AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: false
      UserPoolName: !Sub ${AWS::StackName}-UserPool
      AutoVerifiedAttributes:
        - email
      LambdaConfig:
        DefineAuthChallenge: !GetAtt DefineAuthChallenge.Arn
        CreateAuthChallenge: !GetAtt CreateAuthChallenge.Arn
        VerifyAuthChallengeResponse: !GetAtt VerifyAuthChallenge.Arn
      Schema:
        - AttributeDataType: String
          Name: publicKeyCred
          Mutable: true
          StringAttributeConstraints:
            MaxLength: 1024
        
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: my-app
      GenerateSecret: false
      UserPoolId: !Ref UserPool
      ExplicitAuthFlows:
        - ALLOW_CUSTOM_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
        - ALLOW_USER_SRP_AUTH
      WriteAttributes:
        - custom:publicKeyCred
        - email
        - name
      ReadAttributes:
        - email
        - name
        
  DefineAuthChallenge:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-DefineAuthChallenge
      CodeUri: s3://webauthn-with-amazon-cognito/DefineAuthChallenge
      Handler: index.handler
      Runtime: nodejs12.x
      MemorySize: 1024
      Timeout: 30
      Tracing: Active
  DefineAuthChallengePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt DefineAuthChallenge.Arn
      Principal: cognito-idp.amazonaws.com
      Action: lambda:InvokeFunction
      SourceArn: !GetAtt UserPool.Arn
      
  CreateAuthChallenge:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-CreateAuthChallenge
      CodeUri: s3://webauthn-with-amazon-cognito/CreateAuthChallenge
      Handler: index.handler
      Runtime: nodejs12.x
      MemorySize: 1024
      Timeout: 30
      Tracing: Active
  CreateAuthChallengePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt CreateAuthChallenge.Arn
      Principal: cognito-idp.amazonaws.com
      Action: lambda:InvokeFunction
      SourceArn: !GetAtt UserPool.Arn
      
  VerifyAuthChallenge:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-VerifyAuthChallenge
      CodeUri: s3://webauthn-with-amazon-cognito/VerifyAuthChallenge
      Handler: index.handler
      Runtime: nodejs12.x
      MemorySize: 1024
      Timeout: 30
      Tracing: Active
  VerifyAuthChallengePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt VerifyAuthChallenge.Arn
      Principal: cognito-idp.amazonaws.com
      Action: lambda:InvokeFunction
      SourceArn: !GetAtt UserPool.Arn
        
Outputs :
  UserPoolId:
    Value: !Ref 'UserPool'
  AppClientID:
    Value: !Ref 'UserPoolClient'