@aooth/auth-moost 0.1.6 → 0.1.7

package/dist/atscript/index.d.mts

@@ -1,2 +1,2 @@
-import { C as TermsBumpForm, S as TenantSelectForm, _ as ProfileCompleteForm, a as EmailIdentifierForm, b as Select2faForm, c as EnrollPickMethodForm, d as InviteSendModeForm, f as LoginCredentialsForm, g as PincodeForm, h as PersonaSelectForm, i as ConcurrencyLimitForm, l as InviteEmailForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, p as MagicLinkRequestForm, r as BackupCodeForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as RecoveryFactorForm, w as WithInlineConsentForm, x as SetPasswordForm, y as RecoveryModeSelectForm } from "../forms-sF41Fzzn.mjs";
+import { C as TermsBumpForm, S as TenantSelectForm, _ as ProfileCompleteForm, a as EmailIdentifierForm, b as Select2faForm, c as EnrollPickMethodForm, d as InviteSendModeForm, f as LoginCredentialsForm, g as PincodeForm, h as PersonaSelectForm, i as ConcurrencyLimitForm, l as InviteEmailForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, p as MagicLinkRequestForm, r as BackupCodeForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as RecoveryFactorForm, w as WithInlineConsentForm, x as SetPasswordForm, y as RecoveryModeSelectForm } from "../forms-DtQMdkA_.mjs";
 export { AskEmailForm, AskPhoneForm, BackupCodeForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, InviteEmailForm, InviteForm, InviteSendModeForm, LoginCredentialsForm, MagicLinkRequestForm, MfaCodeForm, PersonaSelectForm, PincodeForm, ProfileCompleteForm, RecoveryFactorForm, RecoveryModeSelectForm, Select2faForm, SetPasswordForm, TenantSelectForm, TermsBumpForm, WithInlineConsentForm };

package/dist/atscript/index.mjs

@@ -1,2 +1,2 @@
-import { C as TermsBumpForm, S as TenantSelectForm, _ as ProfileCompleteForm, a as EmailIdentifierForm, b as Select2faForm, c as EnrollPickMethodForm, d as InviteSendModeForm, f as LoginCredentialsForm, g as PincodeForm, h as PersonaSelectForm, i as ConcurrencyLimitForm, l as InviteEmailForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, p as MagicLinkRequestForm, r as BackupCodeForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as RecoveryFactorForm, w as WithInlineConsentForm, x as SetPasswordForm, y as RecoveryModeSelectForm } from "../forms-sF41Fzzn.mjs";
+import { C as TermsBumpForm, S as TenantSelectForm, _ as ProfileCompleteForm, a as EmailIdentifierForm, b as Select2faForm, c as EnrollPickMethodForm, d as InviteSendModeForm, f as LoginCredentialsForm, g as PincodeForm, h as PersonaSelectForm, i as ConcurrencyLimitForm, l as InviteEmailForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, p as MagicLinkRequestForm, r as BackupCodeForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as RecoveryFactorForm, w as WithInlineConsentForm, x as SetPasswordForm, y as RecoveryModeSelectForm } from "../forms-DtQMdkA_.mjs";
 export { AskEmailForm, AskPhoneForm, BackupCodeForm, ConcurrencyLimitForm, EmailIdentifierForm, EnrollAddressForm, EnrollConfirmForm, EnrollPickMethodForm, InviteEmailForm, InviteForm, InviteSendModeForm, LoginCredentialsForm, MagicLinkRequestForm, MfaCodeForm, PersonaSelectForm, PincodeForm, ProfileCompleteForm, RecoveryFactorForm, RecoveryModeSelectForm, Select2faForm, SetPasswordForm, TenantSelectForm, TermsBumpForm, WithInlineConsentForm };

package/dist/{forms-sF41Fzzn.mjs → forms-DtQMdkA_.mjs}

@@ -264,7 +264,7 @@ defineAnnotatedType("object", SetPasswordForm).prop("consents", defineAnnotatedT
 }).optional().$type).prop("backToLogin", defineAnnotatedType().designType("phantom").tags("action", "ui").annotate("ui.form.order", 50).annotate("ui.form.action", {
 	id: "backToLogin",
 	label: "Back to sign-in"
-}).optional().$type).annotate("wf.context.pass", "passwordPolicies", true).annotate("wf.context.pass", "pendingConsents", true).annotate("wf.context.pass", "consentsPersisted", true);
+}).optional().$type).annotate("wf.context.pass", "passwordPolicies", true).annotate("wf.context.pass", "passwordChangeReason", true).annotate("wf.context.pass", "pendingConsents", true).annotate("wf.context.pass", "consentsPersisted", true);
 defineAnnotatedType("object", InviteForm).prop("email", defineAnnotatedType().designType("string").tags("email", "string").annotate("ui.form.type", "text").annotate("meta.label", "Email").annotate("ui.form.autocomplete", "email").annotate("meta.required", {}).annotate("expect.pattern", {
 	pattern: "^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$",
 	flags: "",

package/dist/index.d.mts

@@ -898,6 +898,24 @@ interface LoginWfCtx {
   /** Legacy alias for `pwReset`; kept until tests migrate. */
   mfaRequired?: boolean;
   isPasswordInitial?: boolean;
+  /**
+   * Set in `credentials` when `guards.passwordExpiry` is true AND
+   * `UserService.isPasswordExpired(user)` returns true. Combined with
+   * `isPasswordInitial` in the forced-change schema condition — either
+   * being truthy routes the user through `prepare-password-rules` +
+   * `create-password-form`. Reset after `create-password-form` commits.
+   */
+  isPasswordExpired?: boolean;
+  /**
+   * Discriminator for `SetPasswordForm` UX. `'initial'` when the
+   * password has never been used (first-set flow); `'expired'` when the
+   * password aged past `config.password.maxAgeMs` (rotation flow). When
+   * both conditions are true, `'initial'` wins — a never-used password
+   * being "expired" is semantically still its initial set. Shipped to
+   * the client via `@wf.context.pass` on `SetPasswordForm` so the SPA
+   * can swap banner copy; default form labels stay reason-agnostic.
+   */
+  passwordChangeReason?: "initial" | "expired";
   usedMagicLink?: boolean;
   /**
    * 3-state MFA policy:
@@ -1206,6 +1224,14 @@ declare class LoginWorkflow extends AuthWorkflowBase {
    * Resolve the guards policy (passwordInitial / passwordExpiry /
    * emailVerifiedRequired). Override per-tenant to tighten or loosen the
    * post-credentials gates. Sync/async friendly.
+   *
+   * The `passwordExpiry` flag (default `true`) is the per-tenant escape
+   * hatch for rotation policy: flip to `false` for SSO-only tenants
+   * where the IdP owns rotation, or for service accounts where forced
+   * change would break automation. When `true`, the `credentials` step
+   * consults `UserService.isPasswordExpired(user)` — which is itself
+   * gated on `config.password.maxAgeMs`, so an unset `maxAgeMs` already
+   * disables expiry independent of this flag.
    */
   protected resolveGuards(_ctx: LoginWfCtx): NonNullable<LoginWfCtx["guards"]> | Promise<NonNullable<LoginWfCtx["guards"]>>;
   /**

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { C as TermsBumpForm, S as TenantSelectForm, _ as ProfileCompleteForm, a as EmailIdentifierForm, b as Select2faForm, c as EnrollPickMethodForm, d as InviteSendModeForm, f as LoginCredentialsForm, g as PincodeForm, h as PersonaSelectForm, i as ConcurrencyLimitForm, l as InviteEmailForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, r as BackupCodeForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as RecoveryFactorForm, x as SetPasswordForm, y as RecoveryModeSelectForm } from "./forms-sF41Fzzn.mjs";
+import { C as TermsBumpForm, S as TenantSelectForm, _ as ProfileCompleteForm, a as EmailIdentifierForm, b as Select2faForm, c as EnrollPickMethodForm, d as InviteSendModeForm, f as LoginCredentialsForm, g as PincodeForm, h as PersonaSelectForm, i as ConcurrencyLimitForm, l as InviteEmailForm, m as MfaCodeForm, n as AskPhoneForm, o as EnrollAddressForm, r as BackupCodeForm, s as EnrollConfirmForm, t as AskEmailForm, u as InviteForm, v as RecoveryFactorForm, x as SetPasswordForm, y as RecoveryModeSelectForm } from "./forms-DtQMdkA_.mjs";
 import { Controller, Inherit, Injectable, Intercept, Optional, Param, Resolve, TInterceptorPriority, defineAfterInterceptor, defineBeforeInterceptor, getMoostMate, useControllerContext } from "moost";
 import { AuthCredential, AuthError, generateMagicLinkToken } from "@aooth/auth";
 import { current, defineWook, eventTypeKey, key } from "@wooksjs/event-core";
@@ -2442,6 +2442,14 @@ let LoginWorkflow = class LoginWorkflow extends AuthWorkflowBase {
 	* Resolve the guards policy (passwordInitial / passwordExpiry /
 	* emailVerifiedRequired). Override per-tenant to tighten or loosen the
 	* post-credentials gates. Sync/async friendly.
+	*
+	* The `passwordExpiry` flag (default `true`) is the per-tenant escape
+	* hatch for rotation policy: flip to `false` for SSO-only tenants
+	* where the IdP owns rotation, or for service accounts where forced
+	* change would break automation. When `true`, the `credentials` step
+	* consults `UserService.isPasswordExpired(user)` — which is itself
+	* gated on `config.password.maxAgeMs`, so an unset `maxAgeMs` already
+	* disables expiry independent of this flag.
 	*/
 	resolveGuards(_ctx) {
 		return {
@@ -2653,6 +2661,9 @@ let LoginWorkflow = class LoginWorkflow extends AuthWorkflowBase {
 			ctx.username = result.user.username;
 			ctx.mfaRequired = result.mfaRequired;
 			if (ctx.guards?.passwordInitial && result.user.password.isInitial) ctx.isPasswordInitial = true;
+			if (ctx.guards?.passwordExpiry && this.users.isPasswordExpired(result.user)) ctx.isPasswordExpired = true;
+			if (ctx.isPasswordInitial) ctx.passwordChangeReason = "initial";
+			else if (ctx.isPasswordExpired) ctx.passwordChangeReason = "expired";
 			const email = result.user.mfa.methods.find((m) => m.name === "email" && m.confirmed);
 			if (email) {
 				ctx.email = email.value;
@@ -3099,6 +3110,8 @@ let LoginWorkflow = class LoginWorkflow extends AuthWorkflowBase {
 		this.processInlineConsent(ctx, input, wf);
 		ctx.passwordChanged = true;
 		ctx.isPasswordInitial = false;
+		ctx.isPasswordExpired = false;
+		delete ctx.passwordChangeReason;
 	}
 	async profileComplete(ctx) {
 		const wf = useAtscriptWf(this.opts.forms.profileComplete);
@@ -3475,7 +3488,7 @@ __decorate([
 			condition: (ctx) => !!ctx.deviceTrust?.enabled && !!ctx.mfaChecked && !!ctx.newDevice && (!ctx.deviceTrust?.optIn || !!ctx.rememberDevice)
 		},
 		{
-			condition: (ctx) => !!ctx.isPasswordInitial && !ctx.passwordChanged,
+			condition: (ctx) => (!!ctx.isPasswordInitial || !!ctx.isPasswordExpired) && !ctx.passwordChanged,
 			steps: [{ id: "prepare-password-rules" }, { id: "create-password-form" }]
 		},
 		{ break: (ctx) => !!ctx.aborted },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/auth-moost",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Moost auth integration for aoothjs — AuthGuard interceptor, useAuth composable, REST endpoints, workflows",
   "keywords": [
     "aoothjs",
@@ -51,17 +51,17 @@
     "access": "public"
   },
   "dependencies": {
-    "@atscript/moost-wf": "^0.1.78",
+    "@atscript/moost-wf": "^0.1.79",
     "@wooksjs/http-body": "^0.7.15",
-    "@aooth/arbac-moost": "^0.1.6",
-    "@aooth/auth": "0.1.6",
-    "@aooth/user": "0.1.6"
+    "@aooth/arbac-moost": "^0.1.7",
+    "@aooth/auth": "0.1.7",
+    "@aooth/user": "0.1.7"
   },
   "devDependencies": {
     "@atscript/core": "^0.1.64",
     "@atscript/typescript": "^0.1.64",
-    "@atscript/ui": "^0.1.78",
-    "@atscript/ui-fns": "^0.1.78",
+    "@atscript/ui": "^0.1.79",
+    "@atscript/ui-fns": "^0.1.79",
     "@moostjs/event-http": "^0.6.17",
     "@moostjs/event-wf": "^0.6.17",
     "moost": "^0.6.17",

package/src/atscript/models/forms.as

@@ -181,8 +181,16 @@ export interface EmailIdentifierForm {
  * `data.newPassword` so the rule-fulfillment readout updates live on every
  * keystroke. `WithInlineConsentForm` continues to supply the inline-consent
  * `consents: string[]` block via `AsConsentArray` (Phase 5).
+ *
+ * `@wf.context.pass 'passwordChangeReason'` whitelists the workflow ctx key
+ * carrying `'initial' | 'expired'` — set by `LoginWorkflow.credentials` when
+ * the forced-change branch fires. Default form labels stay reason-agnostic;
+ * downstream SPAs can read the value and override banner copy via a
+ * sibling `ui.paragraph` with an `@ui.form.fn.value` expression (mirroring
+ * the Phase-3 `EnrollConfirmForm.transportHint` pattern).
  */
 @wf.context.pass 'passwordPolicies'
+@wf.context.pass 'passwordChangeReason'
 @wf.context.pass 'pendingConsents'
 @wf.context.pass 'consentsPersisted'
 export interface SetPasswordForm extends WithInlineConsentForm {

package/src/atscript/models/forms.as.d.ts

@@ -98,7 +98,7 @@ export declare class EmailIdentifierForm {
 
 /**
  * Atscript interface **SetPasswordForm**
- * @see {@link ./forms.as:188:18}
+ * @see {@link ./forms.as:196:18}
  */
 export declare class SetPasswordForm extends WithInlineConsentForm {
   newPassword: string
@@ -119,7 +119,7 @@ export declare class SetPasswordForm extends WithInlineConsentForm {
 
 /**
  * Atscript interface **InviteForm**
- * @see {@link ./forms.as:251:18}
+ * @see {@link ./forms.as:259:18}
  */
 export declare class InviteForm {
   email: string /* email */
@@ -139,7 +139,7 @@ export declare class InviteForm {
 
 /**
  * Atscript interface **InviteEmailForm**
- * @see {@link ./forms.as:282:18}
+ * @see {@link ./forms.as:290:18}
  */
 export declare class InviteEmailForm {
   email: string /* email */
@@ -156,7 +156,7 @@ export declare class InviteEmailForm {
 
 /**
  * Atscript interface **InviteSendModeForm**
- * @see {@link ./forms.as:298:18}
+ * @see {@link ./forms.as:306:18}
  */
 export declare class InviteSendModeForm {
   mode: string
@@ -173,7 +173,7 @@ export declare class InviteSendModeForm {
 
 /**
  * Atscript interface **Select2faForm**
- * @see {@link ./forms.as:322:18}
+ * @see {@link ./forms.as:330:18}
  */
 export declare class Select2faForm {
   methodName: string
@@ -191,7 +191,7 @@ export declare class Select2faForm {
 
 /**
  * Atscript interface **PincodeForm**
- * @see {@link ./forms.as:357:18}
+ * @see {@link ./forms.as:365:18}
  */
 export declare class PincodeForm {
   // transportHint: ui.paragraph
@@ -214,7 +214,7 @@ export declare class PincodeForm {
 
 /**
  * Atscript interface **AskEmailForm**
- * @see {@link ./forms.as:401:18}
+ * @see {@link ./forms.as:409:18}
  */
 export declare class AskEmailForm extends WithInlineConsentForm {
   email: string /* email */
@@ -230,7 +230,7 @@ export declare class AskEmailForm extends WithInlineConsentForm {
 
 /**
  * Atscript interface **AskPhoneForm**
- * @see {@link ./forms.as:417:18}
+ * @see {@link ./forms.as:425:18}
  */
 export declare class AskPhoneForm extends WithInlineConsentForm {
   phone: string
@@ -246,7 +246,7 @@ export declare class AskPhoneForm extends WithInlineConsentForm {
 
 /**
  * Atscript interface **EnrollPickMethodForm**
- * @see {@link ./forms.as:433:18}
+ * @see {@link ./forms.as:441:18}
  */
 export declare class EnrollPickMethodForm {
   method: string
@@ -263,7 +263,7 @@ export declare class EnrollPickMethodForm {
 
 /**
  * Atscript interface **EnrollAddressForm**
- * @see {@link ./forms.as:456:18}
+ * @see {@link ./forms.as:464:18}
  */
 export declare class EnrollAddressForm {
   address: string
@@ -281,7 +281,7 @@ export declare class EnrollAddressForm {
 
 /**
  * Atscript interface **EnrollConfirmForm**
- * @see {@link ./forms.as:484:18}
+ * @see {@link ./forms.as:492:18}
  */
 export declare class EnrollConfirmForm {
   // transportHint: ui.paragraph
@@ -301,7 +301,7 @@ export declare class EnrollConfirmForm {
 
 /**
  * Atscript interface **ProfileCompleteForm**
- * @see {@link ./forms.as:516:18}
+ * @see {@link ./forms.as:524:18}
  */
 export declare class ProfileCompleteForm extends WithInlineConsentForm {
   firstName?: string
@@ -318,7 +318,7 @@ export declare class ProfileCompleteForm extends WithInlineConsentForm {
 
 /**
  * Atscript interface **TermsBumpForm**
- * @see {@link ./forms.as:539:18}
+ * @see {@link ./forms.as:547:18}
  */
 export declare class TermsBumpForm extends WithInlineConsentForm {
   static __is_atscript_annotated_type: true
@@ -333,7 +333,7 @@ export declare class TermsBumpForm extends WithInlineConsentForm {
 
 /**
  * Atscript interface **TenantSelectForm**
- * @see {@link ./forms.as:549:18}
+ * @see {@link ./forms.as:557:18}
  */
 export declare class TenantSelectForm {
   tenantId: string
@@ -349,7 +349,7 @@ export declare class TenantSelectForm {
 
 /**
  * Atscript interface **PersonaSelectForm**
- * @see {@link ./forms.as:564:18}
+ * @see {@link ./forms.as:572:18}
  */
 export declare class PersonaSelectForm {
   personaId: string
@@ -365,7 +365,7 @@ export declare class PersonaSelectForm {
 
 /**
  * Atscript interface **ConcurrencyLimitForm**
- * @see {@link ./forms.as:576:18}
+ * @see {@link ./forms.as:584:18}
  */
 export declare class ConcurrencyLimitForm {
   action: string
@@ -383,7 +383,7 @@ export declare class ConcurrencyLimitForm {
 
 /**
  * Atscript interface **MagicLinkRequestForm**
- * @see {@link ./forms.as:595:18}
+ * @see {@link ./forms.as:603:18}
  */
 export declare class MagicLinkRequestForm {
   identifier: string
@@ -399,7 +399,7 @@ export declare class MagicLinkRequestForm {
 
 /**
  * Atscript interface **RecoveryModeSelectForm**
- * @see {@link ./forms.as:607:18}
+ * @see {@link ./forms.as:615:18}
  */
 export declare class RecoveryModeSelectForm {
   mode: string
@@ -416,7 +416,7 @@ export declare class RecoveryModeSelectForm {
 
 /**
  * Atscript interface **RecoveryFactorForm**
- * @see {@link ./forms.as:629:18}
+ * @see {@link ./forms.as:637:18}
  */
 export declare class RecoveryFactorForm {
   factor: string