Update generated code

manifest.json

@@ -1,6 +1,6 @@
 {
     "variables": {
-        "${LATEST}": "3.329.0"
+        "${LATEST}": "3.330.0"
     },
     "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json",
     "services": {

psalm.baseline.xml

@@ -312,4 +312,12 @@
       <code><![CDATA[list<Architecture::*>]]></code>
     </MoreSpecificReturnType>
   </file>
+  <file src="src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php">
+    <LessSpecificReturnStatement>
+      <code><![CDATA[$items]]></code>
+    </LessSpecificReturnStatement>
+    <MoreSpecificReturnType>
+      <code><![CDATA[list<ChallengeNameType::*>]]></code>
+    </MoreSpecificReturnType>
+  </file>
 </files>

src/Service/CognitoIdentityProvider/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## NOT RELEASED
 
+### Added
+
+- AWS api-change: Add support for users to sign up and sign in without passwords, using email and SMS OTPs and Passkeys. Add support for Passkeys based on WebAuthn. Add support for enhanced branding customization for hosted authentication pages with Amazon Cognito Managed Login. Add feature tiers with new pricing.
+
 ### Changed
 
 - use strict comparison `null !==` instead of `!`

src/Service/CognitoIdentityProvider/composer.json

@@ -28,7 +28,7 @@
     },
     "extra": {
         "branch-alias": {
-            "dev-master": "1.9-dev"
+            "dev-master": "1.10-dev"
         }
     }
 }

src/Service/CognitoIdentityProvider/src/Enum/AuthFlowType.php

@@ -9,6 +9,7 @@ final class AuthFlowType
     public const CUSTOM_AUTH = 'CUSTOM_AUTH';
     public const REFRESH_TOKEN = 'REFRESH_TOKEN';
     public const REFRESH_TOKEN_AUTH = 'REFRESH_TOKEN_AUTH';
+    public const USER_AUTH = 'USER_AUTH';
     public const USER_PASSWORD_AUTH = 'USER_PASSWORD_AUTH';
     public const USER_SRP_AUTH = 'USER_SRP_AUTH';
 
@@ -20,6 +21,7 @@ public static function exists(string $value): bool
             self::CUSTOM_AUTH => true,
             self::REFRESH_TOKEN => true,
             self::REFRESH_TOKEN_AUTH => true,
+            self::USER_AUTH => true,
             self::USER_PASSWORD_AUTH => true,
             self::USER_SRP_AUTH => true,
         ][$value]);

src/Service/CognitoIdentityProvider/src/Enum/ChallengeNameType.php

@@ -11,10 +11,15 @@ final class ChallengeNameType
     public const EMAIL_OTP = 'EMAIL_OTP';
     public const MFA_SETUP = 'MFA_SETUP';
     public const NEW_PASSWORD_REQUIRED = 'NEW_PASSWORD_REQUIRED';
+    public const PASSWORD = 'PASSWORD';
+    public const PASSWORD_SRP = 'PASSWORD_SRP';
     public const PASSWORD_VERIFIER = 'PASSWORD_VERIFIER';
+    public const SELECT_CHALLENGE = 'SELECT_CHALLENGE';
     public const SELECT_MFA_TYPE = 'SELECT_MFA_TYPE';
     public const SMS_MFA = 'SMS_MFA';
+    public const SMS_OTP = 'SMS_OTP';
     public const SOFTWARE_TOKEN_MFA = 'SOFTWARE_TOKEN_MFA';
+    public const WEB_AUTHN = 'WEB_AUTHN';
 
     public static function exists(string $value): bool
     {
@@ -26,10 +31,15 @@ public static function exists(string $value): bool
             self::EMAIL_OTP => true,
             self::MFA_SETUP => true,
             self::NEW_PASSWORD_REQUIRED => true,
+            self::PASSWORD => true,
+            self::PASSWORD_SRP => true,
             self::PASSWORD_VERIFIER => true,
+            self::SELECT_CHALLENGE => true,
             self::SELECT_MFA_TYPE => true,
             self::SMS_MFA => true,
+            self::SMS_OTP => true,
             self::SOFTWARE_TOKEN_MFA => true,
+            self::WEB_AUTHN => true,
         ][$value]);
     }
 }

src/Service/CognitoIdentityProvider/src/Exception/InvalidParameterException.php

@@ -3,10 +3,29 @@
 namespace AsyncAws\CognitoIdentityProvider\Exception;
 
 use AsyncAws\Core\Exception\Http\ClientException;
+use Symfony\Contracts\HttpClient\ResponseInterface;
 
 /**
  * This exception is thrown when the Amazon Cognito service encounters an invalid parameter.
  */
 final class InvalidParameterException extends ClientException
 {
+    /**
+     * The reason code of the exception.
+     *
+     * @var string|null
+     */
+    private $reasonCode;
+
+    public function getReasonCode(): ?string
+    {
+        return $this->reasonCode;
+    }
+
+    protected function populateResult(ResponseInterface $response): void
+    {
+        $data = $response->toArray(false);
+
+        $this->reasonCode = isset($data['reasonCode']) ? (string) $data['reasonCode'] : null;
+    }
 }

src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php

@@ -11,7 +11,7 @@
 use AsyncAws\Core\Stream\StreamFactory;
 
 /**
- * Represents the request to create a user in the specified user pool.
+ * Creates a new user in the specified user pool.
  */
 final class AdminCreateUserRequest extends Input
 {
@@ -55,6 +55,10 @@ final class AdminCreateUserRequest extends Input
      * this in your call to AdminCreateUser or in the **Users** tab of the Amazon Cognito console for managing your user
      * pools.
      *
+     * You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an
+     * email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you
+     * don't submit a `TemporaryPassword`.
+     *
      * In your call to `AdminCreateUser`, you can set the `email_verified` attribute to `True`, and you can set the
      * `phone_number_verified` attribute to `True`. You can also do this by calling AdminUpdateUserAttributes [^1].
      *
@@ -92,15 +96,25 @@ final class AdminCreateUserRequest extends Input
      * The user's temporary password. This password must conform to the password policy that you specified when you created
      * the user pool.
      *
+     * The exception to the requirement for a password is when your user pool supports passwordless sign-in with email or
+     * SMS OTPs. To create a user with no password, omit this parameter or submit a blank value. You can only create a
+     * passwordless user when passwordless sign-in is available. See the SignInPolicyType [^1] property of CreateUserPool
+     * [^2] and UpdateUserPool [^3].
+     *
      * The temporary password is valid only once. To complete the Admin Create User flow, the user must enter the temporary
      * password in the sign-in page, along with a new password to be used in all future sign-ins.
      *
-     * This parameter isn't required. If you don't specify a value, Amazon Cognito generates one for you.
+     * If you don't specify a value, Amazon Cognito generates one for you unless you have passwordless options active for
+     * your user pool.
      *
      * The temporary password can only be used until the user account expiration limit that you set for your user pool. To
      * reset the account after that time limit, you must call `AdminCreateUser` again and specify `RESEND` for the
      * `MessageAction` parameter.
      *
+     * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html
+     * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html
+     * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html
+     *
      * @var string|null
      */
     private $temporaryPassword;

src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php

@@ -34,24 +34,48 @@ final class AdminInitiateAuthRequest extends Input
     private $clientId;
 
     /**
-     * The authentication flow for this call to run. The API action will depend on this value. For example:
+     * The authentication flow that you want to initiate. The `AuthParameters` that you must submit are linked to the flow
+     * that you submit. For example:
      *
-     * - `REFRESH_TOKEN_AUTH` will take in a valid refresh token and return new tokens.
-     * - `USER_SRP_AUTH` will take in `USERNAME` and `SRP_A` and return the Secure Remote Password (SRP) protocol variables
-     *   to be used for next challenge execution.
-     * - `ADMIN_USER_PASSWORD_AUTH` will take in `USERNAME` and `PASSWORD` and return the next challenge or tokens.
+     * - `USER_AUTH`: Request a preferred authentication type or review available authentication types. From the offered
+     *   authentication types, select one in a challenge response and then authenticate with that method in an additional
+     *   challenge response.
+     * - `REFRESH_TOKEN_AUTH`: Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid
+     *   refresh token as the value.
+     * - `USER_SRP_AUTH`: Receive secure remote password (SRP) variables for the next challenge, `PASSWORD_VERIFIER`, when
+     *   you pass `USERNAME` and `SRP_A` parameters..
+     * - `ADMIN_USER_PASSWORD_AUTH`: Receive new tokens or the next challenge, for example `SOFTWARE_TOKEN_MFA`, when you
+     *   pass `USERNAME` and `PASSWORD` parameters.
      *
-     * Valid values include:
+     * Valid values include the following:
      *
-     * - `USER_SRP_AUTH`: Authentication flow for the Secure Remote Password (SRP) protocol.
-     * - `REFRESH_TOKEN_AUTH`/`REFRESH_TOKEN`: Authentication flow for refreshing the access token and ID token by supplying
-     *   a valid refresh token.
-     * - `CUSTOM_AUTH`: Custom authentication flow.
-     * - `ADMIN_NO_SRP_AUTH`: Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is
-     *   enabled for calling the app client.
-     * - `ADMIN_USER_PASSWORD_AUTH`: Admin-based user password authentication. This replaces the `ADMIN_NO_SRP_AUTH`
-     *   authentication flow. In this flow, Amazon Cognito receives the password in the request instead of using the SRP
-     *   process to verify passwords.
+     * - `USER_AUTH`:
+     *
+     *   The entry point for sign-in with passwords, one-time passwords, biometric devices, and security keys.
+     * - `USER_SRP_AUTH`:
+     *
+     *   Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP
+     *   password verification in custom authentication flow [^1].
+     * - `REFRESH_TOKEN_AUTH and REFRESH_TOKEN`:
+     *
+     *   Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh
+     *   token [^2].
+     * - `CUSTOM_AUTH`:
+     *
+     *   Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda
+     *   triggers [^3].
+     * - `ADMIN_USER_PASSWORD_AUTH`:
+     *
+     *   Username-password authentication with the password sent directly in the request. For more information, see Admin
+     *   authentication flow [^4].
+     *
+     * `USER_PASSWORD_AUTH` is a flow type of InitiateAuth [^5] and isn't valid for AdminInitiateAuth.
+     *
+     * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow
+     * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html
+     * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
+     * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges
+     * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
      *
      * @required
      *
@@ -63,6 +87,9 @@ final class AdminInitiateAuthRequest extends Input
      * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. The required
      * values depend on the value of `AuthFlow`:
      *
+     * - For `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for
+     *   `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the
+     *   available sign-in methods.
      * - For `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is
      *   configured with a client secret), `DEVICE_KEY`.
      * - For `ADMIN_USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app
@@ -107,6 +134,8 @@ final class AdminInitiateAuthRequest extends Input
      * - Pre token generation
      * - Create auth challenge
      * - Define auth challenge
+     * - Custom email sender
+     * - Custom SMS sender
      *
      * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer
      * Guide*.
@@ -142,6 +171,14 @@ final class AdminInitiateAuthRequest extends Input
      */
     private $contextData;
 
+    /**
+     * The optional session ID from a `ConfirmSignUp` API request. You can sign in a user directly from the sign-up process
+     * with the `USER_AUTH` authentication flow.
+     *
+     * @var string|null
+     */
+    private $session;
+
     /**
      * @param array{
      *   UserPoolId?: string,
@@ -151,6 +188,7 @@ final class AdminInitiateAuthRequest extends Input
      *   ClientMetadata?: null|array<string, string>,
      *   AnalyticsMetadata?: null|AnalyticsMetadataType|array,
      *   ContextData?: null|ContextDataType|array,
+     *   Session?: null|string,
      *   '@region'?: string|null,
      * } $input
      */
@@ -163,6 +201,7 @@ public function __construct(array $input = [])
         $this->clientMetadata = $input['ClientMetadata'] ?? null;
         $this->analyticsMetadata = isset($input['AnalyticsMetadata']) ? AnalyticsMetadataType::create($input['AnalyticsMetadata']) : null;
         $this->contextData = isset($input['ContextData']) ? ContextDataType::create($input['ContextData']) : null;
+        $this->session = $input['Session'] ?? null;
         parent::__construct($input);
     }
 
@@ -175,6 +214,7 @@ public function __construct(array $input = [])
      *   ClientMetadata?: null|array<string, string>,
      *   AnalyticsMetadata?: null|AnalyticsMetadataType|array,
      *   ContextData?: null|ContextDataType|array,
+     *   Session?: null|string,
      *   '@region'?: string|null,
      * }|AdminInitiateAuthRequest $input
      */
@@ -222,6 +262,11 @@ public function getContextData(): ?ContextDataType
         return $this->contextData;
     }
 
+    public function getSession(): ?string
+    {
+        return $this->session;
+    }
+
     public function getUserPoolId(): ?string
     {
         return $this->userPoolId;
@@ -304,6 +349,13 @@ public function setContextData(?ContextDataType $value): self
         return $this;
     }
 
+    public function setSession(?string $value): self
+    {
+        $this->session = $value;
+
+        return $this;
+    }
+
     public function setUserPoolId(?string $value): self
     {
         $this->userPoolId = $value;
@@ -355,6 +407,9 @@ private function requestBody(): array
         if (null !== $v = $this->contextData) {
             $payload['ContextData'] = $v->requestBody();
         }
+        if (null !== $v = $this->session) {
+            $payload['Session'] = $v;
+        }
 
         return $payload;
     }

src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php

@@ -43,10 +43,10 @@ final class AdminUpdateUserAttributesRequest extends Input
      * responds to a verification message to verify the new value, Amazon Cognito updates the attribute value. Your user can
      * sign in and receive messages with the original attribute value until they verify the new value.
      *
-     * To update the value of an attribute that requires verification in the same API request, include the `email_verified`
-     * or `phone_number_verified` attribute, with a value of `true`. If you set the `email_verified` or
-     * `phone_number_verified` value for an `email` or `phone_number` attribute that requires verification to `true`, Amazon
-     * Cognito doesn’t send a verification message to your user.
+     * To skip the verification message and update the value of an attribute that requires verification in the same API
+     * request, include the `email_verified` or `phone_number_verified` attribute, with a value of `true`. If you set the
+     * `email_verified` or `phone_number_verified` value for an `email` or `phone_number` attribute that requires
+     * verification to `true`, Amazon Cognito doesn’t send a verification message to your user.
      *
      * @required
      *

src/Service/CognitoIdentityProvider/src/Input/ChangePasswordRequest.php

@@ -13,9 +13,8 @@
 final class ChangePasswordRequest extends Input
 {
     /**
-     * The old password.
-     *
-     * @required
+     * The user's previous password. Required if the user has a password. If the user has no password and only signs in with
+     * passwordless authentication options, you can omit this parameter.
      *
      * @var string|null
      */
@@ -41,7 +40,7 @@ final class ChangePasswordRequest extends Input
 
     /**
      * @param array{
-     *   PreviousPassword?: string,
+     *   PreviousPassword?: null|string,
      *   ProposedPassword?: string,
      *   AccessToken?: string,
      *   '@region'?: string|null,
@@ -57,7 +56,7 @@ public function __construct(array $input = [])
 
     /**
      * @param array{
-     *   PreviousPassword?: string,
+     *   PreviousPassword?: null|string,
      *   ProposedPassword?: string,
      *   AccessToken?: string,
      *   '@region'?: string|null,
@@ -133,10 +132,9 @@ public function setProposedPassword(?string $value): self
     private function requestBody(): array
     {
         $payload = [];
-        if (null === $v = $this->previousPassword) {
-            throw new InvalidArgument(\sprintf('Missing parameter "PreviousPassword" for "%s". The value cannot be null.', __CLASS__));
+        if (null !== $v = $this->previousPassword) {
+            $payload['PreviousPassword'] = $v;
         }
-        $payload['PreviousPassword'] = $v;
         if (null === $v = $this->proposedPassword) {
             throw new InvalidArgument(\sprintf('Missing parameter "ProposedPassword" for "%s". The value cannot be null.', __CLASS__));
         }