@apito-io/js-admin-sdk 2.1.2 → 2.7.0

package/src/__tests__/client.test.ts

@@ -230,10 +230,7 @@ describe('ApitoClient', () => {
       const client = getTestClient();
 
       try {
-        const token = await client.generateTenantToken(
-          'ak_4HESWVQEXE7V4GVGGDRYGXVWXSCAJL44TAUICSLBPQTOB6CJ53KTU3GUOEXJUIXVAKFMM2BDRJRWWPKEN3DRA3HDLZUY4NZMVLFJUIK5H4BWLY26AUKDOHPZE2ENGJNCXPPPEBKCNLTUXXUFUKVDGYJ2H6CZCSMQCY5KSCYNJVYBXVJBYE6O7C73DI3NV7Q',
-          'ba0ee756-6aea-43a6-b052-c7baab3da91c'
-        );
+        const token = await client.generateTenantToken('ba0ee756-6aea-43a6-b052-c7baab3da91c');
 
         expect(token).toBeDefined();
         expect(typeof token).toBe('string');
@@ -245,6 +242,67 @@ describe('ApitoClient', () => {
     }, 30000);
   });
 
+  describe('Tenant users (Pro)', () => {
+    it('should search tenant users when APITO_PROJECT_ID is set', async () => {
+      const projectId = process.env.APITO_PROJECT_ID;
+      if (!projectId) {
+        console.log('Tenant users (Pro): skipped — set APITO_PROJECT_ID');
+        return;
+      }
+      const client = getTestClient();
+      try {
+        const { count, users } = await client.searchTenantUsers(projectId, 10, 0);
+        expect(count).toBeGreaterThanOrEqual(0);
+        console.log('✅ searchTenantUsers:', count, users?.length);
+      } catch (error) {
+        console.log('searchTenantUsers failed (may be expected):', error);
+      }
+    }, 30000);
+
+    it('should search tenants by domain when APITO_PROJECT_ID is set', async () => {
+      const projectId = process.env.APITO_PROJECT_ID;
+      if (!projectId) {
+        console.log('searchTenantsByDomain: skipped — set APITO_PROJECT_ID');
+        return;
+      }
+      const client = getTestClient();
+      try {
+        const { tenant } = await client.searchTenantsByDomain(projectId, 'example.invalid');
+        expect(tenant === null || typeof tenant?.id === 'string').toBe(true);
+        console.log('✅ searchTenantsByDomain:', tenant ? 'match' : 'no match');
+      } catch (error) {
+        console.log('searchTenantsByDomain failed (may be expected):', error);
+      }
+    }, 30000);
+
+    it('should login when APITO_PROJECT_ID and credentials are set', async () => {
+      const projectId = process.env.APITO_PROJECT_ID;
+      const email = process.env.APITO_TENANT_EMAIL ?? '';
+      const phone = process.env.APITO_TENANT_PHONE ?? '';
+      const password = process.env.APITO_TENANT_PASSWORD;
+      if (!projectId || !(email.trim() || phone.trim()) || !password) {
+        console.log(
+          'loginTenantUser skipped — set APITO_PROJECT_ID, APITO_TENANT_PASSWORD, and APITO_TENANT_EMAIL and/or APITO_TENANT_PHONE'
+        );
+        return;
+      }
+      const client = getTestClient();
+      try {
+        const login = await client.loginTenantUser({
+          projectId,
+          password,
+          ...(email.trim() ? { email: email.trim() } : {}),
+          ...(phone.trim() ? { phone: phone.trim() } : {}),
+        });
+        expect(login.token).toBeDefined();
+        expect(login.token.length).toBeGreaterThan(0);
+        console.log('✅ loginTenantUser token length:', login.token.length);
+      } catch (error) {
+        console.log('loginTenantUser failed (may be expected):', error);
+      }
+    }, 30000);
+  });
+
   describe('Debug', () => {
     it('should send debug data', async () => {
       const client = getTestClient();

package/src/client.ts

@@ -11,6 +11,14 @@ import {
   ApitoError,
   ValidationError,
   InjectedDBOperationInterface,
+  TenantLoginResponse,
+  TenantUser,
+  TenantUsersResponse,
+  TenantByDomainResponse,
+  TenantCatalogSearchRow,
+  TenantLoginParams,
+  CreateTenantUserParams,
+  UpdateTenantUserParams,
 } from './types';
 
 /**
@@ -32,7 +40,9 @@ export class ApitoClient implements InjectedDBOperationInterface {
       timeout: config.timeout || 30000,
       headers: {
         'Content-Type': 'application/json',
-        'X-Apito-Key': this.apiKey,
+        ...(this.apiKey.startsWith('cli-') || this.apiKey.startsWith('sdk-')
+          ? { 'X-Apito-Sync-Key': this.apiKey }
+          : { 'X-Apito-Key': this.apiKey }),
       },
       ...config.httpClient,
     });
@@ -60,7 +70,9 @@ export class ApitoClient implements InjectedDBOperationInterface {
 
       const headers: Record<string, string> = {
         'Content-Type': 'application/json',
-        'X-Apito-Key': this.apiKey,
+        ...(this.apiKey.startsWith('cli-') || this.apiKey.startsWith('sdk-')
+          ? { 'X-Apito-Sync-Key': this.apiKey }
+          : { 'X-Apito-Key': this.apiKey }),
       };
 
       if (options?.tenantId || this.tenantId) {
@@ -96,28 +108,35 @@ export class ApitoClient implements InjectedDBOperationInterface {
   }
 
   /**
-   * Generate a tenant-scoped API key for {@link tenantId}.
+   * Generate a tenant-scoped API key. Matches engine `generateTenantToken`: `tenant_id`, `duration`, optional `role`.
+   * Auth uses `X-Apito-Key` (client `apiKey`).
    *
-   * `token` is legacy and ignored; the engine authenticates via `X-Apito-Key` (client `apiKey`).
-   * Expiry is sent as a calendar day `YYYY-MM-DD`; defaults to one year ahead in UTC (same default as Go admin/internal SDK).
+   * @param tenantId Catalog tenant id (`tenant_id` in the mutation).
+   * @param duration Expiry calendar day `YYYY-MM-DD`. If omitted/empty, defaults to one year ahead in UTC.
+   * @param role Optional token role; if omitted/empty, the engine defaults to `admin`.
    */
-  async generateTenantToken(token: string, tenantId: string): Promise<string> {
-    void token;
-
-    const d = new Date();
-    const duration = `${d.getUTCFullYear() + 1}-${String(d.getUTCMonth() + 1).padStart(2, '0')}-${String(
-      d.getUTCDate()
-    ).padStart(2, '0')}`;
+  async generateTenantToken(tenantId: string, duration?: string, role?: string): Promise<string> {
+    let dur = (duration ?? '').trim();
+    if (!dur) {
+      const d = new Date();
+      dur = `${d.getUTCFullYear() + 1}-${String(d.getUTCMonth() + 1).padStart(2, '0')}-${String(
+        d.getUTCDate()
+      ).padStart(2, '0')}`;
+    }
 
     const query = `
-      mutation GenerateTenantToken($tenantId: String!, $duration: String!) {
-        generateTenantToken(tenant_id: $tenantId, duration: $duration) {
+      mutation GenerateTenantToken($tenantId: String!, $duration: String!, $role: String) {
+        generateTenantToken(tenant_id: $tenantId, duration: $duration, role: $role) {
           token
         }
       }
     `;
 
-    const variables = { tenantId, duration };
+    const variables: Record<string, any> = {
+      tenantId,
+      duration: dur,
+      role: role !== undefined && role.trim() !== '' ? role.trim() : null,
+    };
     const response = await this.executeGraphQL(query, variables, { tenantId });
 
     const data = response.data?.generateTenantToken;
@@ -128,6 +147,270 @@ export class ApitoClient implements InjectedDBOperationInterface {
     return data.token;
   }
 
+  /**
+   * Tenant catalog login (system GraphQL `loginTenantUser`). Password path: pass `password` and `email` or `phone` per project Authentication settings. Google OAuth path: `authMethod: 'google'` with `code` and `state` from the redirect; call `tenantGoogleOAuthState(projectId)` before opening Google to obtain `state`.
+   */
+  async loginTenantUser(params: TenantLoginParams): Promise<TenantLoginResponse> {
+    const authMethod = (params.authMethod ?? 'general').trim().toLowerCase() || 'general';
+    const variables: Record<string, any> = {
+      project_id: params.projectId,
+    };
+
+    if (authMethod === 'google') {
+      variables.auth_method = 'google';
+      const code = (params.code ?? '').trim();
+      const state = (params.state ?? '').trim();
+      if (!code || !state) {
+        throw new ValidationError('code and state are required for Google login');
+      }
+      variables.code = code;
+      variables.state = state;
+    } else {
+      const password = (params.password ?? '').trim();
+      if (!password) {
+        throw new ValidationError('password is required');
+      }
+      variables.password = password;
+      const email = (params.email ?? '').trim();
+      const phone = (params.phone ?? '').trim();
+      if (!email && !phone) {
+        throw new ValidationError('email or phone is required');
+      }
+      if (email) variables.email = email;
+      if (phone) variables.phone = phone;
+    }
+
+    const query = `
+      query LoginTenantUser($project_id: String!, $password: String, $auth_method: String, $email: String, $phone: String, $code: String, $state: String) {
+        loginTenantUser(project_id: $project_id, password: $password, auth_method: $auth_method, email: $email, phone: $phone, code: $code, state: $state) {
+          token
+          user {
+            id
+            email
+            phone
+            role
+            provider
+            tenant_id
+            status
+            created_at
+            updated_at
+          }
+        }
+      }
+    `;
+    const response = await this.executeGraphQL(query, variables);
+    const raw = response.data?.loginTenantUser;
+    if (!raw?.token) {
+      throw new ValidationError('Invalid response format for loginTenantUser');
+    }
+    return {
+      token: raw.token as string,
+      user: raw.user as TenantUser | undefined,
+    };
+  }
+
+  /**
+   * Signed OAuth state for tenant Google login (system query `tenantGoogleOAuthState`). Use in the authorize URL together with project `google_client_id` and the configured redirect URI.
+   */
+  async tenantGoogleOAuthState(projectId: string): Promise<{ state: string }> {
+    const query = `
+      query TenantGoogleOAuthState($project_id: String!) {
+        tenantGoogleOAuthState(project_id: $project_id) {
+          state
+        }
+      }
+    `;
+    const variables = { project_id: projectId };
+    const response = await this.executeGraphQL(query, variables);
+    const raw = response.data?.tenantGoogleOAuthState;
+    const state = typeof raw?.state === 'string' ? raw.state.trim() : '';
+    if (!state) {
+      throw new ValidationError('Invalid response format for tenantGoogleOAuthState');
+    }
+    return { state };
+  }
+
+  /**
+   * Search tenant users for a project.
+   */
+  async searchTenantUsers(
+    projectId: string,
+    limit?: number,
+    offset?: number
+  ): Promise<TenantUsersResponse> {
+    const query = `
+      query SearchTenantUsers($project_id: String!, $limit: Int, $offset: Int) {
+        searchTenantUsers(project_id: $project_id, limit: $limit, offset: $offset) {
+          count
+          users {
+            id
+            email
+            phone
+            role
+            provider
+            tenant_id
+            status
+            created_at
+            updated_at
+          }
+        }
+      }
+    `;
+    const variables: Record<string, any> = { project_id: projectId };
+    if (limit !== undefined) variables.limit = limit;
+    if (offset !== undefined) variables.offset = offset;
+    const response = await this.executeGraphQL(query, variables);
+    const raw = response.data?.searchTenantUsers;
+    if (!raw) {
+      throw new ValidationError('Invalid response format for searchTenantUsers');
+    }
+    let count = 0;
+    if (typeof raw.count === 'number') {
+      count = raw.count;
+    }
+    const users = (raw.users ?? []) as TenantUser[];
+    return { users, count };
+  }
+
+  /**
+   * Resolve the single SaaS catalog tenant for an exact domain match in the project (`tenant` null if none).
+   */
+  async searchTenantsByDomain(projectId: string, domain: string): Promise<TenantByDomainResponse> {
+    const query = `
+      query SearchTenantsByDomain($project_id: String!, $domain: String!) {
+        searchTenantsByDomain(project_id: $project_id, domain: $domain) {
+          tenant {
+            id
+            name
+            status
+            domain
+            data
+          }
+        }
+      }
+    `;
+    const variables: Record<string, any> = {
+      project_id: projectId,
+      domain,
+    };
+    const response = await this.executeGraphQL(query, variables);
+    const raw = response.data?.searchTenantsByDomain;
+    if (!raw) {
+      throw new ValidationError('Invalid response format for searchTenantsByDomain');
+    }
+    const tenant = (raw.tenant ?? null) as TenantCatalogSearchRow | null;
+    return { tenant };
+  }
+
+  /**
+   * Create a tenant catalog user (local password). Use `email` and/or `phone` per engine validation for the project identifier mode.
+   */
+  async createTenantUser(
+    projectId: string,
+    params: CreateTenantUserParams
+  ): Promise<TenantUser> {
+    const password = (params.password ?? '').trim();
+    if (!password) {
+      throw new ValidationError('password is required');
+    }
+    const query = `
+      mutation CreateTenantUser($project_id: String!, $password: String!, $role: String, $email: String, $phone: String) {
+        createTenantUser(project_id: $project_id, password: $password, role: $role, email: $email, phone: $phone) {
+          id
+          email
+          phone
+          role
+          provider
+          tenant_id
+          status
+          created_at
+          updated_at
+        }
+      }
+    `;
+    const variables: Record<string, any> = {
+      project_id: projectId,
+      password,
+    };
+    const role = (params.role ?? '').trim();
+    if (role) variables.role = role;
+    const email = (params.email ?? '').trim();
+    if (email) variables.email = email;
+    const phone = (params.phone ?? '').trim();
+    if (phone) variables.phone = phone;
+    const response = await this.executeGraphQL(query, variables);
+    const u = response.data?.createTenantUser;
+    if (!u?.id) {
+      throw new ValidationError('Invalid response format for createTenantUser');
+    }
+    return u as TenantUser;
+  }
+
+  /**
+   * Update a tenant catalog user. Project scope is implied by the API key. Only include fields to change.
+   */
+  async updateTenantUser(userId: string, params: UpdateTenantUserParams): Promise<TenantUser> {
+    const uid = (userId ?? '').trim();
+    if (!uid) {
+      throw new ValidationError('userId is required');
+    }
+    if (
+      params.email === undefined &&
+      params.phone === undefined &&
+      params.password === undefined &&
+      params.role === undefined
+    ) {
+      throw new ValidationError('at least one field must be provided');
+    }
+    const query = `
+      mutation UpdateTenantUser($user_id: String!, $email: String, $phone: String, $password: String, $role: String) {
+        updateTenantUser(user_id: $user_id, email: $email, phone: $phone, password: $password, role: $role) {
+          id
+          email
+          phone
+          role
+          provider
+          tenant_id
+          status
+          created_at
+          updated_at
+        }
+      }
+    `;
+    const variables: Record<string, any> = { user_id: uid };
+    if (params.email !== undefined) variables.email = params.email;
+    if (params.phone !== undefined) variables.phone = params.phone;
+    if (params.password !== undefined) variables.password = params.password;
+    if (params.role !== undefined) variables.role = params.role;
+    const response = await this.executeGraphQL(query, variables);
+    const u = response.data?.updateTenantUser;
+    if (!u?.id) {
+      throw new ValidationError('Invalid response format for updateTenantUser');
+    }
+    return u as TenantUser;
+  }
+
+  /**
+   * Delete a tenant catalog user by id. Project scope is implied by the API key.
+   */
+  async deleteTenantUser(userId: string): Promise<boolean> {
+    const uid = (userId ?? '').trim();
+    if (!uid) {
+      throw new ValidationError('userId is required');
+    }
+    const query = `
+      mutation DeleteTenantUser($user_id: String!) {
+        deleteTenantUser(user_id: $user_id)
+      }
+    `;
+    const response = await this.executeGraphQL(query, { user_id: uid });
+    const ok = response.data?.deleteTenantUser;
+    if (typeof ok !== 'boolean') {
+      throw new ValidationError('Invalid response format for deleteTenantUser');
+    }
+    return ok;
+  }
+
   /**
    * Get a single resource by model and ID
    */

package/src/index.ts

@@ -24,6 +24,9 @@ export type {
   ApitoError,
   ValidationError,
   InjectedDBOperationInterface,
+  TenantLoginParams,
+  CreateTenantUserParams,
+  UpdateTenantUserParams,
 } from './types';
 
 // Default export for convenience

package/src/types.ts

@@ -86,6 +86,76 @@ export interface CreateAndUpdateRequest {
   forceUpdate?: boolean;
 }
 
+/** Tenant catalog user from engine system DB (pro_tenant_users). */
+export interface TenantUser {
+  id: string;
+  email?: string;
+  phone?: string;
+  role: string;
+  tenant_id: string;
+  provider?: string;
+  status?: string;
+  created_at?: string;
+  updated_at?: string;
+}
+
+/** Login via system GraphQL `loginTenantUser`. Password path: use `email` or `phone` per project settings. Google OAuth code path: `authMethod: 'google'`, `code`, `state` from redirect (get `state` first via `tenantGoogleOAuthState`). */
+export interface TenantLoginParams {
+  projectId: string;
+  /** Required for general (password) login. */
+  password?: string;
+  email?: string;
+  phone?: string;
+  /** `general` (default) or `google`. */
+  authMethod?: string;
+  /** Google authorization code (with `authMethod: 'google'`). */
+  code?: string;
+  /** OAuth state from `tenantGoogleOAuthState` or callback (with `authMethod: 'google'`). */
+  state?: string;
+}
+
+export interface TenantGoogleOAuthStateResponse {
+  state: string;
+}
+
+export interface CreateTenantUserParams {
+  password: string;
+  role?: string;
+  email?: string;
+  phone?: string;
+}
+
+/** Optional fields for `updateTenantUser`; omitted keys are not sent. */
+export interface UpdateTenantUserParams {
+  email?: string;
+  phone?: string;
+  password?: string;
+  role?: string;
+}
+
+export interface TenantLoginResponse {
+  token: string;
+  user?: TenantUser;
+}
+
+export interface TenantUsersResponse {
+  users: TenantUser[];
+  count: number;
+}
+
+/** One SaaS catalog tenant row from searchTenantsByDomain. */
+export interface TenantCatalogSearchRow {
+  id: string;
+  name: string;
+  status?: string;
+  domain?: string;
+  data?: string;
+}
+
+export interface TenantByDomainResponse {
+  tenant: TenantCatalogSearchRow | null;
+}
+
 export interface ClientConfig {
   baseURL: string;
   apiKey: string;
@@ -121,7 +191,14 @@ export interface InjectedDBOperationInterface {
     options?: { tenantId?: string }
   ): Promise<GraphQLResponse>;
   /** @param token Legacy; ignored. Auth uses client API key. */
-  generateTenantToken(token: string, tenantId: string): Promise<string>;
+  generateTenantToken(tenantId: string, duration?: string, role?: string): Promise<string>;
+  loginTenantUser(params: TenantLoginParams): Promise<TenantLoginResponse>;
+  tenantGoogleOAuthState(projectId: string): Promise<TenantGoogleOAuthStateResponse>;
+  searchTenantUsers(projectId: string, limit?: number, offset?: number): Promise<TenantUsersResponse>;
+  searchTenantsByDomain(projectId: string, domain: string): Promise<TenantByDomainResponse>;
+  createTenantUser(projectId: string, params: CreateTenantUserParams): Promise<TenantUser>;
+  updateTenantUser(userId: string, params: UpdateTenantUserParams): Promise<TenantUser>;
+  deleteTenantUser(userId: string): Promise<boolean>;
   getSingleResource(model: string, id: string, singlePageData?: boolean): Promise<DefaultDocumentStructure>;
   searchResources(model: string, filter?: Record<string, any>, aggregate?: boolean): Promise<SearchResult>;
   getRelationDocuments(id: string, connection: Record<string, any>): Promise<SearchResult>;

package/src/version.ts

@@ -1,7 +1,7 @@
 /**
  * Apito JavaScript internal SDK version (kept in sync with package.json for releases)
  */
-export const Version = '2.1.1';
+export const Version = '2.7.0';
 
 /**
  * GetVersion returns the current version of the SDK