@agent-native/core 0.24.4 → 0.24.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/onboarding/default-steps.d.ts.map +1 -1
- package/dist/onboarding/default-steps.js +0 -17
- package/dist/onboarding/default-steps.js.map +1 -1
- package/dist/server/auth.d.ts +0 -1
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +14 -338
- package/dist/server/auth.js.map +1 -1
- package/docs/content/authentication.md +8 -9
- package/docs/content/deployment.md +2 -2
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"default-steps.d.ts","sourceRoot":"","sources":["../../src/onboarding/default-steps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;
|
|
1
|
+
{"version":3,"file":"default-steps.d.ts","sourceRoot":"","sources":["../../src/onboarding/default-steps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA2RH,6DAA6D;AAC7D,wBAAgB,8BAA8B,IAAI,IAAI,CAOrD"}
|
|
@@ -195,23 +195,6 @@ const authStep = {
|
|
|
195
195
|
],
|
|
196
196
|
},
|
|
197
197
|
},
|
|
198
|
-
{
|
|
199
|
-
id: "access-token",
|
|
200
|
-
kind: "form",
|
|
201
|
-
label: "Shared access token",
|
|
202
|
-
description: "Use a simple token gate for private deployments.",
|
|
203
|
-
payload: {
|
|
204
|
-
writeScope: "workspace",
|
|
205
|
-
fields: [
|
|
206
|
-
{
|
|
207
|
-
key: "ACCESS_TOKEN",
|
|
208
|
-
label: "ACCESS_TOKEN",
|
|
209
|
-
placeholder: "Paste a strong shared token",
|
|
210
|
-
secret: true,
|
|
211
|
-
},
|
|
212
|
-
],
|
|
213
|
-
},
|
|
214
|
-
},
|
|
215
198
|
],
|
|
216
199
|
isComplete: () => true,
|
|
217
200
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"default-steps.js","sourceRoot":"","sources":["../../src/onboarding/default-steps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACL,2BAA2B,EAC3B,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAUlD,MAAM,eAAe,GAAmB;IACtC;QACE,QAAQ,EAAE,WAAW;QACrB,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,WAAW;QAClB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,sCAAsC;KACpD;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,eAAe;QACtB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,YAAY;QACtB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,YAAY;QACnB,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,QAAQ,EAAE,MAAM;QAChB,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,MAAM;QACb,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,SAAS;QACnB,EAAE,EAAE,aAAa;QACjB,KAAK,EAAE,SAAS;QAChB,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,yCAAyC;KACvD;CACF,CAAC;AAEF,MAAM,OAAO,GAAmB;IAC9B,EAAE,EAAE,KAAK;IACT,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,sBAAsB;IAC7B,WAAW,EAAE,gEAAgE;IAC7E,OAAO,EAAE;QACP;YACE,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,iBAAiB;YACxB,WAAW,EACT,mNAAmN;YACrN,OAAO,EAAE,IAAI;YACb,OAAO,EAAE;gBACP,KAAK,EAAE,KAAK;aACb;SACF;QACD,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,EAAE;YACvE,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACzC,OAAO;gBACL,EAAE;gBACF,IAAI,EAAE,MAAe;gBACrB,KAAK;gBACL,WAAW;gBACX,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrC,OAAO,EAAE;oBACP,UAAU,EAAE,WAAoB;oBAChC,MAAM,EAAE;wBACN;4BACE,GAAG,EAAE,IAAI,CAAC,MAAM;4BAChB,KAAK,EAAE,IAAI,CAAC,MAAM;4BAClB,WAAW,EAAE,IAAI,CAAC,WAAW;4BAC7B,MAAM,EAAE,IAAI;yBACb;qBACF;iBACF;aACF,CAAC;QACJ,CAAC,CAAC;KACH;IACD,UAAU,EAAE,KAAK,IAAI,EAAE;QACrB,IAAI,CAAC;YACH,MAAM,EAAE,2BAA2B,EAAE,GACnC,MAAM,MAAM,CAAC,kCAAkC,CAAC,CAAC;YACnD,IAAI,MAAM,2BAA2B,EAAE;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB;gBAAE,OAAO,IAAI,CAAC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,IAAI,MAAM,2BAA2B,EAAE;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACjE,IAAI,CAAC;YACH,OAAO,8BAA8B,CAAC,MAAM,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF,CAAC;AAEF,6EAA6E;AAC7E,MAAM,YAAY,GAAmB;IACnC,EAAE,EAAE,UAAU;IACd,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,UAAU;IACjB,WAAW,EACT,+GAA+G;IACjH,OAAO,EAAE;QACP;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,kBAAkB;YACzB,WAAW,EAAE,sDAAsD;YACnE,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,cAAc;wBACnB,KAAK,EAAE,cAAc;wBACrB,WAAW,EAAE,kDAAkD;qBAChE;oBACD;wBACE,GAAG,EAAE,qBAAqB;wBAC1B,KAAK,EAAE,iCAAiC;wBACxC,WAAW,EAAE,0CAA0C;wBACvD,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;KACF;IACD,kEAAkE;IAClE,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI;CACvB,CAAC;AAEF,yEAAyE;AACzE,MAAM,QAAQ,GAAmB;IAC/B,EAAE,EAAE,MAAM;IACV,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,gBAAgB;IACvB,WAAW,EACT,qHAAqH;IACvH,OAAO,EAAE;QACP;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,6CAA6C;YAC1D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE;oBACtD;wBACE,GAAG,EAAE,sBAAsB;wBAC3B,KAAK,EAAE,sBAAsB;wBAC7B,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,6CAA6C;YAC1D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE;oBACtD;wBACE,GAAG,EAAE,sBAAsB;wBAC3B,KAAK,EAAE,sBAAsB;wBAC7B,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,qBAAqB;YAC5B,WAAW,EAAE,kDAAkD;YAC/D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,cAAc;wBACnB,KAAK,EAAE,cAAc;wBACrB,WAAW,EAAE,6BAA6B;wBAC1C,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;KACF;IACD,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI;CACvB,CAAC;AAEF,6EAA6E;AAC7E,MAAM,SAAS,GAAmB;IAChC,EAAE,EAAE,OAAO;IACX,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,gBAAgB;IACvB,WAAW,EACT,iIAAiI;IACnI,OAAO,EAAE;QACP;YACE,EAAE,EAAE,QAAQ;YACZ,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,QAAQ;YACf,WAAW,EAAE,qCAAqC;YAClD,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,gBAAgB;wBACrB,KAAK,EAAE,gBAAgB;wBACvB,WAAW,EAAE,QAAQ;wBACrB,MAAM,EAAE,IAAI;qBACb;oBACD;wBACE,GAAG,EAAE,YAAY;wBACjB,KAAK,EAAE,2BAA2B;wBAClC,WAAW,EAAE,uCAAuC;qBACrD;oBACD;wBACE,GAAG,EAAE,UAAU;wBACf,KAAK,EAAE,mCAAmC;wBAC1C,WAAW,EAAE,YAAY;qBAC1B;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,UAAU;YACd,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,uCAAuC;YACpD,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,kBAAkB;wBACvB,KAAK,EAAE,kBAAkB;wBACzB,WAAW,EAAE,QAAQ;wBACrB,MAAM,EAAE,IAAI;qBACb;oBACD;wBACE,GAAG,EAAE,YAAY;wBACjB,KAAK,EAAE,2BAA2B;wBAClC,WAAW,EAAE,uCAAuC;qBACrD;iBACF;aACF;SACF;KACF;IACD,UAAU,EAAE,GAAG,EAAE;QACf,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC;QAC5C,uEAAuE;QACvE,wEAAwE;QACxE,iBAAiB;QACjB,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;YAAE,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAClE,OAAO,KAAK,CAAC;IACf,CAAC;CACF,CAAC;AAEF,IAAI,UAAU,GAAG,KAAK,CAAC;AAEvB,6DAA6D;AAC7D,MAAM,UAAU,8BAA8B;IAC5C,IAAI,UAAU;QAAE,OAAO;IACvB,UAAU,GAAG,IAAI,CAAC;IAClB,sBAAsB,CAAC,OAAO,CAAC,CAAC;IAChC,sBAAsB,CAAC,YAAY,CAAC,CAAC;IACrC,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACjC,sBAAsB,CAAC,SAAS,CAAC,CAAC;AACpC,CAAC","sourcesContent":["/**\n * Default framework-level onboarding steps.\n *\n * Registered when `createOnboardingPlugin()` mounts (auto-mount or explicit).\n * Templates can override any step by registering another step with the same\n * `id` after these have been registered.\n */\n\nimport { registerOnboardingStep } from \"./registry.js\";\nimport type { OnboardingStep } from \"./types.js\";\nimport {\n PROVIDER_ENV_META,\n PROVIDER_ENV_VARS,\n} from \"../agent/engine/provider-env-vars.js\";\nimport {\n detectEngineFromUserSecrets,\n isAgentEngineSettingConfigured,\n} from \"../agent/engine/registry.js\";\nimport { getSetting } from \"../settings/store.js\";\n\ntype LlmKeyMethod = {\n provider: keyof typeof PROVIDER_ENV_META;\n id: string;\n label: string;\n description: string;\n primary?: boolean;\n};\n\nconst LLM_KEY_METHODS: LlmKeyMethod[] = [\n {\n provider: \"anthropic\",\n id: \"anthropic-key\",\n label: \"Anthropic\",\n description: \"Claude models with your own Anthropic key.\",\n },\n {\n provider: \"openai\",\n id: \"openai-key\",\n label: \"OpenAI\",\n description: \"GPT models with your own OpenAI key.\",\n },\n {\n provider: \"google\",\n id: \"google-key\",\n label: \"Google Gemini\",\n description: \"Gemini models with your own Google AI key.\",\n },\n {\n provider: \"openrouter\",\n id: \"openrouter-key\",\n label: \"OpenRouter\",\n description: \"OpenRouter models with your own OpenRouter key.\",\n },\n {\n provider: \"groq\",\n id: \"groq-key\",\n label: \"Groq\",\n description: \"Groq-hosted models with your own Groq key.\",\n },\n {\n provider: \"mistral\",\n id: \"mistral-key\",\n label: \"Mistral\",\n description: \"Mistral models with your own Mistral key.\",\n },\n {\n provider: \"cohere\",\n id: \"cohere-key\",\n label: \"Cohere\",\n description: \"Cohere models with your own Cohere key.\",\n },\n];\n\nconst llmStep: OnboardingStep = {\n id: \"llm\",\n order: 10,\n required: true,\n title: \"Connect an AI engine\",\n description: \"Use Builder's managed gateway, or bring your own provider key.\",\n methods: [\n {\n id: \"builder\",\n kind: \"builder-cli-auth\",\n label: \"Connect Builder\",\n description:\n \"Connect the Builder space where this app should run. This unlocks managed LLM credits, browser automation, and file uploads. Cloud code changes appear when Builder Cloud Agents are available for the workspace.\",\n primary: true,\n payload: {\n scope: \"llm\",\n },\n },\n ...LLM_KEY_METHODS.map(({ provider, id, label, description, primary }) => {\n const meta = PROVIDER_ENV_META[provider];\n return {\n id,\n kind: \"form\" as const,\n label,\n description,\n ...(primary ? { primary: true } : {}),\n payload: {\n writeScope: \"workspace\" as const,\n fields: [\n {\n key: meta.envVar,\n label: meta.envVar,\n placeholder: meta.placeholder,\n secret: true,\n },\n ],\n },\n };\n }),\n ],\n isComplete: async () => {\n try {\n const { resolveHasBuilderPrivateKey } =\n await import(\"../server/credential-provider.js\");\n if (await resolveHasBuilderPrivateKey()) return true;\n } catch {\n if (process.env.BUILDER_PRIVATE_KEY) return true;\n }\n try {\n if (await detectEngineFromUserSecrets()) return true;\n } catch {\n // Fall through to legacy/env detection.\n }\n if (PROVIDER_ENV_VARS.some((k) => !!process.env[k])) return true;\n try {\n return isAgentEngineSettingConfigured(await getSetting(\"agent-engine\"));\n } catch {\n return false;\n }\n },\n};\n\n/** Step 2 — where application data lives. The default DB is non-blocking. */\nconst databaseStep: OnboardingStep = {\n id: \"database\",\n order: 20,\n required: false,\n title: \"Database\",\n description:\n \"Agent-native stores app data in SQL. Set DATABASE_URL when you want to point this app at a specific database.\",\n methods: [\n {\n id: \"database-url\",\n kind: \"form\",\n label: \"Set DATABASE_URL\",\n description: \"Paste the SQL connection string this app should use.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"DATABASE_URL\",\n label: \"DATABASE_URL\",\n placeholder: \"postgres://..., libsql://..., file:./data/app.db\",\n },\n {\n key: \"DATABASE_AUTH_TOKEN\",\n label: \"DATABASE_AUTH_TOKEN (if needed)\",\n placeholder: \"Token for providers such as Turso/libSQL\",\n secret: true,\n },\n ],\n },\n },\n ],\n // The default local database means this step is always satisfied.\n isComplete: () => true,\n};\n\n/** Step 3 — how users sign in. Built-in account auth is non-blocking. */\nconst authStep: OnboardingStep = {\n id: \"auth\",\n order: 30,\n required: false,\n title: \"Authentication\",\n description:\n \"Built-in email/password accounts work by default. Add OAuth or access tokens only if you want another sign-in path.\",\n methods: [\n {\n id: \"google-oauth\",\n kind: \"form\",\n label: \"Google OAuth\",\n description: \"Add Google as an optional sign-in provider.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n { key: \"GOOGLE_CLIENT_ID\", label: \"GOOGLE_CLIENT_ID\" },\n {\n key: \"GOOGLE_CLIENT_SECRET\",\n label: \"GOOGLE_CLIENT_SECRET\",\n secret: true,\n },\n ],\n },\n },\n {\n id: \"github-oauth\",\n kind: \"form\",\n label: \"GitHub OAuth\",\n description: \"Add GitHub as an optional sign-in provider.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n { key: \"GITHUB_CLIENT_ID\", label: \"GITHUB_CLIENT_ID\" },\n {\n key: \"GITHUB_CLIENT_SECRET\",\n label: \"GITHUB_CLIENT_SECRET\",\n secret: true,\n },\n ],\n },\n },\n {\n id: \"access-token\",\n kind: \"form\",\n label: \"Shared access token\",\n description: \"Use a simple token gate for private deployments.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"ACCESS_TOKEN\",\n label: \"ACCESS_TOKEN\",\n placeholder: \"Paste a strong shared token\",\n secret: true,\n },\n ],\n },\n },\n ],\n isComplete: () => true,\n};\n\n/** Step 4 — transactional email (password resets, invitations). Optional. */\nconst emailStep: OnboardingStep = {\n id: \"email\",\n order: 40,\n required: false,\n title: \"Email delivery\",\n description:\n \"Optional for local work. Before deploying with password resets, invitations, or share notifications, connect an email provider.\",\n methods: [\n {\n id: \"resend\",\n kind: \"form\",\n label: \"Resend\",\n description: \"Use Resend for transactional email.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"RESEND_API_KEY\",\n label: \"RESEND_API_KEY\",\n placeholder: \"re_...\",\n secret: true,\n },\n {\n key: \"EMAIL_FROM\",\n label: \"EMAIL_FROM (from address)\",\n placeholder: \"Agent Native <noreply@yourdomain.com>\",\n },\n {\n key: \"APP_NAME\",\n label: \"APP_NAME (shown in invite emails)\",\n placeholder: \"Acme Forms\",\n },\n ],\n },\n },\n {\n id: \"sendgrid\",\n kind: \"form\",\n label: \"SendGrid\",\n description: \"Use SendGrid for transactional email.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"SENDGRID_API_KEY\",\n label: \"SENDGRID_API_KEY\",\n placeholder: \"SG....\",\n secret: true,\n },\n {\n key: \"EMAIL_FROM\",\n label: \"EMAIL_FROM (from address)\",\n placeholder: \"Agent Native <noreply@yourdomain.com>\",\n },\n ],\n },\n },\n ],\n isComplete: () => {\n if (process.env.RESEND_API_KEY) return true;\n // SendGrid rejects Resend's sandbox sender, so EMAIL_FROM must also be\n // set — otherwise sendEmail() throws at runtime even though the API key\n // is configured.\n if (process.env.SENDGRID_API_KEY) return !!process.env.EMAIL_FROM;\n return false;\n },\n};\n\nlet registered = false;\n\n/** Idempotent. Safe to call from every plugin-mount call. */\nexport function registerDefaultOnboardingSteps(): void {\n if (registered) return;\n registered = true;\n registerOnboardingStep(llmStep);\n registerOnboardingStep(databaseStep);\n registerOnboardingStep(authStep);\n registerOnboardingStep(emailStep);\n}\n"]}
|
|
1
|
+
{"version":3,"file":"default-steps.js","sourceRoot":"","sources":["../../src/onboarding/default-steps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACL,2BAA2B,EAC3B,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAUlD,MAAM,eAAe,GAAmB;IACtC;QACE,QAAQ,EAAE,WAAW;QACrB,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,WAAW;QAClB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,sCAAsC;KACpD;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,eAAe;QACtB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,YAAY;QACtB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,YAAY;QACnB,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,QAAQ,EAAE,MAAM;QAChB,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,MAAM;QACb,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,SAAS;QACnB,EAAE,EAAE,aAAa;QACjB,KAAK,EAAE,SAAS;QAChB,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,yCAAyC;KACvD;CACF,CAAC;AAEF,MAAM,OAAO,GAAmB;IAC9B,EAAE,EAAE,KAAK;IACT,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,sBAAsB;IAC7B,WAAW,EAAE,gEAAgE;IAC7E,OAAO,EAAE;QACP;YACE,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,iBAAiB;YACxB,WAAW,EACT,mNAAmN;YACrN,OAAO,EAAE,IAAI;YACb,OAAO,EAAE;gBACP,KAAK,EAAE,KAAK;aACb;SACF;QACD,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,EAAE;YACvE,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACzC,OAAO;gBACL,EAAE;gBACF,IAAI,EAAE,MAAe;gBACrB,KAAK;gBACL,WAAW;gBACX,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrC,OAAO,EAAE;oBACP,UAAU,EAAE,WAAoB;oBAChC,MAAM,EAAE;wBACN;4BACE,GAAG,EAAE,IAAI,CAAC,MAAM;4BAChB,KAAK,EAAE,IAAI,CAAC,MAAM;4BAClB,WAAW,EAAE,IAAI,CAAC,WAAW;4BAC7B,MAAM,EAAE,IAAI;yBACb;qBACF;iBACF;aACF,CAAC;QACJ,CAAC,CAAC;KACH;IACD,UAAU,EAAE,KAAK,IAAI,EAAE;QACrB,IAAI,CAAC;YACH,MAAM,EAAE,2BAA2B,EAAE,GACnC,MAAM,MAAM,CAAC,kCAAkC,CAAC,CAAC;YACnD,IAAI,MAAM,2BAA2B,EAAE;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB;gBAAE,OAAO,IAAI,CAAC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,IAAI,MAAM,2BAA2B,EAAE;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACjE,IAAI,CAAC;YACH,OAAO,8BAA8B,CAAC,MAAM,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF,CAAC;AAEF,6EAA6E;AAC7E,MAAM,YAAY,GAAmB;IACnC,EAAE,EAAE,UAAU;IACd,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,UAAU;IACjB,WAAW,EACT,+GAA+G;IACjH,OAAO,EAAE;QACP;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,kBAAkB;YACzB,WAAW,EAAE,sDAAsD;YACnE,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,cAAc;wBACnB,KAAK,EAAE,cAAc;wBACrB,WAAW,EAAE,kDAAkD;qBAChE;oBACD;wBACE,GAAG,EAAE,qBAAqB;wBAC1B,KAAK,EAAE,iCAAiC;wBACxC,WAAW,EAAE,0CAA0C;wBACvD,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;KACF;IACD,kEAAkE;IAClE,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI;CACvB,CAAC;AAEF,yEAAyE;AACzE,MAAM,QAAQ,GAAmB;IAC/B,EAAE,EAAE,MAAM;IACV,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,gBAAgB;IACvB,WAAW,EACT,qHAAqH;IACvH,OAAO,EAAE;QACP;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,6CAA6C;YAC1D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE;oBACtD;wBACE,GAAG,EAAE,sBAAsB;wBAC3B,KAAK,EAAE,sBAAsB;wBAC7B,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,6CAA6C;YAC1D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE;oBACtD;wBACE,GAAG,EAAE,sBAAsB;wBAC3B,KAAK,EAAE,sBAAsB;wBAC7B,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;KACF;IACD,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI;CACvB,CAAC;AAEF,6EAA6E;AAC7E,MAAM,SAAS,GAAmB;IAChC,EAAE,EAAE,OAAO;IACX,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,gBAAgB;IACvB,WAAW,EACT,iIAAiI;IACnI,OAAO,EAAE;QACP;YACE,EAAE,EAAE,QAAQ;YACZ,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,QAAQ;YACf,WAAW,EAAE,qCAAqC;YAClD,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,gBAAgB;wBACrB,KAAK,EAAE,gBAAgB;wBACvB,WAAW,EAAE,QAAQ;wBACrB,MAAM,EAAE,IAAI;qBACb;oBACD;wBACE,GAAG,EAAE,YAAY;wBACjB,KAAK,EAAE,2BAA2B;wBAClC,WAAW,EAAE,uCAAuC;qBACrD;oBACD;wBACE,GAAG,EAAE,UAAU;wBACf,KAAK,EAAE,mCAAmC;wBAC1C,WAAW,EAAE,YAAY;qBAC1B;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,UAAU;YACd,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,uCAAuC;YACpD,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,kBAAkB;wBACvB,KAAK,EAAE,kBAAkB;wBACzB,WAAW,EAAE,QAAQ;wBACrB,MAAM,EAAE,IAAI;qBACb;oBACD;wBACE,GAAG,EAAE,YAAY;wBACjB,KAAK,EAAE,2BAA2B;wBAClC,WAAW,EAAE,uCAAuC;qBACrD;iBACF;aACF;SACF;KACF;IACD,UAAU,EAAE,GAAG,EAAE;QACf,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC;QAC5C,uEAAuE;QACvE,wEAAwE;QACxE,iBAAiB;QACjB,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;YAAE,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAClE,OAAO,KAAK,CAAC;IACf,CAAC;CACF,CAAC;AAEF,IAAI,UAAU,GAAG,KAAK,CAAC;AAEvB,6DAA6D;AAC7D,MAAM,UAAU,8BAA8B;IAC5C,IAAI,UAAU;QAAE,OAAO;IACvB,UAAU,GAAG,IAAI,CAAC;IAClB,sBAAsB,CAAC,OAAO,CAAC,CAAC;IAChC,sBAAsB,CAAC,YAAY,CAAC,CAAC;IACrC,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACjC,sBAAsB,CAAC,SAAS,CAAC,CAAC;AACpC,CAAC","sourcesContent":["/**\n * Default framework-level onboarding steps.\n *\n * Registered when `createOnboardingPlugin()` mounts (auto-mount or explicit).\n * Templates can override any step by registering another step with the same\n * `id` after these have been registered.\n */\n\nimport { registerOnboardingStep } from \"./registry.js\";\nimport type { OnboardingStep } from \"./types.js\";\nimport {\n PROVIDER_ENV_META,\n PROVIDER_ENV_VARS,\n} from \"../agent/engine/provider-env-vars.js\";\nimport {\n detectEngineFromUserSecrets,\n isAgentEngineSettingConfigured,\n} from \"../agent/engine/registry.js\";\nimport { getSetting } from \"../settings/store.js\";\n\ntype LlmKeyMethod = {\n provider: keyof typeof PROVIDER_ENV_META;\n id: string;\n label: string;\n description: string;\n primary?: boolean;\n};\n\nconst LLM_KEY_METHODS: LlmKeyMethod[] = [\n {\n provider: \"anthropic\",\n id: \"anthropic-key\",\n label: \"Anthropic\",\n description: \"Claude models with your own Anthropic key.\",\n },\n {\n provider: \"openai\",\n id: \"openai-key\",\n label: \"OpenAI\",\n description: \"GPT models with your own OpenAI key.\",\n },\n {\n provider: \"google\",\n id: \"google-key\",\n label: \"Google Gemini\",\n description: \"Gemini models with your own Google AI key.\",\n },\n {\n provider: \"openrouter\",\n id: \"openrouter-key\",\n label: \"OpenRouter\",\n description: \"OpenRouter models with your own OpenRouter key.\",\n },\n {\n provider: \"groq\",\n id: \"groq-key\",\n label: \"Groq\",\n description: \"Groq-hosted models with your own Groq key.\",\n },\n {\n provider: \"mistral\",\n id: \"mistral-key\",\n label: \"Mistral\",\n description: \"Mistral models with your own Mistral key.\",\n },\n {\n provider: \"cohere\",\n id: \"cohere-key\",\n label: \"Cohere\",\n description: \"Cohere models with your own Cohere key.\",\n },\n];\n\nconst llmStep: OnboardingStep = {\n id: \"llm\",\n order: 10,\n required: true,\n title: \"Connect an AI engine\",\n description: \"Use Builder's managed gateway, or bring your own provider key.\",\n methods: [\n {\n id: \"builder\",\n kind: \"builder-cli-auth\",\n label: \"Connect Builder\",\n description:\n \"Connect the Builder space where this app should run. This unlocks managed LLM credits, browser automation, and file uploads. Cloud code changes appear when Builder Cloud Agents are available for the workspace.\",\n primary: true,\n payload: {\n scope: \"llm\",\n },\n },\n ...LLM_KEY_METHODS.map(({ provider, id, label, description, primary }) => {\n const meta = PROVIDER_ENV_META[provider];\n return {\n id,\n kind: \"form\" as const,\n label,\n description,\n ...(primary ? { primary: true } : {}),\n payload: {\n writeScope: \"workspace\" as const,\n fields: [\n {\n key: meta.envVar,\n label: meta.envVar,\n placeholder: meta.placeholder,\n secret: true,\n },\n ],\n },\n };\n }),\n ],\n isComplete: async () => {\n try {\n const { resolveHasBuilderPrivateKey } =\n await import(\"../server/credential-provider.js\");\n if (await resolveHasBuilderPrivateKey()) return true;\n } catch {\n if (process.env.BUILDER_PRIVATE_KEY) return true;\n }\n try {\n if (await detectEngineFromUserSecrets()) return true;\n } catch {\n // Fall through to legacy/env detection.\n }\n if (PROVIDER_ENV_VARS.some((k) => !!process.env[k])) return true;\n try {\n return isAgentEngineSettingConfigured(await getSetting(\"agent-engine\"));\n } catch {\n return false;\n }\n },\n};\n\n/** Step 2 — where application data lives. The default DB is non-blocking. */\nconst databaseStep: OnboardingStep = {\n id: \"database\",\n order: 20,\n required: false,\n title: \"Database\",\n description:\n \"Agent-native stores app data in SQL. Set DATABASE_URL when you want to point this app at a specific database.\",\n methods: [\n {\n id: \"database-url\",\n kind: \"form\",\n label: \"Set DATABASE_URL\",\n description: \"Paste the SQL connection string this app should use.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"DATABASE_URL\",\n label: \"DATABASE_URL\",\n placeholder: \"postgres://..., libsql://..., file:./data/app.db\",\n },\n {\n key: \"DATABASE_AUTH_TOKEN\",\n label: \"DATABASE_AUTH_TOKEN (if needed)\",\n placeholder: \"Token for providers such as Turso/libSQL\",\n secret: true,\n },\n ],\n },\n },\n ],\n // The default local database means this step is always satisfied.\n isComplete: () => true,\n};\n\n/** Step 3 — how users sign in. Built-in account auth is non-blocking. */\nconst authStep: OnboardingStep = {\n id: \"auth\",\n order: 30,\n required: false,\n title: \"Authentication\",\n description:\n \"Built-in email/password accounts work by default. Add OAuth or access tokens only if you want another sign-in path.\",\n methods: [\n {\n id: \"google-oauth\",\n kind: \"form\",\n label: \"Google OAuth\",\n description: \"Add Google as an optional sign-in provider.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n { key: \"GOOGLE_CLIENT_ID\", label: \"GOOGLE_CLIENT_ID\" },\n {\n key: \"GOOGLE_CLIENT_SECRET\",\n label: \"GOOGLE_CLIENT_SECRET\",\n secret: true,\n },\n ],\n },\n },\n {\n id: \"github-oauth\",\n kind: \"form\",\n label: \"GitHub OAuth\",\n description: \"Add GitHub as an optional sign-in provider.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n { key: \"GITHUB_CLIENT_ID\", label: \"GITHUB_CLIENT_ID\" },\n {\n key: \"GITHUB_CLIENT_SECRET\",\n label: \"GITHUB_CLIENT_SECRET\",\n secret: true,\n },\n ],\n },\n },\n ],\n isComplete: () => true,\n};\n\n/** Step 4 — transactional email (password resets, invitations). Optional. */\nconst emailStep: OnboardingStep = {\n id: \"email\",\n order: 40,\n required: false,\n title: \"Email delivery\",\n description:\n \"Optional for local work. Before deploying with password resets, invitations, or share notifications, connect an email provider.\",\n methods: [\n {\n id: \"resend\",\n kind: \"form\",\n label: \"Resend\",\n description: \"Use Resend for transactional email.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"RESEND_API_KEY\",\n label: \"RESEND_API_KEY\",\n placeholder: \"re_...\",\n secret: true,\n },\n {\n key: \"EMAIL_FROM\",\n label: \"EMAIL_FROM (from address)\",\n placeholder: \"Agent Native <noreply@yourdomain.com>\",\n },\n {\n key: \"APP_NAME\",\n label: \"APP_NAME (shown in invite emails)\",\n placeholder: \"Acme Forms\",\n },\n ],\n },\n },\n {\n id: \"sendgrid\",\n kind: \"form\",\n label: \"SendGrid\",\n description: \"Use SendGrid for transactional email.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"SENDGRID_API_KEY\",\n label: \"SENDGRID_API_KEY\",\n placeholder: \"SG....\",\n secret: true,\n },\n {\n key: \"EMAIL_FROM\",\n label: \"EMAIL_FROM (from address)\",\n placeholder: \"Agent Native <noreply@yourdomain.com>\",\n },\n ],\n },\n },\n ],\n isComplete: () => {\n if (process.env.RESEND_API_KEY) return true;\n // SendGrid rejects Resend's sandbox sender, so EMAIL_FROM must also be\n // set — otherwise sendEmail() throws at runtime even though the API key\n // is configured.\n if (process.env.SENDGRID_API_KEY) return !!process.env.EMAIL_FROM;\n return false;\n },\n};\n\nlet registered = false;\n\n/** Idempotent. Safe to call from every plugin-mount call. */\nexport function registerDefaultOnboardingSteps(): void {\n if (registered) return;\n registered = true;\n registerOnboardingStep(llmStep);\n registerOnboardingStep(databaseStep);\n registerOnboardingStep(authStep);\n registerOnboardingStep(emailStep);\n}\n"]}
|
package/dist/server/auth.d.ts
CHANGED
|
@@ -259,7 +259,6 @@ export declare function setFrameworkSessionCookie(event: H3Event, token: string)
|
|
|
259
259
|
* Automatically configure auth based on environment and configuration:
|
|
260
260
|
*
|
|
261
261
|
* - **BYOA (custom getSession)**: Template-provided auth callback handles everything.
|
|
262
|
-
* - **ACCESS_TOKEN/ACCESS_TOKENS**: Simple token-based auth.
|
|
263
262
|
* - **Default**: Better Auth with email/password, social providers, organizations, and JWT.
|
|
264
263
|
* Users see an onboarding page to create an account on first visit.
|
|
265
264
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAyChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAwB5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAc7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAyChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAwB5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAc7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;AAqID,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI7D;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAgHD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAmnBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAY5E;AAgID,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;AAimCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAqKlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAMzE"}
|
package/dist/server/auth.js
CHANGED
|
@@ -428,17 +428,6 @@ function getAccessTokens() {
|
|
|
428
428
|
}
|
|
429
429
|
return tokens;
|
|
430
430
|
}
|
|
431
|
-
function safeTokenMatch(input, tokens) {
|
|
432
|
-
const inputBuf = Buffer.from(input);
|
|
433
|
-
for (const token of tokens) {
|
|
434
|
-
const tokenBuf = Buffer.from(token);
|
|
435
|
-
if (inputBuf.length === tokenBuf.length &&
|
|
436
|
-
crypto.timingSafeEqual(inputBuf, tokenBuf)) {
|
|
437
|
-
return true;
|
|
438
|
-
}
|
|
439
|
-
}
|
|
440
|
-
return false;
|
|
441
|
-
}
|
|
442
431
|
function getBearerSessionToken(event) {
|
|
443
432
|
const auth = getHeader(event, "authorization");
|
|
444
433
|
if (!auth)
|
|
@@ -1546,43 +1535,15 @@ function stripAppBasePath(pathname) {
|
|
|
1546
1535
|
return pathname;
|
|
1547
1536
|
}
|
|
1548
1537
|
// ---------------------------------------------------------------------------
|
|
1549
|
-
//
|
|
1538
|
+
// Fallback login page HTML (custom auth with no login page configured)
|
|
1550
1539
|
// ---------------------------------------------------------------------------
|
|
1551
|
-
function
|
|
1552
|
-
if (process.env.AGENT_NATIVE_WORKSPACE !== "1" &&
|
|
1553
|
-
process.env.VITE_AGENT_NATIVE_WORKSPACE !== "1") {
|
|
1554
|
-
return "";
|
|
1555
|
-
}
|
|
1556
|
-
if (!requestPath || !requestPath.startsWith("/"))
|
|
1557
|
-
return "";
|
|
1558
|
-
const firstSegment = requestPath.split(/[/?#]/)[1];
|
|
1559
|
-
if (!firstSegment)
|
|
1560
|
-
return "";
|
|
1561
|
-
const reservedRootPaths = new Set([
|
|
1562
|
-
"_agent-native",
|
|
1563
|
-
".well-known",
|
|
1564
|
-
"api",
|
|
1565
|
-
"login",
|
|
1566
|
-
"signup",
|
|
1567
|
-
"apps",
|
|
1568
|
-
"new-app",
|
|
1569
|
-
"approval",
|
|
1570
|
-
"extensions",
|
|
1571
|
-
]);
|
|
1572
|
-
if (reservedRootPaths.has(firstSegment))
|
|
1573
|
-
return "";
|
|
1574
|
-
if (!isValidWorkspaceAppIdFormat(firstSegment))
|
|
1575
|
-
return "";
|
|
1576
|
-
return `/${firstSegment}`;
|
|
1577
|
-
}
|
|
1578
|
-
function getTokenLoginHtml(options = {}) {
|
|
1579
|
-
const configuredBasePath = getAppBasePath() || inferWorkspaceBasePathFromRequest(options.requestPath);
|
|
1540
|
+
function getCustomAuthRequiredHtml() {
|
|
1580
1541
|
return `<!DOCTYPE html>
|
|
1581
1542
|
<html lang="en">
|
|
1582
1543
|
<head>
|
|
1583
1544
|
<meta charset="UTF-8">
|
|
1584
1545
|
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
|
|
1585
|
-
<title>
|
|
1546
|
+
<title>Authentication required</title>
|
|
1586
1547
|
<style>
|
|
1587
1548
|
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
|
|
1588
1549
|
:root {
|
|
@@ -1595,18 +1556,10 @@ function getTokenLoginHtml(options = {}) {
|
|
|
1595
1556
|
--text: #f4f4f5;
|
|
1596
1557
|
--muted: #a1a1aa;
|
|
1597
1558
|
--subtle: #71717a;
|
|
1598
|
-
--error: #fca5a5;
|
|
1599
|
-
--error-bg: rgba(127,29,29,0.18);
|
|
1600
|
-
--success: #86efac;
|
|
1601
|
-
--success-bg: rgba(20,83,45,0.2);
|
|
1602
|
-
--info: #c4b5fd;
|
|
1603
|
-
--info-bg: rgba(76,29,149,0.18);
|
|
1604
1559
|
}
|
|
1605
1560
|
body {
|
|
1606
1561
|
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
|
|
1607
|
-
background:
|
|
1608
|
-
radial-gradient(circle at top left, rgba(63,63,70,0.24), transparent 32rem),
|
|
1609
|
-
linear-gradient(180deg, #111114 0%, var(--bg) 58%);
|
|
1562
|
+
background: linear-gradient(180deg, #111114 0%, var(--bg) 58%);
|
|
1610
1563
|
color: var(--text);
|
|
1611
1564
|
display: flex;
|
|
1612
1565
|
align-items: center;
|
|
@@ -1650,107 +1603,11 @@ function getTokenLoginHtml(options = {}) {
|
|
|
1650
1603
|
font-size: 0.9375rem;
|
|
1651
1604
|
line-height: 1.55;
|
|
1652
1605
|
}
|
|
1653
|
-
label {
|
|
1654
|
-
display: flex;
|
|
1655
|
-
align-items: baseline;
|
|
1656
|
-
justify-content: space-between;
|
|
1657
|
-
gap: 0.75rem;
|
|
1658
|
-
font-size: 0.8125rem;
|
|
1659
|
-
color: var(--muted);
|
|
1660
|
-
margin-bottom: 0.375rem;
|
|
1661
|
-
}
|
|
1662
|
-
label span:last-child {
|
|
1663
|
-
color: var(--subtle);
|
|
1664
|
-
font-size: 0.75rem;
|
|
1665
|
-
}
|
|
1666
|
-
.input-wrap { position: relative; }
|
|
1667
|
-
input {
|
|
1668
|
-
width: 100%;
|
|
1669
|
-
min-height: 2.75rem;
|
|
1670
|
-
padding: 0.625rem 0.75rem;
|
|
1671
|
-
background: #0f0f12;
|
|
1672
|
-
border: 1px solid var(--border);
|
|
1673
|
-
border-radius: 8px;
|
|
1674
|
-
color: var(--text);
|
|
1675
|
-
font-size: 0.9375rem;
|
|
1676
|
-
outline: none;
|
|
1677
|
-
}
|
|
1678
|
-
input:focus {
|
|
1679
|
-
border-color: var(--border-strong);
|
|
1680
|
-
box-shadow: 0 0 0 3px rgba(255,255,255,0.08);
|
|
1681
|
-
}
|
|
1682
|
-
input::placeholder { color: #52525b; }
|
|
1683
|
-
button {
|
|
1684
|
-
width: 100%;
|
|
1685
|
-
min-height: 2.75rem;
|
|
1686
|
-
margin-top: 1rem;
|
|
1687
|
-
padding: 0.625rem 0.875rem;
|
|
1688
|
-
background: var(--text);
|
|
1689
|
-
color: #000;
|
|
1690
|
-
border: none;
|
|
1691
|
-
border-radius: 8px;
|
|
1692
|
-
font-size: 0.9375rem;
|
|
1693
|
-
font-weight: 600;
|
|
1694
|
-
cursor: pointer;
|
|
1695
|
-
transition: transform 120ms ease, opacity 120ms ease, background 120ms ease;
|
|
1696
|
-
}
|
|
1697
|
-
button:hover:not(:disabled) { background: #e4e4e7; transform: translateY(-1px); }
|
|
1698
|
-
button:disabled { opacity: 0.55; cursor: wait; }
|
|
1699
1606
|
.hint {
|
|
1700
|
-
margin-top: 0.75rem;
|
|
1701
|
-
color: var(--subtle);
|
|
1702
|
-
font-size: 0.8125rem;
|
|
1703
|
-
line-height: 1.45;
|
|
1704
|
-
}
|
|
1705
|
-
.msg {
|
|
1706
|
-
display: none;
|
|
1707
|
-
margin-top: 0.875rem;
|
|
1708
|
-
padding: 0.75rem;
|
|
1709
|
-
border-radius: 8px;
|
|
1710
|
-
font-size: 0.8125rem;
|
|
1711
|
-
line-height: 1.45;
|
|
1712
|
-
}
|
|
1713
|
-
.msg.show { display: block; }
|
|
1714
|
-
.msg.error {
|
|
1715
|
-
color: var(--error);
|
|
1716
|
-
background: var(--error-bg);
|
|
1717
|
-
border: 1px solid rgba(248,113,113,0.22);
|
|
1718
|
-
}
|
|
1719
|
-
.msg.success {
|
|
1720
|
-
color: var(--success);
|
|
1721
|
-
background: var(--success-bg);
|
|
1722
|
-
border: 1px solid rgba(74,222,128,0.18);
|
|
1723
|
-
}
|
|
1724
|
-
.msg.info {
|
|
1725
|
-
color: var(--info);
|
|
1726
|
-
background: var(--info-bg);
|
|
1727
|
-
border: 1px solid rgba(167,139,250,0.2);
|
|
1728
|
-
}
|
|
1729
|
-
details {
|
|
1730
1607
|
margin-top: 1rem;
|
|
1731
|
-
padding-top: 1rem;
|
|
1732
|
-
border-top: 1px solid var(--border);
|
|
1733
|
-
}
|
|
1734
|
-
summary {
|
|
1735
|
-
cursor: pointer;
|
|
1736
|
-
color: var(--muted);
|
|
1737
|
-
font-size: 0.8125rem;
|
|
1738
|
-
font-weight: 600;
|
|
1739
|
-
}
|
|
1740
|
-
details p {
|
|
1741
|
-
margin-top: 0.75rem;
|
|
1742
1608
|
color: var(--subtle);
|
|
1743
1609
|
font-size: 0.8125rem;
|
|
1744
|
-
line-height: 1.
|
|
1745
|
-
}
|
|
1746
|
-
code {
|
|
1747
|
-
color: #e4e4e7;
|
|
1748
|
-
background: var(--panel-soft);
|
|
1749
|
-
border: 1px solid var(--border);
|
|
1750
|
-
border-radius: 5px;
|
|
1751
|
-
padding: 0.075rem 0.25rem;
|
|
1752
|
-
font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
|
|
1753
|
-
font-size: 0.78rem;
|
|
1610
|
+
line-height: 1.45;
|
|
1754
1611
|
}
|
|
1755
1612
|
@media (max-width: 480px) {
|
|
1756
1613
|
.card { padding: 1.5rem; }
|
|
@@ -1760,118 +1617,11 @@ function getTokenLoginHtml(options = {}) {
|
|
|
1760
1617
|
</head>
|
|
1761
1618
|
<body>
|
|
1762
1619
|
<div class="card">
|
|
1763
|
-
<div class="eyebrow">
|
|
1764
|
-
<h1>
|
|
1765
|
-
<p class="intro">
|
|
1766
|
-
<
|
|
1767
|
-
<label for="token"><span>App ACCESS_TOKEN</span><span>Required</span></label>
|
|
1768
|
-
<div class="input-wrap">
|
|
1769
|
-
<input id="token" type="password" autocomplete="current-password" autofocus placeholder="Paste the shared app token" />
|
|
1770
|
-
</div>
|
|
1771
|
-
<button id="submit" type="submit">Continue</button>
|
|
1772
|
-
<p class="hint">If someone sent you this app, ask them for the shared app token. If you own the deploy, use the exact value saved as <code>ACCESS_TOKEN</code> or one of <code>ACCESS_TOKENS</code>.</p>
|
|
1773
|
-
<p class="msg error" id="msg" role="alert"></p>
|
|
1774
|
-
</form>
|
|
1775
|
-
<details>
|
|
1776
|
-
<summary>Where do I find this?</summary>
|
|
1777
|
-
<p>Create or copy the app's shared token from your deployment environment variables. The key should be <code>ACCESS_TOKEN</code> for one token or <code>ACCESS_TOKENS</code> for a comma-separated list. Redeploy after changing it.</p>
|
|
1778
|
-
</details>
|
|
1620
|
+
<div class="eyebrow">Authentication required</div>
|
|
1621
|
+
<h1>Sign in is not configured</h1>
|
|
1622
|
+
<p class="intro">This route requires an authenticated session, but this app's custom auth plugin did not provide a sign-in page.</p>
|
|
1623
|
+
<p class="hint">If this route should be public, add it to the auth plugin's public route configuration. Otherwise configure a custom sign-in page for this app.</p>
|
|
1779
1624
|
</div>
|
|
1780
|
-
<script>
|
|
1781
|
-
var configuredBasePath = ${JSON.stringify(configuredBasePath)};
|
|
1782
|
-
function __anBasePath() {
|
|
1783
|
-
if (
|
|
1784
|
-
configuredBasePath &&
|
|
1785
|
-
(window.location.pathname === configuredBasePath ||
|
|
1786
|
-
window.location.pathname.indexOf(configuredBasePath + '/') === 0)
|
|
1787
|
-
) {
|
|
1788
|
-
return configuredBasePath;
|
|
1789
|
-
}
|
|
1790
|
-
var marker = '/_agent-native';
|
|
1791
|
-
var idx = window.location.pathname.indexOf(marker);
|
|
1792
|
-
return idx > 0 ? window.location.pathname.slice(0, idx) : '';
|
|
1793
|
-
}
|
|
1794
|
-
function __anPath(path) {
|
|
1795
|
-
return __anBasePath() + path;
|
|
1796
|
-
}
|
|
1797
|
-
function setMessage(kind, text) {
|
|
1798
|
-
var msg = document.getElementById('msg');
|
|
1799
|
-
msg.textContent = text;
|
|
1800
|
-
msg.className = 'msg ' + kind + ' show';
|
|
1801
|
-
}
|
|
1802
|
-
function clearMessage() {
|
|
1803
|
-
var msg = document.getElementById('msg');
|
|
1804
|
-
msg.textContent = '';
|
|
1805
|
-
msg.className = 'msg error';
|
|
1806
|
-
}
|
|
1807
|
-
function setBusy(isBusy) {
|
|
1808
|
-
var button = document.getElementById('submit');
|
|
1809
|
-
var input = document.getElementById('token');
|
|
1810
|
-
button.disabled = isBusy;
|
|
1811
|
-
input.disabled = isBusy;
|
|
1812
|
-
button.textContent = isBusy ? 'Checking...' : 'Continue';
|
|
1813
|
-
}
|
|
1814
|
-
async function readJsonSafely(res) {
|
|
1815
|
-
try {
|
|
1816
|
-
return await res.json();
|
|
1817
|
-
} catch (_err) {
|
|
1818
|
-
return null;
|
|
1819
|
-
}
|
|
1820
|
-
}
|
|
1821
|
-
async function verifySession() {
|
|
1822
|
-
var res = await fetch(__anPath('/_agent-native/auth/session'), {
|
|
1823
|
-
method: 'GET',
|
|
1824
|
-
credentials: 'same-origin',
|
|
1825
|
-
cache: 'no-store',
|
|
1826
|
-
headers: { 'Accept': 'application/json' },
|
|
1827
|
-
});
|
|
1828
|
-
if (!res.ok) return false;
|
|
1829
|
-
var data = await readJsonSafely(res);
|
|
1830
|
-
return !!data && !data.error;
|
|
1831
|
-
}
|
|
1832
|
-
document.getElementById('form').addEventListener('submit', async (e) => {
|
|
1833
|
-
e.preventDefault();
|
|
1834
|
-
var token = document.getElementById('token').value.trim();
|
|
1835
|
-
if (!token) {
|
|
1836
|
-
setMessage('error', 'Paste the shared app token to continue.');
|
|
1837
|
-
return;
|
|
1838
|
-
}
|
|
1839
|
-
clearMessage();
|
|
1840
|
-
setBusy(true);
|
|
1841
|
-
setMessage('info', 'Checking the app token...');
|
|
1842
|
-
try {
|
|
1843
|
-
var res = await fetch(__anPath('/_agent-native/auth/login'), {
|
|
1844
|
-
method: 'POST',
|
|
1845
|
-
headers: {
|
|
1846
|
-
'Content-Type': 'application/json',
|
|
1847
|
-
'Accept': 'application/json',
|
|
1848
|
-
},
|
|
1849
|
-
credentials: 'same-origin',
|
|
1850
|
-
body: JSON.stringify({ token: token }),
|
|
1851
|
-
});
|
|
1852
|
-
if (!res.ok) {
|
|
1853
|
-
var badTokenMessage = 'That token was not accepted. Use this app\\'s shared ACCESS_TOKEN, not your deploy provider account token.';
|
|
1854
|
-
if (res.status === 404) {
|
|
1855
|
-
badTokenMessage = 'Could not reach this app\\'s auth endpoint. If this app is mounted under a path, confirm APP_BASE_PATH and VITE_APP_BASE_PATH match the deploy path.';
|
|
1856
|
-
}
|
|
1857
|
-
setMessage('error', badTokenMessage);
|
|
1858
|
-
setBusy(false);
|
|
1859
|
-
return;
|
|
1860
|
-
}
|
|
1861
|
-
var hasSession = await verifySession();
|
|
1862
|
-
if (!hasSession) {
|
|
1863
|
-
setMessage('error', 'The token was accepted, but the browser did not keep the session cookie. Try opening the app in a new tab, or check cookie restrictions for this domain.');
|
|
1864
|
-
setBusy(false);
|
|
1865
|
-
return;
|
|
1866
|
-
}
|
|
1867
|
-
setMessage('success', 'Signed in. Opening the app...');
|
|
1868
|
-
window.location.replace(window.location.href);
|
|
1869
|
-
} catch (_err) {
|
|
1870
|
-
setMessage('error', 'Could not contact the auth endpoint. Check the deploy status, then try again.');
|
|
1871
|
-
setBusy(false);
|
|
1872
|
-
}
|
|
1873
|
-
});
|
|
1874
|
-
</script>
|
|
1875
1625
|
</body>
|
|
1876
1626
|
</html>`;
|
|
1877
1627
|
}
|
|
@@ -2196,7 +1946,6 @@ async function mountBetterAuthRoutes(app, options) {
|
|
|
2196
1946
|
});
|
|
2197
1947
|
return { token: entry.token, email: entry.email };
|
|
2198
1948
|
}));
|
|
2199
|
-
const accessTokens = getAccessTokens();
|
|
2200
1949
|
// Initialize Better Auth. Forward `googleScopes` into the BetterAuthConfig
|
|
2201
1950
|
// so the social provider requests the broader product scopes (Gmail,
|
|
2202
1951
|
// Calendar, etc.) up front during the primary sign-in — eliminating the
|
|
@@ -2392,19 +2141,6 @@ async function mountBetterAuthRoutes(app, options) {
|
|
|
2392
2141
|
return { error: "Method not allowed" };
|
|
2393
2142
|
}
|
|
2394
2143
|
const body = await readBody(event);
|
|
2395
|
-
// Legacy ACCESS_TOKEN login
|
|
2396
|
-
if (body?.token &&
|
|
2397
|
-
typeof body.token === "string" &&
|
|
2398
|
-
accessTokens.length > 0) {
|
|
2399
|
-
if (!safeTokenMatch(body.token, accessTokens)) {
|
|
2400
|
-
setResponseStatus(event, 401);
|
|
2401
|
-
return { error: "Invalid token" };
|
|
2402
|
-
}
|
|
2403
|
-
const sessionToken = crypto.randomBytes(32).toString("hex");
|
|
2404
|
-
await addSession(sessionToken, "user");
|
|
2405
|
-
setFrameworkSessionCookie(event, sessionToken);
|
|
2406
|
-
return authLoginResponse(event, sessionToken, "user");
|
|
2407
|
-
}
|
|
2408
2144
|
// Email/password login via Better Auth
|
|
2409
2145
|
const email = body?.email?.trim?.()?.toLowerCase?.();
|
|
2410
2146
|
const password = body?.password;
|
|
@@ -2601,59 +2337,6 @@ async function mountBetterAuthRoutes(app, options) {
|
|
|
2601
2337
|
app.use(defineEventHandler(guardFn));
|
|
2602
2338
|
}
|
|
2603
2339
|
// ---------------------------------------------------------------------------
|
|
2604
|
-
// mountTokenOnlyRoutes — ACCESS_TOKEN-only auth (no Better Auth)
|
|
2605
|
-
// ---------------------------------------------------------------------------
|
|
2606
|
-
function mountTokenOnlyRoutes(app, accessTokens, publicPaths = [], workspaceAppAudience = resolveWorkspaceAppAudience(), workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess()) {
|
|
2607
|
-
app.use("/_agent-native/auth/login", defineEventHandler(async (event) => {
|
|
2608
|
-
if (getMethod(event) !== "POST") {
|
|
2609
|
-
setResponseStatus(event, 405);
|
|
2610
|
-
return { error: "Method not allowed" };
|
|
2611
|
-
}
|
|
2612
|
-
const body = await readBody(event);
|
|
2613
|
-
if (!body?.token ||
|
|
2614
|
-
typeof body.token !== "string" ||
|
|
2615
|
-
!safeTokenMatch(body.token, accessTokens)) {
|
|
2616
|
-
setResponseStatus(event, 401);
|
|
2617
|
-
return { error: "Invalid token" };
|
|
2618
|
-
}
|
|
2619
|
-
const sessionToken = crypto.randomBytes(32).toString("hex");
|
|
2620
|
-
await addSession(sessionToken, "user");
|
|
2621
|
-
setFrameworkSessionCookie(event, sessionToken);
|
|
2622
|
-
return authLoginResponse(event, sessionToken, "user");
|
|
2623
|
-
}));
|
|
2624
|
-
app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
|
|
2625
|
-
for (const cookie of getFrameworkSessionCookieValues(event)) {
|
|
2626
|
-
await removeSession(cookie);
|
|
2627
|
-
}
|
|
2628
|
-
const bearerToken = getBearerSessionToken(event);
|
|
2629
|
-
if (bearerToken)
|
|
2630
|
-
await removeSession(bearerToken);
|
|
2631
|
-
clearFrameworkSessionCookies(event);
|
|
2632
|
-
if (isElectronRequest(event))
|
|
2633
|
-
await clearDesktopSso();
|
|
2634
|
-
return { ok: true };
|
|
2635
|
-
}));
|
|
2636
|
-
app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
|
|
2637
|
-
if (!isReadMethod(event)) {
|
|
2638
|
-
setResponseStatus(event, 405);
|
|
2639
|
-
return { error: "Method not allowed" };
|
|
2640
|
-
}
|
|
2641
|
-
const session = await getSession(event);
|
|
2642
|
-
return session ?? { error: "Not authenticated" };
|
|
2643
|
-
}));
|
|
2644
|
-
_authGuardConfig = {
|
|
2645
|
-
loginHtml: getTokenLoginHtml(),
|
|
2646
|
-
getLoginHtml: (_event, rawPath) => getTokenLoginHtml({ requestPath: rawPath }),
|
|
2647
|
-
publicPaths,
|
|
2648
|
-
workspaceAppAudience,
|
|
2649
|
-
workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,
|
|
2650
|
-
workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,
|
|
2651
|
-
};
|
|
2652
|
-
const guardFn = createAuthGuardFn();
|
|
2653
|
-
_authGuardFn = guardFn;
|
|
2654
|
-
app.use(defineEventHandler(guardFn));
|
|
2655
|
-
}
|
|
2656
|
-
// ---------------------------------------------------------------------------
|
|
2657
2340
|
// mountAuthFallbackRoutes — minimal auth endpoints when Better Auth init fails
|
|
2658
2341
|
// ---------------------------------------------------------------------------
|
|
2659
2342
|
function mountAuthFallbackRoutes(app) {
|
|
@@ -2765,7 +2448,6 @@ function mountAuthFallbackRoutes(app) {
|
|
|
2765
2448
|
* Automatically configure auth based on environment and configuration:
|
|
2766
2449
|
*
|
|
2767
2450
|
* - **BYOA (custom getSession)**: Template-provided auth callback handles everything.
|
|
2768
|
-
* - **ACCESS_TOKEN/ACCESS_TOKENS**: Simple token-based auth.
|
|
2769
2451
|
* - **Default**: Better Auth with email/password, social providers, organizations, and JWT.
|
|
2770
2452
|
* Users see an onboarding page to create an account on first visit.
|
|
2771
2453
|
*
|
|
@@ -2872,13 +2554,13 @@ export async function autoMountAuth(app, options = {}) {
|
|
|
2872
2554
|
await clearDesktopSso();
|
|
2873
2555
|
return { ok: true };
|
|
2874
2556
|
}));
|
|
2875
|
-
const byoaLoginHtml = options.loginHtml ??
|
|
2557
|
+
const byoaLoginHtml = options.loginHtml ?? getCustomAuthRequiredHtml();
|
|
2876
2558
|
_authGuardConfig = {
|
|
2877
2559
|
loginHtml: byoaLoginHtml,
|
|
2878
2560
|
...(options.loginHtml
|
|
2879
2561
|
? {}
|
|
2880
2562
|
: {
|
|
2881
|
-
getLoginHtml: (
|
|
2563
|
+
getLoginHtml: () => getCustomAuthRequiredHtml(),
|
|
2882
2564
|
}),
|
|
2883
2565
|
publicPaths,
|
|
2884
2566
|
workspaceAppAudience,
|
|
@@ -2892,14 +2574,6 @@ export async function autoMountAuth(app, options = {}) {
|
|
|
2892
2574
|
console.log("[agent-native] Auth enabled — custom getSession provider.");
|
|
2893
2575
|
return true;
|
|
2894
2576
|
}
|
|
2895
|
-
// ACCESS_TOKEN-only mode
|
|
2896
|
-
const tokens = getAccessTokens();
|
|
2897
|
-
if (tokens.length > 0) {
|
|
2898
|
-
mountTokenOnlyRoutes(app, tokens, publicPaths, workspaceAppAudience, workspaceAppRouteAccess);
|
|
2899
|
-
if (process.env.DEBUG)
|
|
2900
|
-
console.log(`[agent-native] Auth enabled — ${tokens.length} access token(s) configured.`);
|
|
2901
|
-
return true;
|
|
2902
|
-
}
|
|
2903
2577
|
// Default: Better Auth (account-first)
|
|
2904
2578
|
try {
|
|
2905
2579
|
await mountBetterAuthRoutes(app, options);
|
|
@@ -2934,6 +2608,8 @@ export async function autoMountAuth(app, options = {}) {
|
|
|
2934
2608
|
* @deprecated Use `autoMountAuth(app, options?)` instead.
|
|
2935
2609
|
*/
|
|
2936
2610
|
export function mountAuthMiddleware(app, accessToken) {
|
|
2937
|
-
|
|
2611
|
+
void app;
|
|
2612
|
+
void accessToken;
|
|
2613
|
+
throw new Error("mountAuthMiddleware(accessToken) has been removed. Use createAuthPlugin() or autoMountAuth() with Better Auth, or a custom getSession provider.");
|
|
2938
2614
|
}
|
|
2939
2615
|
//# sourceMappingURL=auth.js.map
|