chore: fast fail if loginWith phone is enabled but sms mfa is not (#1523)

Author: Amplifiyer

.changeset/wise-dragons-marry.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/auth-construct': patch
+---
+
+chore: fast fail if loginWith phone is enabled but sms mfa is not

packages/auth-construct/src/construct.test.ts

@@ -515,6 +515,41 @@ void describe('Auth construct', () => {
     );
   });
 
+  void it('throws error if sms MFA is not enabled with phone login', () => {
+    assert.throws(
+      () =>
+        new AmplifyAuth(new Stack(new App()), 'test', {
+          loginWith: {
+            phone: true,
+          },
+          multifactor: {
+            mode: 'OPTIONAL',
+            totp: true,
+          },
+        }),
+      {
+        message:
+          'Invalid MFA settings. SMS must be enabled in multiFactor if loginWith phone is enabled',
+      }
+    );
+    assert.throws(
+      () =>
+        new AmplifyAuth(new Stack(new App()), 'test', {
+          loginWith: {
+            phone: true,
+          },
+          multifactor: {
+            mode: 'REQUIRED',
+            totp: true,
+          },
+        }),
+      {
+        message:
+          'Invalid MFA settings. SMS must be enabled in multiFactor if loginWith phone is enabled',
+      }
+    );
+  });
+
   void it('requires email attribute if email is enabled', () => {
     const app = new App();
     const stack = new Stack(app);

packages/auth-construct/src/construct.ts

@@ -11,6 +11,7 @@ import {
   CfnUserPoolClient,
   CfnUserPoolGroup,
   Mfa,
+  MfaSecondFactor,
   OAuthScope,
   OidcAttributeRequestMethod,
   ProviderAttribute,
@@ -375,6 +376,16 @@ export class AmplifyAuth
         smsMessage: smsMessage,
       };
     }
+    const mfaType = this.getMFAType(props.multifactor);
+    const mfaMode = this.getMFAMode(props.multifactor);
+
+    // If phone login is enabled along with MFA, cognito requires that mfa SMS type to be enabled.
+    if (phoneEnabled && mfaMode && mfaMode !== 'OFF' && !mfaType?.sms) {
+      throw Error(
+        'Invalid MFA settings. SMS must be enabled in multiFactor if loginWith phone is enabled'
+      );
+    }
+
     const userPoolProps: UserPoolProps = {
       signInCaseSensitive: DEFAULTS.SIGN_IN_CASE_SENSITIVE,
       signInAliases: {
@@ -397,16 +408,9 @@ export class AmplifyAuth
         ...(props.userAttributes ? props.userAttributes : {}),
       },
       selfSignUpEnabled: DEFAULTS.ALLOW_SELF_SIGN_UP,
-      mfa: this.getMFAMode(props.multifactor),
+      mfa: mfaMode,
       mfaMessage: this.getMFAMessage(props.multifactor),
-      mfaSecondFactor:
-        typeof props.multifactor === 'object' &&
-        props.multifactor.mode !== 'OFF'
-          ? {
-              sms: props.multifactor.sms ? true : false,
-              otp: props.multifactor.totp ? true : false,
-            }
-          : undefined,
+      mfaSecondFactor: mfaType,
       accountRecovery: this.getAccountRecoverySetting(
         emailEnabled,
         phoneEnabled,
@@ -542,10 +546,10 @@ export class AmplifyAuth
   };
 
   /**
-   * Convert user friendly Mfa mode to cognito Mfa type.
+   * Convert user friendly Mfa mode to cognito Mfa Mode.
    * This eliminates the need for users to import cognito.Mfa.
    * @param mfa - MFA settings
-   * @returns cognito MFA enforcement type
+   * @returns cognito MFA enforcement mode
    */
   private getMFAMode = (mfa: AuthProps['multifactor']): Mfa | undefined => {
     if (mfa) {
@@ -561,6 +565,23 @@ export class AmplifyAuth
     return undefined;
   };
 
+  /**
+   * Convert user friendly Mfa type to cognito Mfa type.
+   * This eliminates the need for users to import cognito.Mfa.
+   * @param mfa - MFA settings
+   * @returns cognito MFA type (sms or totp)
+   */
+  private getMFAType = (
+    mfa: AuthProps['multifactor']
+  ): MfaSecondFactor | undefined => {
+    return typeof mfa === 'object' && mfa.mode !== 'OFF'
+      ? {
+          sms: mfa.sms ? true : false,
+          otp: mfa.totp ? true : false,
+        }
+      : undefined;
+  };
+
   /**
    * Convert user friendly account recovery method to cognito AccountRecover enum.
    * This eliminates the need for users to import cognito.AccountRecovery.