daniel/agent-claw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

agent-claw: automated task changes

Browse Source
This commit is contained in:
daniel
2026-05-06 18:55:16 -05:00
parent 38905bb1e9
commit 732b00fb66
8494 changed files with 2018127 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

953
cdk/node_modules/aws-cdk-lib/aws-cognito/lib/user-pool.d.ts generated vendored Normal file
View File

@@ -0,0 +1,953 @@
import type { Construct } from 'constructs';
import type { ICustomAttribute, StandardAttributes } from './user-pool-attr';
import type { UserPoolClientOptions } from './user-pool-client';
import { UserPoolClient } from './user-pool-client';
import type { UserPoolDomainOptions } from './user-pool-domain';
import { UserPoolDomain } from './user-pool-domain';
import type { UserPoolEmail } from './user-pool-email';
import type { UserPoolGroupOptions } from './user-pool-group';
import { UserPoolGroup } from './user-pool-group';
import type { IUserPoolIdentityProvider } from './user-pool-idp';
import type { UserPoolResourceServerOptions } from './user-pool-resource-server';
import { UserPoolResourceServer } from './user-pool-resource-server';
import type { IGrantable, IRoleRef } from '../../aws-iam';
import { Grant } from '../../aws-iam';
import type { IKeyRef } from '../../aws-kms';
import type * as lambda from '../../aws-lambda';
import type { IResource, RemovalPolicy } from '../../core';
import { Duration, Resource } from '../../core';
import type { IUserPoolIdentityProviderRef, IUserPoolRef, UserPoolReference } from '../../interfaces/generated/aws-cognito-interfaces.generated';
/**
* The different ways in which users of this pool can sign up or sign in.
*/
export interface SignInAliases {
/**
* Whether user is allowed to sign up or sign in with a username
* @default true
*/
readonly username?: boolean;
/**
* Whether a user is allowed to sign up or sign in with an email address
* @default false
*/
readonly email?: boolean;
/**
* Whether a user is allowed to sign up or sign in with a phone number
* @default false
*/
readonly phone?: boolean;
/**
* Whether a user is allowed to sign in with a secondary username, that can be set and modified after sign up.
* Can only be used in conjunction with `USERNAME`.
* @default false
*/
readonly preferredUsername?: boolean;
}
/**
* Attributes that can be automatically verified for users in a user pool.
*/
export interface AutoVerifiedAttrs {
/**
* Whether the email address of the user should be auto verified at sign up.
*
* Note: If both `email` and `phone` is set, Cognito only verifies the phone number. To also verify email, see here -
* https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html
*
* @default - true, if email is turned on for `signIn`. false, otherwise.
*/
readonly email?: boolean;
/**
* Whether the phone number of the user should be auto verified at sign up.
* @default - true, if phone is turned on for `signIn`. false, otherwise.
*/
readonly phone?: boolean;
}
/**
* Attributes that will be kept until the user verifies the changed attribute.
*/
export interface KeepOriginalAttrs {
/**
* Whether the email address of the user should remain the original value until the new email address is verified.
*
* @default - false
*/
readonly email?: boolean;
/**
* Whether the phone number of the user should remain the original value until the new phone number is verified.
*
* @default - false
*/
readonly phone?: boolean;
}
/**
* Triggers for a user pool
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
*/
export interface UserPoolTriggers {
/**
* Creates an authentication challenge.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.html
* @default - no trigger configured
*/
readonly createAuthChallenge?: lambda.IFunction;
/**
* A custom Message AWS Lambda trigger.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html
* @default - no trigger configured
*/
readonly customMessage?: lambda.IFunction;
/**
* Defines the authentication challenge.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.html
* @default - no trigger configured
*/
readonly defineAuthChallenge?: lambda.IFunction;
/**
* A post-authentication AWS Lambda trigger.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html
* @default - no trigger configured
*/
readonly postAuthentication?: lambda.IFunction;
/**
* A post-confirmation AWS Lambda trigger.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html
* @default - no trigger configured
*/
readonly postConfirmation?: lambda.IFunction;
/**
* A pre-authentication AWS Lambda trigger.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html
* @default - no trigger configured
*/
readonly preAuthentication?: lambda.IFunction;
/**
* A pre-registration AWS Lambda trigger.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
* @default - no trigger configured
*/
readonly preSignUp?: lambda.IFunction;
/**
* A pre-token-generation AWS Lambda trigger.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
* @default - no trigger configured
*/
readonly preTokenGeneration?: lambda.IFunction;
/**
* A user-migration AWS Lambda trigger.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html
* @default - no trigger configured
*/
readonly userMigration?: lambda.IFunction;
/**
* Verifies the authentication challenge response.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-verify-auth-challenge-response.html
* @default - no trigger configured
*/
readonly verifyAuthChallengeResponse?: lambda.IFunction;
/**
* Amazon Cognito invokes this trigger to send email notifications to users.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
* @default - no trigger configured
*/
readonly customEmailSender?: lambda.IFunction;
/**
* Amazon Cognito invokes this trigger to send SMS notifications to users.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html
* @default - no trigger configured
*/
readonly customSmsSender?: lambda.IFunction;
/**
* Index signature.
*
* This index signature is not usable in non-TypeScript/JavaScript languages.
*
* @jsii ignore
*/
[trigger: string]: lambda.IFunction | undefined;
}
/**
* User pool operations to which lambda triggers can be attached.
*/
export declare class UserPoolOperation {
/**
* Creates a challenge in a custom auth flow
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-create-auth-challenge.html
*/
static readonly CREATE_AUTH_CHALLENGE: UserPoolOperation;
/**
* Advanced customization and localization of messages
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html
*/
static readonly CUSTOM_MESSAGE: UserPoolOperation;
/**
* Determines the next challenge in a custom auth flow
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.html
*/
static readonly DEFINE_AUTH_CHALLENGE: UserPoolOperation;
/**
* Event logging for custom analytics
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html
*/
static readonly POST_AUTHENTICATION: UserPoolOperation;
/**
* Custom welcome messages or event logging for custom analytics
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html
*/
static readonly POST_CONFIRMATION: UserPoolOperation;
/**
* Custom validation to accept or deny the sign-in request
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html
*/
static readonly PRE_AUTHENTICATION: UserPoolOperation;
/**
* Custom validation to accept or deny the sign-up request
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
*/
static readonly PRE_SIGN_UP: UserPoolOperation;
/**
* Add or remove attributes in Id tokens
*
* Set this parameter for legacy purposes.
* If you also set an ARN in PreTokenGenerationConfig, its value must be identical to PreTokenGeneration.
* For new instances of pre token generation triggers, set the LambdaArn of PreTokenGenerationConfig.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
*/
static readonly PRE_TOKEN_GENERATION: UserPoolOperation;
/**
* Add or remove attributes in Id tokens and Access tokens
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
*/
static readonly PRE_TOKEN_GENERATION_CONFIG: UserPoolOperation;
/**
* Migrate a user from an existing user directory to user pools
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html
*/
static readonly USER_MIGRATION: UserPoolOperation;
/**
* Determines if a response is correct in a custom auth flow
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-verify-auth-challenge-response.html
*/
static readonly VERIFY_AUTH_CHALLENGE_RESPONSE: UserPoolOperation;
/**
* Amazon Cognito invokes this trigger to send email notifications to users.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
*/
static readonly CUSTOM_EMAIL_SENDER: UserPoolOperation;
/**
* Amazon Cognito invokes this trigger to send email notifications to users.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html
*/
static readonly CUSTOM_SMS_SENDER: UserPoolOperation;
/** A custom user pool operation */
static of(name: string): UserPoolOperation;
/** The key to use in `CfnUserPool.LambdaConfigProperty` */
readonly operationName: string;
private constructor();
}
/**
* The email verification style
*/
export declare enum VerificationEmailStyle {
/** Verify email via code */
CODE = "CONFIRM_WITH_CODE",
/** Verify email via link */
LINK = "CONFIRM_WITH_LINK"
}
/**
* The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
*/
export declare enum LambdaVersion {
/**
* V1_0 trigger
*/
V1_0 = "V1_0",
/**
* V2_0 trigger
*
* This is supported only for PRE_TOKEN_GENERATION trigger.
*/
V2_0 = "V2_0",
/**
* V3_0 trigger
*
* This is supported only for PRE_TOKEN_GENERATION trigger.
*/
V3_0 = "V3_0"
}
/**
* User pool configuration for user self sign up.
*/
export interface UserVerificationConfig {
/**
* The email subject template for the verification email sent to the user upon sign up.
* See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
* learn more about message templates.
* @default 'Verify your new account'
*/
readonly emailSubject?: string;
/**
* The email body template for the verification email sent to the user upon sign up.
* See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
* learn more about message templates.
*
* @default - 'The verification code to your new account is {####}' if VerificationEmailStyle.CODE is chosen,
* 'Verify your account by clicking on {##Verify Email##}' if VerificationEmailStyle.LINK is chosen.
*/
readonly emailBody?: string;
/**
* Emails can be verified either using a code or a link.
* Learn more at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-email-verification-message-customization.html
* @default VerificationEmailStyle.CODE
*/
readonly emailStyle?: VerificationEmailStyle;
/**
* The message template for the verification SMS sent to the user upon sign up.
* See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-templates.html to
* learn more about message templates.
*
* @default - 'The verification code to your new account is {####}' if VerificationEmailStyle.CODE is chosen,
* not configured if VerificationEmailStyle.LINK is chosen
*/
readonly smsMessage?: string;
}
/**
* User pool configuration when administrators sign users up.
*/
export interface UserInvitationConfig {
/**
* The template to the email subject that is sent to the user when an administrator signs them up to the user pool.
* @default 'Your temporary password'
*/
readonly emailSubject?: string;
/**
* The template to the email body that is sent to the user when an administrator signs them up to the user pool.
* @default 'Your username is {username} and temporary password is {####}.'
*/
readonly emailBody?: string;
/**
* The template to the SMS message that is sent to the user when an administrator signs them up to the user pool.
* @default 'Your username is {username} and temporary password is {####}'
*/
readonly smsMessage?: string;
}
/**
* The different ways in which a user pool's MFA enforcement can be configured.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
*/
export declare enum Mfa {
/** Users are not required to use MFA for sign in, and cannot configure one. */
OFF = "OFF",
/** Users are not required to use MFA for sign in, but can configure one if they so choose to. */
OPTIONAL = "OPTIONAL",
/** Users are required to configure an MFA, and have to use it to sign in. */
REQUIRED = "ON"
}
/**
* The different ways in which a user pool can obtain their MFA token for sign in.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
*/
export interface MfaSecondFactor {
/**
* The MFA token is sent to the user via SMS to their verified phone numbers
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html
* @default true
*/
readonly sms: boolean;
/**
* The MFA token is a time-based one time password that is generated by a hardware or software token
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html
* @default false
*/
readonly otp: boolean;
/**
* The MFA token is sent to the user via EMAIL
*
* To enable email-based MFA, set `email` property to the Amazon SES email-sending configuration
* and set `feturePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`
*
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-sms-email-message.html
* @default false
*/
readonly email?: boolean;
}
/**
* Password policy for User Pools.
*/
export interface PasswordPolicy {
/**
* The length of time the temporary password generated by an admin is valid.
* This must be provided as whole days, like Duration.days(3) or Duration.hours(48).
* Fractional days, such as Duration.hours(20), will generate an error.
* @default Duration.days(7)
*/
readonly tempPasswordValidity?: Duration;
/**
* Minimum length required for a user's password.
* @default 8
*/
readonly minLength?: number;
/**
* Whether the user is required to have lowercase characters in their password.
* @default true
*/
readonly requireLowercase?: boolean;
/**
* Whether the user is required to have uppercase characters in their password.
* @default true
*/
readonly requireUppercase?: boolean;
/**
* Whether the user is required to have digits in their password.
* @default true
*/
readonly requireDigits?: boolean;
/**
* Whether the user is required to have symbols in their password.
* @default true
*/
readonly requireSymbols?: boolean;
/**
* The number of previous passwords that you want Amazon Cognito to restrict each user from reusing.
*
* `passwordHistorySize` can not be set when `featurePlan` is `FeaturePlan.LITE`.
*
* @default undefined - Cognito default setting is no restriction
*/
readonly passwordHistorySize?: number;
}
/**
* Sign-in policy for User Pools.
*/
export interface SignInPolicy {
/**
* The types of authentication that you want to allow for users' first authentication prompt.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice
*
* @default - Password only
*/
readonly allowedFirstAuthFactors?: AllowedFirstAuthFactors;
}
/**
* The types of authentication that you want to allow for users' first authentication prompt
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice
*/
export interface AllowedFirstAuthFactors {
/**
* Whether the password authentication is allowed.
* This must be true.
*/
readonly password: boolean;
/**
* Whether the email message one-time password is allowed.
* @default false
*/
readonly emailOtp?: boolean;
/**
* Whether the SMS message one-time password is allowed.
* @default false
*/
readonly smsOtp?: boolean;
/**
* Whether the Passkey (WebAuthn) is allowed.
* @default false
*/
readonly passkey?: boolean;
}
/**
* The user-pool treatment for MFA with a passkey
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey
*/
export declare enum PasskeyUserVerification {
/** Passkey MFA is preferred */
PREFERRED = "preferred",
/** Passkey MFA is required */
REQUIRED = "required"
}
/**
* Email settings for the user pool.
*/
export interface EmailSettings {
/**
* The 'from' address on the emails received by the user.
* @default noreply@verificationemail.com
*/
readonly from?: string;
/**
* The 'replyTo' address on the emails received by the user as defined by IETF RFC-5322.
* When set, most email clients recognize to change 'to' line to this address when a reply is drafted.
* @default - Not set.
*/
readonly replyTo?: string;
}
/**
* How will a user be able to recover their account?
*
* When a user forgets their password, they can have a code sent to their verified email or verified phone to recover their account.
* You can choose the preferred way to send codes below.
* We recommend not allowing phone to be used for both password resets and multi-factor authentication (MFA).
*
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html
*/
export declare enum AccountRecovery {
/**
* Email if available, otherwise phone, but dont allow a user to reset their password via phone if they are also using it for MFA
*/
EMAIL_AND_PHONE_WITHOUT_MFA = 0,
/**
* Phone if available, otherwise email, but dont allow a user to reset their password via phone if they are also using it for MFA
*/
PHONE_WITHOUT_MFA_AND_EMAIL = 1,
/**
* Email only
*/
EMAIL_ONLY = 2,
/**
* Phone only, but dont allow a user to reset their password via phone if they are also using it for MFA
*/
PHONE_ONLY_WITHOUT_MFA = 3,
/**
* (Not Recommended) Phone if available, otherwise email, and do allow a user to reset their password via phone if they are also using it for MFA.
*/
PHONE_AND_EMAIL = 4,
/**
* None users will have to contact an administrator to reset their passwords
*/
NONE = 5
}
/**
* Device tracking settings
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
*/
export interface DeviceTracking {
/**
* Indicates whether a challenge is required on a new device. Only applicable to a new device.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
* @default false
*/
readonly challengeRequiredOnNewDevice: boolean;
/**
* If true, a device is only remembered on user prompt.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
* @default false
*/
readonly deviceOnlyRememberedOnUserPrompt: boolean;
}
/**
* The different ways in which a user pool's Advanced Security Mode can be configured.
* @deprecated Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Thread Protection level.
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
*/
export declare enum AdvancedSecurityMode {
/** Enable advanced security mode */
ENFORCED = "ENFORCED",
/** gather metrics on detected risks without taking action. Metrics are published to Amazon CloudWatch */
AUDIT = "AUDIT",
/** Advanced security mode is disabled */
OFF = "OFF"
}
/**
* The user pool feature plan, or tier.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
*/
export declare enum FeaturePlan {
/** Lite feature plan */
LITE = "LITE",
/** Essentials feature plan */
ESSENTIALS = "ESSENTIALS",
/** Plus feature plan */
PLUS = "PLUS"
}
/**
* The Type of Threat Protection Enabled for Standard Authentication
*
* This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
*
* Acceptable values are strings with values 'ENFORCED', 'AUDIT', or 'OFF'
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
*/
export declare enum StandardThreatProtectionMode {
/** Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool */
FULL_FUNCTION = "ENFORCED",
/** Cognito gathers metrics on detected risks, but doesn't take automatic action */
AUDIT_ONLY = "AUDIT",
/** Cognito doesn't gather metrics on detected risks or automatically take preventative actions */
NO_ENFORCEMENT = "OFF"
}
/**
* The Type of Threat Protection Enabled for Custom Authentication
*
* This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
*
* Acceptable values are strings with values 'ENFORCED', or 'AUDIT'. For 'OFF' behavior, don't define this value
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
*/
export declare enum CustomThreatProtectionMode {
/** Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool */
FULL_FUNCTION = "ENFORCED",
/** Cognito gathers metrics on detected risks, but doesn't take automatic action */
AUDIT_ONLY = "AUDIT"
}
/**
* Props for the UserPool construct
*/
export interface UserPoolProps {
/**
* Name of the user pool.
*
* @default - automatically generated name by CloudFormation at deploy time.
*/
readonly userPoolName?: string;
/**
* Whether self sign-up should be enabled.
* To configure self sign-up configuration use the `userVerification` property.
*
* @default - false
*/
readonly selfSignUpEnabled?: boolean;
/**
* Configuration around users signing themselves up to the user pool.
* Enable or disable self sign-up via the `selfSignUpEnabled` property.
*
* @default - see defaults in UserVerificationConfig.
*/
readonly userVerification?: UserVerificationConfig;
/**
* Configuration around admins signing up users into a user pool.
*
* @default - see defaults in UserInvitationConfig.
*/
readonly userInvitation?: UserInvitationConfig;
/**
* The IAM role that Cognito will assume while sending SMS messages.
*
* @default - a new IAM role is created.
*/
readonly smsRole?: IRoleRef;
/**
* The 'ExternalId' that Cognito service must be using when assuming the `smsRole`, if the role is restricted with an 'sts:ExternalId' conditional.
* Learn more about ExternalId here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
*
* This property will be ignored if `smsRole` is not specified.
*
* @default - No external id will be configured.
*/
readonly smsRoleExternalId?: string;
/**
* The region to integrate with SNS to send SMS messages.
*
* This property will do nothing if SMS configuration is not configured.
*
* @default - The same region as the user pool, with a few exceptions - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#user-pool-sms-settings-first-time
*/
readonly snsRegion?: string;
/**
* Setting this would explicitly enable or disable SMS role creation.
* When left unspecified, CDK will determine based on other properties if a role is needed or not.
*
* @default - CDK will determine based on other properties of the user pool if an SMS role should be created or not.
*/
readonly enableSmsRole?: boolean;
/**
* Methods in which a user registers or signs in to a user pool.
* Allows either username with aliases OR sign in with email, phone, or both.
*
* Read the sections on usernames and aliases to learn more -
* https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
*
* To match with 'Option 1' in the above link, with a verified email, this property should be set to
* `{ username: true, email: true }`. To match with 'Option 2' in the above link with both a verified email and phone
* number, this property should be set to `{ email: true, phone: true }`.
*
* @default { username: true }
*/
readonly signInAliases?: SignInAliases;
/**
* Attributes which Cognito will look to verify automatically upon user sign up.
* EMAIL and PHONE are the only available options.
*
* @default - If `signInAlias` includes email and/or phone, they will be included in `autoVerifiedAttributes` by default.
* If absent, no attributes will be auto-verified.
*/
readonly autoVerify?: AutoVerifiedAttrs;
/**
* Attributes which Cognito will look to handle changes to the value of your users' email address and phone number attributes.
* EMAIL and PHONE are the only available options.
*
* @default - Nothing is kept.
*/
readonly keepOriginal?: KeepOriginalAttrs;
/**
* The set of attributes that are required for every user in the user pool.
* Read more on attributes here - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
*
* @default - All standard attributes are optional and mutable.
*/
readonly standardAttributes?: StandardAttributes;
/**
* Define a set of custom attributes that can be configured for each user in the user pool.
*
* @default - No custom attributes.
*/
readonly customAttributes?: {
[key: string]: ICustomAttribute;
};
/**
* Configure whether users of this user pool can or are required use MFA to sign in.
*
* @default Mfa.OFF
*/
readonly mfa?: Mfa;
/**
* The SMS message template sent during MFA verification.
* Use '{####}' in the template where Cognito should insert the verification code.
* @default 'Your authentication code is {####}.'
*/
readonly mfaMessage?: string;
/**
* Configure the MFA types that users can use in this user pool. Ignored if `mfa` is set to `OFF`.
*
* @default - { sms: true, otp: false, email: false }, if `mfa` is set to `OPTIONAL` or `REQUIRED`.
* { sms: false, otp: false, email:false }, otherwise
*/
readonly mfaSecondFactor?: MfaSecondFactor;
/**
* Password policy for this user pool.
* @default - see defaults on each property of PasswordPolicy.
*/
readonly passwordPolicy?: PasswordPolicy;
/**
* Sign-in policy for this user pool.
* @default - see defaults on each property of SignInPolicy.
*/
readonly signInPolicy?: SignInPolicy;
/**
* The authentication domain that passkey providers must use as a relying party (RP) in their configuration.
*
* Under the following conditions, the passkey relying party ID must be the fully-qualified domain name of your custom domain:
* - The user pool is configured for passkey authentication.
* - The user pool has a custom domain, whether or not it also has a prefix domain.
* - Your application performs authentication with managed login or the classic hosted UI.
*
* @default - No authentication domain
*/
readonly passkeyRelyingPartyId?: string;
/**
* Your user-pool treatment for MFA with a passkey.
* You can override other MFA options and require passkey MFA, or you can set it as preferred.
* When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in.
*
* @default - Cognito default setting is PasskeyUserVerification.PREFERRED
*/
readonly passkeyUserVerification?: PasskeyUserVerification;
/**
* Email settings for a user pool.
* @default - cognito will use the default email configuration
*/
readonly email?: UserPoolEmail;
/**
* Lambda functions to use for supported Cognito triggers.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
* @default - No Lambda triggers.
*/
readonly lambdaTriggers?: UserPoolTriggers;
/**
* Whether sign-in aliases should be evaluated with case sensitivity.
* For example, when this option is set to false, users will be able to sign in using either `MyUsername` or `myusername`.
* @default true
*/
readonly signInCaseSensitive?: boolean;
/**
* How will a user be able to recover their account?
*
* @default AccountRecovery.PHONE_WITHOUT_MFA_AND_EMAIL
*/
readonly accountRecovery?: AccountRecovery;
/**
* Policy to apply when the user pool is removed from the stack
*
* @default RemovalPolicy.RETAIN
*/
readonly removalPolicy?: RemovalPolicy;
/**
* Indicates whether the user pool should have deletion protection enabled.
*
* @default false
*/
readonly deletionProtection?: boolean;
/**
* Device tracking settings
* @default - see defaults on each property of DeviceTracking.
*/
readonly deviceTracking?: DeviceTracking;
/**
* This key will be used to encrypt temporary passwords and authorization codes that Amazon Cognito generates.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html
* @default - no key ID configured
*/
readonly customSenderKmsKey?: IKeyRef;
/**
* The user pool's Advanced Security Mode
* @deprecated Advanced Security Mode is deprecated due to user pool feature plans. Use StandardThreatProtectionMode and CustomThreatProtectionMode to set Thread Protection level.
* @default - no value
*/
readonly advancedSecurityMode?: AdvancedSecurityMode;
/**
* The user pool feature plan, or tier.
* This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
* @default - FeaturePlan.ESSENTIALS for a newly created user pool; FeaturePlan.LITE otherwise
*/
readonly featurePlan?: FeaturePlan;
/**
* The Type of Threat Protection Enabled for Standard Authentication
*
* This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
*
* Acceptable values are strings with values 'ENFORCED', 'AUDIT', or 'OFF'
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
*
* @default - StandardThreatProtectionMode.NO_ENFORCEMENT
*/
readonly standardThreatProtectionMode?: StandardThreatProtectionMode;
/**
* The Type of Threat Protection Enabled for Custom Authentication
*
* This feature only functions if your FeaturePlan is set to FeaturePlan.PLUS
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html
*
* Acceptable values are strings with values 'ENFORCED', or 'AUDIT'. For 'OFF' behavior, don't define this value
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
*
* @default - no value
*/
readonly customThreatProtectionMode?: CustomThreatProtectionMode;
}
/**
* Represents a Cognito UserPool
*/
export interface IUserPool extends IResource, IUserPoolRef {
/**
* The physical ID of this user pool resource
* @attribute
*/
readonly userPoolId: string;
/**
* The ARN of this user pool resource
* @attribute
*/
readonly userPoolArn: string;
/**
* The provider name of this user pool resource
*
* @attribute
*/
readonly userPoolProviderName: string;
/**
* Get all identity providers registered with this user pool.
*/
readonly identityProviders: IUserPoolIdentityProvider[];
/**
* Add a new app client to this user pool.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html
*/
addClient(id: string, options?: UserPoolClientOptions): UserPoolClient;
/**
* Associate a domain to this user pool.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
*/
addDomain(id: string, options: UserPoolDomainOptions): UserPoolDomain;
/**
* Add a new resource server to this user pool.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-resource-servers.html
*/
addResourceServer(id: string, options: UserPoolResourceServerOptions): UserPoolResourceServer;
/**
* Add a new group to this user pool.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
*/
addGroup(id: string, options: UserPoolGroupOptions): UserPoolGroup;
/**
* Register an identity provider with this user pool.
*/
registerIdentityProvider(provider: IUserPoolIdentityProviderRef): void;
/**
* Adds an IAM policy statement associated with this user pool to an
* IAM principal's policy.
*/
grant(grantee: IGrantable, ...actions: string[]): Grant;
}
declare abstract class UserPoolBase extends Resource implements IUserPool {
abstract readonly userPoolId: string;
abstract readonly userPoolArn: string;
abstract readonly userPoolProviderName: string;
readonly identityProviders: IUserPoolIdentityProvider[];
get userPoolRef(): UserPoolReference;
addClient(id: string, options?: UserPoolClientOptions): UserPoolClient;
addDomain(id: string, options: UserPoolDomainOptions): UserPoolDomain;
addResourceServer(id: string, options: UserPoolResourceServerOptions): UserPoolResourceServer;
addGroup(id: string, options: UserPoolGroupOptions): UserPoolGroup;
registerIdentityProvider(provider: IUserPoolIdentityProviderRef): void;
/**
* [disable-awslint:no-grants]
*/
grant(grantee: IGrantable, ...actions: string[]): Grant;
}
/**
* Define a Cognito User Pool
*/
export declare class UserPool extends UserPoolBase {
/**
* Uniquely identifies this class.
*/
static readonly PROPERTY_INJECTION_ID: string;
/**
* Import an existing user pool based on its id.
*/
static fromUserPoolId(scope: Construct, id: string, userPoolId: string): IUserPool;
/**
* Import an existing user pool based on its ARN.
*/
static fromUserPoolArn(scope: Construct, id: string, userPoolArn: string): IUserPool;
/**
* The physical ID of this user pool resource
*/
readonly userPoolId: string;
/**
* The ARN of the user pool
*/
readonly userPoolArn: string;
/**
* User pool provider name
* @attribute
*/
readonly userPoolProviderName: string;
/**
* User pool provider URL
* @attribute
*/
readonly userPoolProviderUrl: string;
private triggers;
private emailConfiguration;
constructor(scope: Construct, id: string, props?: UserPoolProps);
/**
* Add a lambda trigger to a user pool operation
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
*/
addTrigger(operation: UserPoolOperation, fn: lambda.IFunction, lambdaVersion?: LambdaVersion): void;
private addLambdaPermission;
private mfaMessage;
private verificationMessageConfiguration;
private signInConfiguration;
private smsConfiguration;
private mfaConfiguration;
private configurePasswordPolicy;
private configureSignInPolicy;
private schemaConfiguration;
private accountRecovery;
private configureUserAttributeChanges;
private validateEmailMfa;
}
export {};