
aws-cdk-lib


Version 2 of the AWS Cloud Development Kit library

"use strict";var __esDecorate=exports&&exports.__esDecorate||function(ctor,descriptorIn,decorators,contextIn,initializers,extraInitializers){function accept(f){if(f!==void 0&&typeof f!="function")throw new TypeError("Function expected");return f}for(var kind=contextIn.kind,key=kind==="getter"?"get":kind==="setter"?"set":"value",target=!descriptorIn&&ctor?contextIn.static?ctor:ctor.prototype:null,descriptor=descriptorIn||(target?Object.getOwnPropertyDescriptor(target,contextIn.name):{}),_,done=!1,i=decorators.length-1;i>=0;i--){var context={};for(var p in contextIn)context[p]=p==="access"?{}:contextIn[p];for(var p in contextIn.access)context.access[p]=contextIn.access[p];context.addInitializer=function(f){if(done)throw new TypeError("Cannot add initializers after decoration has completed");extraInitializers.push(accept(f||null))};var result=(0,decorators[i])(kind==="accessor"?{get:descriptor.get,set:descriptor.set}:descriptor[key],context);if(kind==="accessor"){if(result===void 0)continue;if(result===null||typeof result!="object")throw new TypeError("Object expected");(_=accept(result.get))&&(descriptor.get=_),(_=accept(result.set))&&(descriptor.set=_),(_=accept(result.init))&&initializers.unshift(_)}else(_=accept(result))&&(kind==="field"?initializers.unshift(_):descriptor[key]=_)}target&&Object.defineProperty(target,contextIn.name,descriptor),done=!0},__runInitializers=exports&&exports.__runInitializers||function(thisArg,initializers,value){for(var useValue=arguments.length>2,i=0;i<initializers.length;i++)value=useValue?initializers[i].call(thisArg,value):initializers[i].call(thisArg);return useValue?value:void 0};Object.defineProperty(exports,"__esModule",{value:!0}),exports.UserPoolClient=exports.UserPoolClientIdentityProvider=exports.OAuthScope=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var cognito_generated_1=()=>{var 
tmp=require("./cognito.generated");return cognito_generated_1=()=>tmp,tmp},core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp},errors_1=()=>{var tmp=require("../../core/lib/errors");return errors_1=()=>tmp,tmp},metadata_resource_1=()=>{var tmp=require("../../core/lib/metadata-resource");return metadata_resource_1=()=>tmp,tmp},prop_injectable_1=()=>{var tmp=require("../../core/lib/prop-injectable");return prop_injectable_1=()=>tmp,tmp},custom_resources_1=()=>{var tmp=require("../../custom-resources");return custom_resources_1=()=>tmp,tmp},cxapi=()=>{var tmp=require("../../cx-api");return cxapi=()=>tmp,tmp};class OAuthScope{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cognito.OAuthScope",version:"2.233.0"};static PHONE=new OAuthScope("phone");static EMAIL=new OAuthScope("email");static OPENID=new OAuthScope("openid");static PROFILE=new OAuthScope("profile");static COGNITO_ADMIN=new OAuthScope("aws.cognito.signin.user.admin");static custom(name){return new OAuthScope(name)}static resourceServer(server,scope){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cognito_IUserPoolResourceServer(server),jsiiDeprecationWarnings().aws_cdk_lib_aws_cognito_ResourceServerScope(scope)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.resourceServer),error}return new OAuthScope(`${server.userPoolResourceServerId}/${scope.scopeName}`)}scopeName;constructor(scopeName){this.scopeName=scopeName}}exports.OAuthScope=OAuthScope;class UserPoolClientIdentityProvider{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cognito.UserPoolClientIdentityProvider",version:"2.233.0"};static APPLE=new UserPoolClientIdentityProvider("SignInWithApple");static FACEBOOK=new UserPoolClientIdentityProvider("Facebook");static GOOGLE=new UserPoolClientIdentityProvider("Google");static AMAZON=new UserPoolClientIdentityProvider("LoginWithAmazon");static COGNITO=new UserPoolClientIdentityProvider("COGNITO");static 
custom(name){return new UserPoolClientIdentityProvider(name)}name;constructor(name){this.name=name}}exports.UserPoolClientIdentityProvider=UserPoolClientIdentityProvider;let UserPoolClient=(()=>{let _classDecorators=[prop_injectable_1().propertyInjectable],_classDescriptor,_classExtraInitializers=[],_classThis,_classSuper=core_1().Resource;var UserPoolClient2=class extends _classSuper{static{_classThis=this}static{const _metadata=typeof Symbol=="function"&&Symbol.metadata?Object.create(_classSuper[Symbol.metadata]??null):void 0;__esDecorate(null,_classDescriptor={value:_classThis},_classDecorators,{kind:"class",name:_classThis.name,metadata:_metadata},null,_classExtraInitializers),UserPoolClient2=_classThis=_classDescriptor.value,_metadata&&Object.defineProperty(_classThis,Symbol.metadata,{enumerable:!0,configurable:!0,writable:!0,value:_metadata})}static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cognito.UserPoolClient",version:"2.233.0"};static PROPERTY_INJECTION_ID="aws-cdk-lib.aws-cognito.UserPoolClient";static fromUserPoolClientId(scope,id,userPoolClientId){class Import extends core_1().Resource{userPoolClientId=userPoolClientId;get userPoolClientSecret(){throw new(errors_1()).ValidationError("UserPool Client Secret is not available for imported Clients",this)}}return new Import(scope,id)}userPoolClientId;_generateSecret;userPool;_userPoolClientSecret;oAuthFlows;_userPoolClientName;constructor(scope,id,props){super(scope,id);try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cognito_UserPoolClientProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,UserPoolClient2),error}if((0,metadata_resource_1().addConstructMetadata)(this,props),props.disableOAuth&&props.oAuth)throw new(errors_1()).ValidationError("OAuth settings cannot be specified when disableOAuth is set.",this);this.oAuthFlows=props.oAuth?.flows??{implicitCodeGrant:!0,authorizationCodeGrant:!0};let 
callbackUrls=props.oAuth?.callbackUrls;if(this.oAuthFlows.authorizationCodeGrant||this.oAuthFlows.implicitCodeGrant){if(callbackUrls===void 0)callbackUrls=["https://example.com"];else if(callbackUrls.length===0)throw new(errors_1()).ValidationError("callbackUrl must not be empty when codeGrant or implicitGrant OAuth flows are enabled.",this)}if(props.oAuth?.defaultRedirectUri&&!core_1().Token.isUnresolved(props.oAuth.defaultRedirectUri)){if(callbackUrls&&!callbackUrls.includes(props.oAuth.defaultRedirectUri))throw new(errors_1()).ValidationError("defaultRedirectUri must be included in callbackUrls.",this);if(!/^(?=.{1,1024}$)[\p{L}\p{M}\p{S}\p{N}\p{P}]+$/u.test(props.oAuth.defaultRedirectUri))throw new(errors_1()).ValidationError(`defaultRedirectUri must match the \`^(?=.{1,1024}$)[p{L}p{M}p{S}p{N}p{P}]+$\` pattern, got ${props.oAuth.defaultRedirectUri}`,this)}if(!props.generateSecret&&props.enablePropagateAdditionalUserContextData)throw new(errors_1()).ValidationError("Cannot activate enablePropagateAdditionalUserContextData in an app client without a client secret.",this);this._generateSecret=props.generateSecret,this.userPool=props.userPool;const resource=new(cognito_generated_1()).CfnUserPoolClient(this,"Resource",{clientName:props.userPoolClientName,generateSecret:props.generateSecret,userPoolId:props.userPool.userPoolId,explicitAuthFlows:this.configureAuthFlows(props),allowedOAuthFlows:props.disableOAuth?void 0:this.configureOAuthFlows(),allowedOAuthScopes:props.disableOAuth?void 0:this.configureOAuthScopes(props.oAuth),defaultRedirectUri:props.oAuth?.defaultRedirectUri,callbackUrLs:callbackUrls&&callbackUrls.length>0&&!props.disableOAuth?callbackUrls:void 
0,logoutUrLs:props.oAuth?.logoutUrls,allowedOAuthFlowsUserPoolClient:!props.disableOAuth,preventUserExistenceErrors:this.configurePreventUserExistenceErrors(props.preventUserExistenceErrors),supportedIdentityProviders:this.configureIdentityProviders(props),readAttributes:props.readAttributes?.attributes(),writeAttributes:props.writeAttributes?.attributes(),enableTokenRevocation:props.enableTokenRevocation,enablePropagateAdditionalUserContextData:props.enablePropagateAdditionalUserContextData,analyticsConfiguration:props.analytics?this.configureAnalytics(props.analytics):void 0});this.configureAuthSessionValidity(resource,props),this.configureTokenValidity(resource,props),this.configureRefreshTokenRotation(resource,props),this.userPoolClientId=resource.ref,this._userPoolClientName=props.userPoolClientName}get userPoolClientName(){if(this._userPoolClientName===void 0)throw new(errors_1()).ValidationError("userPoolClientName is available only if specified on the UserPoolClient during initialization",this);return this._userPoolClientName}get userPoolClientSecret(){if(!this._generateSecret)throw new(errors_1()).ValidationError("userPoolClientSecret is available only if generateSecret is set to true.",this);const isEnableLogUserPoolClientSecret=core_1().FeatureFlags.of(this).isEnabled(cxapi().LOG_USER_POOL_CLIENT_SECRET_VALUE);return this._userPoolClientSecret||(this._userPoolClientSecret=core_1().SecretValue.resourceAttribute(new(custom_resources_1()).AwsCustomResource(this,"DescribeCognitoUserPoolClient",{resourceType:"Custom::DescribeCognitoUserPoolClient",onUpdate:{region:core_1().Stack.of(this).region,service:"CognitoIdentityServiceProvider",action:"describeUserPoolClient",parameters:{UserPoolId:this.userPool.userPoolId,ClientId:this.userPoolClientId},physicalResourceId:custom_resources_1().PhysicalResourceId.of(this.userPoolClientId),logging:isEnableLogUserPoolClientSecret?void 
0:custom_resources_1().Logging.withDataHidden()},policy:custom_resources_1().AwsCustomResourcePolicy.fromSdkCalls({resources:[this.userPool.userPoolArn]}),installLatestAwsSdk:!1}).getResponseField("UserPoolClient.ClientSecret"))),this._userPoolClientSecret}configureAuthFlows(props){if(!props.authFlows||Object.keys(props.authFlows).length===0)return;const authFlows=[];return props.authFlows.userPassword&&authFlows.push("ALLOW_USER_PASSWORD_AUTH"),props.authFlows.adminUserPassword&&authFlows.push("ALLOW_ADMIN_USER_PASSWORD_AUTH"),props.authFlows.custom&&authFlows.push("ALLOW_CUSTOM_AUTH"),props.authFlows.userSrp&&authFlows.push("ALLOW_USER_SRP_AUTH"),props.authFlows.user&&authFlows.push("ALLOW_USER_AUTH"),props.refreshTokenRotationGracePeriod||authFlows.push("ALLOW_REFRESH_TOKEN_AUTH"),authFlows}configureOAuthFlows(){if((this.oAuthFlows.authorizationCodeGrant||this.oAuthFlows.implicitCodeGrant)&&this.oAuthFlows.clientCredentials)throw new(errors_1()).ValidationError("clientCredentials OAuth flow cannot be selected along with codeGrant or implicitGrant.",this);const oAuthFlows=[];if(this.oAuthFlows.clientCredentials&&oAuthFlows.push("client_credentials"),this.oAuthFlows.implicitCodeGrant&&oAuthFlows.push("implicit"),this.oAuthFlows.authorizationCodeGrant&&oAuthFlows.push("code"),oAuthFlows.length!==0)return oAuthFlows}configureOAuthScopes(oAuth){const scopes=oAuth?.scopes??[OAuthScope.PROFILE,OAuthScope.PHONE,OAuthScope.EMAIL,OAuthScope.OPENID,OAuthScope.COGNITO_ADMIN],scopeNames=new Set(scopes.map(x=>x.scopeName));return[OAuthScope.PHONE,OAuthScope.EMAIL,OAuthScope.PROFILE].reduce((agg,s)=>agg||scopeNames.has(s.scopeName),!1)&&scopeNames.add(OAuthScope.OPENID.scopeName),Array.from(scopeNames)}configurePreventUserExistenceErrors(prevent){if(prevent!==void 0)return prevent?"ENABLED":"LEGACY"}configureIdentityProviders(props){let providers;if(props.supportedIdentityProviders)providers=props.supportedIdentityProviders.map(p=>p.name);else{const providerSet=new 
Set(props.userPool.identityProviders.map(p=>p.providerName));providerSet.add("COGNITO"),providers=Array.from(providerSet)}if(providers.length!==0)return Array.from(providers)}configureAuthSessionValidity(resource,props){this.validateDuration("authSessionValidity",core_1().Duration.minutes(3),core_1().Duration.minutes(15),props.authSessionValidity),resource.authSessionValidity=props.authSessionValidity?props.authSessionValidity.toMinutes():void 0}configureTokenValidity(resource,props){this.validateDuration("idTokenValidity",core_1().Duration.minutes(5),core_1().Duration.days(1),props.idTokenValidity),this.validateDuration("accessTokenValidity",core_1().Duration.minutes(5),core_1().Duration.days(1),props.accessTokenValidity),this.validateDuration("refreshTokenValidity",core_1().Duration.minutes(60),core_1().Duration.days(10*365),props.refreshTokenValidity),props.refreshTokenValidity&&(this.validateDuration("idTokenValidity",core_1().Duration.minutes(5),props.refreshTokenValidity,props.idTokenValidity),this.validateDuration("accessTokenValidity",core_1().Duration.minutes(5),props.refreshTokenValidity,props.accessTokenValidity)),(props.accessTokenValidity||props.idTokenValidity||props.refreshTokenValidity)&&(resource.tokenValidityUnits={idToken:props.idTokenValidity?"minutes":void 0,accessToken:props.accessTokenValidity?"minutes":void 0,refreshToken:props.refreshTokenValidity?"minutes":void 0}),resource.idTokenValidity=props.idTokenValidity?props.idTokenValidity.toMinutes():void 0,resource.refreshTokenValidity=props.refreshTokenValidity?props.refreshTokenValidity.toMinutes():void 0,resource.accessTokenValidity=props.accessTokenValidity?props.accessTokenValidity.toMinutes():void 
0}configureRefreshTokenRotation(resource,props){props.refreshTokenRotationGracePeriod&&(this.validateDuration("refreshTokenRotationGracePeriod",core_1().Duration.seconds(0),core_1().Duration.minutes(1),props.refreshTokenRotationGracePeriod),resource.refreshTokenRotation={feature:"ENABLED",retryGracePeriodSeconds:props.refreshTokenRotationGracePeriod.toSeconds()})}validateDuration(name,min,max,value){if(value!==void 0&&(value.toMilliseconds()<min.toMilliseconds()||value.toMilliseconds()>max.toMilliseconds()))throw new(errors_1()).ValidationError(`${name}: Must be a duration between ${min.toHumanString()} and ${max.toHumanString()} (inclusive); received ${value.toHumanString()}.`,this)}configureAnalytics(analytics){if(analytics.application&&(analytics.applicationId||analytics.externalId||analytics.role))throw new(errors_1()).ValidationError("Either `application` or all of `applicationId`, `externalId` and `role` must be specified.",this);if(!analytics.application&&(!analytics.applicationId||!analytics.externalId||!analytics.role))throw new(errors_1()).ValidationError("Either all of `applicationId`, `externalId` and `role` must be specified or `application` must be specified.",this);return{applicationArn:analytics.application?.attrArn,applicationId:analytics.applicationId,externalId:analytics.externalId,roleArn:analytics.role?.roleRef.roleArn,userDataShared:analytics.shareUserData}}static{__runInitializers(_classThis,_classExtraInitializers)}};return UserPoolClient2=_classThis})();exports.UserPoolClient=UserPoolClient;