@aooth/auth-moost 0.1.30 → 0.1.31

package/dist/index.d.mts

@@ -1879,6 +1879,28 @@ interface AuthWfCtx {
 interface AuthWorkflowOpts {
   autoLoginOnInvite?: boolean;
   autoLoginOnRecover?: boolean;
+  /**
+   * Closed universe of role ids the admin invite form may assign. NOT policy
+   * (it does not vary per request) — it is static configuration, like `forms`.
+   * The base `getAvailableRoles()` intersects this list with the CURRENT
+   * inviter's ARBAC grants (`auth.invite` / `assign:<role>`) at request time,
+   * so each inviter is offered — and server-side limited to — only the roles
+   * they may actually delegate. If ARBAC is unreachable the list is used
+   * verbatim (still a CLOSED whitelist, never fail-open).
+   *
+   * Leave unset to keep the legacy behaviour (NO whitelist — any role can be
+   * assigned). When unset, `getAvailableRoles` is not overridden, and
+   * `allowAnyInviteRole` is not set, a one-time warning fires the first time
+   * the admin invite flow runs.
+   */
+  invitableRoles?: string[];
+  /**
+   * Acknowledge an intentionally-unrestricted invite form — silences the
+   * "invite role whitelist is OFF" warning when `invitableRoles` is unset and
+   * `getAvailableRoles` is not overridden. Records intent only; it does not by
+   * itself relax or tighten enforcement. Default `false`.
+   */
+  allowAnyInviteRole?: boolean;
   /** Pincode infrastructure shared by login MFA, invite MFA, and recovery OTP. */
   mfa?: {
     pincodeLength?: number;
@@ -1952,6 +1974,8 @@ interface AuthWorkflowOpts {
 interface ResolvedAuthWorkflowOpts {
   autoLoginOnInvite: boolean;
   autoLoginOnRecover: boolean;
+  invitableRoles: string[];
+  allowAnyInviteRole: boolean;
   mfa: {
     pincodeLength: number;
     pincodeTtlMs: number;
@@ -2111,6 +2135,12 @@ declare class AuthWorkflow {
   protected readonly users: UserService;
   protected readonly auth: AuthCredential;
   protected readonly consentStore: ConsentStore;
+  /**
+   * Process-lifetime warn-once latch for the "invite role whitelist is OFF"
+   * notice. App-level (singleton) state, NOT per-event — keeps the warning from
+   * spamming on every invite while still surfacing the misconfig once.
+   */
+  private warnedOpenInviteWhitelist;
   constructor(opts: Partial<AuthWorkflowOpts>, users: UserService, auth: AuthCredential, consentStore: ConsentStore);
   /**
    * Unified outbound dispatch hook for direct synchronous deliveries
@@ -2174,12 +2204,39 @@ declare class AuthWorkflow {
    */
   protected afterMfaChanged(_ctx: AuthWfCtx): void | Promise<void>;
   /**
-   * Return the list of selectable role identifiers for the admin invite form.
-   * Mirrors the prior `InviteWorkflow.getAvailableRoles()` consumer hook —
-   * `undefined` (default) means no whitelist is enforced. Read by
-   * `prepareAvailableRoles`.
+   * Selectable role ids for the admin invite form — ALSO enforced server-side
+   * (`admin-form` rejects any submitted role outside this set). Read by
+   * `prepareAvailableRoles`. Mirrors the prior `InviteWorkflow.getAvailableRoles()`
+   * consumer hook.
+   *
+   * Default behaviour is driven by {@link AuthWorkflowOpts.invitableRoles}:
+   * - **configured** → that universe intersected with the CURRENT inviter's
+   *   ARBAC grants (`auth.invite` / `assign:<role>`), so an inviter can only
+   *   delegate roles they may themselves assign. If ARBAC is unreachable the
+   *   universe is returned verbatim — still a CLOSED whitelist, never fail-open.
+   * - **unset** → `undefined`, preserving the legacy "no whitelist" behaviour;
+   *   `prepareAvailableRoles` warns once unless
+   *   {@link AuthWorkflowOpts.allowAnyInviteRole} acknowledges it.
+   *
+   * Override for fully custom sourcing — the override then owns the gate
+   * outright (no warning fires; `invitableRoles` is consulted only if the
+   * override reads it).
    */
   protected getAvailableRoles(): Promise<string[] | undefined> | string[] | undefined;
+  /**
+   * Intersect a role universe with the current inviter's ARBAC grants — keep
+   * only roles they hold `auth.invite` / `assign:<role>` for. Falls back to the
+   * universe verbatim when ARBAC is unreachable (no event context / not wired),
+   * which keeps the whitelist CLOSED rather than failing open.
+   */
+  protected filterInvitableRolesByArbac(universe: string[]): Promise<string[]>;
+  /**
+   * True when the admin invite form would assign roles with NO server-side
+   * whitelist in effect: `invitableRoles` unset, `getAvailableRoles` not
+   * overridden, and the open default not acknowledged via `allowAnyInviteRole`.
+   * Drives the one-time `prepare-available-roles` warning.
+   */
+  protected inviteWhitelistIsOpen(): boolean;
   /**
    * Build the extras dict merged into the freshly-created user row. Runs for
    * EVERY new-account path: password-signup and invite-accept merge it at
@@ -2494,6 +2551,21 @@ declare class AuthWorkflow {
    * `AuthWorkflowOpts.autoLoginOnInvite` boolean (per §2 decision).
    */
   protected resolveAccept(_ctx: AuthWfCtx): NonNullable<AuthWfCtx["accept"]> | Promise<NonNullable<AuthWfCtx["accept"]>>;
+  /**
+   * Copy (heading + intro) for the unified set-password screen, staged by
+   * `create-password-form` BEFORE the pause. Branches on the resolved
+   * `ctx.password.changeReason` (`expired` / `reset`), then invite-accept
+   * (`ctx.accept`), then the initial-password fallback. Override to re-brand any
+   * phase; return a partial (`{ heading }` only) to change one field and leave
+   * the other at whatever an earlier step staged, or `{}` to keep both as-is.
+   */
+  protected resolveSetPasswordCopy(ctx: AuthWfCtx): {
+    heading?: string;
+    intro?: string;
+  } | Promise<{
+    heading?: string;
+    intro?: string;
+  }>;
   /**
    * Resolve the recovery post-reset policy. Reached from recovery.flow.
    * `freshLoginRequired` REMOVED — the auto-login choice is the static
@@ -2920,11 +2992,25 @@ declare class AuthWorkflow {
   preparePasswordRules(ctx: AuthWfCtx): undefined | Promise<undefined>;
   preparePostReset(ctx: AuthWfCtx): undefined | Promise<undefined>;
   prepareRecoveryAltActions(ctx: AuthWfCtx): undefined | Promise<undefined>;
+  /**
+   * Roles the server will honor from the admin invite form. SECURITY boundary:
+   * when `resolveAdminForm` returned `collectRoles: false` the role picker is
+   * hidden, so any submitted `roles[]` is a crafted or buggy payload and is
+   * IGNORED — roles in that mode come from `inferAdminRoles` (server-side),
+   * never client input. This keeps role authorization independent of whether
+   * `prepare-available-roles` ran: that step populates the `availableRoles`
+   * whitelist the `admin-form` guard enforces against, but it is schema-gated on
+   * `collectRoles`, so WITHOUT this check a `collectRoles:false` deployment
+   * would let a crafted POST assign ANY role with no whitelist / per-role ARBAC
+   * `assign:<role>` check.
+   */
+  protected effectiveInviteRoles(ctx: AuthWfCtx, submitted: string[]): string[];
   /**
    * Admin-side invite form. Pauses for `InviteForm`; binds `ctx.email` +
    * `ctx.admin.roles`. Server-side enforces the `availableRoles` whitelist
-   * (populated by `prepare-available-roles`). Calls `duplicateInviteCheck`
-   * to decide whether to reject duplicates.
+   * (populated by `prepare-available-roles`) and, via {@link effectiveInviteRoles},
+   * ignores any submitted roles when `resolveAdminForm` set `collectRoles:false`.
+   * Calls `duplicateInviteCheck` to decide whether to reject duplicates.
    */
   adminForm(ctx: AuthWfCtx): Promise<unknown>;
   /**

package/dist/index.mjs

@@ -1,9 +1,9 @@
 import { C as Select2faForm, D as TermsBumpForm, E as StepUpConfirmForm, S as RemoveMfaConfirmForm, T as SignupForm, _ as PincodeForm, a as ConcurrencyLimitForm, c as EnrollConfirmForm, d as InviteForm, f as LoginCredentialsForm, g as PasswordReauthForm, h as MfaCodeForm, i as ChangePasswordForm, l as EnrollPickMethodForm, m as ManageMfaForm, n as AskPhoneForm, o as EmailIdentifierForm, r as AuthorizeConsentForm, s as EnrollAddressForm, t as AskEmailForm, u as EnrollTotpQrForm, v as ProveControlForm, w as SetPasswordForm, y as ProveControlOtpForm } from "./forms-xaBNc5Ng.mjs";
-import { Controller, HandlerPaths, Inherit, Inject, InjectMoostLogger, Injectable, Intercept, MoostInit, Optional, Param, Resolve, TInterceptorPriority, defineAfterInterceptor, defineBeforeInterceptor, getMoostMate, useControllerContext } from "moost";
+import { Controller, HandlerPaths, Inherit, Inject, InjectMoostLogger, Injectable, Intercept, MoostInit, Optional, Param, Resolve, TInterceptorPriority, defineAfterInterceptor, defineBeforeInterceptor, getMoostMate, useControllerContext, useLogger } from "moost";
 import { AuthCredential, AuthError, generateMagicLinkToken } from "@aooth/auth";
 import { current, defineWook, eventTypeKey, key } from "@wooksjs/event-core";
 import { HttpError, useAuthorization, useCookies, useHeaders, useRequest, useResponse, useUrlParams } from "@wooksjs/event-http";
-import { ArbacAction, ArbacResource, getArbacMate } from "@aooth/arbac-moost";
+import { ArbacAction, ArbacResource, getArbacMate, useArbac } from "@aooth/arbac-moost";
 import { FederatedIdentityStore, SEEN_DEVICES_DEFAULT_CAP, UserAuthError, UserService, generateMfaCode, generateTotpSecret, generateTotpUri, maskEmail, maskPhone, pickDefinedProfile, verifyTotpCode } from "@aooth/user";
 import { Body, Delete, Get, HttpError as HttpError$1, Post, Query } from "@moostjs/event-http";
 import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
@@ -942,6 +942,7 @@ const consentsPersistTailSchema = [{
 * is registerable as a Moost controller, but running any of its `@Workflow`
 * schemas would no-op every step.
 */
+var _AuthWorkflow;
 /**
 * Default form schemas — the bundled `forms.as` models the workflow's
 * `useAtscriptWf()` callers resolve to. Consumers can override any field
@@ -988,6 +989,8 @@ function mergeAuthWorkflowOpts(opts) {
 	return {
 		autoLoginOnInvite: opts.autoLoginOnInvite ?? true,
 		autoLoginOnRecover: opts.autoLoginOnRecover ?? false,
+		invitableRoles: opts.invitableRoles ?? [],
+		allowAnyInviteRole: opts.allowAnyInviteRole ?? false,
 		mfa: {
 			pincodeLength: opts.mfa?.pincodeLength ?? 6,
 			pincodeTtlMs: opts.mfa?.pincodeTtlMs ?? 300 * 1e3,
@@ -1197,11 +1200,17 @@ function pickDefined(src, keys) {
 * so enumeration is moot there).
 */
 var RecoveryMethodUnavailableError = class extends Error {};
-let AuthWorkflow = class AuthWorkflow {
+let AuthWorkflow = _AuthWorkflow = class AuthWorkflow {
 	opts;
 	users;
 	auth;
 	consentStore;
+	/**
+	* Process-lifetime warn-once latch for the "invite role whitelist is OFF"
+	* notice. App-level (singleton) state, NOT per-event — keeps the warning from
+	* spamming on every invite while still surfacing the misconfig once.
+	*/
+	warnedOpenInviteWhitelist = false;
 	constructor(opts, users, auth, consentStore) {
 		this.opts = mergeAuthWorkflowOpts(opts);
 		this.users = users;
@@ -1281,12 +1290,56 @@ let AuthWorkflow = class AuthWorkflow {
 	*/
 	afterMfaChanged(_ctx) {}
 	/**
-	* Return the list of selectable role identifiers for the admin invite form.
-	* Mirrors the prior `InviteWorkflow.getAvailableRoles()` consumer hook —
-	* `undefined` (default) means no whitelist is enforced. Read by
-	* `prepareAvailableRoles`.
+	* Selectable role ids for the admin invite form — ALSO enforced server-side
+	* (`admin-form` rejects any submitted role outside this set). Read by
+	* `prepareAvailableRoles`. Mirrors the prior `InviteWorkflow.getAvailableRoles()`
+	* consumer hook.
+	*
+	* Default behaviour is driven by {@link AuthWorkflowOpts.invitableRoles}:
+	* - **configured** → that universe intersected with the CURRENT inviter's
+	*   ARBAC grants (`auth.invite` / `assign:<role>`), so an inviter can only
+	*   delegate roles they may themselves assign. If ARBAC is unreachable the
+	*   universe is returned verbatim — still a CLOSED whitelist, never fail-open.
+	* - **unset** → `undefined`, preserving the legacy "no whitelist" behaviour;
+	*   `prepareAvailableRoles` warns once unless
+	*   {@link AuthWorkflowOpts.allowAnyInviteRole} acknowledges it.
+	*
+	* Override for fully custom sourcing — the override then owns the gate
+	* outright (no warning fires; `invitableRoles` is consulted only if the
+	* override reads it).
+	*/
+	getAvailableRoles() {
+		const universe = this.opts.invitableRoles;
+		if (universe.length === 0) return void 0;
+		return this.filterInvitableRolesByArbac(universe);
+	}
+	/**
+	* Intersect a role universe with the current inviter's ARBAC grants — keep
+	* only roles they hold `auth.invite` / `assign:<role>` for. Falls back to the
+	* universe verbatim when ARBAC is unreachable (no event context / not wired),
+	* which keeps the whitelist CLOSED rather than failing open.
 	*/
-	getAvailableRoles() {}
+	async filterInvitableRolesByArbac(universe) {
+		try {
+			const arbac = useArbac();
+			const verdicts = await Promise.all(universe.map((role) => arbac.evaluate({
+				resource: "auth.invite",
+				action: `assign:${role}`
+			})));
+			return universe.filter((_, i) => verdicts[i].allowed);
+		} catch {
+			return [...universe];
+		}
+	}
+	/**
+	* True when the admin invite form would assign roles with NO server-side
+	* whitelist in effect: `invitableRoles` unset, `getAvailableRoles` not
+	* overridden, and the open default not acknowledged via `allowAnyInviteRole`.
+	* Drives the one-time `prepare-available-roles` warning.
+	*/
+	inviteWhitelistIsOpen() {
+		return !this.opts.allowAnyInviteRole && this.opts.invitableRoles.length === 0 && this.getAvailableRoles === _AuthWorkflow.prototype.getAvailableRoles;
+	}
 	/**
 	* Build the extras dict merged into the freshly-created user row. Runs for
 	* EVERY new-account path: password-signup and invite-accept merge it at
@@ -1728,6 +1781,33 @@ let AuthWorkflow = class AuthWorkflow {
 		};
 	}
 	/**
+	* Copy (heading + intro) for the unified set-password screen, staged by
+	* `create-password-form` BEFORE the pause. Branches on the resolved
+	* `ctx.password.changeReason` (`expired` / `reset`), then invite-accept
+	* (`ctx.accept`), then the initial-password fallback. Override to re-brand any
+	* phase; return a partial (`{ heading }` only) to change one field and leave
+	* the other at whatever an earlier step staged, or `{}` to keep both as-is.
+	*/
+	resolveSetPasswordCopy(ctx) {
+		const reason = ctx.password?.changeReason;
+		if (reason === "expired") return {
+			heading: "Your password has expired",
+			intro: "Choose a new password to continue. The previous one is no longer valid."
+		};
+		if (reason === "reset") return {
+			heading: "Reset your password",
+			intro: "Choose a new password for your account."
+		};
+		if (ctx.accept) return {
+			heading: "Welcome — set your password",
+			intro: "Choose a password to activate your account."
+		};
+		return {
+			heading: "Set your initial password",
+			intro: "Your account was created without a password. Choose one to continue."
+		};
+	}
+	/**
 	* Resolve the recovery post-reset policy. Reached from recovery.flow.
 	* `freshLoginRequired` REMOVED — the auto-login choice is the static
 	* `AuthWorkflowOpts.autoLoginOnRecover` boolean (per §2 decision).
@@ -2704,6 +2784,10 @@ let AuthWorkflow = class AuthWorkflow {
 	async prepareAvailableRoles(ctx) {
 		const roles = await this.getAvailableRoles();
 		if (roles) (ctx.admin ??= {}).availableRoles = roles;
+		else if (!this.warnedOpenInviteWhitelist && this.inviteWhitelistIsOpen()) {
+			this.warnedOpenInviteWhitelist = true;
+			useLogger("aooth:auth", current()).warn("Invite role whitelist is OFF — the admin invite form can assign ANY role, including privileged ones. Set `invitableRoles` (intersected with the inviter's ARBAC grants), override `getAvailableRoles()`, or set `allowAnyInviteRole: true` to acknowledge the open default.");
+		}
 	}
 	/**
 	* Merges policy from `resolveAccept` into `ctx.accept` (rather than
@@ -2736,16 +2820,33 @@ let AuthWorkflow = class AuthWorkflow {
 		ctx.recoveryAltActions = result;
 	}
 	/**
+	* Roles the server will honor from the admin invite form. SECURITY boundary:
+	* when `resolveAdminForm` returned `collectRoles: false` the role picker is
+	* hidden, so any submitted `roles[]` is a crafted or buggy payload and is
+	* IGNORED — roles in that mode come from `inferAdminRoles` (server-side),
+	* never client input. This keeps role authorization independent of whether
+	* `prepare-available-roles` ran: that step populates the `availableRoles`
+	* whitelist the `admin-form` guard enforces against, but it is schema-gated on
+	* `collectRoles`, so WITHOUT this check a `collectRoles:false` deployment
+	* would let a crafted POST assign ANY role with no whitelist / per-role ARBAC
+	* `assign:<role>` check.
+	*/
+	effectiveInviteRoles(ctx, submitted) {
+		if (ctx.adminForm?.collectRoles === false) return [];
+		return parseInviteRoles(submitted);
+	}
+	/**
 	* Admin-side invite form. Pauses for `InviteForm`; binds `ctx.email` +
 	* `ctx.admin.roles`. Server-side enforces the `availableRoles` whitelist
-	* (populated by `prepare-available-roles`). Calls `duplicateInviteCheck`
-	* to decide whether to reject duplicates.
+	* (populated by `prepare-available-roles`) and, via {@link effectiveInviteRoles},
+	* ignores any submitted roles when `resolveAdminForm` set `collectRoles:false`.
+	* Calls `duplicateInviteCheck` to decide whether to reject duplicates.
 	*/
 	async adminForm(ctx) {
 		const wf = this.useAtscriptWfPublic(ctx, this.opts.forms.invite);
 		const input = wf.resolveInput();
 		const email = input.email;
-		const parsed = parseInviteRoles(input.roles);
+		const parsed = this.effectiveInviteRoles(ctx, input.roles);
 		if (Array.isArray(ctx.admin?.availableRoles)) {
 			const allowed = new Set(ctx.admin.availableRoles);
 			if (parsed.find((r) => !allowed.has(r)) !== void 0) throw this.throwPublic(ctx, wf, { errors: { roles: "Invalid role" } });
@@ -2926,19 +3027,9 @@ let AuthWorkflow = class AuthWorkflow {
 	async createPasswordForm(ctx) {
 		this.requireSubject(ctx);
 		const password = ctx.password ??= {};
-		if (password.changeReason === "expired") {
-			password.heading = "Your password has expired";
-			password.intro = "Choose a new password to continue. The previous one is no longer valid.";
-		} else if (password.changeReason === "reset") {
-			password.heading = "Reset your password";
-			password.intro = "Choose a new password for your account.";
-		} else if (ctx.accept) {
-			password.heading = "Welcome — set your password";
-			password.intro = "Choose a password to activate your account.";
-		} else {
-			password.heading = "Set your initial password";
-			password.intro = "Your account was created without a password. Choose one to continue.";
-		}
+		const copy = await this.resolveSetPasswordCopy(ctx);
+		if (copy.heading !== void 0) password.heading = copy.heading;
+		if (copy.intro !== void 0) password.intro = copy.intro;
 		const wf = this.useAtscriptWfPublic(ctx, this.opts.forms.setPassword);
 		let input;
 		try {
@@ -6124,7 +6215,7 @@ __decorate([
 	__decorateMetadata("design:paramtypes", []),
 	__decorateMetadata("design:returntype", void 0)
 ], AuthWorkflow.prototype, "signupFlow", null);
-AuthWorkflow = __decorate([
+AuthWorkflow = _AuthWorkflow = __decorate([
 	Inherit(),
 	Controller(),
 	__decorateMetadata("design:paramtypes", [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.30",
+  "version": "0.1.31",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -59,10 +59,10 @@
   "dependencies": {
     "@atscript/moost-wf": "^0.1.107",
     "@wooksjs/http-body": "^0.7.19",
-    "@aooth/arbac-moost": "^0.1.30",
-    "@aooth/idp": "0.1.30",
-    "@aooth/auth": "0.1.30",
-    "@aooth/user": "0.1.30"
+    "@aooth/arbac-moost": "^0.1.31",
+    "@aooth/idp": "0.1.31",
+    "@aooth/auth": "0.1.31",
+    "@aooth/user": "0.1.31"
   },
   "devDependencies": {
     "@atscript/core": "^0.1.78",