Reference Auth (#2118)
* feat: reference auth basic setup

* chore: factory basic tests

* chore: update api

* chore: add ref auth package as dependency to backend-auth

* chore: lint

* chore: add tests for construct

* chore: cleanup tsconfig

* chore: add changeset

* chore: fix tests inputs

* chore: update tests

* fix: update resource provider types

* chore: update api

* feat: reference auth outputs

* chore: add tests

* chore: fix test

* chore: cleanup reused variables

* chore: changeset

* chore: cleanup changeset

* chore: cleanup

* chore: cleanup changesets, lockfile, and api

* chore: fix mismatched output structure

* chore: refactor and add tests

* chore: add more tests for identity pool errors

* chore: cleanup

* chore: fix test

* chore: add role tests

* chore: add tests for user pool client

* chore: cleanup

* chore: refactor

* chore: fix api

* chore: undo changes to concurrent workspace script

* chore: add missing roles permission

* chore: update expected IAM policy permissions for identity pool

* fix: make sure to throw on errors when using Provider framework

* chore: refactor

* chore: cleanup

* chore: more cleanup

* chore: check for alias attributes and fix tests

* chore: add support for validating group roles exist for user pool

* chore: update package-lock file

* chore: add checks for oauth validation

* chore: fix typo

* chore: eliminate forcing updates on any change

* chore: remove commented out code

* chore: merge factory count into single count for all auth factories

* chore: move sample data and npmignore it

* chore: cleanup

* chore: fix path

* chore: update package lock

* chore: update package-lock

* chore: move construct into backend-auth

* chore: update api

* chore: update changeset

* chore: cleanup

* chore: move props type to factory

* chore: add working setup for e2e resources in ref auth (#2122)

* chore: add working setup for e2e resources in ref auth

* feed pr base sha and ref into envs before scripts (#2168)

* feed pr base sha and ref into envs before scripts

* removing empty file

* chore: update names to use test prefix

* chore: remove extra hyphen

* chore: fix cleanup and add sandbox test

* chore: make sure to throw if error describing stack is unknown

---------

Co-authored-by: Roshane Pascual <[email protected]>

* chore: add bsd-3-clause-clear license to allow list

* chore: cleanup

* chore: make lambda deps dev dependencies

* chore: revert license changes

* chore: remove tag mechanism as not needed for cleanup

---------

Co-authored-by: Roshane Pascual <[email protected]>
awsluja and rtpascual authored Nov 11, 2024
1 parent 12cf209 commit 90a7c49
Showing 40 changed files with 3,485 additions and 17 deletions.
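--- a/.changeset/good-pugs-rescue.md
+++ b/.changeset/good-pugs-rescue.md
@@ -0,0 +1,9 @@
+---
+'@aws-amplify/auth-construct': minor
+'@aws-amplify/backend-auth': minor
+'@aws-amplify/backend-data': minor
+'@aws-amplify/plugin-types': minor
+'@aws-amplify/backend': minor
+---
+
+Add support for referenceAuth.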
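--- a/.changeset/spicy-rules-speak.md
+++ b/.changeset/spicy-rules-speak.md
@@ -0,0 +1,2 @@
+---
+---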
2 changes: 2 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -82,6 +82,8 @@ For local testing we recommend writing unit tests that exercise the code you are
npm run test:dir packages/<package name>/lib/<file-name>.test.ts
```

> Note: If your test depends on \_\_dirname or import.meta.url paths, you may see errors resolving paths if you specify the entire path to the test file. You should specify just the `packages/<package name>` portion of the test you are running.
> Note: You must rebuild using `npm run build` for tests to pick up your changes.
Sometimes it's nice to have a test project to use as a testing environment for local changes. You can create test projects in the `local-testing` directory using
7 changes: 6 additions & 1 deletion package-lock.json


1 change: 1 addition & 0 deletions packages/auth-construct/src/construct.ts
Expand Up @@ -223,6 +223,7 @@ export class AmplifyAuth
userPoolClient,
authenticatedUserIamRole: auth,
unauthenticatedUserIamRole: unAuth,
identityPoolId: identityPool.ref,
cfnResources: {
cfnUserPool,
cfnUserPoolClient,
1 change: 1 addition & 0 deletions packages/backend-auth/.npmignore
Expand Up @@ -10,5 +10,6 @@
# Then ignore test js and ts declaration files
*.test.js
*.test.d.ts
**/test-resources/**

# This leaves us with including only js and ts declaration files of functional code
27 changes: 27 additions & 0 deletions packages/backend-auth/API.md
Expand Up @@ -7,9 +7,11 @@
import { AmazonProviderProps } from '@aws-amplify/auth-construct';
import { AmplifyFunction } from '@aws-amplify/plugin-types';
import { AppleProviderProps } from '@aws-amplify/auth-construct';
import { AuthOutput } from '@aws-amplify/backend-output-schemas';
import { AuthProps } from '@aws-amplify/auth-construct';
import { AuthResources } from '@aws-amplify/plugin-types';
import { AuthRoleName } from '@aws-amplify/plugin-types';
import { BackendOutputStorageStrategy } from '@aws-amplify/plugin-types';
import { BackendSecret } from '@aws-amplify/plugin-types';
import { ConstructFactory } from '@aws-amplify/plugin-types';
import { ConstructFactoryGetInstanceProps } from '@aws-amplify/plugin-types';
Expand All @@ -19,6 +21,7 @@ import { FunctionResources } from '@aws-amplify/plugin-types';
import { GoogleProviderProps } from '@aws-amplify/auth-construct';
import { IFunction } from 'aws-cdk-lib/aws-lambda';
import { OidcProviderProps } from '@aws-amplify/auth-construct';
import { ReferenceAuthResources } from '@aws-amplify/plugin-types';
import { ResourceAccessAcceptor } from '@aws-amplify/plugin-types';
import { ResourceAccessAcceptorFactory } from '@aws-amplify/plugin-types';
import { ResourceProvider } from '@aws-amplify/plugin-types';
Expand Down Expand Up @@ -48,6 +51,11 @@ export type AmplifyAuthProps = Expand<Omit<AuthProps, 'outputStorageStrategy' |
};
}>;

// @public (undocumented)
export type AmplifyReferenceAuthProps = Expand<Omit<ReferenceAuthProps, 'outputStorageStrategy'> & {
access?: AuthAccessGenerator;
}>;

// @public
export type AppleProviderFactoryProps = Omit<AppleProviderProps, 'clientId' | 'teamId' | 'keyId' | 'privateKey'> & {
clientId: BackendSecret;
Expand Down Expand Up @@ -86,6 +94,9 @@ export type AuthLoginWithFactoryProps = Omit<AuthProps['loginWith'], 'externalPr
// @public (undocumented)
export type BackendAuth = ResourceProvider<AuthResources> & ResourceAccessAcceptorFactory<AuthRoleName | string> & StackProvider;

// @public (undocumented)
export type BackendReferenceAuth = ResourceProvider<ReferenceAuthResources> & ResourceAccessAcceptorFactory<AuthRoleName | string> & StackProvider;

// @public
export type CustomEmailSender = {
handler: ConstructFactory<AmplifyFunction> | IFunction;
Expand Down Expand Up @@ -130,6 +141,22 @@ export type OidcProviderFactoryProps = Omit<OidcProviderProps, 'clientId' | 'cli
clientSecret: BackendSecret;
};

// @public
export const referenceAuth: (props: AmplifyReferenceAuthProps) => ConstructFactory<BackendReferenceAuth>;

// @public (undocumented)
export type ReferenceAuthProps = {
outputStorageStrategy?: BackendOutputStorageStrategy<AuthOutput>;
userPoolId: string;
identityPoolId: string;
userPoolClientId: string;
authRoleArn: string;
unauthRoleArn: string;
groups?: {
[groupName: string]: string;
};
};

// (No @packageDocumentation comment for this package)

```
7 changes: 6 additions & 1 deletion packages/backend-auth/package.json
Expand Up @@ -20,12 +20,17 @@
"license": "Apache-2.0",
"dependencies": {
"@aws-amplify/auth-construct": "^1.4.0",
"@aws-amplify/backend-output-schemas": "^1.4.0",
"@aws-amplify/backend-output-storage": "^1.1.3",
"@aws-amplify/plugin-types": "^1.3.1"
},
"devDependencies": {
"@aws-amplify/backend-platform-test-stubs": "^0.3.6",
"@aws-amplify/platform-core": "^1.0.6"
"@aws-amplify/platform-core": "^1.0.6",
"@aws-sdk/client-cognito-identity-provider": "^3.624.0",
"@aws-sdk/client-cognito-identity": "^3.624.0",
"@types/aws-lambda": "^8.10.119",
"aws-lambda": "^1.0.7"
},
"peerDependencies": {
"aws-cdk-lib": "^2.158.0",
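Review bot: The `aws-lambda` entry added to devDependencies looks unnecessary if the handlers only need the Lambda event and context types, which `@types/aws-lambda` supplies on its own. The `aws-lambda` package on npm is a separate deployment tool with its own transitive dependencies, so keeping it widens the install-time dependency tree without adding any types. If the imports are type-only, write them as `import type { ... } from 'aws-lambda'` and drop `"aws-lambda": "^1.0.7"`. The lambda sources are not shown on this page, so first confirm that nothing imports the package at runtime.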
4 changes: 2 additions & 2 deletions packages/backend-auth/src/factory.test.ts
Expand Up @@ -153,8 +153,8 @@ void describe('AmplifyAuthFactory', () => {
},
new AmplifyUserError('MultipleSingletonResourcesError', {
message:
'Multiple `defineAuth` calls are not allowed within an Amplify backend',
resolution: 'Remove all but one `defineAuth` call',
'Multiple `defineAuth` or `referenceAuth` calls are not allowed within an Amplify backend',
resolution: 'Remove all but one `defineAuth` or `referenceAuth` call',
})
);
});
4 changes: 2 additions & 2 deletions packages/backend-auth/src/factory.ts
Expand Up @@ -103,8 +103,8 @@ export class AmplifyAuthFactory implements ConstructFactory<BackendAuth> {
if (AmplifyAuthFactory.factoryCount > 0) {
throw new AmplifyUserError('MultipleSingletonResourcesError', {
message:
'Multiple `defineAuth` calls are not allowed within an Amplify backend',
resolution: 'Remove all but one `defineAuth` call',
'Multiple `defineAuth` or `referenceAuth` calls are not allowed within an Amplify backend',
resolution: 'Remove all but one `defineAuth` or `referenceAuth` call',
});
}
AmplifyAuthFactory.factoryCount++;
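Review bot: The guard still reads only `AmplifyAuthFactory.factoryCount`, while the new message tells users that `referenceAuth` is covered as well. That holds only if the reference factory checks and increments this same static counter; it lives in `reference_factory.ts`, which is not shown here, so confirm it. Otherwise a backend could register both a defined and a referenced auth resource, leaving it ambiguous which user pool guards access. The updated case in `factory.test.ts` appears to keep exercising `defineAuth` only, so add one that mixes a `defineAuth` with a `referenceAuth` and expects `MultipleSingletonResourcesError`. The enclosing constructor or method starts and ends outside this hunk.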
6 changes: 6 additions & 0 deletions packages/backend-auth/src/index.ts
@@ -1,2 +1,8 @@
export { BackendAuth, AmplifyAuthProps, defineAuth } from './factory.js';
export {
BackendReferenceAuth,
AmplifyReferenceAuthProps,
referenceAuth,
ReferenceAuthProps,
} from './reference_factory.js';
export * from './types.js';
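--- a/packages/backend-auth/src/lambda/.eslintrc.json
+++ b/packages/backend-auth/src/lambda/.eslintrc.json
@@ -0,0 +1,6 @@
+{
+"rules": {
+"no-console": "off",
+"amplify-backend-rules/prefer-amplify-errors": "off"
+}
+}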
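Review bot: Turning `no-console` off for all of `src/lambda` removes the only lint barrier against logging whole request or response objects from these handlers. The handler sources are not shown here, but the Cognito SDK clients added to this package suggest they read user pool client settings. A described user pool client can include its client secret, which would then end up in CloudWatch Logs. Since JSON cannot carry a comment, record the reason for both overrides in the directory's README or the PR description, and have the handlers log selected fields rather than full objects.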