@arcote.tech/arc-auth 0.4.1

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "@arcote.tech/arc-auth",
+  "type": "module",
+  "version": "0.4.1",
+  "private": false,
+  "description": "Reusable authentication module for Arc framework — aggregate-based auth with factory pattern",
+  "main": "./src/index.ts",
+  "types": "./src/index.ts",
+  "scripts": {
+    "type-check": "tsc --noEmit"
+  },
+  "peerDependencies": {
+    "@arcote.tech/arc": "workspace:*",
+    "react": "^18.0.0 || ^19.0.0",
+    "typescript": "^5.0.0"
+  },
+  "devDependencies": {
+    "@types/bun": "latest"
+  }
+}

package/src/aggregates/account.ts

@@ -0,0 +1,301 @@
+/// <reference path="../arc.d.ts" />
+import {
+  aggregate,
+  boolean,
+  date,
+  string,
+  type $type,
+  type ArcRawShape,
+} from "@arcote.tech/arc";
+import type { AccountId } from "../ids/account";
+import type { Token } from "../tokens/token";
+
+/**
+ * Password helpers — server-only, tree-shaken on client.
+ */
+async function verifyPassword(
+  password: string,
+  hash: string,
+): Promise<boolean> {
+  return await Bun.password.verify(password, hash);
+}
+
+async function hashPassword(password: string): Promise<string> {
+  return await Bun.password.hash(password);
+}
+
+export type AccountAggregateData<CustomFields extends ArcRawShape> = {
+  name: string;
+  accountId: AccountId;
+  token: Token;
+  customFields: CustomFields;
+};
+
+export const createAccountAggregate = <
+  const CustomFields extends ArcRawShape,
+  const Data extends AccountAggregateData<CustomFields>,
+>(
+  data: Data,
+) => {
+  const { accountId, token, customFields } = data;
+
+  return (
+    aggregate(`${data.name}Accounts`, accountId, {
+      email: string().email(),
+      isEmailVerified: boolean(),
+      passwordHash: string().optional(),
+      authMethod: string(),
+      registeredAt: date(),
+      lastSignedInAt: date().optional(),
+      ...customFields,
+    })
+      // --- Public Events ---
+
+      .publicEvent(
+        "accountRegistered",
+        {
+          accountId,
+          email: string().email(),
+          passwordHash: string(),
+          ...customFields,
+        },
+        async (ctx, event) => {
+          const {
+            accountId: id,
+            email,
+            passwordHash,
+            ...customData
+          } = event.payload as any;
+          await ctx.set(id, {
+            email,
+            isEmailVerified: false,
+            passwordHash,
+            authMethod: "email",
+            registeredAt: event.createdAt,
+            lastSignedInAt: null,
+            ...customData,
+          } as any);
+        },
+      )
+
+      .publicEvent(
+        "accountRegisteredViaOAuth",
+        {
+          accountId,
+          email: string().email(),
+          provider: string(),
+          providerUserId: string(),
+          ...customFields,
+        },
+        async (ctx, event) => {
+          const {
+            accountId: id,
+            email,
+            provider: _provider,
+            providerUserId: _providerUserId,
+            ...customData
+          } = event.payload as any;
+          await ctx.set(id, {
+            email,
+            isEmailVerified: true,
+            passwordHash: null,
+            authMethod: "oauth",
+            registeredAt: event.createdAt,
+            lastSignedInAt: event.createdAt,
+            ...customData,
+          } as any);
+        },
+      )
+
+      .publicEvent(
+        "signedIn",
+        { accountId, email: string().email() },
+        async (ctx, event) => {
+          await ctx.modify(
+            event.payload.accountId as any,
+            {
+              lastSignedInAt: event.createdAt,
+            } as any,
+          );
+        },
+      )
+
+      .publicEvent("emailVerified", { accountId }, async (ctx, event) => {
+        await ctx.modify(
+          event.payload.accountId as any,
+          {
+            isEmailVerified: true,
+          } as any,
+        );
+      })
+
+      // --- Mutate Methods ---
+
+      /**
+       * register — server-only. Hashes password, emits accountRegistered.
+       */
+      .mutateMethod(
+        "register",
+        {
+          params: {
+            email: string().email(),
+            password: string().minLength(6).maxLength(32),
+            ...customFields,
+          },
+        },
+        ONLY_SERVER &&
+          (async (ctx: any, params: any) => {
+            const existing = await ctx.$query.findOne({ email: params.email });
+            if (existing) {
+              return { error: "EMAIL_ALREADY_TAKEN" as const };
+            }
+
+            const id = accountId.generate();
+            const pwHash = await hashPassword(params.password);
+            const { email, password: _pw, ...custom } = params;
+
+            await ctx.accountRegistered.emit({
+              accountId: id,
+              email,
+              passwordHash: pwHash,
+              ...custom,
+            });
+
+            return { accountId: id };
+          }),
+      )
+
+      /**
+       * signIn — server-only. Verifies password, checks email verification, returns JWT.
+       */
+      .mutateMethod(
+        "signIn",
+        {
+          params: {
+            email: string().email(),
+            password: string().minLength(6).maxLength(32),
+          },
+        },
+        ONLY_SERVER &&
+          (async (ctx: any, params: any) => {
+            const account = await ctx.$query.findOne({ email: params.email });
+
+            if (!account) {
+              return { error: "INVALID_EMAIL_OR_PASSWORD" as const };
+            }
+
+            const isValid = await verifyPassword(
+              params.password,
+              account.passwordHash,
+            );
+            if (!isValid) {
+              return { error: "INVALID_EMAIL_OR_PASSWORD" as const };
+            }
+
+            if (!account.isEmailVerified) {
+              return {
+                error: "EMAIL_NOT_VERIFIED" as const,
+                email: params.email,
+              };
+            }
+
+            const jwtToken = token.generateJWT({ accountId: account._id });
+
+            await ctx.signedIn.emit({
+              accountId: account._id,
+              email: params.email,
+            });
+
+            return { token: jwtToken };
+          }),
+      )
+
+      /**
+       * registerViaOAuth — server-only. Creates account from OAuth provider data.
+       */
+      .mutateMethod(
+        "registerViaOAuth",
+        {
+          params: {
+            email: string().email(),
+            provider: string(),
+            providerUserId: string(),
+            ...customFields,
+          },
+          result: {} as
+            | { accountId: $type<typeof accountId> }
+            | {
+                error: "EMAIL_ALREADY_TAKEN";
+                accountId: $type<typeof accountId>;
+              },
+        },
+        ONLY_SERVER &&
+          (async (ctx: any, params: any) => {
+            const existing = await ctx.$query.findOne({ email: params.email });
+            if (existing) {
+              return {
+                error: "EMAIL_ALREADY_TAKEN" as const,
+                accountId: existing._id,
+              };
+            }
+
+            const id = accountId.generate();
+            const { email, provider, providerUserId, ...custom } = params;
+
+            await ctx.accountRegisteredViaOAuth.emit({
+              accountId: id,
+              email,
+              provider,
+              providerUserId,
+              ...custom,
+            });
+
+            return { accountId: id };
+          }),
+      )
+
+      /**
+       * signInViaOAuth — server-only. Signs in via OAuth (no password check).
+       * Identity already verified by the OAuth provider.
+       */
+      .mutateMethod(
+        "signInViaOAuth",
+        {
+          params: {
+            email: string().email(),
+            provider: string(),
+            providerUserId: string(),
+          },
+          result: {} as { token: string } | { error: "ACCOUNT_NOT_FOUND" },
+        },
+        ONLY_SERVER &&
+          (async (ctx: any, params: any) => {
+            const account = await ctx.$query.findOne({ email: params.email });
+
+            if (!account) {
+              return { error: "ACCOUNT_NOT_FOUND" as const };
+            }
+
+            const jwtToken = token.generateJWT({ accountId: account._id });
+
+            await ctx.signedIn.emit({
+              accountId: account._id,
+              email: params.email,
+            });
+
+            return { token: jwtToken };
+          }),
+      )
+
+      .protectBy(token, (params: any) => ({ _id: params.accountId }))
+      .clientQuery("getAll", async (ctx) => ctx.$query.find({}))
+      .clientQuery("getMe", async (ctx) => ctx.$query.findOne({}))
+      .build()
+  );
+};
+
+export type AccountAggregate<
+  CustomFields extends ArcRawShape = ArcRawShape,
+  Data extends AccountAggregateData<CustomFields> =
+    AccountAggregateData<CustomFields>,
+> = ReturnType<typeof createAccountAggregate<CustomFields, Data>>;

package/src/aggregates/oauth-identity.ts

@@ -0,0 +1,131 @@
+import { aggregate, date, string } from "@arcote.tech/arc";
+import type { OAuthIdentityId } from "../ids/oauth-identity";
+import type { AccountId } from "../ids/account";
+
+export type OAuthIdentityAggregateData = {
+  name: string;
+  oauthIdentityId: OAuthIdentityId;
+  accountId: AccountId;
+};
+
+export const createOAuthIdentityAggregate = <
+  const Data extends OAuthIdentityAggregateData,
+>(
+  data: Data,
+) => {
+  const { oauthIdentityId, accountId } = data;
+
+  return aggregate(`${data.name}OAuthIdentities`, oauthIdentityId, {
+    accountId,
+    provider: string(),
+    providerUserId: string(),
+    providerEmail: string().email(),
+    linkedAt: date(),
+    lastUsedAt: date().optional(),
+  })
+    .publicEvent(
+      "oauthIdentityLinked",
+      {
+        oauthIdentityId,
+        accountId,
+        provider: string(),
+        providerUserId: string(),
+        providerEmail: string().email(),
+      },
+      async (ctx, event) => {
+        const {
+          oauthIdentityId: id,
+          accountId: accId,
+          provider,
+          providerUserId,
+          providerEmail,
+        } = event.payload as any;
+        await ctx.set(id, {
+          accountId: accId,
+          provider,
+          providerUserId,
+          providerEmail,
+          linkedAt: event.createdAt,
+          lastUsedAt: null,
+        } as any);
+      },
+    )
+
+    .publicEvent(
+      "oauthIdentityUsed",
+      { oauthIdentityId },
+      async (ctx, event) => {
+        await ctx.modify(event.payload.oauthIdentityId as any, {
+          lastUsedAt: event.createdAt,
+        } as any);
+      },
+    )
+
+    .publicEvent(
+      "oauthIdentityUnlinked",
+      { oauthIdentityId },
+      async (ctx, event) => {
+        await ctx.remove(event.payload.oauthIdentityId as any);
+      },
+    )
+
+    .mutateMethod(
+    "linkIdentity",
+    {
+        params: {
+          accountId,
+          provider: string(),
+          providerUserId: string(),
+          providerEmail: string().email(),
+        },
+      },
+      ONLY_SERVER &&
+        (async (ctx: any, params: any) => {
+          // Check for duplicate (same provider + providerUserId)
+          const existing = await ctx.$query.findOne({
+            provider: params.provider,
+            providerUserId: params.providerUserId,
+          });
+          if (existing) {
+            return { error: "OAUTH_IDENTITY_ALREADY_LINKED" as const };
+          }
+
+          const id = oauthIdentityId.generate();
+
+          await ctx.oauthIdentityLinked.emit({
+            oauthIdentityId: id,
+            accountId: params.accountId,
+            provider: params.provider,
+            providerUserId: params.providerUserId,
+            providerEmail: params.providerEmail,
+          });
+
+          return { oauthIdentityId: id };
+        }),
+    )
+
+    .mutateMethod(
+    "markUsed",
+    { params: { oauthIdentityId } },
+      ONLY_SERVER &&
+        (async (ctx: any, params: any) => {
+          await ctx.oauthIdentityUsed.emit({
+            oauthIdentityId: params.oauthIdentityId,
+          });
+        }),
+    )
+    .clientQuery("getAll", async (ctx) => ctx.$query.find({}))
+    .clientQuery(
+      "findByProvider",
+      async (ctx, params: { provider: string; providerUserId: string }) =>
+        ctx.$query.findOne({
+          provider: params.provider,
+          providerUserId: params.providerUserId,
+        }),
+    )
+    .build();
+};
+
+export type OAuthIdentityAggregate<
+  Data extends OAuthIdentityAggregateData = OAuthIdentityAggregateData,
+> = ReturnType<typeof createOAuthIdentityAggregate<Data>>;

package/src/arc.d.ts

@@ -0,0 +1,14 @@
+declare const BROWSER: boolean;
+declare const NOT_ON_BROWSER: boolean;
+declare const ONLY_BROWSER: boolean;
+declare const SERVER: boolean;
+declare const NOT_ON_SERVER: boolean;
+declare const ONLY_SERVER: boolean;
+
+// Bun runtime API — available on server only, tree-shaken on browser
+declare namespace Bun {
+  const password: {
+    verify(password: string, hash: string): Promise<boolean>;
+    hash(password: string): Promise<string>;
+  };
+}

package/src/auth-builder.ts

@@ -0,0 +1,132 @@
+import {
+  aggregateContextElement,
+  context,
+  route,
+  type ArcAggregateElement,
+  type ArcContextElement,
+  type ArcRawShape,
+  type AggregateConstructorAny,
+} from "@arcote.tech/arc";
+import { createAccountAggregate } from "./aggregates/account";
+import { createOAuthIdentityAggregate } from "./aggregates/oauth-identity";
+import { createAccountId } from "./ids/account";
+import { createOAuthIdentityId } from "./ids/oauth-identity";
+import { createToken } from "./tokens/token";
+import { createOAuthRoutes } from "./routes/oauth-routes";
+import type { OAuthProvidersConfig } from "./providers/types";
+
+export class AuthBuilder<
+  AccId,
+  Tok,
+  Account extends AggregateConstructorAny,
+  AccountEl extends ArcAggregateElement<Account>,
+  OAuthIdentity extends AggregateConstructorAny | undefined,
+  EnabledProviders extends string[],
+  Elements extends ArcContextElement<any>[],
+> {
+  constructor(
+    private readonly _name: string,
+    readonly accountId: AccId,
+    readonly token: Tok,
+    readonly Account: Account,
+    readonly accountElement: AccountEl,
+    readonly OAuthIdentity: OAuthIdentity,
+    readonly enabledProviders: EnabledProviders,
+    readonly elements: Elements,
+  ) {}
+
+  useOAuth(config: {
+    providers?: OAuthProvidersConfig;
+    baseUrl?: string;
+  }) {
+    const oauthIdentityId = createOAuthIdentityId({ name: this._name });
+    const OAuthIdentity = createOAuthIdentityAggregate({
+      name: this._name,
+      oauthIdentityId,
+      accountId: this.accountId as any,
+    });
+    const oauthIdentityElement = aggregateContextElement(OAuthIdentity);
+
+    const hasProviders = config.providers && config.baseUrl;
+    const routes = hasProviders
+      ? createOAuthRoutes({
+          providers: config.providers!,
+          baseUrl: config.baseUrl!,
+          token: this.token as any,
+          accountElement: this.accountElement,
+          oauthIdentityElement,
+        })
+      : null;
+
+    const oauthStart =
+      routes?.oauthStart ??
+      route("oauthStart")
+        .path("/auth/oauth/:provider/start")
+        .public()
+        .handle({});
+    const oauthCallback =
+      routes?.oauthCallback ??
+      route("oauthCallback")
+        .path("/auth/oauth/:provider/callback")
+        .public()
+        .handle({});
+
+    return new AuthBuilder(
+      this._name,
+      this.accountId,
+      this.token,
+      this.Account,
+      this.accountElement,
+      OAuthIdentity,
+      routes?.enabledProviders ?? ([] as string[]),
+      [
+        this.accountElement,
+        oauthIdentityElement,
+        oauthStart,
+        oauthCallback,
+      ] as const,
+    );
+  }
+
+  build() {
+    return {
+      context: context(this.elements),
+      accountId: this.accountId,
+      token: this.token,
+      Account: this.Account,
+      OAuthIdentity: this.OAuthIdentity,
+      enabledProviders: this.enabledProviders,
+    };
+  }
+}
+
+export function auth<
+  const Name extends string,
+  const CustomFields extends ArcRawShape,
+  const Secret extends string | undefined,
+>(config: {
+  name: Name;
+  customFields: CustomFields;
+  secret: Secret;
+}) {
+  const accountId = createAccountId({ name: config.name });
+  const token = createToken({ name: config.name, secret: config.secret });
+  const Account = createAccountAggregate({
+    name: config.name,
+    accountId,
+    token,
+    customFields: config.customFields,
+  });
+  const accountElement = aggregateContextElement(Account);
+
+  return new AuthBuilder(
+    config.name,
+    accountId,
+    token,
+    Account,
+    accountElement,
+    undefined,
+    [] as string[],
+    [accountElement] as const,
+  );
+}

package/src/ids/account.ts

@@ -0,0 +1,13 @@
+import { id } from "@arcote.tech/arc";
+
+export type AccountIdData = {
+  name: string;
+};
+
+export const createAccountId = <const Data extends AccountIdData>(
+  data: Readonly<Data>,
+) => id(`${data.name}Account`);
+
+export type AccountId<Data extends AccountIdData = AccountIdData> = ReturnType<
+  typeof createAccountId<Data>
+>;

package/src/ids/oauth-identity.ts

@@ -0,0 +1,15 @@
+import { id } from "@arcote.tech/arc";
+
+export type OAuthIdentityIdData = {
+  name: string;
+};
+
+export const createOAuthIdentityId = <
+  const Data extends OAuthIdentityIdData,
+>(
+  data: Readonly<Data>,
+) => id(`${data.name}OAuthIdentity`);
+
+export type OAuthIdentityId<
+  Data extends OAuthIdentityIdData = OAuthIdentityIdData,
+> = ReturnType<typeof createOAuthIdentityId<Data>>;