@de-otio/trellis 0.6.0 → 0.7.0
- package/dist/env.d.ts +21 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +12 -0
- package/dist/env.js.map +1 -1
- package/dist/lambda/nightly-cron.d.ts.map +1 -1
- package/dist/lambda/nightly-cron.js +5 -2
- package/dist/lambda/nightly-cron.js.map +1 -1
- package/dist/lambda/post-confirmation.d.ts +30 -0
- package/dist/lambda/post-confirmation.d.ts.map +1 -1
- package/dist/lambda/post-confirmation.js +333 -29
- package/dist/lambda/post-confirmation.js.map +1 -1
- package/dist/lambda/pre-token-generation.d.ts +20 -0
- package/dist/lambda/pre-token-generation.d.ts.map +1 -1
- package/dist/lambda/pre-token-generation.js +233 -48
- package/dist/lambda/pre-token-generation.js.map +1 -1
- package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
- package/dist/lib/activitypub/activity-processor.js +2 -1
- package/dist/lib/activitypub/activity-processor.js.map +1 -1
- package/dist/lib/activitypub/group-service.d.ts +2 -2
- package/dist/lib/activitypub/group-service.d.ts.map +1 -1
- package/dist/lib/activitypub/group-service.js +5 -2
- package/dist/lib/activitypub/group-service.js.map +1 -1
- package/dist/lib/age-tier-transition.d.ts.map +1 -1
- package/dist/lib/age-tier-transition.js +19 -10
- package/dist/lib/age-tier-transition.js.map +1 -1
- package/dist/lib/audit/csv-export.d.ts +25 -0
- package/dist/lib/audit/csv-export.d.ts.map +1 -0
- package/dist/lib/audit/csv-export.js +54 -0
- package/dist/lib/audit/csv-export.js.map +1 -0
- package/dist/lib/audit/emit.d.ts +56 -0
- package/dist/lib/audit/emit.d.ts.map +1 -0
- package/dist/lib/audit/emit.js +124 -0
- package/dist/lib/audit/emit.js.map +1 -0
- package/dist/lib/audit/event-types.d.ts +36 -0
- package/dist/lib/audit/event-types.d.ts.map +1 -0
- package/dist/lib/audit/event-types.js +69 -0
- package/dist/lib/audit/event-types.js.map +1 -0
- package/dist/lib/audit/pii-filter.d.ts +22 -0
- package/dist/lib/audit/pii-filter.d.ts.map +1 -0
- package/dist/lib/audit/pii-filter.js +51 -0
- package/dist/lib/audit/pii-filter.js.map +1 -0
- package/dist/lib/audit-logger.js +1 -1
- package/dist/lib/audit-logger.js.map +1 -1
- package/dist/lib/auth/auth-context.d.ts +34 -0
- package/dist/lib/auth/auth-context.d.ts.map +1 -0
- package/dist/lib/auth/auth-context.js +10 -0
- package/dist/lib/auth/auth-context.js.map +1 -0
- package/dist/lib/auth/auth-middleware.d.ts +50 -0
- package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
- package/dist/lib/auth/auth-middleware.js +153 -0
- package/dist/lib/auth/auth-middleware.js.map +1 -0
- package/dist/lib/auth/capabilities.d.ts +40 -0
- package/dist/lib/auth/capabilities.d.ts.map +1 -0
- package/dist/lib/auth/capabilities.js +44 -0
- package/dist/lib/auth/capabilities.js.map +1 -0
- package/dist/lib/auth/claims-cache.d.ts +70 -0
- package/dist/lib/auth/claims-cache.d.ts.map +1 -0
- package/dist/lib/auth/claims-cache.js +139 -0
- package/dist/lib/auth/claims-cache.js.map +1 -0
- package/dist/lib/auth/cognito-jwt.d.ts +6 -0
- package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
- package/dist/lib/auth/cognito-jwt.js.map +1 -1
- package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
- package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
- package/dist/lib/auth/idp-redirect-builder.js +48 -0
- package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
- package/dist/lib/auth/require.d.ts +51 -0
- package/dist/lib/auth/require.d.ts.map +1 -0
- package/dist/lib/auth/require.js +99 -0
- package/dist/lib/auth/require.js.map +1 -0
- package/dist/lib/auth/role-grants.d.ts +18 -0
- package/dist/lib/auth/role-grants.d.ts.map +1 -0
- package/dist/lib/auth/role-grants.js +62 -0
- package/dist/lib/auth/role-grants.js.map +1 -0
- package/dist/lib/cognito/idp-sdk.d.ts +80 -0
- package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
- package/dist/lib/cognito/idp-sdk.js +186 -0
- package/dist/lib/cognito/idp-sdk.js.map +1 -0
- package/dist/lib/cognito/issuer-probe.d.ts +47 -0
- package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
- package/dist/lib/cognito/issuer-probe.js +319 -0
- package/dist/lib/cognito/issuer-probe.js.map +1 -0
- package/dist/lib/comment-handler.d.ts +7 -7
- package/dist/lib/comment-handler.d.ts.map +1 -1
- package/dist/lib/comment-handler.js +23 -20
- package/dist/lib/comment-handler.js.map +1 -1
- package/dist/lib/compliance/baseline.d.ts +15 -0
- package/dist/lib/compliance/baseline.d.ts.map +1 -0
- package/dist/lib/compliance/baseline.js +205 -0
- package/dist/lib/compliance/baseline.js.map +1 -0
- package/dist/lib/compliance/tenant-merge.d.ts +35 -0
- package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
- package/dist/lib/compliance/tenant-merge.js +80 -0
- package/dist/lib/compliance/tenant-merge.js.map +1 -0
- package/dist/lib/compliance/types.d.ts +135 -0
- package/dist/lib/compliance/types.d.ts.map +1 -0
- package/dist/lib/compliance/types.js +9 -0
- package/dist/lib/compliance/types.js.map +1 -0
- package/dist/lib/connection-code-handler.d.ts +4 -4
- package/dist/lib/connection-code-handler.d.ts.map +1 -1
- package/dist/lib/connection-code-handler.js +21 -11
- package/dist/lib/connection-code-handler.js.map +1 -1
- package/dist/lib/feed-handler.d.ts +2 -2
- package/dist/lib/feed-handler.d.ts.map +1 -1
- package/dist/lib/feed-handler.js +5 -9
- package/dist/lib/feed-handler.js.map +1 -1
- package/dist/lib/middleware/idempotency-store.d.ts +86 -0
- package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency-store.js +109 -0
- package/dist/lib/middleware/idempotency-store.js.map +1 -0
- package/dist/lib/middleware/idempotency.d.ts +37 -0
- package/dist/lib/middleware/idempotency.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency.js +358 -0
- package/dist/lib/middleware/idempotency.js.map +1 -0
- package/dist/lib/net/trusted-client-ip.d.ts +39 -0
- package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
- package/dist/lib/net/trusted-client-ip.js +100 -0
- package/dist/lib/net/trusted-client-ip.js.map +1 -0
- package/dist/lib/notification-handler.d.ts +5 -5
- package/dist/lib/notification-handler.d.ts.map +1 -1
- package/dist/lib/notification-handler.js +11 -9
- package/dist/lib/notification-handler.js.map +1 -1
- package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
- package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
- package/dist/lib/oauth/cognito-issuer.js +53 -0
- package/dist/lib/oauth/cognito-issuer.js.map +1 -0
- package/dist/lib/oauth/device-authorization.d.ts +145 -0
- package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
- package/dist/lib/oauth/device-authorization.js +312 -0
- package/dist/lib/oauth/device-authorization.js.map +1 -0
- package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
- package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
- package/dist/lib/oauth/envelope-crypto.js +223 -0
- package/dist/lib/oauth/envelope-crypto.js.map +1 -0
- package/dist/lib/oauth/refresh-detection.d.ts +126 -0
- package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
- package/dist/lib/oauth/refresh-detection.js +248 -0
- package/dist/lib/oauth/refresh-detection.js.map +1 -0
- package/dist/lib/openapi/generator.d.ts +78 -0
- package/dist/lib/openapi/generator.d.ts.map +1 -0
- package/dist/lib/openapi/generator.js +201 -0
- package/dist/lib/openapi/generator.js.map +1 -0
- package/dist/lib/post-handler.d.ts +1 -1
- package/dist/lib/post-handler.d.ts.map +1 -1
- package/dist/lib/post-handler.js +4 -15
- package/dist/lib/post-handler.js.map +1 -1
- package/dist/lib/rate-limit.d.ts.map +1 -1
- package/dist/lib/rate-limit.js +11 -3
- package/dist/lib/rate-limit.js.map +1 -1
- package/dist/lib/routes/agent-authorize.d.ts +32 -0
- package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
- package/dist/lib/routes/agent-authorize.js +479 -0
- package/dist/lib/routes/agent-authorize.js.map +1 -0
- package/dist/lib/routes/agent-sessions.d.ts +20 -0
- package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
- package/dist/lib/routes/agent-sessions.js +124 -0
- package/dist/lib/routes/agent-sessions.js.map +1 -0
- package/dist/lib/routes/agent-surface.d.ts +37 -0
- package/dist/lib/routes/agent-surface.d.ts.map +1 -0
- package/dist/lib/routes/agent-surface.js +208 -0
- package/dist/lib/routes/agent-surface.js.map +1 -0
- package/dist/lib/routes/auth-discover.d.ts +18 -0
- package/dist/lib/routes/auth-discover.d.ts.map +1 -0
- package/dist/lib/routes/auth-discover.js +177 -0
- package/dist/lib/routes/auth-discover.js.map +1 -0
- package/dist/lib/routes/comments.d.ts.map +1 -1
- package/dist/lib/routes/comments.js +36 -7
- package/dist/lib/routes/comments.js.map +1 -1
- package/dist/lib/routes/connection-codes.d.ts.map +1 -1
- package/dist/lib/routes/connection-codes.js +21 -4
- package/dist/lib/routes/connection-codes.js.map +1 -1
- package/dist/lib/routes/content-discovery.d.ts.map +1 -1
- package/dist/lib/routes/content-discovery.js +18 -13
- package/dist/lib/routes/content-discovery.js.map +1 -1
- package/dist/lib/routes/dashboard.js +1 -1
- package/dist/lib/routes/dashboard.js.map +1 -1
- package/dist/lib/routes/employees.d.ts.map +1 -1
- package/dist/lib/routes/employees.js +57 -15
- package/dist/lib/routes/employees.js.map +1 -1
- package/dist/lib/routes/entities.d.ts.map +1 -1
- package/dist/lib/routes/entities.js +35 -19
- package/dist/lib/routes/entities.js.map +1 -1
- package/dist/lib/routes/errors.d.ts +34 -0
- package/dist/lib/routes/errors.d.ts.map +1 -0
- package/dist/lib/routes/errors.js +57 -0
- package/dist/lib/routes/errors.js.map +1 -0
- package/dist/lib/routes/feeds.d.ts.map +1 -1
- package/dist/lib/routes/feeds.js +12 -2
- package/dist/lib/routes/feeds.js.map +1 -1
- package/dist/lib/routes/index.d.ts.map +1 -1
- package/dist/lib/routes/index.js +50 -0
- package/dist/lib/routes/index.js.map +1 -1
- package/dist/lib/routes/mfa.d.ts.map +1 -1
- package/dist/lib/routes/mfa.js +1 -0
- package/dist/lib/routes/mfa.js.map +1 -1
- package/dist/lib/routes/notifications.d.ts.map +1 -1
- package/dist/lib/routes/notifications.js +21 -4
- package/dist/lib/routes/notifications.js.map +1 -1
- package/dist/lib/routes/oauth.d.ts +15 -0
- package/dist/lib/routes/oauth.d.ts.map +1 -0
- package/dist/lib/routes/oauth.js +139 -0
- package/dist/lib/routes/oauth.js.map +1 -0
- package/dist/lib/routes/posts.d.ts.map +1 -1
- package/dist/lib/routes/posts.js +30 -19
- package/dist/lib/routes/posts.js.map +1 -1
- package/dist/lib/routes/products.d.ts.map +1 -1
- package/dist/lib/routes/products.js +19 -22
- package/dist/lib/routes/products.js.map +1 -1
- package/dist/lib/routes/setup-status.d.ts +34 -0
- package/dist/lib/routes/setup-status.d.ts.map +1 -0
- package/dist/lib/routes/setup-status.js +87 -0
- package/dist/lib/routes/setup-status.js.map +1 -0
- package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy-analytics.js +15 -14
- package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
- package/dist/lib/routes/taxonomy.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy.js +19 -16
- package/dist/lib/routes/taxonomy.js.map +1 -1
- package/dist/lib/routes/tenant-audit.d.ts +19 -0
- package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
- package/dist/lib/routes/tenant-audit.js +244 -0
- package/dist/lib/routes/tenant-audit.js.map +1 -0
- package/dist/lib/routes/tenant-compliance.d.ts +21 -0
- package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
- package/dist/lib/routes/tenant-compliance.js +122 -0
- package/dist/lib/routes/tenant-compliance.js.map +1 -0
- package/dist/lib/routes/tenant-domains.d.ts +11 -0
- package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
- package/dist/lib/routes/tenant-domains.js +95 -0
- package/dist/lib/routes/tenant-domains.js.map +1 -0
- package/dist/lib/routes/tenant-idp.d.ts +3 -0
- package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
- package/dist/lib/routes/tenant-idp.js +89 -0
- package/dist/lib/routes/tenant-idp.js.map +1 -0
- package/dist/lib/routes/tenant-members.d.ts +13 -0
- package/dist/lib/routes/tenant-members.d.ts.map +1 -0
- package/dist/lib/routes/tenant-members.js +75 -0
- package/dist/lib/routes/tenant-members.js.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.js +90 -0
- package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
- package/dist/lib/routes/tenants.d.ts +13 -0
- package/dist/lib/routes/tenants.d.ts.map +1 -0
- package/dist/lib/routes/tenants.js +121 -0
- package/dist/lib/routes/tenants.js.map +1 -0
- package/dist/lib/routes/types.d.ts +9 -0
- package/dist/lib/routes/types.d.ts.map +1 -1
- package/dist/lib/schemas.d.ts +2 -2
- package/dist/lib/secrets/idp-secrets.d.ts +51 -0
- package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
- package/dist/lib/secrets/idp-secrets.js +111 -0
- package/dist/lib/secrets/idp-secrets.js.map +1 -0
- package/dist/lib/security-monitor.d.ts.map +1 -1
- package/dist/lib/security-monitor.js +6 -1
- package/dist/lib/security-monitor.js.map +1 -1
- package/dist/lib/session-manager.d.ts +1 -0
- package/dist/lib/session-manager.d.ts.map +1 -1
- package/dist/lib/session-manager.js.map +1 -1
- package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
- package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
- package/dist/lib/taxonomy-handler-factory.js +8 -7
- package/dist/lib/taxonomy-handler-factory.js.map +1 -1
- package/dist/lib/tenant/audit-emit.d.ts +18 -0
- package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
- package/dist/lib/tenant/audit-emit.js +16 -0
- package/dist/lib/tenant/audit-emit.js.map +1 -0
- package/dist/lib/tenant/derive-domain.d.ts +19 -0
- package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
- package/dist/lib/tenant/derive-domain.js +38 -0
- package/dist/lib/tenant/derive-domain.js.map +1 -0
- package/dist/lib/tenant/domain-handler.d.ts +42 -0
- package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
- package/dist/lib/tenant/domain-handler.js +344 -0
- package/dist/lib/tenant/domain-handler.js.map +1 -0
- package/dist/lib/tenant/domain-validator.d.ts +28 -0
- package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
- package/dist/lib/tenant/domain-validator.js +145 -0
- package/dist/lib/tenant/domain-validator.js.map +1 -0
- package/dist/lib/tenant/domain-verifier.d.ts +30 -0
- package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
- package/dist/lib/tenant/domain-verifier.js +53 -0
- package/dist/lib/tenant/domain-verifier.js.map +1 -0
- package/dist/lib/tenant/idp-handler.d.ts +29 -0
- package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
- package/dist/lib/tenant/idp-handler.js +693 -0
- package/dist/lib/tenant/idp-handler.js.map +1 -0
- package/dist/lib/tenant/idp-name.d.ts +2 -0
- package/dist/lib/tenant/idp-name.d.ts.map +1 -0
- package/dist/lib/tenant/idp-name.js +20 -0
- package/dist/lib/tenant/idp-name.js.map +1 -0
- package/dist/lib/tenant/member-handler.d.ts +31 -0
- package/dist/lib/tenant/member-handler.d.ts.map +1 -0
- package/dist/lib/tenant/member-handler.js +343 -0
- package/dist/lib/tenant/member-handler.js.map +1 -0
- package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
- package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
- package/dist/lib/tenant/reserved-slugs.js +116 -0
- package/dist/lib/tenant/reserved-slugs.js.map +1 -0
- package/dist/lib/tenant/resolve-role.d.ts +39 -0
- package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
- package/dist/lib/tenant/resolve-role.js +60 -0
- package/dist/lib/tenant/resolve-role.js.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.js +260 -0
- package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
- package/dist/lib/tenant/setup-status.d.ts +83 -0
- package/dist/lib/tenant/setup-status.d.ts.map +1 -0
- package/dist/lib/tenant/setup-status.js +201 -0
- package/dist/lib/tenant/setup-status.js.map +1 -0
- package/dist/lib/tenant/slug-validator.d.ts +31 -0
- package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
- package/dist/lib/tenant/slug-validator.js +42 -0
- package/dist/lib/tenant/slug-validator.js.map +1 -0
- package/dist/lib/tenant/tenant-handler.d.ts +49 -0
- package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
- package/dist/lib/tenant/tenant-handler.js +377 -0
- package/dist/lib/tenant/tenant-handler.js.map +1 -0
- package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
- package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
- package/dist/lib/tenant/transfer-ownership.js +66 -0
- package/dist/lib/tenant/transfer-ownership.js.map +1 -0
- package/dist/lib/user/derive-handle.d.ts +29 -0
- package/dist/lib/user/derive-handle.d.ts.map +1 -0
- package/dist/lib/user/derive-handle.js +65 -0
- package/dist/lib/user/derive-handle.js.map +1 -0
- package/dist/lib/user-deprovisioning.d.ts +11 -1
- package/dist/lib/user-deprovisioning.d.ts.map +1 -1
- package/dist/lib/user-deprovisioning.js +46 -2
- package/dist/lib/user-deprovisioning.js.map +1 -1
- package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
- package/package.json +6 -3
- package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
- package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
- package/prisma/schema.prisma +324 -74
- package/src/lambda/nightly-cron.ts +4 -1
- package/src/lambda/post-confirmation.ts +405 -29
- package/src/lambda/pre-token-generation.ts +300 -59
|
@@ -1,93 +1,334 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
1
|
+
/**
|
|
2
|
+
* Cognito PreTokenGeneration trigger (V2 access-token override).
|
|
3
|
+
*
|
|
4
|
+
* Runs on every token issuance and refresh. Responsibilities:
|
|
5
|
+
* 1. Read the cached claims from DynamoDB.
|
|
6
|
+
* 2. On miss: load from RDS (User + active TenantMember + Tenant slug).
|
|
7
|
+
* 3. For federated users: re-resolve the tenant role from the current
|
|
8
|
+
* `custom:idpGroups` against `TenantRoleMapping`. This catches admin-side
|
|
9
|
+
* group changes within the access-token TTL.
|
|
10
|
+
* 4. Write the (possibly refreshed) claims back to DDB.
|
|
11
|
+
* 5. Override the access-token claims via the V2 response shape.
|
|
12
|
+
*
|
|
13
|
+
* Failure modes:
|
|
14
|
+
* - User row missing (drift after RDS restore): return minimal claims —
|
|
15
|
+
* the API responds 403 to tenant-scoped endpoints, never a 500 at sign-in.
|
|
16
|
+
* - DDB or RDS error: bubble up; Cognito treats the issuance as failed.
|
|
17
|
+
*
|
|
18
|
+
* No PII is logged. We log counts and decisions ("cache_hit", "drift",
|
|
19
|
+
* "role_refreshed") and the opaque cognitoSub.
|
|
20
|
+
*/
|
|
6
21
|
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
22
|
+
import type {
|
|
23
|
+
PreTokenGenerationV2TriggerEvent,
|
|
24
|
+
PreTokenGenerationV2TriggerHandler,
|
|
25
|
+
} from "aws-lambda";
|
|
26
|
+
import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";
|
|
27
|
+
import { PrismaClient, type TenantRole } from "@prisma/client";
|
|
28
|
+
import {
|
|
29
|
+
ClaimsCache,
|
|
30
|
+
createClaimsCacheFromEnv,
|
|
31
|
+
DEFAULT_CACHE_TTL_SECONDS,
|
|
32
|
+
type CachedClaims,
|
|
33
|
+
} from "../lib/auth/claims-cache";
|
|
34
|
+
import { resolveTenantRole, type RoleMappingInput } from "../lib/tenant/resolve-role";
|
|
10
35
|
|
|
11
36
|
const secretsClient = new SecretsManagerClient({ region: process.env.AWS_REGION });
|
|
12
37
|
let prisma: PrismaClient | null = null;
|
|
38
|
+
let cache: ClaimsCache | null = null;
|
|
13
39
|
|
|
14
40
|
async function getPrisma(): Promise<PrismaClient> {
|
|
15
41
|
if (prisma) return prisma;
|
|
16
|
-
const secret = await secretsClient.send(
|
|
42
|
+
const secret = await secretsClient.send(
|
|
43
|
+
new GetSecretValueCommand({ SecretId: process.env.DB_SECRET_ARN! }),
|
|
44
|
+
);
|
|
17
45
|
const { username, password, host, port, dbname } = JSON.parse(secret.SecretString!);
|
|
18
46
|
prisma = new PrismaClient({
|
|
19
|
-
datasources: {
|
|
47
|
+
datasources: {
|
|
48
|
+
db: {
|
|
49
|
+
url: `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${dbname}?connection_limit=1`,
|
|
50
|
+
},
|
|
51
|
+
},
|
|
20
52
|
});
|
|
21
53
|
return prisma;
|
|
22
54
|
}
|
|
23
55
|
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
handle: string;
|
|
56
|
+
function getCache(): ClaimsCache {
|
|
57
|
+
if (!cache) cache = createClaimsCacheFromEnv();
|
|
58
|
+
return cache;
|
|
28
59
|
}
|
|
29
60
|
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
61
|
+
const DRIFT_CLAIMS: CachedClaims = {
|
|
62
|
+
userId: "",
|
|
63
|
+
globalRole: "",
|
|
64
|
+
activeTenantId: "",
|
|
65
|
+
tenantSlug: "",
|
|
66
|
+
tenantRole: "",
|
|
67
|
+
handle: "",
|
|
68
|
+
};
|
|
69
|
+
|
|
70
|
+
function parseIdpGroups(raw: string | undefined | null): string[] {
|
|
71
|
+
if (!raw) return [];
|
|
72
|
+
return raw
|
|
73
|
+
.split(/[,;]+/)
|
|
74
|
+
.map((s) => s.trim())
|
|
75
|
+
.filter(Boolean);
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
function isFederatedEvent(event: PreTokenGenerationV2TriggerEvent): boolean {
|
|
79
|
+
const identitiesRaw = event.request.userAttributes["identities"];
|
|
80
|
+
if (!identitiesRaw) return false;
|
|
81
|
+
try {
|
|
82
|
+
const parsed = JSON.parse(identitiesRaw);
|
|
83
|
+
return Array.isArray(parsed) && parsed.length > 0;
|
|
84
|
+
} catch {
|
|
85
|
+
return false;
|
|
42
86
|
}
|
|
87
|
+
}
|
|
43
88
|
|
|
44
|
-
|
|
45
|
-
|
|
89
|
+
interface RdsClaimsLoad {
|
|
90
|
+
user: {
|
|
91
|
+
id: string;
|
|
92
|
+
role: string;
|
|
93
|
+
handle: string | null;
|
|
94
|
+
suspended: boolean;
|
|
95
|
+
suspendedAt: Date | null;
|
|
96
|
+
} | null;
|
|
97
|
+
activeMembership: {
|
|
98
|
+
tenantId: string;
|
|
99
|
+
role: TenantRole;
|
|
100
|
+
tenant: { slug: string; status: string };
|
|
101
|
+
} | null;
|
|
102
|
+
}
|
|
103
|
+
|
|
104
|
+
async function loadFromRds(
|
|
105
|
+
db: PrismaClient,
|
|
106
|
+
cognitoSub: string,
|
|
107
|
+
preferOrgTenant: boolean,
|
|
108
|
+
preferredTenantId: string | null,
|
|
109
|
+
): Promise<RdsClaimsLoad> {
|
|
46
110
|
const user = await db.user.findUnique({
|
|
47
111
|
where: { cognitoSub },
|
|
48
|
-
select: {
|
|
112
|
+
select: {
|
|
113
|
+
id: true,
|
|
114
|
+
role: true,
|
|
115
|
+
handle: true,
|
|
116
|
+
suspended: true,
|
|
117
|
+
suspendedAt: true,
|
|
118
|
+
personalTenantId: true,
|
|
119
|
+
},
|
|
49
120
|
});
|
|
121
|
+
if (!user) return { user: null, activeMembership: null };
|
|
50
122
|
|
|
51
|
-
|
|
123
|
+
const memberships = await db.tenantMember.findMany({
|
|
124
|
+
where: { userId: user.id, status: "ACTIVE" },
|
|
125
|
+
include: { tenant: { select: { id: true, slug: true, status: true, type: true } } },
|
|
126
|
+
});
|
|
52
127
|
|
|
53
|
-
//
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
128
|
+
// Honor an explicit user choice (from a prior switch-tenant call) above
|
|
129
|
+
// any heuristic, provided the membership is still active.
|
|
130
|
+
let active = preferredTenantId
|
|
131
|
+
? memberships.find(
|
|
132
|
+
(m) => m.tenant.id === preferredTenantId && m.tenant.status === "ACTIVE",
|
|
133
|
+
)
|
|
134
|
+
: undefined;
|
|
135
|
+
if (!active) {
|
|
136
|
+
active = memberships.find(
|
|
137
|
+
(m) =>
|
|
138
|
+
preferOrgTenant && m.tenant.type === "ORGANIZATION" && m.tenant.status === "ACTIVE",
|
|
139
|
+
);
|
|
140
|
+
}
|
|
141
|
+
if (!active) {
|
|
142
|
+
active = memberships.find(
|
|
143
|
+
(m) => m.tenant.id === user.personalTenantId && m.tenant.status === "ACTIVE",
|
|
144
|
+
);
|
|
145
|
+
}
|
|
146
|
+
if (!active) {
|
|
147
|
+
active = memberships.find((m) => m.tenant.status === "ACTIVE");
|
|
57
148
|
}
|
|
58
149
|
|
|
59
|
-
|
|
150
|
+
return {
|
|
151
|
+
user: {
|
|
152
|
+
id: user.id,
|
|
153
|
+
role: user.role,
|
|
154
|
+
handle: user.handle,
|
|
155
|
+
suspended: user.suspended,
|
|
156
|
+
suspendedAt: user.suspendedAt,
|
|
157
|
+
},
|
|
158
|
+
activeMembership: active
|
|
159
|
+
? {
|
|
160
|
+
tenantId: active.tenantId,
|
|
161
|
+
role: active.role,
|
|
162
|
+
tenant: { slug: active.tenant.slug, status: active.tenant.status },
|
|
163
|
+
}
|
|
164
|
+
: null,
|
|
165
|
+
};
|
|
166
|
+
}
|
|
60
167
|
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
}
|
|
70
|
-
})
|
|
168
|
+
async function maybeRefreshFederatedRole(
|
|
169
|
+
db: PrismaClient,
|
|
170
|
+
tenantId: string,
|
|
171
|
+
idpGroups: string[],
|
|
172
|
+
currentRole: string,
|
|
173
|
+
): Promise<TenantRole | null> {
|
|
174
|
+
const mappings = await db.tenantRoleMapping.findMany({
|
|
175
|
+
where: { tenantId },
|
|
176
|
+
select: { idpGroupName: true, tenantRole: true, priority: true },
|
|
177
|
+
});
|
|
178
|
+
const idp = await db.tenantIdentityProvider.findUnique({
|
|
179
|
+
where: { tenantId },
|
|
180
|
+
select: { defaultRole: true, status: true },
|
|
181
|
+
});
|
|
182
|
+
if (!idp || idp.status !== "ACTIVE") return null;
|
|
71
183
|
|
|
72
|
-
|
|
184
|
+
const resolved = resolveTenantRole(
|
|
185
|
+
idpGroups,
|
|
186
|
+
mappings as RoleMappingInput[],
|
|
187
|
+
idp.defaultRole,
|
|
188
|
+
);
|
|
189
|
+
if (!resolved || resolved === currentRole) return null;
|
|
190
|
+
return resolved;
|
|
73
191
|
}
|
|
74
192
|
|
|
75
193
|
export const handler: PreTokenGenerationV2TriggerHandler = async (event) => {
|
|
76
|
-
const
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
194
|
+
const cognitoSub = event.userName;
|
|
195
|
+
const claimsCache = getCache();
|
|
196
|
+
const federated = isFederatedEvent(event);
|
|
197
|
+
const idpGroups = parseIdpGroups(event.request.userAttributes["custom:idpGroups"]);
|
|
198
|
+
|
|
199
|
+
// Cache hits skip the user-suspension and tenant-status checks below
|
|
200
|
+
// (RDS is only consulted on miss). The mitigation is *active invalidation*:
|
|
201
|
+
// - User suspension paths MUST call `claimsCache.invalidate(cognitoSub)`.
|
|
202
|
+
// - TODO(T3): tenant-suspension API must invalidate caches for all members.
|
|
203
|
+
// Without invalidation, suspended users keep valid claims for up to one
|
|
204
|
+
// cache TTL (DEFAULT_CACHE_TTL_SECONDS = 3600s). Tracked as G2 finding H3.
|
|
205
|
+
let claims = await claimsCache.get(cognitoSub);
|
|
206
|
+
let cacheHit = !!claims;
|
|
207
|
+
|
|
208
|
+
if (!claims) {
|
|
209
|
+
const db = await getPrisma();
|
|
210
|
+
// Read the user's last explicit tenant preference, even from an expired
|
|
211
|
+
// cache row, so an admin-side switch-tenant call survives cache TTL.
|
|
212
|
+
let preferredTenantId: string | null = null;
|
|
213
|
+
try {
|
|
214
|
+
preferredTenantId = await claimsCache.getActiveTenantPreference(cognitoSub);
|
|
215
|
+
} catch (err) {
|
|
216
|
+
console.warn(
|
|
217
|
+
JSON.stringify({
|
|
218
|
+
event: "pretoken.preference_lookup_failed",
|
|
219
|
+
cognitoSub,
|
|
220
|
+
error: (err as { code?: string })?.code ?? "unknown",
|
|
221
|
+
}),
|
|
222
|
+
);
|
|
223
|
+
}
|
|
224
|
+
const loaded = await loadFromRds(db, cognitoSub, federated, preferredTenantId);
|
|
225
|
+
|
|
226
|
+
if (!loaded.user) {
|
|
227
|
+
console.warn(JSON.stringify({ event: "pretoken.drift", cognitoSub }));
|
|
228
|
+
claims = { ...DRIFT_CLAIMS };
|
|
229
|
+
writeAccessTokenClaims(event, claims);
|
|
230
|
+
return event;
|
|
231
|
+
}
|
|
232
|
+
|
|
233
|
+
// `suspended` is the authoritative flag set by user-deprovisioning + admin
|
|
234
|
+
// dashboard; `suspendedAt` is the timestamp of the action (always a past
|
|
235
|
+
// value when present). Treat either signal as suspension. Defense-in-depth:
|
|
236
|
+
// even if a writer forgets one column, the other still blocks issuance.
|
|
237
|
+
if (loaded.user.suspended || loaded.user.suspendedAt !== null) {
|
|
238
|
+
console.warn(JSON.stringify({ event: "pretoken.suspended", cognitoSub }));
|
|
239
|
+
claims = { ...DRIFT_CLAIMS };
|
|
240
|
+
writeAccessTokenClaims(event, claims);
|
|
241
|
+
return event;
|
|
242
|
+
}
|
|
243
|
+
|
|
244
|
+
claims = {
|
|
245
|
+
userId: loaded.user.id,
|
|
246
|
+
globalRole: loaded.user.role,
|
|
247
|
+
activeTenantId: loaded.activeMembership?.tenantId ?? "",
|
|
248
|
+
tenantSlug: loaded.activeMembership?.tenant.slug ?? "",
|
|
249
|
+
tenantRole: loaded.activeMembership?.role ?? "",
|
|
250
|
+
handle: loaded.user.handle ?? "",
|
|
89
251
|
};
|
|
90
252
|
}
|
|
91
253
|
|
|
254
|
+
if (federated && claims.activeTenantId && idpGroups.length > 0) {
|
|
255
|
+
try {
|
|
256
|
+
const db = await getPrisma();
|
|
257
|
+
const refreshed = await maybeRefreshFederatedRole(
|
|
258
|
+
db,
|
|
259
|
+
claims.activeTenantId,
|
|
260
|
+
idpGroups,
|
|
261
|
+
claims.tenantRole,
|
|
262
|
+
);
|
|
263
|
+
if (refreshed) {
|
|
264
|
+
// Only emit the new role into the JWT after the DB persist succeeds.
|
|
265
|
+
// Otherwise a transient DB error would oscillate the user's effective
|
|
266
|
+
// role between cached-old and JWT-new on alternating refreshes (G2 H2).
|
|
267
|
+
let persisted = false;
|
|
268
|
+
try {
|
|
269
|
+
await db.tenantMember.update({
|
|
270
|
+
where: {
|
|
271
|
+
tenantId_userId: { tenantId: claims.activeTenantId, userId: claims.userId },
|
|
272
|
+
},
|
|
273
|
+
data: { role: refreshed },
|
|
274
|
+
});
|
|
275
|
+
persisted = true;
|
|
276
|
+
} catch (err) {
|
|
277
|
+
console.warn(
|
|
278
|
+
JSON.stringify({
|
|
279
|
+
event: "pretoken.role_refresh_persist_failed",
|
|
280
|
+
cognitoSub,
|
|
281
|
+
error: (err as { code?: string })?.code ?? "unknown",
|
|
282
|
+
}),
|
|
283
|
+
);
|
|
284
|
+
}
|
|
285
|
+
if (persisted) {
|
|
286
|
+
claims = { ...claims, tenantRole: refreshed };
|
|
287
|
+
cacheHit = false;
|
|
288
|
+
console.log(
|
|
289
|
+
JSON.stringify({
|
|
290
|
+
event: "pretoken.role_refreshed",
|
|
291
|
+
cognitoSub,
|
|
292
|
+
tenantId: claims.activeTenantId,
|
|
293
|
+
}),
|
|
294
|
+
);
|
|
295
|
+
}
|
|
296
|
+
}
|
|
297
|
+
} catch (err) {
|
|
298
|
+
console.warn(
|
|
299
|
+
JSON.stringify({
|
|
300
|
+
event: "pretoken.role_refresh_failed",
|
|
301
|
+
cognitoSub,
|
|
302
|
+
error: (err as { code?: string }).code ?? "unknown",
|
|
303
|
+
}),
|
|
304
|
+
);
|
|
305
|
+
}
|
|
306
|
+
}
|
|
307
|
+
|
|
308
|
+
if (!cacheHit && claims.userId) {
|
|
309
|
+
await claimsCache.put(cognitoSub, claims, DEFAULT_CACHE_TTL_SECONDS);
|
|
310
|
+
}
|
|
311
|
+
|
|
312
|
+
writeAccessTokenClaims(event, claims);
|
|
92
313
|
return event;
|
|
93
314
|
};
|
|
315
|
+
|
|
316
|
+
function writeAccessTokenClaims(
|
|
317
|
+
event: PreTokenGenerationV2TriggerEvent,
|
|
318
|
+
claims: CachedClaims,
|
|
319
|
+
): void {
|
|
320
|
+
event.response = {
|
|
321
|
+
claimsAndScopeOverrideDetails: {
|
|
322
|
+
accessTokenGeneration: {
|
|
323
|
+
claimsToAddOrOverride: {
|
|
324
|
+
"custom:userId": claims.userId,
|
|
325
|
+
"custom:globalRole": claims.globalRole,
|
|
326
|
+
"custom:activeTenantId": claims.activeTenantId,
|
|
327
|
+
"custom:tenantSlug": claims.tenantSlug,
|
|
328
|
+
"custom:tenantRole": claims.tenantRole,
|
|
329
|
+
"custom:handle": claims.handle,
|
|
330
|
+
},
|
|
331
|
+
},
|
|
332
|
+
},
|
|
333
|
+
};
|
|
334
|
+
}
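Review bot: `maybeRefreshFederatedRole` (new lines 168–191, invoked at 254–262) treats `custom:idpGroups` from `event.request.userAttributes` as authoritative, persists the resolved role into `TenantMember` and emits it as `custom:tenantRole`, yet nothing in the trigger establishes that this custom attribute is read-only for the app client; if the pool lets the client write it, a federated user can set it on themselves via UpdateUserAttributes and be promoted on the next refresh (native users are excluded only because `identities` is absent). State the precondition where the attribute is read, e.g. `// SECURITY: custom:idpGroups must be non-writable by every app client (pool attribute permissions) — otherwise this is a self-service privilege escalation.` The header comment at lines 7–9 also overstates what is re-resolved: the attribute is only rewritten when the user signs in through the IdP, so a refresh picks up `TenantRoleMapping` changes, not IdP-side group changes — `* group changes` would better read `* mapping changes (the attribute itself is only refreshed on IdP sign-in)`. Finally, when no mapping matches, `resolveTenantRole` appears to fall back to `idp.defaultRole`, which would silently downgrade and persist a manually granted OWNER/ADMIN on every refresh; worth confirming it returns null rather than the default in that case, or excluding OWNER from the overwrite.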
|