-
Notifications
You must be signed in to change notification settings - Fork 243
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(auth): TOTP MFA #3146
feat(auth): TOTP MFA #3146
Conversation
8d6f87b
to
282b1c0
Compare
@dnys1 Thanks for taking care of this! When do you think this feature will be released? |
@Kaspear I don't have any firm timeframe yet, but it is one of our highest priority issues! |
80ba8b4
to
76c343b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Totally crushed this one. I've been using this branch for the past couple weeks and it's worked great 🎉
Still needing to test the multiple MFA selection workflow, but here's some feedback in the meantime 😁
packages/auth/amplify_auth_cognito_dart/example/bin/example.dart
Outdated
Show resolved
Hide resolved
packages/test/amplify_auth_integration_test/lib/src/mfa_environments.dart
Outdated
Show resolved
Hide resolved
packages/auth/amplify_auth_cognito_dart/lib/src/state/machines/sign_in_state_machine.dart
Outdated
Show resolved
Hide resolved
packages/auth/amplify_auth_cognito_dart/lib/src/state/machines/sign_in_state_machine.dart
Outdated
Show resolved
Hide resolved
packages/auth/amplify_auth_cognito_dart/lib/src/state/machines/totp_setup_state_machine.dart
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Love all these test 🎉
Can we make this test file more digestible and easier to maintain? Maybe consider adding contextual comments to each scenario or breaking it up into two at least two files based on the testRunners
. Either case I think would help provide better maintainer DX imo
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've split the tests into multiple files. I've tried to leave rationale for many of the expectations. Given they all follow the same pattern (lots of copy/paste between the tests), I think grokking one test makes the rest simple to understand.
that looks great! I also sit for last couple of week on branch feat/auth/totp and seem like totp with authenticator app is all working so can't wait for release. Thank you for your hard work @dnys1 |
c19fd2e
to
d06e6b0
Compare
const UserMfaPreference({ | ||
Set<MfaType>? enabled, | ||
this.preferred, | ||
}) : enabled = enabled ?? const {}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I am missing something. Why not:
const UserMfaPreference({
this.enabled = const {},
this.preferred,
});
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was wanting passing null
before because it makes things like list?.map(...).toSet()
cleaner if I don't have to duplicate ?? const {}
everywhere. But I changed it since I'm not doing that any more.
|
||
@override | ||
Map<String, Object?> toJson() => { | ||
'enabled': enabled.map((typ) => typ.name.toUpperCase()).toList(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this supposed to be type
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Either way. Updated to type.
/// Initiates setup of a time-based one-time passcode (TOTP) MFA method for the | ||
/// current user. | ||
/// | ||
/// Your backend must be set up with TOTP MFA enabled prior to calling this method. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What exception is thrown if the back end isn't set up for totp mfa?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SoftwareTokenMFANotFoundException
String? accountName, | ||
}) => | ||
Uri( | ||
scheme: 'otpauth', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This scheme is used by all authenticator apps (or, at least all popular ones - MS, Google, Authy, Last Pass, etc.)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, while there isn't a formal specification for otp URIs, this is the commonly used schema. The popular apps recognize this schema, this is made clear by their apps opening via native platform API calls with this schema. Which is exactly what we are doing in our Authenticator TOTP work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed offline. Here is my fix for the infra script failures
Hi, we are deciding if we are going to use Amplify - Flutter and MFA with TOTP is a requirement, do you guys have an ETA for this feature to be deployed? if not I think we will not be able to use Amplify for our project. thanks! |
Hi @luigi198 - we are getting really close to shipping this, we are doing our internal rounds of reviews. When would you like this to be available by? |
@abdallahshaban557 We are working on a PoC to prove we can use this tech, we will be implementing MFA probably in September, we noticed you guys deployed a new version today, that's a good sign for my boss, if I can get a written confirmation MFA TOTP will be supported for September (we are flexible with the month, we can work on other features meanwhile), we are probably good to go |
Hi @luigi198 - we should have it ready by then. Thank you for letting us know! |
72f11e9
to
263ae08
Compare
Expands E2E backends for all TOTP/SMS MFA combinations.
Fix casing when mapping SDK exceptions.
Adds TOTP MFA support to the `signIn` and `confirmSignIn` flows and adds two new methods to the Cognito plugin for fetching and updating the user's MFA preferences: `fetchMfaPreference` and `updateMfaPreference`.
Adds E2E tests for TOTP MFA and splits existing MFA tests by backend configuration: SMS, TOTP, and SMS/TOTP.
@@ -199,6 +215,23 @@ Future<void> confirmMfaUser(String mfaCode) async { | |||
} | |||
// #enddocregion confirm-signin | |||
|
|||
// #docregion handle-mfa-selection | |||
Future<MfaType> _promptUserPreference(Set<MfaType> allowedTypes) async { | |||
throw UnimplementedError(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be implemented?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated in favor of // ...
@@ -155,7 +155,7 @@ | |||
97C146E61CF9000F007C117D /* Project object */ = { | |||
isa = PBXProject; | |||
attributes = { | |||
LastUpgradeCheck = 1300; | |||
LastUpgradeCheck = 1430; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Been seeing this change locally. Does this typically get committed? If so, what's the significance?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it should be committed. Flutter and Xcode updates can modify the project settings.
/// The [TotpSetupDetails] returned contains a [TotpSetupDetails.getSetupUri] | ||
/// method which can be used to display a QR code or render a button to open | ||
/// the user's installed authenticator app. After setup is complete on the user's | ||
/// end, call [verifyTotpSetup] with a one-time code to complete registration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might reword this section to make it clear TotpSetupDetails.getSetupUri
return's the URI. Right now it reads like it shows the relevant QR code.
/// The [TotpSetupDetails] returned contains a [TotpSetupDetails.getSetupUri] | |
/// method which can be used to display a QR code or render a button to open | |
/// the user's installed authenticator app. After setup is complete on the user's | |
/// end, call [verifyTotpSetup] with a one-time code to complete registration. | |
/// The [TotpSetupDetails] returned contains a [TotpSetupDetails.getSetupUri] | |
/// method for retrieving the setup URI. Which can be used to build a QR code or | |
/// a button to open the user's installed authenticator app. After setup is complete | |
/// on the user's end, call [verifyTotpSetup] with a one-time code to complete registration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done 👍
@Kaspear @mikolaj1982 @luigi198 - Just wanted to make sure you are aware that this feature has now been launched! It is available from the Amplify Flutter library and the Authenticator UI component. |
@dnys1 |
signIn
flow.signIn
flow.