Add allowUnauthenticatedIdentities to front-end config (#924)

* fix: add allowUnauthenticatedIdentities to front end config

* chore: cleanup

* fix: use === instead of ==

* fix: make property optional in output

* chore: update api

* fix: front end config tests

* chore: update api

Author: awsluja

.changeset/purple-cherries-cry.md

@@ -0,0 +1,7 @@
+---
+'@aws-amplify/backend-output-schemas': patch
+'@aws-amplify/auth-construct-alpha': patch
+'@aws-amplify/client-config': patch
+---
+
+Add allowUnauthenticatedIdentities to config output.

packages/auth-construct/src/construct.test.ts

@@ -501,6 +501,7 @@ void describe('Auth construct', () => {
             signupAttributes: '["EMAIL"]',
             verificationMechanisms: '["EMAIL"]',
             usernameAttributes: '["EMAIL"]',
+            allowUnauthenticatedIdentities: 'true',
           },
         },
       ]);
@@ -561,6 +562,7 @@ void describe('Auth construct', () => {
             oauthRedirectSignOut: 'http://logout.com',
             oauthResponseType: 'code',
             socialProviders: '["GOOGLE"]',
+            allowUnauthenticatedIdentities: 'true',
           },
         },
       ]);
@@ -634,6 +636,7 @@ void describe('Auth construct', () => {
               'webClientId',
               'identityPoolId',
               'authRegion',
+              'allowUnauthenticatedIdentities',
               'signupAttributes',
               'usernameAttributes',
               'verificationMechanisms',

packages/auth-construct/src/construct.ts

@@ -707,8 +707,12 @@ export class AmplifyAuth
       webClientId: this.resources.userPoolClient.userPoolClientId,
       identityPoolId: this.resources.cfnResources.cfnIdentityPool.ref,
       authRegion: Stack.of(this).region,
+      allowUnauthenticatedIdentities:
+        this.resources.cfnResources.cfnIdentityPool
+          .allowUnauthenticatedIdentities === true
+          ? 'true'
+          : 'false',
     };
-
     if (this.computedUserPoolProps.standardAttributes) {
       const signupAttributes = Object.entries(
         this.computedUserPoolProps.standardAttributes

packages/backend-output-schemas/API.md

@@ -104,6 +104,7 @@ export const unifiedBackendOutputSchema: z.ZodObject<{
             appleClientId: z.ZodOptional<z.ZodString>;
             facebookClientId: z.ZodOptional<z.ZodString>;
             googleClientId: z.ZodOptional<z.ZodString>;
+            allowUnauthenticatedIdentities: z.ZodOptional<z.ZodString>;
             usernameAttributes: z.ZodOptional<z.ZodString>;
             signupAttributes: z.ZodOptional<z.ZodString>;
             passwordPolicyMinLength: z.ZodOptional<z.ZodString>;
@@ -113,7 +114,9 @@ export const unifiedBackendOutputSchema: z.ZodObject<{
             verificationMechanisms: z.ZodOptional<z.ZodString>;
             socialProviders: z.ZodOptional<z.ZodString>;
             oauthDomain: z.ZodOptional<z.ZodString>;
-            oauthScope: z.ZodOptional<z.ZodString>;
+            oauthScope: z.ZodOptional<z.ZodString>; /**
+            * re-export the storage output schema
+            */
             oauthRedirectSignIn: z.ZodOptional<z.ZodString>;
             oauthRedirectSignOut: z.ZodOptional<z.ZodString>;
             oauthClientId: z.ZodOptional<z.ZodString>;
@@ -127,6 +130,7 @@ export const unifiedBackendOutputSchema: z.ZodObject<{
             appleClientId?: string | undefined;
             facebookClientId?: string | undefined;
             googleClientId?: string | undefined;
+            allowUnauthenticatedIdentities?: string | undefined;
             usernameAttributes?: string | undefined;
             signupAttributes?: string | undefined;
             passwordPolicyMinLength?: string | undefined;
@@ -150,6 +154,7 @@ export const unifiedBackendOutputSchema: z.ZodObject<{
             appleClientId?: string | undefined;
             facebookClientId?: string | undefined;
             googleClientId?: string | undefined;
+            allowUnauthenticatedIdentities?: string | undefined;
             usernameAttributes?: string | undefined;
             signupAttributes?: string | undefined;
             passwordPolicyMinLength?: string | undefined;
@@ -176,6 +181,7 @@ export const unifiedBackendOutputSchema: z.ZodObject<{
             appleClientId?: string | undefined;
             facebookClientId?: string | undefined;
             googleClientId?: string | undefined;
+            allowUnauthenticatedIdentities?: string | undefined;
             usernameAttributes?: string | undefined;
             signupAttributes?: string | undefined;
             passwordPolicyMinLength?: string | undefined;
@@ -202,6 +208,7 @@ export const unifiedBackendOutputSchema: z.ZodObject<{
             appleClientId?: string | undefined;
             facebookClientId?: string | undefined;
             googleClientId?: string | undefined;
+            allowUnauthenticatedIdentities?: string | undefined;
             usernameAttributes?: string | undefined;
             signupAttributes?: string | undefined;
             passwordPolicyMinLength?: string | undefined;
@@ -317,6 +324,7 @@ export const unifiedBackendOutputSchema: z.ZodObject<{
             appleClientId?: string | undefined;
             facebookClientId?: string | undefined;
             googleClientId?: string | undefined;
+            allowUnauthenticatedIdentities?: string | undefined;
             usernameAttributes?: string | undefined;
             signupAttributes?: string | undefined;
             passwordPolicyMinLength?: string | undefined;
@@ -372,6 +380,7 @@ export const unifiedBackendOutputSchema: z.ZodObject<{
             appleClientId?: string | undefined;
             facebookClientId?: string | undefined;
             googleClientId?: string | undefined;
+            allowUnauthenticatedIdentities?: string | undefined;
             usernameAttributes?: string | undefined;
             signupAttributes?: string | undefined;
             passwordPolicyMinLength?: string | undefined;
@@ -422,6 +431,7 @@ export const versionedAuthOutputSchema: z.ZodDiscriminatedUnion<"version", [z.Zo
         appleClientId: z.ZodOptional<z.ZodString>;
         facebookClientId: z.ZodOptional<z.ZodString>;
         googleClientId: z.ZodOptional<z.ZodString>;
+        allowUnauthenticatedIdentities: z.ZodOptional<z.ZodString>;
         usernameAttributes: z.ZodOptional<z.ZodString>;
         signupAttributes: z.ZodOptional<z.ZodString>;
         passwordPolicyMinLength: z.ZodOptional<z.ZodString>;
@@ -445,6 +455,7 @@ export const versionedAuthOutputSchema: z.ZodDiscriminatedUnion<"version", [z.Zo
         appleClientId?: string | undefined;
         facebookClientId?: string | undefined;
         googleClientId?: string | undefined;
+        allowUnauthenticatedIdentities?: string | undefined;
         usernameAttributes?: string | undefined;
         signupAttributes?: string | undefined;
         passwordPolicyMinLength?: string | undefined;
@@ -468,6 +479,7 @@ export const versionedAuthOutputSchema: z.ZodDiscriminatedUnion<"version", [z.Zo
         appleClientId?: string | undefined;
         facebookClientId?: string | undefined;
         googleClientId?: string | undefined;
+        allowUnauthenticatedIdentities?: string | undefined;
         usernameAttributes?: string | undefined;
         signupAttributes?: string | undefined;
         passwordPolicyMinLength?: string | undefined;
@@ -494,6 +506,7 @@ export const versionedAuthOutputSchema: z.ZodDiscriminatedUnion<"version", [z.Zo
         appleClientId?: string | undefined;
         facebookClientId?: string | undefined;
         googleClientId?: string | undefined;
+        allowUnauthenticatedIdentities?: string | undefined;
         usernameAttributes?: string | undefined;
         signupAttributes?: string | undefined;
         passwordPolicyMinLength?: string | undefined;
@@ -520,6 +533,7 @@ export const versionedAuthOutputSchema: z.ZodDiscriminatedUnion<"version", [z.Zo
         appleClientId?: string | undefined;
         facebookClientId?: string | undefined;
         googleClientId?: string | undefined;
+        allowUnauthenticatedIdentities?: string | undefined;
         usernameAttributes?: string | undefined;
         signupAttributes?: string | undefined;
         passwordPolicyMinLength?: string | undefined;

packages/backend-output-schemas/src/auth/v1.ts

@@ -13,6 +13,8 @@ export const authOutputSchema = z.object({
     facebookClientId: z.optional(z.string()),
     googleClientId: z.optional(z.string()),
 
+    allowUnauthenticatedIdentities: z.optional(z.string()), // boolean as string 'true' | 'false'
+
     usernameAttributes: z.string().optional(), // JSON array as string
     signupAttributes: z.string().optional(), // JSON array as string
     passwordPolicyMinLength: z.string().optional(),

packages/client-config/API.md

@@ -24,6 +24,7 @@ export type AuthClientConfig = {
     };
     aws_cognito_verification_mechanisms?: string[];
     aws_cognito_social_providers?: string[];
+    allowUnauthenticatedIdentities?: string;
     oauth?: {
         domain?: string;
         scope?: string[];

packages/client-config/src/client-config-contributor/auth_client_config_contributor.test.ts

@@ -29,6 +29,31 @@ void describe('AuthClientConfigContributor', () => {
   });
 
   void it('returns translated config when output has auth', () => {
+    const contributor = new AuthClientConfigContributor();
+    assert.deepStrictEqual(
+      contributor.contribute({
+        [authOutputKey]: {
+          version: '1',
+          payload: {
+            identityPoolId: 'testIdentityPoolId',
+            userPoolId: 'testUserPoolId',
+            webClientId: 'testWebClientId',
+            authRegion: 'testRegion',
+            allowUnauthenticatedIdentities: 'true',
+          },
+        },
+      }),
+      {
+        aws_user_pools_id: 'testUserPoolId',
+        aws_user_pools_web_client_id: 'testWebClientId',
+        aws_cognito_region: 'testRegion',
+        aws_cognito_identity_pool_id: 'testIdentityPoolId',
+        allowUnauthenticatedIdentities: 'true',
+      }
+    );
+  });
+
+  void it('returns translated config without requiring allowUnauthenticatedIdentities', () => {
     const contributor = new AuthClientConfigContributor();
     assert.deepStrictEqual(
       contributor.contribute({
@@ -70,6 +95,7 @@ void describe('AuthClientConfigContributor', () => {
             verificationMechanisms: '["EMAIL","PHONE"]',
             usernameAttributes: '["EMAIL"]',
             signupAttributes: '["EMAIL"]',
+            allowUnauthenticatedIdentities: 'true',
           },
         },
       }),
@@ -91,6 +117,7 @@ void describe('AuthClientConfigContributor', () => {
         aws_cognito_signup_attributes: ['EMAIL'],
         aws_cognito_username_attributes: ['EMAIL'],
         aws_cognito_verification_mechanisms: ['EMAIL', 'PHONE'],
+        allowUnauthenticatedIdentities: 'true',
       }
     );
   });

packages/client-config/src/client-config-contributor/auth_client_config_contributor.ts

@@ -35,6 +35,10 @@ export class AuthClientConfigContributor implements ClientConfigContributor {
       aws_user_pools_web_client_id: authOutput.payload.webClientId,
       aws_cognito_identity_pool_id: authOutput.payload.identityPoolId,
     };
+    if (authOutput.payload.allowUnauthenticatedIdentities !== undefined) {
+      authClientConfig.allowUnauthenticatedIdentities =
+        authOutput.payload.allowUnauthenticatedIdentities;
+    }
 
     parseAndAssignObject(
       authClientConfig,

packages/client-config/src/client-config-contributor/graphql_client_config_contributor.test.ts

@@ -28,6 +28,7 @@ void describe('GraphqlClientConfigContributor', () => {
           userPoolId: 'stuff',
           authRegion: 'testRegion ',
           webClientId: 'clientId',
+          allowUnauthenticatedIdentities: 'true',
         },
       },
     });

packages/client-config/src/client-config-types/auth_client_config.ts

@@ -21,6 +21,8 @@ export type AuthClientConfig = {
 
   aws_cognito_social_providers?: string[];
 
+  allowUnauthenticatedIdentities?: string;
+
   oauth?: {
     domain?: string;
     scope?: string[];