wirejs-deploy-amplify-basic 0.1.176 → 0.1.177

package/amplify-backend-assets/backend.ts

@@ -4,7 +4,8 @@ import { randomUUID } from 'crypto';
 import {
   defineBackend,
 } from '@aws-amplify/backend';
-import { Duration, RemovalPolicy, NestedStack } from "aws-cdk-lib";
+import { Duration, Fn, RemovalPolicy, NestedStack } from "aws-cdk-lib";
+import { UserPool } from 'aws-cdk-lib/aws-cognito';
 import { 
   FunctionUrlAuthType,
   IFunction,
@@ -16,12 +17,11 @@ import { Table, AttributeType, BillingMode } from 'aws-cdk-lib/aws-dynamodb';
 import { AnyPrincipal, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { Rule, RuleTargetInput, Schedule } from 'aws-cdk-lib/aws-events';
 import { LambdaFunction as LambdaFunctionTarget } from 'aws-cdk-lib/aws-events-targets';
-import { SESClient, VerifyEmailIdentityCommand, GetIdentityVerificationAttributesCommand } from '@aws-sdk/client-ses';
+import { SESClient, VerifyEmailIdentityCommand, GetIdentityVerificationAttributesCommand, VerifyDomainIdentityCommand } from '@aws-sdk/client-ses';
 
 import { TableDefinition, indexName, DeploymentConfig } from 'wirejs-resources';
 import { TableIndexes } from './constructs/table-indexes';
 import { RealtimeService } from './constructs/realtime-service';
-import { auth } from './auth/resource';
 
 // @ts-ignore
 import generatedResources from './generated-resources';
@@ -47,7 +47,7 @@ const SELF_INVOCATION_ID = randomUUID();
 /**
  * Amplify resources
  */
-const backend = defineBackend({ auth });
+const backend = defineBackend({});
 
 copyFileSync(
   path.join(__dirname, 'api', 'handler.ts'),
@@ -62,6 +62,51 @@ if (fs.existsSync(CONFIG_PATH)) {
   console.log('\nNo deployment config found. Using defaults.\n')
 }
 
+/**
+ * Cognito resources for AuthenticationService
+ */
+function isAuthenticationService(resource: any): resource is {
+  type: 'AuthenticationService';
+  options: { absoluteId: string };
+} {
+  return resource.type === 'AuthenticationService';
+}
+
+type CognitoResources = {
+  absoluteId: string;
+  userPool: UserPool;
+  clientId: string;
+};
+
+const cognitoResources: CognitoResources[] = [];
+for (const resource of generated) {
+  if (isAuthenticationService(resource)) {
+    const sanitizedId = resource.options.absoluteId.replace(/[^a-zA-Z0-9-_]/g, '_');
+    const userPool = new UserPool(backend.stack, `UserPool_${sanitizedId}`, {
+      signInAliases: { email: true },
+      passwordPolicy: {
+        minLength: 8,
+        requireLowercase: false,
+        requireNumbers: false,
+        requireSymbols: false,
+        requireUppercase: false,
+      },
+      selfSignUpEnabled: true,
+    });
+    const userPoolClient = userPool.addClient('UserPoolClient', {
+      authFlows: {
+        userPassword: true,
+        adminUserPassword: true,
+      },
+    });
+    cognitoResources.push({
+      absoluteId: resource.options.absoluteId,
+      userPool,
+      clientId: userPoolClient.userPoolClientId,
+    });
+  }
+}
+
 const api = new NodejsFunction(backend.stack, 'ApiHandler', {
   runtime: {
     20: Runtime.NODEJS_20_X,
@@ -81,25 +126,6 @@ const api = new NodejsFunction(backend.stack, 'ApiHandler', {
   timeout: Duration.seconds(cfg.runtimeTimeoutSeconds ?? 15 * 60),
 });
 
-/**
- * Amplify resource augmentations
- */
-backend.auth.resources.cfnResources.cfnUserPool.policies = {
-  passwordPolicy: {
-    minimumLength: 8,
-    requireLowercase: false,
-    requireNumbers: false,
-    requireSymbols: false,
-    requireUppercase: false,
-  }
-}
-const userPoolClient = backend.auth.resources.cfnResources.cfnUserPoolClient;
-userPoolClient.explicitAuthFlows = userPoolClient.explicitAuthFlows || [];
-userPoolClient.explicitAuthFlows.push(
-  'ALLOW_USER_PASSWORD_AUTH',
-  'ALLOW_ADMIN_USER_PASSWORD_AUTH'
-);
-
 api.role?.addToPrincipalPolicy(new PolicyStatement({
   actions: ['lambda:InvokeFunction'],
   resources: [
@@ -282,9 +308,17 @@ for (const resource of generated) {
 api.addEnvironment(
   'BUCKET', bucket.bucketName,
 );
-api.addEnvironment(
-  'COGNITO_CLIENT_ID', backend.auth.resources.userPoolClient.userPoolClientId
-);
+if (cognitoResources.length > 0) {
+  const clientIdMap: Record<string, string> = {};
+  for (const { absoluteId, userPool, clientId } of cognitoResources) {
+    clientIdMap[absoluteId] = clientId;
+    userPool.grant(api,
+      'cognito-idp:AdminInitiateAuth',
+      'cognito-idp:AdminRespondToAuthChallenge',
+    );
+  }
+  api.addEnvironment('COGNITO_CLIENT_IDS', Fn.toJsonString(clientIdMap));
+}
 api.addEnvironment(
   'TABLE_NAME_PREFIX', TABLE_NAME_PREFIX
 );
@@ -315,14 +349,28 @@ api.addToRolePolicy(new PolicyStatement({
  */
 function isEmailSender(resource: any): resource is {
   type: 'EmailSender';
-  options: { absoluteId: string; from: string };
+  options: { 
+    absoluteId: string; 
+    from?: string; 
+    fromDomain?: string;
+    type: 'email' | 'domain';
+  };
 } {
   return resource.type === 'EmailSender';
 }
 
 const emailSenderResources = generated.filter(isEmailSender);
 if (emailSenderResources.length > 0) {
-  const senderAddresses = emailSenderResources.map(r => r.options.from);
+  // Extract both email addresses and domains for verification
+  const emailAddresses = emailSenderResources
+    .filter(r => r.options.type === 'email' && r.options.from)
+    .map(r => r.options.from!);
+  
+  const domains = emailSenderResources
+    .filter(r => r.options.type === 'domain' && r.options.fromDomain)
+    .map(r => r.options.fromDomain!);
+  
+  // Add SES permissions for all identity types
   api.addToRolePolicy(new PolicyStatement({
     actions: [
       'ses:SendEmail',
@@ -333,13 +381,12 @@ if (emailSenderResources.length > 0) {
     ],
   }));
 
-  // Initiate SES email verification for each sender address during deployment.
-  // This sends a verification email to each address automatically so customers
-  // don't need to manually trigger it from the AWS console.
+  // Initiate SES verification for emails and domains during deployment.
   const sesClient = new SESClient();
-  const verificationResults: { address: string; status: string }[] = [];
+  const verificationResults: { identity: string; type: 'email' | 'domain'; status: string }[] = [];
 
-  for (const address of senderAddresses) {
+  // Verify individual email addresses
+  for (const address of emailAddresses) {
     try {
       // Check current verification status first
       const statusResult = await sesClient.send(
@@ -348,35 +395,64 @@ if (emailSenderResources.length > 0) {
       const currentStatus = statusResult.VerificationAttributes?.[address]?.VerificationStatus;
 
       if (currentStatus === 'Success') {
-        verificationResults.push({ address, status: 'already verified ✅' });
+        verificationResults.push({ identity: address, type: 'email', status: 'already verified ✅' });
       } else {
         // Trigger a (new) verification email
         await sesClient.send(new VerifyEmailIdentityCommand({ EmailAddress: address }));
-        verificationResults.push({ address, status: 'verification email sent 📧' });
+        verificationResults.push({ identity: address, type: 'email', status: 'verification email sent 📧' });
+      }
+    } catch (err: any) {
+      verificationResults.push({ identity: address, type: 'email', status: `could not initiate automatically — ${err?.message ?? err}` });
+    }
+  }
+
+  // Verify domains
+  for (const domain of domains) {
+    try {
+      // Check current verification status first
+      const statusResult = await sesClient.send(
+        new GetIdentityVerificationAttributesCommand({ Identities: [domain] })
+      );
+      const currentStatus = statusResult.VerificationAttributes?.[domain]?.VerificationStatus;
+
+      if (currentStatus === 'Success') {
+        verificationResults.push({ identity: domain, type: 'domain', status: 'already verified ✅' });
+      } else {
+        // Trigger domain verification (requires DNS setup) 
+        await sesClient.send(new VerifyDomainIdentityCommand({ Domain: domain }));
+        verificationResults.push({ identity: domain, type: 'domain', status: 'initiated - DNS setup required 🌐' });
       }
     } catch (err: any) {
-      verificationResults.push({ address, status: `could not initiate automatically — ${err?.message ?? err}` });
+      verificationResults.push({ identity: domain, type: 'domain', status: `could not initiate automatically — ${err?.message ?? err}` });
     }
   }
 
+  // Enhanced console output
   console.log(`
-⚠️  AWS SES Email Verification
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-Your app uses EmailSender with the following sender address(es):
+⚠️  AWS SES Email and Domain Verification
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Your app uses EmailSender with the following identities:
+
+EMAIL ADDRESSES:
+${verificationResults.filter(r => r.type === 'email').map(r => `  📧 ${r.identity} — ${r.status}`).join('\n') || '  (none)'}
 
-${verificationResults.map(r => `  • ${r.address} — ${r.status}`).join('\n')}
+DOMAINS:
+${verificationResults.filter(r => r.type === 'domain').map(r => `  🌐 ${r.identity} — ${r.status}`).join('\n') || '  (none)'}
 
-${verificationResults.some(r => r.status.includes('sent'))
-  ? 'Check your inbox and click the verification link in each email from AWS SES.'
-  : ''}
-AWS SES starts in "sandbox" mode — you must also verify recipient addresses
-or request production access to send to arbitrary recipients.
+NEXT STEPS:
+${verificationResults.some(r => r.type === 'email' && r.status.includes('sent'))
+  ? '📧 Check your inbox and click verification links for email addresses.\n' : ''}${verificationResults.some(r => r.type === 'domain' && r.status.includes('DNS'))
+  ? '🌐 Set up DNS records for domain verification (see AWS SES console).\n' : ''}
+⚠️  AWS SES starts in "sandbox" mode — you must also verify recipient addresses
+   or request production access to send to arbitrary recipients.
 
-To request production (sandbox removal) access:
-  https://docs.aws.amazon.com/ses/latest/dg/request-production-access.html
+USEFUL LINKS:
+📖 Verify identities: https://console.aws.amazon.com/ses/home?region=${backend.stack.region}#/verified-identities
+🚀 Request production: https://console.aws.amazon.com/ses/home?region=${backend.stack.region}#/account
+📚 Documentation: https://docs.aws.amazon.com/ses/latest/dg/request-production-access.html
 
 See docs/amplify.md in your project for more details.
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 `);
 }
 

package/amplify-hosting-assets/compute/default/package.json

@@ -3,6 +3,6 @@
 	"dependencies": {
 		"jsdom": "^25.0.1",
 		"wirejs-dom": "^1.0.44",
-		"wirejs-resources": "^0.1.176"
+		"wirejs-resources": "^0.1.177"
 	}
 }

package/dist/services/authentication.js

@@ -3,7 +3,6 @@ import * as jose from 'jose';
 import { CognitoIdentityProviderClient, SignUpCommand, ForgotPasswordCommand, ConfirmForgotPasswordCommand, ConfirmSignUpCommand, ResendConfirmationCodeCommand, InitiateAuthCommand, ChangePasswordCommand, } from '@aws-sdk/client-cognito-identity-provider';
 import { withContext, SignedCookie, Setting, AuthenticationService as AuthenticationServiceBase, } from 'wirejs-resources';
 import { addResource } from '../resource-collector.js';
-const ClientId = env['COGNITO_CLIENT_ID'];
 const actions = {
     changepassword: {
         name: "Change Password",
@@ -118,6 +117,7 @@ const client = new CognitoIdentityProviderClient();
 export class AuthenticationService extends AuthenticationServiceBase {
     #cookie;
     #keepalive;
+    #clientId;
     constructor(scope, id, options = {}) {
         super(scope, id, options);
         const signingSecret = new Setting(this, 'jwt-signing-secret', {
@@ -125,6 +125,8 @@ export class AuthenticationService extends AuthenticationServiceBase {
         });
         this.#keepalive = options.keepalive ?? false;
         this.#cookie = new SignedCookie(this, options.cookie ?? 'identity', signingSecret, { maxAge: ONE_WEEK });
+        const cognitoClientIds = JSON.parse(env['COGNITO_CLIENT_IDS'] || '{}');
+        this.#clientId = cognitoClientIds[this.absoluteId];
         addResource('AuthenticationService', { absoluteId: this.absoluteId });
     }
     async getMachineState(cookies) {
@@ -206,7 +208,7 @@ export class AuthenticationService extends AuthenticationServiceBase {
             }
             try {
                 const command = new SignUpCommand({
-                    ClientId,
+                    ClientId: this.#clientId,
                     Username: form.inputs.email,
                     Password: form.inputs.password,
                     UserAttributes: [
@@ -249,7 +251,7 @@ export class AuthenticationService extends AuthenticationServiceBase {
             }
             try {
                 const command = new ResendConfirmationCodeCommand({
-                    ClientId,
+                    ClientId: this.#clientId,
                     Username: state.metadata
                 });
                 await client.send(command);
@@ -283,7 +285,7 @@ export class AuthenticationService extends AuthenticationServiceBase {
                     return this.getMachineState(cookies);
                 }
                 const command = new ConfirmSignUpCommand({
-                    ClientId,
+                    ClientId: this.#clientId,
                     Username: email,
                     ConfirmationCode: form.inputs.code,
                 });
@@ -309,7 +311,7 @@ export class AuthenticationService extends AuthenticationServiceBase {
             }
             try {
                 const command = new InitiateAuthCommand({
-                    ClientId,
+                    ClientId: this.#clientId,
                     AuthFlow: 'USER_PASSWORD_AUTH',
                     AuthParameters: {
                         USERNAME: form.inputs.email,
@@ -333,7 +335,7 @@ export class AuthenticationService extends AuthenticationServiceBase {
             catch (error) {
                 if (error.message === 'User is not confirmed.') {
                     const command = new ResendConfirmationCodeCommand({
-                        ClientId,
+                        ClientId: this.#clientId,
                         Username: form.inputs.email
                     });
                     await client.send(command);
@@ -375,7 +377,7 @@ export class AuthenticationService extends AuthenticationServiceBase {
                 // change password requires an access token, which we don't actually store.
                 // so, first step is to actually authenticate.
                 const authCommand = new InitiateAuthCommand({
-                    ClientId,
+                    ClientId: this.#clientId,
                     AuthFlow: 'USER_PASSWORD_AUTH',
                     AuthParameters: {
                         USERNAME: state.user.username,
@@ -427,7 +429,7 @@ export class AuthenticationService extends AuthenticationServiceBase {
             }
             try {
                 const command = new ForgotPasswordCommand({
-                    ClientId,
+                    ClientId: this.#clientId,
                     Username: form.inputs.email
                 });
                 await client.send(command);
@@ -459,7 +461,7 @@ export class AuthenticationService extends AuthenticationServiceBase {
             }
             try {
                 const command = new ConfirmForgotPasswordCommand({
-                    ClientId,
+                    ClientId: this.#clientId,
                     ConfirmationCode: form.inputs.code,
                     Password: form.inputs.password,
                     Username: state?.metadata

package/dist/services/email-sender.d.ts

@@ -1,7 +1,5 @@
-import { Resource, EmailSender as BaseEmailSender, EmailMessage } from 'wirejs-resources';
+import { Resource, EmailSender as BaseEmailSender, EmailMessage, EmailSenderOptions } from 'wirejs-resources';
 export declare class EmailSender extends BaseEmailSender {
-    constructor(scope: Resource | string, id: string, options: {
-        from: string;
-    });
+    constructor(scope: Resource | string, id: string, options: EmailSenderOptions);
     send(message: EmailMessage): Promise<void>;
 }

package/dist/services/email-sender.js

@@ -2,32 +2,186 @@ import { SESClient, SendEmailCommand, } from '@aws-sdk/client-ses';
 import { EmailSender as BaseEmailSender, } from 'wirejs-resources';
 import { addResource } from '../resource-collector.js';
 const ses = new SESClient();
-const SEND_VERIFY_ERROR = (sender, addresses) => `
-Your app tried to send an email
+const EMAIL_VERIFICATION_ERROR = (senderEmail, recipientAddresses) => `
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+⚠️  AWS SES EMAIL SENDING FAILED - VERIFICATION REQUIRED
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
-	From : ${sender}
-	To   : ${addresses.join(', ')}
+Your app attempted to send email but failed because the sender address is not verified.
 
-However, your AWS account is in SES sandbox mode in ${process.env.AWS_REGION}.
+FAILED EMAIL:
+    From: ${senderEmail}  
+    To: ${recipientAddresses.join(', ')}
+    Region: ${process.env.AWS_REGION}
 
-You must log into the AWS SES console and EITHER:
+NEXT STEPS - Choose one of the following options:
 
-	... Verify every individual recipient (e.g., during testing),
+📧 OPTION 1: Verify Individual Email Address
+────────────────────────────────────────────
+1. Open AWS SES Console: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/verified-identities
+2. Click "Create identity"
+3. Select "Email address"
+4. Enter: ${senderEmail}
+5. Click "Create identity"
+6. Check your inbox for verification email and click the link
 
-		~~~ OR ~~~
-  
-	... Request production access.
+🌐 OPTION 2: Verify Entire Domain (Recommended for production)
+───────────────────────────────────────────────────────────────
+1. Open AWS SES Console: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/verified-identities
+2. Click "Create identity"
+3. Select "Domain" 
+4. Enter your domain (e.g., ${senderEmail.split('@')[1]})
+5. Follow DNS verification steps provided
+6. Wait for DNS propagation (may take up to 72 hours)
+
+📮 RECIPIENT VERIFICATION (SES Sandbox Mode)
+─────────────────────────────────────────────────
+Your AWS account is likely in SES sandbox mode. You must ALSO verify recipient addresses:
+
+For each recipient (${recipientAddresses.join(', ')}):
+1. Open: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/verified-identities  
+2. Click "Create identity" → "Email address"
+3. Enter the recipient email and verify
+
+🚀 PRODUCTION ACCESS (Send to any recipient)
+──────────────────────────────────────────────
+To send to unverified recipients, request production access:
+1. Open: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/account
+2. Click "Request production access"
+3. Complete the request form
+4. AWS typically approves within 24 hours
+
+📖 More Information:
+https://docs.aws.amazon.com/ses/latest/dg/verify-addresses-and-domains.html
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+`;
+const DOMAIN_VERIFICATION_ERROR = (domain, senderEmail, recipientAddresses) => `
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+⚠️  AWS SES DOMAIN SENDING FAILED - DOMAIN VERIFICATION REQUIRED  
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Your app attempted to send email from a domain but failed because the domain is not verified.
+
+FAILED EMAIL:
+    From: ${senderEmail}
+    Domain: ${domain}
+    To: ${recipientAddresses.join(', ')}
+    Region: ${process.env.AWS_REGION}
+
+NEXT STEPS:
+
+🌐 VERIFY YOUR SENDING DOMAIN
+────────────────────────────────
+1. Open AWS SES Console: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/verified-identities
+2. Click "Create identity"
+3. Select "Domain"
+4. Enter domain: ${domain}
+5. Choose verification method:
+   • DNS (recommended): Add TXT records to your DNS
+   • Email: Verify via admin email addresses
+6. Follow the provided instructions
+7. Wait for verification (DNS may take up to 72 hours)
+
+📮 RECIPIENT VERIFICATION (SES Sandbox Mode)  
+─────────────────────────────────────────────────
+Your AWS account is likely in SES sandbox mode. You must ALSO verify recipient addresses:
+
+For each recipient (${recipientAddresses.join(', ')}):
+1. Open: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/verified-identities
+2. Click "Create identity" → "Email address" 
+3. Enter the recipient email and verify
+
+🚀 PRODUCTION ACCESS (Send to any recipient)
+──────────────────────────────────────────────
+To send to unverified recipients, request production access:
+1. Open: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/account
+2. Click "Request production access"
+3. Complete the request form
+
+📖 More Information:
+https://docs.aws.amazon.com/ses/latest/dg/verify-domain-procedure.html
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+`;
+const GENERAL_SES_ERROR = (senderEmail, recipientAddresses, errorMessage) => `
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+⚠️  AWS SES EMAIL SENDING FAILED
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+FAILED EMAIL:
+    From: ${senderEmail}
+    To: ${recipientAddresses.join(', ')}
+    Region: ${process.env.AWS_REGION}
+    Error: ${errorMessage}
+
+TROUBLESHOOTING STEPS:
+
+1️⃣ VERIFY SENDER IDENTITY
+────────────────────────────
+• Open AWS SES Console: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/verified-identities
+• Ensure your sender address/domain is verified and shows "Verified" status
+
+2️⃣ CHECK RECIPIENT ADDRESSES (Sandbox Mode)
+─────────────────────────────────────────────
+• If in sandbox mode, verify recipient addresses too
+• Or request production access: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/account
+
+3️⃣ REVIEW SES QUOTAS AND LIMITS  
+──────────────────────────────────
+• Check your sending quota: https://console.aws.amazon.com/ses/home?region=${process.env.AWS_REGION}#/account
+• Verify you haven't exceeded daily/per-second limits
+
+4️⃣ CHECK SES CONFIGURATION
+────────────────────────────────
+• Ensure SES service is available in region: ${process.env.AWS_REGION}
+• Verify your AWS credentials have SES permissions
+
+📖 AWS SES Documentation:
+https://docs.aws.amazon.com/ses/latest/dg/
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 `;
 export class EmailSender extends BaseEmailSender {
     constructor(scope, id, options) {
         super(scope, id, options);
-        addResource('EmailSender', { absoluteId: this.absoluteId, from: options.from });
+        // Register the resource with appropriate metadata for backend.ts verification
+        if ('from' in options) {
+            addResource('EmailSender', {
+                absoluteId: this.absoluteId,
+                from: options.from,
+                type: 'email'
+            });
+        }
+        else if ('fromDomain' in options) {
+            addResource('EmailSender', {
+                absoluteId: this.absoluteId,
+                fromDomain: options.fromDomain,
+                type: 'domain'
+            });
+        }
     }
     async send(message) {
         const toAddresses = Array.isArray(message.to) ? message.to : [message.to];
+        // Determine sender email address
+        let senderEmail;
+        if (this.from) {
+            // Traditional email-based sender
+            senderEmail = this.from;
+        }
+        else if (this.fromDomain && message.from) {
+            // Domain-based sender with message-specific from
+            if (!message.from.endsWith(`@${this.fromDomain}`)) {
+                throw new Error(`Message from address "${message.from}" must use domain "@${this.fromDomain}"`);
+            }
+            senderEmail = message.from;
+        }
+        else if (this.fromDomain) {
+            throw new Error('Domain-based EmailSender requires message.from to specify the sender address');
+        }
+        else {
+            throw new Error('EmailSender configuration error: no valid sender address available');
+        }
         try {
             await ses.send(new SendEmailCommand({
-                Source: this.from,
+                Source: senderEmail,
                 Destination: { ToAddresses: toAddresses },
                 Message: {
                     Subject: { Data: message.subject },
@@ -39,18 +193,39 @@ export class EmailSender extends BaseEmailSender {
             }));
         }
         catch (e) {
+            // Enhanced error handling with detailed AWS console instructions
+            let errorMessage = '';
             if (e.message.includes('Email address is not verified')) {
-                await ses.send(new SendEmailCommand({
-                    Source: this.from,
-                    Destination: { ToAddresses: [this.from] },
-                    Message: {
-                        Subject: { Data: "Error Sending Email: Recipient not verified" },
-                        Body: { Text: { Data: SEND_VERIFY_ERROR(this.from, toAddresses)
-                            } }
-                    }
-                }));
+                if (this.isDomainSender) {
+                    errorMessage = DOMAIN_VERIFICATION_ERROR(this.fromDomain, senderEmail, toAddresses);
+                }
+                else {
+                    errorMessage = EMAIL_VERIFICATION_ERROR(senderEmail, toAddresses);
+                }
+                // Send notification email to sender (if possible)
+                try {
+                    await ses.send(new SendEmailCommand({
+                        Source: senderEmail,
+                        Destination: { ToAddresses: [senderEmail] },
+                        Message: {
+                            Subject: { Data: "⚠️ Email Sending Failed - AWS SES Verification Required" },
+                            Body: { Text: { Data: errorMessage } }
+                        }
+                    }));
+                }
+                catch (notificationError) {
+                    // If we can't send notification, that's expected if sender isn't verified
+                }
+            }
+            else {
+                // Other SES errors
+                errorMessage = GENERAL_SES_ERROR(senderEmail, toAddresses, e.message);
             }
-            throw e;
+            // Create an enhanced error with our detailed message
+            const enhancedError = new Error(errorMessage);
+            enhancedError.name = e.name;
+            enhancedError.cause = e;
+            throw enhancedError;
         }
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "wirejs-deploy-amplify-basic",
-	"version": "0.1.176",
+	"version": "0.1.177",
 	"type": "module",
 	"main": "./dist/index.js",
 	"types": "./dist/index.d.ts",
@@ -45,7 +45,7 @@
 		"recursive-copy": "^2.0.14",
 		"rimraf": "^6.0.1",
 		"wirejs-dom": "^1.0.44",
-		"wirejs-resources": "^0.1.176"
+		"wirejs-resources": "^0.1.177"
 	},
 	"devDependencies": {
 		"@aws-amplify/backend": "^1.14.0",

package/amplify-backend-assets/auth/resource.ts

@@ -1,7 +0,0 @@
-import { defineAuth } from '@aws-amplify/backend';
-
-export const auth = defineAuth({
-	loginWith: {
-		email: true,
-	},
-});