@ttoss/cloud-auth 0.3.1 → 0.4.0

package/src/template.ts

@@ -1,3 +1,4 @@
+import { CloudFormationTemplate } from '@ttoss/cloudformation';
 import { PASSWORD_MINIMUM_LENGTH } from './config';
 
 const CognitoUserPoolLogicalId = 'CognitoUserPool';
@@ -6,13 +7,55 @@ const CognitoUserPoolClientLogicalId = 'CognitoUserPoolClient';
 
 const CognitoIdentityPoolLogicalId = 'CognitoIdentityPool';
 
-export const createAuthTemplate = () => {
-  const template = {
+type Role =
+  | string
+  | {
+      'Fn::ImportValue': string;
+    };
+
+export const createAuthTemplate = ({
+  autoVerifiedAttributes = ['email'],
+  identityPool = true,
+  roles,
+  schema,
+}: {
+  autoVerifiedAttributes?: Array<'email' | 'phone_number'> | null | false;
+  identityPool?: boolean;
+  roles?: {
+    authenticated?: Role;
+    unauthenticated?: Role;
+  };
+  /**
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html
+   */
+  schema?: {
+    AttributeDataType?: 'Boolean' | 'DateTime' | 'Number' | 'String';
+    DeveloperOnlyAttribute?: boolean;
+    Mutable?: boolean;
+    Name?: string;
+    NumberAttributeConstraints?: {
+      MaxValue?: string;
+      MinValue?: string;
+    };
+    Required?: boolean;
+    StringAttributeConstraints?: {
+      MaxLength: string;
+      MinLength: string;
+    };
+  }[];
+} = {}) => {
+  const AutoVerifiedAttributes =
+    Array.isArray(autoVerifiedAttributes) && autoVerifiedAttributes.length > 0
+      ? autoVerifiedAttributes
+      : undefined;
+
+  const template: CloudFormationTemplate = {
+    AWSTemplateFormatVersion: '2010-09-09',
     Resources: {
       [CognitoUserPoolLogicalId]: {
         Type: 'AWS::Cognito::UserPool',
         Properties: {
-          AutoVerifiedAttributes: ['email'],
+          AutoVerifiedAttributes,
           Policies: {
             PasswordPolicy: {
               MinimumLength: PASSWORD_MINIMUM_LENGTH,
@@ -23,6 +66,7 @@ export const createAuthTemplate = () => {
               TemporaryPasswordValidityDays: 30,
             },
           },
+          Schema: schema,
           UsernameAttributes: ['email'],
           UsernameConfiguration: {
             CaseSensitive: false,
@@ -41,36 +85,6 @@ export const createAuthTemplate = () => {
           },
         },
       },
-      /**
-       * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
-       */
-      [CognitoIdentityPoolLogicalId]: {
-        Type: 'AWS::Cognito::IdentityPool',
-        Properties: {
-          AllowUnauthenticatedIdentities: true,
-          CognitoIdentityProviders: [
-            {
-              ClientId: {
-                Ref: CognitoUserPoolClientLogicalId,
-              },
-              ProviderName: {
-                'Fn::GetAtt': [CognitoUserPoolLogicalId, 'ProviderName'],
-              },
-            },
-          ],
-        },
-      },
-      /**
-       * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
-       */
-      // CognitoIdentityPoolRoleAttachment: {
-      //   Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
-      //   Properties: {
-      //     IdentityPoolId: {
-      //       Ref: CognitoIdentityPoolLogicalId,
-      //     },
-      //   },
-      // },
     },
     Outputs: {
       Region: {
@@ -107,22 +121,69 @@ export const createAuthTemplate = () => {
           },
         },
       },
-      IdentityPoolId: {
-        Description: 'You use this value on Amplify Auth `identityPoolId`.',
-        Value: {
-          Ref: CognitoIdentityPoolLogicalId,
-        },
-        Export: {
-          Name: {
-            'Fn::Join': [
-              ':',
-              [{ Ref: 'AWS::StackName' }, 'CognitoIdentityPoolId'],
-            ],
+    },
+  };
+
+  if (identityPool) {
+    /**
+     * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypool.html
+     */
+    template.Resources[CognitoIdentityPoolLogicalId] = {
+      Type: 'AWS::Cognito::IdentityPool',
+      Properties: {
+        AllowUnauthenticatedIdentities: true,
+        CognitoIdentityProviders: [
+          {
+            ClientId: {
+              Ref: CognitoUserPoolClientLogicalId,
+            },
+            ProviderName: {
+              'Fn::GetAtt': [CognitoUserPoolLogicalId, 'ProviderName'],
+            },
+          },
+        ],
+      },
+    };
+
+    if (roles) {
+      /**
+       * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html
+       */
+      template.Resources.CognitoIdentityPoolRoleAttachment = {
+        Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
+        Properties: {
+          IdentityPoolId: {
+            Ref: CognitoIdentityPoolLogicalId,
           },
+          Roles: roles,
         },
+      };
+    }
+
+    if (!template.Outputs) {
+      template.Outputs = {};
+    }
+
+    template.Outputs.IdentityPoolId = {
+      Description: 'You use this value on Amplify Auth `identityPoolId`.',
+      Value: {
+        Ref: CognitoIdentityPoolLogicalId,
       },
-    },
-  };
+      Export: {
+        Name: {
+          'Fn::Join': [
+            ':',
+            [{ Ref: 'AWS::StackName' }, 'CognitoIdentityPoolId'],
+          ],
+        },
+      },
+    };
+  }
 
   return template;
 };
+
+createAuthTemplate.CognitoUserPoolLogicalId = CognitoUserPoolLogicalId;
+createAuthTemplate.CognitoUserPoolClientLogicalId =
+  CognitoUserPoolClientLogicalId;
+createAuthTemplate.CognitoIdentityPoolLogicalId = CognitoIdentityPoolLogicalId;

package/tests/unit/template.test.ts

@@ -0,0 +1,73 @@
+import { createAuthTemplate } from '../../src';
+
+test('do not add schema if not provided', () => {
+  const template = createAuthTemplate();
+  expect(template.Resources.CognitoUserPool.Properties.Schema).toBeUndefined();
+});
+
+test('add schema if provided', () => {
+  const schema = [
+    {
+      AttributeDataType: 'String' as const,
+      DeveloperOnlyAttribute: false,
+      Mutable: true,
+      Name: 'email',
+      Required: true,
+      StringAttributeConstraints: {
+        MaxLength: '2048',
+        MinLength: '0',
+      },
+    },
+  ];
+
+  const template = createAuthTemplate({ schema });
+  expect(template.Resources.CognitoUserPool.Properties.Schema).toEqual(schema);
+});
+
+test('should have autoVerifiedAttributes equal email by default', () => {
+  const template = createAuthTemplate();
+  expect(
+    template.Resources.CognitoUserPool.Properties.AutoVerifiedAttributes
+  ).toEqual(['email']);
+});
+
+test.each([[], null, false])(
+  'should have autoVerifiedAttributes undefined: %p',
+  (autoVerifiedAttributes: any) => {
+    const template = createAuthTemplate({ autoVerifiedAttributes });
+    expect(
+      template.Resources.CognitoUserPool.Properties.AutoVerifiedAttributes
+    ).toBeUndefined();
+  }
+);
+
+test.each([true, undefined])(
+  'should have identity pool by default or true: %p',
+  (identityPool) => {
+    const template = createAuthTemplate({ identityPool });
+    expect(template.Resources.CognitoIdentityPool).toBeDefined();
+    expect(template.Outputs?.IdentityPoolId).toBeDefined();
+  }
+);
+
+test('should not have identity pool if false', () => {
+  const template = createAuthTemplate({ identityPool: false });
+  expect(template.Resources.CognitoIdentityPool).toBeUndefined();
+  expect(template.Outputs?.IdentityPoolId).toBeUndefined();
+});
+
+test('should have identity pool role attachment with roles', () => {
+  const roles = {
+    authenticated: 'arn:aws:iam::123456789012:role/authenticated',
+    unauthenticated: 'arn:aws:iam::123456789012:role/unauthenticated',
+  };
+  const template = createAuthTemplate({ roles });
+  expect(
+    template.Resources.CognitoIdentityPoolRoleAttachment.Properties.Roles
+  ).toEqual(roles);
+});
+
+test('should not have identity pool role attachment without roles', () => {
+  const template = createAuthTemplate();
+  expect(template.Resources.CognitoIdentityPoolRoleAttachment).toBeUndefined();
+});