@ttoss/cloud-auth 0.13.11 → 0.13.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/esm/index.js +382 -0
  2. package/dist/index.d.mts +62 -0
  3. package/dist/index.d.ts +62 -0
  4. package/dist/index.js +417 -0
  5. package/package.json +3 -3
package/dist/esm/index.js ADDED
@@ -0,0 +1,382 @@
1
+ /** Powered by @ttoss/config. https://ttoss.dev/docs/modules/packages/config/ */
2
+ var __defProp = Object.defineProperty;
3
+ var __name = (target, value) => __defProp(target, "name", {
4
+ value,
5
+ configurable: true
6
+ });
7
+
8
+ // src/config.ts
9
+ var PASSWORD_MINIMUM_LENGTH = 8;
10
+
11
+ // src/template.ts
12
+ var CognitoUserPoolLogicalId = "CognitoUserPool";
13
+ var CognitoUserPoolClientLogicalId = "CognitoUserPoolClient";
14
+ var CognitoIdentityPoolLogicalId = "CognitoIdentityPool";
15
+ var IdentityPoolAuthenticatedIAMRoleLogicalId = "IdentityPoolAuthenticatedIAMRole";
16
+ var IdentityPoolUnauthenticatedIAMRoleLogicalId = "IdentityPoolUnauthenticatedIAMRole";
17
+ var DenyStatement = {
18
+ Effect: "Deny",
19
+ Action: ["*"],
20
+ Resource: ["*"]
21
+ };
22
+ var defaultPrincipalTags = {
23
+ appClientId: "aud",
24
+ userId: "sub"
25
+ };
26
+ var createAuthTemplate = /* @__PURE__ */__name(({
27
+ autoVerifiedAttributes = ["email"],
28
+ identityPool,
29
+ schema,
30
+ usernameAttributes = ["email"],
31
+ lambdaTriggers,
32
+ deletionProtection
33
+ } = {}) => {
34
+ const AutoVerifiedAttributes = Array.isArray(autoVerifiedAttributes) && autoVerifiedAttributes.length > 0 ? autoVerifiedAttributes : [];
35
+ const template = {
36
+ AWSTemplateFormatVersion: "2010-09-09",
37
+ Resources: {
38
+ [CognitoUserPoolLogicalId]: {
39
+ /**
40
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
41
+ */
42
+ Type: "AWS::Cognito::UserPool",
43
+ Properties: {
44
+ AutoVerifiedAttributes,
45
+ Policies: {
46
+ PasswordPolicy: {
47
+ MinimumLength: PASSWORD_MINIMUM_LENGTH,
48
+ RequireLowercase: false,
49
+ RequireNumbers: false,
50
+ RequireSymbols: false,
51
+ RequireUppercase: false,
52
+ TemporaryPasswordValidityDays: 30
53
+ }
54
+ },
55
+ UsernameAttributes: usernameAttributes,
56
+ UsernameConfiguration: {
57
+ CaseSensitive: false
58
+ },
59
+ UserPoolName: {
60
+ Ref: "AWS::StackName"
61
+ },
62
+ ...(deletionProtection && {
63
+ DeletionProtection: deletionProtection
64
+ })
65
+ }
66
+ },
67
+ [CognitoUserPoolClientLogicalId]: {
68
+ /**
69
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
70
+ */
71
+ Type: "AWS::Cognito::UserPoolClient",
72
+ Properties: {
73
+ SupportedIdentityProviders: ["COGNITO"],
74
+ UserPoolId: {
75
+ Ref: "CognitoUserPool"
76
+ }
77
+ }
78
+ }
79
+ },
80
+ Outputs: {
81
+ Region: {
82
+ Description: "You use this value on Amplify Auth `region`.",
83
+ Value: {
84
+ Ref: "AWS::Region"
85
+ },
86
+ Export: {
87
+ Name: {
88
+ "Fn::Join": [":", [{
89
+ Ref: "AWS::StackName"
90
+ }, "Region"]]
91
+ }
92
+ }
93
+ },
94
+ UserPoolId: {
95
+ Description: "You use this value on Amplify Auth `userPoolId`.",
96
+ Value: {
97
+ Ref: CognitoUserPoolLogicalId
98
+ },
99
+ Export: {
100
+ Name: {
101
+ "Fn::Join": [":", [{
102
+ Ref: "AWS::StackName"
103
+ }, "UserPoolId"]]
104
+ }
105
+ }
106
+ },
107
+ AppClientId: {
108
+ Description: "You use this value on Amplify Auth `userPoolWebClientId`.",
109
+ Value: {
110
+ Ref: CognitoUserPoolClientLogicalId
111
+ },
112
+ Export: {
113
+ Name: {
114
+ "Fn::Join": [":", [{
115
+ Ref: "AWS::StackName"
116
+ }, "AppClientId"]]
117
+ }
118
+ }
119
+ }
120
+ }
121
+ };
122
+ if (schema) {
123
+ const Schema = schema.map(attribute => {
124
+ let NumberAttributeConstraints = void 0;
125
+ if (attribute.numberAttributeConstraints) {
126
+ NumberAttributeConstraints = {
127
+ MaxValue: attribute.numberAttributeConstraints?.maxValue,
128
+ MinValue: attribute.numberAttributeConstraints?.minValue
129
+ };
130
+ }
131
+ let StringAttributeConstraints = void 0;
132
+ if (attribute.stringAttributeConstraints) {
133
+ StringAttributeConstraints = {
134
+ MaxLength: attribute.stringAttributeConstraints?.maxLength,
135
+ MinLength: attribute.stringAttributeConstraints?.minLength
136
+ };
137
+ }
138
+ return {
139
+ AttributeDataType: attribute.attributeDataType,
140
+ DeveloperOnlyAttribute: attribute.developerOnlyAttribute,
141
+ Mutable: attribute.mutable,
142
+ Name: attribute.name,
143
+ NumberAttributeConstraints,
144
+ Required: attribute.required,
145
+ StringAttributeConstraints
146
+ };
147
+ });
148
+ template.Resources[CognitoUserPoolLogicalId].Properties = {
149
+ ...template.Resources[CognitoUserPoolLogicalId].Properties,
150
+ Schema
151
+ };
152
+ }
153
+ if (identityPool?.enabled) {
154
+ template.Resources[CognitoIdentityPoolLogicalId] = {
155
+ /**
156
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
157
+ */
158
+ Type: "AWS::Cognito::IdentityPool",
159
+ Properties: {
160
+ AllowUnauthenticatedIdentities: identityPool.allowUnauthenticatedIdentities || false,
161
+ CognitoIdentityProviders: [{
162
+ ClientId: {
163
+ Ref: CognitoUserPoolClientLogicalId
164
+ },
165
+ ProviderName: {
166
+ "Fn::GetAtt": [CognitoUserPoolLogicalId, "ProviderName"]
167
+ }
168
+ }]
169
+ }
170
+ };
171
+ if (identityPool.name) {
172
+ template.Resources[CognitoIdentityPoolLogicalId].Properties = {
173
+ ...template.Resources[CognitoIdentityPoolLogicalId].Properties,
174
+ IdentityPoolName: identityPool.name
175
+ };
176
+ }
177
+ template.Resources.CognitoIdentityPoolRoleAttachment = {
178
+ /**
179
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
180
+ */
181
+ Type: "AWS::Cognito::IdentityPoolRoleAttachment",
182
+ Properties: {
183
+ IdentityPoolId: {
184
+ Ref: CognitoIdentityPoolLogicalId
185
+ },
186
+ Roles: {}
187
+ }
188
+ };
189
+ if (!identityPool.authenticatedRoleArn) {
190
+ template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
191
+ Type: "AWS::IAM::Role",
192
+ Properties: {
193
+ AssumeRolePolicyDocument: {
194
+ Version: "2012-10-17",
195
+ Statement: [{
196
+ Effect: "Allow",
197
+ Principal: {
198
+ Federated: "cognito-identity.amazonaws.com"
199
+ },
200
+ Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
201
+ Condition: {
202
+ StringEquals: {
203
+ "cognito-identity.amazonaws.com:aud": {
204
+ Ref: CognitoIdentityPoolLogicalId
205
+ }
206
+ },
207
+ "ForAnyValue:StringLike": {
208
+ "cognito-identity.amazonaws.com:amr": "authenticated"
209
+ }
210
+ }
211
+ }]
212
+ },
213
+ Policies: identityPool.authenticatedPolicies || [{
214
+ PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
215
+ PolicyDocument: {
216
+ Version: "2012-10-17",
217
+ Statement: [DenyStatement]
218
+ }
219
+ }]
220
+ }
221
+ };
222
+ Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
223
+ authenticated: {
224
+ "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
225
+ }
226
+ });
227
+ } else {
228
+ Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
229
+ authenticated: identityPool.authenticatedRoleArn
230
+ });
231
+ }
232
+ if (!identityPool.unauthenticatedRoleArn) {
233
+ template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
234
+ Type: "AWS::IAM::Role",
235
+ Properties: {
236
+ AssumeRolePolicyDocument: {
237
+ Version: "2012-10-17",
238
+ Statement: [{
239
+ Effect: "Allow",
240
+ Principal: {
241
+ Federated: "cognito-identity.amazonaws.com"
242
+ },
243
+ Action: "sts:AssumeRoleWithWebIdentity",
244
+ Condition: {
245
+ StringEquals: {
246
+ "cognito-identity.amazonaws.com:aud": {
247
+ Ref: CognitoIdentityPoolLogicalId
248
+ }
249
+ },
250
+ "ForAnyValue:StringLike": {
251
+ "cognito-identity.amazonaws.com:amr": "unauthenticated"
252
+ }
253
+ }
254
+ }]
255
+ },
256
+ Policies: identityPool.unauthenticatedPolicies || [{
257
+ PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
258
+ PolicyDocument: {
259
+ Version: "2012-10-17",
260
+ Statement: [DenyStatement]
261
+ }
262
+ }]
263
+ }
264
+ };
265
+ Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
266
+ unauthenticated: {
267
+ "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
268
+ }
269
+ });
270
+ } else {
271
+ Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
272
+ unauthenticated: identityPool.unauthenticatedRoleArn
273
+ });
274
+ }
275
+ if (identityPool.principalTags || identityPool.principalTags === void 0) {
276
+ const PrincipalTags = (() => {
277
+ if (typeof identityPool.principalTags === "boolean") {
278
+ return defaultPrincipalTags;
279
+ }
280
+ if (identityPool.principalTags === void 0) {
281
+ return defaultPrincipalTags;
282
+ }
283
+ return identityPool.principalTags;
284
+ })();
285
+ template.Resources.CognitoIdentityPoolPrincipalTag = {
286
+ Type: "AWS::Cognito::IdentityPoolPrincipalTag",
287
+ Properties: {
288
+ IdentityPoolId: {
289
+ Ref: CognitoIdentityPoolLogicalId
290
+ },
291
+ IdentityProviderName: {
292
+ "Fn::GetAtt": [CognitoUserPoolLogicalId, "ProviderName"]
293
+ },
294
+ PrincipalTags,
295
+ UseDefaults: false
296
+ }
297
+ };
298
+ }
299
+ template.Outputs = {
300
+ ...template.Outputs,
301
+ IdentityPoolId: {
302
+ Description: "You use this value on Amplify Auth `identityPoolId`.",
303
+ Value: {
304
+ Ref: CognitoIdentityPoolLogicalId
305
+ },
306
+ Export: {
307
+ Name: {
308
+ "Fn::Join": [":", [{
309
+ Ref: "AWS::StackName"
310
+ }, "CognitoIdentityPoolId"]]
311
+ }
312
+ }
313
+ }
314
+ };
315
+ }
316
+ if (lambdaTriggers) {
317
+ const LambdaConfig = {};
318
+ if (lambdaTriggers.preSignUp) {
319
+ LambdaConfig.PreSignUp = lambdaTriggers.preSignUp;
320
+ }
321
+ if (lambdaTriggers.postConfirmation) {
322
+ LambdaConfig.PostConfirmation = lambdaTriggers.postConfirmation;
323
+ }
324
+ if (lambdaTriggers.preAuthentication) {
325
+ LambdaConfig.PreAuthentication = lambdaTriggers.preAuthentication;
326
+ }
327
+ if (lambdaTriggers.postAuthentication) {
328
+ LambdaConfig.PostAuthentication = lambdaTriggers.postAuthentication;
329
+ }
330
+ if (lambdaTriggers.defineAuthChallenge) {
331
+ LambdaConfig.DefineAuthChallenge = lambdaTriggers.defineAuthChallenge;
332
+ }
333
+ if (lambdaTriggers.createAuthChallenge) {
334
+ LambdaConfig.CreateAuthChallenge = lambdaTriggers.createAuthChallenge;
335
+ }
336
+ if (lambdaTriggers.verifyAuthChallengeResponse) {
337
+ LambdaConfig.VerifyAuthChallengeResponse = lambdaTriggers.verifyAuthChallengeResponse;
338
+ }
339
+ if (lambdaTriggers.preTokenGeneration) {
340
+ LambdaConfig.PreTokenGeneration = lambdaTriggers.preTokenGeneration;
341
+ }
342
+ if (lambdaTriggers.userMigration) {
343
+ LambdaConfig.UserMigration = lambdaTriggers.userMigration;
344
+ }
345
+ if (lambdaTriggers.customMessage) {
346
+ LambdaConfig.CustomMessage = lambdaTriggers.customMessage;
347
+ }
348
+ if (lambdaTriggers.customEmailSender) {
349
+ LambdaConfig.CustomEmailSender = lambdaTriggers.customEmailSender;
350
+ }
351
+ if (lambdaTriggers.customSMSSender) {
352
+ LambdaConfig.CustomSMSSender = lambdaTriggers.customSMSSender;
353
+ }
354
+ if (Object.keys(LambdaConfig).length > 0) {
355
+ template.Resources[CognitoUserPoolLogicalId].Properties = {
356
+ ...template.Resources[CognitoUserPoolLogicalId].Properties,
357
+ LambdaConfig
358
+ };
359
+ }
360
+ for (const [key, lambdaTrigger] of Object.entries(LambdaConfig)) {
361
+ const permissionLogicalId = `${key}PermissionFor${CognitoUserPoolLogicalId}`.slice(0, 255);
362
+ template.Resources[permissionLogicalId] = {
363
+ Type: "AWS::Lambda::Permission",
364
+ Properties: {
365
+ Action: "lambda:InvokeFunction",
366
+ FunctionName: lambdaTrigger,
367
+ Principal: "cognito-idp.amazonaws.com",
368
+ SourceArn: {
369
+ "Fn::GetAtt": [CognitoUserPoolLogicalId, "Arn"]
370
+ }
371
+ }
372
+ };
373
+ }
374
+ }
375
+ return template;
376
+ }, "createAuthTemplate");
377
+ createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
378
+ createAuthTemplate.CognitoUserPoolClientLogicalId = CognitoUserPoolClientLogicalId;
379
+ createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
380
+ createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId = IdentityPoolAuthenticatedIAMRoleLogicalId;
381
+ createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId = IdentityPoolUnauthenticatedIAMRoleLogicalId;
382
+ export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.d.mts ADDED
@@ -0,0 +1,62 @@
1
+ import { Policy, CloudFormationGetAtt, CloudFormationTemplate } from '@ttoss/cloudformation';
2
+ export { CloudFormationTemplate } from '@ttoss/cloudformation';
3
+
4
+ declare const PASSWORD_MINIMUM_LENGTH = 8;
5
+
6
+ type SchemaAttribute = {
7
+ attributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
8
+ developerOnlyAttribute?: boolean;
9
+ mutable?: boolean;
10
+ name?: string;
11
+ numberAttributeConstraints?: {
12
+ maxValue?: string;
13
+ minValue?: string;
14
+ };
15
+ required?: boolean;
16
+ stringAttributeConstraints?: {
17
+ maxLength: string;
18
+ minLength: string;
19
+ };
20
+ };
21
+ type IdentityPoolConfig = {
22
+ enabled?: boolean;
23
+ name?: string;
24
+ allowUnauthenticatedIdentities?: boolean;
25
+ authenticatedRoleArn?: string;
26
+ authenticatedPolicies?: Policy[];
27
+ unauthenticatedRoleArn?: string;
28
+ unauthenticatedPolicies?: Policy[];
29
+ principalTags?: Record<string, string> | boolean;
30
+ };
31
+ type LambdaTriggers = {
32
+ preSignUp?: string | CloudFormationGetAtt;
33
+ postConfirmation?: string | CloudFormationGetAtt;
34
+ preAuthentication?: string | CloudFormationGetAtt;
35
+ postAuthentication?: string | CloudFormationGetAtt;
36
+ defineAuthChallenge?: string | CloudFormationGetAtt;
37
+ createAuthChallenge?: string | CloudFormationGetAtt;
38
+ verifyAuthChallengeResponse?: string | CloudFormationGetAtt;
39
+ preTokenGeneration?: string | CloudFormationGetAtt;
40
+ userMigration?: string | CloudFormationGetAtt;
41
+ customMessage?: string | CloudFormationGetAtt;
42
+ customEmailSender?: string | CloudFormationGetAtt;
43
+ customSMSSender?: string | CloudFormationGetAtt;
44
+ };
45
+ type CreateAuthTemplateParams = {
46
+ autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
47
+ identityPool?: IdentityPoolConfig;
48
+ schema?: SchemaAttribute[];
49
+ usernameAttributes?: Array<'email' | 'phone_number'> | null;
50
+ lambdaTriggers?: LambdaTriggers;
51
+ deletionProtection?: 'ACTIVE' | 'INACTIVE';
52
+ };
53
+ declare const createAuthTemplate: {
54
+ ({ autoVerifiedAttributes, identityPool, schema, usernameAttributes, lambdaTriggers, deletionProtection, }?: CreateAuthTemplateParams): CloudFormationTemplate;
55
+ CognitoUserPoolLogicalId: string;
56
+ CognitoUserPoolClientLogicalId: string;
57
+ CognitoIdentityPoolLogicalId: string;
58
+ IdentityPoolAuthenticatedIAMRoleLogicalId: string;
59
+ IdentityPoolUnauthenticatedIAMRoleLogicalId: string;
60
+ };
61
+
62
+ export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.d.ts ADDED
@@ -0,0 +1,62 @@
1
+ import { Policy, CloudFormationGetAtt, CloudFormationTemplate } from '@ttoss/cloudformation';
2
+ export { CloudFormationTemplate } from '@ttoss/cloudformation';
3
+
4
+ declare const PASSWORD_MINIMUM_LENGTH = 8;
5
+
6
+ type SchemaAttribute = {
7
+ attributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
8
+ developerOnlyAttribute?: boolean;
9
+ mutable?: boolean;
10
+ name?: string;
11
+ numberAttributeConstraints?: {
12
+ maxValue?: string;
13
+ minValue?: string;
14
+ };
15
+ required?: boolean;
16
+ stringAttributeConstraints?: {
17
+ maxLength: string;
18
+ minLength: string;
19
+ };
20
+ };
21
+ type IdentityPoolConfig = {
22
+ enabled?: boolean;
23
+ name?: string;
24
+ allowUnauthenticatedIdentities?: boolean;
25
+ authenticatedRoleArn?: string;
26
+ authenticatedPolicies?: Policy[];
27
+ unauthenticatedRoleArn?: string;
28
+ unauthenticatedPolicies?: Policy[];
29
+ principalTags?: Record<string, string> | boolean;
30
+ };
31
+ type LambdaTriggers = {
32
+ preSignUp?: string | CloudFormationGetAtt;
33
+ postConfirmation?: string | CloudFormationGetAtt;
34
+ preAuthentication?: string | CloudFormationGetAtt;
35
+ postAuthentication?: string | CloudFormationGetAtt;
36
+ defineAuthChallenge?: string | CloudFormationGetAtt;
37
+ createAuthChallenge?: string | CloudFormationGetAtt;
38
+ verifyAuthChallengeResponse?: string | CloudFormationGetAtt;
39
+ preTokenGeneration?: string | CloudFormationGetAtt;
40
+ userMigration?: string | CloudFormationGetAtt;
41
+ customMessage?: string | CloudFormationGetAtt;
42
+ customEmailSender?: string | CloudFormationGetAtt;
43
+ customSMSSender?: string | CloudFormationGetAtt;
44
+ };
45
+ type CreateAuthTemplateParams = {
46
+ autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
47
+ identityPool?: IdentityPoolConfig;
48
+ schema?: SchemaAttribute[];
49
+ usernameAttributes?: Array<'email' | 'phone_number'> | null;
50
+ lambdaTriggers?: LambdaTriggers;
51
+ deletionProtection?: 'ACTIVE' | 'INACTIVE';
52
+ };
53
+ declare const createAuthTemplate: {
54
+ ({ autoVerifiedAttributes, identityPool, schema, usernameAttributes, lambdaTriggers, deletionProtection, }?: CreateAuthTemplateParams): CloudFormationTemplate;
55
+ CognitoUserPoolLogicalId: string;
56
+ CognitoUserPoolClientLogicalId: string;
57
+ CognitoIdentityPoolLogicalId: string;
58
+ IdentityPoolAuthenticatedIAMRoleLogicalId: string;
59
+ IdentityPoolUnauthenticatedIAMRoleLogicalId: string;
60
+ };
61
+
62
+ export { PASSWORD_MINIMUM_LENGTH, createAuthTemplate };
package/dist/index.js ADDED
@@ -0,0 +1,417 @@
1
+ /** Powered by @ttoss/config. https://ttoss.dev/docs/modules/packages/config/ */
2
+ "use strict";
3
+
4
+ var __defProp = Object.defineProperty;
5
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
6
+ var __getOwnPropNames = Object.getOwnPropertyNames;
7
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
8
+ var __name = (target, value) => __defProp(target, "name", {
9
+ value,
10
+ configurable: true
11
+ });
12
+ var __export = (target, all) => {
13
+ for (var name in all) __defProp(target, name, {
14
+ get: all[name],
15
+ enumerable: true
16
+ });
17
+ };
18
+ var __copyProps = (to, from, except, desc) => {
19
+ if (from && typeof from === "object" || typeof from === "function") {
20
+ for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
21
+ get: () => from[key],
22
+ enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
23
+ });
24
+ }
25
+ return to;
26
+ };
27
+ var __toCommonJS = mod => __copyProps(__defProp({}, "__esModule", {
28
+ value: true
29
+ }), mod);
30
+
31
+ // src/index.ts
32
+ var index_exports = {};
33
+ __export(index_exports, {
34
+ PASSWORD_MINIMUM_LENGTH: () => PASSWORD_MINIMUM_LENGTH,
35
+ createAuthTemplate: () => createAuthTemplate
36
+ });
37
+ module.exports = __toCommonJS(index_exports);
38
+
39
+ // src/config.ts
40
+ var PASSWORD_MINIMUM_LENGTH = 8;
41
+
42
+ // src/template.ts
43
+ var CognitoUserPoolLogicalId = "CognitoUserPool";
44
+ var CognitoUserPoolClientLogicalId = "CognitoUserPoolClient";
45
+ var CognitoIdentityPoolLogicalId = "CognitoIdentityPool";
46
+ var IdentityPoolAuthenticatedIAMRoleLogicalId = "IdentityPoolAuthenticatedIAMRole";
47
+ var IdentityPoolUnauthenticatedIAMRoleLogicalId = "IdentityPoolUnauthenticatedIAMRole";
48
+ var DenyStatement = {
49
+ Effect: "Deny",
50
+ Action: ["*"],
51
+ Resource: ["*"]
52
+ };
53
+ var defaultPrincipalTags = {
54
+ appClientId: "aud",
55
+ userId: "sub"
56
+ };
57
+ var createAuthTemplate = /* @__PURE__ */__name(({
58
+ autoVerifiedAttributes = ["email"],
59
+ identityPool,
60
+ schema,
61
+ usernameAttributes = ["email"],
62
+ lambdaTriggers,
63
+ deletionProtection
64
+ } = {}) => {
65
+ const AutoVerifiedAttributes = Array.isArray(autoVerifiedAttributes) && autoVerifiedAttributes.length > 0 ? autoVerifiedAttributes : [];
66
+ const template = {
67
+ AWSTemplateFormatVersion: "2010-09-09",
68
+ Resources: {
69
+ [CognitoUserPoolLogicalId]: {
70
+ /**
71
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
72
+ */
73
+ Type: "AWS::Cognito::UserPool",
74
+ Properties: {
75
+ AutoVerifiedAttributes,
76
+ Policies: {
77
+ PasswordPolicy: {
78
+ MinimumLength: PASSWORD_MINIMUM_LENGTH,
79
+ RequireLowercase: false,
80
+ RequireNumbers: false,
81
+ RequireSymbols: false,
82
+ RequireUppercase: false,
83
+ TemporaryPasswordValidityDays: 30
84
+ }
85
+ },
86
+ UsernameAttributes: usernameAttributes,
87
+ UsernameConfiguration: {
88
+ CaseSensitive: false
89
+ },
90
+ UserPoolName: {
91
+ Ref: "AWS::StackName"
92
+ },
93
+ ...(deletionProtection && {
94
+ DeletionProtection: deletionProtection
95
+ })
96
+ }
97
+ },
98
+ [CognitoUserPoolClientLogicalId]: {
99
+ /**
100
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
101
+ */
102
+ Type: "AWS::Cognito::UserPoolClient",
103
+ Properties: {
104
+ SupportedIdentityProviders: ["COGNITO"],
105
+ UserPoolId: {
106
+ Ref: "CognitoUserPool"
107
+ }
108
+ }
109
+ }
110
+ },
111
+ Outputs: {
112
+ Region: {
113
+ Description: "You use this value on Amplify Auth `region`.",
114
+ Value: {
115
+ Ref: "AWS::Region"
116
+ },
117
+ Export: {
118
+ Name: {
119
+ "Fn::Join": [":", [{
120
+ Ref: "AWS::StackName"
121
+ }, "Region"]]
122
+ }
123
+ }
124
+ },
125
+ UserPoolId: {
126
+ Description: "You use this value on Amplify Auth `userPoolId`.",
127
+ Value: {
128
+ Ref: CognitoUserPoolLogicalId
129
+ },
130
+ Export: {
131
+ Name: {
132
+ "Fn::Join": [":", [{
133
+ Ref: "AWS::StackName"
134
+ }, "UserPoolId"]]
135
+ }
136
+ }
137
+ },
138
+ AppClientId: {
139
+ Description: "You use this value on Amplify Auth `userPoolWebClientId`.",
140
+ Value: {
141
+ Ref: CognitoUserPoolClientLogicalId
142
+ },
143
+ Export: {
144
+ Name: {
145
+ "Fn::Join": [":", [{
146
+ Ref: "AWS::StackName"
147
+ }, "AppClientId"]]
148
+ }
149
+ }
150
+ }
151
+ }
152
+ };
153
+ if (schema) {
154
+ const Schema = schema.map(attribute => {
155
+ let NumberAttributeConstraints = void 0;
156
+ if (attribute.numberAttributeConstraints) {
157
+ NumberAttributeConstraints = {
158
+ MaxValue: attribute.numberAttributeConstraints?.maxValue,
159
+ MinValue: attribute.numberAttributeConstraints?.minValue
160
+ };
161
+ }
162
+ let StringAttributeConstraints = void 0;
163
+ if (attribute.stringAttributeConstraints) {
164
+ StringAttributeConstraints = {
165
+ MaxLength: attribute.stringAttributeConstraints?.maxLength,
166
+ MinLength: attribute.stringAttributeConstraints?.minLength
167
+ };
168
+ }
169
+ return {
170
+ AttributeDataType: attribute.attributeDataType,
171
+ DeveloperOnlyAttribute: attribute.developerOnlyAttribute,
172
+ Mutable: attribute.mutable,
173
+ Name: attribute.name,
174
+ NumberAttributeConstraints,
175
+ Required: attribute.required,
176
+ StringAttributeConstraints
177
+ };
178
+ });
179
+ template.Resources[CognitoUserPoolLogicalId].Properties = {
180
+ ...template.Resources[CognitoUserPoolLogicalId].Properties,
181
+ Schema
182
+ };
183
+ }
184
+ if (identityPool?.enabled) {
185
+ template.Resources[CognitoIdentityPoolLogicalId] = {
186
+ /**
187
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
188
+ */
189
+ Type: "AWS::Cognito::IdentityPool",
190
+ Properties: {
191
+ AllowUnauthenticatedIdentities: identityPool.allowUnauthenticatedIdentities || false,
192
+ CognitoIdentityProviders: [{
193
+ ClientId: {
194
+ Ref: CognitoUserPoolClientLogicalId
195
+ },
196
+ ProviderName: {
197
+ "Fn::GetAtt": [CognitoUserPoolLogicalId, "ProviderName"]
198
+ }
199
+ }]
200
+ }
201
+ };
202
+ if (identityPool.name) {
203
+ template.Resources[CognitoIdentityPoolLogicalId].Properties = {
204
+ ...template.Resources[CognitoIdentityPoolLogicalId].Properties,
205
+ IdentityPoolName: identityPool.name
206
+ };
207
+ }
208
+ template.Resources.CognitoIdentityPoolRoleAttachment = {
209
+ /**
210
+ * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
211
+ */
212
+ Type: "AWS::Cognito::IdentityPoolRoleAttachment",
213
+ Properties: {
214
+ IdentityPoolId: {
215
+ Ref: CognitoIdentityPoolLogicalId
216
+ },
217
+ Roles: {}
218
+ }
219
+ };
220
+ if (!identityPool.authenticatedRoleArn) {
221
+ template.Resources[IdentityPoolAuthenticatedIAMRoleLogicalId] = {
222
+ Type: "AWS::IAM::Role",
223
+ Properties: {
224
+ AssumeRolePolicyDocument: {
225
+ Version: "2012-10-17",
226
+ Statement: [{
227
+ Effect: "Allow",
228
+ Principal: {
229
+ Federated: "cognito-identity.amazonaws.com"
230
+ },
231
+ Action: ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
232
+ Condition: {
233
+ StringEquals: {
234
+ "cognito-identity.amazonaws.com:aud": {
235
+ Ref: CognitoIdentityPoolLogicalId
236
+ }
237
+ },
238
+ "ForAnyValue:StringLike": {
239
+ "cognito-identity.amazonaws.com:amr": "authenticated"
240
+ }
241
+ }
242
+ }]
243
+ },
244
+ Policies: identityPool.authenticatedPolicies || [{
245
+ PolicyName: "IdentityPoolAuthenticatedIAMRolePolicyName",
246
+ PolicyDocument: {
247
+ Version: "2012-10-17",
248
+ Statement: [DenyStatement]
249
+ }
250
+ }]
251
+ }
252
+ };
253
+ Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
254
+ authenticated: {
255
+ "Fn::GetAtt": [IdentityPoolAuthenticatedIAMRoleLogicalId, "Arn"]
256
+ }
257
+ });
258
+ } else {
259
+ Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
260
+ authenticated: identityPool.authenticatedRoleArn
261
+ });
262
+ }
263
+ if (!identityPool.unauthenticatedRoleArn) {
264
+ template.Resources[IdentityPoolUnauthenticatedIAMRoleLogicalId] = {
265
+ Type: "AWS::IAM::Role",
266
+ Properties: {
267
+ AssumeRolePolicyDocument: {
268
+ Version: "2012-10-17",
269
+ Statement: [{
270
+ Effect: "Allow",
271
+ Principal: {
272
+ Federated: "cognito-identity.amazonaws.com"
273
+ },
274
+ Action: "sts:AssumeRoleWithWebIdentity",
275
+ Condition: {
276
+ StringEquals: {
277
+ "cognito-identity.amazonaws.com:aud": {
278
+ Ref: CognitoIdentityPoolLogicalId
279
+ }
280
+ },
281
+ "ForAnyValue:StringLike": {
282
+ "cognito-identity.amazonaws.com:amr": "unauthenticated"
283
+ }
284
+ }
285
+ }]
286
+ },
287
+ Policies: identityPool.unauthenticatedPolicies || [{
288
+ PolicyName: "IdentityPoolUnauthenticatedIAMRolePolicyName",
289
+ PolicyDocument: {
290
+ Version: "2012-10-17",
291
+ Statement: [DenyStatement]
292
+ }
293
+ }]
294
+ }
295
+ };
296
+ Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
297
+ unauthenticated: {
298
+ "Fn::GetAtt": [IdentityPoolUnauthenticatedIAMRoleLogicalId, "Arn"]
299
+ }
300
+ });
301
+ } else {
302
+ Object.assign(template.Resources.CognitoIdentityPoolRoleAttachment.Properties?.Roles, {
303
+ unauthenticated: identityPool.unauthenticatedRoleArn
304
+ });
305
+ }
306
+ if (identityPool.principalTags || identityPool.principalTags === void 0) {
307
+ const PrincipalTags = (() => {
308
+ if (typeof identityPool.principalTags === "boolean") {
309
+ return defaultPrincipalTags;
310
+ }
311
+ if (identityPool.principalTags === void 0) {
312
+ return defaultPrincipalTags;
313
+ }
314
+ return identityPool.principalTags;
315
+ })();
316
+ template.Resources.CognitoIdentityPoolPrincipalTag = {
317
+ Type: "AWS::Cognito::IdentityPoolPrincipalTag",
318
+ Properties: {
319
+ IdentityPoolId: {
320
+ Ref: CognitoIdentityPoolLogicalId
321
+ },
322
+ IdentityProviderName: {
323
+ "Fn::GetAtt": [CognitoUserPoolLogicalId, "ProviderName"]
324
+ },
325
+ PrincipalTags,
326
+ UseDefaults: false
327
+ }
328
+ };
329
+ }
330
+ template.Outputs = {
331
+ ...template.Outputs,
332
+ IdentityPoolId: {
333
+ Description: "You use this value on Amplify Auth `identityPoolId`.",
334
+ Value: {
335
+ Ref: CognitoIdentityPoolLogicalId
336
+ },
337
+ Export: {
338
+ Name: {
339
+ "Fn::Join": [":", [{
340
+ Ref: "AWS::StackName"
341
+ }, "CognitoIdentityPoolId"]]
342
+ }
343
+ }
344
+ }
345
+ };
346
+ }
347
+ if (lambdaTriggers) {
348
+ const LambdaConfig = {};
349
+ if (lambdaTriggers.preSignUp) {
350
+ LambdaConfig.PreSignUp = lambdaTriggers.preSignUp;
351
+ }
352
+ if (lambdaTriggers.postConfirmation) {
353
+ LambdaConfig.PostConfirmation = lambdaTriggers.postConfirmation;
354
+ }
355
+ if (lambdaTriggers.preAuthentication) {
356
+ LambdaConfig.PreAuthentication = lambdaTriggers.preAuthentication;
357
+ }
358
+ if (lambdaTriggers.postAuthentication) {
359
+ LambdaConfig.PostAuthentication = lambdaTriggers.postAuthentication;
360
+ }
361
+ if (lambdaTriggers.defineAuthChallenge) {
362
+ LambdaConfig.DefineAuthChallenge = lambdaTriggers.defineAuthChallenge;
363
+ }
364
+ if (lambdaTriggers.createAuthChallenge) {
365
+ LambdaConfig.CreateAuthChallenge = lambdaTriggers.createAuthChallenge;
366
+ }
367
+ if (lambdaTriggers.verifyAuthChallengeResponse) {
368
+ LambdaConfig.VerifyAuthChallengeResponse = lambdaTriggers.verifyAuthChallengeResponse;
369
+ }
370
+ if (lambdaTriggers.preTokenGeneration) {
371
+ LambdaConfig.PreTokenGeneration = lambdaTriggers.preTokenGeneration;
372
+ }
373
+ if (lambdaTriggers.userMigration) {
374
+ LambdaConfig.UserMigration = lambdaTriggers.userMigration;
375
+ }
376
+ if (lambdaTriggers.customMessage) {
377
+ LambdaConfig.CustomMessage = lambdaTriggers.customMessage;
378
+ }
379
+ if (lambdaTriggers.customEmailSender) {
380
+ LambdaConfig.CustomEmailSender = lambdaTriggers.customEmailSender;
381
+ }
382
+ if (lambdaTriggers.customSMSSender) {
383
+ LambdaConfig.CustomSMSSender = lambdaTriggers.customSMSSender;
384
+ }
385
+ if (Object.keys(LambdaConfig).length > 0) {
386
+ template.Resources[CognitoUserPoolLogicalId].Properties = {
387
+ ...template.Resources[CognitoUserPoolLogicalId].Properties,
388
+ LambdaConfig
389
+ };
390
+ }
391
+ for (const [key, lambdaTrigger] of Object.entries(LambdaConfig)) {
392
+ const permissionLogicalId = `${key}PermissionFor${CognitoUserPoolLogicalId}`.slice(0, 255);
393
+ template.Resources[permissionLogicalId] = {
394
+ Type: "AWS::Lambda::Permission",
395
+ Properties: {
396
+ Action: "lambda:InvokeFunction",
397
+ FunctionName: lambdaTrigger,
398
+ Principal: "cognito-idp.amazonaws.com",
399
+ SourceArn: {
400
+ "Fn::GetAtt": [CognitoUserPoolLogicalId, "Arn"]
401
+ }
402
+ }
403
+ };
404
+ }
405
+ }
406
+ return template;
407
+ }, "createAuthTemplate");
408
+ createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
409
+ createAuthTemplate.CognitoUserPoolClientLogicalId = CognitoUserPoolClientLogicalId;
410
+ createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;
411
+ createAuthTemplate.IdentityPoolAuthenticatedIAMRoleLogicalId = IdentityPoolAuthenticatedIAMRoleLogicalId;
412
+ createAuthTemplate.IdentityPoolUnauthenticatedIAMRoleLogicalId = IdentityPoolUnauthenticatedIAMRoleLogicalId;
413
+ // Annotate the CommonJS export names for ESM import in node:
414
+ 0 && (module.exports = {
415
+ PASSWORD_MINIMUM_LENGTH,
416
+ createAuthTemplate
417
+ });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ttoss/cloud-auth",
3
- "version": "0.13.11",
3
+ "version": "0.13.13",
4
4
  "license": "MIT",
5
5
  "repository": {
6
6
  "type": "git",
@@ -19,14 +19,14 @@
19
19
  ],
20
20
  "sideEffects": false,
21
21
  "dependencies": {
22
- "@ttoss/cloudformation": "^0.11.9"
22
+ "@ttoss/cloudformation": "^0.12.0"
23
23
  },
24
24
  "devDependencies": {
25
25
  "@types/jest": "^30.0.0",
26
26
  "jest": "^30.2.0",
27
27
  "tsup": "^8.5.1",
28
28
  "typescript": "~5.9.3",
29
- "@ttoss/config": "^1.35.12"
29
+ "@ttoss/config": "^1.36.0"
30
30
  },
31
31
  "publishConfig": {
32
32
  "access": "public",