AWS cognito documentation change
Summary
Added Swift SDK code example for AdminRespondToAuthChallenge API with MFA handling
Security assessment
The change documents MFA challenge response implementation, which is a security feature. However, it simply demonstrates existing MFA functionality rather than addressing a specific vulnerability or introducing new security controls.
Diff
diff --git a/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md b/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md index 97205af82..6141cfc1f 100644 --- a//cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md +++ b//cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md @@ -372,0 +373,79 @@ Respond to an MFA challenge by providing a code generated by an associated MFA a +Swift + + +**SDK for Swift** + + +###### Note + +There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples). + + + import AWSCognitoIdentityProvider + + /// Respond to the authentication challenge received from Cognito after + /// initiating an authentication session. This involves sending a current + /// MFA code to the service. + /// + /// - Parameters: + /// - cipClient: The `CognitoIdentityProviderClient` to use. + /// - userName: The user's username. + /// - clientId: The app client ID. + /// - userPoolId: The user pool to sign into. + /// - mfaCode: The 6-digit MFA code currently displayed by the user's + /// authenticator. + /// - session: The authentication session to continue processing. + func adminRespondToAuthChallenge(cipClient: CognitoIdentityProviderClient, userName: String, + clientId: String, userPoolId: String, mfaCode: String, + session: String) async { + print("=====> SOFTWARE_TOKEN_MFA challenge is generated...") + + var challengeResponsesOb: [String: String] = [:] + challengeResponsesOb["USERNAME"] = userName + challengeResponsesOb["SOFTWARE_TOKEN_MFA_CODE"] = mfaCode + + do { + let output = try await cipClient.adminRespondToAuthChallenge( + input: AdminRespondToAuthChallengeInput( + challengeName: CognitoIdentityProviderClientTypes.ChallengeNameType.softwareTokenMfa, + challengeResponses: challengeResponsesOb, + clientId: clientId, + session: session, + userPoolId: userPoolId + ) + ) + + guard let authenticationResult = output.authenticationResult else { + print("*** Unable to get authentication result.") + return + } + + print("=====> Authentication result (JWTs are redacted):") + print(authenticationResult) + } catch _ as SoftwareTokenMFANotFoundException { + print("*** The specified user pool isn't configured for MFA.") + return + } catch _ as CodeMismatchException { + print("*** The specified MFA code doesn't match the expected value.") + return + } catch _ as UserNotFoundException { + print("*** The specified username, \(userName), doesn't exist.") + return + } catch _ as UserNotConfirmedException { + print("*** The user \(userName) has not been confirmed.") + return + } catch let error as NotAuthorizedException { + print("*** Unauthorized access. Reason: \(error.properties.message ?? "<unknown>")") + } catch { + print("*** Error responding to the MFA challenge.") + return + } + } + + + + * For API details, see [AdminRespondToAuthChallenge](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/adminrespondtoauthchallenge\(input:\)) in _AWS SDK for Swift API reference_. + + + +