refactor: organize MFA classes into authentication.mfa package

Author: utkrishtsahu

EXAMPLES.md

@@ -5,6 +5,7 @@ import androidx.annotation.VisibleForTesting
 import com.auth0.android.Auth0
 import com.auth0.android.Auth0Exception
 import com.auth0.android.NetworkErrorException
+import com.auth0.android.authentication.mfa.MfaApiClient
 import com.auth0.android.dpop.DPoP
 import com.auth0.android.dpop.DPoPException
 import com.auth0.android.dpop.SenderConstraining

auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt

@@ -1,9 +1,10 @@
-package com.auth0.android.authentication
+package com.auth0.android.authentication.mfa
 
 import androidx.annotation.VisibleForTesting
 import com.auth0.android.Auth0
 import com.auth0.android.Auth0Exception
-import com.auth0.android.authentication.MfaException.*
+import com.auth0.android.authentication.ParameterBuilder
+import com.auth0.android.authentication.mfa.MfaException.*
 import com.auth0.android.request.ErrorAdapter
 import com.auth0.android.request.JsonAdapter
 import com.auth0.android.request.Request
@@ -26,7 +27,7 @@ import java.io.Reader
  * API client for handling Multi-Factor Authentication (MFA) flows.
  *
  * This client provides methods to handle MFA challenges and enrollments following
- * the Auth0 MFA API. It is typically obtained from [AuthenticationAPIClient.mfaClient]
+ * the Auth0 MFA API. It is typically obtained from [com.auth0.android.authentication.AuthenticationAPIClient.mfaClient]
  * after receiving an `mfa_required` error during authentication.
  *
  * ## Usage
@@ -46,7 +47,7 @@ import java.io.Reader
  * }
  * ```
  *
- * @see AuthenticationAPIClient.mfaClient
+ * @see com.auth0.android.authentication.AuthenticationAPIClient.mfaClient
  * @see [MFA API Documentation](https://auth0.com/docs/api/authentication#multi-factor-authentication)
  */
 public class MfaApiClient @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE) internal constructor(

…0/android/authentication/MfaApiClient.kt …droid/authentication/mfa/MfaApiClient.ktauth0/src/main/java/com/auth0/android/authentication/MfaApiClient.kt renamed to auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt auth0/src/main/java/com/auth0/android/authentication/MfaApiClient.kt renamed to auth0/src/main/java/com/auth0/android/authentication/mfa/MfaApiClient.kt

@@ -1,4 +1,4 @@
-package com.auth0.android.authentication
+package com.auth0.android.authentication.mfa
 
 import com.auth0.android.Auth0Exception
 import com.auth0.android.Auth0Exception.Companion.UNKNOWN_ERROR

…0/android/authentication/MfaException.kt …droid/authentication/mfa/MfaException.ktauth0/src/main/java/com/auth0/android/authentication/MfaException.kt renamed to auth0/src/main/java/com/auth0/android/authentication/mfa/MfaException.kt auth0/src/main/java/com/auth0/android/authentication/MfaException.kt renamed to auth0/src/main/java/com/auth0/android/authentication/mfa/MfaException.kt

@@ -1,4 +1,4 @@
-package com.auth0.android.authentication
+package com.auth0.android.authentication.mfa
 
 /**
  * Represents the type of MFA enrollment to perform.

…auth0/android/authentication/MfaTypes.kt …0/android/authentication/mfa/MfaTypes.ktauth0/src/main/java/com/auth0/android/authentication/MfaTypes.kt renamed to auth0/src/main/java/com/auth0/android/authentication/mfa/MfaTypes.kt auth0/src/main/java/com/auth0/android/authentication/MfaTypes.kt renamed to auth0/src/main/java/com/auth0/android/authentication/mfa/MfaTypes.kt

@@ -1,9 +1,10 @@
 package com.auth0.android.authentication
 
 import com.auth0.android.Auth0
-import com.auth0.android.authentication.MfaEnrollmentType
-import com.auth0.android.authentication.MfaVerificationType
-import com.auth0.android.authentication.MfaException.*
+import com.auth0.android.authentication.mfa.MfaApiClient
+import com.auth0.android.authentication.mfa.MfaEnrollmentType
+import com.auth0.android.authentication.mfa.MfaVerificationType
+import com.auth0.android.authentication.mfa.MfaException.*
 import com.auth0.android.callback.Callback
 import com.auth0.android.request.internal.ThreadSwitcherShadow
 import com.auth0.android.result.Authenticator

auth0/src/test/java/com/auth0/android/authentication/MfaApiClientTest.kt

@@ -1,6 +1,7 @@
 package com.auth0.android.authentication
 
-import com.auth0.android.authentication.MfaException.*
+import com.auth0.android.authentication.mfa.MfaException
+import com.auth0.android.authentication.mfa.MfaException.*
 import org.hamcrest.MatcherAssert.assertThat
 import org.hamcrest.Matchers.*
 import org.junit.Test

auth0/src/test/java/com/auth0/android/authentication/MfaExceptionTest.kt

@@ -1878,6 +1878,245 @@ public class SecureCredentialsManagerTest {
         )
     }
 
+    // ========== MFA Required During Token Renewal Tests ==========
+
+    @Test
+    public fun shouldFailWithMfaRequiredWhenRenewingExpiredCredentials() {
+        // Arrange: Set up local authentication to pass
+        Mockito.`when`(localAuthenticationManager.authenticate()).then {
+            localAuthenticationManager.resultCallback.onSuccess(true)
+        }
+        // Arrange: Set up expired credentials that need renewal
+        val expiresAt = Date(CredentialsMock.CURRENT_TIME_MS)
+        insertTestCredentials(false, true, true, expiresAt, "scope")
+        Mockito.`when`(client.renewAuth("refreshToken")).thenReturn(request)
+
+        // Create an AuthenticationException that simulates MFA required response
+        val mfaRequiredValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required",
+            "mfa_token" to "test-mfa-token-12345",
+            "mfa_requirements" to mapOf(
+                "challenge" to listOf(
+                    mapOf("type" to "otp"),
+                    mapOf("type" to "oob")
+                )
+            )
+        )
+        val mfaRequiredException = AuthenticationException(mfaRequiredValues, 403)
+        Mockito.`when`(request.execute()).thenThrow(mfaRequiredException)
+
+        // Act: Try to get credentials, which triggers renewal
+        manager.getCredentials(callback)
+
+        // Assert: Verify the callback receives MFA_REQUIRED exception with payload
+        verify(callback).onFailure(exceptionCaptor.capture())
+        val exception = exceptionCaptor.firstValue
+        MatcherAssert.assertThat(exception, Is.`is`(Matchers.notNullValue()))
+        // Note: CredentialsManager uses error.message which is the DEFAULT_MESSAGE from AuthenticationException
+        MatcherAssert.assertThat(exception.message, Matchers.containsString("authenticate"))
+        MatcherAssert.assertThat(exception.cause, Is.`is`(mfaRequiredException))
+        
+        // Verify MFA payload is properly passed through
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.mfaToken, Is.`is`("test-mfa-token-12345"))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.challenge, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.challenge?.size, Is.`is`(2))
+    }
+
+    @Test
+    public fun shouldFailWithMfaRequiredWithEnrollmentOptionsWhenRenewingCredentials() {
+        // Arrange: Set up local authentication to pass
+        Mockito.`when`(localAuthenticationManager.authenticate()).then {
+            localAuthenticationManager.resultCallback.onSuccess(true)
+        }
+        // Arrange: Set up expired credentials that need renewal
+        val expiresAt = Date(CredentialsMock.CURRENT_TIME_MS)
+        insertTestCredentials(false, true, true, expiresAt, "scope")
+        Mockito.`when`(client.renewAuth("refreshToken")).thenReturn(request)
+
+        // Create an AuthenticationException with enrollment options (user needs to enroll MFA)
+        val mfaRequiredValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required",
+            "mfa_token" to "enroll-mfa-token",
+            "mfa_requirements" to mapOf(
+                "enroll" to listOf(
+                    mapOf("type" to "otp"),
+                    mapOf("type" to "sms"),
+                    mapOf("type" to "push-notification")
+                )
+            )
+        )
+        val mfaRequiredException = AuthenticationException(mfaRequiredValues, 403)
+        Mockito.`when`(request.execute()).thenThrow(mfaRequiredException)
+
+        // Act: Try to get credentials
+        manager.getCredentials(callback)
+
+        // Assert: Verify MFA required with enrollment options
+        verify(callback).onFailure(exceptionCaptor.capture())
+        val exception = exceptionCaptor.firstValue
+        // Note: CredentialsManager uses error.message which is the DEFAULT_MESSAGE from AuthenticationException
+        MatcherAssert.assertThat(exception.message, Matchers.containsString("authenticate"))
+        MatcherAssert.assertThat(exception.mfaToken, Is.`is`("enroll-mfa-token"))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.enroll, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.enroll?.size, Is.`is`(3))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.challenge, Is.`is`(Matchers.nullValue()))
+    }
+
+    @Test
+    public fun shouldNotStoreMfaPayloadWhenNonMfaApiErrorOccurs() {
+        // Arrange: Set up local authentication to pass
+        Mockito.`when`(localAuthenticationManager.authenticate()).then {
+            localAuthenticationManager.resultCallback.onSuccess(true)
+        }
+        // Arrange: Set up expired credentials that need renewal
+        val expiresAt = Date(CredentialsMock.CURRENT_TIME_MS)
+        insertTestCredentials(false, true, true, expiresAt, "scope")
+        Mockito.`when`(client.renewAuth("refreshToken")).thenReturn(request)
+
+        // Create a regular API error (not MFA required)
+        val regularApiError = AuthenticationException(
+            mapOf(
+                "error" to "invalid_grant",
+                "error_description" to "Invalid refresh token"
+            ),
+            400
+        )
+        Mockito.`when`(request.execute()).thenThrow(regularApiError)
+
+        // Act: Try to get credentials
+        manager.getCredentials(callback)
+
+        // Assert: Verify no MFA payload is present for non-MFA errors
+        verify(callback).onFailure(exceptionCaptor.capture())
+        val exception = exceptionCaptor.firstValue
+        // For non-MFA API errors, message is "An error occurred while processing the request."
+        MatcherAssert.assertThat(exception.message, Matchers.containsString("processing the request"))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload, Is.`is`(Matchers.nullValue()))
+        MatcherAssert.assertThat(exception.mfaToken, Is.`is`(Matchers.nullValue()))
+    }
+
+    @Test
+    @ExperimentalCoroutinesApi
+    public fun shouldThrowMfaRequiredExceptionWhenAwaitingExpiredCredentials(): Unit = runTest {
+        // Arrange: Set up local authentication to pass
+        Mockito.`when`(localAuthenticationManager.authenticate()).then {
+            localAuthenticationManager.resultCallback.onSuccess(true)
+        }
+        // Arrange: Set up expired credentials that need renewal
+        val expiresAt = Date(CredentialsMock.CURRENT_TIME_MS)
+        insertTestCredentials(false, true, true, expiresAt, "scope")
+        Mockito.`when`(client.renewAuth("refreshToken")).thenReturn(request)
+
+        // Create an AuthenticationException that simulates MFA required response
+        val mfaRequiredValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required",
+            "mfa_token" to "await-mfa-token-12345",
+            "mfa_requirements" to mapOf(
+                "challenge" to listOf(
+                    mapOf("type" to "otp")
+                )
+            )
+        )
+        val mfaRequiredException = AuthenticationException(mfaRequiredValues, 403)
+        Mockito.`when`(request.execute()).thenThrow(mfaRequiredException)
+
+        // Act & Assert: Verify awaitCredentials throws CredentialsManagerException with MFA payload
+        val exception = assertThrows(CredentialsManagerException::class.java) {
+            runBlocking { manager.awaitCredentials() }
+        }
+        MatcherAssert.assertThat(exception, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.cause, Is.`is`(mfaRequiredException))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.mfaToken, Is.`is`("await-mfa-token-12345"))
+    }
+
+    @Test
+    public fun shouldFailWithMfaRequiredContainingBothChallengeAndEnrollOptions() {
+        // Arrange: Set up local authentication to pass
+        Mockito.`when`(localAuthenticationManager.authenticate()).then {
+            localAuthenticationManager.resultCallback.onSuccess(true)
+        }
+        // Arrange: Set up expired credentials that need renewal
+        val expiresAt = Date(CredentialsMock.CURRENT_TIME_MS)
+        insertTestCredentials(false, true, true, expiresAt, "scope")
+        Mockito.`when`(client.renewAuth("refreshToken")).thenReturn(request)
+
+        // Create MFA required with BOTH challenge (existing factors) AND enroll (can add more factors)
+        val mfaRequiredValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "Multifactor authentication required",
+            "mfa_token" to "combined-mfa-token",
+            "mfa_requirements" to mapOf(
+                "challenge" to listOf(
+                    mapOf("type" to "otp")
+                ),
+                "enroll" to listOf(
+                    mapOf("type" to "sms"),
+                    mapOf("type" to "push-notification")
+                )
+            )
+        )
+        val mfaRequiredException = AuthenticationException(mfaRequiredValues, 403)
+        Mockito.`when`(request.execute()).thenThrow(mfaRequiredException)
+
+        // Act: Try to get credentials
+        manager.getCredentials(callback)
+
+        // Assert: Verify both challenge and enroll are present in the payload
+        verify(callback).onFailure(exceptionCaptor.capture())
+        val exception = exceptionCaptor.firstValue
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.mfaToken, Is.`is`("combined-mfa-token"))
+        
+        // Verify challenge factors
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.challenge, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.challenge?.size, Is.`is`(1))
+        
+        // Verify enroll factors
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.enroll, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.mfaRequiredErrorPayload?.mfaRequirements?.enroll?.size, Is.`is`(2))
+    }
+
+    @Test
+    public fun shouldPreserveOriginalAuthenticationExceptionAsCauseForMfaRequired() {
+        // Arrange: Set up local authentication to pass
+        Mockito.`when`(localAuthenticationManager.authenticate()).then {
+            localAuthenticationManager.resultCallback.onSuccess(true)
+        }
+        // Arrange: Set up expired credentials that need renewal
+        val expiresAt = Date(CredentialsMock.CURRENT_TIME_MS)
+        insertTestCredentials(false, true, true, expiresAt, "scope")
+        Mockito.`when`(client.renewAuth("refreshToken")).thenReturn(request)
+
+        val mfaRequiredValues = mapOf(
+            "error" to "mfa_required",
+            "error_description" to "MFA is required for this action",
+            "mfa_token" to "cause-test-token"
+        )
+        val originalException = AuthenticationException(mfaRequiredValues, 403)
+        Mockito.`when`(request.execute()).thenThrow(originalException)
+
+        // Act
+        manager.getCredentials(callback)
+
+        // Assert: Verify the original exception is preserved as cause
+        verify(callback).onFailure(exceptionCaptor.capture())
+        val exception = exceptionCaptor.firstValue
+        
+        // The cause should be the original AuthenticationException
+        MatcherAssert.assertThat(exception.cause, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(exception.cause, IsInstanceOf.instanceOf(AuthenticationException::class.java))
+        
+        val causeException = exception.cause as AuthenticationException
+        MatcherAssert.assertThat(causeException.getCode(), Is.`is`("mfa_required"))
+        MatcherAssert.assertThat(causeException.isMultifactorRequired, Is.`is`(true))
+        MatcherAssert.assertThat(causeException.getDescription(), Is.`is`("MFA is required for this action"))
+    }
+
     /**
      * Testing that getCredentials execution from multiple threads via multiple instances of SecureCredentialsManager should trigger only one network request.
      */