aws-amplify
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 1 deletion b/‎.gitignore‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎Amplify/Categories/Auth/AuthCategory+ClientBehavior.swift‎
Lines changed: 12 additions & 0 deletions b/‎Amplify/Categories/Auth/AuthCategory+ClientBehavior.swift‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎Amplify/Categories/Auth/AuthCategoryBehavior.swift‎
Lines changed: 21 additions & 0 deletions b/‎Amplify/Categories/Auth/AuthCategoryBehavior.swift‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎Amplify/Categories/Auth/Models/AuthSignInStep.swift‎
Lines changed: 16 additions & 0 deletions b/‎Amplify/Categories/Auth/Models/AuthSignInStep.swift‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎Amplify/Categories/Auth/Models/MFAType.swift‎
Lines changed: 15 additions & 0 deletions b/‎Amplify/Categories/Auth/Models/MFAType.swift‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎Amplify/Categories/Auth/Models/TOTPSetupDetails.swift‎
Lines changed: 42 additions & 0 deletions b/‎Amplify/Categories/Auth/Models/TOTPSetupDetails.swift‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎Amplify/Categories/Auth/Request/VerifyTOTPSetupRequest.swift‎
Lines changed: 40 additions & 0 deletions b/‎Amplify/Categories/Auth/Request/VerifyTOTPSetupRequest.swift‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/AWSCognitoAuthPlugin+Configure.swift‎
Lines changed: 0 additions & 1 deletion b/‎AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/AWSCognitoAuthPlugin+Configure.swift‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/AWSCognitoAuthPlugin+EscapeHatch.swift‎
Lines changed: 0 additions & 20 deletions b/‎AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/AWSCognitoAuthPlugin+EscapeHatch.swift‎
Lines changed: 0 additions & 20 deletions
diff --git a/‎AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/AWSCognitoAuthPlugin+PluginSpecificAPI.swift‎
Lines changed: 55 additions & 0 deletions b/‎AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/AWSCognitoAuthPlugin+PluginSpecificAPI.swift‎
Lines changed: 55 additions & 0 deletions
@@ -86,4 +86,5 @@ GraphQLModelBasedTests-amplifyconfiguration.json
 GraphQLWithIAMIntegrationTests-amplifyconfiguration.json
 GraphQLWithIAMIntegrationTests-credentials.json
 
-AWSDataStoreCategoryPluginIntegrationTests-amplifyconfiguration.json
+AWSDataStoreCategoryPluginIntegrationTests-amplifyconfiguration.json
+*.code-workspace
@@ -74,4 +74,16 @@ extension AuthCategory: AuthCategoryBehavior {
     ) async throws {
         try await plugin.confirmResetPassword(for: username, with: newPassword, confirmationCode: confirmationCode, options: options)
     }
+
+    public func setUpTOTP() async throws -> TOTPSetupDetails {
+        try await plugin.setUpTOTP()
+    }
+
+    public func verifyTOTPSetup(
+        code: String,
+        options: VerifyTOTPSetupRequest.Options? = nil
+    ) async throws {
+        try await plugin.verifyTOTPSetup(code: code, options: options)
+    }
+
 }
@@ -124,4 +124,25 @@ public protocol AuthCategoryBehavior: AuthCategoryUserBehavior, AuthCategoryDevi
     ///   - options: Parameters specific to plugin behavior
     func confirmResetPassword(for username: String, with newPassword: String, confirmationCode: String, options: AuthConfirmResetPasswordRequest.Options?) async throws
 
+    /// Initiates TOTP Setup
+    /// 
+    /// Invoke this operation to setup TOTP for the user while signed in.
+    /// Calling this method will initiate TOTP setup process and returns a shared secret that can be used to generate QR code. 
+    /// The setup details also contains a URI generator helper that can be used to retireve a TOTP Setup URI.
+    ///
+    func setUpTOTP() async throws -> TOTPSetupDetails
+
+    /// Verifies TOTP Setup
+    ///
+    /// Invoke this operation to verify TOTP setup for the user while signed in.
+    /// Calling this method with the verification code from the associated Authenticator app will complete the TOTP setup process.
+    ///
+    /// - Parameters:
+    ///   - code: verification code from the associated Authenticator app
+    ///   - options: Parameters specific to plugin behavior
+    func verifyTOTPSetup(
+        code: String,
+        options: VerifyTOTPSetupRequest.Options?
+    ) async throws
+
 }
@@ -5,6 +5,9 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+/// Set of allowed MFA types that would be used for continuing sign in during MFA selection step
+public typealias AllowedMFATypes = Set<MFAType>
+
 /// Auth SignIn flow steps
 ///
 ///
@@ -23,6 +26,19 @@ public enum AuthSignInStep {
     ///
     case confirmSignInWithNewPassword(AdditionalInfo?)
 
+    /// Auth step is TOTP multi factor authentication.
+    ///
+    /// Confirmation code for the MFA will be retrieved from the associated Authenticator app
+    case confirmSignInWithTOTPCode
+
+    /// Auth step is for continuing sign in by setting up TOTP multi factor authentication.
+    ///
+    case continueSignInWithTOTPSetup(TOTPSetupDetails)
+
+    /// Auth step is for continuing sign in by selecting multi factor authentication type
+    ///
+    case continueSignInWithMFASelection(AllowedMFATypes)
+
     /// Auth step required the user to change their password.
     ///
     case resetPassword(AdditionalInfo?)
 
@@ -0,0 +1,15 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+public enum MFAType: String {
+
+    /// Short Messaging Service linked with a phone number
+    case sms
+
+    /// Time-based One Time Password linked with an authenticator app
+    case totp
+}
@@ -0,0 +1,42 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import Foundation
+
+public struct TOTPSetupDetails {
+
+    /// Secret code returned by the service to help setting up TOTP
+    public let sharedSecret: String
+
+    /// username that will be used to construct the URI
+    public let username: String
+
+    public init(sharedSecret: String, username: String) {
+        self.sharedSecret = sharedSecret
+        self.username = username
+    }
+    /// Returns a TOTP setup URI that can help the customers avoid barcode scanning and use native password manager to handle TOTP association
+    /// Example: On iOS and MacOS, URI will redirect to associated Password Manager for the platform
+    ///
+    /// throws AuthError.validation if a `URL` cannot be formed with the supplied parameters
+    /// (for example, if the parameter string contains characters that are illegal in a URL, or is an empty string).
+    public func getSetupURI(
+        appName: String,
+        accountName: String? = nil) throws -> URL {
+            guard let URL = URL(
+                string: "otpauth://totp/\(appName):\(accountName ?? username)?secret=\(sharedSecret)&issuer=\(appName)") else {
+
+                throw AuthError.validation(
+                    "appName or accountName",
+                    "Invalid Parameters. Cannot form URL from the supplied appName or accountName",
+                    "Please make sure that the supplied parameters don't contain any characters that are illegal in a URL or is an empty String",
+                    nil)
+            }
+            return URL
+        }
+
+}
@@ -0,0 +1,40 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import Foundation
+
+/// Request to verify TOTP setup
+public struct VerifyTOTPSetupRequest: AmplifyOperationRequest {
+
+    /// Code from the associated Authenticator app that will be used for verification
+    public var code: String
+
+    /// Extra request options defined in `VerifyTOTPSetupRequest.Options`
+    public var options: Options
+
+    public init(
+        code: String,
+        options: Options) {
+            self.code = code
+            self.options = options
+    }
+}
+
+public extension VerifyTOTPSetupRequest {
+
+    struct Options {
+
+        /// Extra plugin specific options, only used in special circumstances when the existing options do not provide
+        /// a way to utilize the underlying auth plugin functionality. See plugin documentation for expected
+        /// key/values
+        public let pluginOptions: Any?
+
+        public init(pluginOptions: Any? = nil) {
+            self.pluginOptions = pluginOptions
+        }
+    }
+}
@@ -11,7 +11,6 @@ import Amplify
 import AWSCognitoIdentity
 import AWSCognitoIdentityProvider
 import AWSPluginsCore
-
 import ClientRuntime
 
 extension AWSCognitoAuthPlugin {
 
@@ -12,26 +12,6 @@ import AWSCognitoIdentityProvider
 
 public extension AWSCognitoAuthPlugin {
 
-    func federateToIdentityPool(
-        withProviderToken: String,
-        for provider: AuthProvider,
-        options: AuthFederateToIdentityPoolRequest.Options? = nil
-    ) async throws -> FederateToIdentityPoolResult {
-
-        let options = options ?? AuthFederateToIdentityPoolRequest.Options()
-        let request = AuthFederateToIdentityPoolRequest(token: withProviderToken, provider: provider, options: options)
-        let task = AWSAuthFederateToIdentityPoolTask(request, authStateMachine: authStateMachine)
-        return try await task.value
-
-    }
-
-    func clearFederationToIdentityPool(options: AuthClearFederationToIdentityPoolRequest.Options? = nil) async throws {
-        let options = options ?? AuthClearFederationToIdentityPoolRequest.Options()
-        let request = AuthClearFederationToIdentityPoolRequest(options: options)
-        let task = AWSAuthClearFederationToIdentityPoolTask(request, authStateMachine: authStateMachine)
-        try await task.value
-    }
-
     func getEscapeHatch() -> AWSCognitoAuthService {
         var service: AWSCognitoAuthService?
         switch authConfiguration {
 
@@ -0,0 +1,55 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import Amplify
+import AWSCognitoIdentity
+import AWSCognitoIdentityProvider
+
+public extension AWSCognitoAuthPlugin {
+
+    func federateToIdentityPool(
+        withProviderToken: String,
+        for provider: AuthProvider,
+        options: AuthFederateToIdentityPoolRequest.Options? = nil
+    ) async throws -> FederateToIdentityPoolResult {
+
+        let options = options ?? AuthFederateToIdentityPoolRequest.Options()
+        let request = AuthFederateToIdentityPoolRequest(token: withProviderToken, provider: provider, options: options)
+        let task = AWSAuthFederateToIdentityPoolTask(request, authStateMachine: authStateMachine)
+        return try await task.value
+
+    }
+
+    func clearFederationToIdentityPool(
+        options: AuthClearFederationToIdentityPoolRequest.Options? = nil
+    ) async throws {
+        let options = options ?? AuthClearFederationToIdentityPoolRequest.Options()
+        let request = AuthClearFederationToIdentityPoolRequest(options: options)
+        let task = AWSAuthClearFederationToIdentityPoolTask(request, authStateMachine: authStateMachine)
+        try await task.value
+    }
+
+    func fetchMFAPreference() async throws -> UserMFAPreference {
+        let task = FetchMFAPreferenceTask(
+            authStateMachine: authStateMachine,
+            userPoolFactory: authEnvironment.cognitoUserPoolFactory)
+        return try await task.value
+    }
+
+    func updateMFAPreference(
+        sms: MFAPreference?,
+        totp: MFAPreference?
+    ) async throws {
+        let task = UpdateMFAPreferenceTask(
+            smsPreference: sms,
+            totpPreference: totp,
+            authStateMachine: authStateMachine,
+            userPoolFactory: authEnvironment.cognitoUserPoolFactory)
+        return try await task.value
+    }
+    
+}