@fnd-platform/cognito-auth 1.0.0-alpha.1

package/lib/cognito-construct.js

@@ -0,0 +1,211 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FndCognitoAuth = exports.VALID_STAGES = void 0;
+exports.validateStage = validateStage;
+const constructs_1 = require("constructs");
+const cognito = __importStar(require("aws-cdk-lib/aws-cognito"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+/**
+ * Valid deployment stages for fnd-platform applications.
+ */
+exports.VALID_STAGES = ['dev', 'staging', 'prod'];
+/**
+ * Validates that the provided stage is a valid deployment stage.
+ * @param stage - The stage to validate
+ * @throws Error if stage is not valid
+ */
+function validateStage(stage) {
+    if (!exports.VALID_STAGES.includes(stage)) {
+        throw new Error(`Invalid stage "${stage}". Valid stages are: ${exports.VALID_STAGES.join(', ')}`);
+    }
+}
+/**
+ * CDK construct for AWS Cognito User Pool with app clients and user groups.
+ *
+ * Creates a fully configured User Pool with:
+ * - Secure password policy
+ * - Email verification
+ * - MFA support (optional, enabled by default in prod)
+ * - User groups (admin, editor, viewer)
+ * - Web client for frontend OAuth flows
+ * - Admin client for CMS direct authentication
+ *
+ * @example
+ * ```typescript
+ * const auth = new FndCognitoAuth(this, 'Auth', {
+ *   appName: 'my-app',
+ *   stage: 'dev',
+ *   callbackUrls: ['http://localhost:3000'],
+ * });
+ *
+ * // Access the User Pool ID
+ * console.log(auth.userPoolId);
+ *
+ * // Use the web client for frontend
+ * console.log(auth.webClientId);
+ * ```
+ */
+class FndCognitoAuth extends constructs_1.Construct {
+    /**
+     * The Cognito User Pool.
+     */
+    userPool;
+    /**
+     * The web client for frontend OAuth authentication.
+     */
+    webClient;
+    /**
+     * The admin client for CMS direct authentication.
+     */
+    adminClient;
+    /**
+     * The User Pool ID.
+     */
+    userPoolId;
+    /**
+     * The web client ID.
+     */
+    webClientId;
+    /**
+     * The admin client ID.
+     */
+    adminClientId;
+    /**
+     * The deployment stage.
+     */
+    stage;
+    constructor(scope, id, props) {
+        super(scope, id);
+        // Validate and store stage
+        validateStage(props.stage);
+        this.stage = props.stage;
+        const isProd = this.stage === 'prod';
+        // Determine MFA setting
+        const mfaEnabled = props.mfaEnabled ?? isProd;
+        // Determine removal policy
+        const removalPolicy = props.removalPolicy ?? (isProd ? aws_cdk_lib_1.RemovalPolicy.RETAIN : aws_cdk_lib_1.RemovalPolicy.DESTROY);
+        // Create User Pool
+        this.userPool = new cognito.UserPool(this, 'UserPool', {
+            userPoolName: `${props.appName}-${this.stage}`,
+            selfSignUpEnabled: true,
+            signInAliases: { email: true },
+            autoVerify: { email: true },
+            passwordPolicy: {
+                minLength: 8,
+                requireLowercase: true,
+                requireUppercase: true,
+                requireDigits: true,
+                requireSymbols: isProd,
+            },
+            mfa: mfaEnabled ? cognito.Mfa.OPTIONAL : cognito.Mfa.OFF,
+            mfaSecondFactor: mfaEnabled
+                ? {
+                    sms: false,
+                    otp: true,
+                }
+                : undefined,
+            accountRecovery: cognito.AccountRecovery.EMAIL_ONLY,
+            removalPolicy: removalPolicy,
+            standardAttributes: {
+                email: { required: true, mutable: true },
+                fullname: { required: false, mutable: true },
+            },
+        });
+        // Create user groups
+        this.createUserGroups();
+        // Create web client (for frontend with OAuth)
+        this.webClient = this.userPool.addClient('WebClient', {
+            userPoolClientName: `${props.appName}-web`,
+            authFlows: {
+                userPassword: true,
+                userSrp: true,
+            },
+            oAuth: {
+                flows: { authorizationCodeGrant: true },
+                callbackUrls: props.callbackUrls,
+                logoutUrls: props.callbackUrls,
+                scopes: [cognito.OAuthScope.EMAIL, cognito.OAuthScope.OPENID, cognito.OAuthScope.PROFILE],
+            },
+            accessTokenValidity: aws_cdk_lib_1.Duration.hours(1),
+            idTokenValidity: aws_cdk_lib_1.Duration.hours(1),
+            refreshTokenValidity: aws_cdk_lib_1.Duration.days(30),
+        });
+        // Create admin client (for CMS, no OAuth)
+        this.adminClient = this.userPool.addClient('AdminClient', {
+            userPoolClientName: `${props.appName}-admin`,
+            authFlows: {
+                userPassword: true,
+                userSrp: true,
+                adminUserPassword: true,
+            },
+            accessTokenValidity: aws_cdk_lib_1.Duration.hours(1),
+            idTokenValidity: aws_cdk_lib_1.Duration.hours(1),
+            refreshTokenValidity: aws_cdk_lib_1.Duration.days(7),
+        });
+        // Store IDs for easy access
+        this.userPoolId = this.userPool.userPoolId;
+        this.webClientId = this.webClient.userPoolClientId;
+        this.adminClientId = this.adminClient.userPoolClientId;
+    }
+    /**
+     * Creates the standard user groups for role-based access control.
+     * - admin: Full access to CMS and API
+     * - editor: Can create/edit content, no admin settings
+     * - viewer: Read-only access
+     */
+    createUserGroups() {
+        new cognito.CfnUserPoolGroup(this, 'AdminGroup', {
+            userPoolId: this.userPool.userPoolId,
+            groupName: 'admin',
+            description: 'Administrators with full access',
+            precedence: 1,
+        });
+        new cognito.CfnUserPoolGroup(this, 'EditorGroup', {
+            userPoolId: this.userPool.userPoolId,
+            groupName: 'editor',
+            description: 'Content editors',
+            precedence: 2,
+        });
+        new cognito.CfnUserPoolGroup(this, 'ViewerGroup', {
+            userPoolId: this.userPool.userPoolId,
+            groupName: 'viewer',
+            description: 'Read-only users',
+            precedence: 3,
+        });
+    }
+}
+exports.FndCognitoAuth = FndCognitoAuth;
+//# sourceMappingURL=cognito-construct.js.map

package/lib/cognito-construct.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cognito-construct.js","sourceRoot":"","sources":["../src/cognito-construct.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmBA,sCAIC;AAvBD,2CAAuC;AACvC,iEAAmD;AACnD,6CAAsD;AAEtD;;GAEG;AACU,QAAA,YAAY,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,CAAU,CAAC;AAOhE;;;;GAIG;AACH,SAAgB,aAAa,CAAC,KAAa;IACzC,IAAI,CAAC,oBAAY,CAAC,QAAQ,CAAC,KAAc,CAAC,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CAAC,kBAAkB,KAAK,wBAAwB,oBAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC;AAsCD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAa,cAAe,SAAQ,sBAAS;IAC3C;;OAEG;IACa,QAAQ,CAAmB;IAE3C;;OAEG;IACa,SAAS,CAAyB;IAElD;;OAEG;IACa,WAAW,CAAyB;IAEpD;;OAEG;IACa,UAAU,CAAS;IAEnC;;OAEG;IACa,WAAW,CAAS;IAEpC;;OAEG;IACa,aAAa,CAAS;IAEtC;;OAEG;IACa,KAAK,CAAQ;IAE7B,YAAY,KAAgB,EAAE,EAAU,EAAE,KAA0B;QAClE,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAEjB,2BAA2B;QAC3B,aAAa,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;QAEzB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,KAAK,MAAM,CAAC;QAErC,wBAAwB;QACxB,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,MAAM,CAAC;QAE9C,2BAA2B;QAC3B,MAAM,aAAa,GACjB,KAAK,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,2BAAa,CAAC,MAAM,CAAC,CAAC,CAAC,2BAAa,CAAC,OAAO,CAAC,CAAC;QAEjF,mBAAmB;QACnB,IAAI,CAAC,QAAQ,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,EAAE;YACrD,YAAY,EAAE,GAAG,KAAK,CAAC,OAAO,IAAI,IAAI,CAAC,KAAK,EAAE;YAC9C,iBAAiB,EAAE,IAAI;YACvB,aAAa,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;YAC9B,UAAU,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;YAE3B,cAAc,EAAE;gBACd,SAAS,EAAE,CAAC;gBACZ,gBAAgB,EAAE,IAAI;gBACtB,gBAAgB,EAAE,IAAI;gBACtB,aAAa,EAAE,IAAI;gBACnB,cAAc,EAAE,MAAM;aACvB;YAED,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG;YACxD,eAAe,EAAE,UAAU;gBACzB,CAAC,CAAC;oBACE,GAAG,EAAE,KAAK;oBACV,GAAG,EAAE,IAAI;iBACV;gBACH,CAAC,CAAC,SAAS;YAEb,eAAe,EAAE,OAAO,CAAC,eAAe,CAAC,UAAU;YACnD,aAAa,EAAE,aAAa;YAE5B,kBAAkB,EAAE;gBAClB,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBACxC,QAAQ,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE;aAC7C;SACF,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,8CAA8C;QAC9C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE;YACpD,kBAAkB,EAAE,GAAG,KAAK,CAAC,OAAO,MAAM;YAC1C,SAAS,EAAE;gBACT,YAAY,EAAE,IAAI;gBAClB,OAAO,EAAE,IAAI;aACd;YACD,KAAK,EAAE;gBACL,KAAK,EAAE,EAAE,sBAAsB,EAAE,IAAI,EAAE;gBACvC,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,UAAU,EAAE,KAAK,CAAC,YAAY;gBAC9B,MAAM,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;aAC1F;YACD,mBAAmB,EAAE,sBAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YACtC,eAAe,EAAE,sBAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAClC,oBAAoB,EAAE,sBAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;SACxC,CAAC,CAAC;QAEH,0CAA0C;QAC1C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,aAAa,EAAE;YACxD,kBAAkB,EAAE,GAAG,KAAK,CAAC,OAAO,QAAQ;YAC5C,SAAS,EAAE;gBACT,YAAY,EAAE,IAAI;gBAClB,OAAO,EAAE,IAAI;gBACb,iBAAiB,EAAE,IAAI;aACxB;YACD,mBAAmB,EAAE,sBAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YACtC,eAAe,EAAE,sBAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAClC,oBAAoB,EAAE,sBAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;SACvC,CAAC,CAAC;QAEH,4BAA4B;QAC5B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC3C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC;QACnD,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,gBAAgB,CAAC;IACzD,CAAC;IAED;;;;;OAKG;IACK,gBAAgB;QACtB,IAAI,OAAO,CAAC,gBAAgB,CAAC,IAAI,EAAE,YAAY,EAAE;YAC/C,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU;YACpC,SAAS,EAAE,OAAO;YAClB,WAAW,EAAE,iCAAiC;YAC9C,UAAU,EAAE,CAAC;SACd,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,gBAAgB,CAAC,IAAI,EAAE,aAAa,EAAE;YAChD,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU;YACpC,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,iBAAiB;YAC9B,UAAU,EAAE,CAAC;SACd,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,gBAAgB,CAAC,IAAI,EAAE,aAAa,EAAE;YAChD,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU;YACpC,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,iBAAiB;YAC9B,UAAU,EAAE,CAAC;SACd,CAAC,CAAC;IACL,CAAC;CACF;AAxJD,wCAwJC"}

package/lib/index.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @fnd-platform/cognito-auth
+ *
+ * AWS Cognito authentication constructs and middleware for fnd-platform applications.
+ *
+ * Provides:
+ * - Fully configured Cognito User Pool CDK construct
+ * - JWT token validation middleware
+ * - Lambda authorizer for API Gateway
+ * - Token refresh utilities
+ *
+ * @packageDocumentation
+ */
+export { FndCognitoAuth } from './cognito-construct.js';
+export type { FndCognitoAuthProps, Stage } from './cognito-construct.js';
+export { validateStage, VALID_STAGES } from './cognito-construct.js';
+export type { CognitoAccessTokenPayload, CognitoIdTokenPayload, CognitoAuthOptions, JwtVerifierConfig, TokenVerificationResult, } from './types.js';
+export { verifyToken, verifyAndExtract, getVerifier, clearVerifierCache } from './jwt.js';
+export { withCognitoAuth } from './middleware/auth.js';
+export type { CognitoAuthenticatedEvent, Middleware as CognitoMiddleware, MiddlewareHandler as CognitoMiddlewareHandler, } from './middleware/auth.js';
+export { handler as authorizerHandler } from './authorizer/handler.js';
+export { refreshAccessToken, clearClientCache } from './utils/token-refresh.js';
+export type { TokenRefreshConfig, RefreshResult } from './utils/token-refresh.js';
+export { FndAuthClient, clearClientCache as clearAuthClientCache } from './client/auth-client.js';
+export { AuthError } from './client/errors.js';
+export type { AuthErrorCode } from './client/errors.js';
+export { createSessionStorage, getSession, createUserSession, requireAuth, getOptionalUser, getUserSession, logout, } from './remix/session.server.js';
+export { requireAdmin, requireRole, hasRole, hasAnyRole } from './remix/admin.server.js';
+export type { AuthClientConfig, AuthTokens, SignUpResult, SessionData, SessionUser, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,YAAY,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGrE,YAAY,EACV,yBAAyB,EACzB,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAG1F,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,YAAY,EACV,yBAAyB,EACzB,UAAU,IAAI,iBAAiB,EAC/B,iBAAiB,IAAI,wBAAwB,GAC9C,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAGvE,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAChF,YAAY,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAGlF,OAAO,EAAE,aAAa,EAAE,gBAAgB,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,YAAY,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGxD,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,cAAc,EACd,MAAM,GACP,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAGzF,YAAY,EACV,gBAAgB,EAChB,UAAU,EACV,YAAY,EACZ,WAAW,EACX,WAAW,GACZ,MAAM,YAAY,CAAC"}

package/lib/index.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * @fnd-platform/cognito-auth
+ *
+ * AWS Cognito authentication constructs and middleware for fnd-platform applications.
+ *
+ * Provides:
+ * - Fully configured Cognito User Pool CDK construct
+ * - JWT token validation middleware
+ * - Lambda authorizer for API Gateway
+ * - Token refresh utilities
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasAnyRole = exports.hasRole = exports.requireRole = exports.requireAdmin = exports.logout = exports.getUserSession = exports.getOptionalUser = exports.requireAuth = exports.createUserSession = exports.getSession = exports.createSessionStorage = exports.AuthError = exports.clearAuthClientCache = exports.FndAuthClient = exports.clearClientCache = exports.refreshAccessToken = exports.authorizerHandler = exports.withCognitoAuth = exports.clearVerifierCache = exports.getVerifier = exports.verifyAndExtract = exports.verifyToken = exports.VALID_STAGES = exports.validateStage = exports.FndCognitoAuth = void 0;
+// ===== CDK Constructs =====
+var cognito_construct_js_1 = require("./cognito-construct.js");
+Object.defineProperty(exports, "FndCognitoAuth", { enumerable: true, get: function () { return cognito_construct_js_1.FndCognitoAuth; } });
+var cognito_construct_js_2 = require("./cognito-construct.js");
+Object.defineProperty(exports, "validateStage", { enumerable: true, get: function () { return cognito_construct_js_2.validateStage; } });
+Object.defineProperty(exports, "VALID_STAGES", { enumerable: true, get: function () { return cognito_construct_js_2.VALID_STAGES; } });
+// ===== JWT Utilities =====
+var jwt_js_1 = require("./jwt.js");
+Object.defineProperty(exports, "verifyToken", { enumerable: true, get: function () { return jwt_js_1.verifyToken; } });
+Object.defineProperty(exports, "verifyAndExtract", { enumerable: true, get: function () { return jwt_js_1.verifyAndExtract; } });
+Object.defineProperty(exports, "getVerifier", { enumerable: true, get: function () { return jwt_js_1.getVerifier; } });
+Object.defineProperty(exports, "clearVerifierCache", { enumerable: true, get: function () { return jwt_js_1.clearVerifierCache; } });
+// ===== Middleware =====
+var auth_js_1 = require("./middleware/auth.js");
+Object.defineProperty(exports, "withCognitoAuth", { enumerable: true, get: function () { return auth_js_1.withCognitoAuth; } });
+// ===== Lambda Authorizer =====
+var handler_js_1 = require("./authorizer/handler.js");
+Object.defineProperty(exports, "authorizerHandler", { enumerable: true, get: function () { return handler_js_1.handler; } });
+// ===== Token Utilities =====
+var token_refresh_js_1 = require("./utils/token-refresh.js");
+Object.defineProperty(exports, "refreshAccessToken", { enumerable: true, get: function () { return token_refresh_js_1.refreshAccessToken; } });
+Object.defineProperty(exports, "clearClientCache", { enumerable: true, get: function () { return token_refresh_js_1.clearClientCache; } });
+// ===== Auth Client =====
+var auth_client_js_1 = require("./client/auth-client.js");
+Object.defineProperty(exports, "FndAuthClient", { enumerable: true, get: function () { return auth_client_js_1.FndAuthClient; } });
+Object.defineProperty(exports, "clearAuthClientCache", { enumerable: true, get: function () { return auth_client_js_1.clearClientCache; } });
+var errors_js_1 = require("./client/errors.js");
+Object.defineProperty(exports, "AuthError", { enumerable: true, get: function () { return errors_js_1.AuthError; } });
+// ===== Remix Utilities =====
+var session_server_js_1 = require("./remix/session.server.js");
+Object.defineProperty(exports, "createSessionStorage", { enumerable: true, get: function () { return session_server_js_1.createSessionStorage; } });
+Object.defineProperty(exports, "getSession", { enumerable: true, get: function () { return session_server_js_1.getSession; } });
+Object.defineProperty(exports, "createUserSession", { enumerable: true, get: function () { return session_server_js_1.createUserSession; } });
+Object.defineProperty(exports, "requireAuth", { enumerable: true, get: function () { return session_server_js_1.requireAuth; } });
+Object.defineProperty(exports, "getOptionalUser", { enumerable: true, get: function () { return session_server_js_1.getOptionalUser; } });
+Object.defineProperty(exports, "getUserSession", { enumerable: true, get: function () { return session_server_js_1.getUserSession; } });
+Object.defineProperty(exports, "logout", { enumerable: true, get: function () { return session_server_js_1.logout; } });
+var admin_server_js_1 = require("./remix/admin.server.js");
+Object.defineProperty(exports, "requireAdmin", { enumerable: true, get: function () { return admin_server_js_1.requireAdmin; } });
+Object.defineProperty(exports, "requireRole", { enumerable: true, get: function () { return admin_server_js_1.requireRole; } });
+Object.defineProperty(exports, "hasRole", { enumerable: true, get: function () { return admin_server_js_1.hasRole; } });
+Object.defineProperty(exports, "hasAnyRole", { enumerable: true, get: function () { return admin_server_js_1.hasAnyRole; } });
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,6BAA6B;AAC7B,+DAAwD;AAA/C,sHAAA,cAAc,OAAA;AAEvB,+DAAqE;AAA5D,qHAAA,aAAa,OAAA;AAAE,oHAAA,YAAY,OAAA;AAWpC,4BAA4B;AAC5B,mCAA0F;AAAjF,qGAAA,WAAW,OAAA;AAAE,0GAAA,gBAAgB,OAAA;AAAE,qGAAA,WAAW,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AAEvE,yBAAyB;AACzB,gDAAuD;AAA9C,0GAAA,eAAe,OAAA;AAOxB,gCAAgC;AAChC,sDAAuE;AAA9D,+GAAA,OAAO,OAAqB;AAErC,8BAA8B;AAC9B,6DAAgF;AAAvE,sHAAA,kBAAkB,OAAA;AAAE,oHAAA,gBAAgB,OAAA;AAG7C,0BAA0B;AAC1B,0DAAkG;AAAzF,+GAAA,aAAa,OAAA;AAAE,sHAAA,gBAAgB,OAAwB;AAChE,gDAA+C;AAAtC,sGAAA,SAAS,OAAA;AAGlB,8BAA8B;AAC9B,+DAQmC;AAPjC,yHAAA,oBAAoB,OAAA;AACpB,+GAAA,UAAU,OAAA;AACV,sHAAA,iBAAiB,OAAA;AACjB,gHAAA,WAAW,OAAA;AACX,oHAAA,eAAe,OAAA;AACf,mHAAA,cAAc,OAAA;AACd,2GAAA,MAAM,OAAA;AAGR,2DAAyF;AAAhF,+GAAA,YAAY,OAAA;AAAE,8GAAA,WAAW,OAAA;AAAE,0GAAA,OAAO,OAAA;AAAE,6GAAA,UAAU,OAAA"}

package/lib/jwt.d.ts

@@ -0,0 +1,89 @@
+/**
+ * JWT verification utilities using aws-jwt-verify.
+ *
+ * Uses a singleton pattern for the verifier to avoid re-fetching
+ * JWKS on every request.
+ *
+ * @packageDocumentation
+ */
+import { CognitoJwtVerifier } from 'aws-jwt-verify';
+import type {
+  CognitoAccessTokenPayload,
+  CognitoIdTokenPayload,
+  JwtVerifierConfig,
+  TokenVerificationResult,
+} from './types.js';
+/** Verifier instance type */
+type VerifierInstance = ReturnType<typeof CognitoJwtVerifier.create>;
+/**
+ * Gets or creates a verifier for the given configuration.
+ * Verifiers are cached to avoid re-fetching JWKS.
+ *
+ * @param config - Verifier configuration
+ * @returns Cached or new verifier instance
+ *
+ * @example
+ * ```typescript
+ * const verifier = getVerifier({
+ *   userPoolId: 'us-east-1_abc123',
+ *   clientId: '1234567890abcdef',
+ * });
+ * ```
+ */
+export declare function getVerifier(config: JwtVerifierConfig): VerifierInstance;
+/**
+ * Verifies a JWT token from Cognito.
+ *
+ * @param token - The JWT token string
+ * @param config - Verifier configuration
+ * @returns The verified token payload
+ * @throws Error if token is invalid or expired
+ *
+ * @example
+ * ```typescript
+ * const payload = await verifyToken(token, {
+ *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
+ *   clientId: process.env.COGNITO_CLIENT_ID!,
+ * });
+ * console.log(payload.sub); // User ID
+ * ```
+ */
+export declare function verifyToken(
+  token: string,
+  config: JwtVerifierConfig
+): Promise<CognitoAccessTokenPayload | CognitoIdTokenPayload>;
+/**
+ * Verifies a token and returns a normalized result.
+ *
+ * @param token - The JWT token string
+ * @param config - Verifier configuration
+ * @returns Normalized verification result
+ * @throws Error if token is invalid or expired
+ *
+ * @example
+ * ```typescript
+ * const result = await verifyAndExtract(token, {
+ *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
+ *   clientId: process.env.COGNITO_CLIENT_ID!,
+ * });
+ * console.log(result.userId); // User ID
+ * console.log(result.groups); // ['admin', 'editor']
+ * ```
+ */
+export declare function verifyAndExtract(
+  token: string,
+  config: JwtVerifierConfig
+): Promise<TokenVerificationResult>;
+/**
+ * Clears the verifier cache. Useful for testing.
+ *
+ * @example
+ * ```typescript
+ * beforeEach(() => {
+ *   clearVerifierCache();
+ * });
+ * ```
+ */
+export declare function clearVerifierCache(): void;
+export {};
+//# sourceMappingURL=jwt.d.ts.map

package/lib/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,KAAK,EACV,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,uBAAuB,EACxB,MAAM,YAAY,CAAC;AAEpB,6BAA6B;AAC7B,KAAK,gBAAgB,GAAG,UAAU,CAAC,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC;AAerE;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,gBAAgB,CAavE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,yBAAyB,GAAG,qBAAqB,CAAC,CAK5D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,uBAAuB,CAAC,CASlC;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC"}

package/lib/jwt.js

@@ -0,0 +1,117 @@
+'use strict';
+/**
+ * JWT verification utilities using aws-jwt-verify.
+ *
+ * Uses a singleton pattern for the verifier to avoid re-fetching
+ * JWKS on every request.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, '__esModule', { value: true });
+exports.getVerifier = getVerifier;
+exports.verifyToken = verifyToken;
+exports.verifyAndExtract = verifyAndExtract;
+exports.clearVerifierCache = clearVerifierCache;
+const aws_jwt_verify_1 = require('aws-jwt-verify');
+/** Verifier cache keyed by userPoolId+clientId+tokenUse */
+const verifierCache = new Map();
+/**
+ * Creates a cache key for the verifier.
+ *
+ * @param config - Verifier configuration
+ * @returns Cache key string
+ */
+function getCacheKey(config) {
+  return `${config.userPoolId}:${config.clientId}:${config.tokenUse ?? 'access'}`;
+}
+/**
+ * Gets or creates a verifier for the given configuration.
+ * Verifiers are cached to avoid re-fetching JWKS.
+ *
+ * @param config - Verifier configuration
+ * @returns Cached or new verifier instance
+ *
+ * @example
+ * ```typescript
+ * const verifier = getVerifier({
+ *   userPoolId: 'us-east-1_abc123',
+ *   clientId: '1234567890abcdef',
+ * });
+ * ```
+ */
+function getVerifier(config) {
+  const key = getCacheKey(config);
+  if (!verifierCache.has(key)) {
+    const verifier = aws_jwt_verify_1.CognitoJwtVerifier.create({
+      userPoolId: config.userPoolId,
+      clientId: config.clientId,
+      tokenUse: config.tokenUse ?? 'access',
+    });
+    verifierCache.set(key, verifier);
+  }
+  return verifierCache.get(key);
+}
+/**
+ * Verifies a JWT token from Cognito.
+ *
+ * @param token - The JWT token string
+ * @param config - Verifier configuration
+ * @returns The verified token payload
+ * @throws Error if token is invalid or expired
+ *
+ * @example
+ * ```typescript
+ * const payload = await verifyToken(token, {
+ *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
+ *   clientId: process.env.COGNITO_CLIENT_ID!,
+ * });
+ * console.log(payload.sub); // User ID
+ * ```
+ */
+async function verifyToken(token, config) {
+  const verifier = getVerifier(config);
+  const payload = await verifier.verify(token);
+  // Cast through unknown to handle aws-jwt-verify's generic payload type
+  return payload;
+}
+/**
+ * Verifies a token and returns a normalized result.
+ *
+ * @param token - The JWT token string
+ * @param config - Verifier configuration
+ * @returns Normalized verification result
+ * @throws Error if token is invalid or expired
+ *
+ * @example
+ * ```typescript
+ * const result = await verifyAndExtract(token, {
+ *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
+ *   clientId: process.env.COGNITO_CLIENT_ID!,
+ * });
+ * console.log(result.userId); // User ID
+ * console.log(result.groups); // ['admin', 'editor']
+ * ```
+ */
+async function verifyAndExtract(token, config) {
+  const payload = await verifyToken(token, config);
+  return {
+    userId: payload.sub,
+    email: 'email' in payload ? payload.email : undefined,
+    groups: payload['cognito:groups'] ?? [],
+    payload,
+  };
+}
+/**
+ * Clears the verifier cache. Useful for testing.
+ *
+ * @example
+ * ```typescript
+ * beforeEach(() => {
+ *   clearVerifierCache();
+ * });
+ * ```
+ */
+function clearVerifierCache() {
+  verifierCache.clear();
+}
+//# sourceMappingURL=jwt.js.map

package/lib/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;AAyCH,kCAaC;AAmBD,kCAQC;AAoBD,4CAYC;AAYD,gDAEC;AA7HD,mDAAoD;AAWpD,2DAA2D;AAC3D,MAAM,aAAa,GAAG,IAAI,GAAG,EAA4B,CAAC;AAE1D;;;;;GAKG;AACH,SAAS,WAAW,CAAC,MAAyB;IAC5C,OAAO,GAAG,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,IAAI,QAAQ,EAAE,CAAC;AAClF,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAgB,WAAW,CAAC,MAAyB;IACnD,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAEhC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,mCAAkB,CAAC,MAAM,CAAC;YACzC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,QAAQ;SACtC,CAAC,CAAC;QACH,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,aAAa,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;AACjC,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,MAAyB;IAEzB,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7C,uEAAuE;IACvE,OAAO,OAAuE,CAAC;AACjF,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACI,KAAK,UAAU,gBAAgB,CACpC,KAAa,EACb,MAAyB;IAEzB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAEjD,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,GAAG;QACnB,KAAK,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACrD,MAAM,EAAE,OAAO,CAAC,gBAAgB,CAAC,IAAI,EAAE;QACvC,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,kBAAkB;IAChC,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC"}

package/lib/middleware/auth.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Cognito authentication middleware with real JWT validation.
+ *
+ * @packageDocumentation
+ */
+import type { APIGatewayProxyEvent, APIGatewayProxyResult, Context } from 'aws-lambda';
+import type { CognitoAuthOptions, TokenVerificationResult } from '../types.js';
+/**
+ * Authenticated event with verified Cognito claims.
+ */
+export interface CognitoAuthenticatedEvent extends APIGatewayProxyEvent {
+  /** Verified auth information */
+  auth: TokenVerificationResult;
+}
+/**
+ * Middleware handler type.
+ */
+export type MiddlewareHandler<TEvent = APIGatewayProxyEvent> = (
+  event: TEvent,
+  context: Context
+) => Promise<APIGatewayProxyResult>;
+/**
+ * Middleware function type.
+ */
+export type Middleware<TEventIn = APIGatewayProxyEvent, TEventOut = TEventIn> = (
+  handler: MiddlewareHandler<TEventOut>
+) => MiddlewareHandler<TEventIn>;
+/**
+ * Middleware that validates JWT tokens from Cognito.
+ *
+ * Unlike the API package's withAuth (which expects API Gateway to validate),
+ * this middleware performs actual JWT verification using aws-jwt-verify.
+ *
+ * @param options - Authentication configuration
+ * @returns Middleware that validates tokens and adds auth info to event
+ *
+ * @example
+ * ```typescript
+ * // Basic auth - validates token
+ * const handler = withCognitoAuth()(async (event) => {
+ *   const userId = event.auth.userId;
+ *   return { statusCode: 200, body: JSON.stringify({ userId }) };
+ * });
+ *
+ * // With role requirement
+ * const adminHandler = withCognitoAuth({ roles: ['admin'] })(async (event) => {
+ *   return { statusCode: 200, body: 'Admin access granted' };
+ * });
+ *
+ * // Skip auth for certain paths
+ * const handler = withCognitoAuth({ skipPaths: ['/health'] })(async (event) => {
+ *   return { statusCode: 200, body: 'OK' };
+ * });
+ * ```
+ */
+export declare function withCognitoAuth(
+  options?: CognitoAuthOptions
+): Middleware<APIGatewayProxyEvent, CognitoAuthenticatedEvent>;
+//# sourceMappingURL=auth.d.ts.map

package/lib/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAEvF,OAAO,KAAK,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAE/E;;GAEG;AACH,MAAM,WAAW,yBAA0B,SAAQ,oBAAoB;IACrE,gCAAgC;IAChC,IAAI,EAAE,uBAAuB,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,MAAM,iBAAiB,CAAC,MAAM,GAAG,oBAAoB,IAAI,CAC7D,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,OAAO,KACb,OAAO,CAAC,qBAAqB,CAAC,CAAC;AAEpC;;GAEG;AACH,MAAM,MAAM,UAAU,CAAC,QAAQ,GAAG,oBAAoB,EAAE,SAAS,GAAG,QAAQ,IAAI,CAC9E,OAAO,EAAE,iBAAiB,CAAC,SAAS,CAAC,KAClC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;AAgEjC;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,eAAe,CAC7B,OAAO,GAAE,kBAAuB,GAC/B,UAAU,CAAC,oBAAoB,EAAE,yBAAyB,CAAC,CAkE7D"}