feat(aws-cognito): add AuthSessionValidity property on a UserPoolClient

packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts

@@ -239,6 +239,15 @@ export interface UserPoolClientOptions {
    */
   readonly oAuth?: OAuthSettings;
 
+  /**
+   * Cognito creates a session token for each API request in an authentication flow.
+   * AuthSessionValidity is the duration, in minutes, of that session token.
+   * see defaults in `AuthSessionValidity`. Valid duration is from 3 to 15 minutes.
+   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity
+   * @default - Duration.minutes(3)
+   */
+  readonly authSessionValidity?: Duration;
+
   /**
    * Whether Cognito returns a UserNotFoundException exception when the
    * user does not exist in the user pool (false), or whether it returns
@@ -409,6 +418,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
       writeAttributes: props.writeAttributes?.attributes(),
       enableTokenRevocation: props.enableTokenRevocation,
     });
+    this.configureAuthSessionValidity(resource, props);
     this.configureTokenValidity(resource, props);
 
     this.userPoolClientId = resource.ref;
@@ -522,6 +532,11 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
     return Array.from(providers);
   }
 
+  private configureAuthSessionValidity(resource: CfnUserPoolClient, props: UserPoolClientProps) {
+    this.validateDuration('authSessionValidity', Duration.minutes(3), Duration.minutes(15), props.authSessionValidity);
+    resource.authSessionValidity = props.authSessionValidity ? props.authSessionValidity.toMinutes() : undefined;
+  }
+
   private configureTokenValidity(resource: CfnUserPoolClient, props: UserPoolClientProps) {
     this.validateDuration('idTokenValidity', Duration.minutes(5), Duration.days(1), props.idTokenValidity);
     this.validateDuration('accessTokenValidity', Duration.minutes(5), Duration.days(1), props.accessTokenValidity);

packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts

@@ -777,6 +777,86 @@ describe('User Pool Client', () => {
     });
   });
 
+  describe('auth session validity', () => {
+    test('default', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+
+      // WHEN
+      pool.addClient('Client1', {
+        userPoolClientName: 'Client1',
+        authSessionValidity: Duration.minutes(3),
+      });
+      pool.addClient('Client2', {
+        userPoolClientName: 'Client2',
+        authSessionValidity: Duration.minutes(9),
+      });
+      pool.addClient('Client3', {
+        userPoolClientName: 'Client3',
+        authSessionValidity: Duration.minutes(15),
+      });
+      pool.addClient('Client5', {
+        userPoolClientName: 'Client4',
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ClientName: 'Client1',
+        AuthSessionValidity: 3,
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ClientName: 'Client2',
+        AuthSessionValidity: 9,
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ClientName: 'Client3',
+        AuthSessionValidity: 15,
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ClientName: 'Client4',
+      });
+    });
+
+    test.each([
+      Duration.minutes(0),
+      Duration.minutes(1),
+      Duration.minutes(3).minus(Duration.minutes(1)),
+      Duration.minutes(15).plus(Duration.minutes(1)),
+      Duration.minutes(100),
+    ])('validates authSessionValidity is a duration between 3 and 15 minutes', (validity) => {
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+      expect(() => {
+        pool.addClient('Client1', {
+          userPoolClientName: 'Client1',
+          authSessionValidity: validity,
+        });
+      }).toThrow(`authSessionValidity: Must be a duration between 3 minutes and 15 minutes (inclusive); received ${validity.toHumanString()}.`);
+    });
+
+    test.each([
+      Duration.minutes(3),
+      Duration.minutes(9),
+      Duration.minutes(15),
+    ])('validates authSessionValidity is a duration between 3 and 15 minutes (valid)', (validity) => {
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'Pool');
+
+      // WHEN
+      pool.addClient('Client1', {
+        userPoolClientName: 'Client1',
+        authSessionValidity: validity,
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+        ClientName: 'Client1',
+        AuthSessionValidity: validity.toMinutes(),
+      });
+    });
+  });
+
   describe('token validity', () => {
     test('default', () => {
       // GIVEN