@aooth/auth-moost 0.1.21 → 0.1.22

package/dist/index.d.mts

@@ -1178,6 +1178,16 @@ interface AuthWfMfaEnrollState {
    */
   mode?: "required" | "optional" | "manage";
   done?: boolean;
+  /**
+   * Set by `enroll-send` when `resolveEnrollPreConfirmed` vouches that the
+   * staged sms/email address is verified-by-construction (e.g. the invited
+   * email the user just proved by redeeming the magic link delivered to it).
+   * `enroll-send` then skips the pincode dispatch and `enroll-confirm` runs
+   * its write-on-confirm tail with no code-entry pause. Server-only (decided
+   * by the resolver, never read from the wire); never set for TOTP —
+   * possession of an authenticator cannot be proven by construction.
+   */
+  preConfirmed?: boolean;
   /**
    * Gates the standalone `enroll-totp-qr` step (TOTP only). Set once the user
    * has been shown the QR/secret and clicked Continue, so the QR pause fires
@@ -2201,6 +2211,31 @@ declare class AuthWorkflow {
    * Reached from login.flow.
    */
   protected resolveEnrollment(_ctx: AuthWfCtx): NonNullable<AuthWfCtx["enrollment"]> | Promise<NonNullable<AuthWfCtx["enrollment"]>>;
+  /**
+   * Vouch that an MFA-enrolment address is verified-by-construction, skipping
+   * the pincode round-trip: `enroll-send` sends nothing and `enroll-confirm`
+   * writes the confirmed factor (+ `verifiedEmail` for email) with no
+   * code-entry pause. Asked once per dispatch with the staged transport +
+   * normalized address (ctx-first, extra positional args — same convention as
+   * `resolveOtpDisclosure`).
+   *
+   * Default `false` — every enrolment proves its address. The canonical
+   * override is the invite-accept case, where the user is inside the flow
+   * only because they redeemed a magic link delivered to that exact address
+   * minutes earlier (the same proof `activate-user` trusts to write
+   * `account.verifiedEmail`):
+   *
+   * ```ts
+   * protected resolveEnrollPreConfirmed(ctx: AuthWfCtx, method: MfaTransport, address: string) {
+   *   return !!ctx.accept && method === "email" && address === ctx.email;
+   * }
+   * ```
+   *
+   * Keep the equality check — the proof transfers ONLY to the address the
+   * magic link was delivered to; vouching for a different address the user
+   * typed would confirm an unproven inbox. Never asked for TOTP.
+   */
+  protected resolveEnrollPreConfirmed(_ctx: AuthWfCtx, _method: MfaTransport, _address: string): boolean | Promise<boolean>;
   /**
    * Resolve the finalize policy. Reached from login.flow. `auditLogin` is
    * dropped from the shape per §2 — audit moved out of the workflow layer.
@@ -2536,10 +2571,18 @@ declare class AuthWorkflow {
   protected mfaKindOf(methodName: string): MfaTransport | null;
   /**
    * Send an enrolment pincode and stamp `ctx.pincode.sentTo` with the masked
-   * recipient. Shared by `enrollAddress` (initial dispatch) and the resend
-   * path inside `enrollConfirm`.
+   * recipient. Reached only through {@link mintAndSendEnrollPincode}; kept
+   * separate as the delivery-only override seam.
    */
   protected sendEnrollPincode(ctx: AuthWfCtx, address: string, code: string): Promise<void>;
+  /**
+   * The single enrol-dispatch implementation: mint a fresh pin, arm the
+   * resend cooldown + the code-length form hint, and deliver the code.
+   * Shared by `enrollSend` (initial dispatch) and the resend arm inside
+   * `enrollConfirm`, so the arming policy cannot drift between first send
+   * and resend.
+   */
+  private mintAndSendEnrollPincode;
   /**
    * Drop the per-enrolment scratch fields (the `mfaEnroll` provisioning fields +
    * the pincode timers/`sentTo`) off ctx — the shared teardown used by the
@@ -2952,15 +2995,30 @@ declare class AuthWorkflow {
    */
   enrollPickMethod(ctx: AuthWfCtx): undefined | Promise<undefined>;
   /**
-   * Unified MFA-enrol phase 2 (collect sms/email address + send pincode).
-   * Not invoked for totp. Handles `skip` (opt-in) / `cancel` (manage) /
-   * `useDifferentMethod`. Validates the address server-side (the client
-   * `@ui.form.validate` hint is advisory), then STAGES the candidate value in
-   * wf-state (`m.address`) — the user record is written only on confirm
-   * (write-on-confirm), so an ADD leaves no partial row and a REPLACE keeps the
-   * old confirmed value live until the new code verifies in `enroll-confirm`.
-   */
-  enrollAddress(ctx: AuthWfCtx): Promise<undefined>;
+   * Unified MFA-enrol phase 2 (collect sms/email address). Not invoked for
+   * totp. Handles `skip` (opt-in) / `cancel` (manage) / `useDifferentMethod`.
+   * Validates the address server-side (the client `@ui.form.validate` hint is
+   * advisory), then STAGES the candidate value in wf-state (`m.address`) — the
+   * user record is written only on confirm (write-on-confirm), so an ADD
+   * leaves no partial row and a REPLACE keeps the old confirmed value live
+   * until the new code verifies in `enroll-confirm`. Collection ONLY: the
+   * pincode dispatch lives in `enroll-send` (same engine pass, no extra
+   * round-trip), so a consumer pre-seeding `mfaEnroll.address` — which skips
+   * this whole step via its schema condition — still gets exactly one code.
+   */
+  enrollAddress(ctx: AuthWfCtx): undefined;
+  /**
+   * Unified MFA-enrol dispatch (sms/email only) — the trio's ONLY pincode
+   * send. A separate step (the canonical "send if no pin" gate, mirroring
+   * `pincode-send`) so both address paths share one dispatch site: collected
+   * by `enroll-address`, or pre-seeded by a consumer (which skips
+   * `enroll-address` entirely — previously skipping the dispatch with it and
+   * stranding the user on a code form no code was sent for). Asks
+   * `resolveEnrollPreConfirmed` first: a verified-by-construction address
+   * (e.g. the invite email the magic link just proved) skips the round-trip —
+   * `enroll-confirm` then writes the factor without pausing.
+   */
+  enrollSend(ctx: AuthWfCtx): Promise<undefined>;
   /**
    * MFA-enrol TOTP QR step — shown on its OWN pause between method-pick and
    * code-entry (so the user scans first, types the code next). Idempotently
@@ -2985,6 +3043,16 @@ declare class AuthWorkflow {
    * a fresh row for an ADD.
    */
   enrollConfirm(ctx: AuthWfCtx): Promise<undefined>;
+  /**
+   * `enroll-confirm`'s write-on-confirm tail (uniform for ADD and REPLACE, all
+   * transports): the staged value (sms/email `address`, totp `secret`) is now
+   * proven — by a verified pincode/TOTP code, or vouched by
+   * `resolveEnrollPreConfirmed` — so upsert it as confirmed. `addMfaMethod`
+   * replaces any row of the same name, so a REPLACE atomically swaps in the
+   * new value with no pre-confirm clobber window, and an ADD creates the row
+   * fresh.
+   */
+  private confirmEnrolledFactor;
   /**
    * Promote a freshly-confirmed channel into its login-handle column so future
    * login + recovery resolve the account by it (`findByHandle`). Runs once,

package/dist/index.mjs

@@ -797,6 +797,10 @@ const enrollTrioSteps = [
 		id: "enroll-totp-qr",
 		condition: (ctx) => ctx.mfaEnroll?.method === "totp" && !ctx.mfaEnroll.qrSeen
 	},
+	{
+		id: "enroll-send",
+		condition: (ctx) => (ctx.mfaEnroll?.method === "sms" || ctx.mfaEnroll?.method === "email") && !!ctx.mfaEnroll.address && !ctx.mfaEnroll.done && !ctx.mfaEnroll.preConfirmed && !ctx.pin
+	},
 	{
 		id: "enroll-confirm",
 		condition: (ctx) => !!ctx.mfaEnroll?.method && (ctx.mfaEnroll.method === "totp" ? !!ctx.mfaEnroll.qrSeen : !!ctx.mfaEnroll.address) && !ctx.mfaEnroll.done
@@ -1414,6 +1418,33 @@ let AuthWorkflow = class AuthWorkflow {
 		};
 	}
 	/**
+	* Vouch that an MFA-enrolment address is verified-by-construction, skipping
+	* the pincode round-trip: `enroll-send` sends nothing and `enroll-confirm`
+	* writes the confirmed factor (+ `verifiedEmail` for email) with no
+	* code-entry pause. Asked once per dispatch with the staged transport +
+	* normalized address (ctx-first, extra positional args — same convention as
+	* `resolveOtpDisclosure`).
+	*
+	* Default `false` — every enrolment proves its address. The canonical
+	* override is the invite-accept case, where the user is inside the flow
+	* only because they redeemed a magic link delivered to that exact address
+	* minutes earlier (the same proof `activate-user` trusts to write
+	* `account.verifiedEmail`):
+	*
+	* ```ts
+	* protected resolveEnrollPreConfirmed(ctx: AuthWfCtx, method: MfaTransport, address: string) {
+	*   return !!ctx.accept && method === "email" && address === ctx.email;
+	* }
+	* ```
+	*
+	* Keep the equality check — the proof transfers ONLY to the address the
+	* magic link was delivered to; vouching for a different address the user
+	* typed would confirm an unproven inbox. Never asked for TOTP.
+	*/
+	resolveEnrollPreConfirmed(_ctx, _method, _address) {
+		return false;
+	}
+	/**
 	* Resolve the finalize policy. Reached from login.flow. `auditLogin` is
 	* dropped from the shape per §2 — audit moved out of the workflow layer.
 	*/
@@ -1968,8 +1999,8 @@ let AuthWorkflow = class AuthWorkflow {
 	}
 	/**
 	* Send an enrolment pincode and stamp `ctx.pincode.sentTo` with the masked
-	* recipient. Shared by `enrollAddress` (initial dispatch) and the resend
-	* path inside `enrollConfirm`.
+	* recipient. Reached only through {@link mintAndSendEnrollPincode}; kept
+	* separate as the delivery-only override seam.
 	*/
 	async sendEnrollPincode(ctx, address, code) {
 		const pincode = ctx.pincode ??= {};
@@ -1984,6 +2015,20 @@ let AuthWorkflow = class AuthWorkflow {
 		});
 	}
 	/**
+	* The single enrol-dispatch implementation: mint a fresh pin, arm the
+	* resend cooldown + the code-length form hint, and deliver the code.
+	* Shared by `enrollSend` (initial dispatch) and the resend arm inside
+	* `enrollConfirm`, so the arming policy cannot drift between first send
+	* and resend.
+	*/
+	async mintAndSendEnrollPincode(ctx, address) {
+		const code = this.mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
+		const pincode = ctx.pincode ??= {};
+		pincode.resendAllowedAt = Date.now() + this.opts.mfa.pincodeResendTimeoutMs;
+		pincode.codeLength = this.opts.mfa.pincodeLength;
+		await this.sendEnrollPincode(ctx, address, code);
+	}
+	/**
 	* Drop the per-enrolment scratch fields (the `mfaEnroll` provisioning fields +
 	* the pincode timers/`sentTo`) off ctx — the shared teardown used by the
 	* opt-in `skip` / `useDifferentMethod` arms and {@link cancelManageEnrollment}.
@@ -2000,6 +2045,7 @@ let AuthWorkflow = class AuthWorkflow {
 			delete m.secret;
 			delete m.uri;
 			delete m.qrSeen;
+			delete m.preConfirmed;
 		}
 		delete ctx.pin;
 		delete ctx.pinExpire;
@@ -3434,15 +3480,18 @@ let AuthWorkflow = class AuthWorkflow {
 		}
 	}
 	/**
-	* Unified MFA-enrol phase 2 (collect sms/email address + send pincode).
-	* Not invoked for totp. Handles `skip` (opt-in) / `cancel` (manage) /
-	* `useDifferentMethod`. Validates the address server-side (the client
-	* `@ui.form.validate` hint is advisory), then STAGES the candidate value in
-	* wf-state (`m.address`) — the user record is written only on confirm
-	* (write-on-confirm), so an ADD leaves no partial row and a REPLACE keeps the
-	* old confirmed value live until the new code verifies in `enroll-confirm`.
+	* Unified MFA-enrol phase 2 (collect sms/email address). Not invoked for
+	* totp. Handles `skip` (opt-in) / `cancel` (manage) / `useDifferentMethod`.
+	* Validates the address server-side (the client `@ui.form.validate` hint is
+	* advisory), then STAGES the candidate value in wf-state (`m.address`) — the
+	* user record is written only on confirm (write-on-confirm), so an ADD
+	* leaves no partial row and a REPLACE keeps the old confirmed value live
+	* until the new code verifies in `enroll-confirm`. Collection ONLY: the
+	* pincode dispatch lives in `enroll-send` (same engine pass, no extra
+	* round-trip), so a consumer pre-seeding `mfaEnroll.address` — which skips
+	* this whole step via its schema condition — still gets exactly one code.
 	*/
-	async enrollAddress(ctx) {
+	enrollAddress(ctx) {
 		this.requireSubject(ctx);
 		const m = ctx.mfaEnroll ??= {};
 		const mode = m.mode ?? "optional";
@@ -3465,13 +3514,29 @@ let AuthWorkflow = class AuthWorkflow {
 		const methodName = m.method;
 		const addrErr = this.validateMfaAddress(methodName, input.address);
 		if (addrErr) throw this.throwPublic(ctx, wf, { errors: { address: addrErr } });
-		const address = this.normalizeMfaAddress(methodName, input.address);
-		m.address = address;
-		const code = this.mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
-		const pincode = ctx.pincode ??= {};
-		pincode.resendAllowedAt = Date.now() + this.opts.mfa.pincodeResendTimeoutMs;
-		pincode.codeLength = this.opts.mfa.pincodeLength;
-		await this.sendEnrollPincode(ctx, address, code);
+		m.address = this.normalizeMfaAddress(methodName, input.address);
+	}
+	/**
+	* Unified MFA-enrol dispatch (sms/email only) — the trio's ONLY pincode
+	* send. A separate step (the canonical "send if no pin" gate, mirroring
+	* `pincode-send`) so both address paths share one dispatch site: collected
+	* by `enroll-address`, or pre-seeded by a consumer (which skips
+	* `enroll-address` entirely — previously skipping the dispatch with it and
+	* stranding the user on a code form no code was sent for). Asks
+	* `resolveEnrollPreConfirmed` first: a verified-by-construction address
+	* (e.g. the invite email the magic link just proved) skips the round-trip —
+	* `enroll-confirm` then writes the factor without pausing.
+	*/
+	async enrollSend(ctx) {
+		this.requireSubject(ctx);
+		const m = ctx.mfaEnroll ??= {};
+		const method = m.method;
+		const address = m.address;
+		if (await this.resolveEnrollPreConfirmed(ctx, method, address)) {
+			m.preConfirmed = true;
+			return;
+		}
+		await this.mintAndSendEnrollPincode(ctx, address);
 	}
 	/**
 	* MFA-enrol TOTP QR step — shown on its OWN pause between method-pick and
@@ -3512,8 +3577,11 @@ let AuthWorkflow = class AuthWorkflow {
 	*/
 	async enrollConfirm(ctx) {
 		this.requireSubject(ctx);
-		const username = ctx.subject;
 		const m = ctx.mfaEnroll ??= {};
+		if (m.preConfirmed && m.method !== "totp" && m.address) {
+			await this.confirmEnrolledFactor(ctx);
+			return;
+		}
 		const wf = this.useAtscriptWfPublic(ctx, this.opts.forms.enrollConfirm);
 		const action = wf.resolveAction();
 		if (this.handleEnrollExit(ctx, action)) return void 0;
@@ -3524,11 +3592,7 @@ let AuthWorkflow = class AuthWorkflow {
 				const waitSec = Math.ceil((cooldown - Date.now()) / 1e3);
 				throw this.throwPublic(ctx, wf, { formMessage: `Please wait ${waitSec}s before requesting another code` });
 			}
-			const code = this.mintPin(ctx, this.opts.mfa.pincodeLength, this.opts.mfa.pincodeTtlMs);
-			const pincode = ctx.pincode ??= {};
-			pincode.resendAllowedAt = Date.now() + this.opts.mfa.pincodeResendTimeoutMs;
-			pincode.codeLength = this.opts.mfa.pincodeLength;
-			await this.sendEnrollPincode(ctx, m.address, code);
+			await this.mintAndSendEnrollPincode(ctx, m.address);
 			return;
 		}
 		const input = wf.resolveInput();
@@ -3538,8 +3602,23 @@ let AuthWorkflow = class AuthWorkflow {
 			const pinErr = this.verifyPin(ctx, input.code);
 			if (pinErr) throw this.throwPublic(ctx, wf, { errors: pinErr });
 		}
+		await this.confirmEnrolledFactor(ctx);
+	}
+	/**
+	* `enroll-confirm`'s write-on-confirm tail (uniform for ADD and REPLACE, all
+	* transports): the staged value (sms/email `address`, totp `secret`) is now
+	* proven — by a verified pincode/TOTP code, or vouched by
+	* `resolveEnrollPreConfirmed` — so upsert it as confirmed. `addMfaMethod`
+	* replaces any row of the same name, so a REPLACE atomically swaps in the
+	* new value with no pre-confirm clobber window, and an ADD creates the row
+	* fresh.
+	*/
+	async confirmEnrolledFactor(ctx) {
+		this.requireSubject(ctx);
+		const username = ctx.subject;
+		const m = ctx.mfaEnroll ??= {};
 		const methodName = m.method;
-		const value = m.method === "totp" ? m.secret : m.address;
+		const value = methodName === "totp" ? m.secret : m.address;
 		await this.withStoreErrorTranslation(() => this.users.addMfaMethod(username, {
 			name: methodName,
 			value,
@@ -5077,8 +5156,16 @@ __decorate([
 	__decorateParam(0, WorkflowParam("context")),
 	__decorateMetadata("design:type", Function),
 	__decorateMetadata("design:paramtypes", [Object]),
-	__decorateMetadata("design:returntype", Promise)
+	__decorateMetadata("design:returntype", void 0)
 ], AuthWorkflow.prototype, "enrollAddress", null);
+__decorate([
+	Step("enroll-send"),
+	Public(),
+	__decorateParam(0, WorkflowParam("context")),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object]),
+	__decorateMetadata("design:returntype", Promise)
+], AuthWorkflow.prototype, "enrollSend", null);
 __decorate([
 	Step("enroll-totp-qr"),
 	Public(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.21",
+  "version": "0.1.22",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -59,10 +59,10 @@
   "dependencies": {
     "@atscript/moost-wf": "^0.1.100",
     "@wooksjs/http-body": "^0.7.19",
-    "@aooth/arbac-moost": "^0.1.21",
-    "@aooth/auth": "0.1.21",
-    "@aooth/idp": "0.1.21",
-    "@aooth/user": "0.1.21"
+    "@aooth/auth": "0.1.22",
+    "@aooth/arbac-moost": "^0.1.22",
+    "@aooth/user": "0.1.22",
+    "@aooth/idp": "0.1.22"
   },
   "devDependencies": {
     "@atscript/core": "^0.1.76",