diff --git a/src/__tests__/api.test.ts b/src/__tests__/api.test.ts
index 5cf47893..196f6358 100644
--- a/src/__tests__/api.test.ts
+++ b/src/__tests__/api.test.ts
@@ -117,7 +117,7 @@ describe('Api', () => {
 "UserPoolConfig": Object {
 "AppIdClientRegex": "[a-z]",
 "AwsRegion": "us-east-1",
- "DefaultAction": "DENY",
+ "DefaultAction": "ALLOW",
 "UserPoolId": "pool123",
 },
 },
@@ -202,147 +202,6 @@ describe('Api', () => { }); }); - it('should use defaultAction as ALLOW for Cognito when primary auth and additionalAuth are present', () => { - const api = new Api( - given.appSyncConfig({ - authentication: { - type: 'AMAZON_COGNITO_USER_POOLS', - config: { - userPoolId: 'pool123', - awsRegion: 'us-east-1', - appIdClientRegex: '[a-z]', - }, - }, - additionalAuthentications: [ - { - type: 'AWS_IAM', - }, - ], - }), - plugin, - ); - expect(api.compileEndpoint()).toMatchInlineSnapshot(` - Object { - "GraphQlApi": Object { - "Properties": Object { - "AdditionalAuthenticationProviders": Array [ - Object { - "AuthenticationType": "AWS_IAM", - }, - ], - "AuthenticationType": "AMAZON_COGNITO_USER_POOLS", - "Name": "MyApi", - "Tags": Array [ - Object { - "Key": "stage", - "Value": "Dev", - }, - ], - "UserPoolConfig": Object { - "AppIdClientRegex": "[a-z]", - "AwsRegion": "us-east-1", - "DefaultAction": "ALLOW", - "UserPoolId": "pool123", - }, - "XrayEnabled": false, - }, - "Type": "AWS::AppSync::GraphQLApi", - }, - } - `); - }); - - it('should use defaultAction as DENY for Cognito when primary auth and additionalAuth are not present', () => { - const api = new Api( - given.appSyncConfig({ - authentication: { - type: 'AMAZON_COGNITO_USER_POOLS', - config: { - userPoolId: 'pool123', - awsRegion: 'us-east-1', - appIdClientRegex: '[a-z]', - }, - }, - additionalAuthentications: [], - }), - plugin, - ); - expect(api.compileEndpoint()).toMatchInlineSnapshot(` - Object { - "GraphQlApi": Object { - "Properties": Object { - "AuthenticationType": "AMAZON_COGNITO_USER_POOLS", - "Name": "MyApi", - "Tags": Array [ - Object { - "Key": "stage", - "Value": "Dev", - }, - ], - "UserPoolConfig": Object { - "AppIdClientRegex": "[a-z]", - "AwsRegion": "us-east-1", - "DefaultAction": "DENY", - "UserPoolId": "pool123", - }, - "XrayEnabled": false, - }, - "Type": "AWS::AppSync::GraphQLApi", - }, - } - `); - }); - - it('should use defaultAction as DENY for Cognito when not 
primary auth', () => { - const api = new Api( - given.appSyncConfig({ - authentication: { - type: 'API_KEY', - }, - additionalAuthentications: [ - { - type: 'AMAZON_COGNITO_USER_POOLS', - config: { - userPoolId: 'pool123', - awsRegion: 'us-east-1', - appIdClientRegex: '[a-z]', - }, - }, - ], - }), - plugin, - ); - expect(api.compileEndpoint()).toMatchInlineSnapshot(` - Object { - "GraphQlApi": Object { - "Properties": Object { - "AdditionalAuthenticationProviders": Array [ - Object { - "AuthenticationType": "AMAZON_COGNITO_USER_POOLS", - "UserPoolConfig": Object { - "AppIdClientRegex": "[a-z]", - "AwsRegion": "us-east-1", - "DefaultAction": "DENY", - "UserPoolId": "pool123", - }, - }, - ], - "AuthenticationType": "API_KEY", - "Name": "MyApi", - "Tags": Array [ - Object { - "Key": "stage", - "Value": "Dev", - }, - ], - "XrayEnabled": false, - }, - "Type": "AWS::AppSync::GraphQLApi", - }, - } - `); - }); - describe('Logs', () => { it('should not compile CloudWatch Resources when logging not configured', () => { const api = new Api(given.appSyncConfig(), plugin); diff --git a/src/resources/Api.ts b/src/resources/Api.ts index 22d6ba96..4ca35959 100644 --- a/src/resources/Api.ts +++ b/src/resources/Api.ts @@ -416,14 +416,8 @@ export class Api { UserPoolId: auth.config.userPoolId, AppIdClientRegex: auth.config.appIdClientRegex, // Default action is the one passed in the config - // or 'ALLOW' if the primary auth is Cognito User Pool - // else, DENY - DefaultAction: - auth.config.defaultAction || - (this.config.authentication.type === 'AMAZON_COGNITO_USER_POOLS' && - this.config.additionalAuthentications.length > 0 - ? 'ALLOW' - : 'DENY'), + // or 'ALLOW' + DefaultAction: auth.config.defaultAction || 'ALLOW', }; return userPoolConfig;
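Review bot: The new fallback `DefaultAction: auth.config.defaultAction || 'ALLOW'` in the `src/resources/Api.ts` hunk silently widens the default, because the removed branch resolved to DENY whenever Cognito was not combined with additional providers. Stacks that omit `defaultAction` would therefore switch from DENY to ALLOW on their next deploy without any config change. If unconditional ALLOW is intended, it should be called out as a breaking change and stated in the comment, for example `// Falls back to 'ALLOW' when defaultAction is not set; set defaultAction: 'DENY' explicitly for deny-by-default`; otherwise keep DENY as the fallback for the single-provider case. The tests deleted in the `api.test.ts` hunk were the only visible coverage of how the default is chosen, so a case asserting that an explicit `defaultAction: 'DENY'` is passed through unchanged would pin the override path. The enclosing method starts and ends outside this hunk, so how callers use the returned `userPoolConfig` could not be checked here.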