npm - @ttoss/cloud-auth - Versions diffs - 0.12.31 → 0.13.1 - Mend

@ttoss/cloud-auth 0.12.31 → 0.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # @ttoss/cloud-auth
-It's a library for creating AWS Cognito resources. It creates an user pool, identity pool, a client application, and others resources.
+AWS Cognito authentication infrastructure as code. Creates user pools, identity pools, and Lambda triggers with CloudFormation.
 ## Installation
@@ -8,49 +8,184 @@ It's a library for creating AWS Cognito resources. It creates an user pool, iden
 pnpm add @ttoss/cloud-auth
 ```
-## Quickstart
+## Quick Start
-Create a `cloudformation.ts` file in your project and export the template:
-```typescript src/cloudformation.ts
+```typescript
+// src/cloudformation.ts
 import { createAuthTemplate } from '@ttoss/cloud-auth';
-const template = createAuthTemplate();
+export default createAuthTemplate();
+```
+## Core Features
-export default template;
+### User Pool Configuration
+The template creates a secure user pool with email-based authentication by default:
+```typescript
+const template = createAuthTemplate({
+  autoVerifiedAttributes: ['email'], // Default
+  usernameAttributes: ['email'], // Default
+  deletionProtection: 'ACTIVE', // Optional: ACTIVE | INACTIVE
+  schema: [
+    {
+      attributeDataType: 'String',
+      name: 'department',
+      required: false,
+      mutable: true,
+      stringAttributeConstraints: {
+        maxLength: '100',
+        minLength: '1',
+      },
+    },
+  ],
+});
 ```
-## Usage
+### Lambda Triggers
-### Identity Pool
+Customize authentication workflows with [AWS Cognito Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html). Lambda triggers accept either string ARNs or `Fn::GetAtt` CloudFormation references.
-#### Create an basic identity pool
+#### Basic Lambda Trigger Setup
 ```typescript
 const template = createAuthTemplate({
-  identityPool: {
-    enabled: true, // false by default
-    name: 'MyIdentityPool',
-    allowUnauthenticatedIdentities: false, // false by default
+  lambdaTriggers: {
+    preSignUp: 'arn:aws:lambda:us-east-1:123456789:function:PreSignUp',
+    postConfirmation: { 'Fn::GetAtt': ['PostConfirmationFunction', 'Arn'] },
+    preTokenGeneration: { 'Fn::GetAtt': ['TokenCustomizerFunction', 'Arn'] },
   },
 });
 ```
-#### Create an identity pool with external roles
+#### Complete Lambda Integration Example
+Based on the [Terezinha Farm implementation](https://github.com/ttoss/ttoss/tree/main/terezinha-farm/auth), here's how to integrate Lambda functions with your auth template:
+```typescript
+// src/cloudformation.ts
+import { createAuthTemplate } from '@ttoss/cloud-auth';
+export default () => {
+  const template = createAuthTemplate({
+    lambdaTriggers: {
+      postConfirmation: {
+        'Fn::GetAtt': ['PostConfirmationLambdaFunction', 'Arn'],
+      },
+    },
+  });
+  // Add Lambda S3 parameters for Carlin deployment
+  template.Parameters = {
+    ...template.Parameters,
+    LambdaS3Bucket: { Type: 'String' },
+    LambdaS3Key: { Type: 'String' },
+    LambdaS3ObjectVersion: { Type: 'String' },
+  };
+  // Define Lambda function resource
+  template.Resources = {
+    ...template.Resources,
+    PostConfirmationLambdaFunction: {
+      Type: 'AWS::Lambda::Function',
+      Properties: {
+        Handler: 'triggers.postConfirmation',
+        Code: {
+          S3Bucket: { Ref: 'LambdaS3Bucket' },
+          S3Key: { Ref: 'LambdaS3Key' },
+          S3ObjectVersion: { Ref: 'LambdaS3ObjectVersion' },
+        },
+        Role: 'arn:aws:iam::account:role/lambda-execution-role',
+        Runtime: 'nodejs22.x',
+      },
+    },
+  };
+  return template;
+};
+```
+#### Lambda Function Implementation
+Create your trigger functions following AWS Lambda handler patterns:
+```typescript
+// src/triggers.ts
+import type { PostConfirmationTriggerHandler } from 'aws-lambda';
+export const postConfirmation: PostConfirmationTriggerHandler = async (
+  event
+) => {
+  const email = event.request.userAttributes.email;
+  // Custom logic: send welcome email, create user profile, etc.
+  console.log(`New user confirmed: ${email}`);
+  // Always return the event object
+  return event;
+};
+```
+#### Available Lambda Triggers
+Check [Customizing user pool workflows with Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html) for more information.
+**Authentication Flow:**
+- `preSignUp` - Validate signup data, auto-confirm users
+- `postConfirmation` - Execute post-signup actions
+- `preAuthentication` - Custom authentication validation
+- `postAuthentication` - Track logins, update last seen
+**Token Customization:**
+- `preTokenGeneration` - Add custom claims, modify token content
+**User Migration:**
+- `userMigration` - Migrate users from external systems
+**Custom Challenges:**
+- `defineAuthChallenge` - Define custom authentication flows
+- `createAuthChallenge` - Generate custom challenges
+- `verifyAuthChallengeResponse` - Validate challenge responses
+**Messaging:**
+- `customMessage` - Customize email/SMS content
+- `customEmailSender` - Third-party email providers
+- `customSMSSender` - Third-party SMS providers
+#### Deployment with Carlin
+When using [Carlin deploy](https://ttoss.dev/docs/carlin/commands/deploy), Lambda functions are automatically built and uploaded to S3. Your `Handler` property should match your file structure:
+```
+src/
+  └── triggers.ts          # Handler: 'triggers.postConfirmation's
+```
+The S3 parameters (`LambdaS3Bucket`, `LambdaS3Key`, `LambdaS3ObjectVersion`) are automatically injected by Carlin and referenced in your Lambda function's `Code` property.
+### Identity Pool
+Enable federated identities for AWS resource access:
 ```typescript
 const template = createAuthTemplate({
   identityPool: {
     enabled: true,
-    authenticatedRoleArn:
-      'arn:aws:iam::123456789012:role/MyIdentityPool_AuthenticatedRole',
-    unauthenticatedRoleArn:
-      'arn:aws:iam::123456789012:role/MyIdentityPool_UnauthenticatedRole',
+    name: 'MyApp_IdentityPool',
+    allowUnauthenticatedIdentities: false,
   },
 });
 ```
-#### Create an identity pool with defined policies
+#### Custom IAM Policies
+Define specific permissions for authenticated and unauthenticated users:
 ```typescript
 const template = createAuthTemplate({
@@ -58,29 +193,14 @@ const template = createAuthTemplate({
     enabled: true,
     authenticatedPolicies: [
       {
-        policyName: 'MyIdentityPool_AuthenticatedPolicy',
-        policyDocument: {
+        PolicyName: 'S3Access',
+        PolicyDocument: {
           Version: '2012-10-17',
           Statement: [
             {
               Effect: 'Allow',
-              Action: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
-              Resource: ['*'],
-            },
-          ],
-        },
-      },
-    ],
-    unauthenticatedPolicies: [
-      {
-        policyName: 'MyIdentityPool_UnauthenticatedPolicy',
-        policyDocument: {
-          Version: '2012-10-17',
-          Statement: [
-            {
-              Effect: 'Deny',
-              Action: ['*'],
-              Resource: ['*'],
+              Action: ['s3:GetObject', 's3:PutObject'],
+              Resource: 'arn:aws:s3:::my-bucket/${aws:PrincipalTag/userId}/*',
             },
           ],
         },
@@ -90,53 +210,123 @@ const template = createAuthTemplate({
 });
 ```
-#### Using attributes for access control
+#### Principal Tags for Access Control
-When you enable the identity pool, it maps the following [principal tags to handle access control](https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html) by default:
+Enable [attribute-based access control](https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html) using JWT claims as IAM principal tags:
-```yml
-PrincipalTags:
-  appClientId: 'aud'
-  userId: 'sub'
+```typescript
+// Default principal tags
+const template = createAuthTemplate({
+  identityPool: { enabled: true },
+  // Maps: appClientId → 'aud', userId → 'sub'
+});
+// Custom principal tags
+const template = createAuthTemplate({
+  identityPool: {
+    enabled: true,
+    principalTags: {
+      department: 'custom:department',
+      role: 'custom:role',
+      userId: 'sub',
+    },
+  },
+});
 ```
-This way you can use the `appClientId` and `userId` tags in your IAM policies by [controlling access for IAM principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals). For example:
+Use principal tags in IAM policies for fine-grained access control:
 ```json
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "s3:GetObject*",
-      "Resource": "arn:aws:s3:::*-${aws:PrincipalTag/userId}/*"
+  "Effect": "Allow",
+  "Action": "dynamodb:Query",
+  "Resource": "arn:aws:dynamodb:*:*:table/UserData",
+  "Condition": {
+    "StringEquals": {
+      "dynamodb:LeadingKeys": "${aws:PrincipalTag/userId}"
     }
-  ]
+  }
 }
 ```
-You can change the default tags by passing the `principalTags` property and [other tokens](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#token-claims-for-role-based-access-control):
+#### External IAM Roles
+Use existing IAM roles instead of creating new ones:
 ```typescript
 const template = createAuthTemplate({
   identityPool: {
     enabled: true,
-    principalTags: {
-      appId: 'aud',
-      username: 'sub',
-      name: 'name',
-    },
+    authenticatedRoleArn: 'arn:aws:iam::123456789012:role/AuthenticatedRole',
+    unauthenticatedRoleArn:
+      'arn:aws:iam::123456789012:role:UnauthenticatedRole',
   },
 });
 ```
-If you want to disable the principal tags, you can pass the `principalTags` property with `false` value:
+## Template Outputs
+The template provides these CloudFormation outputs for integration:
+- **Region**: AWS region for Amplify Auth configuration
+- **UserPoolId**: Cognito User Pool ID
+- **AppClientId**: User Pool Client ID for applications
+- **IdentityPoolId**: Identity Pool ID (when enabled)
+Access outputs in other CloudFormation templates:
+```yaml
+AuthConfig:
+  UserPoolId: !ImportValue MyAuthStack:UserPoolId
+  AppClientId: !ImportValue MyAuthStack:AppClientId
+```
+## Advanced Configuration
+### Custom User Attributes
+Define application-specific user attributes with validation:
 ```typescript
 const template = createAuthTemplate({
-  identityPool: {
-    enabled: true,
-    principalTags: false,
-  },
+  schema: [
+    {
+      attributeDataType: 'Number',
+      name: 'employee_id',
+      required: true,
+      mutable: false,
+      numberAttributeConstraints: {
+        minValue: '1000',
+        maxValue: '99999',
+      },
+    },
+    {
+      attributeDataType: 'String',
+      name: 'department',
+      required: false,
+      mutable: true,
+      stringAttributeConstraints: {
+        minLength: '2',
+        maxLength: '50',
+      },
+    },
+  ],
 });
 ```
+### Production Considerations
+For production deployments:
+- Use `Fn::GetAtt` references instead of hardcoded ARNs for Lambda functions
+- Enable deletion protection (`deletionProtection: 'ACTIVE'`) for production user pools
+- Configure appropriate IAM roles with minimal required permissions for Lambda functions
+- Implement proper error handling in Lambda triggers to prevent authentication failures
+- Set up monitoring and alerting for authentication metrics
+- Consider regional failover strategies
+## Related Resources
+- [AWS Cognito User Pools Documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html)
+- [Lambda Triggers Reference](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html)
+- [Attribute-Based Access Control](https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html)

package/dist/esm/index.js CHANGED Viewed

@@ -22,7 +22,9 @@ var createAuthTemplate = ({
   autoVerifiedAttributes = ["email"],
   identityPool,
   schema,
-  usernameAttributes = ["email"]
+  usernameAttributes = ["email"],
+  lambdaTriggers,
+  deletionProtection
 } = {}) => {
   const AutoVerifiedAttributes = Array.isArray(autoVerifiedAttributes) && autoVerifiedAttributes.length > 0 ? autoVerifiedAttributes : [];
   const template = {
@@ -51,7 +53,10 @@ var createAuthTemplate = ({
           },
           UserPoolName: {
             Ref: "AWS::StackName"
-          }
+          },
+          ...(deletionProtection && {
+            DeletionProtection: deletionProtection
+          })
         }
       },
       [CognitoUserPoolClientLogicalId]: {
@@ -135,7 +140,10 @@ var createAuthTemplate = ({
         StringAttributeConstraints
       };
     });
-    template.Resources[CognitoUserPoolLogicalId].Properties.Schema = Schema;
+    template.Resources[CognitoUserPoolLogicalId].Properties = {
+      ...template.Resources[CognitoUserPoolLogicalId].Properties,
+      Schema
+    };
   }
   if (identityPool?.enabled) {
     template.Resources[CognitoIdentityPoolLogicalId] = {
@@ -156,7 +164,10 @@ var createAuthTemplate = ({
       }
     };
     if (identityPool.name) {
-      template.Resources[CognitoIdentityPoolLogicalId].Properties.IdentityPoolName = identityPool.name;
+      template.Resources[CognitoIdentityPoolLogicalId].Properties = {
+        ...template.Resources[CognitoIdentityPoolLogicalId].Properties,
+        IdentityPoolName: identityPool.name
+      };
     }
     template.Resources.CognitoIdentityPoolRoleAttachment = {
       /**
@@ -203,11 +214,15 @@ var createAuthTemplate = ({
           }]
         }
       };
-      template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = {
-        "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
-      };
+      Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
+        authenticated: {
+          "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
+        }
+      });
     } else {
-      template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = identityPool.authenticatedRoleArn;
+      Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
+        authenticated: identityPool.authenticatedRoleArn
+      });
     }
     if (!identityPool.unauthenticatedRoleArn) {
       template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
@@ -233,7 +248,7 @@ var createAuthTemplate = ({
               }
             }]
           },
-          Policies: identityPool.authenticatedPolicies || [{
+          Policies: identityPool.unauthenticatedPolicies || [{
             PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
             PolicyDocument: {
               Version: "2012-10-17",
@@ -242,11 +257,15 @@ var createAuthTemplate = ({
           }]
         }
       };
-      template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = {
-        "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
-      };
+      Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
+        unauthenticated: {
+          "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
+        }
+      });
     } else {
-      template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = identityPool.unauthenticatedRoleArn;
+      Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
+        unauthenticated: identityPool.unauthenticatedRoleArn
+      });
     }
     if (identityPool.principalTags || identityPool.principalTags === void 0) {
       const PrincipalTags = (() => {
@@ -272,23 +291,82 @@ var createAuthTemplate = ({
         }
       };
     }
-    if (!template.Outputs) {
-      template.Outputs = {};
-    }
-    template.Outputs.IdentityPoolId = {
-      Description: "You use this value on Amplify Auth `identityPoolId`.",
-      Value: {
-        Ref: CognitoIdentityPoolLogicalId
-      },
-      Export: {
-        Name: {
-          "Fn::Join": [":", [{
-            Ref: "AWS::StackName"
-          }, "CognitoIdentityPoolId"]]
+    template.Outputs = {
+      ...template.Outputs,
+      IdentityPoolId: {
+        Description: "You use this value on Amplify Auth `identityPoolId`.",
+        Value: {
+          Ref: CognitoIdentityPoolLogicalId
+        },
+        Export: {
+          Name: {
+            "Fn::Join": [":", [{
+              Ref: "AWS::StackName"
+            }, "CognitoIdentityPoolId"]]
+          }
         }
       }
     };
   }
+  if (lambdaTriggers) {
+    const LambdaConfig = {};
+    if (lambdaTriggers.preSignUp) {
+      LambdaConfig.PreSignUp = lambdaTriggers.preSignUp;
+    }
+    if (lambdaTriggers.postConfirmation) {
+      LambdaConfig.PostConfirmation = lambdaTriggers.postConfirmation;
+    }
+    if (lambdaTriggers.preAuthentication) {
+      LambdaConfig.PreAuthentication = lambdaTriggers.preAuthentication;
+    }
+    if (lambdaTriggers.postAuthentication) {
+      LambdaConfig.PostAuthentication = lambdaTriggers.postAuthentication;
+    }
+    if (lambdaTriggers.defineAuthChallenge) {
+      LambdaConfig.DefineAuthChallenge = lambdaTriggers.defineAuthChallenge;
+    }
+    if (lambdaTriggers.createAuthChallenge) {
+      LambdaConfig.CreateAuthChallenge = lambdaTriggers.createAuthChallenge;
+    }
+    if (lambdaTriggers.verifyAuthChallengeResponse) {
+      LambdaConfig.VerifyAuthChallengeResponse = lambdaTriggers.verifyAuthChallengeResponse;
+    }
+    if (lambdaTriggers.preTokenGeneration) {
+      LambdaConfig.PreTokenGeneration = lambdaTriggers.preTokenGeneration;
+    }
+    if (lambdaTriggers.userMigration) {
+      LambdaConfig.UserMigration = lambdaTriggers.userMigration;
+    }
+    if (lambdaTriggers.customMessage) {
+      LambdaConfig.CustomMessage = lambdaTriggers.customMessage;
+    }
+    if (lambdaTriggers.customEmailSender) {
+      LambdaConfig.CustomEmailSender = lambdaTriggers.customEmailSender;
+    }
+    if (lambdaTriggers.customSMSSender) {
+      LambdaConfig.CustomSMSSender = lambdaTriggers.customSMSSender;
+    }
+    if (Object.keys(LambdaConfig).length > 0) {
+      template.Resources[CognitoUserPoolLogicalId].Properties = {
+        ...template.Resources[CognitoUserPoolLogicalId].Properties,
+        LambdaConfig
+      };
+    }
+    for (const [key, lambdaTrigger] of Object.entries(LambdaConfig)) {
+      const permissionLogicalId = `${key}PermissionFor${CognitoUserPoolLogicalId}`.slice(0, 255);
+      template.Resources[permissionLogicalId] = {
+        Type: "AWS::Lambda::Permission",
+        Properties: {
+          Action: "lambda:InvokeFunction",
+          FunctionName: lambdaTrigger,
+          Principal: "cognito-idp.amazonaws.com",
+          SourceArn: {
+            "Fn::GetAtt": [CognitoUserPoolLogicalId, "Arn"]
+          }
+        }
+      };
+    }
+  }
   return template;
 };
 createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;

package/dist/index.d.mts CHANGED Viewed

@@ -1,40 +1,56 @@
-import { Policy } from '@ttoss/cloudformation';
+import { Policy, CloudFormationGetAtt, CloudFormationTemplate } from '@ttoss/cloudformation';
 declare const PASSWORD_MINIMUM_LENGTH = 8;
+type SchemaAttribute = {
+    attributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
+    developerOnlyAttribute?: boolean;
+    mutable?: boolean;
+    name?: string;
+    numberAttributeConstraints?: {
+        maxValue?: string;
+        minValue?: string;
+    };
+    required?: boolean;
+    stringAttributeConstraints?: {
+        maxLength: string;
+        minLength: string;
+    };
+};
+type IdentityPoolConfig = {
+    enabled?: boolean;
+    name?: string;
+    allowUnauthenticatedIdentities?: boolean;
+    authenticatedRoleArn?: string;
+    authenticatedPolicies?: Policy[];
+    unauthenticatedRoleArn?: string;
+    unauthenticatedPolicies?: Policy[];
+    principalTags?: Record<string, string> | boolean;
+};
+type LambdaTriggers = {
+    preSignUp?: string | CloudFormationGetAtt;
+    postConfirmation?: string | CloudFormationGetAtt;
+    preAuthentication?: string | CloudFormationGetAtt;
+    postAuthentication?: string | CloudFormationGetAtt;
+    defineAuthChallenge?: string | CloudFormationGetAtt;
+    createAuthChallenge?: string | CloudFormationGetAtt;
+    verifyAuthChallengeResponse?: string | CloudFormationGetAtt;
+    preTokenGeneration?: string | CloudFormationGetAtt;
+    userMigration?: string | CloudFormationGetAtt;
+    customMessage?: string | CloudFormationGetAtt;
+    customEmailSender?: string | CloudFormationGetAtt;
+    customSMSSender?: string | CloudFormationGetAtt;
+};
+type CreateAuthTemplateParams = {
+    autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
+    identityPool?: IdentityPoolConfig;
+    schema?: SchemaAttribute[];
+    usernameAttributes?: Array<'email' | 'phone_number'> | null;
+    lambdaTriggers?: LambdaTriggers;
+    deletionProtection?: 'ACTIVE' | 'INACTIVE';
+};
 declare const createAuthTemplate: {
-    ({ autoVerifiedAttributes, identityPool, schema, usernameAttributes, }?: {
-        autoVerifiedAttributes?: Array<"email" | "phone_number"> | null | false;
-        identityPool?: {
-            enabled?: boolean;
-            name?: string;
-            allowUnauthenticatedIdentities?: boolean;
-            authenticatedRoleArn?: string;
-            authenticatedPolicies?: Policy[];
-            unauthenticatedRoleArn?: string;
-            unauthenticatedPolicies?: Policy[];
-            principalTags?: Record<string, string> | boolean;
-        };
-        /**
-         * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
-         */
-        schema?: {
-            attributeDataType?: "Boolean" | "DateTime" | "Number" | "String";
-            developerOnlyAttribute?: boolean;
-            mutable?: boolean;
-            name?: string;
-            numberAttributeConstraints?: {
-                maxValue?: string;
-                minValue?: string;
-            };
-            required?: boolean;
-            stringAttributeConstraints?: {
-                maxLength: string;
-                minLength: string;
-            };
-        }[];
-        usernameAttributes?: Array<"email" | "phone_number"> | null;
-    }): any;
+    ({ autoVerifiedAttributes, identityPool, schema, usernameAttributes, lambdaTriggers, deletionProtection, }?: CreateAuthTemplateParams): CloudFormationTemplate;
     CognitoUserPoolLogicalId: string;
     CognitoUserPoolClientLogicalId: string;
     CognitoIdentityPoolLogicalId: string;

package/dist/index.d.ts CHANGED Viewed

@@ -1,40 +1,56 @@
-import { Policy } from '@ttoss/cloudformation';
+import { Policy, CloudFormationGetAtt, CloudFormationTemplate } from '@ttoss/cloudformation';
 declare const PASSWORD_MINIMUM_LENGTH = 8;
+type SchemaAttribute = {
+    attributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
+    developerOnlyAttribute?: boolean;
+    mutable?: boolean;
+    name?: string;
+    numberAttributeConstraints?: {
+        maxValue?: string;
+        minValue?: string;
+    };
+    required?: boolean;
+    stringAttributeConstraints?: {
+        maxLength: string;
+        minLength: string;
+    };
+};
+type IdentityPoolConfig = {
+    enabled?: boolean;
+    name?: string;
+    allowUnauthenticatedIdentities?: boolean;
+    authenticatedRoleArn?: string;
+    authenticatedPolicies?: Policy[];
+    unauthenticatedRoleArn?: string;
+    unauthenticatedPolicies?: Policy[];
+    principalTags?: Record<string, string> | boolean;
+};
+type LambdaTriggers = {
+    preSignUp?: string | CloudFormationGetAtt;
+    postConfirmation?: string | CloudFormationGetAtt;
+    preAuthentication?: string | CloudFormationGetAtt;
+    postAuthentication?: string | CloudFormationGetAtt;
+    defineAuthChallenge?: string | CloudFormationGetAtt;
+    createAuthChallenge?: string | CloudFormationGetAtt;
+    verifyAuthChallengeResponse?: string | CloudFormationGetAtt;
+    preTokenGeneration?: string | CloudFormationGetAtt;
+    userMigration?: string | CloudFormationGetAtt;
+    customMessage?: string | CloudFormationGetAtt;
+    customEmailSender?: string | CloudFormationGetAtt;
+    customSMSSender?: string | CloudFormationGetAtt;
+};
+type CreateAuthTemplateParams = {
+    autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
+    identityPool?: IdentityPoolConfig;
+    schema?: SchemaAttribute[];
+    usernameAttributes?: Array<'email' | 'phone_number'> | null;
+    lambdaTriggers?: LambdaTriggers;
+    deletionProtection?: 'ACTIVE' | 'INACTIVE';
+};
 declare const createAuthTemplate: {
-    ({ autoVerifiedAttributes, identityPool, schema, usernameAttributes, }?: {
-        autoVerifiedAttributes?: Array<"email" | "phone_number"> | null | false;
-        identityPool?: {
-            enabled?: boolean;
-            name?: string;
-            allowUnauthenticatedIdentities?: boolean;
-            authenticatedRoleArn?: string;
-            authenticatedPolicies?: Policy[];
-            unauthenticatedRoleArn?: string;
-            unauthenticatedPolicies?: Policy[];
-            principalTags?: Record<string, string> | boolean;
-        };
-        /**
-         * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
-         */
-        schema?: {
-            attributeDataType?: "Boolean" | "DateTime" | "Number" | "String";
-            developerOnlyAttribute?: boolean;
-            mutable?: boolean;
-            name?: string;
-            numberAttributeConstraints?: {
-                maxValue?: string;
-                minValue?: string;
-            };
-            required?: boolean;
-            stringAttributeConstraints?: {
-                maxLength: string;
-                minLength: string;
-            };
-        }[];
-        usernameAttributes?: Array<"email" | "phone_number"> | null;
-    }): any;
+    ({ autoVerifiedAttributes, identityPool, schema, usernameAttributes, lambdaTriggers, deletionProtection, }?: CreateAuthTemplateParams): CloudFormationTemplate;
     CognitoUserPoolLogicalId: string;
     CognitoUserPoolClientLogicalId: string;
     CognitoIdentityPoolLogicalId: string;

package/dist/index.js CHANGED Viewed

@@ -54,7 +54,9 @@ var createAuthTemplate = ({
   autoVerifiedAttributes = ["email"],
   identityPool,
   schema,
-  usernameAttributes = ["email"]
+  usernameAttributes = ["email"],
+  lambdaTriggers,
+  deletionProtection
 } = {}) => {
   const AutoVerifiedAttributes = Array.isArray(autoVerifiedAttributes) && autoVerifiedAttributes.length > 0 ? autoVerifiedAttributes : [];
   const template = {
@@ -83,7 +85,10 @@ var createAuthTemplate = ({
           },
           UserPoolName: {
             Ref: "AWS::StackName"
-          }
+          },
+          ...(deletionProtection && {
+            DeletionProtection: deletionProtection
+          })
         }
       },
       [CognitoUserPoolClientLogicalId]: {
@@ -167,7 +172,10 @@ var createAuthTemplate = ({
         StringAttributeConstraints
       };
     });
-    template.Resources[CognitoUserPoolLogicalId].Properties.Schema = Schema;
+    template.Resources[CognitoUserPoolLogicalId].Properties = {
+      ...template.Resources[CognitoUserPoolLogicalId].Properties,
+      Schema
+    };
   }
   if (identityPool?.enabled) {
     template.Resources[CognitoIdentityPoolLogicalId] = {
@@ -188,7 +196,10 @@ var createAuthTemplate = ({
       }
     };
     if (identityPool.name) {
-      template.Resources[CognitoIdentityPoolLogicalId].Properties.IdentityPoolName = identityPool.name;
+      template.Resources[CognitoIdentityPoolLogicalId].Properties = {
+        ...template.Resources[CognitoIdentityPoolLogicalId].Properties,
+        IdentityPoolName: identityPool.name
+      };
     }
     template.Resources.CognitoIdentityPoolRoleAttachment = {
       /**
@@ -235,11 +246,15 @@ var createAuthTemplate = ({
           }]
         }
       };
-      template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = {
-        "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
-      };
+      Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
+        authenticated: {
+          "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
+        }
+      });
     } else {
-      template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.authenticated = identityPool.authenticatedRoleArn;
+      Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
+        authenticated: identityPool.authenticatedRoleArn
+      });
     }
     if (!identityPool.unauthenticatedRoleArn) {
       template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
@@ -265,7 +280,7 @@ var createAuthTemplate = ({
               }
             }]
           },
-          Policies: identityPool.authenticatedPolicies || [{
+          Policies: identityPool.unauthenticatedPolicies || [{
             PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
             PolicyDocument: {
               Version: "2012-10-17",
@@ -274,11 +289,15 @@ var createAuthTemplate = ({
           }]
         }
       };
-      template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = {
-        "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
-      };
+      Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
+        unauthenticated: {
+          "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
+        }
+      });
     } else {
-      template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles.unauthenticated = identityPool.unauthenticatedRoleArn;
+      Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
+        unauthenticated: identityPool.unauthenticatedRoleArn
+      });
     }
     if (identityPool.principalTags || identityPool.principalTags === void 0) {
       const PrincipalTags = (() => {
@@ -304,23 +323,82 @@ var createAuthTemplate = ({
         }
       };
     }
-    if (!template.Outputs) {
-      template.Outputs = {};
-    }
-    template.Outputs.IdentityPoolId = {
-      Description: "You use this value on Amplify Auth `identityPoolId`.",
-      Value: {
-        Ref: CognitoIdentityPoolLogicalId
-      },
-      Export: {
-        Name: {
-          "Fn::Join": [":", [{
-            Ref: "AWS::StackName"
-          }, "CognitoIdentityPoolId"]]
+    template.Outputs = {
+      ...template.Outputs,
+      IdentityPoolId: {
+        Description: "You use this value on Amplify Auth `identityPoolId`.",
+        Value: {
+          Ref: CognitoIdentityPoolLogicalId
+        },
+        Export: {
+          Name: {
+            "Fn::Join": [":", [{
+              Ref: "AWS::StackName"
+            }, "CognitoIdentityPoolId"]]
+          }
         }
       }
     };
   }
+  if (lambdaTriggers) {
+    const LambdaConfig = {};
+    if (lambdaTriggers.preSignUp) {
+      LambdaConfig.PreSignUp = lambdaTriggers.preSignUp;
+    }
+    if (lambdaTriggers.postConfirmation) {
+      LambdaConfig.PostConfirmation = lambdaTriggers.postConfirmation;
+    }
+    if (lambdaTriggers.preAuthentication) {
+      LambdaConfig.PreAuthentication = lambdaTriggers.preAuthentication;
+    }
+    if (lambdaTriggers.postAuthentication) {
+      LambdaConfig.PostAuthentication = lambdaTriggers.postAuthentication;
+    }
+    if (lambdaTriggers.defineAuthChallenge) {
+      LambdaConfig.DefineAuthChallenge = lambdaTriggers.defineAuthChallenge;
+    }
+    if (lambdaTriggers.createAuthChallenge) {
+      LambdaConfig.CreateAuthChallenge = lambdaTriggers.createAuthChallenge;
+    }
+    if (lambdaTriggers.verifyAuthChallengeResponse) {
+      LambdaConfig.VerifyAuthChallengeResponse = lambdaTriggers.verifyAuthChallengeResponse;
+    }
+    if (lambdaTriggers.preTokenGeneration) {
+      LambdaConfig.PreTokenGeneration = lambdaTriggers.preTokenGeneration;
+    }
+    if (lambdaTriggers.userMigration) {
+      LambdaConfig.UserMigration = lambdaTriggers.userMigration;
+    }
+    if (lambdaTriggers.customMessage) {
+      LambdaConfig.CustomMessage = lambdaTriggers.customMessage;
+    }
+    if (lambdaTriggers.customEmailSender) {
+      LambdaConfig.CustomEmailSender = lambdaTriggers.customEmailSender;
+    }
+    if (lambdaTriggers.customSMSSender) {
+      LambdaConfig.CustomSMSSender = lambdaTriggers.customSMSSender;
+    }
+    if (Object.keys(LambdaConfig).length > 0) {
+      template.Resources[CognitoUserPoolLogicalId].Properties = {
+        ...template.Resources[CognitoUserPoolLogicalId].Properties,
+        LambdaConfig
+      };
+    }
+    for (const [key, lambdaTrigger] of Object.entries(LambdaConfig)) {
+      const permissionLogicalId = `${key}PermissionFor${CognitoUserPoolLogicalId}`.slice(0, 255);
+      template.Resources[permissionLogicalId] = {
+        Type: "AWS::Lambda::Permission",
+        Properties: {
+          Action: "lambda:InvokeFunction",
+          FunctionName: lambdaTrigger,
+          Principal: "cognito-idp.amazonaws.com",
+          SourceArn: {
+            "Fn::GetAtt": [CognitoUserPoolLogicalId, "Arn"]
+          }
+        }
+      };
+    }
+  }
   return template;
 };
 createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ttoss/cloud-auth",
-  "version": "0.12.31",
+  "version": "0.13.1",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -19,7 +19,7 @@
   ],
   "sideEffects": false,
   "dependencies": {
-    "@ttoss/cloudformation": "^0.10.20"
+    "@ttoss/cloudformation": "^0.11.0"
   },
   "devDependencies": {
     "@types/jest": "^30.0.0",