@openhi/constructs 0.0.92 → 0.0.94

package/lib/index.mjs

@@ -576,6 +576,7 @@ CognitoFixtureSeederClient.SSM_PARAM_NAME = "COGNITO_FIXTURE_SEEDER_CLIENT";
 
 // src/components/cognito/cognito-user-pool.ts
 import {
+  FeaturePlan,
   UserPool,
   VerificationEmailStyle
 } from "aws-cdk-lib/aws-cognito";
@@ -596,6 +597,10 @@ var CognitoUserPool = class extends UserPool {
         emailStyle: VerificationEmailStyle.CODE
       },
       removalPolicy: props.removalPolicy ?? service.removalPolicy,
+      // Plus is required for access-token V2 claim customization in the
+      // pre-token-generation Lambda. Essentials silently drops
+      // claimsAndScopeOverrideDetails.accessTokenGeneration.claimsToAddOrOverride.
+      featurePlan: FeaturePlan.PLUS,
       /**
        * Over-rideable props
        */
@@ -744,12 +749,15 @@ function resolveHandlerEntry3(dirname) {
   return fromLib;
 }
 var PreTokenGenerationLambda = class extends Construct3 {
-  constructor(scope) {
+  constructor(scope, props) {
     super(scope, "pre-token-generation-lambda");
     this.lambda = new NodejsFunction3(this, "handler", {
       entry: resolveHandlerEntry3(__dirname),
       runtime: Runtime3.NODEJS_LATEST,
-      memorySize: 1024
+      memorySize: 1024,
+      environment: {
+        DYNAMO_TABLE_NAME: props.dynamoTableName
+      }
     });
   }
 };
@@ -1358,6 +1366,7 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     this.postAuthenticationLambda = this.createPostAuthenticationLambda();
     this.postConfirmationLambda = this.createPostConfirmationLambda();
     this.userPool = this.createUserPool();
+    this.grantPreTokenGenerationPermissions();
     this.grantPostAuthenticationPermissions();
     this.grantPostConfirmationPermissions();
     this.userPoolClient = this.createUserPoolClient();
@@ -1450,11 +1459,15 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     return key;
   }
   /**
-   * Creates the Pre Token Generation Lambda (Cognito trigger). Phase 2 will add
-   * openhi_* claims to the access token only; trigger version V2_0 may be required.
+   * Creates the Pre Token Generation Lambda (Cognito trigger). On every
+   * sign-in and token refresh the Lambda resolves the User by Cognito `sub`
+   * (GSI2) and injects `ohi_tid`, `ohi_wid`, `ohi_uid`, `ohi_uname` into
+   * both the ID token and the access token (ADR 2026-03-17-01).
    */
   createPreTokenGenerationLambda() {
-    const construct = new PreTokenGenerationLambda(this);
+    const construct = new PreTokenGenerationLambda(this, {
+      dynamoTableName: this.dataStoreTable().tableName
+    });
     return construct.lambda;
   }
   /**
@@ -1515,6 +1528,27 @@ var _OpenHiAuthService = class _OpenHiAuthService extends OpenHiService {
     });
     return userPool;
   }
+  /**
+   * Grants the Pre Token Generation Lambda read-only access on the data
+   * store table and its GSIs. The Lambda only needs:
+   * - `Query` on GSI2 to resolve a User by Cognito `sub`
+   * - `GetItem` on the base table for direct User reads
+   *
+   * No write or scan access: a User missing `currentTenant`/`currentWorkspace`
+   * falls into the absent-claims path; repair belongs in a separate backfill.
+   */
+  grantPreTokenGenerationPermissions() {
+    const dataStoreTable = this.dataStoreTable();
+    const dynamoActions = ["dynamodb:GetItem", "dynamodb:Query"];
+    dataStoreTable.grant(this.preTokenGenerationLambda, ...dynamoActions);
+    this.preTokenGenerationLambda.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: [...dynamoActions],
+        resources: [`${dataStoreTable.tableArn}/index/*`]
+      })
+    );
+  }
   /**
    * Grants the Post Authentication Lambda permission to call
    * `cognito-idp:AdminUserGlobalSignOut`.