@openhi/constructs 0.0.92 → 0.0.94

package/lib/index.d.mts

@@ -500,12 +500,23 @@ declare class PostConfirmationLambda extends Construct {
     constructor(scope: Construct, props: PostConfirmationLambdaProps);
 }
 
+interface PreTokenGenerationLambdaProps {
+    /**
+     * DynamoDB data store table name. Passed to the Lambda as DYNAMO_TABLE_NAME
+     * so the control-plane ElectroDB service reads the User by Cognito `sub`
+     * (GSI2) and the user's first active Membership (fallback path).
+     */
+    readonly dynamoTableName: string;
+}
 /**
- * Lambda used as Cognito Pre Token Generation trigger.
+ * Lambda used as Cognito Pre Token Generation trigger. Resolves the OpenHI
+ * User from the request's Cognito `sub` and injects `ohi_tid`, `ohi_wid`,
+ * `ohi_uid`, `ohi_uname` into both the ID token and the access token
+ * (ADR 2026-03-17-01).
  */
 declare class PreTokenGenerationLambda extends Construct {
     readonly lambda: NodejsFunction;
-    constructor(scope: Construct);
+    constructor(scope: Construct, props: PreTokenGenerationLambdaProps);
 }
 
 /**
@@ -983,8 +994,10 @@ declare class OpenHiAuthService extends OpenHiService {
      */
     protected createUserPoolKmsKey(): IKey;
     /**
-     * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
-     * openhi_* claims to the access token only; trigger version V2_0 may be required.
+     * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+     * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+     * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+     * both the ID token and the access token (ADR 2026-03-17-01).
      */
     protected createPreTokenGenerationLambda(): IFunction;
     /**
@@ -1008,6 +1021,16 @@ declare class OpenHiAuthService extends OpenHiService {
      * Override to customize.
      */
     protected createUserPool(): IUserPool;
+    /**
+     * Grants the Pre Token Generation Lambda read-only access on the data
+     * store table and its GSIs. The Lambda only needs:
+     * - `Query` on GSI2 to resolve a User by Cognito `sub`
+     * - `GetItem` on the base table for direct User reads
+     *
+     * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+     * falls into the absent-claims path; repair belongs in a separate backfill.
+     */
+    protected grantPreTokenGenerationPermissions(): void;
     /**
      * Grants the Post Authentication Lambda permission to call
      * `cognito-idp:AdminUserGlobalSignOut`.
@@ -1289,4 +1312,4 @@ declare class OpenHiGraphqlService extends OpenHiService {
     protected createRootGraphqlApi(): RootGraphqlApi;
 }
 
-export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoFixtureSeederClient, type CognitoFixtureSeederClientProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, type StaticHostingProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };
+export { type BuildParameterNameProps, ChildHostedZone, type ChildHostedZoneProps, CognitoFixtureSeederClient, type CognitoFixtureSeederClientProps, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, type DataStoreHistoricalArchiveProps, DataStorePostgresReplica, type DataStorePostgresReplicaProps, DiscoverableStringParameter, type DiscoverableStringParameterProps, DynamoDbDataStore, type DynamoDbDataStoreProps, type FhirCurrentResourceChangeDetail, OpenHiApp, type OpenHiAppProps, OpenHiAuthService, type OpenHiAuthServiceProps, OpenHiDataService, type OpenHiDataServiceProps, OpenHiEnvironment, type OpenHiEnvironmentProps, OpenHiGlobalService, type OpenHiGlobalServiceProps, OpenHiGraphqlService, type OpenHiGraphqlServiceProps, OpenHiRestApiService, type OpenHiRestApiServiceProps, OpenHiService, type OpenHiServiceProps, type OpenHiServiceType, OpenHiStage, type OpenHiStageProps, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PostAuthenticationLambda, PostConfirmationLambda, type PostConfirmationLambdaProps, PreTokenGenerationLambda, type PreTokenGenerationLambdaProps, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, type RootGraphqlApiProps, RootHostedZone, RootHttpApi, type RootHttpApiProps, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, type StaticHostingProps, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };

package/lib/index.d.ts

@@ -595,12 +595,23 @@ declare class PostConfirmationLambda extends Construct {
     constructor(scope: Construct, props: PostConfirmationLambdaProps);
 }
 
+interface PreTokenGenerationLambdaProps {
+    /**
+     * DynamoDB data store table name. Passed to the Lambda as DYNAMO_TABLE_NAME
+     * so the control-plane ElectroDB service reads the User by Cognito `sub`
+     * (GSI2) and the user's first active Membership (fallback path).
+     */
+    readonly dynamoTableName: string;
+}
 /**
- * Lambda used as Cognito Pre Token Generation trigger.
+ * Lambda used as Cognito Pre Token Generation trigger. Resolves the OpenHI
+ * User from the request's Cognito `sub` and injects `ohi_tid`, `ohi_wid`,
+ * `ohi_uid`, `ohi_uname` into both the ID token and the access token
+ * (ADR 2026-03-17-01).
  */
 declare class PreTokenGenerationLambda extends Construct {
     readonly lambda: NodejsFunction;
-    constructor(scope: Construct);
+    constructor(scope: Construct, props: PreTokenGenerationLambdaProps);
 }
 
 /**
@@ -1078,8 +1089,10 @@ declare class OpenHiAuthService extends OpenHiService {
      */
     protected createUserPoolKmsKey(): IKey;
     /**
-     * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
-     * openhi_* claims to the access token only; trigger version V2_0 may be required.
+     * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+     * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+     * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+     * both the ID token and the access token (ADR 2026-03-17-01).
      */
     protected createPreTokenGenerationLambda(): IFunction;
     /**
@@ -1103,6 +1116,16 @@ declare class OpenHiAuthService extends OpenHiService {
      * Override to customize.
      */
     protected createUserPool(): IUserPool;
+    /**
+     * Grants the Pre Token Generation Lambda read-only access on the data
+     * store table and its GSIs. The Lambda only needs:
+     * - `Query` on GSI2 to resolve a User by Cognito `sub`
+     * - `GetItem` on the base table for direct User reads
+     *
+     * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+     * falls into the absent-claims path; repair belongs in a separate backfill.
+     */
+    protected grantPreTokenGenerationPermissions(): void;
     /**
      * Grants the Post Authentication Lambda permission to call
      * `cognito-idp:AdminUserGlobalSignOut`.
@@ -1385,4 +1408,4 @@ declare class OpenHiGraphqlService extends OpenHiService {
 }
 
 export { ChildHostedZone, CognitoFixtureSeederClient, CognitoUserPool, CognitoUserPoolClient, CognitoUserPoolDomain, CognitoUserPoolKmsKey, DATA_STORE_CHANGE_DETAIL_MAX_UTF8_BYTES, DATA_STORE_CHANGE_DETAIL_TYPE, DATA_STORE_CHANGE_EVENT_SOURCE, DataEventBus, DataStoreHistoricalArchive, DataStorePostgresReplica, DiscoverableStringParameter, DynamoDbDataStore, OpenHiApp, OpenHiAuthService, OpenHiDataService, OpenHiEnvironment, OpenHiGlobalService, OpenHiGraphqlService, OpenHiRestApiService, OpenHiService, OpenHiStage, OpsEventBus, POSTGRES_REPLICA_CLUSTER_ARN_SSM_NAME, POSTGRES_REPLICA_DATABASE_NAME_SSM_NAME, POSTGRES_REPLICA_SECRET_ARN_SSM_NAME, PostAuthenticationLambda, PostConfirmationLambda, PreTokenGenerationLambda, REST_API_BASE_URL_SSM_NAME, RootGraphqlApi, RootHostedZone, RootHttpApi, RootWildcardCertificate, STATIC_HOSTING_SERVICE_TYPE, StaticHosting, buildFhirCurrentResourceChangeDetail, getDynamoDbDataStoreTableName, getPostgresReplicaSchemaName };
-export type { BuildParameterNameProps, ChildHostedZoneProps, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, PostConfirmationLambdaProps, RootGraphqlApiProps, RootHttpApiProps, StaticHostingProps };
+export type { BuildParameterNameProps, ChildHostedZoneProps, CognitoFixtureSeederClientProps, DataStoreHistoricalArchiveProps, DataStorePostgresReplicaProps, DiscoverableStringParameterProps, DynamoDbDataStoreProps, FhirCurrentResourceChangeDetail, OpenHiAppProps, OpenHiAuthServiceProps, OpenHiDataServiceProps, OpenHiEnvironmentProps, OpenHiGlobalServiceProps, OpenHiGraphqlServiceProps, OpenHiRestApiServiceProps, OpenHiServiceProps, OpenHiServiceType, OpenHiStageProps, PostConfirmationLambdaProps, PreTokenGenerationLambdaProps, RootGraphqlApiProps, RootHttpApiProps, StaticHostingProps };

package/lib/index.js

@@ -647,6 +647,10 @@ var CognitoUserPool = class extends import_aws_cognito2.UserPool {
         emailStyle: import_aws_cognito2.VerificationEmailStyle.CODE
       },
       removalPolicy: props.removalPolicy ?? service.removalPolicy,
+      // Plus is required for access-token V2 claim customization in the
+      // pre-token-generation Lambda. Essentials silently drops
+      // claimsAndScopeOverrideDetails.accessTokenGeneration.claimsToAddOrOverride.
+      featurePlan: import_aws_cognito2.FeaturePlan.PLUS,
       /**
        * Over-rideable props
        */
@@ -795,12 +799,15 @@ function resolveHandlerEntry3(dirname) {
   return fromLib;
 }
 var PreTokenGenerationLambda = class extends import_constructs3.Construct {
-  constructor(scope) {
+  constructor(scope, props) {
     super(scope, "pre-token-generation-lambda");
     this.lambda = new import_aws_lambda_nodejs3.NodejsFunction(this, "handler", {
       entry: resolveHandlerEntry3(__dirname),
       runtime: import_aws_lambda3.Runtime.NODEJS_LATEST,
-      memorySize: 1024
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
     });
   }
 };
@@ -1513,6 +1520,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.postConfirmationLambda = this.createPostConfirmationLambda();
     this.userPool = this.createUserPool();
+    this.grantPreTokenGenerationPermissions();
     this.grantPostAuthenticationPermissions();
     this.grantPostConfirmationPermissions();
     this.userPoolClient = this.createUserPoolClient();
@@ -1605,11 +1613,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     return key;
   }
   /**
-   * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
-   * openhi_* claims to the access token only; trigger version V2_0 may be required.
+   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+   * both the ID token and the access token (ADR 2026-03-17-01).
    */
   createPreTokenGenerationLambda() {
-    const construct = new PreTokenGenerationLambda(this);
+    const construct = new PreTokenGenerationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
+    });
     return construct.lambda;
   }
   /**
@@ -1670,6 +1682,27 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return userPool;
   }
+  /**
+   * Grants the Pre Token Generation Lambda read-only access on the data
+   * store table and its GSIs. The Lambda only needs:
+   * - `Query` on GSI2 to resolve a User by Cognito `sub`
+   * - `GetItem` on the base table for direct User reads
+   *
+   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+   * falls into the absent-claims path; repair belongs in a separate backfill.
+   */
+  grantPreTokenGenerationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
+    this.preTokenGenerationLambda.addToRolePolicy(
+      new import_aws_iam.PolicyStatement({
+        effect: import_aws_iam.Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
+  }
   /**
    * Grants the Post Authentication Lambda permission to call
    * `cognito-idp:AdminUserGlobalSignOut`.