npm - @openhi/constructs - Versions diffs - 0.0.92 → 0.0.93 - Mend

@openhi/constructs 0.0.92 → 0.0.93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/lib/index.d.mts +28 -5
package/lib/index.d.ts +28 -5
package/lib/index.js +34 -5
package/lib/index.js.map +1 -1
package/lib/index.mjs +34 -5
package/lib/index.mjs.map +1 -1
package/lib/pre-token-generation.handler.d.mts +0 -7
package/lib/pre-token-generation.handler.d.ts +0 -7
package/lib/pre-token-generation.handler.js +885 -11
package/lib/pre-token-generation.handler.js.map +1 -1
package/lib/pre-token-generation.handler.mjs +87 -11
package/lib/pre-token-generation.handler.mjs.map +1 -1
package/package.json +3 -3

package/lib/index.mjs CHANGED Viewed

@@ -744,12 +744,15 @@ function resolveHandlerEntry3(dirname) {
   return fromLib;
 }
 var PreTokenGenerationLambda = class extends Construct3 {
-  constructor(scope) {
+  constructor(scope, props) {
     super(scope, "pre-token-generation-lambda");
     this.lambda = new NodejsFunction3(this, "handler", {
       entry: resolveHandlerEntry3(__dirname),
       runtime: Runtime3.NODEJS_LATEST,
-      memorySize: 1024
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
     });
   }
 };
@@ -1358,6 +1361,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.postConfirmationLambda = this.createPostConfirmationLambda();
     this.userPool = this.createUserPool();
+    this.grantPreTokenGenerationPermissions();
     this.grantPostAuthenticationPermissions();
     this.grantPostConfirmationPermissions();
     this.userPoolClient = this.createUserPoolClient();
@@ -1450,11 +1454,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     return key;
   }
   /**
-   * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
-   * openhi_* claims to the access token only; trigger version V2_0 may be required.
+   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+   * both the ID token and the access token (ADR 2026-03-17-01).
    */
   createPreTokenGenerationLambda() {
-    const construct = new PreTokenGenerationLambda(this);
+    const construct = new PreTokenGenerationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
+    });
     return construct.lambda;
   }
   /**
@@ -1515,6 +1523,27 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return userPool;
   }
+  /**
+   * Grants the Pre Token Generation Lambda read-only access on the data
+   * store table and its GSIs. The Lambda only needs:
+   * - `Query` on GSI2 to resolve a User by Cognito `sub`
+   * - `GetItem` on the base table for direct User reads
+   *
+   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+   * falls into the absent-claims path; repair belongs in a separate backfill.
+   */
+  grantPreTokenGenerationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
+    this.preTokenGenerationLambda.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
+  }
   /**
    * Grants the Post Authentication Lambda permission to call
    * `cognito-idp:AdminUserGlobalSignOut`.