@gugananuvem/aws-local-simulator 1.0.14 → 1.0.16

package/README.md

@@ -81,7 +81,9 @@ npm install --save-dev aws-local-simulator
     ]
   },
   "s3": {
-    "buckets": ["my-bucket"]
+    "buckets": [
+      { "name": "my-bucket", "region": "us-east-1" }
+    ]
   },
   "sqs": {
     "queues": ["my-queue", "dead-letter-queue"]
@@ -190,6 +192,7 @@ npx aws-local-simulator status
 |---------|----------|-------|
 | DynamoDB | http://localhost:8000 | http://localhost:8000/__admin/tables |
 | S3 | http://localhost:4566 | http://localhost:4566/__admin/buckets |
+| S3 Website | http://localhost:4566/website/{bucket}/ | — |
 | SQS | http://localhost:9324 | http://localhost:9324/__admin/queues |
 | Lambda | http://localhost:3001 | http://localhost:3001/__admin/functions |
 | Cognito | http://localhost:9229 | http://localhost:9229/__admin/userpools |
@@ -230,6 +233,46 @@ aws lambda invoke \
 # Cognito
 aws cognito-idp list-user-pools --max-results 10 --endpoint-url http://localhost:9229
 
+# Cognito cadastrar um usuario pelo adminstrador
+aws cognito-idp admin-create-user \
+  --user-pool-id us-east-xxxx\
+  --username usuario@email.com \
+  --user-attributes \
+    Name=email,Value=usuario@email.com \
+    Name=email_verified,Value=false \
+    Name=name,Value="nome usuario" \
+    Name=custom:role,Value="user" \
+    temporary-password "Teste@123456" \
+  --message-action SUPPRESS \
+  --endpoint-url http://localhost:9229
+
+# Cognito excluir um usuario
+aws cognito-idp admin-delete-user \
+  --user-pool-id us-east-xxxx \
+  --username usuario@email.com
+  --endpoint-url http://localhost:9229
+
+# Cognito Registrar usuário
+aws cognito-idp sign-up \
+  --client-id $CLIENT_ID \
+  --username usuario@email.com \
+  --password "Teste@123456" \
+  --user-attributes Name=email,Value=usuario@email.com Name=name,Value="nome usuario"
+  --endpoint-url http://localhost:9229
+
+# 2. Confirmar usuário administrativamente
+aws cognito-idp admin-confirm-sign-up \
+  --user-pool-id us-east-xxxx \
+  --username usuario@email.com
+  --endpoint-url http://localhost:9229
+
+# O código chega no e-mail do usuário. Algo como: "Your confirmation code is 123456"
+aws cognito-idp confirm-sign-up \
+  --client-id 3n4b5urk1ft4fl3mg5e62d9ado \
+  --username usuario@email.com \
+  --confirmation-code 123456
+  --endpoint-url http://localhost:9229
+  
 # STS
 aws sts get-caller-identity --endpoint-url http://localhost:9326
 aws sts assume-role \
@@ -359,6 +402,76 @@ aws athena create-named-query \
 aws athena list-named-queries --endpoint-url http://localhost:4599
 ```
 
+## ⚙️ Configuração S3
+
+### Buckets simples
+
+```json
+{
+  "s3": {
+    "buckets": [
+      "my-bucket"
+    ]
+  }
+}
+```
+
+### Buckets com região e website estático
+
+```json
+{
+  "s3": {
+    "buckets": [
+      { "name": "my-bucket", "region": "us-east-1" },
+      {
+        "name": "my-site-bucket",
+        "region": "us-east-1",
+        "websiteConfiguration": {
+          "IndexDocument": { "Suffix": "index.html" },
+          "ErrorDocument": { "Key": "error.html" }
+        }
+      }
+    ]
+  }
+}
+```
+
+Quando `websiteConfiguration` está presente, o bucket serve arquivos estáticos.
+
+### URL do website estático
+
+```
+http://localhost:4566/website/{bucket-name}/
+http://localhost:4566/website/{bucket-name}/caminho/pagina.html
+```
+
+Exemplos:
+```
+http://localhost:4566/website/my-site-bucket/           → serve index.html
+http://localhost:4566/website/my-site-bucket/about.html → serve about.html
+http://localhost:4566/website/my-site-bucket/app/       → serve app/index.html
+```
+
+### Gerenciar website config via AWS CLI
+
+```bash
+# Habilitar website em um bucket existente
+aws s3api put-bucket-website \
+  --bucket my-site-bucket \
+  --website-configuration '{"IndexDocument":{"Suffix":"index.html"},"ErrorDocument":{"Key":"error.html"}}' \
+  --endpoint-url http://localhost:4566
+
+# Ver configuração de website
+aws s3api get-bucket-website \
+  --bucket my-site-bucket \
+  --endpoint-url http://localhost:4566
+
+# Remover website
+aws s3api delete-bucket-website \
+  --bucket my-site-bucket \
+  --endpoint-url http://localhost:4566
+```
+
 ## ⚙️ Configuração de Lambdas
 
 Lambdas são registradas por **nome** e invocadas via API de invocação (igual à AWS real). O roteamento HTTP é feito pelo API Gateway.
@@ -378,6 +491,50 @@ Lambdas são registradas por **nome** e invocadas via API de invocação (igual
 }
 ```
 
+## ⚙️ Configuração SQS com Lambda Trigger
+
+Para disparar uma Lambda automaticamente quando uma mensagem chega na fila, use o formato de objeto na lista de filas com `lambdaName`:
+
+```json
+{
+  "lambdas": [
+    {
+      "name": "process-orders",
+      "handler": "./src/handlers/process-orders.js"
+    }
+  ],
+  "sqs": {
+    "queues": [
+      "simple-queue",
+      {
+        "name": "orders-queue",
+        "lambdaName": "process-orders",
+        "batchSize": 5
+      }
+    ]
+  }
+}
+```
+
+- Filas simples (string) são criadas sem trigger
+- Filas com objeto aceitam `lambdaName` (nome da Lambda registrada) e `batchSize` (padrão: 10)
+- Quando uma mensagem é enviada para `orders-queue`, a Lambda `process-orders` é invocada automaticamente com o evento no formato SQS padrão da AWS
+
+O handler recebe o evento no formato padrão AWS SQS:
+
+```javascript
+exports.handler = async (event) => {
+  for (const record of event.Records) {
+    const body = JSON.parse(record.body);
+    console.log('Mensagem recebida:', body);
+    // processar...
+  }
+
+  // Retornar batchItemFailures para reprocessar mensagens específicas
+  return { batchItemFailures: [] };
+};
+```
+
 ## ⚙️ Configuração API GATEWAY
 
 O valor do **lambdaName** deve igual ao nome Lambda que está registrada com o valor **name**. Ex: "my-user-function".
@@ -413,15 +570,166 @@ O valor do **lambdaName** deve igual ao nome Lambda que está registrada com o v
             "method": "DELETE",
             "lambdaName": "my-user-function",
             "integrationType": "lambda"
+          },
+          {
+            "path": "/user/{id}",
+            "method": "ANY",
+            "lambdaName": "my-user-function",
+            "integrationType": "lambda"
           }
         ]
       }
     ]
-  },
+  }
+}
+```
 
+### Método ANY
+
+Use `"method": "ANY"` para registrar um endpoint que aceita todos os verbos HTTP (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS) — equivalente ao `ANY` do AWS API Gateway real.
+
+```json
+{
+  "path": "/webhook",
+  "method": "ANY",
+  "lambdaName": "my-webhook-handler",
+  "integrationType": "lambda"
 }
 ```
 
+### API Key
+
+O API Gateway suporta validação de API Key via header `x-api-key`. Para proteger um endpoint, declare as `apiKeys` na configuração e use `"apiKeyRequired": true` no endpoint:
+
+```json
+{
+  "apigateway": {
+    "apiKeys": [
+      {
+        "name": "my-app-key",
+        "value": "minha-chave-secreta-123"
+      }
+    ],
+    "apis": [
+      {
+        "name": "Protected API",
+        "endpoints": [
+          {
+            "path": "/protected",
+            "method": "GET",
+            "lambdaName": "my-user-function",
+            "integrationType": "lambda",
+            "apiKeyRequired": true
+          },
+          {
+            "path": "/public",
+            "method": "GET",
+            "lambdaName": "my-user-function",
+            "integrationType": "lambda"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+Ao chamar um endpoint protegido, envie o header:
+
+```bash
+curl http://localhost:4567/protected \
+  -H "x-api-key: minha-chave-secreta-123"
+
+# Sem a key → 403 Forbidden
+curl http://localhost:4567/protected
+```
+
+> **Nota:** A validação de API Key só está ativa no fluxo de proxy (`/:apiId/:stageName/*`). Endpoints declarados diretamente no `aws-local-simulator.json` via `setupConfigRoutes` não aplicam a validação de API Key no momento.
+
+### Cognito Authorizer
+
+O API Gateway suporta autenticação via Cognito User Pools. Configure um `authorizer` na API e marque os endpoints protegidos com `"authorizerRequired": true`:
+
+```json
+{
+  "cognito": {
+    "userPools": [
+      {
+        "PoolName": "my-user-pool",
+        "UserPoolId": "us-east-XXXXX",
+        "ClientId": "XXXXXX",
+        "AutoVerifiedAttributes": ["email"]
+      }
+    ]
+  },
+  "apigateway": {
+    "apis": [
+      {
+        "name": "My API",
+        "authorizer": {
+          "type": "COGNITO_USER_POOLS",
+          "userPoolId": "us-east-XXXXX"
+        },
+        "endpoints": [
+          {
+            "path": "/profile",
+            "method": "GET",
+            "lambdaName": "my-user-function",
+            "integrationType": "lambda",
+            "authorizerRequired": true
+          },
+          {
+            "path": "/public",
+            "method": "GET",
+            "lambdaName": "my-user-function",
+            "integrationType": "lambda"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+O simulador valida o JWT do Cognito local no header `Authorization: Bearer <token>`. Se o token for inválido ou ausente, retorna `401 Unauthorized`.
+
+```bash
+# 1. Autenticar e obter o token
+TOKEN=$(curl -s -X POST http://localhost:9229/ \
+  -H "Content-Type: application/x-amz-json-1.1" \
+  -H "X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth" \
+  -d '{
+    "AuthFlow": "USER_PASSWORD_AUTH",
+    "ClientId": "XXXXXX",
+    "AuthParameters": {
+      "USERNAME": "usuario@email.com",
+      "PASSWORD": "Senha@123"
+    }
+  }' | jq -r '.AuthenticationResult.IdToken')
+
+# 2. Chamar endpoint protegido com o token
+curl http://localhost:4567/profile \
+  -H "Authorization: Bearer $TOKEN"
+
+# Sem token → 401 Unauthorized
+curl http://localhost:4567/profile
+```
+
+O token decodificado fica disponível no Lambda em `event.requestContext.authorizer.claims`:
+
+```javascript
+exports.handler = async (event) => {
+  const claims = event.requestContext.authorizer?.claims;
+  const userId = claims?.sub;
+  const email = claims?.email;
+
+  return {
+    statusCode: 200,
+    body: JSON.stringify({ userId, email })
+  };
+};
+```
+
 O handler deve exportar uma função padrão:
 
 ```javascript

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gugananuvem/aws-local-simulator",
-  "version": "1.0.14",
+  "version": "1.0.16",
   "description": "Simulador local completo para serviços AWS",
   "main": "src/index.js",
   "bin": {
@@ -81,22 +81,23 @@
     "directory": "dist"
   },
   "dependencies": {
-    "express": "^4.18.2",
     "cors": "^2.8.5",
-    "uuid": "^9.0.0",
-    "mkdirp": "^3.0.1",
-    "glob": "^10.3.0",
     "dotenv": "^16.3.1",
+    "express": "^4.18.2",
+    "glob": "^10.3.0",
     "jsonwebtoken": "^9.0.2",
-    "urlpattern-polyfill": "^10.0.0"
+    "mkdirp": "^3.0.1",
+    "urlpattern-polyfill": "^10.0.0",
+    "uuid": "^9.0.0"
   },
   "peerDependencies": {
+    "@aws-sdk/client-api-gateway": "^3.0.0",
+    "@aws-sdk/client-cognito-identity-provider": "^3.0.0",
     "@aws-sdk/client-dynamodb": "^3.0.0",
+    "@aws-sdk/client-ecs": "^3.0.0",
+    "@aws-sdk/client-lambda": "^3.1032.0",
     "@aws-sdk/client-s3": "^3.0.0",
     "@aws-sdk/client-sqs": "^3.0.0",
-    "@aws-sdk/client-cognito-identity-provider": "^3.0.0",
-    "@aws-sdk/client-api-gateway": "^3.0.0",
-    "@aws-sdk/client-ecs": "^3.0.0",
     "@aws-sdk/lib-dynamodb": "^3.0.0"
   },
   "peerDependenciesMeta": {
@@ -119,6 +120,6 @@
       "optional": true
     }
   },
-  "buildDate": "2026-04-05T12:32:46.437Z",
+  "buildDate": "2026-04-20T18:31:32.841Z",
   "published": true
 }

package/src/server.js

@@ -81,9 +81,9 @@ class Server {
       { name: "sqs",            class: SQSService,            depends: ["lambda"] },
       { name: "sns",            class: SNSService,            depends: [] },
       { name: "eventbridge",    class: EventBridgeService,    depends: [] },
-      { name: "cognito",        class: CognitoService,        depends: [] },
+      { name: "cognito",        class: CognitoService,        depends: ["lambda"] },
       { name: "ecs",            class: ECSService,            depends: [] },
-      { name: "apigateway",     class: APIGatewayService,     depends: ["lambda"] },
+      { name: "apigateway",     class: APIGatewayService,     depends: ["lambda", "cognito"] },
       { name: "kms",            class: KMSService,            depends: [] },
       { name: "cloudwatch",     class: CloudWatchService,     depends: [] },
       { name: "cloudtrail",     class: CloudTrailService,     depends: [] },

package/src/services/apigateway/index.js

@@ -15,6 +15,7 @@ class APIGatewayService {
     this.simulator = null;
     this.isRunning = false;
     this.lambdaService = dependencies.lambda || null;
+    this.cognitoService = dependencies.cognito || null;
   }
 
   async initialize() {
@@ -27,6 +28,7 @@ class APIGatewayService {
     this.server = new APIGatewayServer(this.port, this.config);
     this.server.simulator = this.simulator;
     this.server.lambdaService = this.lambdaService;
+    this.server.cognitoService = this.cognitoService;
     
     await this.server.initialize();
     

package/src/services/apigateway/server.js

@@ -64,8 +64,11 @@ class APIGatewayServer {
     // Register routes from aws-local-simulator.json config directly
     const apis = this.config.apigateway?.apis || [];
     for (const api of apis) {
+      // Build Cognito authorizer middleware for this API if configured
+      const cognitoAuthorizer = this._buildCognitoAuthorizer(api.authorizer);
+
       for (const endpoint of (api.endpoints || [])) {
-        const { path, method, lambdaName, integrationType } = endpoint;
+        const { path, method, lambdaName, integrationType, authorizerRequired } = endpoint;
         if (!path || !method) continue;
 
         const expressPath = path.replace(/\{([^}]+)\}/g, ':$1');
@@ -73,7 +76,7 @@ class APIGatewayServer {
 
         logger.debug(`📡 Registrando rota: ${method} ${path} -> ${lambdaName}`);
 
-        this.app[httpMethod](expressPath, async (req, res) => {
+        const handler = async (req, res) => {
           try {
             const lambdaService = this.lambdaService;
             if (!lambdaService) {
@@ -92,7 +95,8 @@ class APIGatewayServer {
                 path: req.path,
                 stage: 'local',
                 requestId: Math.random().toString(36).substring(7),
-                identity: { sourceIp: req.ip }
+                identity: { sourceIp: req.ip },
+                authorizer: req.cognitoAuthorizer || null
               }
             };
 
@@ -107,11 +111,70 @@ class APIGatewayServer {
             logger.error(`Lambda invoke error (${lambdaName}):`, err);
             res.status(500).json({ error: err.message });
           }
-        });
+        };
+
+        const middlewares = [];
+        if (authorizerRequired && cognitoAuthorizer) {
+          middlewares.push(cognitoAuthorizer);
+        }
+        middlewares.push(handler);
+
+        const ANY_METHODS = ['get', 'post', 'put', 'delete', 'patch', 'head', 'options'];
+        if (httpMethod === 'any') {
+          for (const m of ANY_METHODS) {
+            this.app[m](expressPath, ...middlewares);
+          }
+        } else {
+          this.app[httpMethod](expressPath, ...middlewares);
+        }
       }
     }
   }
 
+  _buildCognitoAuthorizer(authorizerConfig) {
+    if (!authorizerConfig) return null;
+    if (authorizerConfig.type !== 'COGNITO_USER_POOLS') return null;
+
+    const { userPoolId } = authorizerConfig;
+
+    return (req, res, next) => {
+      const authHeader = req.headers['authorization'] || req.headers['Authorization'];
+      if (!authHeader) {
+        return res.status(401).json({ message: 'Unauthorized' });
+      }
+
+      const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : authHeader;
+
+      const cognitoSimulator = this.cognitoService?.simulator;
+      if (!cognitoSimulator) {
+        logger.warn('⚠️ Cognito authorizer configured but Cognito service is not available');
+        return res.status(500).json({ message: 'Authorizer unavailable' });
+      }
+
+      // Validate the token belongs to the configured user pool
+      const decoded = cognitoSimulator.verifyAccessToken(token);
+      if (!decoded) {
+        return res.status(401).json({ message: 'Unauthorized' });
+      }
+
+      // If a specific userPoolId is required, verify it matches
+      if (userPoolId && decoded['cognito:username'] !== undefined) {
+        const session = cognitoSimulator.accessTokens.get(token);
+        if (session && userPoolId && session.UserPoolId !== userPoolId) {
+          return res.status(401).json({ message: 'Unauthorized' });
+        }
+      }
+
+      // Attach claims to request so Lambda receives them in requestContext.authorizer
+      req.cognitoAuthorizer = {
+        claims: decoded,
+        principalId: decoded.sub
+      };
+
+      next();
+    };
+  }
+
   setupRoutes() {
     // Health check
     this.app.get('/health', (req, res) => {

package/src/services/cognito/index.js

@@ -34,6 +34,15 @@ class CognitoService {
   injectDependencies(server) {
     const ct = server.getService('cloudtrail');
     if (ct?.simulator) this.simulator.audit.setTrail(ct.simulator);
+
+    const lambda = server.getService('lambda');
+    if (lambda?.simulator) {
+      this.simulator.setLambdaSimulator(lambda.simulator);
+      // Warn about unregistered triggers now that Lambda is fully initialized
+      for (const pool of this.simulator.userPools.values()) {
+        this.simulator._warnUnregisteredTriggers(pool);
+      }
+    }
   }
 
   async start() {

package/src/services/cognito/server.js

@@ -3,6 +3,7 @@
  */
 
 const express = require('express');
+const cors = require('cors');
 const logger = require('../../utils/logger');
 
 class CognitoServer {
@@ -16,6 +17,7 @@ class CognitoServer {
   }
 
   setupMiddlewares() {
+    this.app.use(cors());
     this.app.use(express.raw({ type: '*/*', limit: '10mb' }));
     this.app.use((req, res, next) => {
       if (req.body && Buffer.isBuffer(req.body)) {
@@ -57,25 +59,35 @@ class CognitoServer {
       });
     });
 
-    // User Pool operations
-    this.app.post('/', async (req, res) => {
+    // User Pool operations — aceita POST / e POST /:userPoolId (compatibilidade com SDK)
+    const cognitoHandler = async (req, res) => {
       const target = req.headers['x-amz-target'];
-      logger.info(`Cognito incoming: target=${target} body=${JSON.stringify(req.body)}`);
+      logger.info(`Cognito incoming: method=${req.method} path=${req.path} target=${target} body=${JSON.stringify(req.body)}`);
+
       if (!target) {
-        return res.status(400).json({ error: 'Missing X-Amz-Target header' });
+        return res.status(400).json({
+          __type: 'InvalidParameterException',
+          message: 'Missing X-Amz-Target header'
+        });
       }
 
       try {
         const result = await this.handleRequest(target, req.body || {});
         res.json(result);
       } catch (error) {
-        logger.error('Cognito Error:', error);
+        logger.error('Cognito Error:', error.message);
         res.status(400).json({
           __type: error.code || 'InternalServerError',
           message: error.message
         });
       }
-    });
+    };
+
+    // OPTIONS preflight para CORS
+    this.app.options('*', (req, res) => res.sendStatus(204));
+
+    this.app.post('/', cognitoHandler);
+    this.app.post('/:userPoolId', cognitoHandler);
 
     // Admin endpoints
     this.setupAdminRoutes();
@@ -182,6 +194,16 @@ class CognitoServer {
       });
     });
 
+    // Confirma um usuário (útil para dev local)
+    this.app.post('/__admin/userpools/:poolId/users/:username/confirm', (req, res) => {
+      const user = this.simulator.findUserByUsername(req.params.username, null, req.params.poolId);
+      if (!user) return res.status(404).json({ error: 'User not found' });
+      user.UserStatus = 'CONFIRMED';
+      user.LastModifiedDate = new Date().toISOString();
+      this.simulator.persistUsers();
+      res.json({ message: `User ${req.params.username} confirmed` });
+    });
+
     this.app.get('/__admin/userpools/:poolId/users', (req, res) => {
       const pool = this.simulator.userPools.get(req.params.poolId);
       if (!pool) {