@awsless/awsless 0.0.76 → 0.0.78

package/dist/bin.js

@@ -212,6 +212,7 @@ var LogGroup = class extends Resource {
 };
 
 // src/formation/resource/iam/inline-policy.ts
+import { capitalCase } from "change-case";
 var InlinePolicy = class {
   name;
   statements;
@@ -229,7 +230,7 @@ var InlinePolicy = class {
       PolicyDocument: {
         Version: "2012-10-17",
         Statement: this.statements.map((statement) => ({
-          Effect: statement.effect || "Allow",
+          Effect: capitalCase(statement.effect || "allow"),
           Action: statement.actions,
           Resource: statement.resources
         }))
@@ -1330,6 +1331,12 @@ var RetryAttemptsSchema = z6.number().int().min(0).max(2);
 var RuntimeSchema = z6.enum([
   "nodejs18.x"
 ]);
+var PermissionSchema = z6.object({
+  effect: z6.enum(["allow", "deny"]).default("allow"),
+  actions: z6.string().array(),
+  resources: z6.string().array()
+});
+var PermissionsSchema = z6.union([PermissionSchema, PermissionSchema.array()]);
 var LogSchema = z6.union([
   z6.boolean(),
   DurationSchema.refine(durationMin(Duration.days(1)), "Minimum log retention is 1 day")
@@ -1404,8 +1411,17 @@ var FunctionSchema = z6.union([
      *   }
      * }
      */
-    environment: EnvironmentSchema.optional()
-    // onFailure: ResourceIdSchema.optional(),
+    environment: EnvironmentSchema.optional(),
+    /** Add IAM permissions to your function.
+     * @example
+     * {
+     *   permissions: {
+     *     actions: [ 's3:PutObject' ],
+     *     resources: [ '*' ]
+     *   }
+     * }
+     */
+    permissions: PermissionsSchema.optional()
   })
 ]);
 var isFunctionProps = (input) => {
@@ -1477,8 +1493,17 @@ var schema = z6.object({
        *   }
        * }
        */
-      environment: EnvironmentSchema.optional()
-      // onFailure: ResourceIdSchema.optional(),
+      environment: EnvironmentSchema.optional(),
+      /** Add IAM permissions to your function.
+       * @example
+       * {
+       *   permissions: {
+       *     actions: [ 's3:PutObject' ],
+       *     resources: [ '*' ]
+       *   }
+       * }
+       */
+      permissions: PermissionsSchema.optional()
     }).default({})
   }).default({}),
   stacks: z6.object({
@@ -1500,9 +1525,9 @@ var typeGenCode = `
 import { InvokeOptions } from '@awsless/lambda'
 
 type Invoke<Name extends string, Func extends (...args: any[]) => any> = {
-	name: Name
+	readonly name: Name
+	readonly async: (payload: Parameters<Func>[0], options?: Omit<InvokeOptions, 'name' | 'payload' | 'type'>) => ReturnType<Func>
 	(payload: Parameters<Func>[0], options?: Omit<InvokeOptions, 'name' | 'payload'>): ReturnType<Func>
-	async: (payload: Parameters<Func>[0], options?: Omit<InvokeOptions, 'name' | 'payload' | 'type'>) => ReturnType<Func>
 }`;
 var functionPlugin = definePlugin({
   name: "function",
@@ -1558,6 +1583,12 @@ var toLambdaFunction = (ctx, id, fileOrProps) => {
     ...props,
     vpc: void 0
   });
+  if (config.defaults?.function?.permissions) {
+    lambda.addPermissions(config.defaults?.function?.permissions);
+  }
+  if (typeof fileOrProps === "object" && fileOrProps.permissions) {
+    lambda.addPermissions(fileOrProps.permissions);
+  }
   lambda.addEnvironment("APP", config.name).addEnvironment("STAGE", config.stage).addEnvironment("STACK", stack.name);
   if (props.log) {
     lambda.enableLogs(props.log instanceof Duration ? props.log : void 0);
@@ -1769,8 +1800,8 @@ import { SendMessageOptions, SendMessageBatchOptions, BatchItem } from '@awsless
 type Payload<Func extends (...args: any[]) => any> = Parameters<Func>[0]['Records'][number]['body']
 
 type Send<Name extends string, Func extends (...args: any[]) => any> = {
-	name: Name
-	batch(items:BatchItem<Payload<Func>>[], options?:Omit<SendMessageBatchOptions, 'queue' | 'items'>): Promise<void>
+	readonly name: Name
+	readonly batch(items:BatchItem<Payload<Func>>[], options?:Omit<SendMessageBatchOptions, 'queue' | 'items'>): Promise<void>
 	(payload: Payload<Func>, options?: Omit<SendMessageOptions, 'queue' | 'payload'>): Promise<void>
 }`;
 var queuePlugin = definePlugin({
@@ -2166,7 +2197,7 @@ var tablePlugin = definePlugin({
       const list3 = new TypeObject();
       for (const name of Object.keys(stack.tables || {})) {
         const tableName = formatName(`${config.name}-${stack.name}-${name}`);
-        list3.addType(name, `{ name: '${tableName}' }`);
+        list3.addType(name, `{ readonly name: '${tableName}' }`);
       }
       types2.addType(stack.name, list3.toString());
     }
@@ -2298,7 +2329,7 @@ var storePlugin = definePlugin({
       const list3 = new TypeObject();
       for (const name of stack.stores || []) {
         const storeName = formatName(`${config.name}-${stack.name}-${name}`);
-        list3.addType(name, `{ name: '${storeName}' }`);
+        list3.addType(name, `{ readonly name: '${storeName}' }`);
       }
       types2.addType(stack.name, list3.toString());
     }
@@ -2397,8 +2428,8 @@ var typeGenCode3 = `
 import { PublishOptions } from '@awsless/sns'
 
 type Publish<Name extends string> = {
-	name: Name
-	(payload: unknown, options?: Omit<PublishOptions, 'topic' | 'payload'>): Promise<void>
+	readonly name: Name
+	readonly (payload: unknown, options?: Omit<PublishOptions, 'topic' | 'payload'>): Promise<void>
 }`;
 var topicPlugin = definePlugin({
   name: "topic",
@@ -2620,16 +2651,17 @@ var toArray = (value) => {
 import { paramCase as paramCase4 } from "change-case";
 
 // src/formation/resource/appsync/graphql-api.ts
-import { constantCase as constantCase7 } from "change-case";
 var GraphQLApi = class extends Resource {
+  // private lambdaAuthProviders: { arn: string, ttl: Duration }[] = []
   constructor(logicalId, props) {
     super("AWS::AppSync::GraphQLApi", logicalId);
     this.props = props;
     this.name = formatName(this.props.name || logicalId);
+    this.defaultAuthorization = props.defaultAuthorization;
     this.tag("name", this.name);
   }
   name;
-  lambdaAuthProviders = [];
+  defaultAuthorization;
   get arn() {
     return ref(this.logicalId);
   }
@@ -2642,24 +2674,67 @@ var GraphQLApi = class extends Resource {
   get dns() {
     return getAtt(this.logicalId, "GraphQLDns");
   }
-  addLambdaAuthProvider(lambdaAuthorizerArn, resultTTL = Duration.seconds(0)) {
-    this.lambdaAuthProviders.push({
-      arn: lambdaAuthorizerArn,
-      ttl: resultTTL
-    });
+  setDefaultAuthorization(auth) {
+    this.defaultAuthorization = auth;
     return this;
   }
+  // addLambdaAuthProvider(lambdaAuthorizerArn: string, resultTTL: Duration = Duration.seconds(0)) {
+  // 	this.lambdaAuthProviders.push({
+  // 		arn: lambdaAuthorizerArn,
+  // 		ttl: resultTTL,
+  // 	})
+  // 	return this
+  // }
+  // addCognitoAuthProvider(lambdaAuthorizerArn: string, resultTTL: Duration = Duration.seconds(0)) {
+  // 	this.lambdaAuthProviders.push({
+  // 		arn: lambdaAuthorizerArn,
+  // 		ttl: resultTTL,
+  // 	})
+  // 	return this
+  // }
   properties() {
     return {
       Name: this.name,
-      AuthenticationType: constantCase7(this.props.authenticationType || "api-key"),
-      AdditionalAuthenticationProviders: this.lambdaAuthProviders.map((provider) => ({
-        AuthenticationType: "AWS_LAMBDA",
-        LambdaAuthorizerConfig: {
-          AuthorizerUri: provider.arn,
-          AuthorizerResultTtlInSeconds: provider.ttl.toSeconds()
-        }
-      }))
+      ...this.defaultAuthorization?.toJSON() ?? {}
+      // AuthenticationType: constantCase(this.props.authenticationType || 'api-key'),
+      // AdditionalAuthenticationProviders: this.lambdaAuthProviders.map(provider => ({
+      // 	AuthenticationType: 'AWS_LAMBDA',
+      // 	LambdaAuthorizerConfig: {
+      // 		AuthorizerUri: provider.arn,
+      // 		AuthorizerResultTtlInSeconds: provider.ttl.toSeconds(),
+      // 	}
+      // }))
+    };
+  }
+};
+var GraphQLAuthorization = class {
+  static withCognito(props) {
+    return new GraphQLCognitoAuthorization(props);
+  }
+  static withApiKey() {
+    return new GraphQLApiKeyAuthorization();
+  }
+};
+var GraphQLCognitoAuthorization = class {
+  constructor(props) {
+    this.props = props;
+  }
+  toJSON() {
+    return {
+      AuthenticationType: "AMAZON_COGNITO_USER_POOLS",
+      UserPoolConfig: {
+        UserPoolId: this.props.userPoolId,
+        ...this.props.region ? { AwsRegion: this.props.region } : {},
+        ...this.props.defaultAction ? { DefaultAction: this.props.defaultAction } : {},
+        ...this.props.appIdClientRegex ? { AppIdClientRegex: this.props.appIdClientRegex } : {}
+      }
+    };
+  }
+};
+var GraphQLApiKeyAuthorization = class {
+  toJSON() {
+    return {
+      AuthenticationType: "API_KEY"
     };
   }
 };
@@ -2967,10 +3042,11 @@ var graphqlPlugin = definePlugin({
       graphql: z14.record(ResourceIdSchema, z14.object({
         domain: z14.string().optional(),
         subDomain: z14.string().optional(),
-        authorization: z14.object({
-          authorizer: FunctionSchema,
-          ttl: DurationSchema.default("1 hour")
-        }).optional(),
+        auth: ResourceIdSchema.optional(),
+        // authorization: z.object({
+        // 	authorizer: FunctionSchema,
+        // 	ttl: DurationSchema.default('1 hour'),
+        // }).optional(),
         resolver: LocalFileSchema.optional()
       })).optional()
     }).default({}),
@@ -3014,7 +3090,7 @@ var graphqlPlugin = definePlugin({
       }
       const api = new GraphQLApi(id, {
         name: `${config.name}-${id}`,
-        authenticationType: "api-key"
+        defaultAuthorization: GraphQLAuthorization.withApiKey()
       });
       const schema2 = new GraphQLSchema(id, {
         apiId: api.id,
@@ -3025,10 +3101,12 @@ var graphqlPlugin = definePlugin({
       if (!props) {
         continue;
       }
-      if (props.authorization) {
-        const lambda = toLambdaFunction(ctx, `${id}-authorizer`, props.authorization.authorizer);
-        api.addLambdaAuthProvider(lambda.arn, props.authorization.ttl);
-        bootstrap2.add(lambda);
+      if (props.auth) {
+        api.setDefaultAuthorization(GraphQLAuthorization.withCognito({
+          userPoolId: bootstrap2.import(`auth-${props.auth}-user-pool-id`),
+          region: bootstrap2.region,
+          defaultAction: "ALLOW"
+        }));
       }
       if (props.domain) {
         const domainName = props.subDomain ? `${props.subDomain}.${props.domain}` : props.domain;
@@ -3183,36 +3261,38 @@ var DomainNameSchema = z15.string().regex(/[a-z\-\_\.]/g, "Invalid domain name")
 var domainPlugin = definePlugin({
   name: "domain",
   schema: z15.object({
-    /** Define the domains for your application.
-     * @example
-     * {
-     *   domains: {
-     *     'example.com': [{
-     *       name: 'www',
-     *       type: 'TXT',
-     *       ttl: '60 seconds',
-     *       records: [ 'value' ]
-     *     }]
-     *   }
-     * }
-     */
-    domains: z15.record(DomainNameSchema, z15.object({
-      /** Enter a fully qualified domain name, for example, www.example.com.
-       * You can optionally include a trailing dot.
-       * If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified.
-       * This means that Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical.
+    defaults: z15.object({
+      /** Define the domains for your application.
+       * @example
+       * {
+       *   domains: {
+       *     'example.com': [{
+       *       name: 'www',
+       *       type: 'TXT',
+       *       ttl: '60 seconds',
+       *       records: [ 'value' ]
+       *     }]
+       *   }
+       * }
        */
-      name: DomainNameSchema.optional(),
-      /** The DNS record type. */
-      type: z15.enum(["A", "AAAA", "CAA", "CNAME", "DS", "MX", "NAPTR", "NS", "PTR", "SOA", "SPF", "SRV", "TXT"]),
-      /** The resource record cache time to live (TTL). */
-      ttl: DurationSchema,
-      /** One or more values that correspond with the value that you specified for the Type property. */
-      records: z15.string().array()
-    }).array()).optional()
+      domains: z15.record(DomainNameSchema, z15.object({
+        /** Enter a fully qualified domain name, for example, www.example.com.
+         * You can optionally include a trailing dot.
+         * If you omit the trailing dot, Amazon Route 53 assumes that the domain name that you specify is fully qualified.
+         * This means that Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical.
+         */
+        name: DomainNameSchema.optional(),
+        /** The DNS record type. */
+        type: z15.enum(["A", "AAAA", "CAA", "CNAME", "DS", "MX", "NAPTR", "NS", "PTR", "SOA", "SPF", "SRV", "TXT"]),
+        /** The resource record cache time to live (TTL). */
+        ttl: DurationSchema,
+        /** One or more values that correspond with the value that you specified for the Type property. */
+        records: z15.string().array()
+      }).array()).optional()
+    }).default({})
   }),
   onApp({ config, bootstrap: bootstrap2, usEastBootstrap }) {
-    const domains = Object.entries(config.domains || {});
+    const domains = Object.entries(config.defaults.domains || {});
     if (domains.length === 0) {
       return;
     }
@@ -3660,7 +3740,7 @@ var LoadBalancer = class extends Resource {
 };
 
 // src/formation/resource/elb/listener.ts
-import { constantCase as constantCase8 } from "change-case";
+import { constantCase as constantCase7 } from "change-case";
 var Listener = class extends Resource {
   constructor(logicalId, props) {
     super("AWS::ElasticLoadBalancingV2::Listener", logicalId);
@@ -3676,11 +3756,16 @@ var Listener = class extends Resource {
     return {
       LoadBalancerArn: this.props.loadBalancerArn,
       Port: this.props.port,
-      Protocol: constantCase8(this.props.protocol),
+      Protocol: constantCase7(this.props.protocol),
       Certificates: this.props.certificates.map((arn) => ({
         CertificateArn: arn
       })),
-      ...this.attr("DefaultActions", this.props.defaultActions?.map((action) => action.toJSON()))
+      ...this.attr("DefaultActions", this.props.defaultActions?.map((action, i) => {
+        return {
+          Order: i + 1,
+          ...action.toJSON()
+        };
+      }))
     };
   }
 };
@@ -3688,6 +3773,12 @@ var ListenerAction = class _ListenerAction {
   constructor(props) {
     this.props = props;
   }
+  static authCognito(props) {
+    return new _ListenerAction({
+      type: "authenticate-cognito",
+      ...props
+    });
+  }
   static fixedResponse(statusCode, props = {}) {
     return new _ListenerAction({
       type: "fixed-response",
@@ -3729,6 +3820,17 @@ var ListenerAction = class _ListenerAction {
             TargetGroupArn: target
           }))
         }
+      } : {},
+      ...this.props.type === "authenticate-cognito" ? {
+        AuthenticateCognitoConfig: {
+          OnUnauthenticatedRequest: this.props.onUnauthenticated ?? "deny",
+          Scope: this.props.scope ?? "openid",
+          SessionCookieName: this.props.session?.cookieName ?? "AWSELBAuthSessionCookie",
+          SessionTimeout: this.props.session?.timeout?.toSeconds() ?? 604800,
+          UserPoolArn: this.props.userPool.arn,
+          UserPoolClientId: this.props.userPool.clientId,
+          UserPoolDomain: this.props.userPool.domain
+        }
       } : {}
     };
   }
@@ -3751,7 +3853,13 @@ var ListenerRule = class extends Resource {
       ListenerArn: this.props.listenerArn,
       Priority: this.props.priority,
       Conditions: this.props.conditions.map((condition) => condition.toJSON()),
-      Actions: this.props.actions.map((action) => action.toJSON())
+      // Actions: this.props.actions.map(action => action.toJSON()),
+      Actions: this.props.actions?.map((action, i) => {
+        return {
+          Order: i + 1,
+          ...action.toJSON()
+        };
+      })
     };
   }
 };
@@ -3830,11 +3938,16 @@ var ElbEventSource = class extends Group {
       type: "lambda",
       targets: [lambda.arn]
     }).dependsOn(lambda, permission);
+    const actions = [];
+    if (props.auth?.cognito) {
+      actions.push(ListenerAction.authCognito(props.auth.cognito));
+    }
     const rule = new ListenerRule(id, {
       listenerArn: props.listenerArn,
       priority: props.priority,
       conditions: props.conditions,
       actions: [
+        ...actions,
         ListenerAction.forward([target.arn])
       ]
     }).dependsOn(target);
@@ -3880,7 +3993,8 @@ var httpPlugin = definePlugin({
         z17.object({
           /** The domain to link your api with. */
           domain: z17.string(),
-          subDomain: z17.string().optional()
+          subDomain: z17.string().optional(),
+          auth: ResourceIdSchema.optional()
         })
       ).optional()
     }).default({}),
@@ -3953,18 +4067,28 @@ var httpPlugin = definePlugin({
     }
   },
   onStack(ctx) {
-    const { stack, stackConfig, bootstrap: bootstrap2 } = ctx;
+    const { config, stack, stackConfig, bootstrap: bootstrap2 } = ctx;
     for (const [id, routes] of Object.entries(stackConfig.http || {})) {
-      for (const [route, props] of Object.entries(routes)) {
+      const props = config.defaults.http[id];
+      for (const [route, routeProps] of Object.entries(routes)) {
         const { method, path } = parseRoute(route);
-        const lambda = toLambdaFunction(ctx, `http-${id}`, props);
+        const lambda = toLambdaFunction(ctx, `http-${id}`, routeProps);
         const source = new ElbEventSource(`http-${id}-${route}`, lambda, {
           listenerArn: bootstrap2.import(`http-${id}-listener-arn`),
           priority: generatePriority(stackConfig.name, route),
           conditions: [
             ListenerCondition.httpRequestMethods([method]),
             ListenerCondition.pathPatterns([path])
-          ]
+          ],
+          auth: props.auth ? {
+            cognito: {
+              userPool: {
+                arn: bootstrap2.import(`auth-${props.auth}-user-pool-arn`),
+                clientId: bootstrap2.import(`auth-${props.auth}-client-id`),
+                domain: bootstrap2.import(`auth-${props.auth}-domain`)
+              }
+            }
+          } : void 0
         });
         stack.add(lambda, source);
       }
@@ -4028,7 +4152,7 @@ var searchPlugin = definePlugin({
       const list3 = new TypeObject();
       for (const id of stack.searchs || []) {
         const name = formatName(`${config.name}-${stack.name}-${id}`);
-        list3.addType(name, `{ name: '${name}' }`);
+        list3.addType(name, `{ readonly name: '${name}' }`);
       }
       gen.addType(stack.name, list3.toString());
     }
@@ -4115,7 +4239,7 @@ var SubnetGroup = class extends Resource {
 };
 
 // src/plugins/cache.ts
-import { constantCase as constantCase9 } from "change-case";
+import { constantCase as constantCase8 } from "change-case";
 var TypeSchema = z19.enum([
   "t4g.small",
   "t4g.medium",
@@ -4168,7 +4292,7 @@ var cachePlugin = definePlugin({
     for (const stack of config.stacks) {
       const list3 = new TypeObject();
       for (const name of Object.keys(stack.caches || {})) {
-        list3.addType(name, `{ host: string, port: number }`);
+        list3.addType(name, `{ readonly host: string, readonly port: number }`);
       }
       gen.addType(stack.name, list3.toString());
     }
@@ -4201,7 +4325,7 @@ var cachePlugin = definePlugin({
       }).dependsOn(subnetGroup, securityGroup);
       stack.add(subnetGroup, securityGroup, cluster);
       bind((lambda) => {
-        lambda.addEnvironment(`CACHE_${constantCase9(stack.name)}_${constantCase9(id)}_HOST`, cluster.address).addEnvironment(`CACHE_${constantCase9(stack.name)}_${constantCase9(id)}_PORT`, props.port.toString());
+        lambda.addEnvironment(`CACHE_${constantCase8(stack.name)}_${constantCase8(id)}_HOST`, cluster.address).addEnvironment(`CACHE_${constantCase8(stack.name)}_${constantCase8(id)}_PORT`, props.port.toString());
       });
     }
   }
@@ -4891,7 +5015,7 @@ var Files = class extends Asset {
 };
 
 // src/formation/resource/s3/bucket-policy.ts
-import { capitalCase } from "change-case";
+import { capitalCase as capitalCase2 } from "change-case";
 var BucketPolicy = class extends Resource {
   constructor(logicalId, props) {
     super("AWS::S3::BucketPolicy", logicalId);
@@ -4903,7 +5027,7 @@ var BucketPolicy = class extends Resource {
       PolicyDocument: {
         Version: this.props.version ?? "2012-10-17",
         Statement: this.props.statements.map((statement) => ({
-          Effect: capitalCase(statement.effect ?? "allow"),
+          Effect: capitalCase2(statement.effect ?? "allow"),
           ...statement.principal ? {
             Principal: {
               Service: statement.principal
@@ -5374,6 +5498,399 @@ var featurePlugin = definePlugin({
   }
 });
 
+// src/plugins/auth.ts
+import { z as z25 } from "zod";
+
+// src/formation/resource/cognito/user-pool.ts
+import { constantCase as constantCase9 } from "change-case";
+
+// src/formation/resource/cognito/user-pool-client.ts
+var UserPoolClient = class extends Resource {
+  constructor(logicalId, props) {
+    super("AWS::Cognito::UserPoolClient", logicalId);
+    this.props = props;
+    this.name = formatName(this.props.name || logicalId);
+  }
+  name;
+  get id() {
+    return ref(this.logicalId);
+  }
+  formatAuthFlows() {
+    const authFlows = [];
+    if (this.props.authFlows?.userPassword) {
+      authFlows.push("ALLOW_USER_PASSWORD_AUTH");
+    }
+    if (this.props.authFlows?.adminUserPassword) {
+      authFlows.push("ALLOW_ADMIN_USER_PASSWORD_AUTH");
+    }
+    if (this.props.authFlows?.custom) {
+      authFlows.push("ALLOW_CUSTOM_AUTH");
+    }
+    if (this.props.authFlows?.userSrp) {
+      authFlows.push("ALLOW_USER_SRP_AUTH");
+    }
+    authFlows.push("ALLOW_REFRESH_TOKEN_AUTH");
+    return authFlows;
+  }
+  formatIdentityProviders() {
+    const supported = this.props.supportedIdentityProviders ?? [];
+    const providers = [];
+    if (supported.length === 0) {
+      return void 0;
+    }
+    if (supported.includes("amazon")) {
+      providers.push("LoginWithAmazon");
+    }
+    if (supported.includes("apple")) {
+      providers.push("SignInWithApple");
+    }
+    if (supported.includes("cognito")) {
+      providers.push("COGNITO");
+    }
+    if (supported.includes("facebook")) {
+      providers.push("Facebook");
+    }
+    if (supported.includes("google")) {
+      providers.push("Google");
+    }
+    return providers;
+  }
+  properties() {
+    return {
+      ClientName: this.name,
+      UserPoolId: this.props.userPoolId,
+      ExplicitAuthFlows: this.formatAuthFlows(),
+      EnableTokenRevocation: this.props.enableTokenRevocation ?? false,
+      GenerateSecret: this.props.generateSecret ?? false,
+      PreventUserExistenceErrors: this.props.preventUserExistenceErrors ?? true ? "ENABLED" : "LEGACY",
+      ...this.attr("SupportedIdentityProviders", this.formatIdentityProviders()),
+      AllowedOAuthFlows: ["code"],
+      AllowedOAuthScopes: ["openid"],
+      AllowedOAuthFlowsUserPoolClient: true,
+      CallbackURLs: ["https://example.com"],
+      LogoutURLs: ["https://example.com"],
+      // DefaultRedirectURI: String
+      // EnablePropagateAdditionalUserContextData
+      ...this.attr("ReadAttributes", this.props.readAttributes),
+      ...this.attr("WriteAttributes", this.props.writeAttributes),
+      ...this.attr("AuthSessionValidity", this.props.validity?.authSession?.toMinutes()),
+      ...this.attr("AccessTokenValidity", this.props.validity?.accessToken?.toHours()),
+      ...this.attr("IdTokenValidity", this.props.validity?.idToken?.toHours()),
+      ...this.attr("RefreshTokenValidity", this.props.validity?.refreshToken?.toDays()),
+      TokenValidityUnits: {
+        ...this.attr("AccessToken", this.props.validity?.accessToken && "hours"),
+        ...this.attr("IdToken", this.props.validity?.idToken && "hours"),
+        ...this.attr("RefreshToken", this.props.validity?.refreshToken && "days")
+      }
+    };
+  }
+};
+
+// src/formation/resource/cognito/user-pool-domain.ts
+var UserPoolDomain = class extends Resource {
+  constructor(logicalId, props) {
+    super("AWS::Cognito::UserPoolDomain", logicalId);
+    this.props = props;
+  }
+  get domain() {
+    return ref(this.logicalId);
+  }
+  get cloudFrontDistribution() {
+    return getAtt(this.logicalId, "CloudFrontDistribution");
+  }
+  properties() {
+    return {
+      UserPoolId: this.props.userPoolId,
+      Domain: formatName(this.props.domain)
+    };
+  }
+};
+
+// src/formation/resource/cognito/user-pool.ts
+var UserPool = class extends Resource {
+  constructor(logicalId, props) {
+    super("AWS::Cognito::UserPool", logicalId);
+    this.props = props;
+    this.name = formatName(this.props.name || logicalId);
+  }
+  name;
+  get id() {
+    return ref(this.logicalId);
+  }
+  get arn() {
+    return getAtt(this.logicalId, "Arn");
+  }
+  get providerName() {
+    return getAtt(this.logicalId, "ProviderName");
+  }
+  get providerUrl() {
+    return getAtt(this.logicalId, "ProviderURL");
+  }
+  addDomain(props) {
+    const domain = new UserPoolDomain(this.logicalId, {
+      ...props,
+      userPoolId: this.id
+    }).dependsOn(this);
+    this.addChild(domain);
+    return domain;
+  }
+  addClient(props = {}) {
+    const client = new UserPoolClient(this.logicalId, {
+      ...props,
+      userPoolId: this.id
+    }).dependsOn(this);
+    this.addChild(client);
+    return client;
+  }
+  // get permissions() {
+  // 	const permissions = [{
+  // 		actions: [
+  // 			'dynamodb:DescribeTable',
+  // 			'dynamodb:PutItem',
+  // 			'dynamodb:GetItem',
+  // 			'dynamodb:DeleteItem',
+  // 			'dynamodb:TransactWrite',
+  // 			'dynamodb:BatchWriteItem',
+  // 			'dynamodb:BatchGetItem',
+  // 			'dynamodb:ConditionCheckItem',
+  // 			'dynamodb:Query',
+  // 			'dynamodb:Scan',
+  // 		],
+  // 		resources: [
+  // 			formatArn({
+  // 				service: 'dynamodb',
+  // 				resource: 'table',
+  // 				resourceName: this.name,
+  // 			}),
+  // 		 ],
+  // 	}]
+  // }
+  properties() {
+    return {
+      UserPoolName: this.name,
+      // UserPoolTags: [],
+      ...this.props.username?.emailAlias ? {
+        AliasAttributes: ["email"],
+        // UsernameAttributes: [ 'email' ],
+        AutoVerifiedAttributes: ["email"],
+        Schema: [{
+          AttributeDataType: "String",
+          Name: "email",
+          Required: true,
+          Mutable: false,
+          StringAttributeConstraints: {
+            MinLength: 5,
+            MaxLength: 100
+          }
+        }]
+      } : {},
+      UsernameConfiguration: {
+        CaseSensitive: this.props.username?.caseSensitive ?? false
+      },
+      ...this.attr("EmailConfiguration", this.props.email?.toJSON()),
+      // DeviceConfiguration: {
+      // 	ChallengeRequiredOnNewDevice: {},
+      // 	DeviceOnlyRememberedOnUserPrompt: {},
+      // },
+      AdminCreateUserConfig: {
+        AllowAdminCreateUserOnly: !(this.props.allowUserRegistration ?? true)
+      },
+      Policies: {
+        PasswordPolicy: {
+          MinimumLength: this.props.password?.minLength ?? 8,
+          RequireUppercase: this.props.password?.uppercase ?? false,
+          RequireLowercase: this.props.password?.lowercase ?? false,
+          RequireNumbers: this.props.password?.numbers ?? false,
+          RequireSymbols: this.props.password?.symbols ?? false,
+          TemporaryPasswordValidityDays: this.props.password?.temporaryPasswordValidity?.toDays() ?? 7
+        }
+      },
+      LambdaConfig: {
+        ...this.attr("PreAuthentication", this.props.events?.preLogin),
+        ...this.attr("PostAuthentication", this.props.events?.postLogin),
+        ...this.attr("PostConfirmation", this.props.events?.postRegister),
+        ...this.attr("PreSignUp", this.props.events?.preRegister),
+        ...this.attr("PreTokenGeneration", this.props.events?.preToken),
+        ...this.attr("CustomMessage", this.props.events?.customMessage),
+        ...this.attr("UserMigration", this.props.events?.userMigration),
+        ...this.attr("DefineAuthChallenge", this.props.events?.defineChallange),
+        ...this.attr("CreateAuthChallenge", this.props.events?.createChallange),
+        ...this.attr("VerifyAuthChallengeResponse", this.props.events?.verifyChallange)
+      }
+    };
+  }
+};
+
+// src/plugins/auth.ts
+var authPlugin = definePlugin({
+  name: "auth",
+  schema: z25.object({
+    defaults: z25.object({
+      /** Define the authenticatable users in your app.
+       * @example
+       * {
+       *   auth: {
+       *     AUTH_NAME: {
+       *       password: {
+       *         minLength: 10,
+       *       },
+       *       validity: {
+       *         refreshToken: '30 days',
+       *       }
+       *     }
+       *   }
+       * }
+       */
+      auth: z25.record(
+        ResourceIdSchema,
+        z25.object({
+          /** Specifies whether users can create an user account or if only the administrator can.
+           * @default true
+           */
+          allowUserRegistration: z25.boolean().default(true),
+          /** The username policy. */
+          username: z25.object({
+            /** Allow the user email to be used as username.
+             * @default true
+             */
+            emailAlias: z25.boolean().default(true),
+            /** Specifies whether username case sensitivity will be enabled.
+             * When usernames and email addresses are case insensitive,
+             * users can sign in as the same user when they enter a different capitalization of their user name.
+             * @default false
+             */
+            caseSensitive: z25.boolean().default(false)
+          }).default({}),
+          /** The password policy. */
+          password: z25.object({
+            /** Required users to have at least the minimum password length.
+             * @default 8
+             */
+            minLength: z25.number().int().min(6).max(99).default(8),
+            /** Required users to use at least one uppercase letter in their password.
+             * @default true
+             */
+            uppercase: z25.boolean().default(true),
+            /** Required users to use at least one lowercase letter in their password.
+             * @default true
+             */
+            lowercase: z25.boolean().default(true),
+            /** Required users to use at least one number in their password.
+             * @default true
+             */
+            numbers: z25.boolean().default(true),
+            /** Required users to use at least one symbol in their password.
+             * @default true
+             */
+            symbols: z25.boolean().default(true),
+            /** The duration a temporary password is valid.
+             * If the user doesn't sign in during this time, an administrator must reset their password.
+             * @default '7 days'
+             */
+            temporaryPasswordValidity: DurationSchema.default("7 days")
+          }).default({}),
+          /** Specifies the validity duration for every JWT token. */
+          validity: z25.object({
+            /** The ID token time limit.
+             * After this limit expires, your user can't use their ID token.
+             * @default '1 hour'
+             */
+            idToken: DurationSchema.default("1 hour"),
+            /** The access token time limit.
+             * After this limit expires, your user can't use their access token.
+             * @default '1 hour'
+             */
+            accessToken: DurationSchema.default("1 hour"),
+            /** The refresh token time limit.
+             * After this limit expires, your user can't use their refresh token.
+             * @default '365 days'
+             */
+            refreshToken: DurationSchema.default("365 days")
+          }).default({}),
+          /** Specifies the configuration for AWS Lambda triggers. */
+          events: z25.object({
+            /** A pre jwt token generation AWS Lambda trigger. */
+            preToken: FunctionSchema.optional(),
+            /** A pre user login AWS Lambda trigger. */
+            preLogin: FunctionSchema.optional(),
+            /** A post user login AWS Lambda trigger. */
+            postLogin: FunctionSchema.optional(),
+            /** A pre user register AWS Lambda trigger. */
+            preRegister: FunctionSchema.optional(),
+            /** A post user register AWS Lambda trigger. */
+            postRegister: FunctionSchema.optional(),
+            /** A custom message AWS Lambda trigger. */
+            customMessage: FunctionSchema.optional(),
+            /** Defines the authentication challenge. */
+            defineChallenge: FunctionSchema.optional(),
+            /** Creates an authentication challenge. */
+            createChallenge: FunctionSchema.optional(),
+            /** Verifies the authentication challenge response. */
+            verifyChallenge: FunctionSchema.optional()
+          }).optional()
+        })
+      ).default({})
+    }).default({})
+  }),
+  onTypeGen({ config }) {
+    const gen = new TypeGen("@awsless/awsless", "AuthResources");
+    for (const name of Object.keys(config.defaults.auth)) {
+      gen.addType(name, `{ readonly name: '${formatName(`${config.name}-${name}`)}' }`);
+    }
+    return gen.toString();
+  },
+  onApp(ctx) {
+    const { config, bootstrap: bootstrap2, bind } = ctx;
+    for (const [id, props] of Object.entries(config.defaults.auth)) {
+      const functions = /* @__PURE__ */ new Map();
+      const events = {};
+      for (const [event, fnProps] of Object.entries(props.events ?? {})) {
+        const lambda = toLambdaFunction(ctx, `auth-${id}-${event}`, fnProps);
+        functions.set(event, lambda);
+        events[event] = lambda.arn;
+      }
+      const userPool = new UserPool(id, {
+        name: `${config.name}-${id}`,
+        allowUserRegistration: props.allowUserRegistration,
+        username: props.username,
+        password: props.password,
+        events
+      });
+      const client = userPool.addClient({
+        name: `${config.name}-${id}`,
+        validity: props.validity,
+        generateSecret: true,
+        supportedIdentityProviders: ["cognito"],
+        authFlows: {
+          userSrp: true
+        }
+      });
+      const domain = userPool.addDomain({
+        domain: `${config.name}-${id}`
+      });
+      bootstrap2.add(userPool).export(`auth-${id}-user-pool-arn`, userPool.arn).export(`auth-${id}-user-pool-id`, userPool.id).export(`auth-${id}-client-id`, client.id).export(`auth-${id}-domain`, domain.domain);
+      for (const [event, lambda] of functions) {
+        const permission = new Permission(`auth-${id}-${event}`, {
+          action: "lambda:InvokeFunction",
+          principal: "cognito-idp.amazonaws.com",
+          functionArn: lambda.arn,
+          sourceArn: userPool.arn
+        }).dependsOn(lambda);
+        bootstrap2.add(
+          lambda,
+          permission
+        );
+      }
+    }
+    bind((lambda) => {
+      lambda.addPermissions({
+        actions: ["cognito:*"],
+        resources: ["*"]
+      });
+    });
+  }
+});
+
 // src/plugins/index.ts
 var defaultPlugins = [
   extendPlugin,
@@ -5390,6 +5907,7 @@ var defaultPlugins = [
   topicPlugin,
   pubsubPlugin,
   searchPlugin,
+  authPlugin,
   graphqlPlugin,
   httpPlugin,
   restPlugin,
@@ -5546,17 +6064,17 @@ var getCredentials = (profile) => {
 };
 
 // src/schema/app.ts
-import { z as z28 } from "zod";
+import { z as z29 } from "zod";
 
 // src/schema/stack.ts
-import { z as z25 } from "zod";
-var StackSchema = z25.object({
+import { z as z26 } from "zod";
+var StackSchema = z26.object({
   name: ResourceIdSchema,
-  depends: z25.array(z25.lazy(() => StackSchema)).optional()
+  depends: z26.array(z26.lazy(() => StackSchema)).optional()
 });
 
 // src/schema/region.ts
-import { z as z26 } from "zod";
+import { z as z27 } from "zod";
 var US = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"];
 var AF = ["af-south-1"];
 var AP = ["ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4", "ap-south-1", "ap-northeast-3", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1"];
@@ -5573,41 +6091,41 @@ var regions = [
   ...ME,
   ...SA
 ];
-var RegionSchema = z26.enum(regions);
+var RegionSchema = z27.enum(regions);
 
 // src/schema/plugin.ts
-import { z as z27 } from "zod";
-var PluginSchema = z27.object({
-  name: z27.string(),
-  schema: z27.custom().optional(),
+import { z as z28 } from "zod";
+var PluginSchema = z28.object({
+  name: z28.string(),
+  schema: z28.custom().optional(),
   // depends: z.array(z.lazy(() => PluginSchema)).optional(),
-  onApp: z27.function().returns(z27.void()).optional(),
-  onStack: z27.function().returns(z27.any()).optional(),
-  onResource: z27.function().returns(z27.any()).optional()
+  onApp: z28.function().returns(z28.void()).optional(),
+  onStack: z28.function().returns(z28.any()).optional(),
+  onResource: z28.function().returns(z28.any()).optional()
   // bind: z.function().optional(),
 });
 
 // src/schema/app.ts
-var AppSchema = z28.object({
+var AppSchema = z29.object({
   /** App name */
   name: ResourceIdSchema,
   /** The AWS region to deploy to. */
   region: RegionSchema,
   /** The AWS profile to deploy to. */
-  profile: z28.string(),
+  profile: z29.string(),
   /** The deployment stage.
    * @default 'prod'
    */
-  stage: z28.string().regex(/^[a-z]+$/).default("prod"),
+  stage: z29.string().regex(/^[a-z]+$/).default("prod"),
   /** Default properties. */
-  defaults: z28.object({}).default({}),
+  defaults: z29.object({}).default({}),
   /** The application stacks. */
-  stacks: z28.array(StackSchema).min(1).refine((stacks) => {
+  stacks: z29.array(StackSchema).min(1).refine((stacks) => {
     const unique = new Set(stacks.map((stack) => stack.name));
     return unique.size === stacks.length;
   }, "Must be an array of unique stacks"),
   /** Custom plugins. */
-  plugins: z28.array(PluginSchema).optional()
+  plugins: z29.array(PluginSchema).optional()
 });
 
 // src/util/import.ts
@@ -5704,7 +6222,7 @@ var watchFile = (path) => {
 };
 
 // src/config.ts
-import { z as z29 } from "zod";
+import { z as z30 } from "zod";
 var ConfigError = class extends Error {
   constructor(error, data) {
     super(error.message);
@@ -5737,7 +6255,7 @@ var importConfig = async (options) => {
   try {
     config = await schema2.parseAsync(appConfig);
   } catch (error) {
-    if (error instanceof z29.ZodError) {
+    if (error instanceof z30.ZodError) {
       throw new ConfigError(error, appConfig);
     }
     throw error;
@@ -5778,7 +6296,7 @@ var watchConfig = async function* (options) {
     try {
       config = await schema2.parseAsync(appConfig);
     } catch (error) {
-      if (error instanceof z29.ZodError) {
+      if (error instanceof z30.ZodError) {
         throw new ConfigError(error, appConfig);
       }
       throw error;