emphasize *user* verification

aws · Dec 6, 2024 · 3ce032f · 3ce032f
1 parent a6f16d8
commit 3ce032f
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 23 deletions.
diff --git a/...es/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-passwordless.ts b/...es/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-passwordless.ts
@@ -1,14 +1,14 @@
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { App, CfnOutput, RemovalPolicy, Stack } from 'aws-cdk-lib';
-import { PasskeyVerification, UserPool } from 'aws-cdk-lib/aws-cognito';
+import { PasskeyUserVerification, UserPool } from 'aws-cdk-lib/aws-cognito';
 
 const app = new App();
 const stack = new Stack(app, 'integ-user-pool-passwordless');
 
 const userpool = new UserPool(stack, 'myuserpool', {
   allowedFirstAuthFactors: { emailOtp: true, passkey: true },
   passkeyRelyingPartyId: 'example.com',
-  passkeyVerification: PasskeyVerification.REQUIRED,
+  passkeyUserVerification: PasskeyUserVerification.REQUIRED,
   removalPolicy: RemovalPolicy.DESTROY,
   deletionProtection: false,
 });

diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts
@@ -485,7 +485,7 @@ export interface AuthFactor {
  * The user-pool treatment for MFA with a passkey
  * @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey
  */
-export enum PasskeyVerification {
+export enum PasskeyUserVerification {
   /** Passkey MFA is preferred */
   PREFERRED = 'preferred',
   /** Passkey MFA is required */
@@ -753,9 +753,9 @@ export interface UserPoolProps {
    * You can override other MFA options and require passkey MFA, or you can set it as preferred.
    * When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in.
    *
-   * @default PasskeyVerification.PREFERRED
+   * @default PasskeyUserVerification.PREFERRED
    */
-  readonly passkeyVerification?: PasskeyVerification;
+  readonly passkeyUserVerification?: PasskeyUserVerification;
 
   /**
    * Email settings for a user pool.
@@ -1102,7 +1102,7 @@ export class UserPool extends UserPoolBase {
       enabledMfas: this.mfaConfiguration(props),
       policies: undefinedIfNoKeys({ passwordPolicy, signInPolicy }),
       webAuthnRelyingPartyId: props.passkeyRelyingPartyId,
-      webAuthnUserVerification: props.passkeyVerification,
+      webAuthnUserVerification: props.passkeyUserVerification,
       emailConfiguration,
       usernameConfiguration: undefinedIfNoKeys({
         caseSensitive: props.signInCaseSensitive,

diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool.test.ts
@@ -5,7 +5,7 @@ import { Role, ServicePrincipal } from '../../aws-iam';
 import * as kms from '../../aws-kms';
 import * as lambda from '../../aws-lambda';
 import { CfnParameter, Duration, Stack, Tags } from '../../core';
-import { AccountRecovery, Mfa, NumberAttribute, StringAttribute, UserPool, UserPoolIdentityProvider, UserPoolOperation, VerificationEmailStyle, UserPoolEmail, AdvancedSecurityMode, LambdaVersion, PasskeyVerification } from '../lib';
+import { AccountRecovery, Mfa, NumberAttribute, StringAttribute, UserPool, UserPoolIdentityProvider, UserPoolOperation, VerificationEmailStyle, UserPoolEmail, AdvancedSecurityMode, LambdaVersion, PasskeyUserVerification } from '../lib';
 
 describe('User Pool', () => {
   test('default setup', () => {
@@ -2102,27 +2102,29 @@ describe('User Pool', () => {
     });
   });
 
-  test.each([
-    ['blank', {}, ['PASSWORD']],
-    ['email OTP', { emailOtp: true }, ['PASSWORD', 'EMAIL_OTP']],
-    ['SMS OTP', { smsOtp: true }, ['PASSWORD', 'SMS_OTP']],
-    ['passkey', { passkey: true }, ['PASSWORD', 'WEB_AUTHN']],
-    ['email OTP and SMS OTP', { emailOtp: true, smsOtp: true }, ['PASSWORD', 'EMAIL_OTP', 'SMS_OTP']],
-    ['email OTP and passkey', { emailOtp: true, passkey: true }, ['PASSWORD', 'EMAIL_OTP', 'WEB_AUTHN']],
-    ['SMS OTP and passkey', { smsOtp: true, passkey: true }, ['PASSWORD', 'SMS_OTP', 'WEB_AUTHN']],
-    ['all enabled', { emailOtp: true, smsOtp: true, passkey: true }, ['PASSWORD', 'EMAIL_OTP', 'SMS_OTP', 'WEB_AUTHN']],
-  ])('allowFirstAuthFactors is configured correctly when set to %s', (_, allowedFirstAuthFactors, compareArray) => {
+  test('allowFirstAuthFactors are correctly named', () => {
     // GIVEN
     const stack = new Stack();
 
     // WHEN
-    new UserPool(stack, 'Pool', { allowedFirstAuthFactors });
+    new UserPool(stack, 'Pool', {
+      allowedFirstAuthFactors: {
+        emailOtp: true,
+        smsOtp: true,
+        passkey: true,
+      },
+    });
 
     // THEN
     Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {
       Policies: {
         SignInPolicy: {
-          AllowedFirstAuthFactors: compareArray,
+          AllowedFirstAuthFactors: [
+            'PASSWORD',
+            'EMAIL_OTP',
+            'SMS_OTP',
+            'WEB_AUTHN',
+          ],
         },
       },
     });
@@ -2157,14 +2159,14 @@ describe('User Pool', () => {
   });
 
   test.each([
-    [PasskeyVerification.PREFERRED, 'preferred'],
-    [PasskeyVerification.REQUIRED, 'required'],
-  ])('passkeyVerification is configured correctly when set to (%s)', (passkeyVerification, compareString) => {
+    [PasskeyUserVerification.PREFERRED, 'preferred'],
+    [PasskeyUserVerification.REQUIRED, 'required'],
+  ])('passkeyUserVerification is configured correctly when set to (%s)', (passkeyUserVerification, compareString) => {
     // GIVEN
     const stack = new Stack();
 
     // WHEN
-    new UserPool(stack, 'Pool', { passkeyVerification });
+    new UserPool(stack, 'Pool', { passkeyUserVerification });
 
     // THEN
     Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {