feat: add passwordless authentication support

Author: Ahmed Hamouda

.changeset/wise-crews-think.md

@@ -0,0 +1,8 @@
+---
+'@aws-amplify/integration-tests': minor
+'@aws-amplify/auth-construct': minor
+'@aws-amplify/backend-auth': minor
+'@aws-amplify/backend': minor
+---
+
+Added support for passwordless authentication

.eslint_dictionary.json

@@ -6,6 +6,7 @@
   "aggregator",
   "amazonaws",
   "amazoncognito",
+  "amplifyapp",
   "amplifyconfiguration",
   "ampx",
   "anonymize",
@@ -18,8 +19,10 @@
   "argv",
   "arn",
   "arns",
+  "authn",
   "aws",
   "backends",
+  "biometric",
   "birthdate",
   "bundler",
   "callee",
@@ -140,6 +143,7 @@
   "orchestrator",
   "outdir",
   "passthrough",
+  "passwordless",
   "pathname",
   "pipelined",
   "pnpm",
@@ -217,6 +221,7 @@
   "verifier",
   "versioned",
   "versioning",
+  "webauthn",
   "whoami",
   "wildcard",
   "wildcards",

package-lock.json

@@ -45,6 +45,7 @@ export type AuthProps = {
     loginWith: {
         email?: EmailLogin;
         phone?: PhoneNumberLogin;
+        webAuthn?: WebAuthnLogin;
         externalProviders?: ExternalProviderOptions;
     };
     senders?: {
@@ -108,6 +109,7 @@ export type EmailLoginSettings = (VerificationEmailWithLink | VerificationEmailW
         emailBody?: (username: () => string, code: () => string) => string;
         smsMessage?: (username: () => string, code: () => string) => string;
     };
+    otpLogin?: boolean;
 };
 
 // @public
@@ -178,6 +180,7 @@ export type OidcProviderProps = Omit<aws_cognito.UserPoolIdentityProviderOidcPro
 // @public
 export type PhoneNumberLogin = true | {
     verificationMessage?: (createCode: () => string) => string;
+    otpLogin?: boolean;
 };
 
 // @public
@@ -217,6 +220,15 @@ export type VerificationEmailWithLink = {
     verificationEmailSubject?: string;
 };
 
+// @public
+export type WebAuthnLogin = true | WebAuthnOptions;
+
+// @public
+export type WebAuthnOptions = {
+    relyingPartyId: string;
+    userVerification?: 'required' | 'preferred';
+};
+
 // (No @packageDocumentation comment for this package)
 
 ```

packages/auth-construct/API.md

@@ -25,6 +25,7 @@
   "dependencies": {
     "@aws-amplify/backend-output-schemas": "^1.7.1",
     "@aws-amplify/backend-output-storage": "^1.3.2",
+    "@aws-amplify/platform-core": "^1.10.2",
     "@aws-amplify/plugin-types": "^1.11.1",
     "@aws-sdk/util-arn-parser": "^3.723.0"
   },

packages/auth-construct/package.json

@@ -3144,4 +3144,190 @@ void describe('Auth construct', () => {
       UserPoolName: Match.absent(),
     });
   });
+
+  void describe('passwordless authentication', () => {
+    void it('configures email OTP when otpLogin is enabled', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          email: {
+            otpLogin: true,
+          },
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        Policies: {
+          SignInPolicy: {
+            AllowedFirstAuthFactors: ['PASSWORD', 'EMAIL_OTP'],
+          },
+        },
+      });
+      template.hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ExplicitAuthFlows: Match.arrayWith(['ALLOW_USER_AUTH']),
+      });
+    });
+
+    void it('configures SMS OTP when otpLogin is enabled', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          phone: {
+            otpLogin: true,
+          },
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        Policies: {
+          SignInPolicy: {
+            AllowedFirstAuthFactors: ['PASSWORD', 'SMS_OTP'],
+          },
+        },
+      });
+      template.hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ExplicitAuthFlows: Match.arrayWith(['ALLOW_USER_AUTH']),
+      });
+    });
+
+    void it('configures WebAuthn with default settings', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      stack.node.setContext('amplify-backend-type', 'sandbox');
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          email: true,
+          webAuthn: true,
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        Policies: {
+          SignInPolicy: {
+            AllowedFirstAuthFactors: ['PASSWORD', 'WEB_AUTHN'],
+          },
+        },
+        WebAuthnRelyingPartyID: 'localhost',
+        WebAuthnUserVerification: 'preferred',
+      });
+      template.hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ExplicitAuthFlows: Match.arrayWith(['ALLOW_USER_AUTH']),
+      });
+    });
+
+    void it('configures WebAuthn with custom settings', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          email: true,
+          webAuthn: {
+            relyingPartyId: 'example.com',
+            userVerification: 'required',
+          },
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        Policies: {
+          SignInPolicy: {
+            AllowedFirstAuthFactors: ['PASSWORD', 'WEB_AUTHN'],
+          },
+        },
+        WebAuthnRelyingPartyID: 'example.com',
+        WebAuthnUserVerification: 'required',
+      });
+    });
+
+    void it('configures all passwordless factors together', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          email: {
+            otpLogin: true,
+          },
+          phone: {
+            otpLogin: true,
+          },
+          webAuthn: {
+            relyingPartyId: 'example.com',
+          },
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        Policies: {
+          SignInPolicy: {
+            AllowedFirstAuthFactors: [
+              'PASSWORD',
+              'EMAIL_OTP',
+              'SMS_OTP',
+              'WEB_AUTHN',
+            ],
+          },
+        },
+        WebAuthnRelyingPartyID: 'example.com',
+        WebAuthnUserVerification: 'preferred',
+      });
+      template.hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ExplicitAuthFlows: Match.arrayWith(['ALLOW_USER_AUTH']),
+      });
+    });
+
+    void it('resolves AUTO to localhost in sandbox mode', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      stack.node.setContext('amplify-backend-type', 'sandbox');
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          email: true,
+          webAuthn: true,
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        WebAuthnRelyingPartyID: 'localhost',
+      });
+    });
+
+    void it('resolves AUTO to Amplify domain in branch mode', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      stack.node.setContext('amplify-backend-type', 'branch');
+      stack.node.setContext('amplify-backend-namespace', 'testProjectName');
+      stack.node.setContext('amplify-backend-name', 'main');
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          email: true,
+          webAuthn: true,
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        WebAuthnRelyingPartyID: 'main.testProjectName.amplifyapp.com',
+      });
+    });
+
+    void it('does not configure passwordless when not enabled', () => {
+      const app = new App();
+      const stack = new Stack(app);
+      new AmplifyAuth(stack, 'test', {
+        loginWith: {
+          email: true,
+        },
+      });
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::Cognito::UserPool', {
+        Policies: {
+          PasswordPolicy: Match.objectLike({}),
+          SignInPolicy: Match.absent(),
+        },
+        WebAuthnRelyingPartyID: Match.absent(),
+        WebAuthnUserVerification: Match.absent(),
+      });
+    });
+  });
 });