@aws-amplify/backend-notifications 0.0.0-test-20260708085627

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/README.md +235 -0
  2. package/lib/campaign-association-asset/index.js +48413 -0
  3. package/lib/constants.d.ts +122 -0
  4. package/lib/constants.js +125 -0
  5. package/lib/construct.d.ts +283 -0
  6. package/lib/construct.js +824 -0
  7. package/lib/factory.d.ts +53 -0
  8. package/lib/factory.js +158 -0
  9. package/lib/handler-asset/index.js +530 -0
  10. package/lib/index.d.ts +7 -0
  11. package/lib/index.js +5 -0
  12. package/lib/lambda/campaign-association/handler.d.ts +29 -0
  13. package/lib/lambda/campaign-association/handler.js +80 -0
  14. package/lib/lambda/campaign-association/integration.d.ts +59 -0
  15. package/lib/lambda/campaign-association/integration.js +108 -0
  16. package/lib/lambda/campaign-association/onboarding.d.ts +25 -0
  17. package/lib/lambda/campaign-association/onboarding.js +74 -0
  18. package/lib/lambda/identify/device_resolver.d.ts +18 -0
  19. package/lib/lambda/identify/device_resolver.js +56 -0
  20. package/lib/lambda/identify/handler.d.ts +17 -0
  21. package/lib/lambda/identify/handler.js +124 -0
  22. package/lib/lambda/identify/mapping.d.ts +61 -0
  23. package/lib/lambda/identify/mapping.js +171 -0
  24. package/lib/lambda/identify/merge_resolver.d.ts +26 -0
  25. package/lib/lambda/identify/merge_resolver.js +36 -0
  26. package/lib/lambda/identify/principal.d.ts +68 -0
  27. package/lib/lambda/identify/principal.js +48 -0
  28. package/lib/lambda/identify/profile_resolver.d.ts +35 -0
  29. package/lib/lambda/identify/profile_resolver.js +65 -0
  30. package/lib/lambda/identify/types.d.ts +90 -0
  31. package/lib/lambda/identify/types.js +10 -0
  32. package/lib/lambda/identify/validation.d.ts +15 -0
  33. package/lib/lambda/identify/validation.js +99 -0
  34. package/lib/lambda/push/delivery.d.ts +49 -0
  35. package/lib/lambda/push/delivery.js +120 -0
  36. package/lib/lambda/push/device_lookup.d.ts +35 -0
  37. package/lib/lambda/push/device_lookup.js +88 -0
  38. package/lib/lambda/push/eum_client.d.ts +31 -0
  39. package/lib/lambda/push/eum_client.js +140 -0
  40. package/lib/lambda/push/event.d.ts +32 -0
  41. package/lib/lambda/push/event.js +122 -0
  42. package/lib/lambda/push/fixtures/real_journey_event.d.ts +19 -0
  43. package/lib/lambda/push/fixtures/real_journey_event.js +22 -0
  44. package/lib/lambda/push/handler.d.ts +15 -0
  45. package/lib/lambda/push/handler.js +86 -0
  46. package/lib/lambda/push/message_template.d.ts +72 -0
  47. package/lib/lambda/push/message_template.js +270 -0
  48. package/lib/lambda/push/payload.d.ts +25 -0
  49. package/lib/lambda/push/payload.js +53 -0
  50. package/lib/lambda/push/types.d.ts +153 -0
  51. package/lib/lambda/push/types.js +4 -0
  52. package/lib/lambda/shared/retry.d.ts +18 -0
  53. package/lib/lambda/shared/retry.js +45 -0
  54. package/lib/object_types.d.ts +63 -0
  55. package/lib/object_types.js +131 -0
  56. package/lib/push-handler-asset/index.js +75517 -0
  57. package/lib/types.d.ts +125 -0
  58. package/lib/types.js +2 -0
  59. package/package.json +49 -0
package/README.md ADDED
@@ -0,0 +1,235 @@
1
+ # @aws-amplify/backend-notifications
2
+
3
+ > **Preview:** this package is in preview / prerelease. Its API and generated
4
+ > resources may change in a future release.
5
+
6
+ An Amplify Gen2 backend factory (`defineNotifications`) that adds an
7
+ Amazon Connect Customer Profiles–backed **identify-user** API (for both
8
+ authenticated and guest users) and a **push-delivery** Lambda to your app. It
9
+ replaces the deprecated Pinpoint `identifyUser` / `UpdateEndpoint` flow with
10
+ per-user Customer Profiles storage plus device registration.
11
+
12
+ ## Installation
13
+
14
+ ```bash
15
+ npm i @aws-amplify/backend-notifications
16
+ ```
17
+
18
+ It has peer dependencies on `aws-cdk-lib` (`^2.234.1`) and `constructs`
19
+ (`^10.0.0`), which an Amplify Gen2 project already provides via
20
+ `@aws-amplify/backend`.
21
+
22
+ ## Prerequisites
23
+
24
+ - An Amplify Gen2 backend defined with `defineBackend`.
25
+ - An **`auth` resource** (Cognito) in that backend. `defineNotifications`
26
+ throws a `NotificationsMissingAuthError` if no auth resource is present — the
27
+ HTTP API's JWT authorizer is bound to your app's Cognito user pool.
28
+ - For **guest** (unauthenticated) identification, your auth resource must allow
29
+ unauthenticated (guest) access on its Cognito Identity Pool (see
30
+ [guest support](#guest-unauthenticated-support) below).
31
+
32
+ ## What it provisions
33
+
34
+ - Three Customer Profiles object types:
35
+ - `AmplifyProfile` — an authenticated person profile, keyed by the verified
36
+ Cognito `sub`.
37
+ - `AmplifyGuestProfile` — a guest profile, keyed by the unauthenticated
38
+ Cognito Identity Pool `identityId`.
39
+ - `AmplifyDevice` — a device object (keyed by a stable `deviceId`).
40
+ - An HTTP API + `identify-user` Lambda that find-or-creates the caller's profile
41
+ and registers their device, exposing two routes:
42
+ - `POST /identify-user` — authenticated, authorized by a **Cognito user-pool
43
+ JWT** authorizer.
44
+ - `POST /identify-user-guest` — guest, authorized by **IAM/SigV4** (callable
45
+ with unauthenticated Cognito Identity Pool credentials).
46
+ - A push-delivery Lambda (a Connect **Journey Custom-action** target) plus a
47
+ minimal **AWS End User Messaging (Pinpoint)** application, so Connect can
48
+ deliver mobile push through `SendMessages`.
49
+
50
+ ## Modes
51
+
52
+ `defineNotifications` operates in one of two modes, chosen by whether you pass
53
+ `domainName`:
54
+
55
+ ### Create-from-scratch (default — no `domainName`)
56
+
57
+ Calling `defineNotifications()` with no `domainName` is the zero-config default.
58
+ It provisions, from scratch and with generated stable names:
59
+
60
+ - a new Amazon Connect instance (`CONNECT_MANAGED`) and a new Customer Profiles
61
+ domain, with the object types registered into it;
62
+ - an automatic **Outbound Campaigns v2** association of the new domain with the
63
+ new instance (via a Lambda-backed CDK custom resource at deploy time), so
64
+ Connect Journeys can target these profiles;
65
+ - a **message-templates knowledge base** associated with the instance, so push
66
+ templates are authorable in the Amazon Connect console.
67
+
68
+ No pre-existing Connect setup is required.
69
+
70
+ ### Attach (`domainName` provided)
71
+
72
+ Passing an existing `domainName` **attaches** to that Customer Profiles domain:
73
+ it registers the object types into the domain additively and never creates a
74
+ Connect instance or a domain. It does not touch the domain's other integrations
75
+ (CTR, Outbound Campaigns) or its Identity Resolution setting. Associating a
76
+ pre-existing domain with Outbound Campaigns remains your responsibility.
77
+
78
+ ## Usage
79
+
80
+ ### Zero-config (create from scratch)
81
+
82
+ ```ts
83
+ import { defineBackend } from '@aws-amplify/backend';
84
+ import { defineNotifications } from '@aws-amplify/backend-notifications';
85
+ import { auth } from './auth/resource';
86
+
87
+ defineBackend({
88
+ auth,
89
+ // Creates a new Connect instance + Customer Profiles domain and wires
90
+ // everything up — no pre-existing Connect setup required.
91
+ notifications: defineNotifications(),
92
+ });
93
+ ```
94
+
95
+ ### Attach to an existing Customer Profiles domain
96
+
97
+ ```ts
98
+ import { defineBackend } from '@aws-amplify/backend';
99
+ import { defineNotifications } from '@aws-amplify/backend-notifications';
100
+ import { auth } from './auth/resource';
101
+
102
+ defineBackend({
103
+ auth,
104
+ notifications: defineNotifications({
105
+ // OPTIONAL: attach to an EXISTING Customer Profiles domain — e.g. the
106
+ // domain Amazon Connect auto-creates for your instance. Omit to create
107
+ // from scratch (the default above).
108
+ domainName: 'amazon-connect-amplify',
109
+ // OPTIONAL: object-type record expiration in days (default 366).
110
+ // expirationDays: 366,
111
+ }),
112
+ });
113
+ ```
114
+
115
+ `domainName` is **optional**: omit it for the create-from-scratch default, or
116
+ provide it to attach to an existing domain. All properties of
117
+ `defineNotifications` are optional; an `auth` resource, however, is required.
118
+
119
+ ### Guest (unauthenticated) support
120
+
121
+ Guests register through the IAM/SigV4 `POST /identify-user-guest` route using
122
+ unauthenticated Cognito Identity Pool credentials, creating an
123
+ `AmplifyGuestProfile` (keyed by the Identity Pool `identityId`) plus their
124
+ device. When the user later signs in and calls the authenticated
125
+ `POST /identify-user` route with their prior guest `identityId`, the guest
126
+ profile — and its devices — is folded into the authenticated profile via a
127
+ Customer Profiles `MergeProfiles`, so a pre-login device keeps its registration
128
+ through sign-in.
129
+
130
+ The construct exposes the guest route's `execute-api:Invoke` ARN as
131
+ `guestRouteInvokeArn` (and as a stack output) so the app can grant it to the
132
+ Cognito Identity Pool **unauthenticated** role.
133
+
134
+ ## Client configuration output
135
+
136
+ The API invoke endpoint and region are surfaced under the fixed custom-output
137
+ key `CustomerProfiles` in `amplify_outputs.json`:
138
+
139
+ ```json
140
+ {
141
+ "custom": {
142
+ "CustomerProfiles": {
143
+ "endpoint": "https://<api-id>.execute-api.<region>.amazonaws.com",
144
+ "region": "<region>"
145
+ }
146
+ }
147
+ }
148
+ ```
149
+
150
+ Clients reach the routes by convention — `POST {endpoint}/identify-user`
151
+ (authenticated) and `POST {endpoint}/identify-user-guest` (guest).
152
+
153
+ ## Enabling push channels (APNS / GCM)
154
+
155
+ The APNS (Apple) and GCM/FCM (Android) channels require **platform credentials
156
+ that are secrets** (an APNS `.p8` token signing key, or an FCM service-account
157
+ JSON). There are two ways to enable them.
158
+
159
+ ### Option A — declarative, via Amplify `secret()` (recommended)
160
+
161
+ Pass an optional `apns` and/or `fcm` config to `defineNotifications`. The secret
162
+ key material is supplied with Amplify's `secret()` and resolved at deploy time —
163
+ it is never written into the CloudFormation template as plain text (it flows
164
+ through the same secret custom-resource token Amplify uses for external-auth
165
+ provider secrets in `defineAuth`). Non-secret identifiers are plain props.
166
+
167
+ First store the secrets:
168
+
169
+ ```bash
170
+ npx ampx sandbox secret set APNS_SIGNING_KEY # paste the AuthKey_XXXX.p8 contents
171
+ npx ampx sandbox secret set FCM_SERVICE_ACCOUNT_JSON # paste the service-account JSON
172
+ ```
173
+
174
+ Then wire them into the resource:
175
+
176
+ ```ts
177
+ import { defineBackend, secret } from '@aws-amplify/backend';
178
+ import { defineNotifications } from '@aws-amplify/backend-notifications';
179
+ import { auth } from './auth/resource';
180
+
181
+ defineBackend({
182
+ auth,
183
+ notifications: defineNotifications({
184
+ domainName: 'amazon-connect-amplify',
185
+ // APNs token (.p8) auth. Set `sandbox: true` for development builds.
186
+ apns: {
187
+ keySecret: secret('APNS_SIGNING_KEY'),
188
+ keyId: 'ABC123DEFG',
189
+ teamId: 'DEF456GHIJ',
190
+ bundleId: 'com.example.app',
191
+ },
192
+ // FCM HTTP v1 (Google deprecated the legacy server key). The credential is
193
+ // the service-account JSON; the construct sets DefaultAuthenticationMethod=TOKEN.
194
+ fcm: {
195
+ credentialsSecret: secret('FCM_SERVICE_ACCOUNT_JSON'),
196
+ },
197
+ }),
198
+ });
199
+ ```
200
+
201
+ When `apns`/`fcm` are omitted the channels are left unset (the End User
202
+ Messaging application is still created, but no channel is enabled) — unchanged
203
+ behavior.
204
+
205
+ > Note: `SendMessages` will only deliver once a channel is enabled **and** the
206
+ > credentials are valid for a real Apple/Google project. A placeholder/dummy
207
+ > secret enables the channel-configuration path but will not deliver to a device.
208
+
209
+ ### Option B — enable the channels yourself after deploy
210
+
211
+ If you prefer to keep credentials entirely out of the backend definition, omit
212
+ `apns`/`fcm` and enable the channels on the created application with **your own
213
+ credentials**, via the console or CLI:
214
+
215
+ - **Console:** AWS End User Messaging → your application → **Push notifications**
216
+ → enable APNS and/or FCM and upload your credentials.
217
+ - **CLI (FCM/GCM):**
218
+
219
+ ```bash
220
+ aws pinpoint update-gcm-channel \
221
+ --application-id <APP_ID> \
222
+ --gcm-channel-request 'Enabled=true,DefaultAuthenticationMethod=TOKEN,ServiceJson=<FCM_SERVICE_ACCOUNT_JSON>'
223
+ ```
224
+
225
+ - **CLI (APNS):**
226
+
227
+ ```bash
228
+ aws pinpoint update-apns-channel \
229
+ --application-id <APP_ID> \
230
+ --apns-channel-request 'Enabled=true,TokenKey=<KEY>,TokenKeyId=<KEY_ID>,TeamId=<TEAM_ID>,BundleId=<BUNDLE_ID>'
231
+ ```
232
+
233
+ The application id is exported by the construct as `eumApplicationId` (and via
234
+ the `PushHandlerFunctionArn` / stack outputs for wiring the Journey
235
+ Custom-action).