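import * as cloudfront from "aws-cdk-lib/aws-cloudfront";
import {
  AddBehaviorOptions,
  BehaviorOptions,
  IOrigin,
} from "aws-cdk-lib/aws-cloudfront";
import * as cognito from "aws-cdk-lib/aws-cognito";
import { ClientUpdate } from "./client-update";
import { AuthLambdas } from "./lambdas";
import { Construct } from "constructs";

/**
 * Properties for {@link CloudFrontAuth}.
 */
export interface CloudFrontAuthProps {
  /**
   * Cognito Client that will be used to authenticate the user.
   *
   * If a custom client is provided, the updateClient method cannot
   * be used since we cannot know which parameters were set. The caller
   * then owns the client's callback/sign-out URLs and OAuth settings
   * and must keep them consistent with the paths configured here.
   *
   * @default - a new client will be generated
   */
  client?: cognito.UserPoolClient;
  /**
   * Cognito user pool the authenticated users (and the groups named in
   * requireGroupAnyOf) belong to.
   */
  userPool: cognito.IUserPool;
  /**
   * The domain that is used for Cognito Auth.
   *
   * If not using custom domains this will be a name under amazoncognito.com.
   *
   * @example `${domain.domainName}.auth.${region}.amazoncognito.com`
   */
  cognitoAuthDomain: string;
  /**
   * The previously deployed authentication lambda functions that are
   * attached to the CloudFront behaviors created by this construct.
   */
  authLambdas: AuthLambdas;
  /**
   * Path of the sign-in callback page.
   *
   * @default /auth/callback
   */
  callbackPath?: string;
  /**
   * Path the user is sent to after signing out.
   *
   * @default /
   */
  signOutRedirectTo?: string;
  /**
   * Path of the sign-out page.
   *
   * @default /auth/sign-out
   */
  signOutPath?: string;
  /**
   * Path of the token-refresh page.
   *
   * @default /auth/refresh
   */
  refreshAuthPath?: string;
  /**
   * Log level.
   *
   * A log level of debug will log secrets and should only be used in
   * a development environment; anyone with read access to the function
   * logs would see them.
   *
   * @default warn
   */
  logLevel?: "none" | "error" | "warn" | "info" | "debug";
  /**
   * Require the user to be part of a specific Cognito group to
   * access any resource. Access is granted when the user is in at
   * least one of the listed groups.
   *
   * NOTE(review): presumably no group check is applied when omitted,
   * i.e. any authenticated user of the pool is allowed — confirm in
   * the check-auth function.
   */
  requireGroupAnyOf?: string[];
}

/**
 * Properties for {@link CloudFrontAuth.updateClient}.
 */
export interface UpdateClientProps {
  /** Absolute sign-out URL to register on the Cognito client. */
  signOutUrl: string;
  /** Absolute callback (redirect) URL to register on the Cognito client. */
  callbackUrl: string;
  /**
   * List of identity providers used for the client.
   *
   * @default - COGNITO and identity providers registered in the UserPool construct
   */
  identityProviders?: string[];
}

/**
 * Configure previously deployed lambda functions, Cognito client
 * and CloudFront distribution.
 */
export declare class CloudFrontAuth extends Construct {
  /** Effective callback path (props.callbackPath or its default). */
  readonly callbackPath: string;
  /** Effective post-sign-out redirect path (props.signOutRedirectTo or its default). */
  readonly signOutRedirectTo: string;
  /** Effective sign-out path (props.signOutPath or its default). */
  readonly signOutPath: string;
  /** Effective refresh path (props.refreshAuthPath or its default). */
  readonly refreshAuthPath: string;
  private readonly userPool;
  // Whether the client was generated here rather than supplied via props.
  // NOTE(review): presumably this is what allows/blocks updateClient — confirm.
  private readonly clientCreated;
  /** The Cognito client in use: the one from props, or the generated one. */
  readonly client: cognito.UserPoolClient;
  // Edge function handles taken from props.authLambdas; names mirror the
  // auth pages and filters exposed below.
  private readonly checkAuthFn;
  private readonly httpHeadersFn;
  private readonly parseAuthFn;
  private readonly refreshAuthFn;
  private readonly signOutFn;
  private readonly oauthScopes;
  /**
   * @param scope - parent construct
   * @param id - construct id
   * @param props - see {@link CloudFrontAuthProps}
   */
  constructor(scope: Construct, id: string, props: CloudFrontAuthProps);
  private createPathLambda;
  /**
   * Create behaviors for authentication pages:
   *
   * - callback page
   * - refresh page
   * - sign out page
   *
   * This is to be used with CloudFrontWebDistribution. See
   * createAuthPagesBehaviors if using Distribution.
   */
  get authPages(): cloudfront.Behavior[];
  /**
   * Create behaviors for authentication pages.
   *
   * - callback page
   * - refresh page
   * - sign out page
   *
   * This is to be used with Distribution.
   *
   * @param origin - origin the page behaviors are attached to
   * @param options - extra behavior options applied to each page
   * @returns behavior options keyed by path pattern
   */
  // NOTE(review): the type arguments of Record were lost in extraction
  // (bare `Record` does not compile); `Record<string, BehaviorOptions>`
  // is reconstructed from the sibling createProtectedBehavior — confirm
  // against the source.
  createAuthPagesBehaviors(
    origin: IOrigin,
    options?: AddBehaviorOptions,
  ): Record<string, BehaviorOptions>;
  /**
   * Create lambda function association for viewer request to check
   * authentication and original response to add headers.
   *
   * This is to be used with CloudFrontWebDistribution. See
   * createProtectedBehavior if using Distribution.
   */
  get authFilters(): cloudfront.LambdaFunctionAssociation[];
  /**
   * Create behavior that includes authorization check.
   *
   * This is to be used with Distribution.
   *
   * @param origin - origin the protected behavior is attached to
   * @param options - extra behavior options merged into the result
   * @returns behavior options carrying the authentication associations
   */
  createProtectedBehavior(
    origin: IOrigin,
    options?: AddBehaviorOptions,
  ): BehaviorOptions;
  /**
   * Update Cognito client to use the proper URLs and OAuth scopes.
   *
   * Not usable when a custom client was passed in props (see
   * CloudFrontAuthProps.client).
   *
   * TODO: In case the client configuration changes and is updated
   * by CloudFormation, this will not be reapplied causing the client
   * to not be correctly configured.
   * How can we avoid this scenario?
   *
   * @param id - construct id for the update resource
   * @param props - URLs and identity providers to apply
   * @returns the resulting ClientUpdate
   */
  updateClient(id: string, props: UpdateClientProps): ClientUpdate;
}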