import type { UnionToIntersection, DefineFunction } from '@aws-amplify/data-schema-types'; declare const __data: unique symbol; /** * All possible providers. * * This list should not be used if you need to restrict available providers * according to an auth strategcy. E.g., `public` auth can only be facilitated * by `apiKey` and `identityPool` providers. */ export declare const Providers: readonly ["apiKey", "identityPool", "userPools", "oidc", "function"]; export type Provider = (typeof Providers)[number]; /** * The subset of auth providers that can facilitate `public` auth. */ export declare const PublicProviders: readonly ["apiKey", "identityPool"]; export type PublicProvider = (typeof PublicProviders)[number]; /** * The subset of auth providers that can facilitate `private` auth. */ export declare const PrivateProviders: readonly ["userPools", "oidc", "identityPool"]; export type PrivateProvider = (typeof PrivateProviders)[number]; /** * The subset of auth providers that can facilitate `owner` auth. */ export declare const OwnerProviders: readonly ["userPools", "oidc"]; export type OwnerProviders = (typeof OwnerProviders)[number]; /** * The subset of auth providers that can facilitate `group` auth. */ export declare const GroupProviders: readonly ["userPools", "oidc"]; export type GroupProvider = (typeof GroupProviders)[number]; /** * The subset of auth providers that can facilitate `custom` auth. */ export declare const CustomProviders: readonly ["function"]; export type CustomProvider = (typeof CustomProviders)[number]; export declare const Strategies: readonly ["public", "private", "owner", "groups", "custom"]; export type Strategy = (typeof Strategies)[number]; /** * The operations that can be performed against an API. */ export declare const Operations: readonly ["create", "update", "delete", "read", "get", "list", "sync", "listen", "search"]; export type Operation = (typeof Operations)[number]; /** * The operations that can be performed against an API by a Lambda function. */ export declare const ResourceOperations: readonly ["query", "mutate", "listen"]; export type ResourceOperation = (typeof ResourceOperations)[number]; /** * Super-set of regular auth type; includes schema-level resource access configuration */ export type SchemaAuthorization = Authorization | ResourceAuthorization; /** * Container for representing the authorization of function resources */ export type ResourceAuthorization = { [__data]: ResourceAuthorizationData; }; export type ResourceAuthorizationData = { strategy: 'resource'; resource: DefineFunction; operations?: ResourceOperation[]; }; /** * Container for authorization schema definition content. * * @param AuthStrategy The auth strategy to use. * @param AuthField The field to use for owner authorization. * @param AuthFieldPlurality Whether the field is plural or singular. */ export type Authorization = { [__data]: { strategy?: AuthStrategy; provider?: Provider; operations?: Operation[]; groupOrOwnerField?: AuthField; groups?: string[]; multiOwner: AuthFieldPlurality; identityClaim?: string; groupClaim?: string; }; }; export type OwnerField = object; declare function to>(this: SELF, operations: Operation[]): Omit; /** * Specifies a property of the identity JWT to use in place of `sub::username` * as the value to match against the owner field for authorization. * * @param this Authorization object to operate against. * @param property A property of identity JWT. * @returns A copy of the Authorization object with the claim attached. */ declare function identityClaim>(this: SELF, property: string): Omit; declare function withClaimIn>(this: SELF, property: string): Omit; /** * Defines an authorization rule for your data models and fields. First choose an authorization strategy (`public`, * `private`, `owner`, `group`, or `custom`), then choose an auth provider (`apiKey`, `identitypool`, `userPools`, `oidc`, or `function`) * and optionally use `.to(...)` to specify the operations that can be performed against your data models and fields. */ export declare const allow: { /** * Authorize unauthenticated users by using API key based authorization. * @returns an authorization rule for unauthenticated users */ readonly publicApiKey: () => Authorization<"public", undefined, false> & { to: typeof to; }; /** * Authorize unauthenticated users by using IDENTITYPOOL based authorization. * @returns an authorization rule for unauthenticated users */ readonly guest: () => Authorization<"public", undefined, false> & { to: typeof to; }; /** * Authorize authenticated users. By default, `.authenticated()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.authenticated("identityPool")` or `.authenticated("oidc")` to use identityPool or OIDC based authorization for authenticated users. * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc" * @returns an authorization rule for authenticated users */ readonly authenticated: (provider?: PrivateProvider) => Authorization<"private", undefined, false> & { to: typeof to; }; /** * Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new `owner: a.string()` * field will be added to the model to store which user "owns" the item. Upon item creation, the "owner field" is * auto-populated with the authenticated user's information. If you want to specify which field should be used as * the owner field, you can use the `ownerDefinedIn` builder function instead. * * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.owner("oidc")` to use OIDC based authentication to designate the owner. * * To change the specific claim that should be used as the user identifier within the owner field, chain the * `.identityClaim(...)` method. * * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc" * @returns an authorization rule for authenticated users */ readonly owner: (provider?: OwnerProviders) => Authorization<"owner", "owner", false> & { to: typeof to; identityClaim: typeof identityClaim; }; /** * Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field. * * By default, `.owner()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.ownerDefinedIn("owner", "oidc")` to use OIDC based authentication to designate the owner. * * To change the specific claim that should be used as the user identifier within the owner field, chain the * `.identityClaim(...)` method. * * @param ownerField the field that contains the owner information * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc" * @returns an authorization rule for authenticated users */ readonly ownerDefinedIn: (ownerField: T, provider?: OwnerProviders) => Authorization<"owner", T, false> & { to: typeof to; identityClaim: typeof identityClaim; }; /** * Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new `owners: a.string().array()` * field will be added to the model to store which users "own" the item. Upon item creation, the "owners field" is * auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the `owners` array. * * You can specify which field should be used as the owners field by passing the `ownersField` parameter. * * By default, `.ownersDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.ownersDefinedIn("owners", "oidc")` to use OIDC based authentication to designate the owner. * * To change the specific claim that should be used as the user identifier within the owners field, chain the * `.identityClaim(...)` method. * * @param ownersField the field that contains the owners information * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc" * @returns an authorization rule for authenticated users */ readonly ownersDefinedIn: (ownersField: T, provider?: OwnerProviders) => Authorization<"owner", T, true> & { to: typeof to; identityClaim: typeof identityClaim; }; /** * Authorize a specific user group. Provide the name of the specific user group to have access. * * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.group("group-name", "oidc")` to use OIDC based authentication to designate the user group. * * To change the specific claim that should be used as the user group identifier, chain the * `.withClaimIn(...)` method. * @param group the name of the group to authorize * @param provider the authentication provider - supports "userPools" or "oidc" * @returns an authorization rule to grant access by a specific group */ readonly group: (group: string, provider?: GroupProvider) => Authorization<"groups", undefined, false> & { to: typeof to; withClaimIn: typeof withClaimIn; }; /** * Authorize multiple specific user groups. Provide the names of the specific user groups to have access. * * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.groups(["group-a", "group-b"], "oidc")` to use OIDC based authentication to designate the user group. * * To change the specific claim that should be used as the user group identifier, chain the * `.withClaimIn(...)` method. * @param groups the names of the group to authorize defined as an array * @param provider the authentication provider - supports "userPools" or "oidc" * @returns an authorization rule to grant access by a specific group */ readonly groups: (groups: string[], provider?: GroupProvider) => Authorization<"groups", undefined, false> & { to: typeof to; withClaimIn: typeof withClaimIn; }; /** * Authorize if a user is part of a group defined in a data model field. * * By default, `.groupDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.groupDefinedIn("field-name", "oidc")` to use OIDC based authentication to designate the user group. * * To change the specific claim that should be used as the user group identifier within the groups field, chain the * `.withClaimIn(...)` method. * @param groupsField the field that should store the authorized user group information * @param provider the authentication provider - supports "userPools" or "oidc" * @returns an authorization rule to grant access by a specific group */ readonly groupDefinedIn: (groupsField: T, provider?: GroupProvider) => Authorization<"groups", T, false> & { to: typeof to; withClaimIn: typeof withClaimIn; }; /** * Authorize if a user is part of a one of the groups defined in a data model field. * * By default, `.groupsDefinedIn()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.groupsDefinedIn("field-name", "oidc")` to use OIDC based authentication to designate the user group. * * To change the specific claim that should be used as the user group identifier within the groups field, chain the * `.withClaimIn(...)` method. * @param groupsField the field that should store the list of authorized user groups * @param provider the authentication provider - supports "userPools" or "oidc" * @returns an authorization rule to grant access by a specific group */ readonly groupsDefinedIn: (groupsField: T, provider?: GroupProvider) => Authorization<"groups", T, true> & { to: typeof to; withClaimIn: typeof withClaimIn; }; readonly custom: (provider?: CustomProvider) => Authorization<"custom", undefined, false> & { to: typeof to; }; readonly resource: (fn: DefineFunction) => ResourceAuthorization & { to: typeof resourceTo; }; }; /** * This is a copy of the {@link allow} defined above, with modifications for custom operations. * * Removed builder methods: * * * `owner` * * `ownerDefinedIn` * * `ownersDefinedIn` * * `groupDefinedIn` * * `groupsDefinedIn` * * `resource` * * `.to()` builder method from each available rule builder */ export declare const allowForCustomOperations: { /** * Authorize unauthenticated users by using API key based authorization. * @returns an authorization rule for unauthenticated users */ readonly publicApiKey: () => Authorization<"public", undefined, false>; /** * Authorize unauthenticated users by using identityPool based authorization. * @returns an authorization rule for unauthenticated users */ readonly guest: () => Authorization<"public", undefined, false>; /** * Authorize authenticated users. By default, `.private()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.authenticated("identityPool")` or `.authenticated("oidc")` to use Identity Pool or OIDC based authorization for authenticated users. * @param provider the authentication provider - supports "userPools", "identityPool", or "oidc" * @returns an authorization rule for authenticated users */ readonly authenticated: (provider?: PrivateProvider) => Authorization<"private", undefined, false>; /** * Authorize a specific user group. Provide the name of the specific user group to have access. * * By default, `.group()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.group("group-name", "oidc")` to use OIDC based authentication to designate the user group. * * @param group the name of the group to authorize * @param provider the authentication provider - supports "userPools" or "oidc" * @returns an authorization rule to grant access by a specific group */ readonly group: (group: string, provider?: GroupProvider) => Authorization<"groups", undefined, false>; /** * Authorize multiple specific user groups. Provide the names of the specific user groups to have access. * * By default, `.groups()` uses an Amazon Cognito user pool based authorization. You can additionally * use `.groups(["group-a", "group-b"], "oidc")` to use OIDC based authentication to designate the user group. * * @param groups the names of the group to authorize defined as an array * @param provider the authentication provider - supports "userPools" or "oidc" * @returns an authorization rule to grant access by a specific group */ readonly groups: (groups: string[], provider?: GroupProvider) => Authorization<"groups", undefined, false>; readonly custom: (provider?: CustomProvider) => Authorization<"custom", undefined, false>; }; export declare const allowForConversations: { readonly owner: () => Authorization<"owner", undefined, false> & { to: typeof to; identityClaim: typeof identityClaim; }; }; declare function resourceTo(this: SELF, operations: ResourceOperation[]): Omit; /** * Turns the type from a list of `Authorization` rules like this: * * ```typescript * [ * allow.public(), * allow.ownerDefinedIn('otherfield'), * allow.ownersDefinedIn('editors') * ] * ``` * * Into a union of the possible `fieldname: type` auth objects like this: * * ```typescript * { * owner?: string | undefined; * } | { * otherfield?: string | undefined; * } | { * editors?: string[] | undefined; * } * ``` */ export type ImpliedAuthField> = T extends Authorization ? Field extends undefined ? never : Field extends string ? isMulti extends true ? { [K in Field]?: string[] | null | undefined; } : { [K in Field]?: string | null | undefined; } : never : never; /** * Turns the type from a list of `Authorization` rules like this: * * ```typescript * [ * allow.public(), * allow.ownerDefinedIn('otherfield'), * allow.ownersDefinedIn('editors') * ] * ``` * * Into an object type that includes all auth fields like this: * * ```typescript * { * owner?: string | undefined; * otherfield?: string | undefined; * editors?: string[] | undefined; * } * ``` */ export type ImpliedAuthFields> = ImpliedAuthField extends never ? never : UnionToIntersection>; export declare const accessData: >(authorization: T) => { strategy?: any; provider?: Provider; operations?: Operation[]; groupOrOwnerField?: any; groups?: string[]; multiOwner: any; identityClaim?: string; groupClaim?: string; }; export declare const accessSchemaData: >(authorization: T) => T[typeof __data]; export type AllowModifier = typeof allow; export type AllowModifierForCustomOperation = typeof allowForCustomOperations; export type AllowModifierForConversations = typeof allowForConversations; export type BaseAllowModifier = Omit; export type AnyAuthorization = Authorization; export {};