@auth-craft/aws-cf-stack 1.0.1 → 1.1.1

package/README.md

@@ -46,7 +46,7 @@ So `outputs`/`gateway` look up the api stack `<app>-<stage>-api`. The CDK output
 | `admin`   | Create the super-admin (idempotent; **skips** if `LAMBDA_SUPER_ADMIN_*` / `LAMBDA_AUTH_SETUP_TOKEN` unset; "already exists" = success). |
 | `gateway` | Deploy the 3 gateway workers. Re-reads the Lambda outputs from CloudFormation if run as a separate invocation. |
 | `all`     | `lambda` → `admin` → `gateway`, one run. |
-| `outputs` | Print the live api-stack outputs as JSON (no deploy), incl. derived `backendUrl`. For self-driving callers. |
+| `outputs` | Print the live api-stack outputs as JSON (no deploy): `backendUrl`, `apiBasePath`, `dynamodbTable`, and the auth keys read **from the live Lambda config** (`jwtPublicKey`, `jwtIssuer`, `jwtAlgorithm`, `serviceJwtPublicKey`) + `gatewayUrls`/`routePrefixes`. Self-contained — works standalone (no env), so an orchestrator can auto-fill its `*_AUTH_*` vars. |
 
 ## Requirements (on the deploying machine)
 

package/lib/common.sh

@@ -166,6 +166,17 @@ cfn_output() {
     --output text --region "$AWS_REGION" 2>/dev/null || true
 }
 
+# Read one environment variable from a deployed Lambda's live config. Lets `outputs`
+# be self-contained (read what the Lambda actually runs with) instead of depending on
+# the caller's process env. Note the runtime var names differ from the LAMBDA_* inputs
+# (e.g. JWT_PUBLIC_KEY, not LAMBDA_JWT_PUBLIC_KEY).
+lambda_env() {
+  local fn="$1" key="$2"
+  require_cmd aws
+  aws lambda get-function-configuration --function-name "$fn" --region "$AWS_REGION" \
+    --query "Environment.Variables.${key}" --output text 2>/dev/null | sed 's/^None$//' || true
+}
+
 # Derive a gateway worker URL for a scope (custom domain > workers.dev > empty).
 gateway_url_for() {
   local scope="$1" upper dom_var custom
@@ -183,31 +194,46 @@ gateway_url_for() {
 
 # Print the live deploy outputs of the existing api stack as JSON, for an
 # orchestrator that drives its own steps between stages and wants to AUTO-FILL its
-# own *_AUTH_* vars without copying anything by hand. Includes:
+# own *_AUTH_* vars without copying anything by hand. SELF-CONTAINED: the JWT keys /
+# issuer / alg are read from the LIVE Lambda config (get-function-configuration), so it
+# works when run standalone (no env), falling back to process env only if the read is
+# empty. Includes:
 #   - lambdaFunctionUrl, apiBasePath, authSystemName, dynamodbTable
 #   - backendUrl (= functionUrl + basePath, the anti-drift value)
-#   - jwtPublicKey + jwtIssuer (what verifiers need; issuer = LAMBDA_JWT_ISSUER || authSystemName)
+#   - jwtPublicKey + jwtIssuer + jwtAlgorithm + serviceJwtPublicKey (from the Lambda)
 #   - gatewayUrls{system,tenant,customer} + routePrefixes{...}
 print_outputs_json() {
   require_cmd aws; require_cmd jq
   require_aws_identity
   local api_stack="${APP_NAME}-${STAGE}-api"
-  local url base name table backend issuer
+  local url base name table fn backend issuer
   url="$(cfn_output "$api_stack" LambdaFunctionUrl)"
   base="$(cfn_output "$api_stack" ApiBasePath)"
   name="$(cfn_output "$api_stack" AuthSystemName)"
   table="$(cfn_output "$api_stack" DynamoDBTableName)"
+  fn="$(cfn_output "$api_stack" LambdaFunctionName)"
   [[ -n "$url" && "$url" != "None" ]] \
     || die "No outputs for stack $api_stack in $AWS_REGION — deploy the lambda stage first."
   backend="${url%/}${base}"
-  issuer="${LAMBDA_JWT_ISSUER:-$name}"
+
+  # Read the auth-relevant values from the LIVE Lambda config so `outputs` is
+  # self-contained (works when run standalone, e.g. deploying the BFF later in a
+  # separate process). Fall back to the caller's process env if the Lambda read is
+  # empty. Runtime var names differ from the LAMBDA_* inputs.
+  local jwtPub jwtIssuer jwtAlg svcPub
+  [[ -n "$fn" && "$fn" != "None" ]] || fn="$name"
+  jwtPub="$(lambda_env "$fn" JWT_PUBLIC_KEY)";            jwtPub="${jwtPub:-${LAMBDA_JWT_PUBLIC_KEY:-}}"
+  jwtIssuer="$(lambda_env "$fn" JWT_ISSUER)";             jwtIssuer="${jwtIssuer:-${LAMBDA_JWT_ISSUER:-$name}}"
+  jwtAlg="$(lambda_env "$fn" JWT_ALGORITHM)";             jwtAlg="${jwtAlg:-${LAMBDA_JWT_ALGORITHM:-EdDSA}}"
+  svcPub="$(lambda_env "$fn" INTERNAL_JWT_PUBLIC_KEY)";   svcPub="${svcPub:-${LAMBDA_INTERNAL_JWT_PUBLIC_KEY:-}}"
+
   jq -n \
     --arg url "$url" --arg base "$base" --arg name "$name" \
     --arg table "$table" --arg backend "$backend" \
     --arg stage "$STAGE" --arg project "${PROJECT:-default}" --arg region "$AWS_REGION" \
-    --arg jwtPub "${LAMBDA_JWT_PUBLIC_KEY:-}" --arg jwtIssuer "$issuer" \
-    --arg jwtAlg "${LAMBDA_JWT_ALGORITHM:-EdDSA}" \
-    --arg svcPub "${LAMBDA_INTERNAL_JWT_PUBLIC_KEY:-}" \
+    --arg jwtPub "$jwtPub" --arg jwtIssuer "$jwtIssuer" \
+    --arg jwtAlg "$jwtAlg" \
+    --arg svcPub "$svcPub" \
     --arg gwSystem "$(gateway_url_for system)" \
     --arg gwTenant "$(gateway_url_for tenant)" \
     --arg gwCustomer "$(gateway_url_for customer)" \

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth-craft/aws-cf-stack",
-  "version": "1.0.1",
+  "version": "1.1.1",
   "description": "Self-contained, versioned distribution of the Auth Craft AWS (DynamoDB + Lambda) + Cloudflare gateway stack. Bundles prebuilt Lambda/worker artifacts + CDK app so consumers deploy without cloning auth-craft.",
   "type": "module",
   "bin": {
@@ -16,17 +16,17 @@
     ".env.example"
   ],
   "dependencies": {
-    "aws-cdk-lib": "^2.258.1",
+    "aws-cdk-lib": "^2.260.0",
     "constructs": "^10.6.0"
   },
   "devDependencies": {
-    "@types/node": "^25.9.2",
+    "@types/node": "^25.9.3",
     "tsx": "^4.22.4",
     "typescript": "^6.0.3"
   },
   "peerDependencies": {
-    "aws-cdk": "^2.1126.0",
-    "wrangler": "^4.99.0"
+    "aws-cdk": "^2.1128.0",
+    "wrangler": "^4.101.0"
   },
   "peerDependenciesMeta": {
     "aws-cdk": {