@fnd-platform/cognito-auth 1.0.0-alpha.1

package/lib/client/auth-client.js

@@ -0,0 +1,270 @@
+'use strict';
+/**
+ * Cognito authentication client for frontend applications.
+ *
+ * Provides methods for sign-in, sign-up, sign-out, and token refresh
+ * using AWS Cognito User Pools.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, '__esModule', { value: true });
+exports.FndAuthClient = void 0;
+exports.clearClientCache = clearClientCache;
+const client_cognito_identity_provider_1 = require('@aws-sdk/client-cognito-identity-provider');
+const errors_js_1 = require('./errors.js');
+/**
+ * Cache for Cognito clients keyed by configuration.
+ */
+const clientCache = new Map();
+/**
+ * Generates a cache key for the given configuration.
+ */
+function getCacheKey(config) {
+  const region = config.region ?? process.env.AWS_REGION ?? 'us-east-1';
+  return `${config.userPoolId}:${config.clientId}:${region}`;
+}
+/**
+ * Gets or creates a Cognito client for the given configuration.
+ */
+function getClient(config) {
+  const key = getCacheKey(config);
+  let client = clientCache.get(key);
+  if (!client) {
+    const region = config.region ?? process.env.AWS_REGION ?? 'us-east-1';
+    client = new client_cognito_identity_provider_1.CognitoIdentityProviderClient({ region });
+    clientCache.set(key, client);
+  }
+  return client;
+}
+/**
+ * Clears the client cache. Useful for testing.
+ */
+function clearClientCache() {
+  clientCache.clear();
+}
+/**
+ * Cognito authentication client for frontend applications.
+ *
+ * Provides methods for user authentication including sign-in, sign-up,
+ * email confirmation, token refresh, and sign-out.
+ *
+ * @example
+ * ```typescript
+ * const authClient = new FndAuthClient({
+ *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
+ *   clientId: process.env.COGNITO_CLIENT_ID!,
+ *   region: process.env.AWS_REGION,
+ * });
+ *
+ * // Sign in
+ * const tokens = await authClient.signIn('user@example.com', 'password');
+ *
+ * // Use access token for API calls
+ * const response = await fetch('/api/data', {
+ *   headers: { Authorization: `Bearer ${tokens.accessToken}` },
+ * });
+ * ```
+ */
+class FndAuthClient {
+  client;
+  clientId;
+  /**
+   * Creates a new FndAuthClient.
+   *
+   * @param config - Configuration for the auth client
+   */
+  constructor(config) {
+    this.client = getClient(config);
+    this.clientId = config.clientId;
+  }
+  /**
+   * Signs in a user with email and password.
+   *
+   * @param email - User's email address
+   * @param password - User's password
+   * @returns Authentication tokens
+   * @throws {AuthError} If authentication fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const tokens = await authClient.signIn('user@example.com', 'password');
+   *   console.log('Logged in!', tokens.accessToken);
+   * } catch (error) {
+   *   if (error instanceof AuthError && error.code === 'USER_NOT_CONFIRMED') {
+   *     // Redirect to confirmation page
+   *   }
+   * }
+   * ```
+   */
+  async signIn(email, password) {
+    try {
+      const result = await this.client.send(
+        new client_cognito_identity_provider_1.InitiateAuthCommand({
+          AuthFlow: client_cognito_identity_provider_1.AuthFlowType.USER_PASSWORD_AUTH,
+          ClientId: this.clientId,
+          AuthParameters: {
+            USERNAME: email,
+            PASSWORD: password,
+          },
+        })
+      );
+      if (!result.AuthenticationResult) {
+        throw new Error('Authentication failed - no result returned');
+      }
+      const { AccessToken, IdToken, RefreshToken, ExpiresIn } = result.AuthenticationResult;
+      if (!AccessToken || !IdToken || !RefreshToken) {
+        throw new Error('Authentication failed - missing tokens');
+      }
+      return {
+        accessToken: AccessToken,
+        idToken: IdToken,
+        refreshToken: RefreshToken,
+        expiresIn: ExpiresIn ?? 3600,
+      };
+    } catch (error) {
+      throw (0, errors_js_1.mapCognitoError)(error, 'Sign in failed');
+    }
+  }
+  /**
+   * Signs up a new user.
+   *
+   * @param email - User's email address
+   * @param password - User's password
+   * @param name - Optional user's name
+   * @returns Sign-up result with confirmation status
+   * @throws {AuthError} If sign-up fails
+   *
+   * @example
+   * ```typescript
+   * const result = await authClient.signUp('user@example.com', 'password', 'John Doe');
+   * if (!result.userConfirmed) {
+   *   // Show confirmation code input
+   *   console.log(`Code sent to ${result.codeDeliveryDetails?.destination}`);
+   * }
+   * ```
+   */
+  async signUp(email, password, name) {
+    try {
+      const userAttributes = [{ Name: 'email', Value: email }];
+      if (name) {
+        userAttributes.push({ Name: 'name', Value: name });
+      }
+      const result = await this.client.send(
+        new client_cognito_identity_provider_1.SignUpCommand({
+          ClientId: this.clientId,
+          Username: email,
+          Password: password,
+          UserAttributes: userAttributes,
+        })
+      );
+      return {
+        userConfirmed: result.UserConfirmed ?? false,
+        codeDeliveryDetails: result.CodeDeliveryDetails
+          ? {
+              destination: result.CodeDeliveryDetails.Destination,
+              deliveryMedium: result.CodeDeliveryDetails.DeliveryMedium,
+            }
+          : undefined,
+      };
+    } catch (error) {
+      throw (0, errors_js_1.mapCognitoError)(error, 'Sign up failed');
+    }
+  }
+  /**
+   * Confirms a user's sign-up with the verification code.
+   *
+   * @param email - User's email address
+   * @param code - Verification code from email/SMS
+   * @throws {AuthError} If confirmation fails
+   *
+   * @example
+   * ```typescript
+   * await authClient.confirmSignUp('user@example.com', '123456');
+   * // User is now confirmed, can sign in
+   * ```
+   */
+  async confirmSignUp(email, code) {
+    try {
+      await this.client.send(
+        new client_cognito_identity_provider_1.ConfirmSignUpCommand({
+          ClientId: this.clientId,
+          Username: email,
+          ConfirmationCode: code,
+        })
+      );
+    } catch (error) {
+      throw (0, errors_js_1.mapCognitoError)(error, 'Confirmation failed');
+    }
+  }
+  /**
+   * Refreshes authentication tokens using a refresh token.
+   *
+   * @param refreshToken - The refresh token from a previous authentication
+   * @returns New authentication tokens
+   * @throws {AuthError} If refresh fails
+   *
+   * @example
+   * ```typescript
+   * // When access token is about to expire
+   * const newTokens = await authClient.refreshTokens(tokens.refreshToken);
+   * ```
+   */
+  async refreshTokens(refreshToken) {
+    try {
+      const result = await this.client.send(
+        new client_cognito_identity_provider_1.InitiateAuthCommand({
+          AuthFlow: client_cognito_identity_provider_1.AuthFlowType.REFRESH_TOKEN_AUTH,
+          ClientId: this.clientId,
+          AuthParameters: {
+            REFRESH_TOKEN: refreshToken,
+          },
+        })
+      );
+      if (!result.AuthenticationResult) {
+        throw new Error('Token refresh failed - no result returned');
+      }
+      const { AccessToken, IdToken, ExpiresIn } = result.AuthenticationResult;
+      if (!AccessToken || !IdToken) {
+        throw new Error('Token refresh failed - missing tokens');
+      }
+      return {
+        accessToken: AccessToken,
+        idToken: IdToken,
+        // Refresh token doesn't change on refresh
+        refreshToken: refreshToken,
+        expiresIn: ExpiresIn ?? 3600,
+      };
+    } catch (error) {
+      throw (0, errors_js_1.mapCognitoError)(error, 'Token refresh failed');
+    }
+  }
+  /**
+   * Signs out the user from all devices.
+   *
+   * This invalidates all refresh tokens for the user, effectively
+   * signing them out from all devices.
+   *
+   * @param accessToken - The user's current access token
+   * @throws {AuthError} If sign-out fails
+   *
+   * @example
+   * ```typescript
+   * await authClient.signOut(tokens.accessToken);
+   * // User is now signed out from all devices
+   * ```
+   */
+  async signOut(accessToken) {
+    try {
+      await this.client.send(
+        new client_cognito_identity_provider_1.GlobalSignOutCommand({
+          AccessToken: accessToken,
+        })
+      );
+    } catch (error) {
+      throw (0, errors_js_1.mapCognitoError)(error, 'Sign out failed');
+    }
+  }
+}
+exports.FndAuthClient = FndAuthClient;
+//# sourceMappingURL=auth-client.js.map

package/lib/client/auth-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-client.js","sourceRoot":"","sources":["../../src/client/auth-client.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AA2CH,4CAEC;AA3CD,gGAOmD;AAEnD,2CAA8C;AAE9C;;GAEG;AACH,MAAM,WAAW,GAAG,IAAI,GAAG,EAAyC,CAAC;AAErE;;GAEG;AACH,SAAS,WAAW,CAAC,MAAwB;IAC3C,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW,CAAC;IACtE,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,EAAE,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,MAAwB;IACzC,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW,CAAC;QACtE,MAAM,GAAG,IAAI,gEAA6B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACvD,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB;IAC9B,WAAW,CAAC,KAAK,EAAE,CAAC;AACtB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAa,aAAa;IACP,MAAM,CAAgC;IACtC,QAAQ,CAAS;IAElC;;;;OAIG;IACH,YAAY,MAAwB;QAClC,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAClC,CAAC;IAED;;;;;;;;;;;;;;;;;;;OAmBG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,QAAgB;QAC1C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACnC,IAAI,sDAAmB,CAAC;gBACtB,QAAQ,EAAE,+CAAY,CAAC,kBAAkB;gBACzC,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,cAAc,EAAE;oBACd,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,QAAQ;iBACnB;aACF,CAAC,CACH,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAChE,CAAC;YAED,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC,oBAAoB,CAAC;YAEtF,IAAI,CAAC,WAAW,IAAI,CAAC,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC9C,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC5D,CAAC;YAED,OAAO;gBACL,WAAW,EAAE,WAAW;gBACxB,OAAO,EAAE,OAAO;gBAChB,YAAY,EAAE,YAAY;gBAC1B,SAAS,EAAE,SAAS,IAAI,IAAI;aAC7B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAA,2BAAe,EAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,QAAgB,EAAE,IAAa;QACzD,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;YAEzD,IAAI,IAAI,EAAE,CAAC;gBACT,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACrD,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACnC,IAAI,gDAAa,CAAC;gBAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,QAAQ;gBAClB,cAAc,EAAE,cAAc;aAC/B,CAAC,CACH,CAAC;YAEF,OAAO;gBACL,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,KAAK;gBAC5C,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;oBAC7C,CAAC,CAAC;wBACE,WAAW,EAAE,MAAM,CAAC,mBAAmB,CAAC,WAAW;wBACnD,cAAc,EAAE,MAAM,CAAC,mBAAmB,CAAC,cAAiC;qBAC7E;oBACH,CAAC,CAAC,SAAS;aACd,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAA,2BAAe,EAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa,EAAE,IAAY;QAC7C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,uDAAoB,CAAC;gBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ,EAAE,KAAK;gBACf,gBAAgB,EAAE,IAAI;aACvB,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAA,2BAAe,EAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,aAAa,CAAC,YAAoB;QACtC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACnC,IAAI,sDAAmB,CAAC;gBACtB,QAAQ,EAAE,+CAAY,CAAC,kBAAkB;gBACzC,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,cAAc,EAAE;oBACd,aAAa,EAAE,YAAY;iBAC5B;aACF,CAAC,CACH,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;YAC/D,CAAC;YAED,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC,oBAAoB,CAAC;YAExE,IAAI,CAAC,WAAW,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D,CAAC;YAED,OAAO;gBACL,WAAW,EAAE,WAAW;gBACxB,OAAO,EAAE,OAAO;gBAChB,0CAA0C;gBAC1C,YAAY,EAAE,YAAY;gBAC1B,SAAS,EAAE,SAAS,IAAI,IAAI;aAC7B,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAA,2BAAe,EAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,OAAO,CAAC,WAAmB;QAC/B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,uDAAoB,CAAC;gBACvB,WAAW,EAAE,WAAW;aACzB,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAA,2BAAe,EAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;CACF;AAzND,sCAyNC"}

package/lib/client/errors.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Authentication error types for FndAuthClient.
+ *
+ * Provides structured error handling with error codes for common
+ * Cognito authentication failures.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Error codes for authentication failures.
+ */
+export type AuthErrorCode =
+  | 'INVALID_CREDENTIALS'
+  | 'USER_NOT_FOUND'
+  | 'USER_NOT_CONFIRMED'
+  | 'CODE_MISMATCH'
+  | 'CODE_EXPIRED'
+  | 'TOKEN_EXPIRED'
+  | 'INVALID_TOKEN'
+  | 'USER_EXISTS'
+  | 'PASSWORD_POLICY'
+  | 'RATE_LIMITED'
+  | 'SERVICE_ERROR';
+/**
+ * Authentication error with structured error code.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await authClient.signIn(email, password);
+ * } catch (error) {
+ *   if (error instanceof AuthError) {
+ *     switch (error.code) {
+ *       case 'INVALID_CREDENTIALS':
+ *         // Handle invalid credentials
+ *         break;
+ *       case 'USER_NOT_CONFIRMED':
+ *         // Redirect to confirmation page
+ *         break;
+ *     }
+ *   }
+ * }
+ * ```
+ */
+export declare class AuthError extends Error {
+  readonly code: AuthErrorCode;
+  readonly cause?: Error | undefined;
+  /**
+   * Creates a new AuthError.
+   *
+   * @param message - Human-readable error message
+   * @param code - Structured error code for programmatic handling
+   * @param cause - Original error that caused this error
+   */
+  constructor(message: string, code: AuthErrorCode, cause?: Error | undefined);
+}
+/**
+ * Maps a Cognito SDK error to an AuthError.
+ *
+ * @param error - Error from Cognito SDK
+ * @param defaultMessage - Default message if error message is not available
+ * @returns AuthError with appropriate code
+ *
+ * @internal
+ */
+export declare function mapCognitoError(error: unknown, defaultMessage: string): AuthError;
+//# sourceMappingURL=errors.d.ts.map

package/lib/client/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;GAEG;AACH,MAAM,MAAM,aAAa,GACrB,qBAAqB,GACrB,gBAAgB,GAChB,oBAAoB,GACpB,eAAe,GACf,cAAc,GACd,eAAe,GACf,eAAe,GACf,aAAa,GACb,iBAAiB,GACjB,cAAc,GACd,eAAe,CAAC;AAEpB;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,SAAU,SAAQ,KAAK;aAUhB,IAAI,EAAE,aAAa;aACnB,KAAK,CAAC,EAAE,KAAK;IAV/B;;;;;;OAMG;gBAED,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,aAAa,EACnB,KAAK,CAAC,EAAE,KAAK,YAAA;CAShC;AAoBD;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,SAAS,CAOjF"}

package/lib/client/errors.js

@@ -0,0 +1,90 @@
+'use strict';
+/**
+ * Authentication error types for FndAuthClient.
+ *
+ * Provides structured error handling with error codes for common
+ * Cognito authentication failures.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, '__esModule', { value: true });
+exports.AuthError = void 0;
+exports.mapCognitoError = mapCognitoError;
+/**
+ * Authentication error with structured error code.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await authClient.signIn(email, password);
+ * } catch (error) {
+ *   if (error instanceof AuthError) {
+ *     switch (error.code) {
+ *       case 'INVALID_CREDENTIALS':
+ *         // Handle invalid credentials
+ *         break;
+ *       case 'USER_NOT_CONFIRMED':
+ *         // Redirect to confirmation page
+ *         break;
+ *     }
+ *   }
+ * }
+ * ```
+ */
+class AuthError extends Error {
+  code;
+  cause;
+  /**
+   * Creates a new AuthError.
+   *
+   * @param message - Human-readable error message
+   * @param code - Structured error code for programmatic handling
+   * @param cause - Original error that caused this error
+   */
+  constructor(message, code, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+    this.name = 'AuthError';
+    // Maintains proper stack trace in V8 environments
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, AuthError);
+    }
+  }
+}
+exports.AuthError = AuthError;
+/**
+ * Maps Cognito exception names to AuthErrorCode.
+ *
+ * @internal
+ */
+const COGNITO_ERROR_MAP = {
+  NotAuthorizedException: 'INVALID_CREDENTIALS',
+  UserNotFoundException: 'USER_NOT_FOUND',
+  UserNotConfirmedException: 'USER_NOT_CONFIRMED',
+  CodeMismatchException: 'CODE_MISMATCH',
+  ExpiredCodeException: 'CODE_EXPIRED',
+  UsernameExistsException: 'USER_EXISTS',
+  InvalidPasswordException: 'PASSWORD_POLICY',
+  InvalidParameterException: 'PASSWORD_POLICY',
+  TooManyRequestsException: 'RATE_LIMITED',
+  LimitExceededException: 'RATE_LIMITED',
+};
+/**
+ * Maps a Cognito SDK error to an AuthError.
+ *
+ * @param error - Error from Cognito SDK
+ * @param defaultMessage - Default message if error message is not available
+ * @returns AuthError with appropriate code
+ *
+ * @internal
+ */
+function mapCognitoError(error, defaultMessage) {
+  if (error instanceof Error) {
+    const errorName = error.name;
+    const code = COGNITO_ERROR_MAP[errorName] ?? 'SERVICE_ERROR';
+    return new AuthError(error.message || defaultMessage, code, error);
+  }
+  return new AuthError(defaultMessage, 'SERVICE_ERROR');
+}
+//# sourceMappingURL=errors.js.map

package/lib/client/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAwFH,0CAOC;AA7ED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAa,SAAU,SAAQ,KAAK;IAUhB;IACA;IAVlB;;;;;;OAMG;IACH,YACE,OAAe,EACC,IAAmB,EACnB,KAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAe;QACnB,UAAK,GAAL,KAAK,CAAQ;QAG7B,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,kDAAkD;QAClD,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC5B,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;CACF;AApBD,8BAoBC;AAED;;;;GAIG;AACH,MAAM,iBAAiB,GAAkC;IACvD,sBAAsB,EAAE,qBAAqB;IAC7C,qBAAqB,EAAE,gBAAgB;IACvC,yBAAyB,EAAE,oBAAoB;IAC/C,qBAAqB,EAAE,eAAe;IACtC,oBAAoB,EAAE,cAAc;IACpC,uBAAuB,EAAE,aAAa;IACtC,wBAAwB,EAAE,iBAAiB;IAC3C,yBAAyB,EAAE,iBAAiB;IAC5C,wBAAwB,EAAE,cAAc;IACxC,sBAAsB,EAAE,cAAc;CACvC,CAAC;AAEF;;;;;;;;GAQG;AACH,SAAgB,eAAe,CAAC,KAAc,EAAE,cAAsB;IACpE,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC;QAC7B,MAAM,IAAI,GAAG,iBAAiB,CAAC,SAAS,CAAC,IAAI,eAAe,CAAC;QAC7D,OAAO,IAAI,SAAS,CAAC,KAAK,CAAC,OAAO,IAAI,cAAc,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;AACxD,CAAC"}

package/lib/client/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Auth client exports.
+ *
+ * @packageDocumentation
+ */
+export { FndAuthClient, clearClientCache } from './auth-client.js';
+export { AuthError, type AuthErrorCode } from './errors.js';
+//# sourceMappingURL=index.d.ts.map

package/lib/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACnE,OAAO,EAAE,SAAS,EAAE,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC"}

package/lib/client/index.js

@@ -0,0 +1,29 @@
+'use strict';
+/**
+ * Auth client exports.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, '__esModule', { value: true });
+exports.AuthError = exports.clearClientCache = exports.FndAuthClient = void 0;
+var auth_client_js_1 = require('./auth-client.js');
+Object.defineProperty(exports, 'FndAuthClient', {
+  enumerable: true,
+  get: function () {
+    return auth_client_js_1.FndAuthClient;
+  },
+});
+Object.defineProperty(exports, 'clearClientCache', {
+  enumerable: true,
+  get: function () {
+    return auth_client_js_1.clearClientCache;
+  },
+});
+var errors_js_1 = require('./errors.js');
+Object.defineProperty(exports, 'AuthError', {
+  enumerable: true,
+  get: function () {
+    return errors_js_1.AuthError;
+  },
+});
+//# sourceMappingURL=index.js.map

package/lib/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,mDAAmE;AAA1D,+GAAA,aAAa,OAAA;AAAE,kHAAA,gBAAgB,OAAA;AACxC,yCAA4D;AAAnD,sGAAA,SAAS,OAAA"}

package/lib/cognito-construct.d.ts

@@ -0,0 +1,113 @@
+import { Construct } from 'constructs';
+import * as cognito from 'aws-cdk-lib/aws-cognito';
+import { RemovalPolicy } from 'aws-cdk-lib';
+/**
+ * Valid deployment stages for fnd-platform applications.
+ */
+export declare const VALID_STAGES: readonly ['dev', 'staging', 'prod'];
+/**
+ * Deployment stage type.
+ */
+export type Stage = (typeof VALID_STAGES)[number];
+/**
+ * Validates that the provided stage is a valid deployment stage.
+ * @param stage - The stage to validate
+ * @throws Error if stage is not valid
+ */
+export declare function validateStage(stage: string): asserts stage is Stage;
+/**
+ * Configuration options for FndCognitoAuth construct.
+ */
+export interface FndCognitoAuthProps {
+  /**
+   * Application name used in User Pool naming.
+   * The User Pool will be named `{appName}-{stage}`.
+   */
+  appName: string;
+  /**
+   * Deployment stage (dev, staging, prod).
+   * Affects security settings like MFA and password policy.
+   */
+  stage: Stage | string;
+  /**
+   * Frontend callback URLs for OAuth flows.
+   * These URLs will be allowed for OAuth redirects.
+   * @example ['http://localhost:3000', 'https://myapp.com']
+   */
+  callbackUrls: string[];
+  /**
+   * Enable Multi-Factor Authentication.
+   * @default false for dev/staging, true for prod
+   */
+  mfaEnabled?: boolean;
+  /**
+   * Removal policy for the User Pool.
+   * @default RemovalPolicy.DESTROY for dev/staging, RemovalPolicy.RETAIN for prod
+   */
+  removalPolicy?: RemovalPolicy;
+}
+/**
+ * CDK construct for AWS Cognito User Pool with app clients and user groups.
+ *
+ * Creates a fully configured User Pool with:
+ * - Secure password policy
+ * - Email verification
+ * - MFA support (optional, enabled by default in prod)
+ * - User groups (admin, editor, viewer)
+ * - Web client for frontend OAuth flows
+ * - Admin client for CMS direct authentication
+ *
+ * @example
+ * ```typescript
+ * const auth = new FndCognitoAuth(this, 'Auth', {
+ *   appName: 'my-app',
+ *   stage: 'dev',
+ *   callbackUrls: ['http://localhost:3000'],
+ * });
+ *
+ * // Access the User Pool ID
+ * console.log(auth.userPoolId);
+ *
+ * // Use the web client for frontend
+ * console.log(auth.webClientId);
+ * ```
+ */
+export declare class FndCognitoAuth extends Construct {
+  /**
+   * The Cognito User Pool.
+   */
+  readonly userPool: cognito.UserPool;
+  /**
+   * The web client for frontend OAuth authentication.
+   */
+  readonly webClient: cognito.UserPoolClient;
+  /**
+   * The admin client for CMS direct authentication.
+   */
+  readonly adminClient: cognito.UserPoolClient;
+  /**
+   * The User Pool ID.
+   */
+  readonly userPoolId: string;
+  /**
+   * The web client ID.
+   */
+  readonly webClientId: string;
+  /**
+   * The admin client ID.
+   */
+  readonly adminClientId: string;
+  /**
+   * The deployment stage.
+   */
+  readonly stage: Stage;
+  constructor(scope: Construct, id: string, props: FndCognitoAuthProps);
+  /**
+   * Creates the standard user groups for role-based access control.
+   * - admin: Full access to CMS and API
+   * - editor: Can create/edit content, no admin settings
+   * - viewer: Read-only access
+   */
+  private createUserGroups;
+}
+//# sourceMappingURL=cognito-construct.d.ts.map

package/lib/cognito-construct.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognito-construct.d.ts","sourceRoot":"","sources":["../src/cognito-construct.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,KAAK,OAAO,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAY,MAAM,aAAa,CAAC;AAEtD;;GAEG;AACH,eAAO,MAAM,YAAY,qCAAsC,CAAC;AAEhE;;GAEG;AACH,MAAM,MAAM,KAAK,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC;AAElD;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAInE;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,KAAK,EAAE,KAAK,GAAG,MAAM,CAAC;IAEtB;;;;OAIG;IACH,YAAY,EAAE,MAAM,EAAE,CAAC;IAEvB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;OAGG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,cAAe,SAAQ,SAAS;IAC3C;;OAEG;IACH,SAAgB,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC;IAE3C;;OAEG;IACH,SAAgB,SAAS,EAAE,OAAO,CAAC,cAAc,CAAC;IAElD;;OAEG;IACH,SAAgB,WAAW,EAAE,OAAO,CAAC,cAAc,CAAC;IAEpD;;OAEG;IACH,SAAgB,UAAU,EAAE,MAAM,CAAC;IAEnC;;OAEG;IACH,SAAgB,WAAW,EAAE,MAAM,CAAC;IAEpC;;OAEG;IACH,SAAgB,aAAa,EAAE,MAAM,CAAC;IAEtC;;OAEG;IACH,SAAgB,KAAK,EAAE,KAAK,CAAC;gBAEjB,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,mBAAmB;IAwFpE;;;;;OAKG;IACH,OAAO,CAAC,gBAAgB;CAsBzB"}