@fiado/type-kit 3.131.0 → 3.132.0
- package/_test_/unit/platformRbac/enums/PrincipalIdentifierEnum.test.ts +10 -0
- package/bin/cognitoBackofficeConnector/dtos/CreatePoolRequest.d.ts +5 -0
- package/bin/cognitoBackofficeConnector/dtos/CreatePoolRequest.js +7 -0
- package/bin/platformRbac/application/Application.d.ts +9 -0
- package/bin/platformRbac/dtos/ResendOtpRequest.d.ts +22 -0
- package/bin/{walletFunding/dtos/CancelFundingRequest.js → platformRbac/dtos/ResendOtpRequest.js} +16 -13
- package/bin/platformRbac/dtos/ResendSelfRegisterOtpRequest.d.ts +11 -0
- package/bin/{cognitoBackofficeConnector/dtos/MfaPoolConfig.js → platformRbac/dtos/ResendSelfRegisterOtpRequest.js} +18 -18
- package/bin/platformRbac/enums/PrincipalIdentifierEnum.d.ts +8 -0
- package/bin/platformRbac/enums/PrincipalIdentifierEnum.js +12 -0
- package/bin/platformRbac/index.d.ts +1 -0
- package/bin/platformRbac/index.js +4 -1
- package/package.json +1 -1
- package/src/cognitoBackofficeConnector/dtos/CreatePoolRequest.ts +11 -1
- package/src/platformRbac/application/Application.ts +9 -0
- package/src/platformRbac/enums/PrincipalIdentifierEnum.ts +8 -0
- package/src/platformRbac/index.ts +2 -0
- package/bin/cognitoBackofficeConnector/dtos/MfaPoolConfig.d.ts +0 -7
- package/bin/cognitoBackofficeConnector/dtos/PoolConfigResponse.d.ts +0 -20
- package/bin/cognitoBackofficeConnector/dtos/PoolConfigResponse.js +0 -11
- package/bin/cognitoBackofficeConnector/dtos/PoolsListResponse.d.ts +0 -4
- package/bin/cognitoBackofficeConnector/dtos/PoolsListResponse.js +0 -6
- package/bin/cognitoBackofficeConnector/validators/MfaTypesRequiresOne.d.ts +0 -17
- package/bin/cognitoBackofficeConnector/validators/MfaTypesRequiresOne.js +0 -39
- package/bin/rbac/enums/PoolKind.d.ts +0 -16
- package/bin/rbac/enums/PoolKind.js +0 -20
- package/bin/rbac/index.d.ts +0 -1
- package/bin/rbac/index.js +0 -17
- package/bin/walletFunding/dtos/CancelFundingReferenceRequest.d.ts +0 -5
- package/bin/walletFunding/dtos/CancelFundingReferenceRequest.js +0 -31
- package/bin/walletFunding/dtos/CancelFundingReferenceResponse.d.ts +0 -7
- package/bin/walletFunding/dtos/CancelFundingReferenceResponse.js +0 -6
- package/bin/walletFunding/dtos/CancelFundingRequest.d.ts +0 -11
- package/bin/walletFunding/dtos/CancelFundingResponse.d.ts +0 -14
- package/bin/walletFunding/dtos/CancelFundingResponse.js +0 -12
- package/bin/walletFunding/dtos/CancelWalletFundingRequest.d.ts +0 -3
- package/bin/walletFunding/dtos/CancelWalletFundingRequest.js +0 -21
- package/bin/walletFunding/dtos/CancelWalletFundingResponse.d.ts +0 -7
- package/bin/walletFunding/dtos/CancelWalletFundingResponse.js +0 -6
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
import { describe, it, expect } from '@jest/globals';
|
|
2
|
+
import { PrincipalIdentifierEnum } from '../../../../src/platformRbac/enums/PrincipalIdentifierEnum';
|
|
3
|
+
|
|
4
|
+
describe('PrincipalIdentifierEnum', () => {
|
|
5
|
+
it('tiene EMAIL y PHONE con esos valores', () => {
|
|
6
|
+
expect(PrincipalIdentifierEnum.EMAIL).toBe('EMAIL');
|
|
7
|
+
expect(PrincipalIdentifierEnum.PHONE).toBe('PHONE');
|
|
8
|
+
expect(Object.values(PrincipalIdentifierEnum)).toEqual(['EMAIL', 'PHONE']);
|
|
9
|
+
});
|
|
10
|
+
});
|
|
@@ -19,4 +19,9 @@ export declare class CreatePoolRequest {
|
|
|
19
19
|
passwordPolicy: PasswordPolicyConfig;
|
|
20
20
|
customAttributes: CustomAttributeSpec[];
|
|
21
21
|
appClientConfig: AppClientConfig;
|
|
22
|
+
/**
|
|
23
|
+
* DEC-RBAC-079: atributos de sign-in del pool (Cognito UsernameAttributes). Ausente → el connector
|
|
24
|
+
* default-ea a ['email'] (backward-compatible con los pools ya creados).
|
|
25
|
+
*/
|
|
26
|
+
usernameAttributes?: Array<'email' | 'phone_number'>;
|
|
22
27
|
}
|
|
@@ -59,3 +59,10 @@ __decorate([
|
|
|
59
59
|
(0, class_transformer_1.Type)(() => AppClientConfig_1.AppClientConfig),
|
|
60
60
|
__metadata("design:type", AppClientConfig_1.AppClientConfig)
|
|
61
61
|
], CreatePoolRequest.prototype, "appClientConfig", void 0);
|
|
62
|
+
__decorate([
|
|
63
|
+
(0, class_transformer_1.Expose)(),
|
|
64
|
+
(0, class_validator_1.IsOptional)(),
|
|
65
|
+
(0, class_validator_1.IsArray)(),
|
|
66
|
+
(0, class_validator_1.IsIn)(['email', 'phone_number'], { each: true }),
|
|
67
|
+
__metadata("design:type", Array)
|
|
68
|
+
], CreatePoolRequest.prototype, "usernameAttributes", void 0);
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { PermissionScope } from '../enums/PermissionScope';
|
|
2
|
+
import { PrincipalIdentifierEnum } from '../enums/PrincipalIdentifierEnum';
|
|
2
3
|
import { ApplicationStatus } from '../enums/ApplicationStatus';
|
|
3
4
|
import type { UserFieldDef } from '../dtos/UserFieldDef';
|
|
4
5
|
import type { TokenValidationMode } from '../enums/TokenValidationMode';
|
|
@@ -35,6 +36,14 @@ export interface ApplicationDefaults {
|
|
|
35
36
|
brandingConfig?: ApplicationBrandingDefault;
|
|
36
37
|
tokenValidationMode?: TokenValidationMode;
|
|
37
38
|
autoregister?: AutoregisterConfig;
|
|
39
|
+
/** DEC-RBAC-079: identificador principal de login que heredan los tenants de esta app. Default EMAIL. */
|
|
40
|
+
principalIdentifier?: PrincipalIdentifierEnum;
|
|
41
|
+
/**
|
|
42
|
+
* DEC-RBAC-081: si la app permite un identificador secundario (el otro método) que el usuario/admin
|
|
43
|
+
* agrega y verifica después, habilitando login dual. Default false. INMUTABLE (define el
|
|
44
|
+
* UsernameAttributes del pool): true ⇒ pool con ['email','phone_number']. Heredado al tenant.
|
|
45
|
+
*/
|
|
46
|
+
allowSecondary?: boolean;
|
|
38
47
|
}
|
|
39
48
|
export interface SeedRole {
|
|
40
49
|
roleId: string;
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
import { MfaMethodEnum } from '../enums/MfaMethodEnum';
|
|
2
|
+
/**
|
|
3
|
+
* Body del POST /auth/resend-otp (público, anónimo). DEC-RBAC-054.
|
|
4
|
+
* Reenvía el OTP del login re-disparando el challenge real CUSTOM_AUTH (EMAIL_OTP) para la
|
|
5
|
+
* identidad SIN password. `tenantId` obligatorio (DEC-064 — el picker ya lo resolvió, NO "solo email").
|
|
6
|
+
* El email se normaliza lowercase server-side. Postura anti-enumeración: respuesta 200 genérica
|
|
7
|
+
* siempre, sin filtrar existencia (ver AuthLoginManager.resendChallengeOtp).
|
|
8
|
+
*/
|
|
9
|
+
export declare class ResendOtpRequest {
|
|
10
|
+
email: string;
|
|
11
|
+
tenantId: string;
|
|
12
|
+
}
|
|
13
|
+
/**
|
|
14
|
+
* Respuesta del resend-otp. `session`/`mfaMethod` frescos del nuevo challenge CUSTOM_AUTH.
|
|
15
|
+
* Plain sin validators (no validamos lo que mandamos al cliente — fiado-validation-and-dtos § 7).
|
|
16
|
+
* Ambos opcionales: en los caminos de rechazo silencioso (anti-enumeración) o ramas sin CUSTOM_AUTH
|
|
17
|
+
* el server responde 200 genérico sin session ni método.
|
|
18
|
+
*/
|
|
19
|
+
export interface ResendOtpResponse {
|
|
20
|
+
session?: string;
|
|
21
|
+
mfaMethod?: MfaMethodEnum;
|
|
22
|
+
}
|
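Review bot: The optional `session`/`mfaMethod` fields on `ResendOtpResponse` let a caller tell accounts apart, because the doc comment says the silent-rejection paths answer with a generic 200 carrying neither field while a real challenge carries both. For an anonymous endpoint that claims an anti-enumeration posture, the shape of the body should not depend on whether the identity exists: either every path returns an opaque `session` of the same form, or no path returns one. At minimum the comment should record the constraint, e.g. `* NOTE: presence of session/mfaMethod must not vary with account existence.` Whether the server already returns a decoy session on the rejection paths is not visible in this package.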
package/bin/{walletFunding/dtos/CancelFundingRequest.js → platformRbac/dtos/ResendOtpRequest.js}
RENAMED
|
@@ -9,25 +9,28 @@ var __metadata = (this && this.__metadata) || function (k, v) {
|
|
|
9
9
|
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.
|
|
12
|
+
exports.ResendOtpRequest = void 0;
|
|
13
|
+
const class_transformer_1 = require("class-transformer");
|
|
13
14
|
const class_validator_1 = require("class-validator");
|
|
14
15
|
/**
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
* `
|
|
18
|
-
*
|
|
19
|
-
*
|
|
16
|
+
* Body del POST /auth/resend-otp (público, anónimo). DEC-RBAC-054.
|
|
17
|
+
* Reenvía el OTP del login re-disparando el challenge real CUSTOM_AUTH (EMAIL_OTP) para la
|
|
18
|
+
* identidad SIN password. `tenantId` obligatorio (DEC-064 — el picker ya lo resolvió, NO "solo email").
|
|
19
|
+
* El email se normaliza lowercase server-side. Postura anti-enumeración: respuesta 200 genérica
|
|
20
|
+
* siempre, sin filtrar existencia (ver AuthLoginManager.resendChallengeOtp).
|
|
20
21
|
*/
|
|
21
|
-
class
|
|
22
|
+
class ResendOtpRequest {
|
|
22
23
|
}
|
|
23
|
-
exports.
|
|
24
|
+
exports.ResendOtpRequest = ResendOtpRequest;
|
|
24
25
|
__decorate([
|
|
25
|
-
(0,
|
|
26
|
-
(0, class_validator_1.
|
|
26
|
+
(0, class_transformer_1.Expose)(),
|
|
27
|
+
(0, class_validator_1.IsEmail)(),
|
|
28
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
27
29
|
__metadata("design:type", String)
|
|
28
|
-
],
|
|
30
|
+
], ResendOtpRequest.prototype, "email", void 0);
|
|
29
31
|
__decorate([
|
|
32
|
+
(0, class_transformer_1.Expose)(),
|
|
30
33
|
(0, class_validator_1.IsString)(),
|
|
31
|
-
(0, class_validator_1.
|
|
34
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
32
35
|
__metadata("design:type", String)
|
|
33
|
-
],
|
|
36
|
+
], ResendOtpRequest.prototype, "tenantId", void 0);
|
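Review bot: `tenantId` on `ResendOtpRequest` is checked only with `IsString()` and `IsNotEmpty()`, so an anonymous caller can submit a string of any length and shape to a public endpoint. The DTOs removed elsewhere in this release bounded their identifiers with `MaxLength(64)`; a similar bound, or a format check matching the real tenant id, belongs on the source class, e.g. `@Expose() @IsString() @IsNotEmpty() @MaxLength(64) tenantId!: string;` (the 64 is borrowed from those sibling DTOs and needs confirming against the tenant id format). The same applies to `tenantId` in the ResendSelfRegisterOtpRequest.js section further down. This file is compiled output, so the change has to be made in the TypeScript source, which is not part of this diff.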
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Body del POST /self-register/resend-otp (público, anónimo). DEC-RBAC-054.
|
|
3
|
+
* Re-envía el OTP del autoregistro (mecanismo messages-business, NO Cognito) tras validar un
|
|
4
|
+
* `pending` existente. Misma postura anti-enumeración del start. El email se normaliza lowercase
|
|
5
|
+
* server-side. DTO propio por endpoint (NO reusa SelfRegisterStartRequest, que exige roleId/scope/
|
|
6
|
+
* scopeRef, ni SelfRegisterVerifyOtpRequest, que exige otp).
|
|
7
|
+
*/
|
|
8
|
+
export declare class ResendSelfRegisterOtpRequest {
|
|
9
|
+
tenantId: string;
|
|
10
|
+
email: string;
|
|
11
|
+
}
|
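Review bot: `ResendSelfRegisterOtpRequest` only carries `email`, while this same release adds `PrincipalIdentifierEnum.PHONE` and documents that the principal identifier decides the required sign-up field and the message channel. If an application configured with PHONE can reach this endpoint, its users either cannot request a resend or must supply an e-mail that is not their login identifier. The doc comment should state the restriction, e.g. `* Applies only to apps whose principalIdentifier is EMAIL.`, or the DTO should accept the identifier that matches the tenant's configuration; `ResendOtpRequest` has the same shape. How the server picks the channel is not visible here.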
|
@@ -9,28 +9,28 @@ var __metadata = (this && this.__metadata) || function (k, v) {
|
|
|
9
9
|
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
10
|
};
|
|
11
11
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.
|
|
12
|
+
exports.ResendSelfRegisterOtpRequest = void 0;
|
|
13
13
|
const class_transformer_1 = require("class-transformer");
|
|
14
14
|
const class_validator_1 = require("class-validator");
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
class
|
|
15
|
+
/**
|
|
16
|
+
* Body del POST /self-register/resend-otp (público, anónimo). DEC-RBAC-054.
|
|
17
|
+
* Re-envía el OTP del autoregistro (mecanismo messages-business, NO Cognito) tras validar un
|
|
18
|
+
* `pending` existente. Misma postura anti-enumeración del start. El email se normaliza lowercase
|
|
19
|
+
* server-side. DTO propio por endpoint (NO reusa SelfRegisterStartRequest, que exige roleId/scope/
|
|
20
|
+
* scopeRef, ni SelfRegisterVerifyOtpRequest, que exige otp).
|
|
21
|
+
*/
|
|
22
|
+
class ResendSelfRegisterOtpRequest {
|
|
23
23
|
}
|
|
24
|
-
exports.
|
|
24
|
+
exports.ResendSelfRegisterOtpRequest = ResendSelfRegisterOtpRequest;
|
|
25
25
|
__decorate([
|
|
26
26
|
(0, class_transformer_1.Expose)(),
|
|
27
|
-
(0, class_validator_1.
|
|
28
|
-
|
|
29
|
-
|
|
27
|
+
(0, class_validator_1.IsString)(),
|
|
28
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
29
|
+
__metadata("design:type", String)
|
|
30
|
+
], ResendSelfRegisterOtpRequest.prototype, "tenantId", void 0);
|
|
30
31
|
__decorate([
|
|
31
32
|
(0, class_transformer_1.Expose)(),
|
|
32
|
-
(0, class_validator_1.
|
|
33
|
-
(0, class_validator_1.
|
|
34
|
-
(
|
|
35
|
-
|
|
36
|
-
], MfaPoolConfig.prototype, "mfaTypes", void 0);
|
|
33
|
+
(0, class_validator_1.IsEmail)(),
|
|
34
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
35
|
+
__metadata("design:type", String)
|
|
36
|
+
], ResendSelfRegisterOtpRequest.prototype, "email", void 0);
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* DEC-RBAC-079: identificador principal de login de una aplicación. Lo hereda cada tenant (inmutable)
|
|
3
|
+
* y determina el UsernameAttributes del pool, el campo obligatorio del alta y el canal de mensajes.
|
|
4
|
+
*/
|
|
5
|
+
export declare enum PrincipalIdentifierEnum {
|
|
6
|
+
EMAIL = "EMAIL",
|
|
7
|
+
PHONE = "PHONE"
|
|
8
|
+
}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.PrincipalIdentifierEnum = void 0;
|
|
4
|
+
/**
|
|
5
|
+
* DEC-RBAC-079: identificador principal de login de una aplicación. Lo hereda cada tenant (inmutable)
|
|
6
|
+
* y determina el UsernameAttributes del pool, el campo obligatorio del alta y el canal de mensajes.
|
|
7
|
+
*/
|
|
8
|
+
var PrincipalIdentifierEnum;
|
|
9
|
+
(function (PrincipalIdentifierEnum) {
|
|
10
|
+
PrincipalIdentifierEnum["EMAIL"] = "EMAIL";
|
|
11
|
+
PrincipalIdentifierEnum["PHONE"] = "PHONE";
|
|
12
|
+
})(PrincipalIdentifierEnum || (exports.PrincipalIdentifierEnum = PrincipalIdentifierEnum = {}));
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
export { Permission, PERMISSION_BIT_ORDER, PERMS_VERSION, permissionsToBits, bitsToPermissions, } from './enums/Permission';
|
|
2
2
|
export { PermissionScope } from './enums/PermissionScope';
|
|
3
3
|
export { PermissionCategory } from './enums/PermissionCategory';
|
|
4
|
+
export { PrincipalIdentifierEnum } from './enums/PrincipalIdentifierEnum';
|
|
4
5
|
export type { AuthContext } from './dtos/AuthContext';
|
|
5
6
|
export type { RoleAssignmentInfo } from './dtos/RoleAssignmentInfo';
|
|
6
7
|
export type { PermissionMeta } from './dtos/PermissionMeta';
|
|
@@ -23,7 +23,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
|
|
|
23
23
|
for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
|
|
24
24
|
};
|
|
25
25
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
26
|
-
exports.UserFieldType = exports.scopeRankOrder = exports.tableSuffixForLevel = exports.levelsOf = exports.TENANT_TYPES = exports.TenantType = exports.AuthorizeDenyReason = exports.PermissionCategory = exports.PermissionScope = exports.bitsToPermissions = exports.permissionsToBits = exports.PERMS_VERSION = exports.PERMISSION_BIT_ORDER = exports.Permission = void 0;
|
|
26
|
+
exports.UserFieldType = exports.scopeRankOrder = exports.tableSuffixForLevel = exports.levelsOf = exports.TENANT_TYPES = exports.TenantType = exports.AuthorizeDenyReason = exports.PrincipalIdentifierEnum = exports.PermissionCategory = exports.PermissionScope = exports.bitsToPermissions = exports.permissionsToBits = exports.PERMS_VERSION = exports.PERMISSION_BIT_ORDER = exports.Permission = void 0;
|
|
27
27
|
var Permission_1 = require("./enums/Permission");
|
|
28
28
|
Object.defineProperty(exports, "Permission", { enumerable: true, get: function () { return Permission_1.Permission; } });
|
|
29
29
|
Object.defineProperty(exports, "PERMISSION_BIT_ORDER", { enumerable: true, get: function () { return Permission_1.PERMISSION_BIT_ORDER; } });
|
|
@@ -34,6 +34,9 @@ var PermissionScope_1 = require("./enums/PermissionScope");
|
|
|
34
34
|
Object.defineProperty(exports, "PermissionScope", { enumerable: true, get: function () { return PermissionScope_1.PermissionScope; } });
|
|
35
35
|
var PermissionCategory_1 = require("./enums/PermissionCategory");
|
|
36
36
|
Object.defineProperty(exports, "PermissionCategory", { enumerable: true, get: function () { return PermissionCategory_1.PermissionCategory; } });
|
|
37
|
+
// DEC-RBAC-079: identificador principal de login por aplicación (heredado por tenant).
|
|
38
|
+
var PrincipalIdentifierEnum_1 = require("./enums/PrincipalIdentifierEnum");
|
|
39
|
+
Object.defineProperty(exports, "PrincipalIdentifierEnum", { enumerable: true, get: function () { return PrincipalIdentifierEnum_1.PrincipalIdentifierEnum; } });
|
|
37
40
|
// Fase 1 — Custom Auth Challenge (Email OTP + TOTP) + MFA self-service.
|
|
38
41
|
// Class values (no type-only) — los DTOs llevan decoradores class-validator y se hidratan con plainToInstance en runtime.
|
|
39
42
|
__exportStar(require("./enums/MfaMethodEnum"), exports);
|
package/package.json
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { Expose, Type } from 'class-transformer';
|
|
2
|
-
import { IsArray, IsString, ValidateNested } from 'class-validator';
|
|
2
|
+
import { IsArray, IsIn, IsOptional, IsString, ValidateNested } from 'class-validator';
|
|
3
3
|
import { PasswordPolicyConfig } from './PasswordPolicyConfig';
|
|
4
4
|
import { CustomAttributeSpec } from './CustomAttributeSpec';
|
|
5
5
|
import { AppClientConfig } from './AppClientConfig';
|
|
@@ -28,4 +28,14 @@ export class CreatePoolRequest {
|
|
|
28
28
|
|
|
29
29
|
@Expose() @ValidateNested() @Type(() => AppClientConfig)
|
|
30
30
|
appClientConfig!: AppClientConfig;
|
|
31
|
+
|
|
32
|
+
/**
|
|
33
|
+
* DEC-RBAC-079: atributos de sign-in del pool (Cognito UsernameAttributes). Ausente → el connector
|
|
34
|
+
* default-ea a ['email'] (backward-compatible con los pools ya creados).
|
|
35
|
+
*/
|
|
36
|
+
@Expose()
|
|
37
|
+
@IsOptional()
|
|
38
|
+
@IsArray()
|
|
39
|
+
@IsIn(['email', 'phone_number'], { each: true })
|
|
40
|
+
usernameAttributes?: Array<'email' | 'phone_number'>;
|
|
31
41
|
}
|
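Review bot: The new `usernameAttributes` validators accept an empty array and duplicate entries, because `@IsArray()` plus `@IsIn([...], { each: true })` constrain only the element values. An empty list is neither "absent" (the case where the comment says the connector defaults to `['email']`) nor a usable sign-in configuration, and a pool's sign-in attributes are fixed at creation, so a bad value here is costly to undo. Adding `@ArrayNotEmpty()` and `@ArrayUnique()` from class-validator, next to the import extended in the first hunk, rejects those inputs before the connector calls AWS. The class body starts outside this hunk.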
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { PermissionScope } from '../enums/PermissionScope';
|
|
2
|
+
import { PrincipalIdentifierEnum } from '../enums/PrincipalIdentifierEnum';
|
|
2
3
|
import { ApplicationStatus } from '../enums/ApplicationStatus';
|
|
3
4
|
import type { UserFieldDef } from '../dtos/UserFieldDef';
|
|
4
5
|
import type { TokenValidationMode } from '../enums/TokenValidationMode';
|
|
@@ -45,6 +46,14 @@ export interface ApplicationDefaults {
|
|
|
45
46
|
brandingConfig?: ApplicationBrandingDefault;
|
|
46
47
|
tokenValidationMode?: TokenValidationMode;
|
|
47
48
|
autoregister?: AutoregisterConfig;
|
|
49
|
+
/** DEC-RBAC-079: identificador principal de login que heredan los tenants de esta app. Default EMAIL. */
|
|
50
|
+
principalIdentifier?: PrincipalIdentifierEnum;
|
|
51
|
+
/**
|
|
52
|
+
* DEC-RBAC-081: si la app permite un identificador secundario (el otro método) que el usuario/admin
|
|
53
|
+
* agrega y verifica después, habilitando login dual. Default false. INMUTABLE (define el
|
|
54
|
+
* UsernameAttributes del pool): true ⇒ pool con ['email','phone_number']. Heredado al tenant.
|
|
55
|
+
*/
|
|
56
|
+
allowSecondary?: boolean;
|
|
48
57
|
}
|
|
49
58
|
|
|
50
59
|
export interface SeedRole {
|
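Review bot: `allowSecondary` is described as immutable in its doc comment, yet it is declared as an ordinary mutable optional property of `ApplicationDefaults`, and so is `principalIdentifier`, which the enum's own comment says each tenant inherits immutably. Declaring them as `readonly principalIdentifier?: PrincipalIdentifierEnum;` and `readonly allowSecondary?: boolean;` lets the compiler flag reassignment; update endpoints still have to reject changes at runtime, since the types are erased. The comment also leaves the combined mapping implicit: it should say which `usernameAttributes` result from PHONE with `allowSecondary` false, so the connector and the RBAC side cannot disagree about the pool's sign-in attributes. The interface begins outside this hunk.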
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* DEC-RBAC-079: identificador principal de login de una aplicación. Lo hereda cada tenant (inmutable)
|
|
3
|
+
* y determina el UsernameAttributes del pool, el campo obligatorio del alta y el canal de mensajes.
|
|
4
|
+
*/
|
|
5
|
+
export enum PrincipalIdentifierEnum {
|
|
6
|
+
EMAIL = 'EMAIL',
|
|
7
|
+
PHONE = 'PHONE',
|
|
8
|
+
}
|
|
@@ -17,6 +17,8 @@ export {
|
|
|
17
17
|
} from './enums/Permission';
|
|
18
18
|
export { PermissionScope } from './enums/PermissionScope';
|
|
19
19
|
export { PermissionCategory } from './enums/PermissionCategory';
|
|
20
|
+
// DEC-RBAC-079: identificador principal de login por aplicación (heredado por tenant).
|
|
21
|
+
export { PrincipalIdentifierEnum } from './enums/PrincipalIdentifierEnum';
|
|
20
22
|
|
|
21
23
|
export type { AuthContext } from './dtos/AuthContext';
|
|
22
24
|
export type { RoleAssignmentInfo } from './dtos/RoleAssignmentInfo';
|
|
@@ -1,20 +0,0 @@
|
|
|
1
|
-
import { PoolKind } from '../../rbac/enums/PoolKind';
|
|
2
|
-
/**
|
|
3
|
-
* Shape del `PoolConfigRow` expuesto al caller (BFF M18 / otros lambdas Fiado).
|
|
4
|
-
* Refleja la configuración de un Cognito User Pool registrado en la tabla
|
|
5
|
-
* `PoolConfigs_GT` del lambda `cognito-backoffice-connector`.
|
|
6
|
-
*/
|
|
7
|
-
export declare class PoolConfigResponse {
|
|
8
|
-
userPoolId: string;
|
|
9
|
-
userPoolArn: string;
|
|
10
|
-
region: string;
|
|
11
|
-
poolKind: PoolKind;
|
|
12
|
-
displayName: string;
|
|
13
|
-
appClients: Record<string, {
|
|
14
|
-
clientId: string;
|
|
15
|
-
clientName: string;
|
|
16
|
-
}>;
|
|
17
|
-
status: 'active' | 'deprecated';
|
|
18
|
-
createdAt: number;
|
|
19
|
-
updatedAt: number;
|
|
20
|
-
}
|
|
@@ -1,11 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.PoolConfigResponse = void 0;
|
|
4
|
-
/**
|
|
5
|
-
* Shape del `PoolConfigRow` expuesto al caller (BFF M18 / otros lambdas Fiado).
|
|
6
|
-
* Refleja la configuración de un Cognito User Pool registrado en la tabla
|
|
7
|
-
* `PoolConfigs_GT` del lambda `cognito-backoffice-connector`.
|
|
8
|
-
*/
|
|
9
|
-
class PoolConfigResponse {
|
|
10
|
-
}
|
|
11
|
-
exports.PoolConfigResponse = PoolConfigResponse;
|
|
@@ -1,17 +0,0 @@
|
|
|
1
|
-
import { ValidatorConstraintInterface, ValidationArguments } from 'class-validator';
|
|
2
|
-
/**
|
|
3
|
-
* Cross-field validator: si `requireMfa: true`, entonces `mfaTypes` debe tener
|
|
4
|
-
* al menos 1 elemento. Si `requireMfa: false`, `mfaTypes` puede ser vacío.
|
|
5
|
-
*
|
|
6
|
-
* Razón: cuando el pool nace con MFA habilitado, el connector llama
|
|
7
|
-
* `SetUserPoolMfaConfigCommand` con la lista de tipos del DTO. Si el array
|
|
8
|
-
* llega vacío con `requireMfa: true`, el SDK rechaza con InvalidParameterException
|
|
9
|
-
* y el pool queda en estado inconsistente (MfaConfiguration:'ON' sin tipos).
|
|
10
|
-
* Mejor rechazar en validación del DTO antes de tocar AWS.
|
|
11
|
-
*
|
|
12
|
-
* Ver pivote v1.4.1 TD-017 cerrado + spec doc §1 R3.
|
|
13
|
-
*/
|
|
14
|
-
export declare class MfaTypesRequiresOne implements ValidatorConstraintInterface {
|
|
15
|
-
validate(mfaTypes: unknown, args: ValidationArguments): boolean;
|
|
16
|
-
defaultMessage(): string;
|
|
17
|
-
}
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
-
};
|
|
8
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
-
exports.MfaTypesRequiresOne = void 0;
|
|
10
|
-
const class_validator_1 = require("class-validator");
|
|
11
|
-
/**
|
|
12
|
-
* Cross-field validator: si `requireMfa: true`, entonces `mfaTypes` debe tener
|
|
13
|
-
* al menos 1 elemento. Si `requireMfa: false`, `mfaTypes` puede ser vacío.
|
|
14
|
-
*
|
|
15
|
-
* Razón: cuando el pool nace con MFA habilitado, el connector llama
|
|
16
|
-
* `SetUserPoolMfaConfigCommand` con la lista de tipos del DTO. Si el array
|
|
17
|
-
* llega vacío con `requireMfa: true`, el SDK rechaza con InvalidParameterException
|
|
18
|
-
* y el pool queda en estado inconsistente (MfaConfiguration:'ON' sin tipos).
|
|
19
|
-
* Mejor rechazar en validación del DTO antes de tocar AWS.
|
|
20
|
-
*
|
|
21
|
-
* Ver pivote v1.4.1 TD-017 cerrado + spec doc §1 R3.
|
|
22
|
-
*/
|
|
23
|
-
let MfaTypesRequiresOne = class MfaTypesRequiresOne {
|
|
24
|
-
validate(mfaTypes, args) {
|
|
25
|
-
const obj = args.object;
|
|
26
|
-
if (obj.requireMfa === true) {
|
|
27
|
-
return Array.isArray(mfaTypes) && mfaTypes.length >= 1;
|
|
28
|
-
}
|
|
29
|
-
// requireMfa: false → cualquier mfaTypes pasa.
|
|
30
|
-
return true;
|
|
31
|
-
}
|
|
32
|
-
defaultMessage() {
|
|
33
|
-
return 'mfaTypes requiere al menos un tipo cuando requireMfa=true';
|
|
34
|
-
}
|
|
35
|
-
};
|
|
36
|
-
exports.MfaTypesRequiresOne = MfaTypesRequiresOne;
|
|
37
|
-
exports.MfaTypesRequiresOne = MfaTypesRequiresOne = __decorate([
|
|
38
|
-
(0, class_validator_1.ValidatorConstraint)({ name: 'MfaTypesRequiresOneWhenMfaRequired', async: false })
|
|
39
|
-
], MfaTypesRequiresOne);
|
|
@@ -1,16 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Tipo de User Pool de Cognito desde la perspectiva del modelo RBAC Fiado.
|
|
3
|
-
*
|
|
4
|
-
* Origen: spec del proyecto `cognito-backoffice-connector` (Fase 0, componente 01
|
|
5
|
-
* documento `docs/superpowers/specs/2026-05-26-cognito-connector-decisiones-pendientes-design.md`).
|
|
6
|
-
*
|
|
7
|
-
* Decisión (TD-003): el proyecto converge en estos 2 valores. El documento componente 03
|
|
8
|
-
* lista 3 valores (incluyendo una variante adicional) pero queda como outlier — la
|
|
9
|
-
* decisión vigente en los 6 docs restantes y en el plan de implementación es 2 valores:
|
|
10
|
-
* - BACKOFFICE_PLATFORM — pool del backoffice de plataforma (cross-tenant)
|
|
11
|
-
* - BACKOFFICE_TENANT — pool por tenant (multi-tenant isolation)
|
|
12
|
-
*/
|
|
13
|
-
export declare enum PoolKind {
|
|
14
|
-
BACKOFFICE_PLATFORM = "BACKOFFICE_PLATFORM",
|
|
15
|
-
BACKOFFICE_TENANT = "BACKOFFICE_TENANT"
|
|
16
|
-
}
|
|
@@ -1,20 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.PoolKind = void 0;
|
|
4
|
-
/**
|
|
5
|
-
* Tipo de User Pool de Cognito desde la perspectiva del modelo RBAC Fiado.
|
|
6
|
-
*
|
|
7
|
-
* Origen: spec del proyecto `cognito-backoffice-connector` (Fase 0, componente 01
|
|
8
|
-
* documento `docs/superpowers/specs/2026-05-26-cognito-connector-decisiones-pendientes-design.md`).
|
|
9
|
-
*
|
|
10
|
-
* Decisión (TD-003): el proyecto converge en estos 2 valores. El documento componente 03
|
|
11
|
-
* lista 3 valores (incluyendo una variante adicional) pero queda como outlier — la
|
|
12
|
-
* decisión vigente en los 6 docs restantes y en el plan de implementación es 2 valores:
|
|
13
|
-
* - BACKOFFICE_PLATFORM — pool del backoffice de plataforma (cross-tenant)
|
|
14
|
-
* - BACKOFFICE_TENANT — pool por tenant (multi-tenant isolation)
|
|
15
|
-
*/
|
|
16
|
-
var PoolKind;
|
|
17
|
-
(function (PoolKind) {
|
|
18
|
-
PoolKind["BACKOFFICE_PLATFORM"] = "BACKOFFICE_PLATFORM";
|
|
19
|
-
PoolKind["BACKOFFICE_TENANT"] = "BACKOFFICE_TENANT";
|
|
20
|
-
})(PoolKind || (exports.PoolKind = PoolKind = {}));
|
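--- a/package/bin/rbac/index.d.ts
+++ b/package/bin/rbac/index.d.ts
@@ -1 +0,0 @@
-export * from './enums/PoolKind';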
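--- a/package/bin/rbac/index.js
+++ b/package/bin/rbac/index.js
@@ -1,17 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-var desc = Object.getOwnPropertyDescriptor(m, k);
-if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-desc = { enumerable: true, get: function() { return m[k]; } };
-}
-Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./enums/PoolKind"), exports);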
|
@@ -1,31 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
-
};
|
|
8
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
-
};
|
|
11
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.CancelFundingReferenceRequest = void 0;
|
|
13
|
-
const class_validator_1 = require("class-validator");
|
|
14
|
-
class CancelFundingReferenceRequest {
|
|
15
|
-
}
|
|
16
|
-
exports.CancelFundingReferenceRequest = CancelFundingReferenceRequest;
|
|
17
|
-
__decorate([
|
|
18
|
-
(0, class_validator_1.IsString)(),
|
|
19
|
-
(0, class_validator_1.MaxLength)(64),
|
|
20
|
-
__metadata("design:type", String)
|
|
21
|
-
], CancelFundingReferenceRequest.prototype, "fundingId", void 0);
|
|
22
|
-
__decorate([
|
|
23
|
-
(0, class_validator_1.IsString)(),
|
|
24
|
-
(0, class_validator_1.MaxLength)(64),
|
|
25
|
-
__metadata("design:type", String)
|
|
26
|
-
], CancelFundingReferenceRequest.prototype, "directoryId", void 0);
|
|
27
|
-
__decorate([
|
|
28
|
-
(0, class_validator_1.IsString)(),
|
|
29
|
-
(0, class_validator_1.MaxLength)(64),
|
|
30
|
-
__metadata("design:type", String)
|
|
31
|
-
], CancelFundingReferenceRequest.prototype, "idempotencyKey", void 0);
|
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
import { BenefitPaymentStatusEnum } from "../../benefitCenter/enums/BenefitPaymentStatusEnum";
|
|
2
|
-
import { WalletFundingErrorCodeEnum } from "../enums/WalletFundingErrorCodeEnum";
|
|
3
|
-
export declare class CancelFundingReferenceResponse {
|
|
4
|
-
fundingId: string;
|
|
5
|
-
status: BenefitPaymentStatusEnum;
|
|
6
|
-
errorCode?: WalletFundingErrorCodeEnum;
|
|
7
|
-
}
|
|
@@ -1,11 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Request del cancel via Centro de Beneficios (spec 13 v2.0).
|
|
3
|
-
* `fundingId` viaja en el path, `directoryId` se resuelve del JWT.
|
|
4
|
-
* `providerModuleName` permite al marketplace rutear al publisher correcto
|
|
5
|
-
* sin tener que persistir el mapping (el wallet-app sabe el moduleName
|
|
6
|
-
* porque vino en la respuesta del authorize).
|
|
7
|
-
*/
|
|
8
|
-
export declare class CancelFundingRequest {
|
|
9
|
-
idempotencyKey: string;
|
|
10
|
-
providerModuleName: string;
|
|
11
|
-
}
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
import { BenefitPaymentStatusEnum } from "../../benefitCenter/enums/BenefitPaymentStatusEnum";
|
|
2
|
-
import { WalletFundingErrorCodeEnum } from "../enums/WalletFundingErrorCodeEnum";
|
|
3
|
-
/**
|
|
4
|
-
* Response del cancel via Centro de Beneficios (spec 13 v2.0).
|
|
5
|
-
* `status` reusa `BenefitPaymentStatusEnum` (APPROVED = cancel aceptado;
|
|
6
|
-
* REJECTED = no se pudo) para consistencia con `CancelFundingReferenceResponse`
|
|
7
|
-
* (marketplace ↔ connector). Idempotente: re-cancelar devuelve APPROVED.
|
|
8
|
-
*/
|
|
9
|
-
export declare class CancelFundingResponse {
|
|
10
|
-
fundingId: string;
|
|
11
|
-
status: BenefitPaymentStatusEnum;
|
|
12
|
-
errorCode?: WalletFundingErrorCodeEnum;
|
|
13
|
-
message?: string;
|
|
14
|
-
}
|
|
@@ -1,12 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.CancelFundingResponse = void 0;
|
|
4
|
-
/**
|
|
5
|
-
* Response del cancel via Centro de Beneficios (spec 13 v2.0).
|
|
6
|
-
* `status` reusa `BenefitPaymentStatusEnum` (APPROVED = cancel aceptado;
|
|
7
|
-
* REJECTED = no se pudo) para consistencia con `CancelFundingReferenceResponse`
|
|
8
|
-
* (marketplace ↔ connector). Idempotente: re-cancelar devuelve APPROVED.
|
|
9
|
-
*/
|
|
10
|
-
class CancelFundingResponse {
|
|
11
|
-
}
|
|
12
|
-
exports.CancelFundingResponse = CancelFundingResponse;
|
|
@@ -1,21 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
-
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
-
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
-
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
-
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
-
};
|
|
8
|
-
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
-
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
-
};
|
|
11
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
-
exports.CancelWalletFundingRequest = void 0;
|
|
13
|
-
const class_validator_1 = require("class-validator");
|
|
14
|
-
class CancelWalletFundingRequest {
|
|
15
|
-
}
|
|
16
|
-
exports.CancelWalletFundingRequest = CancelWalletFundingRequest;
|
|
17
|
-
__decorate([
|
|
18
|
-
(0, class_validator_1.IsString)(),
|
|
19
|
-
(0, class_validator_1.MaxLength)(64),
|
|
20
|
-
__metadata("design:type", String)
|
|
21
|
-
], CancelWalletFundingRequest.prototype, "idempotencyKey", void 0);
|
|
@@ -1,7 +0,0 @@
|
|
|
1
|
-
import { BenefitPaymentStatusEnum } from "../../benefitCenter/enums/BenefitPaymentStatusEnum";
|
|
2
|
-
import { WalletFundingErrorCodeEnum } from "../enums/WalletFundingErrorCodeEnum";
|
|
3
|
-
export declare class CancelWalletFundingResponse {
|
|
4
|
-
status: BenefitPaymentStatusEnum;
|
|
5
|
-
errorCode?: WalletFundingErrorCodeEnum;
|
|
6
|
-
fundingId?: string;
|
|
7
|
-
}
|