@lafken/auth 0.10.1

package/lib/resolver/auth/user-pool/user-pool.types.d.ts

@@ -0,0 +1,263 @@
+import type { ClassResource, ResourceOutputType } from '@lafken/common';
+export type SignInAliases = 'email' | 'phone' | 'preferred_username';
+export type CognitoPlan = 'lite' | 'essentials' | 'plus';
+export type UserVerificationType = 'code' | 'link';
+export type AccountRecovery = 'verified_email' | 'verified_phone_number' | 'admin_only';
+export type AuthFlow = 'admin_user_password' | 'custom' | 'user' | 'user_password' | 'user_srp';
+export type OAuthFlow = 'authorization_code_grant' | 'client_credentials' | 'implicit_code_grant';
+export type OAuthScopes = 'cognito_admin' | 'email' | 'open_id' | 'phone' | 'profile' | {
+    name: string;
+    description: string;
+};
+export type AmazonProviderAttributes = 'email' | 'name' | 'postal_code' | 'user_id';
+export type AppleProviderAttributes = 'email' | 'email_verified' | 'first_name' | 'last_name' | 'name';
+export type FacebookProviderAttributes = 'id' | 'email' | 'birthday' | 'gender' | 'id' | 'locale' | 'middle_name' | 'name' | 'first_name' | 'last_name' | 'link' | 'website';
+export type GoogleProviderAttributes = 'sub' | 'name' | 'given_name' | 'family_name' | 'middle_name' | 'nickname' | 'preferred_username' | 'profile' | 'picture' | 'website' | 'email' | 'email_verified' | 'gender' | 'birthdate' | 'zoneinfo' | 'locale' | 'phone_number' | 'phone_number_verified' | 'address' | 'updated_at';
+export type AutoVerifyAttributes = Exclude<SignInAliases, 'preferred_username'>;
+export type UserPoolOutputAttributes = 'arn' | 'domain' | 'endpoint' | 'id';
+export interface PasswordPolicy {
+    minLength?: number;
+    requireDigits?: boolean;
+    requireLowercase?: boolean;
+    requireSymbols?: boolean;
+    requireUppercase?: boolean;
+    validityDays?: number;
+}
+export interface CognitoEmailBase {
+    from?: string;
+    reply?: string;
+}
+export interface CognitoEmailAccount extends CognitoEmailBase {
+    account?: 'cognito';
+}
+export interface SesEmailAccount extends CognitoEmailBase {
+    account: 'ses';
+    arn: string;
+    configurationSet?: string;
+}
+export type EmailConfig = CognitoEmailAccount | SesEmailAccount;
+export interface MfaConfigOff {
+    status: 'off';
+}
+export interface MfaConfigOn {
+    status: 'optional' | 'required';
+    email?: {
+        body: string;
+        subject: string;
+    };
+    sms?: string;
+    opt?: boolean;
+}
+export interface InvitationMessage {
+    email?: {
+        subject: string;
+        body: string;
+    };
+    sms?: string;
+}
+export interface UserVerification {
+    email?: {
+        subject: string;
+        body: string;
+        type: UserVerificationType;
+    };
+    sms?: string;
+}
+export type Mfa = MfaConfigOff | MfaConfigOn;
+export type IdentityProviderAttributes<T extends Function, A extends string> = Partial<Record<keyof T['prototype'], A | (string & {})>>;
+export interface CommonIdentityProvider {
+    clientId: string;
+    clientSecret: string;
+    scopes: string[];
+}
+export interface AmazonIdentityProvider<T extends Function> extends CommonIdentityProvider {
+    type: 'amazon';
+    attributes: IdentityProviderAttributes<T, AmazonProviderAttributes>;
+}
+export interface AppleIdentityProvider<T extends Function> extends Omit<CommonIdentityProvider, 'clientSecret'> {
+    type: 'apple';
+    keyId: string;
+    teamId: string;
+    privateKeyValue: string;
+    attributes: IdentityProviderAttributes<T, AppleProviderAttributes>;
+}
+export interface FacebookIdentityProvider<T extends Function> extends CommonIdentityProvider {
+    type: 'facebook';
+    apiVersion?: string;
+    attributes: IdentityProviderAttributes<T, FacebookProviderAttributes>;
+}
+export interface GoogleIdentityProvider<T extends Function> extends CommonIdentityProvider {
+    type: 'google';
+    attributes: IdentityProviderAttributes<T, GoogleProviderAttributes>;
+}
+export interface OidcIdentityProvider<T extends Function> extends CommonIdentityProvider {
+    type: 'oidc';
+    name: string;
+    attributes: IdentityProviderAttributes<T, string>;
+    attributesRequestMethod: 'GET' | 'POST';
+    authorizeUrl: string;
+    tokenUrl: string;
+    attributesUrl: string;
+    jwksUri: string;
+}
+export type IdentityProvider<T extends ClassResource> = AmazonIdentityProvider<T> | AppleIdentityProvider<T> | FacebookIdentityProvider<T> | GoogleIdentityProvider<T> | OidcIdentityProvider<T>;
+export interface InternalUserPoolProps<T extends ClassResource> {
+    isExternal?: never;
+    /**
+     * Defines the attributes for the Cognito User Pool.
+     * Accepts a class decorated with `@Attributes`, where each property can be:
+     * - Decorated with `@Standard` to use Cognito's built-in standard attributes, such as email, phone number, or full name.
+     * - Decorated with `@Custom` to define custom attributes specific to your application.
+     *
+     * This allows defining both standard and custom user attributes in a structured way.
+     *
+     * @example
+     * class UserAttributes {
+     *   @Standard()
+     *   email!: string;
+     *
+     *   @Custom()
+     *   favoriteColor!: string;
+     * }
+     *
+     * const userPoolProps: UserPoolProps = {
+     *   attributes: UserAttributes,
+     * };
+     */
+    attributes?: T;
+    /**
+     *  Defines which identifiers users can use to sign in to the Cognito User Pool.
+     * Supported aliases include:
+     * - `username`
+     * - `email`
+     * - `phone_number`
+     */
+    signInAliases?: SignInAliases[];
+    /**
+     * Defines the password policy for the Cognito User Pool.
+     * This allows configuring rules for user passwords, including:
+     * - Minimum length
+     * - Requirement for uppercase letters
+     * - Requirement for lowercase letters
+     * - Requirement for numbers
+     * - Requirement for special characters
+     */
+    passwordPolicy?: PasswordPolicy;
+    /**
+     *  Defines the account recovery options for the Cognito User Pool.
+     * This determines how users can recover their accounts if they forget their password,
+     * such as via email, phone, or both.
+     *
+     * Choosing appropriate recovery options improves user experience and security.
+     */
+    accountRecovery?: AccountRecovery[];
+    /**
+     * Specifies which user attributes can be used as the username during sign-up
+     * and authentication. Common options include `email` and `phone`.
+     */
+    usernameAttributes?: AutoVerifyAttributes[];
+    /**
+     * Defines which attributes Cognito should automatically verify during sign-up.
+     * Only attributes such as `email` or `phone` can be auto-verified.
+     */
+    autoVerifyAttributes?: AutoVerifyAttributes[];
+    /**
+     * Defines the email configuration for the Cognito User Pool.
+     * This includes settings such as the sending method (SES or default),
+     * sender email address, and reply-to address.
+     * It allows customizing how Cognito sends verification and notification emails.
+     */
+    email?: EmailConfig;
+    /**
+     * Defines the Cognito pricing and feature plan for the User Pool.
+     */
+    cognitoPlan?: CognitoPlan;
+    /**
+     * Defines the Multi-Factor Authentication (MFA) configuration for the User Pool.
+     * MFA adds an extra layer of security by requiring users to provide additional verification,
+     * such as a code sent via SMS or an authenticator app.
+     */
+    mfa?: Mfa;
+    /**
+     * Defines whether users can register (sign up) themselves into the User Pool
+     * without an administrator creating their accounts.
+     */
+    selfSignUpEnabled?: boolean;
+    /**
+     *  Defines whether sign-in identifiers (such as username or email)
+     * are treated as case-sensitive.
+     */
+    signInCaseSensitive?: boolean;
+    /**
+     * Defines the custom invitation message configuration sent to new users
+     * when they are created by an admin or imported into the User Pool.
+     */
+    invitationMessage?: InvitationMessage;
+    /**
+     *  Defines the messages and methods used to verify a user's account
+     * during sign-up in the Cognito User Pool. Verification can be sent via email or SMS.
+     */
+    userVerification?: UserVerification;
+    /**
+     * Defines the external identity providers that can be associated with the UserPool.
+     * These providers allow users to authenticate using third-party services
+     * such as Google, Facebook, Amazon, Apple or OpenID .
+     */
+    identityProviders?: IdentityProvider<T>[];
+    /**
+     * Defines the list of extensions (triggers) to attach to the Cognito User Pool.
+     *
+     * This property allows you to add custom logic to different actions performed
+     * by the User Pool, such as `preSignUp`, `postConfirmation`, `preAuthentication`, etc.
+     *
+     * Each extension should be a class decorated with `@AuthExtension`, and its methods
+     * must be decorated with `@Trigger`. The `type` of each trigger must be unique
+     * to prevent conflicts.
+     *
+     * @example
+     * // first create an extension class with @AuthExtension decorator
+     * {
+     *   extensions: [PreSignUpClass, PostTokenClass]
+     * }
+     */
+    extensions?: ClassResource[];
+    /**
+     * Defines which Cognito User Pool attributes should be exported.
+     *
+     * Supported attributes are based on Terraform `aws_cognito_user_pool`
+     * exported attributes and currently include:
+     * - `arn`: ARN of the user pool.
+     * - `domain`: Domain prefix associated with the user pool.
+     * - `endpoint`: Endpoint name of the user pool.
+     * - `id`: ID of the user pool.
+     *
+     * Each selected attribute can be exported through SSM Parameter Store (`type: 'ssm'`)
+     * or Terraform outputs (`type: 'output'`).
+     *
+     * @example
+     * {
+     *   output: [
+     *     { type: 'ssm', name: '/my-user-pool/id', value: 'id' },
+     *     { type: 'output', name: 'user_pool_arn', value: 'arn' }
+     *   ]
+     * }
+     */
+    outputs?: ResourceOutputType<UserPoolOutputAttributes>;
+}
+export interface ExternalUserPoolProps {
+    /**
+     * Marks the User Pool as an external resource.
+     *
+     * When set to `true`, the User Pool is not created by the framework.
+     * Instead, it references an existing Cognito User Pool using the provided `userPoolId`.
+     */
+    isExternal: true;
+    /**
+     * The ID of the existing Cognito User Pool to reference.
+     *
+     * This value is used to look up and integrate with a User Pool
+     * that was created outside of the framework.
+     */
+    userPoolId: string;
+}
+export type UserPoolProps<T extends ClassResource> = InternalUserPoolProps<T> | ExternalUserPoolProps;

package/lib/resolver/auth/user-pool/user-pool.types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/resolver/auth/user-pool-client/external/external.d.ts

@@ -0,0 +1,7 @@
+import { DataAwsCognitoUserPoolClient } from '@cdktn/provider-aws/lib/data-aws-cognito-user-pool-client';
+import { Construct } from 'constructs';
+import type { ExternalUserPoolClientProps } from '../user-pool-client.types';
+export declare class ExternalUserPoolClient extends Construct {
+    cognitoUserPoolClient: DataAwsCognitoUserPoolClient;
+    constructor(scope: Construct, id: string, props: ExternalUserPoolClientProps);
+}

package/lib/resolver/auth/user-pool-client/external/external.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ExternalUserPoolClient = void 0;
+const data_aws_cognito_user_pool_client_1 = require("@cdktn/provider-aws/lib/data-aws-cognito-user-pool-client");
+const constructs_1 = require("constructs");
+class ExternalUserPoolClient extends constructs_1.Construct {
+    cognitoUserPoolClient;
+    constructor(scope, id, props) {
+        super(scope, 'user-pool-client');
+        this.cognitoUserPoolClient = new data_aws_cognito_user_pool_client_1.DataAwsCognitoUserPoolClient(this, id, {
+            clientId: props.clientId,
+            userPoolId: props.userPoolId,
+        });
+    }
+}
+exports.ExternalUserPoolClient = ExternalUserPoolClient;

package/lib/resolver/auth/user-pool-client/internal/internal.d.ts

@@ -0,0 +1,14 @@
+import { CognitoUserPoolClient } from '@cdktn/provider-aws/lib/cognito-user-pool-client';
+import { Construct } from 'constructs';
+import type { InternalUserPoolClientProps } from '../user-pool-client.types';
+export declare class InternalUserPoolClient extends Construct {
+    private props;
+    cognitoUserPoolClient: CognitoUserPoolClient;
+    constructor(scope: Construct, id: string, props: InternalUserPoolClientProps);
+    private getRefreshTokenRotation;
+    private getExplicitAuthFlows;
+    private getOauthConfig;
+    private getValidity;
+    private resolveValidityUnit;
+    private getAttributes;
+}

package/lib/resolver/auth/user-pool-client/internal/internal.js

@@ -0,0 +1,115 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InternalUserPoolClient = void 0;
+const cognito_user_pool_client_1 = require("@cdktn/provider-aws/lib/cognito-user-pool-client");
+const resolver_1 = require("@lafken/resolver");
+const constructs_1 = require("constructs");
+const auth_utils_1 = require("../../auth.utils");
+class InternalUserPoolClient extends constructs_1.Construct {
+    props;
+    cognitoUserPoolClient;
+    constructor(scope, id, props) {
+        super(scope, 'user-pool-client');
+        this.props = props;
+        this.cognitoUserPoolClient = new cognito_user_pool_client_1.CognitoUserPoolClient(this, id, {
+            ...this.getValidity(props),
+            ...this.getOauthConfig(props.oauth),
+            name: id,
+            userPoolId: props.userPoolId,
+            enableTokenRevocation: props.enableTokenRevocation ?? true,
+            generateSecret: props.generateSecret ?? false,
+            preventUserExistenceErrors: props.preventUserExistenceErrors !== false ? 'ENABLED' : 'LEGACY',
+            explicitAuthFlows: this.getExplicitAuthFlows(props.authFlows),
+            refreshTokenRotation: this.getRefreshTokenRotation(props.refreshTokenRotationGracePeriod),
+            readAttributes: this.getAttributes(props.readAttributes),
+            writeAttributes: this.getAttributes(props.writeAttributes),
+        });
+        new resolver_1.ResourceOutput(this.cognitoUserPoolClient, props.outputs);
+    }
+    getRefreshTokenRotation(period) {
+        if (!period) {
+            return;
+        }
+        return [
+            {
+                feature: 'ENABLED',
+                retryGracePeriodSeconds: period,
+            },
+        ];
+    }
+    getExplicitAuthFlows(authFlows) {
+        if (!authFlows?.length) {
+            return undefined;
+        }
+        return authFlows.map((flow) => flow.toUpperCase());
+    }
+    getOauthConfig(oauth) {
+        if (!oauth || !oauth.flows?.length) {
+            return {};
+        }
+        return {
+            allowedOauthFlowsUserPoolClient: true,
+            allowedOauthFlows: oauth.flows,
+            allowedOauthScopes: oauth.scopes,
+            callbackUrls: oauth.callbackUrls,
+            defaultRedirectUri: oauth.defaultRedirectUri,
+            logoutUrls: oauth.logoutUrls,
+        };
+    }
+    getValidity(props) {
+        const accessToken = this.resolveValidityUnit(props.validity?.accessToken);
+        const idToken = this.resolveValidityUnit(props.validity?.idToken);
+        const refreshToken = this.resolveValidityUnit(props.validity?.refreshToken);
+        return {
+            authSessionValidity: props.validity?.authSession ?? 3,
+            accessTokenValidity: accessToken.value,
+            idTokenValidity: idToken.value,
+            refreshTokenValidity: refreshToken.value,
+            tokenValidityUnits: accessToken.unit || idToken.unit || refreshToken.unit
+                ? [
+                    {
+                        accessToken: accessToken.unit,
+                        refreshToken: refreshToken.unit,
+                        idToken: idToken.unit,
+                    },
+                ]
+                : undefined,
+        };
+    }
+    resolveValidityUnit(value) {
+        if (!value) {
+            return {};
+        }
+        if (typeof value === 'number') {
+            return {
+                value,
+                unit: 'hours',
+            };
+        }
+        return {
+            value: value.value,
+            unit: value.type,
+        };
+    }
+    getAttributes(selectedAttributes) {
+        if (!selectedAttributes?.length) {
+            return;
+        }
+        const attributes = [];
+        for (const providerAttribute of selectedAttributes) {
+            const attribute = this.props.attributeByName[providerAttribute];
+            if (!attribute) {
+                throw new Error(`Attribute ${providerAttribute} not exist in attribute class`);
+            }
+            const attributeName = attribute.attributeType === 'standard'
+                ? auth_utils_1.mapUserAttributes[attribute.name]
+                : `custom:${attribute.name}`;
+            if (!attributeName) {
+                throw new Error(`Attribute ${attribute.name} is not a standard attribute`);
+            }
+            attributes.push(attributeName);
+        }
+        return attributes;
+    }
+}
+exports.InternalUserPoolClient = InternalUserPoolClient;

package/lib/resolver/auth/user-pool-client/user-pool-client.types.d.ts

@@ -0,0 +1,169 @@
+import type { ResourceOutputType } from '@lafken/common';
+import type { CustomAttributesMetadata, StandardAttributeMetadata } from '../../../main';
+export type AuthFlow = 'allow_admin_user_password_auth' | 'allow_custom_auth' | 'allow_user_password_auth' | 'allow_user_srp_auth' | 'allow_refresh_token_auth' | 'allow_user_auth';
+export type OAuthFlow = 'code' | 'client_credentials' | 'implicit';
+export type OAuthScopes = 'aws.cognito.signin.user.admin' | 'email' | 'openid' | 'phone' | 'profile' | (string & {});
+export type UserPoolClientOutputAttributes = 'clientSecret' | 'id';
+export interface ValidityUnit {
+    type: 'seconds' | 'minutes' | 'hours' | 'days';
+    value: number;
+}
+export interface Validity {
+    authSession?: number;
+    accessToken?: number | ValidityUnit;
+    idToken?: number | ValidityUnit;
+    refreshToken?: number | ValidityUnit;
+}
+export interface OAuthConfig {
+    callbackUrls?: string[];
+    defaultRedirectUri?: string;
+    flows?: OAuthFlow[];
+    logoutUrls?: string[];
+    scopes?: OAuthScopes[];
+}
+export interface InternalUserClientProps<T extends Function> {
+    isExternal?: never;
+    /**
+     * Defines the authentication flows enabled for the Cognito User Pool Client.
+     *
+     * This property specifies which authentication mechanisms are allowed
+     * when users attempt to sign in. It supports standard, custom, and admin-based
+     * authentication flows.
+     *
+     * Available values include:
+     * - `'admin_no_srp_auth'`: Admin-initiated authentication without SRP (Secure Remote Password).
+     * - `'custom_auth_flow_only'`: Only allows a custom authentication flow.
+     * - `'user_password_auth'`: Standard username and password authentication.
+     * - `'allow_admin_user_password_auth'`: Admin can authenticate with username and password.
+     * - `'allow_custom_auth'`: Allows custom authentication flows.
+     * - `'allow_user_password_auth'`: Users can authenticate with username and password.
+     * - `'allow_user_srp_auth'`: Users can authenticate with SRP (Secure Remote Password).
+     * - `'allow_refresh_token_auth'`: Enables refreshing authentication tokens.
+     * - `'allow_user_auth'`: Enables general user authentication.
+     */
+    authFlows?: AuthFlow[];
+    /**
+     * Defines the validity durations for the authentication tokens and sessions
+     * of the Cognito User Pool Client.
+     *
+     * This property allows you to specify how long different elements of the
+     * authentication process remain valid before expiring.
+     *
+     * Available options include:
+     * - `authSession`: Duration of the authentication session in seconds.
+     * - `accessToken`: Duration of the access token.
+     * - `idToken`: Duration of the ID token.
+     * - `refreshToken`: Duration of the refresh token.
+     */
+    validity?: Validity;
+    /**
+     * Defines whether token revocation is enabled for the Cognito User Pool Client.
+     *
+     * When set to `true`, it allows tokens (access, ID, and refresh tokens)
+     * issued to users to be explicitly revoked before their natural expiration.
+     * This enhances security by allowing administrators to invalidate tokens
+     * in case of suspicious activity or when a user should no longer have access.
+     */
+    enableTokenRevocation?: boolean;
+    /**
+     * Defines whether the Cognito User Pool Client should generate a client secret.
+     *
+     * When set to `true`, a secret will be generated and associated with the client.
+     * This is useful for server-side applications where the client secret can
+     * be securely stored and used for authentication flows, such as the
+     * client credentials or authorization code flows.
+     */
+    generateSecret?: boolean;
+    /**
+     * Defines the OAuth 2.0 configuration for the Cognito User Pool Client.
+     *
+     * This property allows you to specify how the client interacts with
+     * external OAuth flows, including allowed redirect URLs, enabled flows,
+     * scopes, and logout URLs.
+     *
+     * Available options:
+     * - `callbackUrls`: An array of URLs where Cognito will redirect after successful authentication.
+     * - `defaultRedirectUri`: The default URL used for redirection if none is specified.
+     * - `flows`: List of OAuth flows enabled for the client (e.g., authorization code, implicit).
+     * - `logoutUrls`: URLs where users are redirected after logging out.
+     * - `scopes`: The scopes allowed for this client, defining the access privileges.
+     */
+    oauth?: OAuthConfig;
+    /**
+     * Defines whether to prevent user existence errors for the Cognito User Pool Client.
+     *
+     * When set to `true`, the client will not reveal whether a user exists or not
+     * during authentication attempts. This helps to prevent information leakage
+     * about registered users, enhancing security against user enumeration attacks
+     */
+    preventUserExistenceErrors?: boolean;
+    /**
+     * Defines which attributes of the Cognito User Pool Client are readable.
+     *
+     * This property allows you to specify a list of attribute names that
+     * can be accessed by the client. Only the attributes included in this
+     * list will be returned when querying user information.
+     */
+    readAttributes?: (keyof T['prototype'])[];
+    /**
+     * Defines which attributes of the Cognito User Pool Client are writable.
+     *
+     * This property allows you to specify a list of attribute names that
+     * the client is allowed to modify. Only the attributes included in this
+     * list can be updated through client operations.
+     */
+    writeAttributes?: (keyof T['prototype'])[];
+    /**
+     * Defines the grace period (in seconds) for refresh token rotation in the Cognito User Pool Client.
+     *
+     * When refresh token rotation is enabled, a new refresh token is issued each time
+     * the user uses an existing refresh token. This property sets a grace period during
+     * which both the old and new refresh tokens are valid, allowing smooth token rotation
+     * without immediately invalidating active sessions.
+     */
+    refreshTokenRotationGracePeriod?: number;
+    /**
+     * Defines which Cognito User Pool Client attributes should be exported.
+     *
+     * Supported attributes are based on Terraform `aws_cognito_user_pool_client`
+     * exported attributes and currently include:
+     * - `clientSecret`: Client secret of the user pool client.
+     * - `id`: ID of the user pool client.
+     *
+     * Each selected attribute can be exported through SSM Parameter Store (`type: 'ssm'`)
+     * or Terraform outputs (`type: 'output'`).
+     *
+     * @example
+     * {
+     *   output: [
+     *     { type: 'ssm', name: '/my-user-pool-client/id', value: 'id' },
+     *     { type: 'output', name: 'user_pool_client_secret', value: 'clientSecret' }
+     *   ]
+     * }
+     */
+    outputs?: ResourceOutputType<UserPoolClientOutputAttributes>;
+}
+export interface ExternalUserClientProps {
+    /**
+     * Marks the User Pool as an external resource.
+     *
+     * When set to `true`, the User Pool Client is not created by the framework.
+     * Instead, it references an existing Cognito User Pool Client using the provided `userPoolId`.
+     */
+    isExternal: true;
+    /**
+     * The ID of the existing Cognito User Pool Client to reference.
+     *
+     * This value is used to look up and integrate with a User Pool Client
+     * that was created outside of the framework.
+     */
+    clientId: string;
+}
+export type UserClientProps<T extends Function> = InternalUserClientProps<T> | ExternalUserClientProps;
+export interface InternalUserPoolClientProps extends InternalUserClientProps<any> {
+    userPoolId: string;
+    attributeByName: Record<string, CustomAttributesMetadata | StandardAttributeMetadata>;
+}
+export interface ExternalUserPoolClientProps extends ExternalUserClientProps {
+    userPoolId: string;
+}

package/lib/resolver/auth/user-pool-client/user-pool-client.types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/resolver/index.d.ts

@@ -0,0 +1 @@
+export * from './resolver';

package/lib/resolver/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./resolver"), exports);

package/lib/resolver/resolver.d.ts

@@ -0,0 +1,12 @@
+import type { ClassResource } from '@lafken/common';
+import type { AppModule, ResolverType } from '@lafken/resolver';
+import type { AuthOptions } from './resolver.types';
+export declare class AuthResolver<T extends ClassResource = ClassResource> implements ResolverType {
+    protected options: AuthOptions<T>;
+    type: "AUTHENTICATION";
+    private auth;
+    constructor(options: AuthOptions<T>);
+    beforeCreate(scope: AppModule): Promise<void>;
+    create(module: AppModule): Promise<void>;
+    afterCreate(): Promise<void>;
+}

package/lib/resolver/resolver.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthResolver = void 0;
+const cdktn_1 = require("cdktn");
+const extension_1 = require("../main/extension/extension");
+const auth_1 = require("./auth/auth");
+class AuthResolver {
+    options;
+    type = extension_1.RESOURCE_TYPE;
+    auth;
+    constructor(options) {
+        this.options = options;
+    }
+    async beforeCreate(scope) {
+        this.auth = new auth_1.Auth(scope, this.options.name, this.options);
+        this.auth.create();
+    }
+    async create(module) {
+        cdktn_1.Annotations.of(module).addError('Auth has no resources to create');
+    }
+    async afterCreate() {
+        await this.auth.callExtends();
+    }
+}
+exports.AuthResolver = AuthResolver;