@aooth/auth-moost 0.1.22 → 0.1.24

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.22",
+  "version": "0.1.24",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -57,18 +57,18 @@
     "access": "public"
   },
   "dependencies": {
-    "@atscript/moost-wf": "^0.1.100",
+    "@atscript/moost-wf": "^0.1.101",
     "@wooksjs/http-body": "^0.7.19",
-    "@aooth/auth": "0.1.22",
-    "@aooth/arbac-moost": "^0.1.22",
-    "@aooth/user": "0.1.22",
-    "@aooth/idp": "0.1.22"
+    "@aooth/arbac-moost": "^0.1.24",
+    "@aooth/idp": "0.1.24",
+    "@aooth/auth": "0.1.24",
+    "@aooth/user": "0.1.24"
   },
   "devDependencies": {
     "@atscript/core": "^0.1.76",
     "@atscript/typescript": "^0.1.76",
-    "@atscript/ui": "^0.1.100",
-    "@atscript/ui-fns": "^0.1.100",
+    "@atscript/ui": "^0.1.101",
+    "@atscript/ui-fns": "^0.1.101",
     "@moostjs/event-http": "^0.6.27",
     "@moostjs/event-wf": "^0.6.27",
     "moost": "^0.6.27",
@@ -76,7 +76,7 @@
     "wooks": "^0.7.19"
   },
   "peerDependencies": {
-    "@atscript/moost-wf": "^0.1.100",
+    "@atscript/moost-wf": "^0.1.101",
     "@atscript/typescript": "^0.1.76",
     "@moostjs/event-http": "^0.6.27",
     "@moostjs/event-wf": "^0.6.27",

package/src/atscript/models/forms.as

@@ -369,9 +369,13 @@ export interface InviteForm {
 @meta.description 'Pick how you would like to verify your identity.'
 @wf.context.pass 'public'
 export interface Select2faForm {
+    // sms/email options append the masked destination ("Email (ma•••@x.com)")
+    // so picking a method doubles as informed consent for the code dispatch —
+    // the user sees WHERE the code goes before it is sent (totp `masked` is
+    // always the empty string, so authenticator entries render bare).
     @ui.form.order 10
     @ui.form.type 'radio'
-    @ui.form.fn.options '(_, _d, ctx) => Array.isArray(ctx.public?.mfa?.enrolledMethods) ? ctx.public.mfa.enrolledMethods.map(m => ({ key: m.methodName, label: m.kind === "totp" ? "TOTP (Authenticator app)" : m.kind === "email" ? "Email" : m.kind === "sms" ? "SMS" : m.kind })) : []'
+    @ui.form.fn.options '(_, _d, ctx) => Array.isArray(ctx.public?.mfa?.enrolledMethods) ? ctx.public.mfa.enrolledMethods.map(m => ({ key: m.methodName, label: (m.kind === "totp" ? "TOTP (Authenticator app)" : m.kind === "email" ? "Email" : m.kind === "sms" ? "SMS" : m.kind) + (m.masked && (m.kind === "email" || m.kind === "sms") ? " (" + m.masked + ")" : "") })) : []'
     @meta.label 'MFA method'
     @meta.required
     methodName: string
@@ -668,6 +672,10 @@ export interface EnrollTotpQrForm {
  * - **Change / Remove** options come from `ctx.public.mfa.enrolledMethods`,
  *   with any transport in `ctx.public.manage.locked` omitted (a handle-bound
  *   factor the consumer forbids changing here — `lockedNote` explains why).
+ * - **Remove** options are also omitted when `ctx.public.manage.removeBlocked`
+ *   — the last confirmed factor under a `required` policy can never be
+ *   removed, so offering the operation would dead-end on a guard error
+ *   (`requiredNote` explains; Change stays available).
  *
  * A zero-MFA user never sees this form — the flow routes straight to the
  * enrol picker (first-time opt-in).
@@ -682,9 +690,14 @@ export interface ManageMfaForm {
     @ui.form.fn.hidden '(_, _d, ctx) => (ctx.public?.manage?.locked?.length ?? 0) === 0'
     lockedNote: ui.paragraph
 
+    @ui.form.order 6
+    @ui.form.fn.value '(_, _d, ctx) => ctx.public?.manage?.removeBlocked ? "Two-factor authentication is required for your account, so your last method can be changed but not removed." : ""'
+    @ui.form.fn.hidden '(_, _d, ctx) => !ctx.public?.manage?.removeBlocked'
+    requiredNote: ui.paragraph
+
     @ui.form.order 10
     @ui.form.type 'radio'
-    @ui.form.fn.options '(_, _d, ctx) => { const lbl = (t) => t === "totp" ? "authenticator app" : t === "sms" ? "SMS" : t === "email" ? "email" : t; const locked = ctx.public?.manage?.locked ?? []; const out = []; for (const t of (ctx.public?.manage?.candidates ?? [])) out.push({ key: "add:" + t, label: "Add " + lbl(t) }); for (const m of (ctx.public?.mfa?.enrolledMethods ?? [])) { if (locked.includes(m.kind)) continue; out.push({ key: "replace:" + m.kind, label: "Change " + lbl(m.kind) + (m.masked ? " (" + m.masked + ")" : "") }); out.push({ key: "remove:" + m.kind, label: "Remove " + lbl(m.kind) }); } return out; }'
+    @ui.form.fn.options '(_, _d, ctx) => { const lbl = (t) => t === "totp" ? "authenticator app" : t === "sms" ? "SMS" : t === "email" ? "email" : t; const locked = ctx.public?.manage?.locked ?? []; const out = []; for (const t of (ctx.public?.manage?.candidates ?? [])) out.push({ key: "add:" + t, label: "Add " + lbl(t) }); for (const m of (ctx.public?.mfa?.enrolledMethods ?? [])) { if (locked.includes(m.kind)) continue; out.push({ key: "replace:" + m.kind, label: "Change " + lbl(m.kind) + (m.masked ? " (" + m.masked + ")" : "") }); if (!ctx.public?.manage?.removeBlocked) out.push({ key: "remove:" + m.kind, label: "Remove " + lbl(m.kind) }); } return out; }'
     @meta.label 'What would you like to do?'
     @meta.required
     operation: string
@@ -745,6 +758,36 @@ export interface PasswordReauthForm {
     cancel?: ui.action
 }
 
+/**
+ * Manage-MFA step-up consent — the `manage-stepup-confirm` pause shown BEFORE
+ * the step-up pincode dispatch, so opening the manage dialog never emails /
+ * texts the user as a side effect (a user who opened it by mistake closes it
+ * with zero codes consumed). Fieldless apart from the notice: the primary
+ * submit ('Continue') consents and the SAME engine pass mints + sends the
+ * code; `useDifferentMethod` re-opens the factor picker (`select-2fa`, whose
+ * masked-destination options make the pick itself the consent); the hidden
+ * `cancel` aborts with nothing dispatched. Not rendered for TOTP step-up
+ * (nothing to send) or when `resolveStepUpConfirmBeforeSend` opts out.
+ */
+@meta.label 'Verify your identity'
+@wf.context.pass 'public'
+@ui.form.submit.text 'Continue'
+export interface StepUpConfirmForm {
+    @ui.form.order 1
+    @ui.form.fn.value '(_, _d, ctx) => { const kind = ctx.public?.mfa?.method; const m = (ctx.public?.mfa?.enrolledMethods ?? []).find(e => e.kind === kind); const to = m && m.masked ? " to " + m.masked : kind === "sms" ? " to your phone" : " to your email"; return "To continue, we will send a verification code" + to + "."; }'
+    notice: ui.paragraph
+
+    @ui.form.action 'useDifferentMethod', 'Use a different method'
+    @ui.form.fn.hidden '(_, _d, ctx) => (ctx.public?.mfa?.methodCount ?? 0) < 2'
+    useDifferentMethod?: ui.action
+
+    // Hidden built-in cancel — host renders its own and fires `cancel` on
+    // abandon (so the durable wf-state row is cleaned, not left to expire).
+    @ui.form.action 'cancel', 'Cancel'
+    @ui.form.fn.hidden '() => true'
+    cancel?: ui.action
+}
+
 /**
  * Standalone consent-bump prompt. Fires for returning users with pending
  * consents (set by `prepare-consents` from `ConsentStore.getPendingConsents`)

package/src/atscript/models/forms.as.d.ts

@@ -154,7 +154,7 @@ export declare class Select2faForm {
 
 /**
  * Atscript interface **PincodeForm**
- * @see {@link ./forms.as:417:18}
+ * @see {@link ./forms.as:421:18}
  */
 export declare class PincodeForm {
   // transportHint: ui.paragraph
@@ -175,7 +175,7 @@ export declare class PincodeForm {
 
 /**
  * Atscript interface **AskEmailForm**
- * @see {@link ./forms.as:456:18}
+ * @see {@link ./forms.as:460:18}
  */
 export declare class AskEmailForm extends WithInlineConsentForm {
   // disclosure: ui.paragraph
@@ -192,7 +192,7 @@ export declare class AskEmailForm extends WithInlineConsentForm {
 
 /**
  * Atscript interface **AskPhoneForm**
- * @see {@link ./forms.as:486:18}
+ * @see {@link ./forms.as:490:18}
  */
 export declare class AskPhoneForm extends WithInlineConsentForm {
   // disclosure: ui.paragraph
@@ -209,7 +209,7 @@ export declare class AskPhoneForm extends WithInlineConsentForm {
 
 /**
  * Atscript interface **EnrollPickMethodForm**
- * @see {@link ./forms.as:510:18}
+ * @see {@link ./forms.as:514:18}
  */
 export declare class EnrollPickMethodForm {
   method: string
@@ -227,7 +227,7 @@ export declare class EnrollPickMethodForm {
 
 /**
  * Atscript interface **EnrollAddressForm**
- * @see {@link ./forms.as:544:18}
+ * @see {@link ./forms.as:548:18}
  */
 export declare class EnrollAddressForm {
   address: string
@@ -246,7 +246,7 @@ export declare class EnrollAddressForm {
 
 /**
  * Atscript interface **EnrollConfirmForm**
- * @see {@link ./forms.as:590:18}
+ * @see {@link ./forms.as:594:18}
  */
 export declare class EnrollConfirmForm {
   // transportHint: ui.paragraph
@@ -267,7 +267,7 @@ export declare class EnrollConfirmForm {
 
 /**
  * Atscript interface **EnrollTotpQrForm**
- * @see {@link ./forms.as:640:18}
+ * @see {@link ./forms.as:644:18}
  */
 export declare class EnrollTotpQrForm {
   // qrCode: ui.paragraph
@@ -286,10 +286,11 @@ export declare class EnrollTotpQrForm {
 
 /**
  * Atscript interface **ManageMfaForm**
- * @see {@link ./forms.as:679:18}
+ * @see {@link ./forms.as:687:18}
  */
 export declare class ManageMfaForm {
   // lockedNote: ui.paragraph
+  // requiredNote: ui.paragraph
   operation: string
   // cancel: ui.action
   static __is_atscript_annotated_type: true
@@ -304,7 +305,7 @@ export declare class ManageMfaForm {
 
 /**
  * Atscript interface **RemoveMfaConfirmForm**
- * @see {@link ./forms.as:708:18}
+ * @see {@link ./forms.as:721:18}
  */
 export declare class RemoveMfaConfirmForm {
   // notice: ui.paragraph
@@ -321,7 +322,7 @@ export declare class RemoveMfaConfirmForm {
 
 /**
  * Atscript interface **PasswordReauthForm**
- * @see {@link ./forms.as:731:18}
+ * @see {@link ./forms.as:744:18}
  */
 export declare class PasswordReauthForm {
   password: string
@@ -336,9 +337,27 @@ export declare class PasswordReauthForm {
   static toExampleData?: () => any
 }
 
+/**
+ * Atscript interface **StepUpConfirmForm**
+ * @see {@link ./forms.as:775:18}
+ */
+export declare class StepUpConfirmForm {
+  // notice: ui.paragraph
+  // useDifferentMethod: ui.action
+  // cancel: ui.action
+  static __is_atscript_annotated_type: true
+  static type: TAtscriptTypeObject<keyof StepUpConfirmForm, StepUpConfirmForm>
+  static metadata: TMetadataMap<AtscriptMetadata>
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof StepUpConfirmForm>
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any
+}
+
 /**
  * Atscript interface **TermsBumpForm**
- * @see {@link ./forms.as:760:18}
+ * @see {@link ./forms.as:803:18}
  */
 export declare class TermsBumpForm extends WithInlineConsentForm {
   static __is_atscript_annotated_type: true
@@ -353,7 +372,7 @@ export declare class TermsBumpForm extends WithInlineConsentForm {
 
 /**
  * Atscript interface **ConcurrencyLimitForm**
- * @see {@link ./forms.as:773:18}
+ * @see {@link ./forms.as:816:18}
  */
 export declare class ConcurrencyLimitForm {
   static __is_atscript_annotated_type: true
@@ -368,7 +387,7 @@ export declare class ConcurrencyLimitForm {
 
 /**
  * Atscript interface **MagicLinkRequestForm**
- * @see {@link ./forms.as:783:18}
+ * @see {@link ./forms.as:826:18}
  */
 export declare class MagicLinkRequestForm {
   identifier: string
@@ -384,7 +403,7 @@ export declare class MagicLinkRequestForm {
 
 /**
  * Atscript interface **RecoveryModeSelectForm**
- * @see {@link ./forms.as:798:18}
+ * @see {@link ./forms.as:841:18}
  */
 export declare class RecoveryModeSelectForm {
   mode: string
@@ -400,7 +419,7 @@ export declare class RecoveryModeSelectForm {
 
 /**
  * Atscript interface **RecoveryFactorForm**
- * @see {@link ./forms.as:821:18}
+ * @see {@link ./forms.as:864:18}
  */
 export declare class RecoveryFactorForm {
   factor: string
@@ -417,7 +436,7 @@ export declare class RecoveryFactorForm {
 
 /**
  * Atscript interface **ChangePasswordForm**
- * @see {@link ./forms.as:855:18}
+ * @see {@link ./forms.as:898:18}
  */
 export declare class ChangePasswordForm {
   // intro: ui.paragraph
@@ -437,7 +456,7 @@ export declare class ChangePasswordForm {
 
 /**
  * Atscript interface **ProveControlForm**
- * @see {@link ./forms.as:920:18}
+ * @see {@link ./forms.as:963:18}
  */
 export declare class ProveControlForm {
   // intro: ui.paragraph
@@ -455,7 +474,7 @@ export declare class ProveControlForm {
 
 /**
  * Atscript interface **ProveControlOtpForm**
- * @see {@link ./forms.as:955:18}
+ * @see {@link ./forms.as:998:18}
  */
 export declare class ProveControlOtpForm {
   // intro: ui.paragraph
@@ -474,7 +493,7 @@ export declare class ProveControlOtpForm {
 
 /**
  * Atscript interface **AuthorizeConsentForm**
- * @see {@link ./forms.as:1005:18}
+ * @see {@link ./forms.as:1048:18}
  */
 export declare class AuthorizeConsentForm {
   // notice: ui.paragraph