@ttoss/cloud-auth 0.12.20 → 0.12.22

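--- a/package/src/template.ts
+++ /dev/null
@@ -1,387 +0,0 @@
-import { PASSWORD_MINIMUM_LENGTH } from './config';
-import type { CloudFormationTemplate, Policy } from '@ttoss/cloudformation';
-
-const CognitoUserPoolLogicalId = 'CognitoUserPool';
-
-const CognitoUserPoolClientLogicalId = 'CognitoUserPoolClient';
-
-const CognitoIdentityPoolLogicalId = 'CognitoIdentityPool';
-
-const IdentityPoolAuthenticatedIAMRoleLogicalId =
-'IdentityPoolAuthenticatedIAMRole';
-
-const IdentityPoolUnauthenticatedIAMRoleLogicalId =
-'IdentityPoolUnauthenticatedIAMRole';
-
-export const DenyStatement = {
-Effect: 'Deny' as const,
-Action: ['*'],
-Resource: ['*'],
-};
-
-export const defaultPrincipalTags = {
-appClientId: 'aud',
-userId: 'sub',
-};
-
-export const createAuthTemplate = ({
-autoVerifiedAttributes = ['email'],
-identityPool,
-schema,
-usernameAttributes = ['email'],
-}: {
-autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
-identityPool?: {
-enabled?: boolean;
-name?: string;
-allowUnauthenticatedIdentities?: boolean;
-authenticatedRoleArn?: string;
-authenticatedPolicies?: Policy[];
-unauthenticatedRoleArn?: string;
-unauthenticatedPolicies?: Policy[];
-principalTags?: Record<string, string> | boolean;
-};
-/**
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
-*/
-schema?: {
-attributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
-developerOnlyAttribute?: boolean;
-mutable?: boolean;
-name?: string;
-numberAttributeConstraints?: {
-maxValue?: string;
-minValue?: string;
-};
-required?: boolean;
-stringAttributeConstraints?: {
-maxLength: string;
-minLength: string;
-};
-}[];
-usernameAttributes?: Array<'email' | 'phone_number'> | null;
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-} = {}): any => {
-const AutoVerifiedAttributes =
-Array.isArray(autoVerifiedAttributes) && autoVerifiedAttributes.length > 0
-? autoVerifiedAttributes
-: [];
-
-const template: CloudFormationTemplate = {
-AWSTemplateFormatVersion: '2010-09-09',
-Resources: {
-[CognitoUserPoolLogicalId]: {
-/**
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
-*/
-Type: 'AWS::Cognito::UserPool',
-Properties: {
-AutoVerifiedAttributes,
-Policies: {
-PasswordPolicy: {
-MinimumLength: PASSWORD_MINIMUM_LENGTH,
-RequireLowercase: false,
-RequireNumbers: false,
-RequireSymbols: false,
-RequireUppercase: false,
-TemporaryPasswordValidityDays: 30,
-},
-},
-UsernameAttributes: usernameAttributes,
-UsernameConfiguration: {
-CaseSensitive: false,
-},
-UserPoolName: {
-Ref: 'AWS::StackName',
-},
-},
-},
-[CognitoUserPoolClientLogicalId]: {
-/**
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
-*/
-Type: 'AWS::Cognito::UserPoolClient',
-Properties: {
-SupportedIdentityProviders: ['COGNITO'],
-UserPoolId: {
-Ref: 'CognitoUserPool',
-},
-},
-},
-},
-Outputs: {
-Region: {
-Description: 'You use this value on Amplify Auth `region`.',
-Value: {
-Ref: 'AWS::Region',
-},
-Export: {
-Name: {
-'Fn::Join': [':', [{ Ref: 'AWS::StackName' }, 'Region']],
-},
-},
-},
-UserPoolId: {
-Description: 'You use this value on Amplify Auth `userPoolId`.',
-Value: {
-Ref: CognitoUserPoolLogicalId,
-},
-Export: {
-Name: {
-'Fn::Join': [':', [{ Ref: 'AWS::StackName' }, 'UserPoolId']],
-},
-},
-},
-AppClientId: {
-Description:
-'You use this value on Amplify Auth `userPoolWebClientId`.',
-Value: {
-Ref: CognitoUserPoolClientLogicalId,
-},
-Export: {
-Name: {
-'Fn::Join': [':', [{ Ref: 'AWS::StackName' }, 'AppClientId']],
-},
-},
-},
-},
-};
-
-if (schema) {
-const Schema = schema.map((attribute) => {
-let NumberAttributeConstraints = undefined;
-
-if (attribute.numberAttributeConstraints) {
-NumberAttributeConstraints = {
-MaxValue: attribute.numberAttributeConstraints?.maxValue,
-MinValue: attribute.numberAttributeConstraints?.minValue,
-};
-}
-
-let StringAttributeConstraints = undefined;
-
-if (attribute.stringAttributeConstraints) {
-StringAttributeConstraints = {
-MaxLength: attribute.stringAttributeConstraints?.maxLength,
-MinLength: attribute.stringAttributeConstraints?.minLength,
-};
-}
-
-return {
-AttributeDataType: attribute.attributeDataType,
-DeveloperOnlyAttribute: attribute.developerOnlyAttribute,
-Mutable: attribute.mutable,
-Name: attribute.name,
-NumberAttributeConstraints,
-Required: attribute.required,
-StringAttributeConstraints,
-};
-});
-
-template.Resources[CognitoUserPoolLogicalId].Properties.Schema = Schema;
-}
-
-if (identityPool?.enabled) {
-template.Resources[CognitoIdentityPoolLogicalId] = {
-/**
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
-*/
-Type: 'AWS::Cognito::IdentityPool',
-Properties: {
-AllowUnauthenticatedIdentities:
-identityPool.allowUnauthenticatedIdentities || false,
-CognitoIdentityProviders: [
-{
-ClientId: {
-Ref: CognitoUserPoolClientLogicalId,
-},
-ProviderName: {
-'Fn::GetAtt': [CognitoUserPoolLogicalId, 'ProviderName'],
-},
-},
-],
-},
-};
-
-if (identityPool.name) {
-template.Resources[
-CognitoIdentityPoolLogicalId
-].Properties.IdentityPoolName = identityPool.name;
-}
-
-template.Resources.CognitoIdentityPoolRoleAttachment = {
-/**
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
-*/
-Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
-Properties: {
-IdentityPoolId: {
-Ref: CognitoIdentityPoolLogicalId,
-},
-Roles: {},
-},
-};
-
-if (!identityPool.authenticatedRoleArn) {
-template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
-Type: 'AWS::IAM::Role',
-Properties: {
-AssumeRolePolicyDocument: {
-Version: '2012-10-17' as const,
-Statement: [
-{
-Effect: 'Allow' as const,
-Principal: {
-Federated: 'cognito-identity.amazonaws.com',
-},
-Action: ['sts:AssumeRoleWithWebIdentity', 'sts:TagSession'],
-Condition: {
-StringEquals: {
-'cognito-identity.amazonaws.com:aud': {
-Ref: CognitoIdentityPoolLogicalId,
-},
-},
-'ForAnyValue:StringLike': {
-'cognito-identity.amazonaws.com:amr': 'authenticated',
-},
-},
-},
-],
-},
-Policies: identityPool.authenticatedPolicies || [
-{
-PolicyName: 'IdentityPoolAuthenticatedIAMRolePolicyName',
-PolicyDocument: {
-Version: '2012-10-17' as const,
-Statement: [DenyStatement],
-},
-},
-],
-},
-};
-
-template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated =
-{
-'Fn::GetAtt': [IdentityPoolAuthenticatedIAMRoleLogicalId, 'Arn'],
-};
-} else {
-template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated =
-identityPool.authenticatedRoleArn;
-}
-
-if (!identityPool.unauthenticatedRoleArn) {
-template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
-Type: 'AWS::IAM::Role',
-Properties: {
-AssumeRolePolicyDocument: {
-Version: '2012-10-17' as const,
-Statement: [
-{
-Effect: 'Allow' as const,
-Principal: {
-Federated: 'cognito-identity.amazonaws.com',
-},
-Action: 'sts:AssumeRoleWithWebIdentity',
-Condition: {
-StringEquals: {
-'cognito-identity.amazonaws.com:aud': {
-Ref: CognitoIdentityPoolLogicalId,
-},
-},
-'ForAnyValue:StringLike': {
-'cognito-identity.amazonaws.com:amr': 'unauthenticated',
-},
-},
-},
-],
-},
-Policies: identityPool.authenticatedPolicies || [
-{
-PolicyName: 'IdentityPoolUnauthenticatedIAMRolePolicyName',
-PolicyDocument: {
-Version: '2012-10-17' as const,
-Statement: [DenyStatement],
-},
-},
-],
-},
-};
-
-template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated =
-{
-'Fn::GetAtt': [IdentityPoolUnauthenticatedIAMRoleLogicalId, 'Arn'],
-};
-} else {
-template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated =
-identityPool.unauthenticatedRoleArn;
-}
-
-/**
-* https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolprincipaltag.html
-*/
-if (
-identityPool.principalTags ||
-identityPool.principalTags === undefined
-) {
-const PrincipalTags = (() => {
-if (typeof identityPool.principalTags === 'boolean') {
-return defaultPrincipalTags;
-}
-
-if (identityPool.principalTags === undefined) {
-return defaultPrincipalTags;
-}
-
-return identityPool.principalTags;
-})();
-
-template.Resources.CognitoIdentityPoolPrincipalTag = {
-Type: 'AWS::Cognito::IdentityPoolPrincipalTag',
-Properties: {
-IdentityPoolId: {
-Ref: CognitoIdentityPoolLogicalId,
-},
-IdentityProviderName: {
-'Fn::GetAtt': [CognitoUserPoolLogicalId, 'ProviderName'],
-},
-PrincipalTags,
-UseDefaults: false,
-},
-};
-}
-
-if (!template.Outputs) {
-template.Outputs = {};
-}
-
-template.Outputs.IdentityPoolId = {
-Description: 'You use this value on Amplify Auth `identityPoolId`.',
-Value: {
-Ref: CognitoIdentityPoolLogicalId,
-},
-Export: {
-Name: {
-'Fn::Join': [
-':',
-[{ Ref: 'AWS::StackName' }, 'CognitoIdentityPoolId'],
-],
-},
-},
-};
-}
-
-return template;
-};
-
-createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
-
-createAuthTemplate.CognitoUserPoolClientLogicalId =
-CognitoUserPoolClientLogicalId;
-
-createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
-
-createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId =
-IdentityPoolAuthenticatedIAMRoleLogicalId;
-
-createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId =
-IdentityPoolUnauthenticatedIAMRoleLogicalId;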