fix(CloudFormation): Invalid Cognito Auth DefaultAction (#514)

sid88in · Jun 15, 2022 · 57c52bd · 57c52bd
1 parent 7a2b5be
commit 57c52bd
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 150 deletions.
diff --git a/src/__tests__/api.test.ts b/src/__tests__/api.test.ts
@@ -117,7 +117,7 @@ describe('Api', () => {
                   "UserPoolConfig": Object {
                     "AppIdClientRegex": "[a-z]",
                     "AwsRegion": "us-east-1",
-                    "DefaultAction": "DENY",
+                    "DefaultAction": "ALLOW",
                     "UserPoolId": "pool123",
                   },
                 },
@@ -202,147 +202,6 @@ describe('Api', () => {
     });
   });
 
-  it('should use defaultAction as ALLOW for Cognito when primary auth and additionalAuth are present', () => {
-    const api = new Api(
-      given.appSyncConfig({
-        authentication: {
-          type: 'AMAZON_COGNITO_USER_POOLS',
-          config: {
-            userPoolId: 'pool123',
-            awsRegion: 'us-east-1',
-            appIdClientRegex: '[a-z]',
-          },
-        },
-        additionalAuthentications: [
-          {
-            type: 'AWS_IAM',
-          },
-        ],
-      }),
-      plugin,
-    );
-    expect(api.compileEndpoint()).toMatchInlineSnapshot(`
-      Object {
-        "GraphQlApi": Object {
-          "Properties": Object {
-            "AdditionalAuthenticationProviders": Array [
-              Object {
-                "AuthenticationType": "AWS_IAM",
-              },
-            ],
-            "AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
-            "Name": "MyApi",
-            "Tags": Array [
-              Object {
-                "Key": "stage",
-                "Value": "Dev",
-              },
-            ],
-            "UserPoolConfig": Object {
-              "AppIdClientRegex": "[a-z]",
-              "AwsRegion": "us-east-1",
-              "DefaultAction": "ALLOW",
-              "UserPoolId": "pool123",
-            },
-            "XrayEnabled": false,
-          },
-          "Type": "AWS::AppSync::GraphQLApi",
-        },
-      }
-    `);
-  });
-
-  it('should use defaultAction as DENY for Cognito when primary auth and additionalAuth are not present', () => {
-    const api = new Api(
-      given.appSyncConfig({
-        authentication: {
-          type: 'AMAZON_COGNITO_USER_POOLS',
-          config: {
-            userPoolId: 'pool123',
-            awsRegion: 'us-east-1',
-            appIdClientRegex: '[a-z]',
-          },
-        },
-        additionalAuthentications: [],
-      }),
-      plugin,
-    );
-    expect(api.compileEndpoint()).toMatchInlineSnapshot(`
-      Object {
-        "GraphQlApi": Object {
-          "Properties": Object {
-            "AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
-            "Name": "MyApi",
-            "Tags": Array [
-              Object {
-                "Key": "stage",
-                "Value": "Dev",
-              },
-            ],
-            "UserPoolConfig": Object {
-              "AppIdClientRegex": "[a-z]",
-              "AwsRegion": "us-east-1",
-              "DefaultAction": "DENY",
-              "UserPoolId": "pool123",
-            },
-            "XrayEnabled": false,
-          },
-          "Type": "AWS::AppSync::GraphQLApi",
-        },
-      }
-    `);
-  });
-
-  it('should use defaultAction as DENY for Cognito when not primary auth', () => {
-    const api = new Api(
-      given.appSyncConfig({
-        authentication: {
-          type: 'API_KEY',
-        },
-        additionalAuthentications: [
-          {
-            type: 'AMAZON_COGNITO_USER_POOLS',
-            config: {
-              userPoolId: 'pool123',
-              awsRegion: 'us-east-1',
-              appIdClientRegex: '[a-z]',
-            },
-          },
-        ],
-      }),
-      plugin,
-    );
-    expect(api.compileEndpoint()).toMatchInlineSnapshot(`
-      Object {
-        "GraphQlApi": Object {
-          "Properties": Object {
-            "AdditionalAuthenticationProviders": Array [
-              Object {
-                "AuthenticationType": "AMAZON_COGNITO_USER_POOLS",
-                "UserPoolConfig": Object {
-                  "AppIdClientRegex": "[a-z]",
-                  "AwsRegion": "us-east-1",
-                  "DefaultAction": "DENY",
-                  "UserPoolId": "pool123",
-                },
-              },
-            ],
-            "AuthenticationType": "API_KEY",
-            "Name": "MyApi",
-            "Tags": Array [
-              Object {
-                "Key": "stage",
-                "Value": "Dev",
-              },
-            ],
-            "XrayEnabled": false,
-          },
-          "Type": "AWS::AppSync::GraphQLApi",
-        },
-      }
-    `);
-  });
-
   describe('Logs', () => {
     it('should not compile CloudWatch Resources when logging not configured', () => {
       const api = new Api(given.appSyncConfig(), plugin);

diff --git a/src/resources/Api.ts b/src/resources/Api.ts
@@ -416,14 +416,8 @@ export class Api {
       UserPoolId: auth.config.userPoolId,
       AppIdClientRegex: auth.config.appIdClientRegex,
       // Default action is the one passed in the config
-      // or 'ALLOW' if the primary auth is Cognito User Pool
-      // else, DENY
-      DefaultAction:
-        auth.config.defaultAction ||
-        (this.config.authentication.type === 'AMAZON_COGNITO_USER_POOLS' &&
-        this.config.additionalAuthentications.length > 0
-          ? 'ALLOW'
-          : 'DENY'),
+      // or 'ALLOW'
+      DefaultAction: auth.config.defaultAction || 'ALLOW',
     };
 
     return userPoolConfig;