"use strict";
// TypeScript CommonJS emit helper: exposes property `k` of module `m` on `o`
// under the name `k2` (defaulting to `k`). When Object.create is available a
// live getter is defined so the binding follows later reassignments; otherwise
// the value is copied once.
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
// Replace the descriptor with a live getter unless the source is an accessor on
// an __esModule object, or a data property that is neither writable nor
// configurable (those are already stable and can be re-used as-is).
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
// TypeScript CommonJS emit helper: sets `o.default` to `v` (the wrapped module),
// as a non-writable property when Object.create is available, else by plain
// assignment.
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
// TypeScript CommonJS emit helper backing `import * as x from "..."`: an
// __esModule object is returned untouched; anything else is wrapped in a fresh
// namespace object that re-exports every own key except "default" and sets
// `default` to the original module.
var __importStar = (this && this.__importStar) || (function () {
// Lazily resolved key enumerator: Object.getOwnPropertyNames when present,
// otherwise a for-in walk filtered to own properties.
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
// Bind each key except "default" via __createBinding (defined above).
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
// Flag this module as an ES-module interop target; `__importStar` above returns
// such modules unchanged instead of wrapping them.
Object.defineProperty(exports, "__esModule", { value: true });
// Named exports. The function declarations further down are hoisted, so the
// assignments are valid before the definitions appear in the file.
exports.createUserPool = createUserPool;
exports.createUserPoolClient = createUserPoolClient;
exports.createUserGroups = createUserGroups;
const cognito = __importStar(require("aws-cdk-lib/aws-cognito"));
const aws_cdk_lib_1 = require("aws-cdk-lib");
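/**
 * Creates the Cognito User Pool used for authentication, plus the app client
 * and the default user groups that depend on it.
 *
 * @param scope The construct scope
 * @param id The construct ID; used to derive default resource names
 * @param props Optional configuration. `userPoolName` overrides the derived
 *   pool name. `removalPolicy` overrides the policy applied when the stack is
 *   deleted; it defaults to RemovalPolicy.DESTROY, which removes the pool and
 *   every user registered in it.
 * @returns The created Cognito User Pool and User Pool Client
 */
function createUserPool(scope, id, props) {
    // `||` rather than `??` is deliberate: an empty string is not a usable pool
    // name, so it falls back to the derived default as well.
    const userPoolName = props?.userPoolName || `${id}-user-pool`;
    // DESTROY stays the default for backward compatibility, but it deletes all
    // user accounts together with the stack; deployments holding real users
    // should pass RemovalPolicy.RETAIN.
    const removalPolicy = props?.removalPolicy ?? aws_cdk_lib_1.RemovalPolicy.DESTROY;
    const userPool = new cognito.UserPool(scope, 'UserPool', {
        userPoolName,
        // Email is the only sign-in alias; username and phone sign-in are disabled
        signInAliases: {
            email: true,
            username: false,
            phone: false,
        },
        // Anyone may register; the address is verified automatically by email
        selfSignUpEnabled: true,
        autoVerify: {
            email: true,
        },
        // Password complexity: at least 8 characters drawn from all four classes
        passwordPolicy: {
            minLength: 8,
            requireLowercase: true,
            requireUppercase: true,
            requireDigits: true,
            requireSymbols: true,
        },
        // Account recovery goes through the verified email only (no SMS)
        accountRecovery: cognito.AccountRecovery.EMAIL_ONLY,
        // Emails are sent through Cognito's built-in sender
        email: cognito.UserPoolEmail.withCognito(),
        // Verification and invitation templates; {username} and {####} are
        // substituted by Cognito when the message is sent
        userVerification: {
            emailSubject: 'Verify your email for our app',
            emailBody: 'Hello {username}, Thanks for signing up! Your verification code is {####}',
            emailStyle: cognito.VerificationEmailStyle.CODE,
        },
        userInvitation: {
            emailSubject: 'Invite to join our app',
            emailBody: 'Hello {username}, you have been invited to join our app! Your temporary password is {####}',
        },
        // Email is mandatory; given and family name are optional. All are mutable
        standardAttributes: {
            email: { required: true, mutable: true },
            givenName: { required: false, mutable: true },
            familyName: { required: false, mutable: true },
        },
        // MFA is offered but not enforced; TOTP only, SMS second factor disabled
        mfa: cognito.Mfa.OPTIONAL,
        mfaSecondFactor: {
            sms: false,
            otp: true,
        },
        // Sign-ins from an unrecognised device must complete the MFA challenge;
        // devices are remembered without prompting the user
        deviceTracking: {
            challengeRequiredOnNewDevice: true,
            deviceOnlyRememberedOnUserPrompt: false,
        },
        removalPolicy,
    });
    // App client for API Gateway integration
    const userPoolClient = createUserPoolClient(scope, id, userPool);
    // Default groups for role-based access control
    createUserGroups(scope, userPool);
    return { userPool, userPoolClient };
}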
/**
 * Creates the Cognito User Pool Client (app client) for API Gateway integration.
 *
 * The client is a public client (no secret) that authenticates with SRP or
 * username/password and uses the OAuth authorization-code grant. The callback
 * and logout URLs are localhost placeholders until a domain is configured.
 *
 * @param scope The construct scope
 * @param id The construct ID; used to derive the client name
 * @param userPool The user pool to create the client for
 * @returns The created user pool client
 */
function createUserPoolClient(scope, id, userPool) {
    // SRP and plain user/password flows only; custom and admin flows stay off
    const authFlows = {
        userPassword: true,
        userSrp: true,
        custom: false,
        adminUserPassword: false,
    };
    // Authorization-code grant only (no implicit or client-credentials grant).
    // The http://localhost URLs are development placeholders and must be
    // replaced with the real https origin once a domain is configured.
    const oAuth = {
        flows: {
            authorizationCodeGrant: true,
            implicitCodeGrant: false,
            clientCredentials: false,
        },
        scopes: [
            cognito.OAuthScope.EMAIL,
            cognito.OAuthScope.OPENID,
            cognito.OAuthScope.PROFILE,
        ],
        callbackUrls: ['http://localhost:3000/callback'],
        logoutUrls: ['http://localhost:3000/logout'],
    };
    // The client can read the email-verified flag but never write it; it may
    // write email, given name and family name.
    const readAttributes = new cognito.ClientAttributes().withStandardAttributes({
        email: true,
        emailVerified: true,
        givenName: true,
        familyName: true,
    });
    const writeAttributes = new cognito.ClientAttributes().withStandardAttributes({
        email: true,
        givenName: true,
        familyName: true,
    });
    return new cognito.UserPoolClient(scope, 'UserPoolClient', {
        userPool,
        userPoolClientName: `${id}-client`,
        authFlows,
        oAuth,
        // Access and ID tokens live one hour, refresh tokens 30 days
        accessTokenValidity: aws_cdk_lib_1.Duration.hours(1),
        idTokenValidity: aws_cdk_lib_1.Duration.hours(1),
        refreshTokenValidity: aws_cdk_lib_1.Duration.days(30),
        // Public client: a browser-side JavaScript SDK cannot keep a client secret
        generateSecret: false,
        // Only the pool's own directory; no federated identity providers
        supportedIdentityProviders: [
            cognito.UserPoolClientIdentityProvider.COGNITO,
        ],
        readAttributes,
        writeAttributes,
        // Return a generic error for unknown users so the client cannot be used
        // to enumerate accounts
        preventUserExistenceErrors: true,
    });
}
/**
 * Creates the default user groups used for role-based access control.
 *
 * Three groups are created: `admin` (precedence 1), `moderator` (precedence 5)
 * and `user` (precedence 10). In Cognito a lower precedence value takes
 * priority, so admin outranks moderator, which outranks user.
 *
 * @param scope The construct scope
 * @param userPool The user pool to create groups for
 */
function createUserGroups(scope, userPool) {
    // Construct ID, group name, description and precedence, in creation order
    const groups = [
        ['AdminGroup', 'admin', 'Administrator group with full access to all resources', 1],
        ['UserGroup', 'user', 'Regular user group with limited access to resources', 10],
        ['ModeratorGroup', 'moderator', 'Moderator group with intermediate access to resources', 5],
    ];
    for (const [constructId, groupName, description, precedence] of groups) {
        new cognito.CfnUserPoolGroup(scope, constructId, {
            userPoolId: userPool.userPoolId,
            groupName,
            description,
            precedence,
        });
    }
}
//# sourceMappingURL=cognito.js.map