@de-otio/trellis 0.6.1 → 0.7.1
- package/dist/env.d.ts +21 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +12 -0
- package/dist/env.js.map +1 -1
- package/dist/lambda/nightly-cron.d.ts.map +1 -1
- package/dist/lambda/nightly-cron.js +5 -2
- package/dist/lambda/nightly-cron.js.map +1 -1
- package/dist/lambda/post-confirmation.d.ts +30 -0
- package/dist/lambda/post-confirmation.d.ts.map +1 -1
- package/dist/lambda/post-confirmation.js +333 -29
- package/dist/lambda/post-confirmation.js.map +1 -1
- package/dist/lambda/pre-token-generation.d.ts +20 -0
- package/dist/lambda/pre-token-generation.d.ts.map +1 -1
- package/dist/lambda/pre-token-generation.js +233 -48
- package/dist/lambda/pre-token-generation.js.map +1 -1
- package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
- package/dist/lib/activitypub/activity-processor.js +2 -1
- package/dist/lib/activitypub/activity-processor.js.map +1 -1
- package/dist/lib/activitypub/group-service.d.ts +2 -2
- package/dist/lib/activitypub/group-service.d.ts.map +1 -1
- package/dist/lib/activitypub/group-service.js +5 -2
- package/dist/lib/activitypub/group-service.js.map +1 -1
- package/dist/lib/age-tier-transition.d.ts.map +1 -1
- package/dist/lib/age-tier-transition.js +19 -10
- package/dist/lib/age-tier-transition.js.map +1 -1
- package/dist/lib/audit/csv-export.d.ts +25 -0
- package/dist/lib/audit/csv-export.d.ts.map +1 -0
- package/dist/lib/audit/csv-export.js +54 -0
- package/dist/lib/audit/csv-export.js.map +1 -0
- package/dist/lib/audit/emit.d.ts +56 -0
- package/dist/lib/audit/emit.d.ts.map +1 -0
- package/dist/lib/audit/emit.js +124 -0
- package/dist/lib/audit/emit.js.map +1 -0
- package/dist/lib/audit/event-types.d.ts +36 -0
- package/dist/lib/audit/event-types.d.ts.map +1 -0
- package/dist/lib/audit/event-types.js +69 -0
- package/dist/lib/audit/event-types.js.map +1 -0
- package/dist/lib/audit/pii-filter.d.ts +22 -0
- package/dist/lib/audit/pii-filter.d.ts.map +1 -0
- package/dist/lib/audit/pii-filter.js +51 -0
- package/dist/lib/audit/pii-filter.js.map +1 -0
- package/dist/lib/audit-logger.js +1 -1
- package/dist/lib/audit-logger.js.map +1 -1
- package/dist/lib/auth/auth-context.d.ts +34 -0
- package/dist/lib/auth/auth-context.d.ts.map +1 -0
- package/dist/lib/auth/auth-context.js +10 -0
- package/dist/lib/auth/auth-context.js.map +1 -0
- package/dist/lib/auth/auth-middleware.d.ts +50 -0
- package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
- package/dist/lib/auth/auth-middleware.js +153 -0
- package/dist/lib/auth/auth-middleware.js.map +1 -0
- package/dist/lib/auth/capabilities.d.ts +40 -0
- package/dist/lib/auth/capabilities.d.ts.map +1 -0
- package/dist/lib/auth/capabilities.js +44 -0
- package/dist/lib/auth/capabilities.js.map +1 -0
- package/dist/lib/auth/claims-cache.d.ts +70 -0
- package/dist/lib/auth/claims-cache.d.ts.map +1 -0
- package/dist/lib/auth/claims-cache.js +139 -0
- package/dist/lib/auth/claims-cache.js.map +1 -0
- package/dist/lib/auth/cognito-jwt.d.ts +6 -0
- package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
- package/dist/lib/auth/cognito-jwt.js.map +1 -1
- package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
- package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
- package/dist/lib/auth/idp-redirect-builder.js +48 -0
- package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
- package/dist/lib/auth/require.d.ts +51 -0
- package/dist/lib/auth/require.d.ts.map +1 -0
- package/dist/lib/auth/require.js +99 -0
- package/dist/lib/auth/require.js.map +1 -0
- package/dist/lib/auth/role-grants.d.ts +18 -0
- package/dist/lib/auth/role-grants.d.ts.map +1 -0
- package/dist/lib/auth/role-grants.js +62 -0
- package/dist/lib/auth/role-grants.js.map +1 -0
- package/dist/lib/cognito/idp-sdk.d.ts +80 -0
- package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
- package/dist/lib/cognito/idp-sdk.js +186 -0
- package/dist/lib/cognito/idp-sdk.js.map +1 -0
- package/dist/lib/cognito/issuer-probe.d.ts +47 -0
- package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
- package/dist/lib/cognito/issuer-probe.js +319 -0
- package/dist/lib/cognito/issuer-probe.js.map +1 -0
- package/dist/lib/comment-handler.d.ts +7 -7
- package/dist/lib/comment-handler.d.ts.map +1 -1
- package/dist/lib/comment-handler.js +23 -20
- package/dist/lib/comment-handler.js.map +1 -1
- package/dist/lib/compliance/baseline.d.ts +15 -0
- package/dist/lib/compliance/baseline.d.ts.map +1 -0
- package/dist/lib/compliance/baseline.js +205 -0
- package/dist/lib/compliance/baseline.js.map +1 -0
- package/dist/lib/compliance/tenant-merge.d.ts +35 -0
- package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
- package/dist/lib/compliance/tenant-merge.js +80 -0
- package/dist/lib/compliance/tenant-merge.js.map +1 -0
- package/dist/lib/compliance/types.d.ts +135 -0
- package/dist/lib/compliance/types.d.ts.map +1 -0
- package/dist/lib/compliance/types.js +9 -0
- package/dist/lib/compliance/types.js.map +1 -0
- package/dist/lib/connection-code-handler.d.ts +4 -4
- package/dist/lib/connection-code-handler.d.ts.map +1 -1
- package/dist/lib/connection-code-handler.js +21 -11
- package/dist/lib/connection-code-handler.js.map +1 -1
- package/dist/lib/feed-handler.d.ts +2 -2
- package/dist/lib/feed-handler.d.ts.map +1 -1
- package/dist/lib/feed-handler.js +5 -9
- package/dist/lib/feed-handler.js.map +1 -1
- package/dist/lib/middleware/idempotency-store.d.ts +86 -0
- package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency-store.js +109 -0
- package/dist/lib/middleware/idempotency-store.js.map +1 -0
- package/dist/lib/middleware/idempotency.d.ts +37 -0
- package/dist/lib/middleware/idempotency.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency.js +358 -0
- package/dist/lib/middleware/idempotency.js.map +1 -0
- package/dist/lib/net/trusted-client-ip.d.ts +39 -0
- package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
- package/dist/lib/net/trusted-client-ip.js +100 -0
- package/dist/lib/net/trusted-client-ip.js.map +1 -0
- package/dist/lib/notification-handler.d.ts +5 -5
- package/dist/lib/notification-handler.d.ts.map +1 -1
- package/dist/lib/notification-handler.js +11 -9
- package/dist/lib/notification-handler.js.map +1 -1
- package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
- package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
- package/dist/lib/oauth/cognito-issuer.js +53 -0
- package/dist/lib/oauth/cognito-issuer.js.map +1 -0
- package/dist/lib/oauth/device-authorization.d.ts +145 -0
- package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
- package/dist/lib/oauth/device-authorization.js +312 -0
- package/dist/lib/oauth/device-authorization.js.map +1 -0
- package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
- package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
- package/dist/lib/oauth/envelope-crypto.js +223 -0
- package/dist/lib/oauth/envelope-crypto.js.map +1 -0
- package/dist/lib/oauth/refresh-detection.d.ts +126 -0
- package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
- package/dist/lib/oauth/refresh-detection.js +248 -0
- package/dist/lib/oauth/refresh-detection.js.map +1 -0
- package/dist/lib/openapi/generator.d.ts +78 -0
- package/dist/lib/openapi/generator.d.ts.map +1 -0
- package/dist/lib/openapi/generator.js +201 -0
- package/dist/lib/openapi/generator.js.map +1 -0
- package/dist/lib/post-handler.d.ts +1 -1
- package/dist/lib/post-handler.d.ts.map +1 -1
- package/dist/lib/post-handler.js +4 -15
- package/dist/lib/post-handler.js.map +1 -1
- package/dist/lib/rate-limit.d.ts.map +1 -1
- package/dist/lib/rate-limit.js +11 -3
- package/dist/lib/rate-limit.js.map +1 -1
- package/dist/lib/routes/agent-authorize.d.ts +32 -0
- package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
- package/dist/lib/routes/agent-authorize.js +479 -0
- package/dist/lib/routes/agent-authorize.js.map +1 -0
- package/dist/lib/routes/agent-sessions.d.ts +20 -0
- package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
- package/dist/lib/routes/agent-sessions.js +124 -0
- package/dist/lib/routes/agent-sessions.js.map +1 -0
- package/dist/lib/routes/agent-surface.d.ts +37 -0
- package/dist/lib/routes/agent-surface.d.ts.map +1 -0
- package/dist/lib/routes/agent-surface.js +208 -0
- package/dist/lib/routes/agent-surface.js.map +1 -0
- package/dist/lib/routes/auth-discover.d.ts +18 -0
- package/dist/lib/routes/auth-discover.d.ts.map +1 -0
- package/dist/lib/routes/auth-discover.js +177 -0
- package/dist/lib/routes/auth-discover.js.map +1 -0
- package/dist/lib/routes/comments.d.ts.map +1 -1
- package/dist/lib/routes/comments.js +36 -7
- package/dist/lib/routes/comments.js.map +1 -1
- package/dist/lib/routes/connection-codes.d.ts.map +1 -1
- package/dist/lib/routes/connection-codes.js +21 -4
- package/dist/lib/routes/connection-codes.js.map +1 -1
- package/dist/lib/routes/content-discovery.d.ts.map +1 -1
- package/dist/lib/routes/content-discovery.js +18 -13
- package/dist/lib/routes/content-discovery.js.map +1 -1
- package/dist/lib/routes/dashboard.js +1 -1
- package/dist/lib/routes/dashboard.js.map +1 -1
- package/dist/lib/routes/employees.d.ts.map +1 -1
- package/dist/lib/routes/employees.js +57 -15
- package/dist/lib/routes/employees.js.map +1 -1
- package/dist/lib/routes/entities.d.ts.map +1 -1
- package/dist/lib/routes/entities.js +35 -19
- package/dist/lib/routes/entities.js.map +1 -1
- package/dist/lib/routes/errors.d.ts +34 -0
- package/dist/lib/routes/errors.d.ts.map +1 -0
- package/dist/lib/routes/errors.js +57 -0
- package/dist/lib/routes/errors.js.map +1 -0
- package/dist/lib/routes/feeds.d.ts.map +1 -1
- package/dist/lib/routes/feeds.js +12 -2
- package/dist/lib/routes/feeds.js.map +1 -1
- package/dist/lib/routes/index.d.ts.map +1 -1
- package/dist/lib/routes/index.js +50 -0
- package/dist/lib/routes/index.js.map +1 -1
- package/dist/lib/routes/mfa.d.ts.map +1 -1
- package/dist/lib/routes/mfa.js +1 -0
- package/dist/lib/routes/mfa.js.map +1 -1
- package/dist/lib/routes/notifications.d.ts.map +1 -1
- package/dist/lib/routes/notifications.js +21 -4
- package/dist/lib/routes/notifications.js.map +1 -1
- package/dist/lib/routes/oauth.d.ts +15 -0
- package/dist/lib/routes/oauth.d.ts.map +1 -0
- package/dist/lib/routes/oauth.js +139 -0
- package/dist/lib/routes/oauth.js.map +1 -0
- package/dist/lib/routes/posts.d.ts.map +1 -1
- package/dist/lib/routes/posts.js +30 -19
- package/dist/lib/routes/posts.js.map +1 -1
- package/dist/lib/routes/products.d.ts.map +1 -1
- package/dist/lib/routes/products.js +19 -22
- package/dist/lib/routes/products.js.map +1 -1
- package/dist/lib/routes/setup-status.d.ts +34 -0
- package/dist/lib/routes/setup-status.d.ts.map +1 -0
- package/dist/lib/routes/setup-status.js +87 -0
- package/dist/lib/routes/setup-status.js.map +1 -0
- package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy-analytics.js +15 -14
- package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
- package/dist/lib/routes/taxonomy.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy.js +19 -16
- package/dist/lib/routes/taxonomy.js.map +1 -1
- package/dist/lib/routes/tenant-audit.d.ts +19 -0
- package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
- package/dist/lib/routes/tenant-audit.js +244 -0
- package/dist/lib/routes/tenant-audit.js.map +1 -0
- package/dist/lib/routes/tenant-compliance.d.ts +21 -0
- package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
- package/dist/lib/routes/tenant-compliance.js +122 -0
- package/dist/lib/routes/tenant-compliance.js.map +1 -0
- package/dist/lib/routes/tenant-domains.d.ts +11 -0
- package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
- package/dist/lib/routes/tenant-domains.js +95 -0
- package/dist/lib/routes/tenant-domains.js.map +1 -0
- package/dist/lib/routes/tenant-idp.d.ts +3 -0
- package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
- package/dist/lib/routes/tenant-idp.js +89 -0
- package/dist/lib/routes/tenant-idp.js.map +1 -0
- package/dist/lib/routes/tenant-members.d.ts +13 -0
- package/dist/lib/routes/tenant-members.d.ts.map +1 -0
- package/dist/lib/routes/tenant-members.js +75 -0
- package/dist/lib/routes/tenant-members.js.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.js +90 -0
- package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
- package/dist/lib/routes/tenants.d.ts +13 -0
- package/dist/lib/routes/tenants.d.ts.map +1 -0
- package/dist/lib/routes/tenants.js +121 -0
- package/dist/lib/routes/tenants.js.map +1 -0
- package/dist/lib/routes/types.d.ts +9 -0
- package/dist/lib/routes/types.d.ts.map +1 -1
- package/dist/lib/schemas.d.ts +2 -2
- package/dist/lib/secrets/idp-secrets.d.ts +51 -0
- package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
- package/dist/lib/secrets/idp-secrets.js +111 -0
- package/dist/lib/secrets/idp-secrets.js.map +1 -0
- package/dist/lib/security-monitor.d.ts.map +1 -1
- package/dist/lib/security-monitor.js +6 -1
- package/dist/lib/security-monitor.js.map +1 -1
- package/dist/lib/session-manager.d.ts +1 -0
- package/dist/lib/session-manager.d.ts.map +1 -1
- package/dist/lib/session-manager.js.map +1 -1
- package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
- package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
- package/dist/lib/taxonomy-handler-factory.js +8 -7
- package/dist/lib/taxonomy-handler-factory.js.map +1 -1
- package/dist/lib/tenant/audit-emit.d.ts +18 -0
- package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
- package/dist/lib/tenant/audit-emit.js +16 -0
- package/dist/lib/tenant/audit-emit.js.map +1 -0
- package/dist/lib/tenant/derive-domain.d.ts +19 -0
- package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
- package/dist/lib/tenant/derive-domain.js +38 -0
- package/dist/lib/tenant/derive-domain.js.map +1 -0
- package/dist/lib/tenant/domain-handler.d.ts +42 -0
- package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
- package/dist/lib/tenant/domain-handler.js +344 -0
- package/dist/lib/tenant/domain-handler.js.map +1 -0
- package/dist/lib/tenant/domain-validator.d.ts +28 -0
- package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
- package/dist/lib/tenant/domain-validator.js +145 -0
- package/dist/lib/tenant/domain-validator.js.map +1 -0
- package/dist/lib/tenant/domain-verifier.d.ts +30 -0
- package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
- package/dist/lib/tenant/domain-verifier.js +53 -0
- package/dist/lib/tenant/domain-verifier.js.map +1 -0
- package/dist/lib/tenant/idp-handler.d.ts +29 -0
- package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
- package/dist/lib/tenant/idp-handler.js +693 -0
- package/dist/lib/tenant/idp-handler.js.map +1 -0
- package/dist/lib/tenant/idp-name.d.ts +2 -0
- package/dist/lib/tenant/idp-name.d.ts.map +1 -0
- package/dist/lib/tenant/idp-name.js +20 -0
- package/dist/lib/tenant/idp-name.js.map +1 -0
- package/dist/lib/tenant/member-handler.d.ts +31 -0
- package/dist/lib/tenant/member-handler.d.ts.map +1 -0
- package/dist/lib/tenant/member-handler.js +343 -0
- package/dist/lib/tenant/member-handler.js.map +1 -0
- package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
- package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
- package/dist/lib/tenant/reserved-slugs.js +116 -0
- package/dist/lib/tenant/reserved-slugs.js.map +1 -0
- package/dist/lib/tenant/resolve-role.d.ts +39 -0
- package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
- package/dist/lib/tenant/resolve-role.js +60 -0
- package/dist/lib/tenant/resolve-role.js.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.js +260 -0
- package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
- package/dist/lib/tenant/setup-status.d.ts +83 -0
- package/dist/lib/tenant/setup-status.d.ts.map +1 -0
- package/dist/lib/tenant/setup-status.js +201 -0
- package/dist/lib/tenant/setup-status.js.map +1 -0
- package/dist/lib/tenant/slug-validator.d.ts +31 -0
- package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
- package/dist/lib/tenant/slug-validator.js +42 -0
- package/dist/lib/tenant/slug-validator.js.map +1 -0
- package/dist/lib/tenant/tenant-handler.d.ts +49 -0
- package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
- package/dist/lib/tenant/tenant-handler.js +377 -0
- package/dist/lib/tenant/tenant-handler.js.map +1 -0
- package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
- package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
- package/dist/lib/tenant/transfer-ownership.js +66 -0
- package/dist/lib/tenant/transfer-ownership.js.map +1 -0
- package/dist/lib/user/derive-handle.d.ts +29 -0
- package/dist/lib/user/derive-handle.d.ts.map +1 -0
- package/dist/lib/user/derive-handle.js +65 -0
- package/dist/lib/user/derive-handle.js.map +1 -0
- package/dist/lib/user-deprovisioning.d.ts +11 -1
- package/dist/lib/user-deprovisioning.d.ts.map +1 -1
- package/dist/lib/user-deprovisioning.js +46 -2
- package/dist/lib/user-deprovisioning.js.map +1 -1
- package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
- package/package.json +7 -5
- package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
- package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
- package/prisma/schema.prisma +324 -74
- package/src/lambda/nightly-cron.ts +4 -1
- package/src/lambda/post-confirmation.ts +405 -29
- package/src/lambda/pre-token-generation.ts +300 -59
|
@@ -1,20 +1,64 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Cognito PostConfirmation trigger.
|
|
4
|
+
*
|
|
5
|
+
* Fires once per user-pool record after Cognito accepts a sign-up
|
|
6
|
+
* (`PostConfirmation_ConfirmSignUp`) or a forgotten-password confirmation
|
|
7
|
+
* (`PostConfirmation_ConfirmForgotPassword`). For federated identities the
|
|
8
|
+
* same trigger source is `PostConfirmation_ConfirmSignUp`; the
|
|
9
|
+
* `request.userAttributes.identities` JSON string is the disambiguator.
|
|
10
|
+
*
|
|
11
|
+
* Responsibilities (atomic, single Prisma transaction):
|
|
12
|
+
* 1. Upsert the `User` row (link `cognitoSub` to an existing email match,
|
|
13
|
+
* otherwise create with a derived handle).
|
|
14
|
+
* 2. Ensure a personal `Tenant` of `type=PERSONAL` exists for the user,
|
|
15
|
+
* plus a `TenantMember` with `role=OWNER`.
|
|
16
|
+
* 3. For federated users: exact-match the email domain against
|
|
17
|
+
* `tenant_domains` (verified only). If the domain belongs to a tenant
|
|
18
|
+
* with an `ACTIVE` IdP, resolve the user's role from `TenantRoleMapping`
|
|
19
|
+
* (against the `custom:idpGroups` attribute) and create / refresh a
|
|
20
|
+
* `TenantMember` row with `isJitProvisioned=true`.
|
|
21
|
+
* 4. Preserve the existing `ageTier` + parental-link logic from the v0.6
|
|
22
|
+
* stub (B2C requirement).
|
|
23
|
+
*
|
|
24
|
+
* Idempotency: every write is an upsert. Cognito retries up to 3 times.
|
|
25
|
+
*
|
|
26
|
+
* Cross-tenant isolation: domain lookup is exact-match-only. No substring,
|
|
27
|
+
* no wildcard. See sec finding #8 in
|
|
28
|
+
* plans/mvp/10-trellis-stages/02-cognito-triggers.md.
|
|
29
|
+
*
|
|
30
|
+
* No PII (email body, group claim contents, raw IdP attributes) is logged.
|
|
31
|
+
*/
|
|
2
32
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
33
|
exports.handler = void 0;
|
|
4
34
|
const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
|
|
5
35
|
const client_1 = require("@prisma/client");
|
|
36
|
+
const claims_cache_1 = require("../lib/auth/claims-cache");
|
|
37
|
+
const derive_domain_1 = require("../lib/tenant/derive-domain");
|
|
38
|
+
const resolve_role_1 = require("../lib/tenant/resolve-role");
|
|
39
|
+
const derive_handle_1 = require("../lib/user/derive-handle");
|
|
6
40
|
const secretsClient = new client_secrets_manager_1.SecretsManagerClient({ region: process.env.AWS_REGION });
|
|
7
41
|
let prisma = null;
|
|
42
|
+
let cache = null;
|
|
8
43
|
async function getPrisma() {
|
|
9
44
|
if (prisma)
|
|
10
45
|
return prisma;
|
|
11
46
|
const secret = await secretsClient.send(new client_secrets_manager_1.GetSecretValueCommand({ SecretId: process.env.DB_SECRET_ARN }));
|
|
12
47
|
const { username, password, host, port, dbname } = JSON.parse(secret.SecretString);
|
|
13
48
|
prisma = new client_1.PrismaClient({
|
|
14
|
-
datasources: {
|
|
49
|
+
datasources: {
|
|
50
|
+
db: {
|
|
51
|
+
url: `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${dbname}?connection_limit=1`,
|
|
52
|
+
},
|
|
53
|
+
},
|
|
15
54
|
});
|
|
16
55
|
return prisma;
|
|
17
56
|
}
|
|
57
|
+
function getCache() {
|
|
58
|
+
if (!cache)
|
|
59
|
+
cache = (0, claims_cache_1.createClaimsCacheFromEnv)();
|
|
60
|
+
return cache;
|
|
61
|
+
}
|
|
18
62
|
function computeAgeTier(dateOfBirth) {
|
|
19
63
|
const now = new Date();
|
|
20
64
|
let age = now.getUTCFullYear() - dateOfBirth.getUTCFullYear();
|
|
@@ -28,52 +72,312 @@ function computeAgeTier(dateOfBirth) {
|
|
|
28
72
|
return "TEEN";
|
|
29
73
|
return "ADULT";
|
|
30
74
|
}
|
|
75
|
+
function isFederatedEvent(event) {
|
|
76
|
+
const identitiesRaw = event.request.userAttributes["identities"];
|
|
77
|
+
if (!identitiesRaw)
|
|
78
|
+
return false;
|
|
79
|
+
try {
|
|
80
|
+
const parsed = JSON.parse(identitiesRaw);
|
|
81
|
+
return Array.isArray(parsed) && parsed.length > 0;
|
|
82
|
+
}
|
|
83
|
+
catch {
|
|
84
|
+
// Malformed `identities` is not a federation signal we can act on. Return
|
|
85
|
+
// false rather than over-classifying as federated, which would set
|
|
86
|
+
// role=B2B_PARTNER and run the org-tenant resolution path. (G2 M2)
|
|
87
|
+
return false;
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
function parseIdpGroups(raw) {
|
|
91
|
+
if (!raw)
|
|
92
|
+
return [];
|
|
93
|
+
// Split on `,` and `;` only — IdPs (notably Okta in displayName mode) may
|
|
94
|
+
// emit group names containing whitespace. Cognito's custom-attribute
|
|
95
|
+
// serialization is comma-separated; we accept semicolon as a defensive
|
|
96
|
+
// fallback. (G2 L1)
|
|
97
|
+
return raw
|
|
98
|
+
.split(/[,;]+/)
|
|
99
|
+
.map((s) => s.trim())
|
|
100
|
+
.filter(Boolean);
|
|
101
|
+
}
|
|
102
|
+
const SUPPORTED_TRIGGERS = new Set([
|
|
103
|
+
"PostConfirmation_ConfirmSignUp",
|
|
104
|
+
"PostConfirmation_ConfirmForgotPassword",
|
|
105
|
+
]);
|
|
31
106
|
const handler = async (event) => {
|
|
32
|
-
if (event.triggerSource
|
|
107
|
+
if (!SUPPORTED_TRIGGERS.has(event.triggerSource))
|
|
33
108
|
return event;
|
|
34
|
-
const { email, "custom:handle": handle, "custom:dateOfBirth": dateOfBirthStr } = event.request.userAttributes;
|
|
35
109
|
const cognitoSub = event.userName;
|
|
36
|
-
const
|
|
37
|
-
|
|
110
|
+
const attrs = event.request.userAttributes;
|
|
111
|
+
const email = attrs.email?.toLowerCase();
|
|
112
|
+
if (!email) {
|
|
113
|
+
console.warn(JSON.stringify({ event: "postconfirm.no_email", cognitoSub }));
|
|
114
|
+
return event;
|
|
115
|
+
}
|
|
116
|
+
const federated = isFederatedEvent(event);
|
|
117
|
+
const idpGroups = parseIdpGroups(attrs["custom:idpGroups"]);
|
|
118
|
+
const dobStr = attrs["custom:dateOfBirth"];
|
|
38
119
|
let dateOfBirth;
|
|
39
120
|
let ageTier = "ADULT";
|
|
40
|
-
if (
|
|
41
|
-
|
|
42
|
-
if (!isNaN(
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
else {
|
|
46
|
-
dateOfBirth = undefined;
|
|
121
|
+
if (dobStr) {
|
|
122
|
+
const parsed = new Date(dobStr);
|
|
123
|
+
if (!isNaN(parsed.getTime()) && parsed < new Date()) {
|
|
124
|
+
dateOfBirth = parsed;
|
|
125
|
+
ageTier = computeAgeTier(parsed);
|
|
47
126
|
}
|
|
48
127
|
}
|
|
49
|
-
const
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
},
|
|
61
|
-
});
|
|
62
|
-
// If child account, create a pending parental link if guardian email is provided
|
|
128
|
+
const db = await getPrisma();
|
|
129
|
+
const result = await db.$transaction(async (tx) => provisionUserAndTenancy(tx, {
|
|
130
|
+
cognitoSub,
|
|
131
|
+
email,
|
|
132
|
+
emailVerified: attrs.email_verified,
|
|
133
|
+
federated,
|
|
134
|
+
idpGroups,
|
|
135
|
+
dateOfBirth,
|
|
136
|
+
ageTier,
|
|
137
|
+
providedHandle: attrs["custom:handle"],
|
|
138
|
+
}), { timeout: 8000 });
|
|
63
139
|
if (ageTier === "CHILD") {
|
|
64
|
-
const guardianEmail =
|
|
140
|
+
const guardianEmail = attrs["custom:guardianEmail"]?.toLowerCase();
|
|
65
141
|
if (guardianEmail) {
|
|
66
142
|
const guardian = await db.user.findUnique({ where: { email: guardianEmail } });
|
|
67
143
|
if (guardian) {
|
|
68
144
|
await db.parentalLink.upsert({
|
|
69
|
-
where: { childId_guardianId: { childId:
|
|
70
|
-
create: { childId:
|
|
145
|
+
where: { childId_guardianId: { childId: result.userId, guardianId: guardian.id } },
|
|
146
|
+
create: { childId: result.userId, guardianId: guardian.id, status: "PENDING" },
|
|
71
147
|
update: {},
|
|
72
148
|
});
|
|
73
149
|
}
|
|
74
150
|
}
|
|
75
151
|
}
|
|
152
|
+
await primeClaimsCache(cognitoSub, result);
|
|
153
|
+
console.log(JSON.stringify({
|
|
154
|
+
event: "postconfirm.ok",
|
|
155
|
+
cognitoSub,
|
|
156
|
+
userId: result.userId,
|
|
157
|
+
personalTenantId: result.personalTenantId,
|
|
158
|
+
orgTenantId: result.orgTenantId,
|
|
159
|
+
federated,
|
|
160
|
+
}));
|
|
76
161
|
return event;
|
|
77
162
|
};
|
|
78
163
|
exports.handler = handler;
|
|
164
|
+
async function provisionUserAndTenancy(tx, input) {
|
|
165
|
+
const { cognitoSub, email, federated, idpGroups, dateOfBirth, ageTier, providedHandle, } = input;
|
|
166
|
+
const existing = await tx.user.findFirst({
|
|
167
|
+
where: { OR: [{ cognitoSub }, { email }] },
|
|
168
|
+
});
|
|
169
|
+
let user = existing;
|
|
170
|
+
if (!user) {
|
|
171
|
+
const initialHandle = (providedHandle && providedHandle.trim()) ||
|
|
172
|
+
(await (0, derive_handle_1.deriveHandle)(email, async (h) => {
|
|
173
|
+
const found = await tx.user.findFirst({ where: { handle: h }, select: { id: true } });
|
|
174
|
+
return !!found;
|
|
175
|
+
}));
|
|
176
|
+
user = await tx.user.create({
|
|
177
|
+
data: {
|
|
178
|
+
cognitoSub,
|
|
179
|
+
email,
|
|
180
|
+
handle: initialHandle,
|
|
181
|
+
role: federated ? "B2B_PARTNER" : "END_USER",
|
|
182
|
+
...(dateOfBirth && { dateOfBirth, ageTier }),
|
|
183
|
+
},
|
|
184
|
+
});
|
|
185
|
+
}
|
|
186
|
+
else {
|
|
187
|
+
const updates = {};
|
|
188
|
+
if (!user.cognitoSub)
|
|
189
|
+
updates.cognitoSub = cognitoSub;
|
|
190
|
+
if (!user.handle) {
|
|
191
|
+
updates.handle = await (0, derive_handle_1.deriveHandle)(email, async (h) => {
|
|
192
|
+
const found = await tx.user.findFirst({
|
|
193
|
+
where: { handle: h, NOT: { id: user.id } },
|
|
194
|
+
select: { id: true },
|
|
195
|
+
});
|
|
196
|
+
return !!found;
|
|
197
|
+
});
|
|
198
|
+
}
|
|
199
|
+
if (Object.keys(updates).length > 0) {
|
|
200
|
+
user = await tx.user.update({ where: { id: user.id }, data: updates });
|
|
201
|
+
}
|
|
202
|
+
}
|
|
203
|
+
let personalTenantId = user.personalTenantId;
|
|
204
|
+
let personalTenantSlug = "";
|
|
205
|
+
if (!personalTenantId) {
|
|
206
|
+
const personalSlug = `personal-${user.id}`;
|
|
207
|
+
const personalTenant = await tx.tenant.create({
|
|
208
|
+
data: {
|
|
209
|
+
slug: personalSlug,
|
|
210
|
+
displayName: user.handle ?? "personal",
|
|
211
|
+
type: "PERSONAL",
|
|
212
|
+
personalOwnerUserId: user.id,
|
|
213
|
+
},
|
|
214
|
+
});
|
|
215
|
+
personalTenantId = personalTenant.id;
|
|
216
|
+
personalTenantSlug = personalTenant.slug;
|
|
217
|
+
await tx.tenantMember.upsert({
|
|
218
|
+
where: { tenantId_userId: { tenantId: personalTenant.id, userId: user.id } },
|
|
219
|
+
create: {
|
|
220
|
+
tenantId: personalTenant.id,
|
|
221
|
+
userId: user.id,
|
|
222
|
+
role: "OWNER",
|
|
223
|
+
status: "ACTIVE",
|
|
224
|
+
joinedAt: new Date(),
|
|
225
|
+
},
|
|
226
|
+
update: { status: "ACTIVE" },
|
|
227
|
+
});
|
|
228
|
+
await tx.user.update({
|
|
229
|
+
where: { id: user.id },
|
|
230
|
+
data: { personalTenantId: personalTenant.id },
|
|
231
|
+
});
|
|
232
|
+
}
|
|
233
|
+
else {
|
|
234
|
+
const personal = await tx.tenant.findUnique({
|
|
235
|
+
where: { id: personalTenantId },
|
|
236
|
+
select: { slug: true },
|
|
237
|
+
});
|
|
238
|
+
personalTenantSlug = personal?.slug ?? "";
|
|
239
|
+
await tx.tenantMember.upsert({
|
|
240
|
+
where: { tenantId_userId: { tenantId: personalTenantId, userId: user.id } },
|
|
241
|
+
create: {
|
|
242
|
+
tenantId: personalTenantId,
|
|
243
|
+
userId: user.id,
|
|
244
|
+
role: "OWNER",
|
|
245
|
+
status: "ACTIVE",
|
|
246
|
+
joinedAt: new Date(),
|
|
247
|
+
},
|
|
248
|
+
update: {},
|
|
249
|
+
});
|
|
250
|
+
}
|
|
251
|
+
let orgTenantId = null;
|
|
252
|
+
let orgTenantSlug = null;
|
|
253
|
+
let orgTenantRole = null;
|
|
254
|
+
if (federated) {
|
|
255
|
+
// Defensive: only resolve org-tenant membership when Cognito asserts the
|
|
256
|
+
// email is verified by the IdP. Native Cognito sign-ups always reach this
|
|
257
|
+
// trigger with email_verified=true; for federated identities the value
|
|
258
|
+
// depends on the IdP's attribute mapping. Without this check, an IdP
|
|
259
|
+
// misconfigured to skip verification would let a user claim any
|
|
260
|
+
// domain-bound tenant by self-asserting an email. Personal-tenant
|
|
261
|
+
// creation above is unaffected — Cognito has already authenticated them.
|
|
262
|
+
const emailVerified = input.emailVerified === "true";
|
|
263
|
+
if (!emailVerified) {
|
|
264
|
+
console.warn(JSON.stringify({ event: "postconfirm.federated.email_unverified", cognitoSub }));
|
|
265
|
+
return {
|
|
266
|
+
userId: user.id,
|
|
267
|
+
globalRole: user.role,
|
|
268
|
+
handle: user.handle ?? "",
|
|
269
|
+
personalTenantId: personalTenantId,
|
|
270
|
+
personalTenantSlug,
|
|
271
|
+
orgTenantId: null,
|
|
272
|
+
orgTenantSlug: null,
|
|
273
|
+
orgTenantRole: null,
|
|
274
|
+
};
|
|
275
|
+
}
|
|
276
|
+
const domain = (0, derive_domain_1.deriveEmailDomain)(email);
|
|
277
|
+
if (!domain) {
|
|
278
|
+
console.warn(JSON.stringify({ event: "postconfirm.federated.invalid_email", cognitoSub }));
|
|
279
|
+
}
|
|
280
|
+
else {
|
|
281
|
+
const tenantDomain = await tx.tenantDomain.findUnique({
|
|
282
|
+
where: { domain },
|
|
283
|
+
include: {
|
|
284
|
+
tenant: {
|
|
285
|
+
include: {
|
|
286
|
+
identityProvider: {
|
|
287
|
+
select: { status: true, defaultRole: true },
|
|
288
|
+
},
|
|
289
|
+
roleMappings: {
|
|
290
|
+
select: { idpGroupName: true, tenantRole: true, priority: true },
|
|
291
|
+
},
|
|
292
|
+
},
|
|
293
|
+
},
|
|
294
|
+
},
|
|
295
|
+
});
|
|
296
|
+
if (!tenantDomain) {
|
|
297
|
+
console.warn(JSON.stringify({ event: "postconfirm.federated.no_domain_match", cognitoSub }));
|
|
298
|
+
}
|
|
299
|
+
else if (!tenantDomain.verifiedAt) {
|
|
300
|
+
console.warn(JSON.stringify({
|
|
301
|
+
event: "postconfirm.federated.unverified_domain",
|
|
302
|
+
cognitoSub,
|
|
303
|
+
tenantId: tenantDomain.tenantId,
|
|
304
|
+
}));
|
|
305
|
+
}
|
|
306
|
+
else if (!tenantDomain.tenant.identityProvider ||
|
|
307
|
+
tenantDomain.tenant.identityProvider.status !== "ACTIVE") {
|
|
308
|
+
console.warn(JSON.stringify({
|
|
309
|
+
event: "postconfirm.federated.inactive_idp",
|
|
310
|
+
cognitoSub,
|
|
311
|
+
tenantId: tenantDomain.tenantId,
|
|
312
|
+
}));
|
|
313
|
+
}
|
|
314
|
+
else {
|
|
315
|
+
const role = (0, resolve_role_1.resolveTenantRole)(idpGroups, tenantDomain.tenant.roleMappings, tenantDomain.tenant.identityProvider.defaultRole);
|
|
316
|
+
if (!role) {
|
|
317
|
+
console.warn(JSON.stringify({
|
|
318
|
+
event: "postconfirm.federated.no_role",
|
|
319
|
+
cognitoSub,
|
|
320
|
+
tenantId: tenantDomain.tenantId,
|
|
321
|
+
}));
|
|
322
|
+
}
|
|
323
|
+
else {
|
|
324
|
+
await tx.tenantMember.upsert({
|
|
325
|
+
where: {
|
|
326
|
+
tenantId_userId: { tenantId: tenantDomain.tenantId, userId: user.id },
|
|
327
|
+
},
|
|
328
|
+
create: {
|
|
329
|
+
tenantId: tenantDomain.tenantId,
|
|
330
|
+
userId: user.id,
|
|
331
|
+
role,
|
|
332
|
+
status: "ACTIVE",
|
|
333
|
+
joinedAt: new Date(),
|
|
334
|
+
isJitProvisioned: true,
|
|
335
|
+
},
|
|
336
|
+
update: {
|
|
337
|
+
role,
|
|
338
|
+
status: "ACTIVE",
|
|
339
|
+
lastActiveAt: new Date(),
|
|
340
|
+
},
|
|
341
|
+
});
|
|
342
|
+
orgTenantId = tenantDomain.tenantId;
|
|
343
|
+
orgTenantSlug = tenantDomain.tenant.slug;
|
|
344
|
+
orgTenantRole = role;
|
|
345
|
+
}
|
|
346
|
+
}
|
|
347
|
+
}
|
|
348
|
+
}
|
|
349
|
+
return {
|
|
350
|
+
userId: user.id,
|
|
351
|
+
globalRole: user.role,
|
|
352
|
+
handle: user.handle ?? "",
|
|
353
|
+
personalTenantId: personalTenantId,
|
|
354
|
+
personalTenantSlug,
|
|
355
|
+
orgTenantId,
|
|
356
|
+
orgTenantSlug,
|
|
357
|
+
orgTenantRole,
|
|
358
|
+
};
|
|
359
|
+
}
|
|
360
|
+
async function primeClaimsCache(cognitoSub, result) {
|
|
361
|
+
const activeTenantId = result.orgTenantId ?? result.personalTenantId;
|
|
362
|
+
const activeTenantSlug = result.orgTenantSlug ?? result.personalTenantSlug;
|
|
363
|
+
const activeTenantRole = result.orgTenantRole ?? "OWNER";
|
|
364
|
+
const claims = {
|
|
365
|
+
userId: result.userId,
|
|
366
|
+
globalRole: result.globalRole,
|
|
367
|
+
activeTenantId,
|
|
368
|
+
tenantSlug: activeTenantSlug,
|
|
369
|
+
tenantRole: activeTenantRole,
|
|
370
|
+
handle: result.handle,
|
|
371
|
+
};
|
|
372
|
+
try {
|
|
373
|
+
await getCache().put(cognitoSub, claims);
|
|
374
|
+
}
|
|
375
|
+
catch (err) {
|
|
376
|
+
console.warn(JSON.stringify({
|
|
377
|
+
event: "postconfirm.cache_prime_failed",
|
|
378
|
+
cognitoSub,
|
|
379
|
+
error: err.code ?? "unknown",
|
|
380
|
+
}));
|
|
381
|
+
}
|
|
382
|
+
}
|
|
79
383
|
//# sourceMappingURL=post-confirmation.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"post-confirmation.js","sourceRoot":"","sources":["../../src/lambda/post-confirmation.ts"],"names":[],"mappings":";;;AACA,4EAA8F;AAC9F,2CAA4D;AAE5D,MAAM,aAAa,GAAG,IAAI,6CAAoB,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;AACnF,IAAI,MAAM,GAAwB,IAAI,CAAC;AAEvC,KAAK,UAAU,SAAS;IACtB,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,IAAI,8CAAqB,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,aAAc,EAAE,CAAC,CAAC,CAAC;IAC7G,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAa,CAAC,CAAC;IACpF,MAAM,GAAG,IAAI,qBAAY,CAAC;QACxB,WAAW,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,gBAAgB,QAAQ,IAAI,kBAAkB,CAAC,QAAQ,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,MAAM,qBAAqB,EAAE,EAAE;KACtI,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,WAAiB;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,GAAG,CAAC,cAAc,EAAE,GAAG,WAAW,CAAC,cAAc,EAAE,CAAC;IAC9D,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IAChE,IAAI,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,GAAG,CAAC,UAAU,EAAE,GAAG,WAAW,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC;QACtF,GAAG,EAAE,CAAC;IACR,CAAC;IACD,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,OAAO,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,MAAM,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAEM,MAAM,OAAO,GAAmC,KAAK,EAAE,KAAK,EAAE,EAAE;IACrE,IAAI,KAAK,CAAC,aAAa,KAAK,gCAAgC;QAAE,OAAO,KAAK,CAAC;IAE3E,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,oBAAoB,EAAE,cAAc,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;IAC9G,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC;IAElC,MAAM,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;IAE7B,kDAAkD;IAClD,IAAI,WAA6B,CAAC;IAClC,IAAI,OAAO,GAAY,OAAO,CAAC;IAC/B,IAAI,cAAc,EAAE,CAAC;QACnB,WAAW,GAAG,IAAI,IAAI,CAAC,cAAc,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,IAAI,WAAW,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAC9D,OAAO,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,WAAW,GAAG,SAAS,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChC,KAAK,EAAE,EAAE,UAAU,EAAE;QACrB,MAAM,EAAE
;YACN,UAAU;YACV,KAAK;YACL,MAAM,EAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACrC,IAAI,EAAE,UAAU;YAChB,GAAG,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;SAC7C;QACD,MAAM,EAAE;YACN,KAAK;SACN;KACF,CAAC,CAAC;IAEH,iFAAiF;IACjF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,sBAAsB,CAAC,CAAC;QAC3E,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;YAC/E,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;oBAC3B,KAAK,EAAE,EAAE,kBAAkB,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE;oBAC5E,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE;oBACxE,MAAM,EAAE,EAAE;iBACX,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAlDW,QAAA,OAAO,WAkDlB"}
|
|
1
|
+
{"version":3,"file":"post-confirmation.js","sourceRoot":"","sources":["../../src/lambda/post-confirmation.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;;;AAMH,4EAA8F;AAC9F,2CAMwB;AACxB,2DAAoG;AACpG,+DAAgE;AAChE,6DAAsF;AACtF,6DAAyD;AAEzD,MAAM,aAAa,GAAG,IAAI,6CAAoB,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;AACnF,IAAI,MAAM,GAAwB,IAAI,CAAC;AACvC,IAAI,KAAK,GAAuB,IAAI,CAAC;AAErC,KAAK,UAAU,SAAS;IACtB,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CACrC,IAAI,8CAAqB,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,aAAc,EAAE,CAAC,CACpE,CAAC;IACF,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAa,CAAC,CAAC;IACpF,MAAM,GAAG,IAAI,qBAAY,CAAC;QACxB,WAAW,EAAE;YACX,EAAE,EAAE;gBACF,GAAG,EAAE,gBAAgB,QAAQ,IAAI,kBAAkB,CAAC,QAAQ,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,MAAM,qBAAqB;aAC7G;SACF;KACF,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,QAAQ;IACf,IAAI,CAAC,KAAK;QAAE,KAAK,GAAG,IAAA,uCAAwB,GAAE,CAAC;IAC/C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,WAAiB;IACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,GAAG,CAAC,cAAc,EAAE,GAAG,WAAW,CAAC,cAAc,EAAE,CAAC;IAC9D,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IAChE,IAAI,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,GAAG,CAAC,UAAU,EAAE,GAAG,WAAW,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC;QACtF,GAAG,EAAE,CAAC;IACR,CAAC;IACD,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,OAAO,CAAC;IAC7B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,MAAM,CAAC;IAC5B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAmC;IAC3D,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,YAAY,CAAC,CAAC;IACjE,IAAI,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QACzC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;QAC1E,mEAAmE;QACnE,mEAAmE;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAA8B;IACpD,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,0EAA0E;IAC1E,qEAAqE;IACrE,uEAAuE;IACvE,
oBAAoB;IACpB,OAAO,GAAG;SACP,KAAK,CAAC,OAAO,CAAC;SACd,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAaD,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,gCAAgC;IAChC,wCAAwC;CACzC,CAAC,CAAC;AAEI,MAAM,OAAO,GAAmC,KAAK,EAAE,KAAK,EAAE,EAAE;IACrE,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,aAAa,CAAC;QAAE,OAAO,KAAK,CAAC;IAE/D,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC;IAClC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;IAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC;IACzC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAE3C,IAAI,WAA6B,CAAC;IAClC,IAAI,OAAO,GAAY,OAAO,CAAC;IAC/B,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;QAChC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,IAAI,MAAM,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YACpD,WAAW,GAAG,MAAM,CAAC;YACrB,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC;IAE7B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,YAAY,CAClC,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,EAAE;QACxC,UAAU;QACV,KAAK;QACL,aAAa,EAAE,KAAK,CAAC,cAAc;QACnC,SAAS;QACT,SAAS;QACT,WAAW;QACX,OAAO;QACP,cAAc,EAAE,KAAK,CAAC,eAAe,CAAC;KACvC,CAAC,EACF,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;IAEF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,MAAM,aAAa,GAAG,KAAK,CAAC,sBAAsB,CAAC,EAAE,WAAW,EAAE,CAAC;QACnE,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;YAC/E,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;oBAC3B,KAAK,EAAE,EAAE,kBAAkB,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,EAAE;oBAClF,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE;oBAC9E,MAAM,EAAE,EAAE;iBACX,CAAC,CAAC;YACL,
CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAE3C,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC;QACb,KAAK,EAAE,gBAAgB;QACvB,UAAU;QACV,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;QACzC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS;KACV,CAAC,CACH,CAAC;IAEF,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AArEW,QAAA,OAAO,WAqElB;AAaF,KAAK,UAAU,uBAAuB,CACpC,EAA4B,EAC5B,KAAwB;IAExB,MAAM,EACJ,UAAU,EACV,KAAK,EACL,SAAS,EACT,SAAS,EACT,WAAW,EACX,OAAO,EACP,cAAc,GACf,GAAG,KAAK,CAAC;IAEV,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;QACvC,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE;KAC3C,CAAC,CAAC;IAEH,IAAI,IAAI,GAAG,QAAQ,CAAC;IACpB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,aAAa,GACjB,CAAC,cAAc,IAAI,cAAc,CAAC,IAAI,EAAE,CAAC;YACzC,CAAC,MAAM,IAAA,4BAAY,EAAC,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;gBACrC,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;gBACtF,OAAO,CAAC,CAAC,KAAK,CAAC;YACjB,CAAC,CAAC,CAAC,CAAC;QACN,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YAC1B,IAAI,EAAE;gBACJ,UAAU;gBACV,KAAK;gBACL,MAAM,EAAE,aAAa;gBACrB,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU;gBAC5C,GAAG,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;aAC7C;SACF,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;QACtD,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,MAAM,GAAG,MAAM,IAAA,4BAAY,EAAC,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;gBACrD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;oBACpC,KAAK,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,IAAK,CAAC,EAAE,EAAE,EAAE;oBAC3C,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;iBACrB,CAAC,CAAC;gBACH,OAAO,CAAC,CAAC,KAAK,CAAC;YACjB,CAAC,CAAC,CAAC;QACL,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;Q
ACzE,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;IAC7C,IAAI,kBAAkB,GAAG,EAAE,CAAC;IAC5B,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,YAAY,GAAG,YAAY,IAAI,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,cAAc,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;YAC5C,IAAI,EAAE;gBACJ,IAAI,EAAE,YAAY;gBAClB,WAAW,EAAE,IAAI,CAAC,MAAM,IAAI,UAAU;gBACtC,IAAI,EAAE,UAAU;gBAChB,mBAAmB,EAAE,IAAI,CAAC,EAAE;aAC7B;SACF,CAAC,CAAC;QACH,gBAAgB,GAAG,cAAc,CAAC,EAAE,CAAC;QACrC,kBAAkB,GAAG,cAAc,CAAC,IAAI,CAAC;QACzC,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;YAC3B,KAAK,EAAE,EAAE,eAAe,EAAE,EAAE,QAAQ,EAAE,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE;YAC5E,MAAM,EAAE;gBACN,QAAQ,EAAE,cAAc,CAAC,EAAE;gBAC3B,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE,IAAI,IAAI,EAAE;aACrB;YACD,MAAM,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE;SAC7B,CAAC,CAAC;QACH,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACnB,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;YACtB,IAAI,EAAE,EAAE,gBAAgB,EAAE,cAAc,CAAC,EAAE,EAAE;SAC9C,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC;YAC1C,KAAK,EAAE,EAAE,EAAE,EAAE,gBAAgB,EAAE;YAC/B,MAAM,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;SACvB,CAAC,CAAC;QACH,kBAAkB,GAAG,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC;QAC1C,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;YAC3B,KAAK,EAAE,EAAE,eAAe,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE;YAC3E,MAAM,EAAE;gBACN,QAAQ,EAAE,gBAAgB;gBAC1B,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE,IAAI,IAAI,EAAE;aACrB;YACD,MAAM,EAAE,EAAE;SACX,CAAC,CAAC;IACL,CAAC;IAED,IAAI,WAAW,GAAkB,IAAI,CAAC;IACtC,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,IAAI,aAAa,GAAsB,IAAI,CAAC;IAC5C,IAAI,SAAS,EAAE,CAAC;QACd,yEAAyE;QACzE,0EAA0E;QAC1E,uEAAuE;QACvE,qEAAqE;QACrE,gEAAgE;QAChE,kEAAkE;QAClE,yEAAyE;QACzE,MAAM,aAAa,GAAG,KAAK,CAAC,aAAa,KAAK,MAAM,CAAC;QACrD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,wCAAwC,EAAE,UAAU,EAAE,CAAC,CAChF,CAAC;YACF,OAAO;gBACL,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,UAAU,EAAE,IAAI,CAAC,IAAI
;gBACrB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;gBACzB,gBAAgB,EAAE,gBAAiB;gBACnC,kBAAkB;gBAClB,WAAW,EAAE,IAAI;gBACjB,aAAa,EAAE,IAAI;gBACnB,aAAa,EAAE,IAAI;aACpB,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,IAAA,iCAAiB,EAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qCAAqC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QAC7F,CAAC;aAAM,CAAC;YACN,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC;gBACpD,KAAK,EAAE,EAAE,MAAM,EAAE;gBACjB,OAAO,EAAE;oBACP,MAAM,EAAE;wBACN,OAAO,EAAE;4BACP,gBAAgB,EAAE;gCAChB,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;6BAC5C;4BACD,YAAY,EAAE;gCACZ,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;6BACjE;yBACF;qBACF;iBACF;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,UAAU,EAAE,CAAC,CAC/E,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,CAAC;gBACpC,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,yCAAyC;oBAChD,UAAU;oBACV,QAAQ,EAAE,YAAY,CAAC,QAAQ;iBAChC,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,IACL,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB;gBACrC,YAAY,CAAC,MAAM,CAAC,gBAAgB,CAAC,MAAM,KAAK,QAAQ,EACxD,CAAC;gBACD,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;oBACb,KAAK,EAAE,oCAAoC;oBAC3C,UAAU;oBACV,QAAQ,EAAE,YAAY,CAAC,QAAQ;iBAChC,CAAC,CACH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,GAAG,IAAA,gCAAiB,EAC5B,SAAS,EACT,YAAY,CAAC,MAAM,CAAC,YAAkC,EACtD,YAAY,CAAC,MAAM,CAAC,gBAAgB,CAAC,WAAW,CACjD,CAAC;gBACF,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;wBACb,KAAK,EAAE,+BAA+B;wBACtC,UAAU;wBACV,QAAQ,EAAE,YAAY,CAAC,QAAQ;qBAChC,CAAC,CACH,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,MAAM,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC;wBAC3B,KAAK,EAAE;4BACL,eAAe,EAAE,EAAE,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE;yBACtE;wBACD,MAAM,EAAE;4BACN,QAAQ,EAAE,YAAY,CAAC,QAAQ;4BAC/B,MAAM,EAAE,IAAI,CAAC,EAAE;4BACf,IAAI;4BACJ,MAAM,EAAE,QAAQ;4BAChB,QAAQ,EAAE,IAAI,IAAI,EAAE;4BACpB,gBAAgB,EAAE,IAAI;yBACvB;wBACD,MAAM,EAAE;4BACN,IAAI;4BACJ,MAAM,EAAE,Q
AAQ;4BAChB,YAAY,EAAE,IAAI,IAAI,EAAE;yBACzB;qBACF,CAAC,CAAC;oBACH,WAAW,GAAG,YAAY,CAAC,QAAQ,CAAC;oBACpC,aAAa,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC;oBACzC,aAAa,GAAG,IAAI,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,UAAU,EAAE,IAAI,CAAC,IAAI;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;QACzB,gBAAgB,EAAE,gBAAiB;QACnC,kBAAkB;QAClB,WAAW;QACX,aAAa;QACb,aAAa;KACd,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA0B;IAC5E,MAAM,cAAc,GAAG,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,gBAAgB,CAAC;IACrE,MAAM,gBAAgB,GAAG,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,kBAAkB,CAAC;IAC3E,MAAM,gBAAgB,GAAG,MAAM,CAAC,aAAa,IAAI,OAAO,CAAC;IACzD,MAAM,MAAM,GAAiB;QAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,cAAc;QACd,UAAU,EAAE,gBAAgB;QAC5B,UAAU,EAAE,gBAAgB;QAC5B,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;IACF,IAAI,CAAC;QACH,MAAM,QAAQ,EAAE,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,gCAAgC;YACvC,UAAU;YACV,KAAK,EAAG,GAAyB,CAAC,IAAI,IAAI,SAAS;SACpD,CAAC,CACH,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
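--- a/package/dist/lambda/pre-token-generation.d.ts
+++ b/package/dist/lambda/pre-token-generation.d.ts
@@ -1,3 +1,23 @@
+/**
+* Cognito PreTokenGeneration trigger (V2 access-token override).
+*
+* Runs on every token issuance and refresh. Responsibilities:
+* 1. Read the cached claims from DynamoDB.
+* 2. On miss: load from RDS (User + active TenantMember + Tenant slug).
+* 3. For federated users: re-resolve the tenant role from the current
+* `custom:idpGroups` against `TenantRoleMapping`. This catches admin-side
+* group changes within the access-token TTL.
+* 4. Write the (possibly refreshed) claims back to DDB.
+* 5. Override the access-token claims via the V2 response shape.
+*
+* Failure modes:
+* - User row missing (drift after RDS restore): return minimal claims —
+* the API responds 403 to tenant-scoped endpoints, never a 500 at sign-in.
+* - DDB or RDS error: bubble up; Cognito treats the issuance as failed.
+*
+* No PII is logged. We log counts and decisions ("cache_hit", "drift",
+* "role_refreshed") and the opaque cognitoSub.
+*/
 import type { PreTokenGenerationV2TriggerHandler } from "aws-lambda";
 export declare const handler: PreTokenGenerationV2TriggerHandler;
 //# sourceMappingURL=pre-token-generation.d.ts.map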
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pre-token-generation.d.ts","sourceRoot":"","sources":["../../src/lambda/pre-token-generation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,
|
|
1
|
+
{"version":3,"file":"pre-token-generation.d.ts","sourceRoot":"","sources":["../../src/lambda/pre-token-generation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAEV,kCAAkC,EACnC,MAAM,YAAY,CAAC;AAwKpB,eAAO,MAAM,OAAO,EAAE,kCAyHrB,CAAC"}
|