@aws-amplify/backend-notifications 0.0.0-test-20260708085627
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +235 -0
- package/lib/campaign-association-asset/index.js +48413 -0
- package/lib/constants.d.ts +122 -0
- package/lib/constants.js +125 -0
- package/lib/construct.d.ts +283 -0
- package/lib/construct.js +824 -0
- package/lib/factory.d.ts +53 -0
- package/lib/factory.js +158 -0
- package/lib/handler-asset/index.js +530 -0
- package/lib/index.d.ts +7 -0
- package/lib/index.js +5 -0
- package/lib/lambda/campaign-association/handler.d.ts +29 -0
- package/lib/lambda/campaign-association/handler.js +80 -0
- package/lib/lambda/campaign-association/integration.d.ts +59 -0
- package/lib/lambda/campaign-association/integration.js +108 -0
- package/lib/lambda/campaign-association/onboarding.d.ts +25 -0
- package/lib/lambda/campaign-association/onboarding.js +74 -0
- package/lib/lambda/identify/device_resolver.d.ts +18 -0
- package/lib/lambda/identify/device_resolver.js +56 -0
- package/lib/lambda/identify/handler.d.ts +17 -0
- package/lib/lambda/identify/handler.js +124 -0
- package/lib/lambda/identify/mapping.d.ts +61 -0
- package/lib/lambda/identify/mapping.js +171 -0
- package/lib/lambda/identify/merge_resolver.d.ts +26 -0
- package/lib/lambda/identify/merge_resolver.js +36 -0
- package/lib/lambda/identify/principal.d.ts +68 -0
- package/lib/lambda/identify/principal.js +48 -0
- package/lib/lambda/identify/profile_resolver.d.ts +35 -0
- package/lib/lambda/identify/profile_resolver.js +65 -0
- package/lib/lambda/identify/types.d.ts +90 -0
- package/lib/lambda/identify/types.js +10 -0
- package/lib/lambda/identify/validation.d.ts +15 -0
- package/lib/lambda/identify/validation.js +99 -0
- package/lib/lambda/push/delivery.d.ts +49 -0
- package/lib/lambda/push/delivery.js +120 -0
- package/lib/lambda/push/device_lookup.d.ts +35 -0
- package/lib/lambda/push/device_lookup.js +88 -0
- package/lib/lambda/push/eum_client.d.ts +31 -0
- package/lib/lambda/push/eum_client.js +140 -0
- package/lib/lambda/push/event.d.ts +32 -0
- package/lib/lambda/push/event.js +122 -0
- package/lib/lambda/push/fixtures/real_journey_event.d.ts +19 -0
- package/lib/lambda/push/fixtures/real_journey_event.js +22 -0
- package/lib/lambda/push/handler.d.ts +15 -0
- package/lib/lambda/push/handler.js +86 -0
- package/lib/lambda/push/message_template.d.ts +72 -0
- package/lib/lambda/push/message_template.js +270 -0
- package/lib/lambda/push/payload.d.ts +25 -0
- package/lib/lambda/push/payload.js +53 -0
- package/lib/lambda/push/types.d.ts +153 -0
- package/lib/lambda/push/types.js +4 -0
- package/lib/lambda/shared/retry.d.ts +18 -0
- package/lib/lambda/shared/retry.js +45 -0
- package/lib/object_types.d.ts +63 -0
- package/lib/object_types.js +131 -0
- package/lib/push-handler-asset/index.js +75517 -0
- package/lib/types.d.ts +125 -0
- package/lib/types.js +2 -0
- package/package.json +49 -0
package/README.md
ADDED
|
@@ -0,0 +1,235 @@
|
|
|
1
|
+
# @aws-amplify/backend-notifications
|
|
2
|
+
|
|
3
|
+
> **Preview:** this package is in preview / prerelease. Its API and generated
|
|
4
|
+
> resources may change in a future release.
|
|
5
|
+
|
|
6
|
+
An Amplify Gen2 backend factory (`defineNotifications`) that adds an
|
|
7
|
+
Amazon Connect Customer Profiles–backed **identify-user** API (for both
|
|
8
|
+
authenticated and guest users) and a **push-delivery** Lambda to your app. It
|
|
9
|
+
replaces the deprecated Pinpoint `identifyUser` / `UpdateEndpoint` flow with
|
|
10
|
+
per-user Customer Profiles storage plus device registration.
|
|
11
|
+
|
|
12
|
+
## Installation
|
|
13
|
+
|
|
14
|
+
```bash
|
|
15
|
+
npm i @aws-amplify/backend-notifications
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
It has peer dependencies on `aws-cdk-lib` (`^2.234.1`) and `constructs`
|
|
19
|
+
(`^10.0.0`), which an Amplify Gen2 project already provides via
|
|
20
|
+
`@aws-amplify/backend`.
|
|
21
|
+
|
|
22
|
+
## Prerequisites
|
|
23
|
+
|
|
24
|
+
- An Amplify Gen2 backend defined with `defineBackend`.
|
|
25
|
+
- An **`auth` resource** (Cognito) in that backend. `defineNotifications`
|
|
26
|
+
throws a `NotificationsMissingAuthError` if no auth resource is present — the
|
|
27
|
+
HTTP API's JWT authorizer is bound to your app's Cognito user pool.
|
|
28
|
+
- For **guest** (unauthenticated) identification, your auth resource must allow
|
|
29
|
+
unauthenticated (guest) access on its Cognito Identity Pool (see
|
|
30
|
+
[guest support](#guest-unauthenticated-support) below).
|
|
31
|
+
|
|
32
|
+
## What it provisions
|
|
33
|
+
|
|
34
|
+
- Three Customer Profiles object types:
|
|
35
|
+
- `AmplifyProfile` — an authenticated person profile, keyed by the verified
|
|
36
|
+
Cognito `sub`.
|
|
37
|
+
- `AmplifyGuestProfile` — a guest profile, keyed by the unauthenticated
|
|
38
|
+
Cognito Identity Pool `identityId`.
|
|
39
|
+
- `AmplifyDevice` — a device object (keyed by a stable `deviceId`).
|
|
40
|
+
- An HTTP API + `identify-user` Lambda that find-or-creates the caller's profile
|
|
41
|
+
and registers their device, exposing two routes:
|
|
42
|
+
- `POST /identify-user` — authenticated, authorized by a **Cognito user-pool
|
|
43
|
+
JWT** authorizer.
|
|
44
|
+
- `POST /identify-user-guest` — guest, authorized by **IAM/SigV4** (callable
|
|
45
|
+
with unauthenticated Cognito Identity Pool credentials).
|
|
46
|
+
- A push-delivery Lambda (a Connect **Journey Custom-action** target) plus a
|
|
47
|
+
minimal **AWS End User Messaging (Pinpoint)** application, so Connect can
|
|
48
|
+
deliver mobile push through `SendMessages`.
|
|
49
|
+
|
|
50
|
+
## Modes
|
|
51
|
+
|
|
52
|
+
`defineNotifications` operates in one of two modes, chosen by whether you pass
|
|
53
|
+
`domainName`:
|
|
54
|
+
|
|
55
|
+
### Create-from-scratch (default — no `domainName`)
|
|
56
|
+
|
|
57
|
+
Calling `defineNotifications()` with no `domainName` is the zero-config default.
|
|
58
|
+
It provisions, from scratch and with generated stable names:
|
|
59
|
+
|
|
60
|
+
- a new Amazon Connect instance (`CONNECT_MANAGED`) and a new Customer Profiles
|
|
61
|
+
domain, with the object types registered into it;
|
|
62
|
+
- an automatic **Outbound Campaigns v2** association of the new domain with the
|
|
63
|
+
new instance (via a Lambda-backed CDK custom resource at deploy time), so
|
|
64
|
+
Connect Journeys can target these profiles;
|
|
65
|
+
- a **message-templates knowledge base** associated with the instance, so push
|
|
66
|
+
templates are authorable in the Amazon Connect console.
|
|
67
|
+
|
|
68
|
+
No pre-existing Connect setup is required.
|
|
69
|
+
|
|
70
|
+
### Attach (`domainName` provided)
|
|
71
|
+
|
|
72
|
+
Passing an existing `domainName` **attaches** to that Customer Profiles domain:
|
|
73
|
+
it registers the object types into the domain additively and never creates a
|
|
74
|
+
Connect instance or a domain. It does not touch the domain's other integrations
|
|
75
|
+
(CTR, Outbound Campaigns) or its Identity Resolution setting. Associating a
|
|
76
|
+
pre-existing domain with Outbound Campaigns remains your responsibility.
|
|
77
|
+
|
|
78
|
+
## Usage
|
|
79
|
+
|
|
80
|
+
### Zero-config (create from scratch)
|
|
81
|
+
|
|
82
|
+
```ts
|
|
83
|
+
import { defineBackend } from '@aws-amplify/backend';
|
|
84
|
+
import { defineNotifications } from '@aws-amplify/backend-notifications';
|
|
85
|
+
import { auth } from './auth/resource';
|
|
86
|
+
|
|
87
|
+
defineBackend({
|
|
88
|
+
auth,
|
|
89
|
+
// Creates a new Connect instance + Customer Profiles domain and wires
|
|
90
|
+
// everything up — no pre-existing Connect setup required.
|
|
91
|
+
notifications: defineNotifications(),
|
|
92
|
+
});
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
### Attach to an existing Customer Profiles domain
|
|
96
|
+
|
|
97
|
+
```ts
|
|
98
|
+
import { defineBackend } from '@aws-amplify/backend';
|
|
99
|
+
import { defineNotifications } from '@aws-amplify/backend-notifications';
|
|
100
|
+
import { auth } from './auth/resource';
|
|
101
|
+
|
|
102
|
+
defineBackend({
|
|
103
|
+
auth,
|
|
104
|
+
notifications: defineNotifications({
|
|
105
|
+
// OPTIONAL: attach to an EXISTING Customer Profiles domain — e.g. the
|
|
106
|
+
// domain Amazon Connect auto-creates for your instance. Omit to create
|
|
107
|
+
// from scratch (the default above).
|
|
108
|
+
domainName: 'amazon-connect-amplify',
|
|
109
|
+
// OPTIONAL: object-type record expiration in days (default 366).
|
|
110
|
+
// expirationDays: 366,
|
|
111
|
+
}),
|
|
112
|
+
});
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
`domainName` is **optional**: omit it for the create-from-scratch default, or
|
|
116
|
+
provide it to attach to an existing domain. All properties of
|
|
117
|
+
`defineNotifications` are optional; an `auth` resource, however, is required.
|
|
118
|
+
|
|
119
|
+
### Guest (unauthenticated) support
|
|
120
|
+
|
|
121
|
+
Guests register through the IAM/SigV4 `POST /identify-user-guest` route using
|
|
122
|
+
unauthenticated Cognito Identity Pool credentials, creating an
|
|
123
|
+
`AmplifyGuestProfile` (keyed by the Identity Pool `identityId`) plus their
|
|
124
|
+
device. When the user later signs in and calls the authenticated
|
|
125
|
+
`POST /identify-user` route with their prior guest `identityId`, the guest
|
|
126
|
+
profile — and its devices — is folded into the authenticated profile via a
|
|
127
|
+
Customer Profiles `MergeProfiles`, so a pre-login device keeps its registration
|
|
128
|
+
through sign-in.
|
|
129
|
+
|
|
130
|
+
The construct exposes the guest route's `execute-api:Invoke` ARN as
|
|
131
|
+
`guestRouteInvokeArn` (and as a stack output) so the app can grant it to the
|
|
132
|
+
Cognito Identity Pool **unauthenticated** role.
|
|
133
|
+
|
|
134
|
+
## Client configuration output
|
|
135
|
+
|
|
136
|
+
The API invoke endpoint and region are surfaced under the fixed custom-output
|
|
137
|
+
key `CustomerProfiles` in `amplify_outputs.json`:
|
|
138
|
+
|
|
139
|
+
```json
|
|
140
|
+
{
|
|
141
|
+
"custom": {
|
|
142
|
+
"CustomerProfiles": {
|
|
143
|
+
"endpoint": "https://<api-id>.execute-api.<region>.amazonaws.com",
|
|
144
|
+
"region": "<region>"
|
|
145
|
+
}
|
|
146
|
+
}
|
|
147
|
+
}
|
|
148
|
+
```
|
|
149
|
+
|
|
150
|
+
Clients reach the routes by convention — `POST {endpoint}/identify-user`
|
|
151
|
+
(authenticated) and `POST {endpoint}/identify-user-guest` (guest).
|
|
152
|
+
|
|
153
|
+
## Enabling push channels (APNS / GCM)
|
|
154
|
+
|
|
155
|
+
The APNS (Apple) and GCM/FCM (Android) channels require **platform credentials
|
|
156
|
+
that are secrets** (an APNS `.p8` token signing key, or an FCM service-account
|
|
157
|
+
JSON). There are two ways to enable them.
|
|
158
|
+
|
|
159
|
+
### Option A — declarative, via Amplify `secret()` (recommended)
|
|
160
|
+
|
|
161
|
+
Pass an optional `apns` and/or `fcm` config to `defineNotifications`. The secret
|
|
162
|
+
key material is supplied with Amplify's `secret()` and resolved at deploy time —
|
|
163
|
+
it is never written into the CloudFormation template as plain text (it flows
|
|
164
|
+
through the same secret custom-resource token Amplify uses for external-auth
|
|
165
|
+
provider secrets in `defineAuth`). Non-secret identifiers are plain props.
|
|
166
|
+
|
|
167
|
+
First store the secrets:
|
|
168
|
+
|
|
169
|
+
```bash
|
|
170
|
+
npx ampx sandbox secret set APNS_SIGNING_KEY # paste the AuthKey_XXXX.p8 contents
|
|
171
|
+
npx ampx sandbox secret set FCM_SERVICE_ACCOUNT_JSON # paste the service-account JSON
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
Then wire them into the resource:
|
|
175
|
+
|
|
176
|
+
```ts
|
|
177
|
+
import { defineBackend, secret } from '@aws-amplify/backend';
|
|
178
|
+
import { defineNotifications } from '@aws-amplify/backend-notifications';
|
|
179
|
+
import { auth } from './auth/resource';
|
|
180
|
+
|
|
181
|
+
defineBackend({
|
|
182
|
+
auth,
|
|
183
|
+
notifications: defineNotifications({
|
|
184
|
+
domainName: 'amazon-connect-amplify',
|
|
185
|
+
// APNs token (.p8) auth. Set `sandbox: true` for development builds.
|
|
186
|
+
apns: {
|
|
187
|
+
keySecret: secret('APNS_SIGNING_KEY'),
|
|
188
|
+
keyId: 'ABC123DEFG',
|
|
189
|
+
teamId: 'DEF456GHIJ',
|
|
190
|
+
bundleId: 'com.example.app',
|
|
191
|
+
},
|
|
192
|
+
// FCM HTTP v1 (Google deprecated the legacy server key). The credential is
|
|
193
|
+
// the service-account JSON; the construct sets DefaultAuthenticationMethod=TOKEN.
|
|
194
|
+
fcm: {
|
|
195
|
+
credentialsSecret: secret('FCM_SERVICE_ACCOUNT_JSON'),
|
|
196
|
+
},
|
|
197
|
+
}),
|
|
198
|
+
});
|
|
199
|
+
```
|
|
200
|
+
|
|
201
|
+
When `apns`/`fcm` are omitted the channels are left unset (the End User
|
|
202
|
+
Messaging application is still created, but no channel is enabled) — unchanged
|
|
203
|
+
behavior.
|
|
204
|
+
|
|
205
|
+
> Note: `SendMessages` will only deliver once a channel is enabled **and** the
|
|
206
|
+
> credentials are valid for a real Apple/Google project. A placeholder/dummy
|
|
207
|
+
> secret enables the channel-configuration path but will not deliver to a device.
|
|
208
|
+
|
|
209
|
+
### Option B — enable the channels yourself after deploy
|
|
210
|
+
|
|
211
|
+
If you prefer to keep credentials entirely out of the backend definition, omit
|
|
212
|
+
`apns`/`fcm` and enable the channels on the created application with **your own
|
|
213
|
+
credentials**, via the console or CLI:
|
|
214
|
+
|
|
215
|
+
- **Console:** AWS End User Messaging → your application → **Push notifications**
|
|
216
|
+
→ enable APNS and/or FCM and upload your credentials.
|
|
217
|
+
- **CLI (FCM/GCM):**
|
|
218
|
+
|
|
219
|
+
```bash
|
|
220
|
+
aws pinpoint update-gcm-channel \
|
|
221
|
+
--application-id <APP_ID> \
|
|
222
|
+
--gcm-channel-request 'Enabled=true,DefaultAuthenticationMethod=TOKEN,ServiceJson=<FCM_SERVICE_ACCOUNT_JSON>'
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
- **CLI (APNS):**
|
|
226
|
+
|
|
227
|
+
```bash
|
|
228
|
+
aws pinpoint update-apns-channel \
|
|
229
|
+
--application-id <APP_ID> \
|
|
230
|
+
--apns-channel-request 'Enabled=true,TokenKey=<KEY>,TokenKeyId=<KEY_ID>,TeamId=<TEAM_ID>,BundleId=<BUNDLE_ID>'
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
The application id is exported by the construct as `eumApplicationId` (and via
|
|
234
|
+
the `PushHandlerFunctionArn` / stack outputs for wiring the Journey
|
|
235
|
+
Custom-action).
|