [])
         $this->clientMetadata = $input['ClientMetadata'] ?? null;
         $this->analyticsMetadata = isset($input['AnalyticsMetadata']) ? AnalyticsMetadataType::create($input['AnalyticsMetadata']) : null;
         $this->contextData = isset($input['ContextData']) ? ContextDataType::create($input['ContextData']) : null;
+        $this->session = $input['Session'] ?? null;
         parent::__construct($input);
     }
 
@@ -175,6 +214,7 @@ public function __construct(array $input = [])
      *   ClientMetadata?: null|array<string, string>,
      *   AnalyticsMetadata?: null|AnalyticsMetadataType|array,
      *   ContextData?: null|ContextDataType|array,
+     *   Session?: null|string,
      *   '@region'?: string|null,
      * }|AdminInitiateAuthRequest $input
      */
@@ -222,6 +262,11 @@ public function getContextData(): ?ContextDataType
         return $this->contextData;
     }
 
+    public function getSession(): ?string
+    {
+        return $this->session;
+    }
+
     public function getUserPoolId(): ?string
     {
         return $this->userPoolId;
@@ -304,6 +349,13 @@ public function setContextData(?ContextDataType $value): self
         return $this;
     }
 
+    public function setSession(?string $value): self
+    {
+        $this->session = $value;
+
+        return $this;
+    }
+
     public function setUserPoolId(?string $value): self
     {
         $this->userPoolId = $value;
@@ -355,6 +407,9 @@ private function requestBody(): array
         if (null !== $v = $this->contextData) {
             $payload['ContextData'] = $v->requestBody();
         }
+        if (null !== $v = $this->session) {
+            $payload['Session'] = $v;
+        }
 
         return $payload;
     }