@aooth/user 0.1.7 → 0.1.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aooth/user",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "User credential primitives for aoothjs",
   "keywords": [
     "aoothjs",
@@ -21,7 +21,10 @@
   },
   "files": [
     "dist",
-    "src/atscript-db/user-credentials.as"
+    "src/atscript-db/user-credentials.as",
+    "src/atscript-db/user-credentials.as.d.ts",
+    "src/atscript-db/federated-identity.as",
+    "src/atscript-db/federated-identity.as.d.ts"
   ],
   "type": "module",
   "sideEffects": false,
@@ -39,21 +42,32 @@
       "import": "./dist/atscript-db.mjs",
       "require": "./dist/atscript-db.cjs"
     },
-    "./atscript-db/model.as": "./src/atscript-db/user-credentials.as",
+    "./atscript-db/model.as": {
+      "types": "./src/atscript-db/user-credentials.as.d.ts",
+      "default": "./src/atscript-db/user-credentials.as"
+    },
+    "./atscript-db/federated-model": {
+      "types": "./src/atscript-db/federated-identity.as.d.ts",
+      "default": "./src/atscript-db/federated-identity.as"
+    },
+    "./atscript-db/federated-model.as": {
+      "types": "./src/atscript-db/federated-identity.as.d.ts",
+      "default": "./src/atscript-db/federated-identity.as"
+    },
     "./package.json": "./package.json"
   },
   "publishConfig": {
     "access": "public"
   },
   "devDependencies": {
-    "@atscript/core": "^0.1.64",
-    "@atscript/db": "^0.1.91",
-    "@atscript/db-sql-tools": "^0.1.91",
-    "@atscript/db-sqlite": "^0.1.91",
-    "@atscript/typescript": "^0.1.64",
+    "@atscript/core": "^0.1.69",
+    "@atscript/db": "^0.1.96",
+    "@atscript/db-sql-tools": "^0.1.96",
+    "@atscript/db-sqlite": "^0.1.96",
+    "@atscript/typescript": "^0.1.69",
     "@types/better-sqlite3": "^7.6.13",
     "better-sqlite3": "^12.6.2",
-    "unplugin-atscript": "^0.1.64"
+    "unplugin-atscript": "^0.1.69"
   },
   "peerDependencies": {
     "@atscript/db": ">=0.1.79"

package/src/atscript-db/federated-identity.as

@@ -0,0 +1,44 @@
+// Account-linking table: one external-provider account → exactly one aooth
+// user. The genuinely new piece of persistent state for federated login —
+// the `(provider, subject) → userId` map (RFC IDP.md §3.3). Shipped concrete
+// (own `@db.table`), like `AoothAuthCredential`; consumers can extend it with
+// `extends AoothFederatedIdentity {}` to re-own the table name, exactly as
+// `DemoAuthCredential` does.
+@db.table 'aooth_federated_identities'
+@db.depth.limit 0
+export interface AoothFederatedIdentity {
+    // Surrogate PK — lets a row be addressed (unlink-by-id) / extended.
+    @meta.id
+    @db.default.uuid
+    id: string
+
+    // Composite identity key. The SAME index name on both fields collapses
+    // into ONE compound UNIQUE index (atscript-db groups index fields by
+    // (type, name)) — so a provider account maps to at most one row, which is
+    // the anti-account-takeover guarantee (RFC §1 note #4, §4).
+    @db.index.unique 'provider_subject_idx'
+    provider: string                 // 'google' | 'github' | 'oidc:<issuer>' ...
+    @db.index.unique 'provider_subject_idx'
+    subject: string                  // the IdP's stable subject id (`sub`)
+
+    // Owner — the user's stable surrogate `id`. A PLAIN indexed string, NOT a
+    // `@db.rel.FK`: `@aooth/user` cannot know the consumer's concrete user
+    // table (`AoothUserCredentials` is an abstract, table-less base), so this
+    // mirrors `AoothAuthCredential.userId`. Cross-row cleanup is the explicit
+    // `FederatedIdentityStore.deleteAllForUser` (GDPR), not a DB cascade.
+    // Consumers wanting a hard FK + cascade re-declare it in their subclass.
+    @db.index.plain
+    userId: string
+
+    // Display snapshots — refreshed by `touchLogin` on each federated login;
+    // NOT join keys (the stable join is always `(provider, subject)`). A
+    // provider's snapshot email (e.g. Apple Private Relay) may differ from the
+    // user-row `email` handle, so these live here per-identity.
+    email?: string
+    emailVerified?: boolean
+    displayName?: string
+    avatarUrl?: string
+
+    linkedAt: number.timestamp
+    lastLoginAt?: number.timestamp
+}

package/src/atscript-db/federated-identity.as.d.ts

@@ -0,0 +1,62 @@
+// prettier-ignore-start
+/* eslint-disable */
+/* oxlint-disable */
+/// <reference path="./federated-identity.as" />
+/**
+ * 🪄 This file was generated by Atscript
+ * Do not edit this file!
+ */
+
+import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
+
+/**
+ * Atscript interface **AoothFederatedIdentity**
+ * @see {@link ./federated-identity.as:9:18}
+ */
+export declare class AoothFederatedIdentity {
+  id: string
+  provider: string
+  subject: string
+  userId: string
+  email?: string
+  emailVerified?: boolean
+  displayName?: string
+  avatarUrl?: string
+  linkedAt: number /* timestamp */
+  lastLoginAt?: number /* timestamp */
+  static __is_atscript_annotated_type: true
+  static type: TAtscriptTypeObject<keyof AoothFederatedIdentity, AoothFederatedIdentity>
+  static metadata: TMetadataMap<AtscriptMetadata>
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothFederatedIdentity>
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any
+  static __flat: {
+    "id": string
+    "provider": string
+    "subject": string
+    "userId": string
+    "email"?: string
+    "emailVerified"?: boolean
+    "displayName"?: string
+    "avatarUrl"?: string
+    "linkedAt": number /* timestamp */
+    "lastLoginAt"?: number /* timestamp */
+  }
+  static __ownProps: {
+    "id": string
+    "provider": string
+    "subject": string
+    "userId": string
+    "email"?: string
+    "emailVerified"?: boolean
+    "displayName"?: string
+    "avatarUrl"?: string
+    "linkedAt": number /* timestamp */
+    "lastLoginAt"?: number /* timestamp */
+  }
+  
+  static __pk: string
+}
+// prettier-ignore-end

package/src/atscript-db/user-credentials.as

@@ -1,7 +1,14 @@
 export interface AoothUserCredentials {
+    @meta.id
+    @db.default.uuid
+    id: string
+
     @db.index.unique 'username_idx'
     username: string
 
+    @db.index.unique 'email_idx'
+    email?: string
+
     @db.column.version
     version: number.int
 
@@ -42,6 +49,4 @@ export interface AoothUserCredentials {
         expiresAt: number.timestamp
         name?: string
     }[]
-
-    backupCodes?: string[]
 }

package/src/atscript-db/user-credentials.as.d.ts

@@ -0,0 +1,62 @@
+// prettier-ignore-start
+/* eslint-disable */
+/* oxlint-disable */
+/// <reference path="./user-credentials.as" />
+/**
+ * 🪄 This file was generated by Atscript
+ * Do not edit this file!
+ */
+
+import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
+
+/**
+ * Atscript interface **AoothUserCredentials**
+ * @see {@link ./user-credentials.as:1:18}
+ */
+export declare class AoothUserCredentials {
+  id: string
+  username: string
+  email?: string
+  version: number /* int */
+  password: {
+    hash: string
+    history: string[]
+    lastChanged: number /* timestamp */
+    isInitial: boolean
+  }
+  account: {
+    active: boolean
+    locked: boolean
+    lockReason: string
+    lockEnds: number /* timestamp */
+    failedLoginAttempts: number
+    lastLogin: number /* timestamp */
+    pendingInvitation?: boolean
+  }
+  mfa: {
+    methods: {
+      name: string
+      confirmed: boolean
+      value: string
+      lastUsedWindow?: number /* int */
+    }[]
+    defaultMethod: string
+    autoSend: boolean
+  }
+  trustedDevices?: {
+    token: string
+    ip?: string
+    issuedAt: number /* timestamp */
+    expiresAt: number /* timestamp */
+    name?: string
+  }[]
+  static __is_atscript_annotated_type: true
+  static type: TAtscriptTypeObject<keyof AoothUserCredentials, AoothUserCredentials>
+  static metadata: TMetadataMap<AtscriptMetadata>
+  static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothUserCredentials>
+  /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
+  static toJsonSchema: () => any
+  /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
+  static toExampleData?: () => any
+}
+// prettier-ignore-end