@aws-amplify/data-schema 0.15.0 → 0.16.0

package/dist/esm/Authorization.mjs

@@ -0,0 +1,446 @@
+const __data = Symbol('data');
+/**
+ * All possible providers.
+ *
+ * This list should not be used if you need to restrict available providers
+ * according to an auth strategcy. E.g., `public` auth can only be facilitated
+ * by `apiKey` and `iam` providers.
+ */
+const Providers = [
+    'apiKey',
+    'iam',
+    'userPools',
+    'oidc',
+    'function',
+];
+/**
+ * The subset of auth providers that can facilitate `public` auth.
+ */
+const PublicProviders = ['apiKey', 'iam'];
+/**
+ * The subset of auth providers that can facilitate `private` auth.
+ */
+const PrivateProviders = ['userPools', 'oidc', 'iam'];
+/**
+ * The subset of auth providers that can facilitate `owner` auth.
+ */
+const OwnerProviders = ['userPools', 'oidc'];
+/**
+ * The subset of auth providers that can facilitate `group` auth.
+ */
+const GroupProviders = ['userPools', 'oidc'];
+/**
+ * The subset of auth providers that can facilitate `custom` auth.
+ */
+const CustomProviders = ['function'];
+const Strategies = [
+    'public',
+    'private',
+    'owner',
+    'groups',
+    'custom',
+];
+/**
+ * The operations that can be performed against an API.
+ */
+const Operations = [
+    'create',
+    'update',
+    'delete',
+    'read',
+    'get',
+    'list',
+    'sync',
+    'listen',
+    'search',
+];
+/**
+ * The operations that can be performed against an API by a Lambda function.
+ */
+const ResourceOperations = ['query', 'mutate', 'listen'];
+/**
+ * Creates a shallow copy of an object with an individual field pruned away.
+ *
+ * @param original The original object to prune.
+ * @param without The field to prune.
+ * @returns The pruned object.
+ */
+function omit(original, without) {
+    const pruned = { ...original };
+    delete pruned[without];
+    return pruned;
+}
+function to(operations) {
+    this[__data].operations = operations;
+    return omit(this, 'to');
+}
+/**
+ * Specifies a property of the identity JWT to use in place of `sub::username`
+ * as the value to match against the owner field for authorization.
+ *
+ * @param this Authorization object to operate against.
+ * @param property A property of identity JWT.
+ * @returns A copy of the Authorization object with the claim attached.
+ */
+function identityClaim(property) {
+    this[__data].identityClaim = property;
+    return omit(this, 'identityClaim');
+}
+function withClaimIn(property) {
+    this[__data].groupClaim = property;
+    return omit(this, 'withClaimIn');
+}
+function validateProvider(needle, haystack) {
+    if (needle && !haystack.includes(needle)) {
+        throw new Error(`Invalid provider (${needle}) given!`);
+    }
+}
+function authData(defaults, builderMethods) {
+    return {
+        [__data]: {
+            strategy: 'public',
+            provider: undefined,
+            operations: undefined,
+            groupOrOwnerField: undefined,
+            multiOwner: false,
+            identityClaim: undefined,
+            groups: undefined,
+            ...defaults,
+        },
+        ...builderMethods,
+    };
+}
+/**
+ * Defines an authorization rule for your data models and fields. First choose an authorization strategy (`public`,
+ * `private`, `owner`, `group`, or `custom`), then choose an auth provider (`apiKey`, `iam`, `userPools`, `oidc`, or `function`)
+ * and optionally use `.to(...)` to specify the operations that can be performed against your data models and fields.
+ */
+const allow = {
+    /**
+     * Authorize unauthenticated users by using API key based authorization.
+     * @returns an authorization rule for unauthenticated users
+     */
+    publicApiKey() {
+        return authData({
+            strategy: 'public',
+            provider: 'apiKey',
+        }, {
+            to,
+        });
+    },
+    /**
+     * Authorize unauthenticated users by using IAM based authorization.
+     * @returns an authorization rule for unauthenticated users
+     */
+    guest() {
+        return authData({
+            strategy: 'public',
+            provider: 'iam',
+        }, {
+            to,
+        });
+    },
+    /**
+     * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.authenticated("iam")` or `.authenticated("oidc")` to use IAM or OIDC based authorization for authenticated users.
+     * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
+     * @returns an authorization rule for authenticated users
+     */
+    authenticated(provider) {
+        validateProvider(provider, PrivateProviders);
+        return authData({
+            strategy: 'private',
+            provider,
+        }, {
+            to,
+        });
+    },
+    /**
+     * Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new `owner: a.string()`
+     * field will be added to the model to store which user "owns" the item. Upon item creation, the "owner field" is
+     * auto-populated with the authenticated user's information. If you want to specify which field should be used as
+     * the owner field, you can use the `ownerDefinedIn` builder function instead.
+     *
+     * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.owner("oidc")` to use OIDC based authentication to designate the owner.
+     *
+     * To change the specific claim that should be used as the user identifier within the owner field, chain the
+     * `.identityClaim(...)` method.
+     *
+     * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
+     * @returns an authorization rule for authenticated users
+     */
+    owner(provider) {
+        validateProvider(provider, OwnerProviders);
+        return authData({
+            strategy: 'owner',
+            provider,
+            groupOrOwnerField: 'owner',
+        }, {
+            to,
+            identityClaim,
+        });
+    },
+    /**
+     * Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field.
+     *
+     * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.ownerDefinedIn("owner", "oidc")` to use OIDC based authentication to designate the owner.
+     *
+     * To change the specific claim that should be used as the user identifier within the owner field, chain the
+     * `.identityClaim(...)` method.
+     *
+     * @param ownerField the field that contains the owner information
+     * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
+     * @returns an authorization rule for authenticated users
+     */
+    ownerDefinedIn(ownerField, provider) {
+        validateProvider(provider, OwnerProviders);
+        return authData({
+            strategy: 'owner',
+            provider,
+            groupOrOwnerField: ownerField,
+        }, {
+            to,
+            identityClaim,
+        });
+    },
+    /**
+     * Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new `owners: a.string().array()`
+     * field will be added to the model to store which users "own" the item. Upon item creation, the "owners field" is
+     * auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the `owners` array.
+     *
+     * You can specify which field should be used as the owners field by passing the `ownersField` parameter.
+     *
+     * By default, `.ownersDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.ownersDefinedIn("owners", "oidc")` to use OIDC based authentication to designate the owner.
+     *
+     * To change the specific claim that should be used as the user identifier within the owners field, chain the
+     * `.identityClaim(...)` method.
+     *
+     * @param ownersField the field that contains the owners information
+     * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
+     * @returns an authorization rule for authenticated users
+     */
+    ownersDefinedIn(ownersField, provider) {
+        validateProvider(provider, OwnerProviders);
+        return authData({
+            strategy: 'owner',
+            provider,
+            groupOrOwnerField: ownersField,
+            multiOwner: true,
+        }, {
+            to,
+            identityClaim,
+        });
+    },
+    /**
+     * Authorize a specific user group. Provide the name of the specific user group to have access.
+     *
+     * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.group("group-name", "oidc")` to use OIDC based authentication to designate the user group.
+     *
+     * To change the specific claim that should be used as the user group identifier, chain the
+     * `.withClaimIn(...)` method.
+     * @param group the name of the group to authorize
+     * @param provider the authentication provider - supports "userPools" or "oidc"
+     * @returns an authorization rule to grant access by a specific group
+     */
+    group(group, provider) {
+        return authData({
+            strategy: 'groups',
+            provider,
+            groups: [group],
+        }, {
+            to,
+            withClaimIn,
+        });
+    },
+    /**
+     * Authorize multiple specific user groups. Provide the names of the specific user groups to have access.
+     *
+     * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.groups(["group-a", "group-b"], "oidc")` to use OIDC based authentication to designate the user group.
+     *
+     * To change the specific claim that should be used as the user group identifier, chain the
+     * `.withClaimIn(...)` method.
+     * @param groups the names of the group to authorize defined as an array
+     * @param provider the authentication provider - supports "userPools" or "oidc"
+     * @returns an authorization rule to grant access by a specific group
+     */
+    groups(groups, provider) {
+        return authData({
+            strategy: 'groups',
+            provider,
+            groups,
+        }, {
+            to,
+            withClaimIn,
+        });
+    },
+    /**
+     * Authorize if a user is part of a group defined in a data model field.
+     *
+     * By default, `.groupDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.groupDefinedIn("field-name", "oidc")` to use OIDC based authentication to designate the user group.
+     *
+     * To change the specific claim that should be used as the user group identifier within the groups field, chain the
+     * `.withClaimIn(...)` method.
+     * @param groupsField the field that should store the authorized user group information
+     * @param provider the authentication provider - supports "userPools" or "oidc"
+     * @returns an authorization rule to grant access by a specific group
+     */
+    groupDefinedIn(groupsField, provider) {
+        return authData({
+            strategy: 'groups',
+            provider,
+            groupOrOwnerField: groupsField,
+        }, {
+            to,
+            withClaimIn,
+        });
+    },
+    /**
+     * Authorize if a user is part of a one of the groups defined in a data model field.
+     *
+     * By default, `.groupsDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.groupsDefinedIn("field-name", "oidc")` to use OIDC based authentication to designate the user group.
+     *
+     * To change the specific claim that should be used as the user group identifier within the groups field, chain the
+     * `.withClaimIn(...)` method.
+     * @param groupsField the field that should store the list of authorized user groups
+     * @param provider the authentication provider - supports "userPools" or "oidc"
+     * @returns an authorization rule to grant access by a specific group
+     */
+    groupsDefinedIn(groupsField, provider) {
+        return authData({
+            strategy: 'groups',
+            provider,
+            groupOrOwnerField: groupsField,
+            multiOwner: true,
+        }, {
+            to,
+            withClaimIn,
+        });
+    },
+    custom(provider) {
+        return authData({
+            strategy: 'custom',
+            provider,
+        }, {
+            to,
+        });
+    },
+    resource(fn) {
+        return resourceAuthData(fn, {
+            to: resourceTo,
+        });
+    },
+};
+/**
+ * This is a copy of the {@link allow} defined above, with modifications for custom operations.
+ *
+ * Removed builder methods:
+ *
+ * * `owner`
+ * * `ownerDefinedIn`
+ * * `ownersDefinedIn`
+ * * `groupDefinedIn`
+ * * `groupsDefinedIn`
+ * * `resource`
+ * * `.to()` builder method from each available rule builder
+ */
+const allowForCustomOperations = {
+    /**
+     * Authorize unauthenticated users by using API key based authorization.
+     * @returns an authorization rule for unauthenticated users
+     */
+    publicApiKey() {
+        return authData({
+            strategy: 'public',
+            provider: 'apiKey',
+        }, {});
+    },
+    /**
+     * Authorize unauthenticated users by using IAM based authorization.
+     * @returns an authorization rule for unauthenticated users
+     */
+    guest() {
+        return authData({
+            strategy: 'public',
+            provider: 'iam',
+        }, {});
+    },
+    /**
+     * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.authenticated("iam")` or `.authenticated("oidc")` to use IAM or OIDC based authorization for authenticated users.
+     * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
+     * @returns an authorization rule for authenticated users
+     */
+    authenticated(provider) {
+        validateProvider(provider, PrivateProviders);
+        return authData({
+            strategy: 'private',
+            provider,
+        }, {});
+    },
+    /**
+     * Authorize a specific user group. Provide the name of the specific user group to have access.
+     *
+     * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.group("group-name", "oidc")` to use OIDC based authentication to designate the user group.
+     *
+     * @param group the name of the group to authorize
+     * @param provider the authentication provider - supports "userPools" or "oidc"
+     * @returns an authorization rule to grant access by a specific group
+     */
+    group(group, provider) {
+        return authData({
+            strategy: 'groups',
+            provider,
+            groups: [group],
+        }, {});
+    },
+    /**
+     * Authorize multiple specific user groups. Provide the names of the specific user groups to have access.
+     *
+     * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally
+     * use `.groups(["group-a", "group-b"], "oidc")` to use OIDC based authentication to designate the user group.
+     *
+     * @param groups the names of the group to authorize defined as an array
+     * @param provider the authentication provider - supports "userPools" or "oidc"
+     * @returns an authorization rule to grant access by a specific group
+     */
+    groups(groups, provider) {
+        return authData({
+            strategy: 'groups',
+            provider,
+            groups,
+        }, {});
+    },
+    custom(provider) {
+        return authData({
+            strategy: 'custom',
+            provider,
+        }, {});
+    },
+};
+function resourceTo(operations) {
+    this[__data].operations = operations;
+    return omit(this, 'to');
+}
+function resourceAuthData(resource, builderMethods) {
+    return {
+        [__data]: {
+            strategy: 'resource',
+            resource,
+        },
+        ...builderMethods,
+    };
+}
+const accessData = (authorization) => authorization[__data];
+// TODO: delete when we make resource auth available at each level in the schema (model, field)
+const accessSchemaData = (authorization) => authorization[__data];
+
+export { CustomProviders, GroupProviders, Operations, OwnerProviders, PrivateProviders, Providers, PublicProviders, ResourceOperations, Strategies, accessData, accessSchemaData, allow, allowForCustomOperations };
+//# sourceMappingURL=Authorization.mjs.map

package/dist/esm/Authorization.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"Authorization.mjs","sources":["../../src/Authorization.ts"],"sourcesContent":["const __data = Symbol('data');\n/**\n * All possible providers.\n *\n * This list should not be used if you need to restrict available providers\n * according to an auth strategcy. E.g., `public` auth can only be facilitated\n * by `apiKey` and `iam` providers.\n */\nexport const Providers = [\n    'apiKey',\n    'iam',\n    'userPools',\n    'oidc',\n    'function',\n];\n/**\n * The subset of auth providers that can facilitate `public` auth.\n */\nexport const PublicProviders = ['apiKey', 'iam'];\n/**\n * The subset of auth providers that can facilitate `private` auth.\n */\nexport const PrivateProviders = ['userPools', 'oidc', 'iam'];\n/**\n * The subset of auth providers that can facilitate `owner` auth.\n */\nexport const OwnerProviders = ['userPools', 'oidc'];\n/**\n * The subset of auth providers that can facilitate `group` auth.\n */\nexport const GroupProviders = ['userPools', 'oidc'];\n/**\n * The subset of auth providers that can facilitate `custom` auth.\n */\nexport const CustomProviders = ['function'];\nexport const Strategies = [\n    'public',\n    'private',\n    'owner',\n    'groups',\n    'custom',\n];\n/**\n * The operations that can be performed against an API.\n */\nexport const Operations = [\n    'create',\n    'update',\n    'delete',\n    'read',\n    'get',\n    'list',\n    'sync',\n    'listen',\n    'search',\n];\n/**\n * The operations that can be performed against an API by a Lambda function.\n */\nexport const ResourceOperations = ['query', 'mutate', 'listen'];\n/**\n * Creates a shallow copy of an object with an individual field pruned away.\n *\n * @param original The original object to prune.\n * @param without The field to prune.\n * @returns The pruned object.\n */\nfunction omit(original, without) {\n    const pruned = { ...original };\n    delete pruned[without];\n    return pruned;\n}\nfunction to(operations) {\n    this[__data].operations = operations;\n    return omit(this, 'to');\n}\n/**\n * Specifies a property of the identity JWT to use in place of `sub::username`\n * as the value to match against the owner field for authorization.\n *\n * @param this Authorization object to operate against.\n * @param property A property of identity JWT.\n * @returns A copy of the Authorization object with the claim attached.\n */\nfunction identityClaim(property) {\n    this[__data].identityClaim = property;\n    return omit(this, 'identityClaim');\n}\nfunction withClaimIn(property) {\n    this[__data].groupClaim = property;\n    return omit(this, 'withClaimIn');\n}\nfunction validateProvider(needle, haystack) {\n    if (needle && !haystack.includes(needle)) {\n        throw new Error(`Invalid provider (${needle}) given!`);\n    }\n}\nfunction authData(defaults, builderMethods) {\n    return {\n        [__data]: {\n            strategy: 'public',\n            provider: undefined,\n            operations: undefined,\n            groupOrOwnerField: undefined,\n            multiOwner: false,\n            identityClaim: undefined,\n            groups: undefined,\n            ...defaults,\n        },\n        ...builderMethods,\n    };\n}\n/**\n * Defines an authorization rule for your data models and fields. First choose an authorization strategy (`public`,\n * `private`, `owner`, `group`, or `custom`), then choose an auth provider (`apiKey`, `iam`, `userPools`, `oidc`, or `function`)\n * and optionally use `.to(...)` to specify the operations that can be performed against your data models and fields.\n */\nexport const allow = {\n    /**\n     * Authorize unauthenticated users by using API key based authorization.\n     * @returns an authorization rule for unauthenticated users\n     */\n    publicApiKey() {\n        return authData({\n            strategy: 'public',\n            provider: 'apiKey',\n        }, {\n            to,\n        });\n    },\n    /**\n     * Authorize unauthenticated users by using IAM based authorization.\n     * @returns an authorization rule for unauthenticated users\n     */\n    guest() {\n        return authData({\n            strategy: 'public',\n            provider: 'iam',\n        }, {\n            to,\n        });\n    },\n    /**\n     * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.authenticated(\"iam\")` or `.authenticated(\"oidc\")` to use IAM or OIDC based authorization for authenticated users.\n     * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n     * @returns an authorization rule for authenticated users\n     */\n    authenticated(provider) {\n        validateProvider(provider, PrivateProviders);\n        return authData({\n            strategy: 'private',\n            provider,\n        }, {\n            to,\n        });\n    },\n    /**\n     * Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new `owner: a.string()`\n     * field will be added to the model to store which user \"owns\" the item. Upon item creation, the \"owner field\" is\n     * auto-populated with the authenticated user's information. If you want to specify which field should be used as\n     * the owner field, you can use the `ownerDefinedIn` builder function instead.\n     *\n     * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.owner(\"oidc\")` to use OIDC based authentication to designate the owner.\n     *\n     * To change the specific claim that should be used as the user identifier within the owner field, chain the\n     * `.identityClaim(...)` method.\n     *\n     * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n     * @returns an authorization rule for authenticated users\n     */\n    owner(provider) {\n        validateProvider(provider, OwnerProviders);\n        return authData({\n            strategy: 'owner',\n            provider,\n            groupOrOwnerField: 'owner',\n        }, {\n            to,\n            identityClaim,\n        });\n    },\n    /**\n     * Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field.\n     *\n     * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.ownerDefinedIn(\"owner\", \"oidc\")` to use OIDC based authentication to designate the owner.\n     *\n     * To change the specific claim that should be used as the user identifier within the owner field, chain the\n     * `.identityClaim(...)` method.\n     *\n     * @param ownerField the field that contains the owner information\n     * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n     * @returns an authorization rule for authenticated users\n     */\n    ownerDefinedIn(ownerField, provider) {\n        validateProvider(provider, OwnerProviders);\n        return authData({\n            strategy: 'owner',\n            provider,\n            groupOrOwnerField: ownerField,\n        }, {\n            to,\n            identityClaim,\n        });\n    },\n    /**\n     * Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new `owners: a.string().array()`\n     * field will be added to the model to store which users \"own\" the item. Upon item creation, the \"owners field\" is\n     * auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the `owners` array.\n     *\n     * You can specify which field should be used as the owners field by passing the `ownersField` parameter.\n     *\n     * By default, `.ownersDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.ownersDefinedIn(\"owners\", \"oidc\")` to use OIDC based authentication to designate the owner.\n     *\n     * To change the specific claim that should be used as the user identifier within the owners field, chain the\n     * `.identityClaim(...)` method.\n     *\n     * @param ownersField the field that contains the owners information\n     * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n     * @returns an authorization rule for authenticated users\n     */\n    ownersDefinedIn(ownersField, provider) {\n        validateProvider(provider, OwnerProviders);\n        return authData({\n            strategy: 'owner',\n            provider,\n            groupOrOwnerField: ownersField,\n            multiOwner: true,\n        }, {\n            to,\n            identityClaim,\n        });\n    },\n    /**\n     * Authorize a specific user group. Provide the name of the specific user group to have access.\n     *\n     * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.group(\"group-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n     *\n     * To change the specific claim that should be used as the user group identifier, chain the\n     * `.withClaimIn(...)` method.\n     * @param group the name of the group to authorize\n     * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n     * @returns an authorization rule to grant access by a specific group\n     */\n    group(group, provider) {\n        return authData({\n            strategy: 'groups',\n            provider,\n            groups: [group],\n        }, {\n            to,\n            withClaimIn,\n        });\n    },\n    /**\n     * Authorize multiple specific user groups. Provide the names of the specific user groups to have access.\n     *\n     * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.groups([\"group-a\", \"group-b\"], \"oidc\")` to use OIDC based authentication to designate the user group.\n     *\n     * To change the specific claim that should be used as the user group identifier, chain the\n     * `.withClaimIn(...)` method.\n     * @param groups the names of the group to authorize defined as an array\n     * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n     * @returns an authorization rule to grant access by a specific group\n     */\n    groups(groups, provider) {\n        return authData({\n            strategy: 'groups',\n            provider,\n            groups,\n        }, {\n            to,\n            withClaimIn,\n        });\n    },\n    /**\n     * Authorize if a user is part of a group defined in a data model field.\n     *\n     * By default, `.groupDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.groupDefinedIn(\"field-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n     *\n     * To change the specific claim that should be used as the user group identifier within the groups field, chain the\n     * `.withClaimIn(...)` method.\n     * @param groupsField the field that should store the authorized user group information\n     * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n     * @returns an authorization rule to grant access by a specific group\n     */\n    groupDefinedIn(groupsField, provider) {\n        return authData({\n            strategy: 'groups',\n            provider,\n            groupOrOwnerField: groupsField,\n        }, {\n            to,\n            withClaimIn,\n        });\n    },\n    /**\n     * Authorize if a user is part of a one of the groups defined in a data model field.\n     *\n     * By default, `.groupsDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.groupsDefinedIn(\"field-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n     *\n     * To change the specific claim that should be used as the user group identifier within the groups field, chain the\n     * `.withClaimIn(...)` method.\n     * @param groupsField the field that should store the list of authorized user groups\n     * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n     * @returns an authorization rule to grant access by a specific group\n     */\n    groupsDefinedIn(groupsField, provider) {\n        return authData({\n            strategy: 'groups',\n            provider,\n            groupOrOwnerField: groupsField,\n            multiOwner: true,\n        }, {\n            to,\n            withClaimIn,\n        });\n    },\n    custom(provider) {\n        return authData({\n            strategy: 'custom',\n            provider,\n        }, {\n            to,\n        });\n    },\n    resource(fn) {\n        return resourceAuthData(fn, {\n            to: resourceTo,\n        });\n    },\n};\n/**\n * This is a copy of the {@link allow} defined above, with modifications for custom operations.\n *\n * Removed builder methods:\n *\n * * `owner`\n * * `ownerDefinedIn`\n * * `ownersDefinedIn`\n * * `groupDefinedIn`\n * * `groupsDefinedIn`\n * * `resource`\n * * `.to()` builder method from each available rule builder\n */\nexport const allowForCustomOperations = {\n    /**\n     * Authorize unauthenticated users by using API key based authorization.\n     * @returns an authorization rule for unauthenticated users\n     */\n    publicApiKey() {\n        return authData({\n            strategy: 'public',\n            provider: 'apiKey',\n        }, {});\n    },\n    /**\n     * Authorize unauthenticated users by using IAM based authorization.\n     * @returns an authorization rule for unauthenticated users\n     */\n    guest() {\n        return authData({\n            strategy: 'public',\n            provider: 'iam',\n        }, {});\n    },\n    /**\n     * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.authenticated(\"iam\")` or `.authenticated(\"oidc\")` to use IAM or OIDC based authorization for authenticated users.\n     * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n     * @returns an authorization rule for authenticated users\n     */\n    authenticated(provider) {\n        validateProvider(provider, PrivateProviders);\n        return authData({\n            strategy: 'private',\n            provider,\n        }, {});\n    },\n    /**\n     * Authorize a specific user group. Provide the name of the specific user group to have access.\n     *\n     * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.group(\"group-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n     *\n     * @param group the name of the group to authorize\n     * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n     * @returns an authorization rule to grant access by a specific group\n     */\n    group(group, provider) {\n        return authData({\n            strategy: 'groups',\n            provider,\n            groups: [group],\n        }, {});\n    },\n    /**\n     * Authorize multiple specific user groups. Provide the names of the specific user groups to have access.\n     *\n     * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally\n     * use `.groups([\"group-a\", \"group-b\"], \"oidc\")` to use OIDC based authentication to designate the user group.\n     *\n     * @param groups the names of the group to authorize defined as an array\n     * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n     * @returns an authorization rule to grant access by a specific group\n     */\n    groups(groups, provider) {\n        return authData({\n            strategy: 'groups',\n            provider,\n            groups,\n        }, {});\n    },\n    custom(provider) {\n        return authData({\n            strategy: 'custom',\n            provider,\n        }, {});\n    },\n};\nfunction resourceTo(operations) {\n    this[__data].operations = operations;\n    return omit(this, 'to');\n}\nfunction resourceAuthData(resource, builderMethods) {\n    return {\n        [__data]: {\n            strategy: 'resource',\n            resource,\n        },\n        ...builderMethods,\n    };\n}\nexport const accessData = (authorization) => authorization[__data];\n// TODO: delete when we make resource auth available at each level in the schema (model, field)\nexport const accessSchemaData = (authorization) => authorization[__data];\n"],"names":[],"mappings":"AAAA,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AAC9B;AACA;AACA;AACA;AACA;AACA;AACA;AACY,MAAC,SAAS,GAAG;AACzB,IAAI,QAAQ;AACZ,IAAI,KAAK;AACT,IAAI,WAAW;AACf,IAAI,MAAM;AACV,IAAI,UAAU;AACd,EAAE;AACF;AACA;AACA;AACY,MAAC,eAAe,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE;AACjD;AACA;AACA;AACY,MAAC,gBAAgB,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE;AAC7D;AACA;AACA;AACY,MAAC,cAAc,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE;AACpD;AACA;AACA;AACY,MAAC,cAAc,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE;AACpD;AACA;AACA;AACY,MAAC,eAAe,GAAG,CAAC,UAAU,EAAE;AAChC,MAAC,UAAU,GAAG;AAC1B,IAAI,QAAQ;AACZ,IAAI,SAAS;AACb,IAAI,OAAO;AACX,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,EAAE;AACF;AACA;AACA;AACY,MAAC,UAAU,GAAG;AAC1B,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,IAAI,MAAM;AACV,IAAI,KAAK;AACT,IAAI,MAAM;AACV,IAAI,MAAM;AACV,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,EAAE;AACF;AACA;AACA;AACY,MAAC,kBAAkB,GAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE;AAChE;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE;AACjC,IAAI,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;AACnC,IAAI,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;AAC3B,IAAI,OAAO,MAAM,CAAC;AAClB,CAAC;AACD,SAAS,EAAE,CAAC,UAAU,EAAE;AACxB,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC;AACzC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5B,CAAC;AACD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,aAAa,CAAC,QAAQ,EAAE;AACjC,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,aAAa,GAAG,QAAQ,CAAC;AAC1C,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACvC,CAAC;AACD,SAAS,WAAW,CAAC,QAAQ,EAAE;AAC/B,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC;AACvC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;AACrC,CAAC;AACD,SAAS,gBAAgB,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC5C,IAAI,IAAI,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;AAC9C,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,kBAAkB,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC/D,KAAK;AACL,CAAC;AACD,SAAS,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE;AAC5C,IAAI,OAAO;AACX,QAAQ,CAAC,MAAM,GAAG;AAClB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,UAAU,EAAE,SAAS;AACjC,YAAY,iBAAiB,EAAE,SAAS;AACxC,YAAY,UAAU,EAAE,KAAK;AAC7B,YAAY,aAAa,EAAE,SAAS;AACpC,YAAY,MAAM,EAAE,SAAS;AAC7B,YAAY,GAAG,QAAQ;AACvB,SAAS;AACT,QAAQ,GAAG,cAAc;AACzB,KAAK,CAAC;AACN,CAAC;AACD;AACA;AACA;AACA;AACA;AACY,MAAC,KAAK,GAAG;AACrB;AACA;AACA;AACA;AACA,IAAI,YAAY,GAAG;AACnB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,QAAQ;AAC9B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA,IAAI,KAAK,GAAG;AACZ,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,KAAK;AAC3B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,aAAa,CAAC,QAAQ,EAAE;AAC5B,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;AACrD,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,QAAQ;AACpB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,QAAQ,EAAE;AACpB,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;AACnD,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,OAAO;AACtC,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,CAAC,UAAU,EAAE,QAAQ,EAAE;AACzC,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;AACnD,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,UAAU;AACzC,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC3C,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;AACnD,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,YAAY,UAAU,EAAE,IAAI;AAC5B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE;AAC3B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM,EAAE,CAAC,KAAK,CAAC;AAC3B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC7B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM;AAClB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC1C,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC3C,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,YAAY,UAAU,EAAE,IAAI;AAC5B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL,IAAI,MAAM,CAAC,QAAQ,EAAE;AACrB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL,IAAI,QAAQ,CAAC,EAAE,EAAE;AACjB,QAAQ,OAAO,gBAAgB,CAAC,EAAE,EAAE;AACpC,YAAY,EAAE,EAAE,UAAU;AAC1B,SAAS,CAAC,CAAC;AACX,KAAK;AACL,EAAE;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACY,MAAC,wBAAwB,GAAG;AACxC;AACA;AACA;AACA;AACA,IAAI,YAAY,GAAG;AACnB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,QAAQ;AAC9B,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA,IAAI,KAAK,GAAG;AACZ,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,KAAK;AAC3B,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,aAAa,CAAC,QAAQ,EAAE;AAC5B,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;AACrD,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,QAAQ;AACpB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE;AAC3B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM,EAAE,CAAC,KAAK,CAAC;AAC3B,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC7B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM;AAClB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL,IAAI,MAAM,CAAC,QAAQ,EAAE;AACrB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL,EAAE;AACF,SAAS,UAAU,CAAC,UAAU,EAAE;AAChC,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC;AACzC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5B,CAAC;AACD,SAAS,gBAAgB,CAAC,QAAQ,EAAE,cAAc,EAAE;AACpD,IAAI,OAAO;AACX,QAAQ,CAAC,MAAM,GAAG;AAClB,YAAY,QAAQ,EAAE,UAAU;AAChC,YAAY,QAAQ;AACpB,SAAS;AACT,QAAQ,GAAG,cAAc;AACzB,KAAK,CAAC;AACN,CAAC;AACW,MAAC,UAAU,GAAG,CAAC,aAAa,KAAK,aAAa,CAAC,MAAM,EAAE;AACnE;AACY,MAAC,gBAAgB,GAAG,CAAC,aAAa,KAAK,aAAa,CAAC,MAAM;;;;"}

package/{lib-esm/src → dist/esm}/ClientSchema.d.ts

@@ -1,4 +1,4 @@
-import type { __modelMeta__ } from '@aws-amplify/data-schema-types';
+import type { __modelMeta__ } from './runtime/client';
 import type { GenericModelSchema, RDSModelSchema } from './ModelSchema';
 import type { ResolveSchema, SchemaTypes } from './MappedTypes/ResolveSchema';
 import type { ResolveFieldProperties, ResolveStaticFieldProperties } from './MappedTypes/ResolveFieldProperties';
@@ -45,4 +45,3 @@ type InternalCombinedSchema<Combined extends CombinedModelSchema<any>, ClientSch
     }>;
 };
 export {};
-//# sourceMappingURL=ClientSchema.d.ts.map

package/dist/esm/ClientSchema.mjs

@@ -0,0 +1,2 @@
+
+//# sourceMappingURL=ClientSchema.mjs.map

package/dist/esm/ClientSchema.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"ClientSchema.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":""}

package/{lib-esm/src → dist/esm}/CombineSchema.d.ts

@@ -16,4 +16,3 @@ export type CombinedModelSchema<Schemas extends GenericModelSchema<any>[]> = Com
  */
 export declare function combine<Schema extends GenericModelSchema<any>[]>(schemas: [...Schema]): CombinedModelSchema<Schema>;
 export {};
-//# sourceMappingURL=CombineSchema.d.ts.map

package/dist/esm/CombineSchema.mjs

@@ -0,0 +1,39 @@
+import { brand } from './util/Brand.mjs';
+
+const CombinedSchemaBrandName = 'CombinedSchema';
+const combinedSchemaBrand = brand(CombinedSchemaBrandName);
+/**
+ * The interface for merging up to 50 schemas into a single API.
+ * @param schemas The schemas to combine into a single API
+ * @returns An API and data model definition to be deployed with Amplify (Gen 2) experience (`processSchema(...)`)
+ * or with the Amplify Data CDK construct (`@aws-amplify/data-construct`)
+ */
+function combine(schemas) {
+    return internalCombine(schemas);
+}
+function internalCombine(schemas) {
+    validateDuplicateTypeNames(schemas);
+    return {
+        ...combinedSchemaBrand,
+        schemas: schemas,
+    };
+}
+function validateDuplicateTypeNames(schemas) {
+    const allSchemaKeys = schemas.flatMap((s) => Object.keys(s.data.types));
+    const keySet = new Set();
+    const duplicateKeySet = new Set();
+    allSchemaKeys.forEach((key) => {
+        if (keySet.has(key)) {
+            duplicateKeySet.add(key);
+        }
+        else {
+            keySet.add(key);
+        }
+    });
+    if (duplicateKeySet.size > 0) {
+        throw new Error(`The schemas you are attempting to combine have a name collision. Please remove or rename ${Array.from(duplicateKeySet).join(', ')}.`);
+    }
+}
+
+export { combine, combinedSchemaBrand };
+//# sourceMappingURL=CombineSchema.mjs.map

package/dist/esm/CombineSchema.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"CombineSchema.mjs","sources":["../../src/CombineSchema.ts"],"sourcesContent":["import { brand } from './util';\nconst COMBINED_SCHEMA_LIMIT = 50;\nconst CombinedSchemaBrandName = 'CombinedSchema';\nexport const combinedSchemaBrand = brand(CombinedSchemaBrandName);\n/**\n * The interface for merging up to 50 schemas into a single API.\n * @param schemas The schemas to combine into a single API\n * @returns An API and data model definition to be deployed with Amplify (Gen 2) experience (`processSchema(...)`)\n * or with the Amplify Data CDK construct (`@aws-amplify/data-construct`)\n */\nexport function combine(schemas) {\n    return internalCombine(schemas);\n}\nfunction internalCombine(schemas) {\n    validateDuplicateTypeNames(schemas);\n    return {\n        ...combinedSchemaBrand,\n        schemas: schemas,\n    };\n}\nfunction validateDuplicateTypeNames(schemas) {\n    const allSchemaKeys = schemas.flatMap((s) => Object.keys(s.data.types));\n    const keySet = new Set();\n    const duplicateKeySet = new Set();\n    allSchemaKeys.forEach((key) => {\n        if (keySet.has(key)) {\n            duplicateKeySet.add(key);\n        }\n        else {\n            keySet.add(key);\n        }\n    });\n    if (duplicateKeySet.size > 0) {\n        throw new Error(`The schemas you are attempting to combine have a name collision. Please remove or rename ${Array.from(duplicateKeySet).join(', ')}.`);\n    }\n}\n"],"names":[],"mappings":";;AAEA,MAAM,uBAAuB,GAAG,gBAAgB,CAAC;AACrC,MAAC,mBAAmB,GAAG,KAAK,CAAC,uBAAuB,EAAE;AAClE;AACA;AACA;AACA;AACA;AACA;AACO,SAAS,OAAO,CAAC,OAAO,EAAE;AACjC,IAAI,OAAO,eAAe,CAAC,OAAO,CAAC,CAAC;AACpC,CAAC;AACD,SAAS,eAAe,CAAC,OAAO,EAAE;AAClC,IAAI,0BAA0B,CAAC,OAAO,CAAC,CAAC;AACxC,IAAI,OAAO;AACX,QAAQ,GAAG,mBAAmB;AAC9B,QAAQ,OAAO,EAAE,OAAO;AACxB,KAAK,CAAC;AACN,CAAC;AACD,SAAS,0BAA0B,CAAC,OAAO,EAAE;AAC7C,IAAI,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAC5E,IAAI,MAAM,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;AAC7B,IAAI,MAAM,eAAe,GAAG,IAAI,GAAG,EAAE,CAAC;AACtC,IAAI,aAAa,CAAC,OAAO,CAAC,CAAC,GAAG,KAAK;AACnC,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;AAC7B,YAAY,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AACrC,SAAS;AACT,aAAa;AACb,YAAY,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAC5B,SAAS;AACT,KAAK,CAAC,CAAC;AACP,IAAI,IAAI,eAAe,CAAC,IAAI,GAAG,CAAC,EAAE;AAClC,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,yFAAyF,EAAE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC/J,KAAK;AACL;;;;"}

package/{lib-esm/src → dist/esm}/CustomOperation.d.ts

@@ -1,7 +1,7 @@
 import { SetTypeSubArg } from '@aws-amplify/data-schema-types';
 import { Brand } from './util';
 import { ModelField, InternalField } from './ModelField';
-import { Authorization } from './Authorization';
+import { AllowModifierForCustomOperation, Authorization } from './Authorization';
 import { RefType, InternalRef } from './RefType';
 import { EnumType, EnumTypeParamShape } from './EnumType';
 import { CustomType } from './CustomType';
@@ -56,7 +56,7 @@ export type CustomOperation<T extends CustomOperationParamShape, K extends keyof
      * Use `.handler(a.handler.function())` instead
      */
     function<FunctionRef extends CustomFunctionRefType>(functionRefOrName: FunctionRef): CustomOperation<SetTypeSubArg<T, 'functionRef', FunctionRef>, K | 'function', B>;
-    authorization<AuthRuleType extends Authorization<any, any, any>>(rules: AuthRuleType[]): CustomOperation<SetTypeSubArg<T, 'authorization', AuthRuleType[]>, K | 'authorization', B>;
+    authorization<AuthRuleType extends Authorization<any, any, any>>(callback: (allow: AllowModifierForCustomOperation) => AuthRuleType | AuthRuleType[]): CustomOperation<SetTypeSubArg<T, 'authorization', AuthRuleType[]>, K | 'authorization', B>;
     handler<H extends HandlerInputType>(handlers: H): CustomOperation<T, K | 'handler', B>;
     for<Source extends SubscriptionSource>(source: Source | Source[]): CustomOperation<T['typeName'] extends 'Subscription' ? SetTypeSubArg<T, 'returnType', Source extends SubscriptionSource[] ? Source[number] : Source> : T, K | 'for', B>;
 }, K> & Brand<B>;
@@ -95,4 +95,3 @@ export declare function subscription(): CustomOperation<{
     handlers: null;
 }, 'returns', typeof subscriptionBrand>;
 export {};
-//# sourceMappingURL=CustomOperation.d.ts.map

package/dist/esm/CustomOperation.mjs

@@ -0,0 +1,67 @@
+import { brand } from './util/Brand.mjs';
+import { allowForCustomOperations } from './Authorization.mjs';
+
+const queryBrand = 'queryCustomOperation';
+const mutationBrand = 'mutationCustomOperation';
+const subscriptionBrand = 'subscriptionCustomOperation';
+const CustomOperationNames = [
+    'Query',
+    'Mutation',
+    'Subscription',
+];
+function brandedBuilder(builder, brandValue) {
+    return { ...builder, ...brand(brandValue) };
+}
+function _custom(typeName, brand) {
+    const data = {
+        arguments: {},
+        returnType: null,
+        functionRef: null,
+        authorization: [],
+        typeName: typeName,
+        handlers: null,
+        subscriptionSource: [],
+    };
+    const builder = brandedBuilder({
+        arguments(args) {
+            data.arguments = args;
+            return this;
+        },
+        returns(returnType) {
+            data.returnType = returnType;
+            return this;
+        },
+        function(functionRefOrName) {
+            data.functionRef = functionRefOrName;
+            return this;
+        },
+        authorization(callback) {
+            const rules = callback(allowForCustomOperations);
+            data.authorization = Array.isArray(rules) ? rules : [rules];
+            return this;
+        },
+        handler(handlers) {
+            data.handlers = Array.isArray(handlers)
+                ? handlers
+                : [handlers];
+            return this;
+        },
+        for(source) {
+            data.subscriptionSource = Array.isArray(source) ? source : [source];
+            return this;
+        },
+    }, brand);
+    return { ...builder, data };
+}
+function query() {
+    return _custom('Query', queryBrand);
+}
+function mutation() {
+    return _custom('Mutation', mutationBrand);
+}
+function subscription() {
+    return _custom('Subscription', subscriptionBrand);
+}
+
+export { CustomOperationNames, mutation, query, subscription };
+//# sourceMappingURL=CustomOperation.mjs.map