aws-amplify / amplify-backend

Home to all tools related to Amplify's code-first DX (Gen 2) for building fullstack apps on AWS
Apache License 2.0

allow disabling self sign-up in auth, surface output to auto-configure Authenticator #1656

Open josefaidt opened 3 months ago

josefaidt commented 3 months ago

Environment information

System:
  OS: macOS 14.5
  CPU: (10) arm64 Apple M1 Pro
  Memory: 98.95 MB / 32.00 GB
  Shell: /opt/homebrew/bin/fish
Binaries:
  Node: 20.14.0 - ~/.local/state/fnm_multishells/44106_1718394805068/bin/node
  Yarn: undefined - undefined
  npm: 10.7.0 - ~/.local/state/fnm_multishells/44106_1718394805068/bin/npm
  pnpm: 9.1.4 - ~/.local/state/fnm_multishells/44106_1718394805068/bin/pnpm
NPM Packages:
  @aws-amplify/backend: 1.0.3
  @aws-amplify/backend-cli: 1.0.4
  aws-amplify: 6.3.6
  aws-cdk: 2.144.0
  aws-cdk-lib: 2.144.0
  typescript: 5.4.5
AWS environment variables:
  AWS_PROFILE = josef-gen2
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Description

As a developer building an enterprise microsite, or an application using my existing enterprise identity provider with SAML, etc., I want to disable self sign-up on the Cognito User Pool and force end users to authenticate via SAML.

Today I can disable it using CDK:

// amplify/backend.ts
import { defineBackend } from "@aws-amplify/backend"
import { auth } from "./auth/resource"

const backend = defineBackend({
  auth,
})

const { cfnUserPool } = backend.auth.resources.cfnResources

cfnUserPool.adminCreateUserConfig = {
  // disables self sign-up for non-federated users
  allowAdminCreateUserOnly: true,
}

However, the property name to modify is a bit ambiguous compared to the construct prop selfSignUpEnabled.

Consider surfacing a method on backend.auth to easily disable it:

// amplify/backend.ts
import { defineBackend } from "@aws-amplify/backend"
import { auth } from "./auth/resource"

const backend = defineBackend({
  auth,
})

backend.auth.disableSelfSignUp()

Or provide a way of configuring an external provider without also enabling email sign-in by default:

// amplify/auth/resource.ts
import { defineAuth } from "@aws-amplify/backend"

export const auth = defineAuth({
  loginWith: {
    // not specifying `email` here implicitly disables self sign-up
    externalProviders: {
      /* details */
    }
  }
})
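The CDK override above sets the CloudFormation property AdminCreateUserConfig.AllowAdminCreateUserOnly on the user pool. As an added pre-deploy check that is not part of this issue or of the amplify-backend project, the following walks a synthesized CloudFormation template and flags every AWS::Cognito::UserPool on which that property is not the literal boolean true; the sample template is constructed for the example.

```typescript
// Added example (not the project's code): audit a synthesized CloudFormation
// template for Cognito User Pools that still allow self sign-up.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface PoolFinding {
  logicalId: string;
  selfSignUpDisabled: boolean;
  reason: string;
}

// A pool passes only when AllowAdminCreateUserOnly is the boolean true.
// A missing AdminCreateUserConfig block means Cognito's default applies
// (self sign-up enabled); a string "true" or false also fails.
function auditSelfSignUp(template: CfnTemplate): PoolFinding[] {
  const findings: PoolFinding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::Cognito::UserPool") continue;
    const cfg = res.Properties?.AdminCreateUserConfig as
      { AllowAdminCreateUserOnly?: unknown } | undefined;
    const value = cfg?.AllowAdminCreateUserOnly;
    let reason: string;
    if (value === true) reason = "AllowAdminCreateUserOnly is true";
    else if (cfg === undefined) reason = "AdminCreateUserConfig missing; Cognito default allows self sign-up";
    else reason = `AllowAdminCreateUserOnly is ${JSON.stringify(value)}, expected true`;
    findings.push({ logicalId, selfSignUpDisabled: value === true, reason });
  }
  return findings;
}

// Logical ids of pools that still allow self sign-up; a CI gate can fail
// the deploy when this list is non-empty.
function poolsAllowingSelfSignUp(template: CfnTemplate): string[] {
  return auditSelfSignUp(template)
    .filter((f) => !f.selfSignUpDisabled)
    .map((f) => f.logicalId);
}

// Constructed sample template: one pool with the override applied, one left
// at Cognito's default, plus an unrelated resource that must be ignored.
const sampleTemplate: CfnTemplate = {
  Resources: {
    EnterprisePool: {
      Type: "AWS::Cognito::UserPool",
      Properties: { AdminCreateUserConfig: { AllowAdminCreateUserOnly: true } },
    },
    DefaultPool: { Type: "AWS::Cognito::UserPool", Properties: { UsernameAttributes: ["email"] } },
    Client: { Type: "AWS::Cognito::UserPoolClient", Properties: {} },
  },
};

console.log(poolsAllowingSelfSignUp(sampleTemplate)); // ["DefaultPool"]
```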

ykethan commented 3 months ago

Marking this as feature request.