@augmenting-integrations/auth 8.4.1 → 8.5.0

package/dist/server.js

@@ -63,6 +63,9 @@ function createAuth(opts) {
     appDomain: tenant.appDomain,
     apex: tenant.apex
   });
+  const requiredIdentityGroups = opts.appAccess?.requiredIdentityGroups ?? [];
+  const hasAccessPolicy = requiredIdentityGroups.length > 0;
+  const forbiddenPage = opts.appAccess?.forbiddenPage ?? (tenant.appDomain === tenant.apex ? `/login?error=app_forbidden&app=${encodeURIComponent(tenant.appSlug ?? "apex")}` : `https://${tenant.apex}/login?error=app_forbidden&app=${encodeURIComponent(tenant.appSlug ?? "")}`);
   const config = {
     secret: authSecret,
     cookies: cookieDomain ? {
@@ -109,7 +112,7 @@ function createAuth(opts) {
     ],
     session: { strategy: "jwt" },
     callbacks: {
-      jwt: ({ token, user, profile }) => {
+      jwt: ({ token, user, profile, account }) => {
         if (user) {
           token.sub ??= user.id ?? void 0;
           token.email ??= user.email ?? void 0;
@@ -127,11 +130,18 @@ function createAuth(opts) {
             token["cognito:groups"] = groups;
           }
         }
+        if (account?.access_token) {
+          token["accessToken"] = account.access_token;
+        }
         return token;
       },
       session: ({ session, token }) => {
         const groups = token["cognito:groups"] ?? [];
         session.user.groups = groups;
+        const accessToken = token["accessToken"];
+        if (typeof accessToken === "string") {
+          session.accessToken = accessToken;
+        }
         return session;
       },
       authorized: ({ auth: session, request: { nextUrl } }) => {
@@ -147,6 +157,16 @@ function createAuth(opts) {
           }
           return false;
         }
+        if (session && isAuthedRoute && hasAccessPolicy) {
+          const userGroups = (session.user?.groups ?? []).map((g) => g.toLowerCase());
+          const allowed = requiredIdentityGroups.some(
+            (g) => userGroups.includes(g.toLowerCase())
+          );
+          if (!allowed) {
+            const target = forbiddenPage.startsWith("http") ? new URL(forbiddenPage) : new URL(forbiddenPage, nextUrl.origin);
+            return Response.redirect(target.toString(), 302);
+          }
+        }
         return true;
       },
       redirect: buildRedirectCallback(tenant.parentDomain)
@@ -293,89 +313,6 @@ function createGetOrCreateAppUser(opts) {
   };
 }
 
-// src/server/tenant.ts
-import "server-only";
-import * as React from "react";
-
-// src/tenant-types.ts
-var TENANT_GLOBAL_KEY = "__TENANT__";
-
-// src/server/tenant.ts
-function loadTenantConfig(opts) {
-  const env = process.env;
-  const o = opts.overrides ?? {};
-  const parentDomainRaw = o.parentDomain ?? env.AUTH_ALLOWED_PARENT_DOMAIN;
-  const apexFallback = parentDomainRaw?.replace(/^\./, "");
-  const draft = {
-    role: opts.role,
-    apex: o.apex ?? env.APEX_DOMAIN ?? apexFallback,
-    cookieDomain: o.cookieDomain ?? env.AUTH_COOKIE_DOMAIN,
-    parentDomain: parentDomainRaw,
-    region: o.region ?? env.AWS_REGION ?? "us-east-1",
-    appSlug: o.appSlug ?? env.APP_SLUG,
-    appDomain: o.appDomain ?? env.APP_DOMAIN,
-    authSecretArn: o.authSecretArn ?? env.AUTH_SECRET_ARN,
-    registryTable: o.registryTable ?? env.APP_REGISTRY_TABLE,
-    authCognitoSecretArn: o.authCognitoSecretArn ?? env.AUTH_COGNITO_SECRET_ARN,
-    cognitoIssuer: o.cognitoIssuer ?? env.AUTH_COGNITO_ISSUER,
-    cognitoClientId: o.cognitoClientId ?? env.AUTH_COGNITO_ID,
-    adminEmails: o.adminEmails ?? env.ADMIN_EMAILS,
-    dbSecretArn: o.dbSecretArn ?? env.DB_SECRET_ARN,
-    dbHost: o.dbHost ?? env.DB_HOST,
-    dbName: o.dbName ?? env.DB_NAME,
-    stripeSecretArn: o.stripeSecretArn ?? env.STRIPE_SECRET_ARN,
-    stripeWebhookSecretArn: o.stripeWebhookSecretArn ?? env.STRIPE_WEBHOOK_SECRET_ARN
-  };
-  if (opts.role === "apex" && !draft.appDomain) {
-    draft.appDomain = draft.apex;
-  }
-  const required = [
-    { key: "apex", env: "APEX_DOMAIN (or derived from AUTH_ALLOWED_PARENT_DOMAIN)" },
-    { key: "cookieDomain", env: "AUTH_COOKIE_DOMAIN" },
-    { key: "parentDomain", env: "AUTH_ALLOWED_PARENT_DOMAIN" },
-    { key: "authSecretArn", env: "AUTH_SECRET_ARN" },
-    { key: "appDomain", env: "APP_DOMAIN" }
-  ];
-  if (opts.role === "apex") {
-    required.push(
-      { key: "authCognitoSecretArn", env: "AUTH_COGNITO_SECRET_ARN" },
-      { key: "cognitoIssuer", env: "AUTH_COGNITO_ISSUER" },
-      { key: "cognitoClientId", env: "AUTH_COGNITO_ID" }
-    );
-  } else {
-    required.push({ key: "appSlug", env: "APP_SLUG" });
-  }
-  if (process.env.NEXT_PHASE === "phase-production-build" || !process.env.AWS_LAMBDA_FUNCTION_NAME) {
-    return draft;
-  }
-  const missing = required.filter((r) => !draft[r.key]).map((r) => r.env);
-  if (missing.length > 0) {
-    throw new Error(
-      `loadTenantConfig(${opts.role}): missing required env vars: ${missing.join(", ")}`
-    );
-  }
-  return draft;
-}
-function publicSubset(config) {
-  return {
-    apex: config.apex,
-    cookieDomain: config.cookieDomain,
-    parentDomain: config.parentDomain,
-    region: config.region,
-    appSlug: config.appSlug,
-    appDomain: config.appDomain,
-    role: config.role
-  };
-}
-var INNER_HTML_PROP = "dangerouslySetInnerHTML";
-function TenantBootScript({ config }) {
-  const payload = JSON.stringify(config).replace(/</g, "\\u003c");
-  const body = `window.${TENANT_GLOBAL_KEY}=${payload};`;
-  const props = {};
-  props[INNER_HTML_PROP] = { __html: body };
-  return React.createElement("script", props);
-}
-
 // src/server/handlers.ts
 import "server-only";
 import { NextResponse } from "next/server";
@@ -603,22 +540,279 @@ function createInvitationHandlers(opts) {
     }
   };
 }
+
+// src/server/settings.ts
+import "server-only";
+import { NextResponse as NextResponse2 } from "next/server";
+function getAccessToken(session) {
+  if (!session) return null;
+  const fromTop = session.accessToken;
+  if (typeof fromTop === "string" && fromTop.length > 0) return fromTop;
+  return null;
+}
+function accessTokenMissingResponse() {
+  return NextResponse2.json(
+    {
+      error: "Cognito access token not present on the session. The user must sign in fresh on the apex.",
+      code: "access_token_missing"
+    },
+    { status: 401 }
+  );
+}
+function jsonValidation(message) {
+  return NextResponse2.json({ error: message, code: "validation" }, { status: 400 });
+}
+function createSettingsHandlers(opts) {
+  const passwordChange = {
+    POST: async (request) => {
+      const session = await opts.auth();
+      if (!session?.user) {
+        return NextResponse2.json({ error: "unauthorized" }, { status: 401 });
+      }
+      const accessToken = getAccessToken(session);
+      if (!accessToken) return accessTokenMissingResponse();
+      let body;
+      try {
+        body = await request.json();
+      } catch {
+        return jsonValidation("invalid JSON body");
+      }
+      const currentPassword = typeof body.currentPassword === "string" ? body.currentPassword : "";
+      const newPassword = typeof body.newPassword === "string" ? body.newPassword : "";
+      if (!currentPassword) return jsonValidation("currentPassword required");
+      if (newPassword.length < 8)
+        return jsonValidation("newPassword must be at least 8 chars");
+      try {
+        await opts.cognito.changePassword({
+          accessToken,
+          previousPassword: currentPassword,
+          proposedPassword: newPassword
+        });
+        const appUser = await opts.getOrCreateAppUser(session);
+        const db = await opts.getDb();
+        await db.user.update({
+          where: { id: appUser.id },
+          data: { must_change_password: false }
+        });
+        return NextResponse2.json({ ok: true });
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return NextResponse2.json({ error: message, code: "cognito" }, { status: 400 });
+      }
+    }
+  };
+  const twoFactorSetup = {
+    POST: async () => {
+      const session = await opts.auth();
+      if (!session?.user) {
+        return NextResponse2.json({ error: "unauthorized" }, { status: 401 });
+      }
+      const accessToken = getAccessToken(session);
+      if (!accessToken) return accessTokenMissingResponse();
+      try {
+        const { secretCode } = await opts.cognito.associateSoftwareToken({
+          accessToken
+        });
+        const accountName = session.user.email ?? "user";
+        const otpAuthUri = opts.cognito.buildOtpAuthUri({
+          secret: secretCode,
+          accountName,
+          issuer: opts.appDisplayName
+        });
+        const qrDataUrl = opts.generateQrDataUrl ? await opts.generateQrDataUrl(otpAuthUri).catch(() => "") : "";
+        return NextResponse2.json({ qrDataUrl, otpAuthUri, secret: secretCode });
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return NextResponse2.json({ error: message, code: "cognito" }, { status: 500 });
+      }
+    }
+  };
+  const twoFactorVerify = {
+    POST: async (request) => {
+      const session = await opts.auth();
+      if (!session?.user) {
+        return NextResponse2.json({ error: "unauthorized" }, { status: 401 });
+      }
+      const accessToken = getAccessToken(session);
+      if (!accessToken) return accessTokenMissingResponse();
+      let body;
+      try {
+        body = await request.json();
+      } catch {
+        return jsonValidation("invalid JSON body");
+      }
+      const code = typeof body.code === "string" ? body.code : "";
+      if (!/^[0-9]{6}$/.test(code)) return jsonValidation("code must be 6 digits");
+      try {
+        const result = await opts.cognito.verifySoftwareToken({ accessToken, code });
+        if (result.status !== "SUCCESS") {
+          return NextResponse2.json(
+            { error: `verify failed: ${result.status}`, code: "verify_failed" },
+            { status: 400 }
+          );
+        }
+        await opts.cognito.setUserMfaPreference({ accessToken, enabled: true });
+        const appUser = await opts.getOrCreateAppUser(session);
+        const db = await opts.getDb();
+        await db.user.update({
+          where: { id: appUser.id },
+          data: { two_factor_confirmed_at: /* @__PURE__ */ new Date() }
+        });
+        return NextResponse2.json({ ok: true });
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return NextResponse2.json({ error: message, code: "cognito" }, { status: 500 });
+      }
+    }
+  };
+  const twoFactorDisable = {
+    POST: async () => {
+      const session = await opts.auth();
+      if (!session?.user) {
+        return NextResponse2.json({ error: "unauthorized" }, { status: 401 });
+      }
+      const accessToken = getAccessToken(session);
+      if (!accessToken) return accessTokenMissingResponse();
+      try {
+        await opts.cognito.setUserMfaPreference({ accessToken, enabled: false });
+        const appUser = await opts.getOrCreateAppUser(session);
+        const db = await opts.getDb();
+        await db.user.update({
+          where: { id: appUser.id },
+          data: { two_factor_confirmed_at: null }
+        });
+        return NextResponse2.json({ ok: true });
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return NextResponse2.json({ error: message, code: "cognito" }, { status: 500 });
+      }
+    }
+  };
+  return { passwordChange, twoFactorSetup, twoFactorVerify, twoFactorDisable };
+}
+
+// src/server/invitations.ts
+import "server-only";
+import { NextResponse as NextResponse3 } from "next/server";
+var EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+var ROLE_RE = /^[a-z_]+$/;
+var PARENT_RE = /^\d+$/;
+function jsonError(status, error, code, extra) {
+  return NextResponse3.json({ error, code, ...extra ?? {} }, { status });
+}
+function createInvitationSendHandlers(opts) {
+  const send = {
+    POST: async (request) => {
+      const session = await opts.auth();
+      if (!session?.user) return jsonError(401, "unauthorized", "unauthorized");
+      const caller = await opts.getOrCreateAppUser(session);
+      if (!opts.canInvite(caller.role)) {
+        return jsonError(403, "forbidden", "forbidden");
+      }
+      let body;
+      try {
+        body = await request.json();
+      } catch {
+        return jsonError(400, "invalid JSON body", "validation");
+      }
+      const email = typeof body.email === "string" ? body.email.trim().toLowerCase() : "";
+      const role = typeof body.role === "string" ? body.role.trim() : "";
+      const parentIdRaw = body.parent_id;
+      if (!EMAIL_RE.test(email) || email.length > 255) {
+        return jsonError(400, "invalid email", "validation");
+      }
+      if (!role || role.length > 30 || !ROLE_RE.test(role)) {
+        return jsonError(400, "role must be snake_case lowercase", "validation");
+      }
+      if (opts.allowedRoles && !opts.allowedRoles.includes(role)) {
+        return jsonError(
+          400,
+          `role must be one of: ${opts.allowedRoles.join(", ")}`,
+          "validation"
+        );
+      }
+      let parentOverride = null;
+      if (parentIdRaw !== void 0 && parentIdRaw !== null) {
+        if (typeof parentIdRaw !== "string" || !PARENT_RE.test(parentIdRaw)) {
+          return jsonError(
+            400,
+            "parent_id must be a stringified BigInt or null",
+            "validation"
+          );
+        }
+        parentOverride = BigInt(parentIdRaw);
+      }
+      const parent_id = opts.resolveInviteScope(caller, parentOverride);
+      const db = await opts.getDb();
+      const existing = await db.user.findUnique({ where: { email } });
+      if (existing) {
+        return jsonError(409, "user with that email already exists", "conflict");
+      }
+      const token = opts.generateInvitationToken();
+      const expiresAt = opts.invitationExpiresAt();
+      const invitation = await db.invitation.create({
+        data: {
+          token,
+          email,
+          inviter_id: caller.id,
+          intended_role: role,
+          parent_id,
+          expires_at: expiresAt
+        }
+      });
+      const origin = opts.appDomainEnv ? `https://${opts.appDomainEnv}` : new URL(request.url).origin;
+      const invitationUrl = opts.buildInvitationUrl(token, origin);
+      const rendered = opts.renderInvitationEmail({
+        inviterName: caller.name,
+        inviteeEmail: email,
+        intendedRole: role,
+        invitationUrl,
+        expiresAt,
+        appDisplayName: opts.appDisplayName
+      });
+      try {
+        await opts.sendEmail({
+          to: email,
+          subject: rendered.subject,
+          html: rendered.html,
+          text: rendered.text
+        });
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return NextResponse3.json(
+          {
+            invitationId: invitation.id.toString(),
+            expiresAt: invitation.expires_at.toISOString(),
+            warning: `invitation saved but email send failed: ${message}`
+          },
+          { status: 202 }
+        );
+      }
+      return NextResponse3.json(
+        {
+          invitationId: invitation.id.toString(),
+          expiresAt: invitation.expires_at.toISOString()
+        },
+        { status: 201 }
+      );
+    }
+  };
+  return { send };
+}
 export {
   AuthError,
   IMPERSONATE_COOKIE_NAME,
   IMPERSONATE_TTL_SECONDS,
-  TENANT_GLOBAL_KEY,
-  TenantBootScript,
   createAuth,
   createGetOrCreateAppUser,
   createImpersonateHandlers,
   createInvitationHandlers,
+  createInvitationSendHandlers,
   createMeHandler,
+  createSettingsHandlers,
   getUserGroups,
   hasGroup,
-  loadTenantConfig,
   mintImpersonationToken,
-  publicSubset,
   requireGroup,
   verifyImpersonationToken
 };