address comments

ykethan · ykethan · commit baed20b79445 · 2025-03-27T23:23:55.000-04:00
diff --git a/src/pages/[platform]/deploy-and-host/sandbox-environments/seed/index.mdx b/src/pages/[platform]/deploy-and-host/sandbox-environments/seed/index.mdx
@@ -218,7 +218,7 @@ const user = await createAndSignUpUser({
 
 console.log(`User ${user.username} was created`);
 
-// Wait for a moment to ensure we get a fresh TOTP code
+// Wait for a moment to get a fresh TOTP code
 await new Promise((resolve) => setTimeout(resolve, 35000));
 
 const signIn = await signInUser({
@@ -245,6 +245,66 @@ Run the seed script
 npx ampx sandbox seed
 ```
 
+### Auth with Email MFA
+
+For example, if you would like to seed your auth with a user with Email MFA enabled:
+
+```typescript title="amplify/seed/seed.ts"
+import {
+  createAndSignUpUser,
+  getSecret,
+  signInUser
+} from "@aws-amplify/seed";
+import { Amplify } from "aws-amplify";
+import * as auth from "aws-amplify/auth";
+import { readFile } from 'node:fs/promises';
+
+// this is used to get the amplify_outputs.json file as the file will not exist until sandbox is created
+const url = new URL("../../amplify_outputs.json", import.meta.url);
+const outputs = JSON.parse(await readFile(url, { encoding: "utf8" }));
+Amplify.configure(outputs);
+
+const username = await getSecret("username");
+const password = await getSecret("password");
+
+// Set mfaPreference to EMAIL when using email-only MFA
+const user = await createAndSignUpUser({
+  username: username,
+  password: password,
+  signInAfterCreation: false,
+  signInFlow: "MFA",
+  mfaPreference: "EMAIL",
+});
+
+// Sign in will prompt for MFA code in command line
+await signInUser({
+  username: username,
+  password: password,
+  signInFlow: "MFA",
+});
+
+auth.signOut();
+```
+
+This will create a user with the username and password with Email MFA enabled. The user will then be signed in and prompted for the MFA code in the command line.
+
+```bash title="Terminal" showLineNumbers={false}
+npx ampx sandbox seed
+seed is running...
+✔ Please input one-time password from EMAIL for myUser@test.com:
+User myUser@test.com was created
+✔ Please input one-time password from EMAIL for myUser@test.com:
+User was signed in: true
+```
+
+SMS MFA follows the same pattern as Email MFA, using command line prompts for verification. Just replace `mfaPreference: "EMAIL"` with `mfaPreference: "SMS"` in your configuration. The command line experience will be identical, prompting for the SMS code instead of the email code.
+
+<Callout info>
+**Note:** Email-based MFA is currently not supported with `defineAuth`. We are working towards supporting this feature. For more information, visit the [feature request in GitHub](https://github.com/aws-amplify/amplify-backend/issues/2159).
+
+To take advantage of this feature with an Amplify generated backend, the underlying CDK construct can be extended manually. See [overriding Cognito User Pool multi-factor authentication options](/[platform]/build-a-backend/auth/modify-resources-with-cdk/#override-cognito-userpool-multi-factor-authentication-options) for more information.
+</Callout>
+
 ### Data
 
 For example, if you like to seed your Data API, lets start by creating a GraphQL API with a `Todo` model with authorization mode set to `userPool`:
@@ -459,14 +519,16 @@ This behavior is particularly important when seeding multiple users in your appl
 
 ### MFA Challenge Handling
 
-- For sign-up challenges, each MFA type has its specific challenge callback:
+- For sign-up challenges, each MFA type has its own specific challenge callback:
   - TOTP: `totpSignUpChallenge`
   - Email: `emailSignUpChallenge`
-  
-- For sign-in, there's a single `signInChallenge` callback that works for all MFA types
+  - SMS: `smsSignUpChallenge`
+
+- For sign-in, there's a single universal `signInChallenge` callback that works with all MFA types (TOTP, Email, or SMS)
 
-- Command line prompts work with all forms of MFA during sign-in
-- For sign-up, command line prompts work with EMAIL and SMS, but not with TOTP
+Important behaviors:
+- Command line prompts work with all MFA types during sign-in
+- During sign-up, command line will prompt for EMAIL and SMS MFA, but not for TOTP MFA
 - When MFA is set to "Optional" in a user pool, users will be sent through the Password flow
 
 ### TOTP Considerations
@@ -530,20 +592,17 @@ Auth APIs allow you to create and manage users in your sandbox environment and a
   }, 'GroupName');
   ```
 
-### Additional APIs
+### Additional Types
 
-The `@aws-amplify/seed` package additionally provides the following APIs:
+The `@aws-amplify/seed` package provides these essential types:
 
-- `AuthSignUp` - API for user sign-up configuration
-- `AuthUser` - API for user authentication information
-- `ChallengeResponse` - API for MFA challenge responses
-- `StandardUserAttributes` - API for managing user attributes during sign-up
-- `PasswordSignInFlow` - API for password-based authentication
-- `MfaSignUpFlow` - API for MFA during sign-up
-- `MfaSignInFlow` - API for MFA during sign-in
-- `MfaWithTotpSignUpFlow` - API for TOTP-specific MFA during sign-up
+- `AuthSignUp` - Type for user sign-up configuration
+- `AuthUser` - Type for user authentication information
+- `ChallengeResponse` - Type for MFA challenge responses
+- `StandardUserAttributes` - Type for managing user attributes during sign-up
+- `AuthOutputs` - Type for user sign-up output
 
-The following challenge callback APIs are available for MFA flows:
+MFA challenge callback types:
 - `emailSignUpChallenge` - Handles Email MFA during sign-up
 - `smsSignUpChallenge` - Handles SMS MFA during sign-up
 - `totpSignUpChallenge` - Handles TOTP MFA during sign-up
