aws-amplify · Jordan-Nelson · Jul 30, 2024 · Jun 20, 2024 · Jun 26, 2024 · Jun 27, 2024
@@ -0,0 +1,5 @@
+# amplify
+node_modules
+.amplify
+amplify_outputs*
+amplifyconfiguration*
@@ -0,0 +1,14 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineAuth } from "@aws-amplify/backend";
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+  loginWith: {
+    email: true,
+  },
+});
@@ -0,0 +1,25 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineBackend } from "@aws-amplify/backend";
+import { addAuthUserExtensions } from "infra-common";
+import { auth } from "./auth/resource";
+
+const backend = defineBackend({
+  auth,
+});
+
+const resources = backend.auth.resources;
+const { userPool, cfnResources } = resources;
+const { stack } = userPool;
+const { cfnUserPool } = cfnResources;
+
+// Adds infra for creating/deleting users via App Sync and fetching confirmation
+// and MFA codes from App Sync.
+const customOutputs = addAuthUserExtensions({
+  name: "email-sign-in",
+  stack,
+  userPool,
+  cfnUserPool,
+});
+backend.addOutput(customOutputs);
@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}
@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "es2022",
+    "module": "es2022",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "paths": {
+      "$amplify/*": [
+        "../.amplify/generated/*"
+      ]
+    }
+  }
+}
@@ -0,0 +1,5 @@
+{
+  "name": "email-sign-in",
+  "version": "1.0.0",
+  "main": "index.js"
+}
@@ -0,0 +1,5 @@
+# amplify
+node_modules
+.amplify
+amplify_outputs*
+amplifyconfiguration*
@@ -0,0 +1,14 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineAuth } from "@aws-amplify/backend";
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+  loginWith: {
+    phone: true,
+  },
+});
@@ -0,0 +1,25 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { defineBackend } from "@aws-amplify/backend";
+import { addAuthUserExtensions } from "infra-common";
+import { auth } from "./auth/resource";
+
+const backend = defineBackend({
+  auth,
+});
+
+const resources = backend.auth.resources;
+const { userPool, cfnResources } = resources;
+const { stack } = userPool;
+const { cfnUserPool } = cfnResources;
+
+// Adds infra for creating/deleting users via App Sync and fetching confirmation
+// and MFA codes from App Sync.
+const customOutputs = addAuthUserExtensions({
+  name: "phone-sign-in",
+  stack,
+  userPool,
+  cfnUserPool,
+});
+backend.addOutput(customOutputs);
@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}
@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "es2022",
+    "module": "es2022",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "paths": {
+      "$amplify/*": [
+        "../.amplify/generated/*"
+      ]
+    }
+  }
+}
@@ -0,0 +1,5 @@
+{
+  "name": "phone-sign-in",
+  "version": "1.0.0",
+  "main": "index.js"
+}
@@ -7,6 +7,7 @@
     ".": "./dist/index.js"
   },
   "scripts": {
-    "build": "tsc"
+    "build": "tsc && npm run copy-graphql",
+    "copy-graphql": "cp -r ./src/schemas ./dist"
   }
 }
@@ -0,0 +1,6 @@
+# auth-user-extensions
+
+This directory contains extensions useful for managing authorized users, including:
+
+- creating & deleting users via App Sync
+- sending confirmation codes to App Sync instead of email/SMS
@@ -0,0 +1,35 @@
+import { BackendBase } from "@aws-amplify/backend";
+import { Stack } from "aws-cdk-lib";
+import { CfnUserPool, IUserPool } from "aws-cdk-lib/aws-cognito";
+import { addCreateUserLambda } from "./create-user-lambda";
+import { addCustomSenderLambda } from "./custom-sender-lambda";
+import { addDeleteUserLambda } from "./delete-user-lambda";
+import { addUserGraphql } from "./user-graphql";
+
+type AmplifyOutputs = Parameters<BackendBase["addOutput"]>[0];
+
+export const addAuthUserExtensions = ({
+  name,
+  stack,
+  userPool,
+  cfnUserPool,
+}: {
+  name: string;
+  stack: Stack;
+  userPool: IUserPool;
+  cfnUserPool: CfnUserPool;
+}): AmplifyOutputs => {
+  const graphQL = addUserGraphql(stack);
+  addCustomSenderLambda({ name, stack, cfnUserPool, graphQL });
+  addCreateUserLambda({ name, stack, userPool, graphQL });
+  addDeleteUserLambda({ name, stack, userPool, graphQL });
+  return {
+    data: {
+      aws_region: stack.region,
+      url: graphQL.graphqlUrl,
+      api_key: graphQL.apiKey,
+      default_authorization_type: "API_KEY",
+      authorization_types: [],
+    },
+  };
+};
@@ -0,0 +1,46 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { Stack } from "aws-cdk-lib";
+import { GraphqlApi, MappingTemplate } from "aws-cdk-lib/aws-appsync";
+import { IUserPool } from "aws-cdk-lib/aws-cognito";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
+import path from "path";
+
+export function addCreateUserLambda({
+  name,
+  stack,
+  graphQL,
+  userPool,
+}: {
+  name: string;
+  stack: Stack;
+  graphQL: GraphqlApi;
+  userPool: IUserPool;
+}) {
+  const createUserLambda = new NodejsFunction(stack, `${name}-createUser`, {
+    entry: path.resolve(__dirname, "..", "lambda-triggers", "create-user.js"),
+    runtime: Runtime.NODEJS_18_X,
+    environment: {
+      USER_POOL_ID: userPool.userPoolId,
+    },
+  });
+  userPool.grant(
+    createUserLambda,
+    "cognito-idp:AdminCreateUser",
+    "cognito-idp:AdminSetUserPassword",
+    "cognito-idp:AdminSetUserMFAPreference",
+    "cognito-idp:AdminUpdateUserAttributes"
+  );
+  const createUserSource = graphQL.addLambdaDataSource(
+    `${name}-GraphQLApiCreateUserLambda`,
+    createUserLambda
+  );
+  createUserSource.createResolver(`${name}-MutationCreateUserResolver`, {
+    typeName: "Mutation",
+    fieldName: "createUser",
+    requestMappingTemplate: MappingTemplate.lambdaRequest(),
+    responseMappingTemplate: MappingTemplate.lambdaResult(),
+  });
+}
@@ -0,0 +1,145 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { RemovalPolicy, Stack } from "aws-cdk-lib";
+import {
+  Assign,
+  GraphqlApi,
+  MappingTemplate,
+  PrimaryKey,
+  Values,
+} from "aws-cdk-lib/aws-appsync";
+import { CfnUserPool } from "aws-cdk-lib/aws-cognito";
+import { AttributeType, BillingMode, Table } from "aws-cdk-lib/aws-dynamodb";
+import { ServicePrincipal } from "aws-cdk-lib/aws-iam";
+import { Key } from "aws-cdk-lib/aws-kms";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
+import path from "path";
+
+export function addCustomSenderLambda({
+  name,
+  stack,
+  graphQL,
+  cfnUserPool,
+}: {
+  name: string;
+  stack: Stack;
+  graphQL: GraphqlApi;
+  cfnUserPool: CfnUserPool;
+}): NodejsFunction {
+  const customSenderKmsKey = new Key(stack, `${name}-CustomSenderKey`, {
+    description: `Key for encrypting/decrypting SMS messages sent from ${stack.stackId}`,
+    removalPolicy: RemovalPolicy.DESTROY,
+  });
+
+  const customEmailSender = new NodejsFunction(
+    stack,
+    `${name}-customEmailSender`,
+    {
+      entry: path.resolve(
+        __dirname,
+        "..",
+        "lambda-triggers",
+        "custom-email-sender.js"
+      ),
+      runtime: Runtime.NODEJS_18_X,
+      bundling: {
+        nodeModules: ["@aws-crypto/client-node"],
+      },
+      environment: {
+        GRAPHQL_API_ENDPOINT: graphQL.graphqlUrl,
+        GRAPHQL_API_KEY: graphQL.apiKey!,
+        KMS_KEY_ARN: customSenderKmsKey.keyArn,
+      },
+    }
+  );
+
+  customEmailSender.addPermission("PermitCognitoInvoke", {
+    principal: new ServicePrincipal("cognito-idp.amazonaws.com"),
+    sourceArn: cfnUserPool.attrArn,
+  });
+
+  const customSmsSender = new NodejsFunction(stack, `${name}-customSmsSender`, {
+    entry: path.resolve(
+      __dirname,
+      "..",
+      "lambda-triggers",
+      "custom-sms-sender.js"
+    ),
+    runtime: Runtime.NODEJS_18_X,
+    bundling: {
+      nodeModules: ["@aws-crypto/client-node"],
+    },
+    environment: {
+      GRAPHQL_API_ENDPOINT: graphQL.graphqlUrl,
+      GRAPHQL_API_KEY: graphQL.apiKey!,
+      KMS_KEY_ARN: customSenderKmsKey.keyArn,
+    },
+  });
+
+  customSmsSender.addPermission("PermitCognitoInvoke", {
+    principal: new ServicePrincipal("cognito-idp.amazonaws.com"),
+    sourceArn: cfnUserPool.attrArn,
+  });
+
+  cfnUserPool.lambdaConfig = {
+    customEmailSender: {
+      lambdaArn: customEmailSender.functionArn,
+      lambdaVersion: "V1_0",
+    },
+    customSmsSender: {
+      lambdaArn: customSmsSender.functionArn,
+      lambdaVersion: "V1_0",
+    },
+    kmsKeyId: customSenderKmsKey.keyArn,
+  };
+
+  graphQL.grantMutation(customEmailSender);
+  customSenderKmsKey.grantDecrypt(customEmailSender);
+
+  graphQL.grantMutation(customSmsSender);
+  customSenderKmsKey.grantDecrypt(customSmsSender);
+
+  const mfaCodesTable = new Table(stack, `${name}-MFACodesTable`, {
+    removalPolicy: RemovalPolicy.DESTROY,
+    billingMode: BillingMode.PAY_PER_REQUEST,
+    partitionKey: {
+      type: AttributeType.STRING,
+      name: "username",
+    },
+    sortKey: {
+      type: AttributeType.STRING,
+      name: "code",
+    },
+  });
+
+  const mfaCodesSource = graphQL.addDynamoDbDataSource(
+    "GraphQLApiMFACodes",
+    mfaCodesTable
+  );
+
+  // Mutation.createMFACode
+  mfaCodesSource.createResolver(`${name}-MutationCreateMFACodeResolver`, {
+    typeName: "Mutation",
+    fieldName: "createMFACode",
+    requestMappingTemplate: MappingTemplate.dynamoDbPutItem(
+      new PrimaryKey(
+        new Assign("username", "$input.username"),
+        new Assign("code", "$input.code")
+      ),
+      Values.projecting("input")
+    ),
+    responseMappingTemplate: MappingTemplate.dynamoDbResultItem(),
+  });
+
+  // Query.listMFACodes
+  mfaCodesSource.createResolver(`${name}-QueryListMFACodesResolver`, {
+    typeName: "Query",
+    fieldName: "listMFACodes",
+    requestMappingTemplate: MappingTemplate.dynamoDbScanTable(),
+    responseMappingTemplate: MappingTemplate.dynamoDbResultItem(),
+  });
+
+  return customEmailSender;
+}