npm - @aooth/user - Versions diffs - 0.1.2 → 0.1.4 - Mend

@aooth/user 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/atscript-db.cjs +25 -1
package/dist/atscript-db.d.cts +11 -1
package/dist/atscript-db.d.mts +11 -1
package/dist/atscript-db.mjs +25 -1
package/dist/index.cjs +167 -68
package/dist/index.d.cts +64 -14
package/dist/index.d.mts +64 -14
package/dist/index.mjs +167 -69
package/dist/{user-store-Dbc9unW3.d.mts → user-store-B3EStUfT.d.cts} +65 -6
package/dist/{user-store-CdWrTeqR.cjs → user-store-BPZVAboN.cjs} +2 -1
package/dist/{user-store-B_l9vqlQ.mjs → user-store-BaBmH13V.mjs} +2 -1
package/dist/{user-store-VJPWNgdp.d.cts → user-store-C1lxahSB.d.mts} +65 -6
package/package.json +10 -11
package/src/atscript-db/user-credentials.as +6 -1

package/dist/{user-store-VJPWNgdp.d.cts → user-store-C1lxahSB.d.mts} RENAMED Viewed

@@ -2,6 +2,14 @@
 interface UserCredentials {
   id: string;
   username: string;
+  /**
+   * Server-managed optimistic-concurrency counter. Bumped by `UserStore.update`
+   * on every successful write; checked against `UserStoreUpdate.expectedVersion`
+   * for CAS. Callers MUST NOT write it directly — atscript-db rejects direct
+   * writes with `DbError("VERSION_COLUMN_WRITE")`. Optional in TS so pre-OCC
+   * fixtures keep compiling; the store seeds `0` on insert.
+   */
+  version?: number;
   password: PasswordData;
   account: AccountData;
   mfa: MfaData;
@@ -49,8 +57,8 @@ interface AccountData {
    * True while the user record exists from an admin-issued invite but the
    * invitee has not yet accepted (set password + activate). Used by
    * `InviteWorkflow` to gate the accept tail, reject duplicate invites, and
-   * power `auth.reInvite` / `auth.cancelInvite`. Absent / `false` once the
-   * invite has been accepted.
+   * power `auth/invite/resend` / `auth/invite/cancel`. Absent / `false` once
+   * the invite has been accepted.
    */
   pendingInvitation?: boolean;
 }
@@ -69,6 +77,12 @@ interface MfaMethod {
   confirmed: boolean;
   /** The method's value: email address, phone number, or TOTP secret */
   value: string;
+  /**
+   * Last HOTP counter accepted for this method (TOTP only). Server-managed
+   * replay guard — `verifyMfa` rejects any code whose matched counter is
+   * `<= lastUsedWindow`. Never written from user-facing input.
+   */
+  lastUsedWindow?: number;
 }
 interface UserServiceConfig {
   password?: PasswordConfig;
@@ -107,7 +121,23 @@ interface LockoutConfig {
   duration?: number;
 }
 interface PasswordPolicyDef {
-  rule: string | PasswordPolicyEvalFn;
+  /**
+   * Backend evaluator. Function only — executed directly with no sandbox.
+   * String rules were removed: `@prostojs/ftring`'s sandbox does NOT block
+   * prototype-chain escapes (`constructor.constructor("return process")()`,
+   * `__proto__.x = ...`), so accepting strings was an RCE vector. Authors
+   * use `definePasswordPolicy({ rule, args })` to get both this fn AND the
+   * serialized form for free.
+   */
+  rule: PasswordPolicyEvalFn;
+  /**
+   * Pre-baked function-literal text shipped to clients for cross-tier
+   * validation via `getTransferablePolicies()`. Authored as
+   * `(v) => (${ruleSource})(v, ${args.map(JSON.stringify).join(', ')})` by
+   * `definePasswordPolicy`. Absent → the policy is backend-only (frontend
+   * skips it; server-side check remains authoritative).
+   */
+  serialized?: string;
   description?: string;
   errorMessage?: string;
 }
@@ -127,8 +157,15 @@ interface UserStoreUpdate {
   set?: DeepPartial<UserCredentials>;
   /** Dot-paths to atomically increment: e.g. {'account.failedLoginAttempts': 1} */
   inc?: Record<string, number>;
+  /**
+   * Optimistic concurrency control: when supplied, the store applies the
+   * update iff the row's current `version` equals this value. On mismatch
+   * the store returns `false` (same shape as "not found") and does NOT
+   * mutate. Service callers treat both states as "stale read, retry".
+   */
+  expectedVersion?: number;
 }
-type UserAuthErrorType = "NOT_FOUND" | "ALREADY_EXISTS" | "LOCKED" | "INACTIVE" | "INVALID_CREDENTIALS" | "POLICY_VIOLATION" | "PASSWORDS_MISMATCH" | "PASSWORD_IN_HISTORY" | "MFA_REQUIRED" | "MFA_INVALID" | "MFA_NOT_CONFIGURED";
+type UserAuthErrorType = "NOT_FOUND" | "ALREADY_EXISTS" | "LOCKED" | "INACTIVE" | "INVALID_CREDENTIALS" | "POLICY_VIOLATION" | "PASSWORDS_MISMATCH" | "PASSWORD_IN_HISTORY" | "MFA_REQUIRED" | "MFA_INVALID" | "MFA_NOT_CONFIGURED" | "CAS_EXHAUSTED";
 interface LoginResult<T extends object = object> {
   user: UserCredentials & T;
   /** Whether MFA verification is required before granting full access */
@@ -171,6 +208,15 @@ interface TotpConfig {
 }
 //#endregion
 //#region src/store/user-store.d.ts
+interface WithCasOptions {
+  /**
+   * Total attempts (1 initial + retries). Default `2` = one retry. Each
+   * attempt re-reads the row so the mutator runs against fresh state — that
+   * is the whole point of retry under OCC. Bump for high-contention writers
+   * (bulk admin scripts); leave at default for normal per-user request flow.
+   */
+  maxAttempts?: number;
+}
 declare abstract class UserStore<T extends object = object> {
   abstract exists(username: string): Promise<boolean>;
   abstract findByUsername(username: string): Promise<(UserCredentials & T) | null>;
@@ -179,9 +225,22 @@ declare abstract class UserStore<T extends object = object> {
   /**
    * Hard-delete the row. Returns `true` when a row was removed, `false` when
    * the username was not found. Used by `UserService.deleteUser` (and in turn
-   * by the invite workflow's `auth.cancelInvite` step).
+   * by the invite workflow's `auth/invite/cancel` step).
    */
   abstract delete(username: string): Promise<boolean>;
+  /**
+   * Run a read-modify-write cycle under optimistic concurrency. Each attempt
+   * fetches the current row, calls `mutator` with it, and applies the returned
+   * patch under CAS (`expectedVersion = current.version`). On CAS miss the
+   * cycle repeats up to `opts.maxAttempts`. The mutator MAY return `null` to
+   * exit early without writing — used for "race-loser detects nothing left to
+   * do" paths (e.g. the backup code was already consumed by the winner).
+   *
+   * Throws `UserAuthError("NOT_FOUND")` when no row matches `username`, or
+   * `UserAuthError("CAS_EXHAUSTED")` when retries are saturated. Errors
+   * thrown from inside `mutator` propagate immediately without retry.
+   */
+  abstract withCas(username: string, mutator: (current: UserCredentials & T) => UserStoreUpdate | null, opts?: WithCasOptions): Promise<void>;
 }
 //#endregion
-export { UserStoreUpdate as C, UserServiceConfig as S, TotpConfig as _, LockoutConfig as a, UserAuthErrorType as b, MfaMethod as c, PasswordData as d, PasswordPolicyContext as f, PolicyCheckResult as g, PasswordPolicyInstance as h, LockStatus as i, MfaMethodInfo as l, PasswordPolicyEvalFn as m, AccountData as n, LoginResult as o, PasswordPolicyDef as p, DeepPartial as r, MfaData as s, UserStore as t, PasswordConfig as u, TransferablePolicy as v, UserCredentials as x, TrustedDeviceRecord as y };
+export { UserServiceConfig as C, UserCredentials as S, PolicyCheckResult as _, LockStatus as a, TrustedDeviceRecord as b, MfaData as c, PasswordConfig as d, PasswordData as f, PasswordPolicyInstance as g, PasswordPolicyEvalFn as h, DeepPartial as i, MfaMethod as l, PasswordPolicyDef as m, WithCasOptions as n, LockoutConfig as o, PasswordPolicyContext as p, AccountData as r, LoginResult as s, UserStore as t, MfaMethodInfo as u, TotpConfig as v, UserStoreUpdate as w, UserAuthErrorType as x, TransferablePolicy as y };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/user",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "User credential primitives for aoothjs",
   "keywords": [
     "aoothjs",
@@ -45,18 +45,15 @@
   "publishConfig": {
     "access": "public"
   },
-  "dependencies": {
-    "@prostojs/ftring": "^0.0.3"
-  },
   "devDependencies": {
-    "@atscript/core": "^0.1.56",
-    "@atscript/db": "^0.1.80",
-    "@atscript/db-sql-tools": "^0.1.80",
-    "@atscript/db-sqlite": "^0.1.80",
-    "@atscript/typescript": "^0.1.56",
+    "@atscript/core": "^0.1.61",
+    "@atscript/db": "^0.1.87",
+    "@atscript/db-sql-tools": "^0.1.87",
+    "@atscript/db-sqlite": "^0.1.87",
+    "@atscript/typescript": "^0.1.61",
     "@types/better-sqlite3": "^7.6.13",
     "better-sqlite3": "^12.6.2",
-    "unplugin-atscript": "^0.1.56"
+    "unplugin-atscript": "^0.1.61"
   },
   "peerDependencies": {
     "@atscript/db": ">=0.1.79"
@@ -70,6 +67,8 @@
     "build": "vp pack",
     "dev": "vp pack --watch",
     "test": "vp test",
-    "check": "vp check"
+    "check": "vp check",
+    "gen:atscript": "asc",
+    "postinstall": "asc"
   }
 }

package/src/atscript-db/user-credentials.as CHANGED Viewed

@@ -2,6 +2,9 @@ export interface AoothUserCredentials {
     @db.index.unique 'username_idx'
     username: string
+    @db.column.version
+    version: number.int
     @db.patch.strategy 'merge'
     password: {
         hash: string
@@ -25,7 +28,7 @@ export interface AoothUserCredentials {
     @db.patch.strategy 'merge'
     mfa: {
-        methods: { name: string, confirmed: boolean, value: string }[]
+        methods: { name: string, confirmed: boolean, value: string, lastUsedWindow?: number.int }[]
         defaultMethod: string
         autoSend: boolean
@@ -39,4 +42,6 @@ export interface AoothUserCredentials {
         expiresAt: number.timestamp
         name?: string
     }[]
+    backupCodes?: string[]
 }