feat(apigatewayv2-authorizers): http api - allow multiple user pool clients per HttpUserPoolAuthorizer (aws#16903)

tmokmss · TikiTDO · commit 266112931b8e · 2022-02-21T18:26:39.000-05:00
closes aws#15431 BREAKING CHANGE: `userPoolClient` property in `UserPoolAuthorizerProps` is now renamed to `userPoolClients`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md b/packages/@aws-cdk/aws-apigatewayv2-authorizers/README.md
@@ -150,7 +150,7 @@ const userPoolClient = userPool.addClient('UserPoolClient');
 
 const authorizer = new HttpUserPoolAuthorizer({
   userPool,
-  userPoolClient,
+  userPoolClients: [userPoolClient],
 });
 
 const api = new HttpApi(stack, 'HttpApi');
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/http/user-pool.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/http/user-pool.ts
@@ -7,9 +7,9 @@ import { Stack, Token } from '@aws-cdk/core';
  */
 export interface UserPoolAuthorizerProps {
   /**
-   * The user pool client that should be used to authorize requests with the user pool.
+   * The user pool clients that should be used to authorize requests with the user pool.
    */
-  readonly userPoolClient: IUserPoolClient;
+  readonly userPoolClients: IUserPoolClient[];
 
   /**
    * The associated user pool
@@ -33,7 +33,7 @@ export interface UserPoolAuthorizerProps {
    *
    * @default ['$request.header.Authorization']
    */
-  readonly identitySource?: string[],
+  readonly identitySource?: string[];
 }
 
 /**
@@ -56,7 +56,7 @@ export class HttpUserPoolAuthorizer implements IHttpRouteAuthorizer {
         identitySource: this.props.identitySource ?? ['$request.header.Authorization'],
         type: HttpAuthorizerType.JWT,
         authorizerName: this.props.authorizerName,
-        jwtAudience: [this.props.userPoolClient.userPoolClientId],
+        jwtAudience: this.props.userPoolClients.map((c) => c.userPoolClientId),
         jwtIssuer: `https://cognito-idp.${region}.amazonaws.com/${this.props.userPool.userPoolId}`,
       });
     }
@@ -66,4 +66,4 @@ export class HttpUserPoolAuthorizer implements IHttpRouteAuthorizer {
       authorizationType: 'JWT',
     };
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/integ.user-pool.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/integ.user-pool.ts
@@ -25,7 +25,7 @@ const userPoolClient = userPool.addClient('my-client');
 
 const authorizer = new HttpUserPoolAuthorizer({
   userPool,
-  userPoolClient,
+  userPoolClients: [userPoolClient],
 });
 
 const handler = new lambda.Function(stack, 'lambda', {
diff --git a/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/user-pool.test.ts b/packages/@aws-cdk/aws-apigatewayv2-authorizers/test/http/user-pool.test.ts
@@ -13,7 +13,7 @@ describe('HttpUserPoolAuthorizer', () => {
     const userPoolClient = userPool.addClient('UserPoolClient');
     const authorizer = new HttpUserPoolAuthorizer({
       userPool,
-      userPoolClient,
+      userPoolClients: [userPoolClient],
     });
 
     // WHEN
@@ -52,7 +52,7 @@ describe('HttpUserPoolAuthorizer', () => {
     const userPoolClient = userPool.addClient('UserPoolClient');
     const authorizer = new HttpUserPoolAuthorizer({
       userPool,
-      userPoolClient,
+      userPoolClients: [userPoolClient],
     });
 
     // WHEN
@@ -70,6 +70,46 @@ describe('HttpUserPoolAuthorizer', () => {
     // THEN
     Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Authorizer', 1);
   });
+
+  test('multiple userPoolClients are attached', () => {
+    // GIVEN
+    const stack = new Stack();
+    const api = new HttpApi(stack, 'HttpApi');
+    const userPool = new UserPool(stack, 'UserPool');
+    const userPoolClient1 = userPool.addClient('UserPoolClient1');
+    const userPoolClient2 = userPool.addClient('UserPoolClient2');
+    const authorizer = new HttpUserPoolAuthorizer({
+      userPool,
+      userPoolClients: [userPoolClient1, userPoolClient2],
+    });
+
+    // WHEN
+    api.addRoutes({
+      integration: new DummyRouteIntegration(),
+      path: '/books',
+      authorizer,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Authorizer', {
+      AuthorizerType: 'JWT',
+      IdentitySource: ['$request.header.Authorization'],
+      JwtConfiguration: {
+        Audience: [stack.resolve(userPoolClient1.userPoolClientId), stack.resolve(userPoolClient2.userPoolClientId)],
+        Issuer: {
+          'Fn::Join': [
+            '',
+            [
+              'https://cognito-idp.',
+              { Ref: 'AWS::Region' },
+              '.amazonaws.com/',
+              stack.resolve(userPool.userPoolId),
+            ],
+          ],
+        },
+      },
+    });
+  });
 });
 
 class DummyRouteIntegration implements IHttpRouteIntegration {
