feat(client-cognito-identity-provider): Added support for threat prot…

…ection for custom authentication in Amazon Cognito user pools.
aws · Aug 8, 2024 · e2e4ccc · e2e4ccc
1 parent b2a49e6
commit e2e4ccc
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 30 deletions.
diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts
@@ -193,6 +193,9 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  *   ],
  *   UserPoolAddOns: { // UserPoolAddOnsType
  *     AdvancedSecurityMode: "OFF" || "AUDIT" || "ENFORCED", // required
+ *     AdvancedSecurityAdditionalFlows: { // AdvancedSecurityAdditionalFlowsType
+ *       CustomAuthMode: "AUDIT" || "ENFORCED",
+ *     },
  *   },
  *   UsernameConfiguration: { // UsernameConfigurationType
  *     CaseSensitive: true || false, // required
@@ -331,6 +334,9 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  * //     },
  * //     UserPoolAddOns: { // UserPoolAddOnsType
  * //       AdvancedSecurityMode: "OFF" || "AUDIT" || "ENFORCED", // required
+ * //       AdvancedSecurityAdditionalFlows: { // AdvancedSecurityAdditionalFlowsType
+ * //         CustomAuthMode: "AUDIT" || "ENFORCED",
+ * //       },
  * //     },
  * //     UsernameConfiguration: { // UsernameConfigurationType
  * //       CaseSensitive: true || false, // required

diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts
@@ -187,6 +187,9 @@ export interface DescribeUserPoolCommandOutput extends DescribeUserPoolResponse,
  * //     },
  * //     UserPoolAddOns: { // UserPoolAddOnsType
  * //       AdvancedSecurityMode: "OFF" || "AUDIT" || "ENFORCED", // required
+ * //       AdvancedSecurityAdditionalFlows: { // AdvancedSecurityAdditionalFlowsType
+ * //         CustomAuthMode: "AUDIT" || "ENFORCED",
+ * //       },
  * //     },
  * //     UsernameConfiguration: { // UsernameConfigurationType
  * //       CaseSensitive: true || false, // required

diff --git a/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts b/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts
@@ -10,7 +10,8 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { RevokeTokenRequest, RevokeTokenRequestFilterSensitiveLog, RevokeTokenResponse } from "../models/models_0";
+import { RevokeTokenRequest, RevokeTokenRequestFilterSensitiveLog } from "../models/models_0";
+import { RevokeTokenResponse } from "../models/models_1";
 import { de_RevokeTokenCommand, se_RevokeTokenCommand } from "../protocols/Aws_json1_1";
 
 /**

diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts
@@ -170,6 +170,9 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
  *   },
  *   UserPoolAddOns: { // UserPoolAddOnsType
  *     AdvancedSecurityMode: "OFF" || "AUDIT" || "ENFORCED", // required
+ *     AdvancedSecurityAdditionalFlows: { // AdvancedSecurityAdditionalFlowsType
+ *       CustomAuthMode: "AUDIT" || "ENFORCED",
+ *     },
  *   },
  *   AccountRecoverySetting: { // AccountRecoverySettingType
  *     RecoveryMechanisms: [ // RecoveryMechanismsType

diff --git a/clients/client-cognito-identity-provider/src/models/models_0.ts b/clients/client-cognito-identity-provider/src/models/models_0.ts
@@ -3644,6 +3644,39 @@ export interface AdminUserGlobalSignOutRequest {
  */
 export interface AdminUserGlobalSignOutResponse {}
 
+/**
+ * @public
+ * @enum
+ */
+export const AdvancedSecurityEnabledModeType = {
+  AUDIT: "AUDIT",
+  ENFORCED: "ENFORCED",
+} as const;
+
+/**
+ * @public
+ */
+export type AdvancedSecurityEnabledModeType =
+  (typeof AdvancedSecurityEnabledModeType)[keyof typeof AdvancedSecurityEnabledModeType];
+
+/**
+ * <p>Advanced security configuration options for additional authentication types
+ *             in your user pool, including custom authentication and refresh-token
+ *             authentication.
+ *         </p>
+ * @public
+ */
+export interface AdvancedSecurityAdditionalFlowsType {
+  /**
+   * <p>The operating mode of advanced security features in custom authentication with
+   *             <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html">
+   *                 Custom authentication challenge Lambda triggers</a>.
+   *         </p>
+   * @public
+   */
+  CustomAuthMode?: AdvancedSecurityEnabledModeType;
+}
+
 /**
  * @public
  * @enum
@@ -5502,10 +5535,22 @@ export interface UsernameConfigurationType {
  */
 export interface UserPoolAddOnsType {
   /**
-   * <p>The operating mode of advanced security features in your user pool.</p>
+   * <p>The operating mode of advanced security features for standard authentication types
+   *             in your user pool, including username-password and secure remote password (SRP)
+   *             authentication.
+   *         </p>
    * @public
    */
   AdvancedSecurityMode: AdvancedSecurityModeType | undefined;
+
+  /**
+   * <p>Advanced security configuration options for additional authentication types
+   *             in your user pool, including custom authentication and refresh-token
+   *             authentication.
+   *         </p>
+   * @public
+   */
+  AdvancedSecurityAdditionalFlows?: AdvancedSecurityAdditionalFlowsType;
 }
 
 /**
@@ -9662,32 +9707,6 @@ export interface RevokeTokenRequest {
   ClientSecret?: string;
 }
 
-/**
- * @public
- */
-export interface RevokeTokenResponse {}
-
-/**
- * <p>Exception that is thrown when the request isn't authorized. This can happen due to an
- *             invalid access token in the request.</p>
- * @public
- */
-export class UnauthorizedException extends __BaseException {
-  readonly name: "UnauthorizedException" = "UnauthorizedException";
-  readonly $fault: "client" = "client";
-  /**
-   * @internal
-   */
-  constructor(opts: __ExceptionOptionType<UnauthorizedException, __BaseException>) {
-    super({
-      name: "UnauthorizedException",
-      $fault: "client",
-      ...opts,
-    });
-    Object.setPrototypeOf(this, UnauthorizedException.prototype);
-  }
-}
-
 /**
  * @internal
  */

diff --git a/clients/client-cognito-identity-provider/src/models/models_1.ts b/clients/client-cognito-identity-provider/src/models/models_1.ts
@@ -53,6 +53,32 @@ import {
   VerifiedAttributeType,
 } from "./models_0";
 
+/**
+ * @public
+ */
+export interface RevokeTokenResponse {}
+
+/**
+ * <p>Exception that is thrown when the request isn't authorized. This can happen due to an
+ *             invalid access token in the request.</p>
+ * @public
+ */
+export class UnauthorizedException extends __BaseException {
+  readonly name: "UnauthorizedException" = "UnauthorizedException";
+  readonly $fault: "client" = "client";
+  /**
+   * @internal
+   */
+  constructor(opts: __ExceptionOptionType<UnauthorizedException, __BaseException>) {
+    super({
+      name: "UnauthorizedException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, UnauthorizedException.prototype);
+  }
+}
+
 /**
  * <p>Exception that is thrown when you attempt to perform an operation that isn't enabled
  *             for the user pool client.</p>

diff --git a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts
@@ -339,6 +339,7 @@ import {
   AdminUpdateDeviceStatusRequest,
   AdminUpdateUserAttributesRequest,
   AdminUserGlobalSignOutRequest,
+  AdvancedSecurityAdditionalFlowsType,
   AliasAttributeType,
   AliasExistsException,
   AnalyticsConfigurationType,
@@ -492,7 +493,6 @@ import {
   TooManyFailedAttemptsException,
   TooManyRequestsException,
   UICustomizationType,
-  UnauthorizedException,
   UnexpectedLambdaException,
   UnsupportedIdentityProviderException,
   UnsupportedUserStateException,
@@ -533,6 +533,7 @@ import {
   StopUserImportJobRequest,
   StopUserImportJobResponse,
   TagResourceRequest,
+  UnauthorizedException,
   UnsupportedOperationException,
   UnsupportedTokenTypeException,
   UntagResourceRequest,
@@ -4794,6 +4795,8 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_AdminUserGlobalSignOutRequest omitted.
 
+// se_AdvancedSecurityAdditionalFlowsType omitted.
+
 // se_AliasAttributesListType omitted.
 
 // se_AnalyticsConfigurationType omitted.
@@ -5217,6 +5220,8 @@ const de_AdminListUserAuthEventsResponse = (output: any, context: __SerdeContext
 
 // de_AdminUserGlobalSignOutResponse omitted.
 
+// de_AdvancedSecurityAdditionalFlowsType omitted.
+
 // de_AliasAttributesListType omitted.
 
 // de_AliasExistsException omitted.

diff --git a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json
@@ -3780,6 +3780,37 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#AdvancedSecurityAdditionalFlowsType": {
+      "type": "structure",
+      "members": {
+        "CustomAuthMode": {
+          "target": "com.amazonaws.cognitoidentityprovider#AdvancedSecurityEnabledModeType",
+          "traits": {
+            "smithy.api#documentation": "<p>The operating mode of advanced security features in custom authentication with \n            <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">\n                Custom authentication challenge Lambda triggers</a>.\n        </p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Advanced security configuration options for additional authentication types\n            in your user pool, including custom authentication and refresh-token \n            authentication.\n        </p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#AdvancedSecurityEnabledModeType": {
+      "type": "enum",
+      "members": {
+        "AUDIT": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "AUDIT"
+          }
+        },
+        "ENFORCED": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "ENFORCED"
+          }
+        }
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#AdvancedSecurityModeType": {
       "type": "enum",
       "members": {
@@ -15168,9 +15199,15 @@
         "AdvancedSecurityMode": {
           "target": "com.amazonaws.cognitoidentityprovider#AdvancedSecurityModeType",
           "traits": {
-            "smithy.api#documentation": "<p>The operating mode of advanced security features in your user pool.</p>",
+            "smithy.api#documentation": "<p>The operating mode of advanced security features for standard authentication types\n            in your user pool, including username-password and secure remote password (SRP)\n            authentication.\n        </p>",
             "smithy.api#required": {}
           }
+        },
+        "AdvancedSecurityAdditionalFlows": {
+          "target": "com.amazonaws.cognitoidentityprovider#AdvancedSecurityAdditionalFlowsType",
+          "traits": {
+            "smithy.api#documentation": "<p>Advanced security configuration options for additional authentication types\n            in your user pool, including custom authentication and refresh-token \n            authentication.\n        </p>"
+          }
         }
       },
       "traits": {