@lafken/auth 0.10.1

package/lib/resolver/auth/user-pool/external/external.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ExternalUserPool = void 0;
+const data_aws_cognito_user_pool_1 = require("@cdktn/provider-aws/lib/data-aws-cognito-user-pool");
+const resolver_1 = require("@lafken/resolver");
+class ExternalUserPool extends resolver_1.lafkenResource.make(data_aws_cognito_user_pool_1.DataAwsCognitoUserPool) {
+    constructor(scope, id, props) {
+        super(scope, `${id}-user-pool`, {
+            userPoolId: props.userPoolId,
+        });
+        this.isGlobal('auth', id);
+    }
+}
+exports.ExternalUserPool = ExternalUserPool;

package/lib/resolver/auth/user-pool/identity-provider/identity-provider.d.ts

@@ -0,0 +1,13 @@
+import { Construct } from 'constructs';
+import type { IdentityProviderProps } from './identity-provider.types';
+export declare class IdentityProvider extends Construct {
+    private id;
+    private props;
+    constructor(scope: Construct, id: string, props: IdentityProviderProps);
+    private createGoogleProvider;
+    private createFacebookProvider;
+    private createAmazonProvider;
+    private createAppleProvider;
+    private createOidcProvider;
+    private getProviderAttributes;
+}

package/lib/resolver/auth/user-pool/identity-provider/identity-provider.js

@@ -0,0 +1,120 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IdentityProvider = void 0;
+const cognito_identity_provider_1 = require("@cdktn/provider-aws/lib/cognito-identity-provider");
+const constructs_1 = require("constructs");
+const auth_utils_1 = require("../../auth.utils");
+class IdentityProvider extends constructs_1.Construct {
+    id;
+    props;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.id = id;
+        this.props = props;
+        switch (props.type) {
+            case 'google':
+                this.createGoogleProvider(props);
+                break;
+            case 'facebook':
+                this.createFacebookProvider(props);
+                break;
+            case 'amazon':
+                this.createAmazonProvider(props);
+                break;
+            case 'apple':
+                this.createAppleProvider(props);
+                break;
+            case 'oidc':
+                this.createOidcProvider(props);
+                break;
+        }
+    }
+    createGoogleProvider(props) {
+        new cognito_identity_provider_1.CognitoIdentityProvider(this, 'google-identity-provider', {
+            userPoolId: this.props.userPoolId,
+            providerName: `${this.id}-identity-provider`,
+            providerType: 'Google',
+            providerDetails: {
+                client_id: props.clientId,
+                client_secret: props.clientSecret,
+                authorize_scopes: props.scopes.join(' '),
+            },
+            attributeMapping: this.getProviderAttributes(props.attributes),
+        });
+    }
+    createFacebookProvider(props) {
+        new cognito_identity_provider_1.CognitoIdentityProvider(this, 'facebook-identity-provider', {
+            userPoolId: this.props.userPoolId,
+            providerName: `${this.id}-identity-provider`,
+            providerType: 'Facebook',
+            providerDetails: {
+                client_id: props.clientId,
+                client_secret: props.clientSecret,
+                authorize_scopes: props.scopes.join(','),
+                ...(props.apiVersion ? { api_version: props.apiVersion } : {}),
+            },
+            attributeMapping: this.getProviderAttributes(props.attributes),
+        });
+    }
+    createAmazonProvider(props) {
+        new cognito_identity_provider_1.CognitoIdentityProvider(this, 'amazon-identity-provider', {
+            userPoolId: this.props.userPoolId,
+            providerName: `${this.id}-identity-provider`,
+            providerType: 'LoginWithAmazon',
+            providerDetails: {
+                client_id: props.clientId,
+                client_secret: props.clientSecret,
+                authorize_scopes: props.scopes.join(' '),
+            },
+            attributeMapping: this.getProviderAttributes(props.attributes),
+        });
+    }
+    createAppleProvider(props) {
+        new cognito_identity_provider_1.CognitoIdentityProvider(this, 'apple-identity-provider', {
+            userPoolId: this.props.userPoolId,
+            providerName: `${this.id}-identity-provider`,
+            providerType: 'SignInWithApple',
+            providerDetails: {
+                client_id: props.clientId,
+                team_id: props.teamId,
+                key_id: props.keyId,
+                private_key: props.privateKeyValue,
+                authorize_scopes: props.scopes.join(' '),
+            },
+            attributeMapping: this.getProviderAttributes(props.attributes),
+        });
+    }
+    createOidcProvider(props) {
+        new cognito_identity_provider_1.CognitoIdentityProvider(this, 'oidc-identity-provider', {
+            userPoolId: this.props.userPoolId,
+            providerName: `${this.id}-identity-provider`,
+            providerType: 'OIDC',
+            providerDetails: {
+                client_id: props.clientId,
+                client_secret: props.clientSecret,
+                authorize_scopes: props.scopes.join(' '),
+                attributes_request_method: props.attributesRequestMethod,
+                authorize_url: props.authorizeUrl,
+                token_url: props.tokenUrl,
+                attributes_url: props.attributesUrl,
+                jwks_uri: props.jwksUri,
+            },
+            attributeMapping: this.getProviderAttributes(props.attributes),
+        });
+    }
+    getProviderAttributes(providerAttributes) {
+        const attributes = {};
+        for (const providerAttribute in providerAttributes) {
+            const attribute = this.props.attributeByName[providerAttribute];
+            if (!attribute) {
+                throw new Error(`Attribute ${providerAttribute} not exist in attribute class`);
+            }
+            const attributeName = attribute.attributeType === 'standard'
+                ? auth_utils_1.mapUserAttributes[attribute.name]
+                : `custom:${attribute.name}`;
+            attributes[attributeName] = providerAttributes[providerAttribute];
+        }
+        return attributes;
+    }
+}
+exports.IdentityProvider = IdentityProvider;

package/lib/resolver/auth/user-pool/identity-provider/identity-provider.types.d.ts

@@ -0,0 +1,6 @@
+import type { CustomAttributesMetadata, StandardAttributeMetadata } from '../../../../main';
+import type { IdentityProvider } from '../user-pool.types';
+export type IdentityProviderProps = IdentityProvider<any> & {
+    userPoolId: string;
+    attributeByName: Record<string, CustomAttributesMetadata | StandardAttributeMetadata>;
+};

package/lib/resolver/auth/user-pool/identity-provider/identity-provider.types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/resolver/auth/user-pool/internal/internal.d.ts

@@ -0,0 +1,30 @@
+import { CognitoUserPool } from '@cdktn/provider-aws/lib/cognito-user-pool';
+import type { Construct } from 'constructs';
+import { type CustomAttributesMetadata, type StandardAttributeMetadata } from '../../../../main';
+import type { InternalUserPoolProps } from '../user-pool.types';
+declare const InternalUserPool_base: (new (...args: any[]) => {
+    isGlobal(module: import("@lafken/common").ModuleGlobalReferenceNames | (string & {}), id: string): void;
+    isDependent(resolveDependency: () => void): void;
+    readonly node: import("constructs").Node;
+    with(...mixins: import("constructs").IMixin[]): import("constructs").IConstruct;
+    toString(): string;
+}) & typeof CognitoUserPool;
+export declare class InternalUserPool extends InternalUserPool_base {
+    attributeByName: Record<string, CustomAttributesMetadata | StandardAttributeMetadata>;
+    constructor(scope: Construct, id: string, props: InternalUserPoolProps<any>);
+    private assignIdentityProviders;
+    private addLambdaConfig;
+    private static getSmsConfig;
+    private static getMfaConfig;
+    private static getUserAttributes;
+    private static getUserVerification;
+    private static getSignInCaseSensitive;
+    private static getCognitoPlan;
+    private static getEmailConfig;
+    private static getAutoVerifiedAttributes;
+    private static getPasswordPolicy;
+    private static getAdminCreateUserConfig;
+    private static getAccountRecoverySettings;
+    private static getAliasAttributes;
+}
+export {};

package/lib/resolver/auth/user-pool/internal/internal.js

@@ -0,0 +1,332 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InternalUserPool = void 0;
+const cognito_user_pool_1 = require("@cdktn/provider-aws/lib/cognito-user-pool");
+const iam_role_1 = require("@cdktn/provider-aws/lib/iam-role");
+const iam_role_policy_1 = require("@cdktn/provider-aws/lib/iam-role-policy");
+const common_1 = require("@lafken/common");
+const resolver_1 = require("@lafken/resolver");
+const cdktn_1 = require("cdktn");
+const main_1 = require("../../../../main");
+const extension_1 = require("../../../../main/extension/extension");
+const auth_utils_1 = require("../../auth.utils");
+const extension_2 = require("../extension/extension");
+const identity_provider_1 = require("../identity-provider/identity-provider");
+class InternalUserPool extends resolver_1.lafkenResource.make(cognito_user_pool_1.CognitoUserPool) {
+    attributeByName = {};
+    constructor(scope, id, props) {
+        const attributes = InternalUserPool.getUserAttributes(props.attributes);
+        super(scope, `${id}-user-pool`, {
+            ...InternalUserPool.getMfaConfig(props.mfa),
+            name: id,
+            autoVerifiedAttributes: InternalUserPool.getAutoVerifiedAttributes(props.autoVerifyAttributes),
+            accountRecoverySetting: InternalUserPool.getAccountRecoverySettings(props.accountRecovery),
+            aliasAttributes: InternalUserPool.getAliasAttributes(props.signInAliases),
+            adminCreateUserConfig: InternalUserPool.getAdminCreateUserConfig(props.selfSignUpEnabled, props.invitationMessage),
+            passwordPolicy: InternalUserPool.getPasswordPolicy(props.passwordPolicy),
+            emailConfiguration: InternalUserPool.getEmailConfig(props.email),
+            userPoolTier: InternalUserPool.getCognitoPlan(props.cognitoPlan),
+            usernameConfiguration: InternalUserPool.getSignInCaseSensitive(props.signInCaseSensitive),
+            verificationMessageTemplate: InternalUserPool.getUserVerification(props.userVerification),
+            schema: attributes?.schema,
+            smsConfiguration: InternalUserPool.getSmsConfig(scope, id, props.mfa, props.userVerification),
+            usernameAttributes: InternalUserPool.getAliasAttributes(props.usernameAttributes),
+            lifecycle: {
+                ignoreChanges: ['schema'],
+            },
+        });
+        this.addLambdaConfig();
+        if (attributes?.attributeByName) {
+            this.attributeByName = attributes.attributeByName;
+        }
+        this.isGlobal('auth', id);
+        this.assignIdentityProviders(props.identityProviders);
+        new resolver_1.ResourceOutput(this, props.outputs);
+    }
+    assignIdentityProviders(identityProviders) {
+        if (identityProviders?.length) {
+            for (const identityProvider of identityProviders) {
+                new identity_provider_1.IdentityProvider(this, identityProvider.type, {
+                    ...identityProvider,
+                    attributeByName: this.attributeByName,
+                    userPoolId: this.id,
+                });
+            }
+        }
+    }
+    addLambdaConfig(extensions = []) {
+        let lambdaConfig = {};
+        for (const extension of extensions) {
+            const metadata = (0, common_1.getResourceMetadata)(extension);
+            if (metadata.type !== extension_1.RESOURCE_TYPE) {
+                throw new Error(`extension should have @AuthExtension decorator`);
+            }
+            const handlers = (0, common_1.getResourceHandlerMetadata)(extension);
+            const trigger = new extension_2.Extension(this, `${metadata.name}-extension`, {
+                handlers,
+                resourceMetadata: metadata,
+            });
+            const triggers = trigger.createTriggers(this.arn);
+            for (const key in triggers) {
+                const configKey = key;
+                if (lambdaConfig[configKey] !== undefined) {
+                    throw new Error(`trigger ${key} already exist`);
+                }
+            }
+            lambdaConfig = {
+                ...lambdaConfig,
+                ...triggers,
+            };
+        }
+        if (Object.keys(lambdaConfig).length === 0) {
+            return;
+        }
+        this.putLambdaConfig(lambdaConfig);
+    }
+    static getSmsConfig(scope, id, mfa, userVerification) {
+        if ((!mfa || mfa.status === 'off' || !mfa.sms) && !userVerification) {
+            return;
+        }
+        const externalId = `${id}-sms-config`;
+        const roleId = `${id}-cognito-sms-role`;
+        const snsRole = new iam_role_1.IamRole(scope, roleId, {
+            name: roleId,
+            assumeRolePolicy: JSON.stringify({
+                Version: '2012-10-17',
+                Statement: [
+                    {
+                        Effect: 'Allow',
+                        Principal: { Service: 'cognito-idp.amazonaws.com' },
+                        Action: 'sts:AssumeRole',
+                        Condition: {
+                            StringEquals: {
+                                'sts:ExternalId': externalId,
+                            },
+                        },
+                    },
+                ],
+            }),
+        });
+        new iam_role_policy_1.IamRolePolicy(scope, `${roleId}-policy`, {
+            name: 'AllowSnsPublish',
+            role: snsRole.name,
+            policy: JSON.stringify({
+                Version: '2012-10-17',
+                Statement: [
+                    {
+                        Effect: 'Allow',
+                        Action: ['sns:Publish'],
+                        Resource: '*',
+                    },
+                ],
+            }),
+        });
+        return {
+            externalId,
+            snsCallerArn: snsRole.arn,
+        };
+    }
+    static getMfaConfig(mfa) {
+        if (!mfa || mfa.status === 'off') {
+            return;
+        }
+        const config = {
+            mfaConfiguration: mfa.status === 'optional' ? 'OPTIONAL' : 'ON',
+        };
+        if (mfa.sms) {
+            config.smsAuthenticationMessage = mfa.sms;
+        }
+        if (mfa.email) {
+            config.emailMfaConfiguration = {
+                message: mfa.email.body,
+                subject: mfa.email.subject,
+            };
+        }
+        if (mfa.opt) {
+            config.softwareTokenMfaConfiguration = {
+                enabled: mfa.opt,
+            };
+        }
+        return config;
+    }
+    static getUserAttributes(attributeClass) {
+        if (!attributeClass) {
+            return;
+        }
+        const attributeByName = {};
+        const schema = [];
+        const attributeMetadata = (0, common_1.getMetadataPrototypeByKey)(attributeClass, main_1.authFieldKey);
+        for (const attribute of attributeMetadata) {
+            attributeByName[attribute.name] = attribute;
+            if (attribute.attributeType === 'standard') {
+                const attributeName = auth_utils_1.mapUserAttributes[attribute.name];
+                if (!attributeName) {
+                    throw new Error(`${attribute.name} is not a standard cognito attribute`);
+                }
+                schema.push({
+                    attributeDataType: attribute.type,
+                    name: attributeName,
+                    mutable: attribute.mutable,
+                    required: attribute.required,
+                    ...(attribute.type === 'String' && {
+                        stringAttributeConstraints: {
+                            minLength: cdktn_1.Token.asString(1),
+                            maxLength: cdktn_1.Token.asString(2048),
+                        },
+                    }),
+                    ...(attribute.type === 'Number' && {
+                        numberAttributeConstraints: {
+                            minValue: cdktn_1.Token.asString(0),
+                            maxValue: cdktn_1.Token.asString(999999),
+                        },
+                    }),
+                });
+            }
+            else {
+                let constrains;
+                if (attribute.type === 'Number') {
+                    constrains = {
+                        minValue: cdktn_1.Token.asString(attribute.min ?? 0),
+                        maxValue: cdktn_1.Token.asString(attribute.max ?? 999999),
+                    };
+                }
+                else if (attribute.type === 'String') {
+                    constrains = {
+                        minLength: cdktn_1.Token.asString(attribute.minLen ?? 0),
+                        maxLength: cdktn_1.Token.asString(attribute.maxLen ?? 2048),
+                    };
+                }
+                schema.push({
+                    attributeDataType: attribute.type === 'Object' ? 'DateTime' : attribute.type,
+                    name: attribute.name,
+                    mutable: attribute.mutable,
+                    numberAttributeConstraints: attribute.type === 'Number'
+                        ? constrains
+                        : undefined,
+                    stringAttributeConstraints: attribute.type === 'String'
+                        ? constrains
+                        : undefined,
+                });
+            }
+        }
+        return {
+            schema,
+            attributeByName,
+        };
+    }
+    static getUserVerification(userVerification) {
+        if (!userVerification) {
+            return;
+        }
+        const verificationTemplate = {
+            smsMessage: userVerification.sms,
+        };
+        if (!userVerification.email) {
+            return verificationTemplate;
+        }
+        if (userVerification.email.type === 'code') {
+            verificationTemplate.defaultEmailOption = 'CONFIRM_WITH_CODE';
+            verificationTemplate.emailMessage = userVerification.email.body;
+            verificationTemplate.emailSubject = userVerification.email.subject;
+            return verificationTemplate;
+        }
+        verificationTemplate.defaultEmailOption = 'CONFIRM_WITH_LINK';
+        verificationTemplate.emailMessageByLink = userVerification.email.body;
+        verificationTemplate.emailSubjectByLink = userVerification.email.subject;
+        return verificationTemplate;
+    }
+    static getSignInCaseSensitive(signInCaseSensitive) {
+        if (signInCaseSensitive === undefined) {
+            return;
+        }
+        return {
+            caseSensitive: signInCaseSensitive,
+        };
+    }
+    static getCognitoPlan(plan) {
+        if (!plan) {
+            return;
+        }
+        return plan.toUpperCase();
+    }
+    static getEmailConfig(email) {
+        if (!email) {
+            return;
+        }
+        if (email.account === 'ses') {
+            return {
+                emailSendingAccount: 'DEVELOPER',
+                sourceArn: email.arn,
+                fromEmailAddress: email.from,
+                replyToEmailAddress: email.reply,
+                configurationSet: email.configurationSet,
+            };
+        }
+        return {
+            emailSendingAccount: 'COGNITO_DEFAULT',
+            fromEmailAddress: email.from,
+            replyToEmailAddress: email.reply,
+        };
+    }
+    static getAutoVerifiedAttributes(attributes) {
+        if (!attributes) {
+            return undefined;
+        }
+        const verifyAttributes = {
+            email: 'email',
+            phone: 'phone_number',
+        };
+        return attributes.map((attr) => verifyAttributes[attr]);
+    }
+    static getPasswordPolicy(policy) {
+        if (!policy) {
+            return undefined;
+        }
+        return {
+            minimumLength: policy.minLength,
+            requireLowercase: policy.requireLowercase,
+            requireNumbers: policy.requireDigits,
+            requireSymbols: policy.requireSymbols,
+            requireUppercase: policy.requireUppercase,
+            temporaryPasswordValidityDays: policy.validityDays,
+        };
+    }
+    static getAdminCreateUserConfig(selfSignUpEnabled, invitationMessage) {
+        if (selfSignUpEnabled === undefined && !invitationMessage) {
+            return undefined;
+        }
+        return {
+            allowAdminCreateUserOnly: selfSignUpEnabled !== undefined ? !selfSignUpEnabled : undefined,
+            inviteMessageTemplate: invitationMessage
+                ? {
+                    emailMessage: invitationMessage?.email?.body,
+                    emailSubject: invitationMessage?.email?.subject,
+                    smsMessage: invitationMessage?.sms,
+                }
+                : undefined,
+        };
+    }
+    static getAccountRecoverySettings(accountRecovery) {
+        if (!accountRecovery) {
+            return undefined;
+        }
+        return {
+            recoveryMechanism: accountRecovery.map((name, index) => ({
+                name,
+                priority: index + 1,
+            })),
+        };
+    }
+    static getAliasAttributes(signInAliases) {
+        if (!signInAliases) {
+            return undefined;
+        }
+        const aliases = {
+            email: 'email',
+            phone: 'phoneNumber',
+            preferred_username: 'preferred_username',
+        };
+        return signInAliases.map((alias) => aliases[alias]);
+    }
+}
+exports.InternalUserPool = InternalUserPool;