chore: change state machine and auth bloc to automatically move states if only one mfa method is allowed

Author: khatruong2009

packages/auth/amplify_auth_cognito_dart/lib/src/state/machines/sign_in_state_machine.dart

@@ -330,8 +330,56 @@ final class SignInStateMachine
         createEmailMfaRequest(event),
       ChallengeNameType.selectMfaType when hasUserResponse =>
         createSelectMfaRequest(event),
-      ChallengeNameType.mfaSetup when hasUserResponse =>
-        createMfaSetupRequest(event),
+      ChallengeNameType.mfaSetup =>
+      (() async {
+        final allowedMfaTypes = _allowedMfaTypes;
+        if (allowedMfaTypes == null || allowedMfaTypes.isEmpty) {
+          throw const InvalidUserPoolConfigurationException(
+            'No MFA types are allowed for setup.',
+            recoverySuggestion: 'Check your user pool MFA configuration.',
+          );
+        }
+        // Exclude MfaType.sms from consideration
+        final mfaTypesForSetup = allowedMfaTypes.difference({MfaType.sms});
+        if (mfaTypesForSetup.isEmpty) {
+          throw const InvalidUserPoolConfigurationException(
+            'No eligible MFA types are available for setup.',
+            recoverySuggestion: 'Check your user pool MFA configuration.',
+          );
+        }
+        if (mfaTypesForSetup.length == 1) {
+          final mfaType = mfaTypesForSetup.first;
+          if (mfaType == MfaType.totp) {
+            _enableMfaType = MfaType.totp;
+            _totpSetupResult ??= await associateSoftwareToken();
+            if (hasUserResponse) {
+              return createMfaSetupRequest(event);
+            } else {
+              // Need to prompt user for the TOTP code
+              return null;
+            }
+          } else if (mfaType == MfaType.email) {
+            _enableMfaType = MfaType.email;
+            if (hasUserResponse) {
+              return createEmailMfaSetupRequest(event);
+            } else {
+              // Need to prompt user for the email verification code
+              return null;
+            }
+          } else {
+            throw InvalidUserPoolConfigurationException(
+              'Unsupported MFA type: ${mfaType.name}',
+              recoverySuggestion: 'Check your user pool MFA configuration.',
+            );
+          }
+        } else if (hasUserResponse) {
+          // Handle user's selection
+          return createMfaSetupRequest(event);
+        } else {
+          // Need to prompt user to select an MFA type
+          return null;
+        }
+      })(),
       ChallengeNameType.newPasswordRequired when hasUserResponse =>
         createNewPasswordRequest(event),
       _ => null,
@@ -674,6 +722,24 @@ final class SignInStateMachine
     });
   }
 
+  /// Compeletes set up of an email MFA.
+  @protected
+  Future<RespondToAuthChallengeRequest> createEmailMfaSetupRequest(
+    SignInRespondToChallenge event,
+  ) async {
+    _enableMfaType = MfaType.email;
+    return RespondToAuthChallengeRequest.build((b) {
+      b
+        ..challengeName = ChallengeNameType.emailOtp
+        ..challengeResponses.addAll({
+          CognitoConstants.challengeParamUsername: cognitoUsername,
+          CognitoConstants.challengeParamEmailMfaCode: event.answer,
+        })
+        ..clientId = _authOutputs.userPoolClientId
+        ..clientMetadata.addAll(event.clientMetadata);
+    });
+  }
+
   /// Selects an MFA type to use for sign-in.
   @protected
   Future<RespondToAuthChallengeRequest> createSelectMfaRequest(

packages/authenticator/amplify_authenticator/lib/src/blocs/auth/auth_bloc.dart

@@ -227,10 +227,16 @@ class StateMachineBloc
           yield UnauthenticatedState.confirmSignInNewPassword;
         case AuthSignInStep.confirmSignInWithTotpMfaCode:
           yield UnauthenticatedState.confirmSignInWithTotpMfaCode;
+        case AuthSignInStep.confirmSignInWithEmailMfaCode:
+          yield UnauthenticatedState.confirmSignInWithEmailMfaCode;
         case AuthSignInStep.continueSignInWithMfaSelection:
           yield ContinueSignInWithMfaSelection(
             allowedMfaTypes: result.nextStep.allowedMfaTypes,
           );
+        case AuthSignInStep.continueSignInWithMfaSetupSelection:
+          yield ContinueSignInWithMfaSetupSelection(
+            allowedMfaTypes: result.nextStep.allowedMfaTypes,
+          );
         case AuthSignInStep.continueSignInWithTotpSetup:
           assert(
             result.nextStep.totpSetupDetails != null,
@@ -333,6 +339,43 @@ class StateMachineBloc
             allowedMfaTypes: result.nextStep.allowedMfaTypes,
           ),
         );
+      case AuthSignInStep.continueSignInWithMfaSetupSelection:
+        final allowedMfaTypes = result.nextStep.allowedMfaTypes;
+        if (allowedMfaTypes != null) {
+          final mfaTypesForSetup = allowedMfaTypes.toSet()..remove(MfaType.sms);
+          if (mfaTypesForSetup.length == 1) {
+            final mfaType = mfaTypesForSetup.first;
+            if (mfaType == MfaType.totp) {
+              assert(
+                result.nextStep.totpSetupDetails != null,
+                'Sign In Result should have totpSetupDetails',
+              );
+              _emit(await ContinueSignInTotpSetup.setupURI(
+                result.nextStep.totpSetupDetails!,
+                totpOptions,
+              ),);
+            } else if (mfaType == MfaType.email) {
+              _emit(UnauthenticatedState.continueSignInWithEmailMfaSetup);
+            } else {
+              throw InvalidUserPoolConfigurationException(
+                'Unsupported MFA type: ${mfaType.name}',
+                recoverySuggestion: 'Check your user pool MFA configuration.',
+              );
+            }
+          } else {
+            _emit(
+              ContinueSignInWithMfaSetupSelection(
+                allowedMfaTypes: result.nextStep.allowedMfaTypes,
+              ),
+            );
+          }
+        } else {
+          _emit(
+            ContinueSignInWithMfaSetupSelection(
+              allowedMfaTypes: result.nextStep.allowedMfaTypes,
+            ),
+          );
+        }
       case AuthSignInStep.continueSignInWithTotpSetup:
         assert(
           result.nextStep.totpSetupDetails != null,
@@ -344,8 +387,13 @@ class StateMachineBloc
             totpOptions,
           ),
         );
+      case AuthSignInStep.continueSignInWithEmailMfaSetup:
+        _emit(UnauthenticatedState.continueSignInWithEmailMfaSetup);
       case AuthSignInStep.confirmSignInWithTotpMfaCode:
         _emit(UnauthenticatedState.confirmSignInWithTotpMfaCode);
+      case AuthSignInStep.confirmSignInWithEmailMfaCode:
+        _notifyCodeSent(result.nextStep.codeDeliveryDetails?.destination);
+        _emit(UnauthenticatedState.confirmSignInWithEmailMfaCode);
       case AuthSignInStep.resetPassword:
         _emit(UnauthenticatedState.confirmResetPassword);
       case AuthSignInStep.confirmSignUp: