@aooth/user 0.1.6 → 0.1.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/user",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "User credential primitives for aoothjs",
   "keywords": [
     "aoothjs",
@@ -21,7 +21,10 @@
   },
   "files": [
     "dist",
-    "src/atscript-db/user-credentials.as"
+    "src/atscript-db/user-credentials.as",
+    "src/atscript-db/user-credentials.as.d.ts",
+    "src/atscript-db/federated-identity.as",
+    "src/atscript-db/federated-identity.as.d.ts"
   ],
   "type": "module",
   "sideEffects": false,
@@ -39,21 +42,32 @@
       "import": "./dist/atscript-db.mjs",
       "require": "./dist/atscript-db.cjs"
     },
-    "./atscript-db/model.as": "./src/atscript-db/user-credentials.as",
+    "./atscript-db/model.as": {
+      "types": "./src/atscript-db/user-credentials.as.d.ts",
+      "default": "./src/atscript-db/user-credentials.as"
+    },
+    "./atscript-db/federated-model": {
+      "types": "./src/atscript-db/federated-identity.as.d.ts",
+      "default": "./src/atscript-db/federated-identity.as"
+    },
+    "./atscript-db/federated-model.as": {
+      "types": "./src/atscript-db/federated-identity.as.d.ts",
+      "default": "./src/atscript-db/federated-identity.as"
+    },
     "./package.json": "./package.json"
   },
   "publishConfig": {
     "access": "public"
   },
   "devDependencies": {
-    "@atscript/core": "^0.1.64",
-    "@atscript/db": "^0.1.90",
-    "@atscript/db-sql-tools": "^0.1.90",
-    "@atscript/db-sqlite": "^0.1.90",
-    "@atscript/typescript": "^0.1.64",
+    "@atscript/core": "^0.1.69",
+    "@atscript/db": "^0.1.96",
+    "@atscript/db-sql-tools": "^0.1.96",
+    "@atscript/db-sqlite": "^0.1.96",
+    "@atscript/typescript": "^0.1.69",
     "@types/better-sqlite3": "^7.6.13",
     "better-sqlite3": "^12.6.2",
-    "unplugin-atscript": "^0.1.64"
+    "unplugin-atscript": "^0.1.69"
   },
   "peerDependencies": {
     "@atscript/db": ">=0.1.79"

package/src/atscript-db/federated-identity.as

@@ -0,0 +1,44 @@
+// Account-linking table: one external-provider account → exactly one aooth
+// user. The genuinely new piece of persistent state for federated login —
+// the `(provider, subject) → userId` map (RFC IDP.md §3.3). Shipped concrete
+// (own `@db.table`), like `AoothAuthCredential`; consumers can extend it with
+// `extends AoothFederatedIdentity {}` to re-own the table name, exactly as
+// `DemoAuthCredential` does.
+@db.table 'aooth_federated_identities'
+@db.depth.limit 0
+export interface AoothFederatedIdentity {
+    // Surrogate PK — lets a row be addressed (unlink-by-id) / extended.
+    @meta.id
+    @db.default.uuid
+    id: string
+
+    // Composite identity key. The SAME index name on both fields collapses
+    // into ONE compound UNIQUE index (atscript-db groups index fields by
+    // (type, name)) — so a provider account maps to at most one row, which is
+    // the anti-account-takeover guarantee (RFC §1 note #4, §4).
+    @db.index.unique 'provider_subject_idx'
+    provider: string                 // 'google' | 'github' | 'oidc:<issuer>' ...
+    @db.index.unique 'provider_subject_idx'
+    subject: string                  // the IdP's stable subject id (`sub`)
+
+    // Owner — the user's stable surrogate `id`. A PLAIN indexed string, NOT a
+    // `@db.rel.FK`: `@aooth/user` cannot know the consumer's concrete user
+    // table (`AoothUserCredentials` is an abstract, table-less base), so this
+    // mirrors `AoothAuthCredential.userId`. Cross-row cleanup is the explicit
+    // `FederatedIdentityStore.deleteAllForUser` (GDPR), not a DB cascade.
+    // Consumers wanting a hard FK + cascade re-declare it in their subclass.
+    @db.index.plain
+    userId: string
+
+    // Display snapshots — refreshed by `touchLogin` on each federated login;
+    // NOT join keys (the stable join is always `(provider, subject)`). A
+    // provider's snapshot email (e.g. Apple Private Relay) may differ from the
+    // user-row `email` handle, so these live here per-identity.
+    email?: string
+    emailVerified?: boolean
+    displayName?: string
+    avatarUrl?: string
+
+    linkedAt: number.timestamp
+    lastLoginAt?: number.timestamp
+}

package/src/atscript-db/federated-identity.as.d.ts

@@ -0,0 +1,62 @@
+// prettier-ignore-start
+/* eslint-disable */
+/* oxlint-disable */
+/// <reference path="./federated-identity.as" />
+/**
+ * 🪄 This file was generated by Atscript
+ * Do not edit this file!
+ */
+
+import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
+
+/**
+ * Atscript interface **AoothFederatedIdentity**
+ * @see {@link ./federated-identity.as:9:18}
+ */
+export declare class AoothFederatedIdentity {
+  id: string
+  provider: string
+  subject: string
+  userId: string
+  email?: string
+  emailVerified?: boolean
+  displayName?: string
+  avatarUrl?: string
+  linkedAt: number /* timestamp */
+  lastLoginAt?: number /* timestamp */
+  static __is_atscript_annotated_type: true
+  static type: TAtscriptTypeObject<keyof AoothFederatedIdentity, AoothFederatedIdentity>
+  static metadata: TMetadataMap<AtscriptMetadata>
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothFederatedIdentity>
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any
+  static __flat: {
+    "id": string
+    "provider": string
+    "subject": string
+    "userId": string
+    "email"?: string
+    "emailVerified"?: boolean
+    "displayName"?: string
+    "avatarUrl"?: string
+    "linkedAt": number /* timestamp */
+    "lastLoginAt"?: number /* timestamp */
+  }
+  static __ownProps: {
+    "id": string
+    "provider": string
+    "subject": string
+    "userId": string
+    "email"?: string
+    "emailVerified"?: boolean
+    "displayName"?: string
+    "avatarUrl"?: string
+    "linkedAt": number /* timestamp */
+    "lastLoginAt"?: number /* timestamp */
+  }
+  
+  static __pk: string
+}
+// prettier-ignore-end

package/src/atscript-db/user-credentials.as

@@ -1,7 +1,14 @@
 export interface AoothUserCredentials {
+    @meta.id
+    @db.default.uuid
+    id: string
+
     @db.index.unique 'username_idx'
     username: string
 
+    @db.index.unique 'email_idx'
+    email?: string
+
     @db.column.version
     version: number.int
 
@@ -42,6 +49,4 @@ export interface AoothUserCredentials {
         expiresAt: number.timestamp
         name?: string
     }[]
-
-    backupCodes?: string[]
 }

package/src/atscript-db/user-credentials.as.d.ts

@@ -0,0 +1,62 @@
+// prettier-ignore-start
+/* eslint-disable */
+/* oxlint-disable */
+/// <reference path="./user-credentials.as" />
+/**
+ * 🪄 This file was generated by Atscript
+ * Do not edit this file!
+ */
+
+import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
+
+/**
+ * Atscript interface **AoothUserCredentials**
+ * @see {@link ./user-credentials.as:1:18}
+ */
+export declare class AoothUserCredentials {
+  id: string
+  username: string
+  email?: string
+  version: number /* int */
+  password: {
+    hash: string
+    history: string[]
+    lastChanged: number /* timestamp */
+    isInitial: boolean
+  }
+  account: {
+    active: boolean
+    locked: boolean
+    lockReason: string
+    lockEnds: number /* timestamp */
+    failedLoginAttempts: number
+    lastLogin: number /* timestamp */
+    pendingInvitation?: boolean
+  }
+  mfa: {
+    methods: {
+      name: string
+      confirmed: boolean
+      value: string
+      lastUsedWindow?: number /* int */
+    }[]
+    defaultMethod: string
+    autoSend: boolean
+  }
+  trustedDevices?: {
+    token: string
+    ip?: string
+    issuedAt: number /* timestamp */
+    expiresAt: number /* timestamp */
+    name?: string
+  }[]
+  static __is_atscript_annotated_type: true
+  static type: TAtscriptTypeObject<keyof AoothUserCredentials, AoothUserCredentials>
+  static metadata: TMetadataMap<AtscriptMetadata>
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothUserCredentials>
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any
+}
+// prettier-ignore-end

package/dist/user-store-B3EStUfT.d.cts

@@ -1,246 +0,0 @@
-//#region src/types.d.ts
-interface UserCredentials {
-  id: string;
-  username: string;
-  /**
-   * Server-managed optimistic-concurrency counter. Bumped by `UserStore.update`
-   * on every successful write; checked against `UserStoreUpdate.expectedVersion`
-   * for CAS. Callers MUST NOT write it directly — atscript-db rejects direct
-   * writes with `DbError("VERSION_COLUMN_WRITE")`. Optional in TS so pre-OCC
-   * fixtures keep compiling; the store seeds `0` on insert.
-   */
-  version?: number;
-  password: PasswordData;
-  account: AccountData;
-  mfa: MfaData;
-  /**
-   * Hashed backup codes (SHA-256, hex-encoded). Generated via
-   * `UserService.generateBackupCodes`. Undefined when the user has not
-   * enrolled backup codes; an empty array means all codes were consumed.
-   */
-  backupCodes?: string[];
-  /**
-   * Persisted device-trust records ("remember this device, skip MFA next
-   * time"). Managed by `UserService.{issue,add,verify,revoke,list}TrustedDevice`.
-   * Absent when the user has never opted in.
-   */
-  trustedDevices?: TrustedDeviceRecord[];
-}
-interface TrustedDeviceRecord {
-  /** `<raw>.<sig>` — what we hand back to the consumer and what they round-trip. */
-  token: string;
-  /** Bound IP — set when `deviceTrust.bindsTo === 'cookie+ip'`. */
-  ip?: string;
-  issuedAt: number;
-  expiresAt: number;
-  /** Optional human-readable label (e.g. user-agent summary). */
-  name?: string;
-}
-interface PasswordData {
-  /** Self-describing scrypt hash: $scrypt$N=...,r=...,p=...,l=...$salt$hash */
-  hash: string;
-  /** Previous password hashes (self-describing strings) */
-  history: string[];
-  lastChanged: number;
-  /** True when password was system-generated and user hasn't set their own */
-  isInitial: boolean;
-}
-interface AccountData {
-  active: boolean;
-  locked: boolean;
-  lockReason: string;
-  /** 0 = permanent lock, >0 = timestamp (ms) when lock expires */
-  lockEnds: number;
-  failedLoginAttempts: number;
-  lastLogin: number;
-  /**
-   * True while the user record exists from an admin-issued invite but the
-   * invitee has not yet accepted (set password + activate). Used by
-   * `InviteWorkflow` to gate the accept tail, reject duplicate invites, and
-   * power `auth/invite/resend` / `auth/invite/cancel`. Absent / `false` once
-   * the invite has been accepted.
-   */
-  pendingInvitation?: boolean;
-}
-interface MfaData {
-  /** Registered MFA methods */
-  methods: MfaMethod[];
-  /** Name of the default MFA method */
-  defaultMethod: string;
-  /** Auto-send MFA challenge on login */
-  autoSend: boolean;
-}
-interface MfaMethod {
-  /** Method name: 'email', 'sms', 'totp' */
-  name: string;
-  /** Whether this method has been verified/confirmed */
-  confirmed: boolean;
-  /** The method's value: email address, phone number, or TOTP secret */
-  value: string;
-  /**
-   * Last HOTP counter accepted for this method (TOTP only). Server-managed
-   * replay guard — `verifyMfa` rejects any code whose matched counter is
-   * `<= lastUsedWindow`. Never written from user-facing input.
-   */
-  lastUsedWindow?: number;
-}
-interface UserServiceConfig {
-  password?: PasswordConfig;
-  lockout?: LockoutConfig;
-  /** Injectable clock for testability. Defaults to Date.now */
-  clock?: () => number;
-  /**
-   * Device-trust config. Required (with a non-empty `secret`) when any
-   * `issueTrustedDevice` / `verifyTrustedDevice` API is called; the methods
-   * throw clearly when invoked without it.
-   */
-  deviceTrust?: {
-    /** HMAC-SHA256 signing secret for trust-device tokens. */secret: string;
-  };
-}
-interface PasswordConfig {
-  /** Pepper string prepended to password before hashing */
-  pepper?: string;
-  /** Number of historical hashes to retain (0 = disabled) */
-  historyLength?: number;
-  /** scrypt cost parameter N (default 16384) */
-  scryptN?: number;
-  /** scrypt block size r (default 8) */
-  scryptR?: number;
-  /** scrypt parallelism p (default 1) */
-  scryptP?: number;
-  /** Hash output length in bytes (default 64) */
-  keyLength?: number;
-  /** Password policy rules */
-  policies?: (PasswordPolicyDef | PasswordPolicyInstance)[];
-}
-interface LockoutConfig {
-  /** Lock after this many failed attempts (0 = disabled) */
-  threshold?: number;
-  /** Lock duration in ms (0 = permanent) */
-  duration?: number;
-}
-interface PasswordPolicyDef {
-  /**
-   * Backend evaluator. Function only — executed directly with no sandbox.
-   * String rules were removed: `@prostojs/ftring`'s sandbox does NOT block
-   * prototype-chain escapes (`constructor.constructor("return process")()`,
-   * `__proto__.x = ...`), so accepting strings was an RCE vector. Authors
-   * use `definePasswordPolicy({ rule, args })` to get both this fn AND the
-   * serialized form for free.
-   */
-  rule: PasswordPolicyEvalFn;
-  /**
-   * Pre-baked function-literal text shipped to clients for cross-tier
-   * validation via `getTransferablePolicies()`. Authored as
-   * `(v) => (${ruleSource})(v, ${args.map(JSON.stringify).join(', ')})` by
-   * `definePasswordPolicy`. Absent → the policy is backend-only (frontend
-   * skips it; server-side check remains authoritative).
-   */
-  serialized?: string;
-  description?: string;
-  errorMessage?: string;
-}
-type PasswordPolicyEvalFn = (password: string, context?: PasswordPolicyContext) => boolean | Promise<boolean>;
-interface PasswordPolicyContext {
-  passwordData?: PasswordData;
-  passwordConfig?: PasswordConfig;
-}
-/** Interface satisfied by the PasswordPolicy class (avoids circular import) */
-interface PasswordPolicyInstance extends PasswordPolicyDef {
-  evaluate(password: string, context?: PasswordPolicyContext): boolean | Promise<boolean>;
-  transferable: boolean;
-}
-type DeepPartial<T> = { [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P] };
-interface UserStoreUpdate {
-  /** Partial object with fields to set (deep-merged) */
-  set?: DeepPartial<UserCredentials>;
-  /** Dot-paths to atomically increment: e.g. {'account.failedLoginAttempts': 1} */
-  inc?: Record<string, number>;
-  /**
-   * Optimistic concurrency control: when supplied, the store applies the
-   * update iff the row's current `version` equals this value. On mismatch
-   * the store returns `false` (same shape as "not found") and does NOT
-   * mutate. Service callers treat both states as "stale read, retry".
-   */
-  expectedVersion?: number;
-}
-type UserAuthErrorType = "NOT_FOUND" | "ALREADY_EXISTS" | "LOCKED" | "INACTIVE" | "INVALID_CREDENTIALS" | "POLICY_VIOLATION" | "PASSWORDS_MISMATCH" | "PASSWORD_IN_HISTORY" | "MFA_REQUIRED" | "MFA_INVALID" | "MFA_NOT_CONFIGURED" | "CAS_EXHAUSTED";
-interface LoginResult<T extends object = object> {
-  user: UserCredentials & T;
-  /** Whether MFA verification is required before granting full access */
-  mfaRequired: boolean;
-}
-interface LockStatus {
-  locked: boolean;
-  /** True when lock has a non-zero lockEnds that is in the past */
-  expired: boolean;
-  reason: string;
-  lockEnds: number;
-}
-interface PolicyCheckResult {
-  passed: boolean;
-  policies: {
-    description: string;
-    passed: boolean;
-  }[];
-  errors: string[];
-}
-interface TransferablePolicy {
-  rule: string;
-  description?: string;
-  errorMessage?: string;
-}
-interface MfaMethodInfo {
-  name: string;
-  isDefault: boolean;
-  masked: string;
-}
-interface TotpConfig {
-  /** Time step in seconds (default 30) */
-  period?: number;
-  /** Number of digits in the code (default 6) */
-  digits?: number;
-  /** Verification window — number of steps to check on each side (default 1) */
-  window?: number;
-  /** Injectable clock for testability */
-  clock?: () => number;
-}
-//#endregion
-//#region src/store/user-store.d.ts
-interface WithCasOptions {
-  /**
-   * Total attempts (1 initial + retries). Default `2` = one retry. Each
-   * attempt re-reads the row so the mutator runs against fresh state — that
-   * is the whole point of retry under OCC. Bump for high-contention writers
-   * (bulk admin scripts); leave at default for normal per-user request flow.
-   */
-  maxAttempts?: number;
-}
-declare abstract class UserStore<T extends object = object> {
-  abstract exists(username: string): Promise<boolean>;
-  abstract findByUsername(username: string): Promise<(UserCredentials & T) | null>;
-  abstract create(data: UserCredentials & T): Promise<void>;
-  abstract update(username: string, update: UserStoreUpdate): Promise<boolean>;
-  /**
-   * Hard-delete the row. Returns `true` when a row was removed, `false` when
-   * the username was not found. Used by `UserService.deleteUser` (and in turn
-   * by the invite workflow's `auth/invite/cancel` step).
-   */
-  abstract delete(username: string): Promise<boolean>;
-  /**
-   * Run a read-modify-write cycle under optimistic concurrency. Each attempt
-   * fetches the current row, calls `mutator` with it, and applies the returned
-   * patch under CAS (`expectedVersion = current.version`). On CAS miss the
-   * cycle repeats up to `opts.maxAttempts`. The mutator MAY return `null` to
-   * exit early without writing — used for "race-loser detects nothing left to
-   * do" paths (e.g. the backup code was already consumed by the winner).
-   *
-   * Throws `UserAuthError("NOT_FOUND")` when no row matches `username`, or
-   * `UserAuthError("CAS_EXHAUSTED")` when retries are saturated. Errors
-   * thrown from inside `mutator` propagate immediately without retry.
-   */
-  abstract withCas(username: string, mutator: (current: UserCredentials & T) => UserStoreUpdate | null, opts?: WithCasOptions): Promise<void>;
-}
-//#endregion
-export { UserServiceConfig as C, UserCredentials as S, PolicyCheckResult as _, LockStatus as a, TrustedDeviceRecord as b, MfaData as c, PasswordConfig as d, PasswordData as f, PasswordPolicyInstance as g, PasswordPolicyEvalFn as h, DeepPartial as i, MfaMethod as l, PasswordPolicyDef as m, WithCasOptions as n, LockoutConfig as o, PasswordPolicyContext as p, AccountData as r, LoginResult as s, UserStore as t, MfaMethodInfo as u, TotpConfig as v, UserStoreUpdate as w, UserAuthErrorType as x, TransferablePolicy as y };