@awsless/awsless 0.0.400 → 0.0.402

package/dist/bin.js

@@ -8024,19 +8024,22 @@ var DomainSchema = ResourceIdSchema.describe("The domain id to link your Pubsub
 var PubSubDefaultSchema = z14.record(
   ResourceIdSchema,
   z14.object({
+    auth: FunctionSchema,
     domain: DomainSchema.optional(),
-    subDomain: z14.string().optional(),
-    auth: z14.union([
-      ResourceIdSchema,
-      z14.object({
-        authorizer: FunctionSchema
-        // ttl: AuthorizerTtl.default('1 hour'),
-      })
-    ]),
-    policy: z14.object({
-      publish: z14.array(z14.string()).optional(),
-      subscribe: z14.array(z14.string()).optional()
-    }).optional()
+    subDomain: z14.string().optional()
+    // auth: z.union([
+    // 	ResourceIdSchema,
+    // 	z.object({
+    // 		authorizer: FunctionSchema,
+    // 		// ttl: AuthorizerTtl.default('1 hour'),
+    // 	}),
+    // ]),
+    // policy: z
+    // 	.object({
+    // 		publish: z.array(z.string()).optional(),
+    // 		subscribe: z.array(z.string()).optional(),
+    // 	})
+    // 	.optional(),
   })
 ).optional().describe("Define the pubsub subscriber in your stack.");
 var PubSubSchema = z14.record(
@@ -12276,10 +12279,7 @@ var pubsubFeature = defineFeature({
   onApp(ctx) {
     for (const [id, props] of Object.entries(ctx.appConfig.defaults.pubsub ?? {})) {
       const group = new Node12(ctx.base, "pubsub", id);
-      const functionProps = typeof props.auth === "string" ? { file: "" } : props.auth.authorizer;
-      const { lambda } = createLambdaFunction(group, ctx, "pubsub-authorizer", id, functionProps);
-      lambda.addEnvironment("PUBSUB_POLICY", JSON.stringify(props.policy));
-      lambda.addEnvironment("AWS_ACCOUNT_ID", ctx.accountId);
+      const { lambda } = createLambdaFunction(group, ctx, "pubsub-authorizer", id, props.auth);
       const name = formatGlobalResourceName({
         appName: ctx.app.name,
         resourceType: "pubsub",
@@ -12288,6 +12288,7 @@ var pubsubFeature = defineFeature({
       const authorizer = new aws13.iot.Authorizer(group, "authorizer", {
         name,
         functionArn: lambda.arn
+        // enableSigning: false,
       });
       new aws13.lambda.Permission(group, "permission", {
         functionArn: lambda.arn,
@@ -12324,7 +12325,11 @@ var pubsubFeature = defineFeature({
     ctx.onGlobalPolicy((policy) => {
       policy.addStatement({
         actions: [`iot:Publish`],
-        resources: [`arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/*`]
+        resources: [
+          //
+          `arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/*`,
+          `arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/${ctx.app.name}/pubsub/*`
+        ]
         // resources: [`arn:aws:iot:${ctx.appConfig.region}:${ctx.accountId}:topic/${ctx.app.name}/*`],
       });
     });

package/dist/build-json-schema.js

@@ -566,19 +566,22 @@ var DomainSchema = ResourceIdSchema.describe("The domain id to link your Pubsub
 var PubSubDefaultSchema = z17.record(
   ResourceIdSchema,
   z17.object({
+    auth: FunctionSchema,
     domain: DomainSchema.optional(),
-    subDomain: z17.string().optional(),
-    auth: z17.union([
-      ResourceIdSchema,
-      z17.object({
-        authorizer: FunctionSchema
-        // ttl: AuthorizerTtl.default('1 hour'),
-      })
-    ]),
-    policy: z17.object({
-      publish: z17.array(z17.string()).optional(),
-      subscribe: z17.array(z17.string()).optional()
-    }).optional()
+    subDomain: z17.string().optional()
+    // auth: z.union([
+    // 	ResourceIdSchema,
+    // 	z.object({
+    // 		authorizer: FunctionSchema,
+    // 		// ttl: AuthorizerTtl.default('1 hour'),
+    // 	}),
+    // ]),
+    // policy: z
+    // 	.object({
+    // 		publish: z.array(z.string()).optional(),
+    // 		subscribe: z.array(z.string()).optional(),
+    // 	})
+    // 	.optional(),
   })
 ).optional().describe("Define the pubsub subscriber in your stack.");
 var PubSubSchema = z17.record(

package/dist/client.d.ts

@@ -61,7 +61,7 @@ type ClientProps = {
     token?: string;
 };
 type ClientPropsProvider = () => Promise<ClientProps> | ClientProps;
-declare const createPubSubClient: (props: ClientProps | ClientPropsProvider) => {
+declare const createPubSubClient: (app: string, props: ClientProps | ClientPropsProvider) => {
     publish(topic: string, event: string, payload: unknown, qos: QoS): Promise<void>;
     subscribe(topic: string, event: string, callback: MessageCallback): Promise<_awsless_mqtt.Unsubscribe>;
     connected: boolean;

package/dist/client.js

@@ -80,7 +80,7 @@ var createHttpClient = (fetcher) => {
 
 // src/lib/client/pubsub.ts
 import { createClient } from "@awsless/mqtt";
-var createPubSubClient = (props) => {
+var createPubSubClient = (app, props) => {
   const mqtt = createClient(async () => {
     const config = typeof props === "function" ? await props() : props;
     return {
@@ -89,13 +89,16 @@ var createPubSubClient = (props) => {
       password: config.token
     };
   });
+  const getPubSubTopic = (name) => {
+    return `${app}/pubsub/${name}`;
+  };
   return {
     ...mqtt,
     publish(topic, event, payload, qos) {
-      return mqtt.publish(topic, JSON.stringify([event, payload]), qos);
+      return mqtt.publish(getPubSubTopic(topic), JSON.stringify([event, payload]), qos);
     },
     subscribe(topic, event, callback) {
-      return mqtt.subscribe(topic, (message) => {
+      return mqtt.subscribe(getPubSubTopic(topic), (message) => {
         const [eventName, payload] = JSON.parse(message.toString("utf8"));
         if (event === eventName) {
           callback(payload);

package/dist/server.d.ts

@@ -1,8 +1,9 @@
 import { AwsCredentialIdentityProvider } from '@aws-sdk/types';
 import { Mock } from 'vitest';
+import { Duration, DurationFormat } from '@awsless/duration';
 import { QoS } from '@awsless/iot';
 export { QoS } from '@awsless/iot';
-import { DurationFormat } from '@awsless/duration';
+import { IoTCustomAuthorizerResult } from 'aws-lambda';
 
 declare const regions: readonly ["us-east-2", "us-east-1", "us-west-1", "us-west-2", "af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4", "ap-south-1", "ap-northeast-3", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ca-central-1", "eu-central-1", "eu-west-1", "eu-west-2", "eu-south-1", "eu-west-3", "eu-south-2", "eu-north-1", "eu-central-2", "me-south-1", "me-central-1", "sa-east-1"];
 type Region = (typeof regions)[number];
@@ -89,6 +90,23 @@ type PublishOptions = {
 declare const PubSub: {
     publish(topic: string, event: string, payload: unknown, opts?: PublishOptions): Promise<void>;
 };
+type PubsubAuthorizerResponse = {
+    authorized: boolean;
+    principalId?: string;
+    publish?: string[];
+    subscribe?: string[];
+    disconnectAfter?: Duration;
+    refreshAfter?: Duration;
+};
+type PubsubAuthorizerEvent = {
+    protocolData: {
+        mqtt?: {
+            password?: string;
+        };
+    };
+};
+declare const pubsubAuthorizerHandle: (cb: (token: string) => PubsubAuthorizerResponse | Promise<PubsubAuthorizerResponse>) => Promise<(event: PubsubAuthorizerEvent) => Promise<IoTCustomAuthorizerResult>>;
+declare const pubsubAuthorizerResponse: (props: PubsubAuthorizerResponse) => IoTCustomAuthorizerResult;
 
 declare const getQueueName: <N extends string, S extends string = "stack">(resourceName: N, stackName?: S) => `app--${S}--queue--${N}`;
 declare const getQueueUrl: (name: string, stack?: string) => string | undefined;
@@ -137,4 +155,4 @@ declare const Topic: TopicResources;
 declare const APP: "app";
 declare const STACK: "stack";
 
-export { APP, Auth, type AuthResources, Cache, type CacheResources, type CommandContext, type CommandHandler, CommandOptions, Config, type ConfigResources, Fn, Function, type FunctionMock, type FunctionMockResponse, type FunctionResources, PubSub, type PublishOptions, Queue, type QueueMock, type QueueMockResponse, type QueueResources, type RpcAuthorizerResponse, STACK, Search, type SearchResources, Store, type StoreResources, Table, type TableResources, Task, type TaskMock, type TaskMockResponse, type TaskResources, Topic, type TopicMock, type TopicMockResponse, type TopicResources, getAuthProps, getCacheProps, getConfigName, getConfigValue, getFunctionName, getPubSubTopic, getQueueName, getQueueUrl, getSearchName, getSearchProps, getSiteBucketName, getStoreName, getTableName, getTaskName, getTopicName, mockFunction, mockPubSub, mockQueue, mockTask, mockTopic, setConfigValue };
+export { APP, Auth, type AuthResources, Cache, type CacheResources, type CommandContext, type CommandHandler, CommandOptions, Config, type ConfigResources, Fn, Function, type FunctionMock, type FunctionMockResponse, type FunctionResources, PubSub, type PublishOptions, Queue, type QueueMock, type QueueMockResponse, type QueueResources, type RpcAuthorizerResponse, STACK, Search, type SearchResources, Store, type StoreResources, Table, type TableResources, Task, type TaskMock, type TaskMockResponse, type TaskResources, Topic, type TopicMock, type TopicMockResponse, type TopicResources, getAuthProps, getCacheProps, getConfigName, getConfigValue, getFunctionName, getPubSubTopic, getQueueName, getQueueUrl, getSearchName, getSearchProps, getSiteBucketName, getStoreName, getTableName, getTaskName, getTopicName, mockFunction, mockPubSub, mockQueue, mockTask, mockTopic, pubsubAuthorizerHandle, pubsubAuthorizerResponse, setConfigValue };

package/dist/server.js

@@ -363,6 +363,7 @@ var Config = /* @__PURE__ */ new Proxy(
 );
 
 // src/lib/server/pubsub.ts
+import { hours, toSeconds } from "@awsless/duration";
 import { publish as publish2, QoS } from "@awsless/iot";
 var getPubSubTopic = (name) => {
   return `${APP}/pubsub/${name}`;
@@ -376,6 +377,65 @@ var PubSub = {
     });
   }
 };
+var pubsubAuthorizerHandle = async (cb) => {
+  return async (event) => {
+    const token = Buffer.from(event.protocolData.mqtt?.password ?? "", "base64").toString();
+    const response = await cb(token);
+    return pubsubAuthorizerResponse(response);
+  };
+};
+var pubsubAuthorizerResponse = (props) => {
+  const region = process.env.AWS_REGION;
+  const accountId = process.env.AWS_ACCOUNT_ID;
+  const prefix = `arn:aws:iot:${region}:${accountId}`;
+  const statements = [];
+  if (props.publish) {
+    statements.push({
+      Action: "iot:Publish",
+      Effect: "Allow",
+      Resource: props.publish.map((topic) => {
+        return `${prefix}:topic/${topic}`;
+      })
+    });
+  }
+  if (props.subscribe) {
+    statements.push(
+      {
+        Action: "iot:Subscribe",
+        Effect: "Allow",
+        Resource: props.subscribe.map((topic) => {
+          return `${prefix}:topicfilter/${topic}`;
+        })
+      },
+      {
+        Action: "iot:Receive",
+        Effect: "Allow",
+        Resource: props.subscribe.map((topic) => {
+          return `${prefix}:topic/${topic}`;
+        })
+      }
+    );
+  }
+  return {
+    isAuthenticated: props.authorized,
+    principalId: props.principalId ?? Date.now().toString(),
+    disconnectAfterInSeconds: Number(toSeconds(props.disconnectAfter ?? hours(1))),
+    refreshAfterInSeconds: Number(toSeconds(props.disconnectAfter ?? hours(1))),
+    policyDocuments: [
+      {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Action: "iot:Connect",
+            Effect: "Allow",
+            Resource: `${prefix}:client/\${iot:ClientId}`
+          },
+          ...statements
+        ]
+      }
+    ]
+  };
+};
 
 // src/lib/server/search.ts
 import { define, searchClient } from "@awsless/open-search";
@@ -483,5 +543,7 @@ export {
   mockQueue,
   mockTask,
   mockTopic,
+  pubsubAuthorizerHandle,
+  pubsubAuthorizerResponse,
   setConfigValue
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@awsless/awsless",
-  "version": "0.0.400",
+  "version": "0.0.402",
   "license": "MIT",
   "type": "module",
   "sideEffects": false,
@@ -28,17 +28,17 @@
     }
   },
   "peerDependencies": {
-    "@awsless/iot": "^0.0.2",
     "@awsless/lambda": "^0.0.27",
     "@awsless/mqtt": "^0.0.2",
     "@awsless/open-search": "^0.0.15",
+    "@awsless/iot": "^0.0.2",
     "@awsless/redis": "^0.0.13",
-    "@awsless/s3": "^0.0.18",
-    "@awsless/sns": "^0.0.7",
-    "@awsless/validate": "^0.0.16",
+    "@awsless/ssm": "^0.0.7",
     "@awsless/weak-cache": "^0.0.1",
+    "@awsless/validate": "^0.0.16",
+    "@awsless/s3": "^0.0.18",
     "@awsless/sqs": "^0.0.7",
-    "@awsless/ssm": "^0.0.7"
+    "@awsless/sns": "^0.0.7"
   },
   "dependencies": {
     "@arcanyx/cidr-slicer": "^0.3.0",
@@ -113,12 +113,12 @@
     "zod": "^3.21.4",
     "zod-to-json-schema": "^3.22.3",
     "@awsless/duration": "^0.0.1",
+    "@awsless/size": "^0.0.1",
     "@awsless/formation": "^0.0.57",
-    "@awsless/code": "^0.0.10",
     "@awsless/validate": "^0.0.16",
-    "@awsless/graphql": "^0.0.9",
+    "@awsless/code": "^0.0.10",
     "@awsless/ts-file-cache": "^0.0.10",
-    "@awsless/size": "^0.0.1"
+    "@awsless/graphql": "^0.0.9"
   },
   "devDependencies": {
     "@node-rs/bcrypt": "^1.10.5"