add restart flow for select auth factor

Author: harsh62

Sources/Authenticator/Models/Internal/Credentials.swift

@@ -13,4 +13,9 @@ class Credentials: ObservableObject {
     @Published var password: String?
 
     @Published var message: AuthenticatorMessage?
+    
+    /// Tracks the currently selected auth factor during sign-in.
+    /// Used to detect when user changes their auth factor selection after already selecting one.
+    /// When non-nil, subsequent factor selections require restarting the sign-in flow.
+    @Published var selectedAuthFactor: AuthFactor?
 }

Sources/Authenticator/States/SignInSelectAuthFactorState.swift

@@ -38,6 +38,11 @@ public class SignInSelectAuthFactorState: AuthenticatorBaseState {
     ///
     /// Automatically sets the Authenticator's next step accordingly, as well as the
     /// ``AuthenticatorBaseState/isBusy`` and ``AuthenticatorBaseState/message`` properties.
+    ///
+    /// If the user has already selected an auth factor previously (tracked via `credentials.selectedAuthFactor`),
+    /// this method will restart the sign-in flow with the new factor as the preferred first factor.
+    /// This is necessary because Cognito doesn't allow changing the auth factor selection once made.
+    ///
     /// - Throws: An `Amplify.AuthenticationError` if the operation fails
     public func selectAuthFactor() async throws {
         guard let factor = selectedAuthFactor else {
@@ -51,50 +56,28 @@ public class SignInSelectAuthFactorState: AuthenticatorBaseState {
         do {
             log.verbose("Selecting auth factor: \(factor)")
 
+            // Check if user has already selected an auth factor previously
+            // If so, we need to restart the sign-in flow instead of calling confirmSignIn
+            let flowRestartRequired = credentials.selectedAuthFactor != nil
+            
+            // Update password in credentials if password factor is selected
+            if factor.isPassword {
+                credentials.password = password
+            }
+            
+            // Track the selected auth factor
+            credentials.selectedAuthFactor = factor
+            
             let result: AuthSignInResult
 
-            switch factor {
-            case .password:
-                // Password requires 2-step flow, use dedicated method
-                // Step 1: Select password factor → confirmSignIn("PASSWORD") → .confirmSignInWithPassword
-                // Step 2: Send password → confirmSignIn("Pass@123") → .done
-                result = try await signInWithPassword()
-                
-            case .emailOtp, .smsOtp:
-                // Select the auth factor and move to appropriate next step
-                // Use the AuthFactor extension to get the challenge response
-                let challengeResponse = factor.toAuthFactorType().challengeResponse
-                
-                result = try await authenticationService.confirmSignIn(
-                    challengeResponse: challengeResponse,
-                    options: nil
-                )
-                
-            case .webAuthn:
-                // WebAuthn sign-in - Amplify handles the native UI
-                #if os(iOS) || os(macOS) || os(visionOS)
-                guard #available(iOS 17.4, macOS 13.5, visionOS 1.0, *) else {
-                    setBusy(false)
-                    log.error("WebAuthn requires iOS 17.4+, macOS 13.5+, or visionOS 1.0+")
-                    setMessage(.error(message: "Passkey is not available"))
-                    return
-                }
-                
-                log.verbose("Initiating WebAuthn sign-in")
-                
-                // Select WebAuthn as the auth factor
-                let challengeResponse = factor.toAuthFactorType().challengeResponse
-                
-                result = try await authenticationService.confirmSignIn(
-                    challengeResponse: challengeResponse,
-                    options: nil
-                )
-                #else
-                setBusy(false)
-                log.error("WebAuthn is not available on this platform")
-                setMessage(.error(message: "Passkey is not available"))
-                return
-                #endif
+            if flowRestartRequired {
+                // User has already selected an auth factor before
+                // Restart sign-in flow with the new factor as preferred
+                log.verbose("Restarting sign-in flow with preferred factor: \(factor)")
+                result = try await restartSignInWithPreferredFactor(factor)
+            } else {
+                // First-time selection - use confirmSignIn as normal
+                result = try await confirmSignInWithFactor(factor)
             }
 
             let nextStep = try await nextStep(for: result)
@@ -108,6 +91,69 @@ public class SignInSelectAuthFactorState: AuthenticatorBaseState {
         }
     }
 
+    /// Confirms sign-in with the selected auth factor (first-time selection)
+    /// - Parameter factor: The auth factor to use
+    /// - Returns: The `AuthSignInResult` from the confirmation
+    private func confirmSignInWithFactor(_ factor: AuthFactor) async throws -> AuthSignInResult {
+        switch factor {
+        case .password:
+            // Password requires 2-step flow, use dedicated method
+            // Step 1: Select password factor → confirmSignIn("PASSWORD") → .confirmSignInWithPassword
+            // Step 2: Send password → confirmSignIn("Pass@123") → .done
+            return try await signInWithPassword()
+            
+        case .emailOtp, .smsOtp:
+            // Select the auth factor and move to appropriate next step
+            // Use the AuthFactor extension to get the challenge response
+            let challengeResponse = factor.toAuthFactorType().challengeResponse
+            
+            return try await authenticationService.confirmSignIn(
+                challengeResponse: challengeResponse,
+                options: nil
+            )
+            
+        case .webAuthn:
+            // WebAuthn sign-in - Amplify handles the native UI
+            #if os(iOS) || os(macOS) || os(visionOS)
+            guard #available(iOS 17.4, macOS 13.5, visionOS 1.0, *) else {
+                log.error("WebAuthn requires iOS 17.4+, macOS 13.5+, or visionOS 1.0+")
+                throw AuthError.unknown("Passkey is not available", nil)
+            }
+            
+            log.verbose("Initiating WebAuthn sign-in")
+            
+            // Select WebAuthn as the auth factor
+            let challengeResponse = factor.toAuthFactorType().challengeResponse
+            
+            return try await authenticationService.confirmSignIn(
+                challengeResponse: challengeResponse,
+                options: nil
+            )
+            #else
+            log.error("WebAuthn is not available on this platform")
+            throw AuthError.unknown("Passkey is not available", nil)
+            #endif
+        }
+    }
+    
+    /// Restarts the sign-in flow with the specified factor as the preferred first factor.
+    /// This is used when the user changes their auth factor selection after already selecting one.
+    /// - Parameter factor: The auth factor to use as the preferred first factor
+    /// - Returns: The `AuthSignInResult` from the sign-in attempt
+    private func restartSignInWithPreferredFactor(_ factor: AuthFactor) async throws -> AuthSignInResult {
+        let options = AuthSignInRequest.Options(
+            pluginOptions: AWSAuthSignInOptions(
+                authFlowType: .userAuth(preferredFirstFactor: factor.toAuthFactorType())
+            )
+        )
+        
+        return try await authenticationService.signIn(
+            username: credentials.username,
+            password: factor.isPassword ? credentials.password : nil,
+            options: options
+        )
+    }
+    
     /// Signs in with password using the multi-step flow
     ///
     /// Password flow:

Sources/Authenticator/States/SignInState.swift

@@ -31,6 +31,9 @@ public class SignInState: AuthenticatorBaseState {
     /// - Throws: An `Amplify.AuthenticationError` if the operation fails
     public func signIn() async throws {
         setBusy(true)
+        
+        // Reset selected auth factor tracking for new sign-in flow
+        credentials.selectedAuthFactor = nil
 
         do {
             log.verbose("Attempting to Sign In")

Sources/Authenticator/Views/SignInSelectAuthFactorView.swift

@@ -127,9 +127,8 @@ public struct SignInSelectAuthFactorView<Header: View,
             log.verbose("Password auth factor not available")
             return
         }
-
-        state.selectedAuthFactor = passwordFactor
-        try? await state.selectAuthFactor()
+        
+        await selectAuthFactor(passwordFactor)
     }
 
     private func selectAuthFactor(_ factor: AuthFactor) async {