@aws-amplify/data-schema 0.18.0 → 0.18.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. package/dist/cjs/Authorization.js +17 -17
  2. package/dist/cjs/Authorization.js.map +1 -1
  3. package/dist/cjs/SchemaProcessor.js +6 -1
  4. package/dist/cjs/SchemaProcessor.js.map +1 -1
  5. package/dist/esm/Authorization.d.ts +16 -16
  6. package/dist/esm/Authorization.mjs +17 -17
  7. package/dist/esm/Authorization.mjs.map +1 -1
  8. package/dist/esm/CustomOperation.d.ts +2 -2
  9. package/dist/esm/SchemaProcessor.mjs +6 -1
  10. package/dist/esm/SchemaProcessor.mjs.map +1 -1
  11. package/dist/esm/runtime/bridge-types.d.ts +1 -1
  12. package/dist/esm/runtime/client/index.d.ts +1 -1
  13. package/dist/meta/cjs.tsbuildinfo +1 -1
  14. package/package.json +1 -1
  15. package/src/Authorization.ts +17 -17
  16. package/src/CustomOperation.ts +2 -2
  17. package/src/SchemaProcessor.ts +9 -1
  18. package/src/runtime/bridge-types.ts +1 -0
  19. package/src/runtime/client/index.ts +1 -0
package/dist/cjs/Authorization.js CHANGED
@@ -8,11 +8,11 @@ const __data = Symbol('data');
8
8
  *
9
9
  * This list should not be used if you need to restrict available providers
10
10
  * according to an auth strategcy. E.g., `public` auth can only be facilitated
11
- * by `apiKey` and `iam` providers.
11
+ * by `apiKey` and `identityPool` providers.
12
12
  */
13
13
  exports.Providers = [
14
14
  'apiKey',
15
- 'iam',
15
+ 'identityPool',
16
16
  'userPools',
17
17
  'oidc',
18
18
  'function',
@@ -20,11 +20,11 @@ exports.Providers = [
20
20
  /**
21
21
  * The subset of auth providers that can facilitate `public` auth.
22
22
  */
23
- exports.PublicProviders = ['apiKey', 'iam'];
23
+ exports.PublicProviders = ['apiKey', 'identityPool'];
24
24
  /**
25
25
  * The subset of auth providers that can facilitate `private` auth.
26
26
  */
27
- exports.PrivateProviders = ['userPools', 'oidc', 'iam'];
27
+ exports.PrivateProviders = ['userPools', 'oidc', 'identityPool'];
28
28
  /**
29
29
  * The subset of auth providers that can facilitate `owner` auth.
30
30
  */
@@ -116,7 +116,7 @@ function authData(defaults, builderMethods) {
116
116
  }
117
117
  /**
118
118
  * Defines an authorization rule for your data models and fields. First choose an authorization strategy (`public`,
119
- * `private`, `owner`, `group`, or `custom`), then choose an auth provider (`apiKey`, `iam`, `userPools`, `oidc`, or `function`)
119
+ * `private`, `owner`, `group`, or `custom`), then choose an auth provider (`apiKey`, `identitypool`, `userPools`, `oidc`, or `function`)
120
120
  * and optionally use `.to(...)` to specify the operations that can be performed against your data models and fields.
121
121
  */
122
122
  exports.allow = {
@@ -133,21 +133,21 @@ exports.allow = {
133
133
  });
134
134
  },
135
135
  /**
136
- * Authorize unauthenticated users by using IAM based authorization.
136
+ * Authorize unauthenticated users by using IDENTITYPOOL based authorization.
137
137
  * @returns an authorization rule for unauthenticated users
138
138
  */
139
139
  guest() {
140
140
  return authData({
141
141
  strategy: 'public',
142
- provider: 'iam',
142
+ provider: 'identityPool',
143
143
  }, {
144
144
  to,
145
145
  });
146
146
  },
147
147
  /**
148
- * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally
149
- * use `.authenticated("iam")` or `.authenticated("oidc")` to use IAM or OIDC based authorization for authenticated users.
150
- * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
148
+ * Authorize authenticated users. By default, `.authenticated()` uses an Amazon Cognito user pool based authorization. You can additionally
149
+ * use `.authenticated("identityPool")` or `.authenticated("oidc")` to use identityPool or OIDC based authorization for authenticated users.
150
+ * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc"
151
151
  * @returns an authorization rule for authenticated users
152
152
  */
153
153
  authenticated(provider) {
@@ -171,7 +171,7 @@ exports.allow = {
171
171
  * To change the specific claim that should be used as the user identifier within the owner field, chain the
172
172
  * `.identityClaim(...)` method.
173
173
  *
174
- * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
174
+ * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc"
175
175
  * @returns an authorization rule for authenticated users
176
176
  */
177
177
  owner(provider) {
@@ -195,7 +195,7 @@ exports.allow = {
195
195
  * `.identityClaim(...)` method.
196
196
  *
197
197
  * @param ownerField the field that contains the owner information
198
- * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
198
+ * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc"
199
199
  * @returns an authorization rule for authenticated users
200
200
  */
201
201
  ownerDefinedIn(ownerField, provider) {
@@ -223,7 +223,7 @@ exports.allow = {
223
223
  * `.identityClaim(...)` method.
224
224
  *
225
225
  * @param ownersField the field that contains the owners information
226
- * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
226
+ * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc"
227
227
  * @returns an authorization rule for authenticated users
228
228
  */
229
229
  ownersDefinedIn(ownersField, provider) {
@@ -366,19 +366,19 @@ exports.allowForCustomOperations = {
366
366
  }, {});
367
367
  },
368
368
  /**
369
- * Authorize unauthenticated users by using IAM based authorization.
369
+ * Authorize unauthenticated users by using identityPool based authorization.
370
370
  * @returns an authorization rule for unauthenticated users
371
371
  */
372
372
  guest() {
373
373
  return authData({
374
374
  strategy: 'public',
375
- provider: 'iam',
375
+ provider: 'identityPool',
376
376
  }, {});
377
377
  },
378
378
  /**
379
379
  * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally
380
- * use `.authenticated("iam")` or `.authenticated("oidc")` to use IAM or OIDC based authorization for authenticated users.
381
- * @param provider the authentication provider - supports "userPools", "iam", or "oidc"
380
+ * use `.authenticated("identityPool")` or `.authenticated("oidc")` to use Identity Pool or OIDC based authorization for authenticated users.
381
+ * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc"
382
382
  * @returns an authorization rule for authenticated users
383
383
  */
384
384
  authenticated(provider) {
package/dist/cjs/Authorization.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"Authorization.js","sources":["../../src/Authorization.ts"],"sourcesContent":["\"use strict\";\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.accessSchemaData = exports.accessData = exports.allowForCustomOperations = exports.allow = exports.ResourceOperations = exports.Operations = exports.Strategies = exports.CustomProviders = exports.GroupProviders = exports.OwnerProviders = exports.PrivateProviders = exports.PublicProviders = exports.Providers = void 0;\nconst __data = Symbol('data');\n/**\n * All possible providers.\n *\n * This list should not be used if you need to restrict available providers\n * according to an auth strategcy. E.g., `public` auth can only be facilitated\n * by `apiKey` and `iam` providers.\n */\nexports.Providers = [\n 'apiKey',\n 'iam',\n 'userPools',\n 'oidc',\n 'function',\n];\n/**\n * The subset of auth providers that can facilitate `public` auth.\n */\nexports.PublicProviders = ['apiKey', 'iam'];\n/**\n * The subset of auth providers that can facilitate `private` auth.\n */\nexports.PrivateProviders = ['userPools', 'oidc', 'iam'];\n/**\n * The subset of auth providers that can facilitate `owner` auth.\n */\nexports.OwnerProviders = ['userPools', 'oidc'];\n/**\n * The subset of auth providers that can facilitate `group` auth.\n */\nexports.GroupProviders = ['userPools', 'oidc'];\n/**\n * The subset of auth providers that can facilitate `custom` auth.\n */\nexports.CustomProviders = ['function'];\nexports.Strategies = [\n 'public',\n 'private',\n 'owner',\n 'groups',\n 'custom',\n];\n/**\n * The operations that can be performed against an API.\n */\nexports.Operations = [\n 'create',\n 'update',\n 'delete',\n 'read',\n 'get',\n 'list',\n 'sync',\n 'listen',\n 'search',\n];\n/**\n * The operations that can be performed against an API by a Lambda function.\n */\nexports.ResourceOperations = ['query', 'mutate', 'listen'];\n/**\n * Creates a shallow copy of an object with an individual field pruned away.\n *\n * @param original The original object to prune.\n * @param without The field to prune.\n * @returns The pruned object.\n */\nfunction omit(original, without) {\n const pruned = { ...original };\n delete pruned[without];\n return pruned;\n}\nfunction to(operations) {\n this[__data].operations = operations;\n return omit(this, 'to');\n}\n/**\n * Specifies a property of the identity JWT to use in place of `sub::username`\n * as the value to match against the owner field for authorization.\n *\n * @param this Authorization object to operate against.\n * @param property A property of identity JWT.\n * @returns A copy of the Authorization object with the claim attached.\n */\nfunction identityClaim(property) {\n this[__data].identityClaim = property;\n return omit(this, 'identityClaim');\n}\nfunction withClaimIn(property) {\n this[__data].groupClaim = property;\n return omit(this, 'withClaimIn');\n}\nfunction validateProvider(needle, haystack) {\n if (needle && !haystack.includes(needle)) {\n throw new Error(`Invalid provider (${needle}) given!`);\n }\n}\nfunction authData(defaults, builderMethods) {\n return {\n [__data]: {\n strategy: 'public',\n provider: undefined,\n operations: undefined,\n groupOrOwnerField: undefined,\n multiOwner: false,\n identityClaim: undefined,\n groups: undefined,\n ...defaults,\n },\n ...builderMethods,\n };\n}\n/**\n * Defines an authorization rule for your data models and fields. First choose an authorization strategy (`public`,\n * `private`, `owner`, `group`, or `custom`), then choose an auth provider (`apiKey`, `iam`, `userPools`, `oidc`, or `function`)\n * and optionally use `.to(...)` to specify the operations that can be performed against your data models and fields.\n */\nexports.allow = {\n /**\n * Authorize unauthenticated users by using API key based authorization.\n * @returns an authorization rule for unauthenticated users\n */\n publicApiKey() {\n return authData({\n strategy: 'public',\n provider: 'apiKey',\n }, {\n to,\n });\n },\n /**\n * Authorize unauthenticated users by using IAM based authorization.\n * @returns an authorization rule for unauthenticated users\n */\n guest() {\n return authData({\n strategy: 'public',\n provider: 'iam',\n }, {\n to,\n });\n },\n /**\n * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.authenticated(\"iam\")` or `.authenticated(\"oidc\")` to use IAM or OIDC based authorization for authenticated users.\n * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n authenticated(provider) {\n validateProvider(provider, exports.PrivateProviders);\n return authData({\n strategy: 'private',\n provider,\n }, {\n to,\n });\n },\n /**\n * Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new `owner: a.string()`\n * field will be added to the model to store which user \"owns\" the item. Upon item creation, the \"owner field\" is\n * auto-populated with the authenticated user's information. If you want to specify which field should be used as\n * the owner field, you can use the `ownerDefinedIn` builder function instead.\n *\n * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.owner(\"oidc\")` to use OIDC based authentication to designate the owner.\n *\n * To change the specific claim that should be used as the user identifier within the owner field, chain the\n * `.identityClaim(...)` method.\n *\n * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n owner(provider) {\n validateProvider(provider, exports.OwnerProviders);\n return authData({\n strategy: 'owner',\n provider,\n groupOrOwnerField: 'owner',\n }, {\n to,\n identityClaim,\n });\n },\n /**\n * Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field.\n *\n * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.ownerDefinedIn(\"owner\", \"oidc\")` to use OIDC based authentication to designate the owner.\n *\n * To change the specific claim that should be used as the user identifier within the owner field, chain the\n * `.identityClaim(...)` method.\n *\n * @param ownerField the field that contains the owner information\n * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n ownerDefinedIn(ownerField, provider) {\n validateProvider(provider, exports.OwnerProviders);\n return authData({\n strategy: 'owner',\n provider,\n groupOrOwnerField: ownerField,\n }, {\n to,\n identityClaim,\n });\n },\n /**\n * Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new `owners: a.string().array()`\n * field will be added to the model to store which users \"own\" the item. Upon item creation, the \"owners field\" is\n * auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the `owners` array.\n *\n * You can specify which field should be used as the owners field by passing the `ownersField` parameter.\n *\n * By default, `.ownersDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.ownersDefinedIn(\"owners\", \"oidc\")` to use OIDC based authentication to designate the owner.\n *\n * To change the specific claim that should be used as the user identifier within the owners field, chain the\n * `.identityClaim(...)` method.\n *\n * @param ownersField the field that contains the owners information\n * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n ownersDefinedIn(ownersField, provider) {\n validateProvider(provider, exports.OwnerProviders);\n return authData({\n strategy: 'owner',\n provider,\n groupOrOwnerField: ownersField,\n multiOwner: true,\n }, {\n to,\n identityClaim,\n });\n },\n /**\n * Authorize a specific user group. Provide the name of the specific user group to have access.\n *\n * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.group(\"group-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * To change the specific claim that should be used as the user group identifier, chain the\n * `.withClaimIn(...)` method.\n * @param group the name of the group to authorize\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n group(group, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groups: [group],\n }, {\n to,\n withClaimIn,\n });\n },\n /**\n * Authorize multiple specific user groups. Provide the names of the specific user groups to have access.\n *\n * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.groups([\"group-a\", \"group-b\"], \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * To change the specific claim that should be used as the user group identifier, chain the\n * `.withClaimIn(...)` method.\n * @param groups the names of the group to authorize defined as an array\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n groups(groups, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groups,\n }, {\n to,\n withClaimIn,\n });\n },\n /**\n * Authorize if a user is part of a group defined in a data model field.\n *\n * By default, `.groupDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.groupDefinedIn(\"field-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * To change the specific claim that should be used as the user group identifier within the groups field, chain the\n * `.withClaimIn(...)` method.\n * @param groupsField the field that should store the authorized user group information\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n groupDefinedIn(groupsField, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groupOrOwnerField: groupsField,\n }, {\n to,\n withClaimIn,\n });\n },\n /**\n * Authorize if a user is part of a one of the groups defined in a data model field.\n *\n * By default, `.groupsDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.groupsDefinedIn(\"field-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * To change the specific claim that should be used as the user group identifier within the groups field, chain the\n * `.withClaimIn(...)` method.\n * @param groupsField the field that should store the list of authorized user groups\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n groupsDefinedIn(groupsField, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groupOrOwnerField: groupsField,\n multiOwner: true,\n }, {\n to,\n withClaimIn,\n });\n },\n custom(provider) {\n return authData({\n strategy: 'custom',\n provider,\n }, {\n to,\n });\n },\n resource(fn) {\n return resourceAuthData(fn, {\n to: resourceTo,\n });\n },\n};\n/**\n * This is a copy of the {@link allow} defined above, with modifications for custom operations.\n *\n * Removed builder methods:\n *\n * * `owner`\n * * `ownerDefinedIn`\n * * `ownersDefinedIn`\n * * `groupDefinedIn`\n * * `groupsDefinedIn`\n * * `resource`\n * * `.to()` builder method from each available rule builder\n */\nexports.allowForCustomOperations = {\n /**\n * Authorize unauthenticated users by using API key based authorization.\n * @returns an authorization rule for unauthenticated users\n */\n publicApiKey() {\n return authData({\n strategy: 'public',\n provider: 'apiKey',\n }, {});\n },\n /**\n * Authorize unauthenticated users by using IAM based authorization.\n * @returns an authorization rule for unauthenticated users\n */\n guest() {\n return authData({\n strategy: 'public',\n provider: 'iam',\n }, {});\n },\n /**\n * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.authenticated(\"iam\")` or `.authenticated(\"oidc\")` to use IAM or OIDC based authorization for authenticated users.\n * @param provider the authentication provider - supports \"userPools\", \"iam\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n authenticated(provider) {\n validateProvider(provider, exports.PrivateProviders);\n return authData({\n strategy: 'private',\n provider,\n }, {});\n },\n /**\n * Authorize a specific user group. Provide the name of the specific user group to have access.\n *\n * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.group(\"group-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * @param group the name of the group to authorize\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n group(group, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groups: [group],\n }, {});\n },\n /**\n * Authorize multiple specific user groups. Provide the names of the specific user groups to have access.\n *\n * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.groups([\"group-a\", \"group-b\"], \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * @param groups the names of the group to authorize defined as an array\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n groups(groups, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groups,\n }, {});\n },\n custom(provider) {\n return authData({\n strategy: 'custom',\n provider,\n }, {});\n },\n};\nfunction resourceTo(operations) {\n this[__data].operations = operations;\n return omit(this, 'to');\n}\nfunction resourceAuthData(resource, builderMethods) {\n return {\n [__data]: {\n strategy: 'resource',\n resource,\n },\n ...builderMethods,\n };\n}\nconst accessData = (authorization) => authorization[__data];\nexports.accessData = accessData;\n// TODO: delete when we make resource auth available at each level in the schema (model, field)\nconst accessSchemaData = (authorization) => authorization[__data];\nexports.accessSchemaData = accessSchemaData;\n"],"names":[],"mappings":";;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,gBAAgB,GAAG,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,wBAAwB,GAAG,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,kBAAkB,GAAG,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,eAAe,GAAG,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,gBAAgB,GAAG,OAAO,CAAC,eAAe,GAAG,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC;AACtU,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AAC9B;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,CAAC,SAAS,GAAG;AACpB,IAAI,QAAQ;AACZ,IAAI,KAAK;AACT,IAAI,WAAW;AACf,IAAI,MAAM;AACV,IAAI,UAAU;AACd,CAAC,CAAC;AACF;AACA;AACA;AACA,OAAO,CAAC,eAAe,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC5C;AACA;AACA;AACA,OAAO,CAAC,gBAAgB,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AACxD;AACA;AACA;AACA,OAAO,CAAC,cAAc,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;AAC/C;AACA;AACA;AACA,OAAO,CAAC,cAAc,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;AAC/C;AACA;AACA;AACA,OAAO,CAAC,eAAe,GAAG,CAAC,UAAU,CAAC,CAAC;AACvC,OAAO,CAAC,UAAU,GAAG;AACrB,IAAI,QAAQ;AACZ,IAAI,SAAS;AACb,IAAI,OAAO;AACX,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,CAAC,CAAC;AACF;AACA;AACA;AACA,OAAO,CAAC,UAAU,GAAG;AACrB,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,IAAI,MAAM;AACV,IAAI,KAAK;AACT,IAAI,MAAM;AACV,IAAI,MAAM;AACV,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,CAAC,CAAC;AACF;AACA;AACA;AACA,OAAO,CAAC,kBAAkB,GAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC3D;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE;AACjC,IAAI,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;AACnC,IAAI,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;AAC3B,IAAI,OAAO,MAAM,CAAC;AAClB,CAAC;AACD,SAAS,EAAE,CAAC,UAAU,EAAE;AACxB,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC;AACzC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5B,CAAC;AACD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,aAAa,CAAC,QAAQ,EAAE;AACjC,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,aAAa,GAAG,QAAQ,CAAC;AAC1C,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACvC,CAAC;AACD,SAAS,WAAW,CAAC,QAAQ,EAAE;AAC/B,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC;AACvC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;AACrC,CAAC;AACD,SAAS,gBAAgB,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC5C,IAAI,IAAI,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;AAC9C,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,kBAAkB,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC/D,KAAK;AACL,CAAC;AACD,SAAS,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE;AAC5C,IAAI,OAAO;AACX,QAAQ,CAAC,MAAM,GAAG;AAClB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,UAAU,EAAE,SAAS;AACjC,YAAY,iBAAiB,EAAE,SAAS;AACxC,YAAY,UAAU,EAAE,KAAK;AAC7B,YAAY,aAAa,EAAE,SAAS;AACpC,YAAY,MAAM,EAAE,SAAS;AAC7B,YAAY,GAAG,QAAQ;AACvB,SAAS;AACT,QAAQ,GAAG,cAAc;AACzB,KAAK,CAAC;AACN,CAAC;AACD;AACA;AACA;AACA;AACA;AACA,OAAO,CAAC,KAAK,GAAG;AAChB;AACA;AACA;AACA;AACA,IAAI,YAAY,GAAG;AACnB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,QAAQ;AAC9B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA,IAAI,KAAK,GAAG;AACZ,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,KAAK;AAC3B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,aAAa,CAAC,QAAQ,EAAE;AAC5B,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;AAC7D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,QAAQ;AACpB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,QAAQ,EAAE;AACpB,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;AAC3D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,OAAO;AACtC,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,CAAC,UAAU,EAAE,QAAQ,EAAE;AACzC,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;AAC3D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,UAAU;AACzC,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC3C,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;AAC3D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,YAAY,UAAU,EAAE,IAAI;AAC5B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE;AAC3B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM,EAAE,CAAC,KAAK,CAAC;AAC3B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC7B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM;AAClB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC1C,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC3C,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,YAAY,UAAU,EAAE,IAAI;AAC5B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL,IAAI,MAAM,CAAC,QAAQ,EAAE;AACrB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL,IAAI,QAAQ,CAAC,EAAE,EAAE;AACjB,QAAQ,OAAO,gBAAgB,CAAC,EAAE,EAAE;AACpC,YAAY,EAAE,EAAE,UAAU;AAC1B,SAAS,CAAC,CAAC;AACX,KAAK;AACL,CAAC,CAAC;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,CAAC,wBAAwB,GAAG;AACnC;AACA;AACA;AACA;AACA,IAAI,YAAY,GAAG;AACnB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,QAAQ;AAC9B,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA,IAAI,KAAK,GAAG;AACZ,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,KAAK;AAC3B,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,aAAa,CAAC,QAAQ,EAAE;AAC5B,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;AAC7D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,QAAQ;AACpB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE;AAC3B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM,EAAE,CAAC,KAAK,CAAC;AAC3B,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC7B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM;AAClB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL,IAAI,MAAM,CAAC,QAAQ,EAAE;AACrB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL,CAAC,CAAC;AACF,SAAS,UAAU,CAAC,UAAU,EAAE;AAChC,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC;AACzC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5B,CAAC;AACD,SAAS,gBAAgB,CAAC,QAAQ,EAAE,cAAc,EAAE;AACpD,IAAI,OAAO;AACX,QAAQ,CAAC,MAAM,GAAG;AAClB,YAAY,QAAQ,EAAE,UAAU;AAChC,YAAY,QAAQ;AACpB,SAAS;AACT,QAAQ,GAAG,cAAc;AACzB,KAAK,CAAC;AACN,CAAC;AACD,MAAM,UAAU,GAAG,CAAC,aAAa,KAAK,aAAa,CAAC,MAAM,CAAC,CAAC;AAC5D,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;AAChC;AACA,MAAM,gBAAgB,GAAG,CAAC,aAAa,KAAK,aAAa,CAAC,MAAM,CAAC,CAAC;AAClE,OAAO,CAAC,gBAAgB,GAAG,gBAAgB;;"}
1
+ {"version":3,"file":"Authorization.js","sources":["../../src/Authorization.ts"],"sourcesContent":["\"use strict\";\nObject.defineProperty(exports, \"__esModule\", { value: true });\nexports.accessSchemaData = exports.accessData = exports.allowForCustomOperations = exports.allow = exports.ResourceOperations = exports.Operations = exports.Strategies = exports.CustomProviders = exports.GroupProviders = exports.OwnerProviders = exports.PrivateProviders = exports.PublicProviders = exports.Providers = void 0;\nconst __data = Symbol('data');\n/**\n * All possible providers.\n *\n * This list should not be used if you need to restrict available providers\n * according to an auth strategcy. E.g., `public` auth can only be facilitated\n * by `apiKey` and `identityPool` providers.\n */\nexports.Providers = [\n 'apiKey',\n 'identityPool',\n 'userPools',\n 'oidc',\n 'function',\n];\n/**\n * The subset of auth providers that can facilitate `public` auth.\n */\nexports.PublicProviders = ['apiKey', 'identityPool'];\n/**\n * The subset of auth providers that can facilitate `private` auth.\n */\nexports.PrivateProviders = ['userPools', 'oidc', 'identityPool'];\n/**\n * The subset of auth providers that can facilitate `owner` auth.\n */\nexports.OwnerProviders = ['userPools', 'oidc'];\n/**\n * The subset of auth providers that can facilitate `group` auth.\n */\nexports.GroupProviders = ['userPools', 'oidc'];\n/**\n * The subset of auth providers that can facilitate `custom` auth.\n */\nexports.CustomProviders = ['function'];\nexports.Strategies = [\n 'public',\n 'private',\n 'owner',\n 'groups',\n 'custom',\n];\n/**\n * The operations that can be performed against an API.\n */\nexports.Operations = [\n 'create',\n 'update',\n 'delete',\n 'read',\n 'get',\n 'list',\n 'sync',\n 'listen',\n 'search',\n];\n/**\n * The operations that can be performed against an API by a Lambda function.\n */\nexports.ResourceOperations = ['query', 'mutate', 'listen'];\n/**\n * Creates a shallow copy of an object with an individual field pruned away.\n *\n * @param original The original object to prune.\n * @param without The field to prune.\n * @returns The pruned object.\n */\nfunction omit(original, without) {\n const pruned = { ...original };\n delete pruned[without];\n return pruned;\n}\nfunction to(operations) {\n this[__data].operations = operations;\n return omit(this, 'to');\n}\n/**\n * Specifies a property of the identity JWT to use in place of `sub::username`\n * as the value to match against the owner field for authorization.\n *\n * @param this Authorization object to operate against.\n * @param property A property of identity JWT.\n * @returns A copy of the Authorization object with the claim attached.\n */\nfunction identityClaim(property) {\n this[__data].identityClaim = property;\n return omit(this, 'identityClaim');\n}\nfunction withClaimIn(property) {\n this[__data].groupClaim = property;\n return omit(this, 'withClaimIn');\n}\nfunction validateProvider(needle, haystack) {\n if (needle && !haystack.includes(needle)) {\n throw new Error(`Invalid provider (${needle}) given!`);\n }\n}\nfunction authData(defaults, builderMethods) {\n return {\n [__data]: {\n strategy: 'public',\n provider: undefined,\n operations: undefined,\n groupOrOwnerField: undefined,\n multiOwner: false,\n identityClaim: undefined,\n groups: undefined,\n ...defaults,\n },\n ...builderMethods,\n };\n}\n/**\n * Defines an authorization rule for your data models and fields. First choose an authorization strategy (`public`,\n * `private`, `owner`, `group`, or `custom`), then choose an auth provider (`apiKey`, `identitypool`, `userPools`, `oidc`, or `function`)\n * and optionally use `.to(...)` to specify the operations that can be performed against your data models and fields.\n */\nexports.allow = {\n /**\n * Authorize unauthenticated users by using API key based authorization.\n * @returns an authorization rule for unauthenticated users\n */\n publicApiKey() {\n return authData({\n strategy: 'public',\n provider: 'apiKey',\n }, {\n to,\n });\n },\n /**\n * Authorize unauthenticated users by using IDENTITYPOOL based authorization.\n * @returns an authorization rule for unauthenticated users\n */\n guest() {\n return authData({\n strategy: 'public',\n provider: 'identityPool',\n }, {\n to,\n });\n },\n /**\n * Authorize authenticated users. By default, `.authenticated()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.authenticated(\"identityPool\")` or `.authenticated(\"oidc\")` to use identityPool or OIDC based authorization for authenticated users.\n * @param provider the authentication provider - supports \"userPools\", \"identityPool\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n authenticated(provider) {\n validateProvider(provider, exports.PrivateProviders);\n return authData({\n strategy: 'private',\n provider,\n }, {\n to,\n });\n },\n /**\n * Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new `owner: a.string()`\n * field will be added to the model to store which user \"owns\" the item. Upon item creation, the \"owner field\" is\n * auto-populated with the authenticated user's information. If you want to specify which field should be used as\n * the owner field, you can use the `ownerDefinedIn` builder function instead.\n *\n * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.owner(\"oidc\")` to use OIDC based authentication to designate the owner.\n *\n * To change the specific claim that should be used as the user identifier within the owner field, chain the\n * `.identityClaim(...)` method.\n *\n * @param provider the authentication provider - supports \"userPools\", \"identityPool\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n owner(provider) {\n validateProvider(provider, exports.OwnerProviders);\n return authData({\n strategy: 'owner',\n provider,\n groupOrOwnerField: 'owner',\n }, {\n to,\n identityClaim,\n });\n },\n /**\n * Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field.\n *\n * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.ownerDefinedIn(\"owner\", \"oidc\")` to use OIDC based authentication to designate the owner.\n *\n * To change the specific claim that should be used as the user identifier within the owner field, chain the\n * `.identityClaim(...)` method.\n *\n * @param ownerField the field that contains the owner information\n * @param provider the authentication provider - supports \"userPools\", \"identityPool\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n ownerDefinedIn(ownerField, provider) {\n validateProvider(provider, exports.OwnerProviders);\n return authData({\n strategy: 'owner',\n provider,\n groupOrOwnerField: ownerField,\n }, {\n to,\n identityClaim,\n });\n },\n /**\n * Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new `owners: a.string().array()`\n * field will be added to the model to store which users \"own\" the item. Upon item creation, the \"owners field\" is\n * auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the `owners` array.\n *\n * You can specify which field should be used as the owners field by passing the `ownersField` parameter.\n *\n * By default, `.ownersDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.ownersDefinedIn(\"owners\", \"oidc\")` to use OIDC based authentication to designate the owner.\n *\n * To change the specific claim that should be used as the user identifier within the owners field, chain the\n * `.identityClaim(...)` method.\n *\n * @param ownersField the field that contains the owners information\n * @param provider the authentication provider - supports \"userPools\", \"identityPool\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n ownersDefinedIn(ownersField, provider) {\n validateProvider(provider, exports.OwnerProviders);\n return authData({\n strategy: 'owner',\n provider,\n groupOrOwnerField: ownersField,\n multiOwner: true,\n }, {\n to,\n identityClaim,\n });\n },\n /**\n * Authorize a specific user group. Provide the name of the specific user group to have access.\n *\n * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.group(\"group-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * To change the specific claim that should be used as the user group identifier, chain the\n * `.withClaimIn(...)` method.\n * @param group the name of the group to authorize\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n group(group, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groups: [group],\n }, {\n to,\n withClaimIn,\n });\n },\n /**\n * Authorize multiple specific user groups. Provide the names of the specific user groups to have access.\n *\n * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.groups([\"group-a\", \"group-b\"], \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * To change the specific claim that should be used as the user group identifier, chain the\n * `.withClaimIn(...)` method.\n * @param groups the names of the group to authorize defined as an array\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n groups(groups, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groups,\n }, {\n to,\n withClaimIn,\n });\n },\n /**\n * Authorize if a user is part of a group defined in a data model field.\n *\n * By default, `.groupDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.groupDefinedIn(\"field-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * To change the specific claim that should be used as the user group identifier within the groups field, chain the\n * `.withClaimIn(...)` method.\n * @param groupsField the field that should store the authorized user group information\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n groupDefinedIn(groupsField, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groupOrOwnerField: groupsField,\n }, {\n to,\n withClaimIn,\n });\n },\n /**\n * Authorize if a user is part of a one of the groups defined in a data model field.\n *\n * By default, `.groupsDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.groupsDefinedIn(\"field-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * To change the specific claim that should be used as the user group identifier within the groups field, chain the\n * `.withClaimIn(...)` method.\n * @param groupsField the field that should store the list of authorized user groups\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n groupsDefinedIn(groupsField, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groupOrOwnerField: groupsField,\n multiOwner: true,\n }, {\n to,\n withClaimIn,\n });\n },\n custom(provider) {\n return authData({\n strategy: 'custom',\n provider,\n }, {\n to,\n });\n },\n resource(fn) {\n return resourceAuthData(fn, {\n to: resourceTo,\n });\n },\n};\n/**\n * This is a copy of the {@link allow} defined above, with modifications for custom operations.\n *\n * Removed builder methods:\n *\n * * `owner`\n * * `ownerDefinedIn`\n * * `ownersDefinedIn`\n * * `groupDefinedIn`\n * * `groupsDefinedIn`\n * * `resource`\n * * `.to()` builder method from each available rule builder\n */\nexports.allowForCustomOperations = {\n /**\n * Authorize unauthenticated users by using API key based authorization.\n * @returns an authorization rule for unauthenticated users\n */\n publicApiKey() {\n return authData({\n strategy: 'public',\n provider: 'apiKey',\n }, {});\n },\n /**\n * Authorize unauthenticated users by using identityPool based authorization.\n * @returns an authorization rule for unauthenticated users\n */\n guest() {\n return authData({\n strategy: 'public',\n provider: 'identityPool',\n }, {});\n },\n /**\n * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.authenticated(\"identityPool\")` or `.authenticated(\"oidc\")` to use Identity Pool or OIDC based authorization for authenticated users.\n * @param provider the authentication provider - supports \"userPools\", \"identityPool\", or \"oidc\"\n * @returns an authorization rule for authenticated users\n */\n authenticated(provider) {\n validateProvider(provider, exports.PrivateProviders);\n return authData({\n strategy: 'private',\n provider,\n }, {});\n },\n /**\n * Authorize a specific user group. Provide the name of the specific user group to have access.\n *\n * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.group(\"group-name\", \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * @param group the name of the group to authorize\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n group(group, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groups: [group],\n }, {});\n },\n /**\n * Authorize multiple specific user groups. Provide the names of the specific user groups to have access.\n *\n * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally\n * use `.groups([\"group-a\", \"group-b\"], \"oidc\")` to use OIDC based authentication to designate the user group.\n *\n * @param groups the names of the group to authorize defined as an array\n * @param provider the authentication provider - supports \"userPools\" or \"oidc\"\n * @returns an authorization rule to grant access by a specific group\n */\n groups(groups, provider) {\n return authData({\n strategy: 'groups',\n provider,\n groups,\n }, {});\n },\n custom(provider) {\n return authData({\n strategy: 'custom',\n provider,\n }, {});\n },\n};\nfunction resourceTo(operations) {\n this[__data].operations = operations;\n return omit(this, 'to');\n}\nfunction resourceAuthData(resource, builderMethods) {\n return {\n [__data]: {\n strategy: 'resource',\n resource,\n },\n ...builderMethods,\n };\n}\nconst accessData = (authorization) => authorization[__data];\nexports.accessData = accessData;\n// TODO: delete when we make resource auth available at each level in the schema (model, field)\nconst accessSchemaData = (authorization) => authorization[__data];\nexports.accessSchemaData = accessSchemaData;\n"],"names":[],"mappings":";;AACA,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9D,OAAO,CAAC,gBAAgB,GAAG,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,wBAAwB,GAAG,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,kBAAkB,GAAG,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,GAAG,OAAO,CAAC,eAAe,GAAG,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,gBAAgB,GAAG,OAAO,CAAC,eAAe,GAAG,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC;AACtU,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AAC9B;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,CAAC,SAAS,GAAG;AACpB,IAAI,QAAQ;AACZ,IAAI,cAAc;AAClB,IAAI,WAAW;AACf,IAAI,MAAM;AACV,IAAI,UAAU;AACd,CAAC,CAAC;AACF;AACA;AACA;AACA,OAAO,CAAC,eAAe,GAAG,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;AACrD;AACA;AACA;AACA,OAAO,CAAC,gBAAgB,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;AACjE;AACA;AACA;AACA,OAAO,CAAC,cAAc,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;AAC/C;AACA;AACA;AACA,OAAO,CAAC,cAAc,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;AAC/C;AACA;AACA;AACA,OAAO,CAAC,eAAe,GAAG,CAAC,UAAU,CAAC,CAAC;AACvC,OAAO,CAAC,UAAU,GAAG;AACrB,IAAI,QAAQ;AACZ,IAAI,SAAS;AACb,IAAI,OAAO;AACX,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,CAAC,CAAC;AACF;AACA;AACA;AACA,OAAO,CAAC,UAAU,GAAG;AACrB,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,IAAI,MAAM;AACV,IAAI,KAAK;AACT,IAAI,MAAM;AACV,IAAI,MAAM;AACV,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,CAAC,CAAC;AACF;AACA;AACA;AACA,OAAO,CAAC,kBAAkB,GAAG,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC3D;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE;AACjC,IAAI,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;AACnC,IAAI,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;AAC3B,IAAI,OAAO,MAAM,CAAC;AAClB,CAAC;AACD,SAAS,EAAE,CAAC,UAAU,EAAE;AACxB,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC;AACzC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5B,CAAC;AACD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,aAAa,CAAC,QAAQ,EAAE;AACjC,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,aAAa,GAAG,QAAQ,CAAC;AAC1C,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;AACvC,CAAC;AACD,SAAS,WAAW,CAAC,QAAQ,EAAE;AAC/B,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,QAAQ,CAAC;AACvC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;AACrC,CAAC;AACD,SAAS,gBAAgB,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC5C,IAAI,IAAI,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;AAC9C,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,kBAAkB,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC/D,KAAK;AACL,CAAC;AACD,SAAS,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE;AAC5C,IAAI,OAAO;AACX,QAAQ,CAAC,MAAM,GAAG;AAClB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,UAAU,EAAE,SAAS;AACjC,YAAY,iBAAiB,EAAE,SAAS;AACxC,YAAY,UAAU,EAAE,KAAK;AAC7B,YAAY,aAAa,EAAE,SAAS;AACpC,YAAY,MAAM,EAAE,SAAS;AAC7B,YAAY,GAAG,QAAQ;AACvB,SAAS;AACT,QAAQ,GAAG,cAAc;AACzB,KAAK,CAAC;AACN,CAAC;AACD;AACA;AACA;AACA;AACA;AACA,OAAO,CAAC,KAAK,GAAG;AAChB;AACA;AACA;AACA;AACA,IAAI,YAAY,GAAG;AACnB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,QAAQ;AAC9B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA,IAAI,KAAK,GAAG;AACZ,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,cAAc;AACpC,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,aAAa,CAAC,QAAQ,EAAE;AAC5B,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;AAC7D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,QAAQ;AACpB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,QAAQ,EAAE;AACpB,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;AAC3D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,OAAO;AACtC,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,CAAC,UAAU,EAAE,QAAQ,EAAE;AACzC,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;AAC3D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,UAAU;AACzC,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC3C,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;AAC3D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,OAAO;AAC7B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,YAAY,UAAU,EAAE,IAAI;AAC5B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,aAAa;AACzB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE;AAC3B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM,EAAE,CAAC,KAAK,CAAC;AAC3B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC7B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM;AAClB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,cAAc,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC1C,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,eAAe,CAAC,WAAW,EAAE,QAAQ,EAAE;AAC3C,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,iBAAiB,EAAE,WAAW;AAC1C,YAAY,UAAU,EAAE,IAAI;AAC5B,SAAS,EAAE;AACX,YAAY,EAAE;AACd,YAAY,WAAW;AACvB,SAAS,CAAC,CAAC;AACX,KAAK;AACL,IAAI,MAAM,CAAC,QAAQ,EAAE;AACrB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,SAAS,EAAE;AACX,YAAY,EAAE;AACd,SAAS,CAAC,CAAC;AACX,KAAK;AACL,IAAI,QAAQ,CAAC,EAAE,EAAE;AACjB,QAAQ,OAAO,gBAAgB,CAAC,EAAE,EAAE;AACpC,YAAY,EAAE,EAAE,UAAU;AAC1B,SAAS,CAAC,CAAC;AACX,KAAK;AACL,CAAC,CAAC;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,CAAC,wBAAwB,GAAG;AACnC;AACA;AACA;AACA;AACA,IAAI,YAAY,GAAG;AACnB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,QAAQ;AAC9B,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA,IAAI,KAAK,GAAG;AACZ,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ,EAAE,cAAc;AACpC,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,aAAa,CAAC,QAAQ,EAAE;AAC5B,QAAQ,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;AAC7D,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,SAAS;AAC/B,YAAY,QAAQ;AACpB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,KAAK,CAAC,KAAK,EAAE,QAAQ,EAAE;AAC3B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM,EAAE,CAAC,KAAK,CAAC;AAC3B,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE;AAC7B,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,YAAY,MAAM;AAClB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL,IAAI,MAAM,CAAC,QAAQ,EAAE;AACrB,QAAQ,OAAO,QAAQ,CAAC;AACxB,YAAY,QAAQ,EAAE,QAAQ;AAC9B,YAAY,QAAQ;AACpB,SAAS,EAAE,EAAE,CAAC,CAAC;AACf,KAAK;AACL,CAAC,CAAC;AACF,SAAS,UAAU,CAAC,UAAU,EAAE;AAChC,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,GAAG,UAAU,CAAC;AACzC,IAAI,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5B,CAAC;AACD,SAAS,gBAAgB,CAAC,QAAQ,EAAE,cAAc,EAAE;AACpD,IAAI,OAAO;AACX,QAAQ,CAAC,MAAM,GAAG;AAClB,YAAY,QAAQ,EAAE,UAAU;AAChC,YAAY,QAAQ;AACpB,SAAS;AACT,QAAQ,GAAG,cAAc;AACzB,KAAK,CAAC;AACN,CAAC;AACD,MAAM,UAAU,GAAG,CAAC,aAAa,KAAK,aAAa,CAAC,MAAM,CAAC,CAAC;AAC5D,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;AAChC;AACA,MAAM,gBAAgB,GAAG,CAAC,aAAa,KAAK,aAAa,CAAC,MAAM,CAAC,CAAC;AAClE,OAAO,CAAC,gBAAgB,GAAG,gBAAgB;;"}
package/dist/cjs/SchemaProcessor.js CHANGED
@@ -378,7 +378,9 @@ function calculateAuth(authorization) {
378
378
  };
379
379
  }
380
380
  if (rule.provider) {
381
- ruleParts.push(`provider: ${rule.provider}`);
381
+ // identityPool maps to iam in the transform
382
+ const provider = rule.provider === 'identityPool' ? 'iam' : rule.provider;
383
+ ruleParts.push(`provider: ${provider}`);
382
384
  }
383
385
  if (rule.operations) {
384
386
  ruleParts.push(`operations: [${rule.operations.join(', ')}]`);
@@ -775,6 +777,9 @@ function validateCustomOperations(typeDef, typeName, authRules, getRefType) {
775
777
  throw new Error(`Field handlers must be of the same type. ${typeName} has been configured with ${configuredHandlersStr}`);
776
778
  }
777
779
  }
780
+ if (opType !== 'Subscription' && subscriptionSource.length > 0) {
781
+ throw new Error(`The .for() modifier function can only be used with a custom subscription. ${typeName} is not a custom subscription.`);
782
+ }
778
783
  if (opType === 'Subscription') {
779
784
  if (subscriptionSource.length < 1) {
780
785
  throw new Error(`${typeName} is missing a mutation source. Custom subscriptions must reference a mutation source via subscription().for(a.ref('ModelOrOperationName')) `);