npm - @auth-craft/tenant-access-control-dynamodb - Versions diffs - 0.0.1 → 0.0.2 - Mend

@auth-craft/tenant-access-control-dynamodb 0.0.1 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js CHANGED Viewed

@@ -2,9 +2,547 @@ import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
 import { DynamoDBDocumentClient, GetCommand, PutCommand, UpdateCommand, DeleteCommand, QueryCommand, TransactWriteCommand } from '@aws-sdk/lib-dynamodb';
 import { ok, err } from 'ts-micro-result';
 import { tenantAccessErrors } from '@auth-craft/tenant-access-control';
-import { TableAttr, KeyPattern, KeyExtractor, millisToDate, GSIKeys, GSIName } from '@auth-craft/database-plugin-dynamodb';
 // src/index.ts
+// ../auth-core/dist/chunk-66N4CPWZ.mjs
+var USER_STATUS = {
+  ACTIVE: "active"};
+// ../database-plugin-dynamodb/dist/index.mjs
+var EntityPrefix = {
+  USER: "USR"
+};
+var PkPrefix = {
+  USER: `${EntityPrefix.USER}#`,
+  SESSION: "SES#",
+  PROVIDER: "PRV#",
+  CHALLENGE: "CHL#",
+  IDENTITY: "IDT#",
+  // Identity (email/phone/username)
+  CREDENTIAL: "CRD#",
+  // Credential (password, passkey, etc.)
+  // Note: MFA credentials use PK: USR#{userId} (stored under user, not separate partition)
+  TENANT: "TNT#",
+  // TenantMember (SCHEMA_V4 multi-tenant)
+  AUDIENCE: "AUD#"
+  // Audience prefix for TenantMember SK
+};
+var SkPrefix = {
+  METADATA: "MD",
+  // Metadata suffix for entities
+  AUTH: "AUTH",
+  // UserAuth entity (SCHEMA_V4)
+  PROFILE: "PROF",
+  // UserProfile entity (SCHEMA_V4)
+  PROVIDER: "PRV#",
+  MFA: "MFA#"
+  // UserMFAAuthenticator entity (SCHEMA_V4)
+};
+var DELIMITER = "#";
+var KeyPattern = {
+  // ============================================
+  // USER
+  // ============================================
+  /**
+   * User PK
+   * Pattern: USR#{userId}
+   */
+  USER_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * User Auth SK (SCHEMA_V4)
+   * Pattern: AUTH
+   * Stores: userStatus, mfaRequired, mfaMethods[], createdAt, updatedAt
+   *
+   * Removed in SCHEMA_V4:
+   * - email, phone fields → moved to Identity entity
+   * - passwordHash → moved to Credential entity
+   * - lockedUntil, failedLoginAttempts → moved to Identity.guards (per-method)
+   * - MFA credentials (mfaSecret, mfaBackupCodes) → moved to UserMFAAuthenticator items
+   * - Profile fields (givenName, familyName, avatarUrl, locale, metadata) → moved to PROF item
+   * - tokenVersion → removed (use Session.revokedAt instead)
+   * - permissions → removed from UserAuth (use TenantMember.permMask or Session.permMask)
+   */
+  USER_AUTH_SK: () => SkPrefix.AUTH,
+  /**
+   * User Profile SK (SCHEMA_V4)
+   * Pattern: PROF
+   * Stores: userStatus, deletedAt, givenName, familyName, avatarUrl,
+   *         locale, metadata, createdAt, updatedAt, statusPk, statusSk
+   *
+   * Removed in SCHEMA_V4:
+   * - email, phone fields → moved to Identity entity
+   */
+  USER_PROFILE_SK: () => SkPrefix.PROFILE,
+  // ============================================
+  // USER MFA AUTHENTICATOR (SCHEMA_V4)
+  // ============================================
+  /**
+   * UserMFAAuthenticator SK (single-instance methods like TOTP)
+   * Pattern: MFA#{method}
+   * Example: MFA#totp
+   * Used by: Single-instance MFA methods that don't need ID
+   */
+  USER_MFA_SK: (method) => `${SkPrefix.MFA}${method}`,
+  /**
+   * UserMFAAuthenticator SK (multi-instance methods like WebAuthn)
+   * Pattern: MFA#{method}#{id}
+   * Example: MFA#webauthn#key_abc123, MFA#passkey#pk_xyz789
+   * Used by: Multi-instance MFA methods (security keys, passkeys)
+   */
+  USER_MFA_WITH_ID_SK: (method, id) => `${SkPrefix.MFA}${method}${DELIMITER}${id}`,
+  // ============================================
+  // TENANT MEMBER (SCHEMA_V4)
+  // ============================================
+  /**
+   * Tenant Member PK
+   * Pattern: TNT#{tenantId}
+   * Example: TNT#org-abc
+   * Used by: DynamoDBTenantMemberItem (main table)
+   */
+  TENANT_MEMBER_PK: (tenantId) => `${PkPrefix.TENANT}${tenantId}`,
+  /**
+   * Tenant Member SK
+   * Pattern: AUD#{audience}#USR#{userId}
+   * Example: AUD#admin#USR#01HQZX8V9ABCDEFGHIJK
+   * Used by: DynamoDBTenantMemberItem (main table)
+   */
+  TENANT_MEMBER_SK: (audience, userId) => `${PkPrefix.AUDIENCE}${audience}${DELIMITER}${PkPrefix.USER}${userId}`,
+  /**
+   * Tenant Member SK Prefix (for querying by audience)
+   * Pattern: AUD#{audience}#
+   * Example: AUD#admin#
+   * Used for: Query all members in a specific audience
+   */
+  TENANT_MEMBER_SK_PREFIX: (audience) => `${PkPrefix.AUDIENCE}${audience}${DELIMITER}`,
+  // ============================================
+  // SESSION
+  // ============================================
+  /**
+   * Session PK (New session-centric design)
+   * Pattern: SES#{sessionId}
+   * Example: SES#01HQZX8V9ABCDEFGHIJK
+   */
+  SESSION_PK: (sessionId) => `${PkPrefix.SESSION}${sessionId}`,
+  /**
+   * Session Metadata SK
+   * Pattern: MD
+   * Stores: userId, tokenId, tenantId, audience, permMask, roleIds,
+   *         deviceLabel, country, city, createdAt, expiresAt, lastUsedAt,
+   *         revokedAt, metadata, TTL
+   * Note: sessionId extracted from PK
+   */
+  SESSION_METADATA_SK: () => SkPrefix.METADATA,
+  /**
+   * Session SK (alias for SESSION_METADATA_SK)
+   */
+  SESSION_SK: () => SkPrefix.METADATA,
+  /**
+   * Provider SK
+   * Pattern: PRV#{provider}#{externalId}
+   * Used for:
+   * - GSI_UserProviders sort key (userProviderSk)
+   * - DynamoDBProviderRegistryItem PK
+   */
+  PROVIDER_SK: (provider, externalId) => `${SkPrefix.PROVIDER}${provider}${DELIMITER}${externalId}`,
+  // ============================================
+  // PROVIDER (Provider-centric design)
+  // ============================================
+  /**
+   * Provider PK (Main table)
+   * Pattern: PRV#{provider}#{externalId}
+   * Example: PRV#google#123456789
+   * Used by: DynamoDBUserProviderItem (main table)
+   */
+  PROVIDER_PK: (provider, externalId) => `${PkPrefix.PROVIDER}${provider}${DELIMITER}${externalId}`,
+  /**
+   * Provider Metadata SK
+   * Pattern: MD
+   * Stores: userId, system, externalUsername, externalEmail, externalPhone,
+   *         externalName, externalAvatarUrl, accessToken, refreshToken,
+   *         tokenExpiresAt, createdAt, metadata
+   * Note: id generated at mapper layer from PK (base64url), NOT stored
+   * Note: provider and externalId extracted from PK
+   */
+  PROVIDER_METADATA_SK: () => SkPrefix.METADATA,
+  // ============================================
+  // CHALLENGE
+  // ============================================
+  /**
+   * Challenge PK
+   * Pattern: CHL#{challengeId}
+   * Example: CHL#abc123xyz
+   */
+  CHALLENGE_PK: (challengeId) => `${PkPrefix.CHALLENGE}${challengeId}`,
+  /**
+   * Challenge Metadata SK
+   * Pattern: MD
+   * Stores: userId, tenantId, audience, purpose, status, phase, allowedMethods,
+   *         method, codeHash, attempts, maxAttempts, metadata, flowKey,
+   *         expiresAt, createdAt, TTL
+   * Note: challengeId extracted from PK
+   */
+  CHALLENGE_SK: () => SkPrefix.METADATA,
+  // ============================================
+  // IDENTITY
+  // ============================================
+  /**
+   * Identity PK
+   * Pattern: IDT#{type}#{value}
+   * Examples:
+   *   - IDT#email#user@example.com
+   *   - IDT#phone#+84987654321
+   *   - IDT#username#johndoe
+   *
+   * Purpose: Fast O(1) lookup by identity type and value
+   */
+  IDENTITY_PK: (type, value) => {
+    return `${PkPrefix.IDENTITY}${type}#${value}`;
+  },
+  /**
+   * Identity Metadata SK
+   * Pattern: MD
+   * Stores: userId, loginEnabled, verifiedAt, guards, createdAt, updatedAt
+   * Note: type and value extracted from PK
+   */
+  IDENTITY_SK: () => SkPrefix.METADATA,
+  // ============================================
+  // CREDENTIAL
+  // ============================================
+  /**
+   * Credential PK
+   * Pattern: CRD#{credentialId}
+   * Example: CRD#cred_01JCQR8XMZP2KGH7NWV8F9E3TS
+   */
+  CREDENTIAL_PK: (credentialId) => `${PkPrefix.CREDENTIAL}${credentialId}`,
+  /**
+   * Credential Metadata SK
+   * Pattern: MD
+   * Stores: userId, value, metadata, isActive, createdAt, updatedAt, lastUsedAt
+   * Note: credentialId and type extracted from PK and GSI SK
+   */
+  CREDENTIAL_SK: () => SkPrefix.METADATA,
+  /**
+   * Credential Type Prefix (for GSI query)
+   * Pattern: CRD#{type}#
+   * Used to query credentials by type with begins_with
+   */
+  CREDENTIAL_TYPE_PREFIX: (type) => `${PkPrefix.CREDENTIAL}${type}#`,
+  /**
+   * Credential User GSI SK
+   * Pattern: CRD#{type}#{credentialId}
+   * Example: CRD#password#cred_01JCQR8XMZP2KGH7NWV8F9E3TS
+   * Allows querying credentials by user and filtering by type
+   */
+  CREDENTIAL_USER_SK: (type, credentialId) => `${PkPrefix.CREDENTIAL}${type}#${credentialId}`,
+  // ============================================
+  // IDENTITY
+  // ============================================
+  /**
+   * User Index GSI PK (for Identity)
+   * Pattern: USR#{userId}
+   * Example: USR#01JCQR8XMZP2KGH7NWV8F9E3TS
+   *
+   * Purpose: Query all identities for a specific user
+   */
+  USER_INDEX_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * User Index GSI SK (for Identity)
+   * Pattern: IDT#{type}#{value}
+   * Examples:
+   *   - IDT#email#user@example.com
+   *   - IDT#phone#+84987654321
+   *
+   * Purpose: Sort identities by type and extract type/value without additional attributes
+   */
+  USER_INDEX_SK: (type, value) => {
+    return `${PkPrefix.IDENTITY}${type}#${value}`;
+  }
+};
+var KeyExtractor = {
+  // ============================================
+  // PK Extractors
+  // ============================================
+  /**
+   * Extract userId from User PK
+   * Pattern: USR#{userId} -> userId
+   */
+  userId: (pk) => pk.slice(PkPrefix.USER.length),
+  /**
+   * Extract sessionId from Session PK
+   * Pattern: SES#{sessionId} -> sessionId
+   */
+  sessionId: (pk) => pk.slice(PkPrefix.SESSION.length),
+  /**
+   * Extract provider and externalId from Provider PK
+   * Pattern: PRV#{provider}#{externalId} -> { provider, externalId }
+   * Example: PRV#google#123456789 -> { provider: 'google', externalId: '123456789' }
+   */
+  providerPKInfo: (pk) => {
+    const remainder = pk.slice(PkPrefix.PROVIDER.length);
+    const delimiterIndex = remainder.indexOf("#");
+    if (delimiterIndex === -1) return null;
+    const provider = remainder.slice(0, delimiterIndex);
+    const externalId = remainder.slice(delimiterIndex + 1);
+    return { provider, externalId };
+  },
+  // ============================================
+  // SK Extractors
+  // ============================================
+  /**
+   * Extract provider and externalId from Provider SK
+   * Pattern: PRV#{provider}#{externalId} -> { provider, externalId }
+   */
+  providerInfo: (sk) => {
+    const remainder = sk.slice(SkPrefix.PROVIDER.length);
+    const delimiterIndex = remainder.indexOf(DELIMITER);
+    if (delimiterIndex === -1) return null;
+    const provider = remainder.slice(0, delimiterIndex);
+    const externalId = remainder.slice(delimiterIndex + 1);
+    return { provider, externalId };
+  },
+  /**
+   * Extract method and optional id from MFA SK
+   * Pattern: MFA#{method} or MFA#{method}#{id} -> { method, id? }
+   * Example: MFA#totp -> { method: 'totp' }
+   * Example: MFA#webauthn#key_abc -> { method: 'webauthn', id: 'key_abc' }
+   */
+  mfaSKInfo: (sk) => {
+    const remainder = sk.slice(SkPrefix.MFA.length);
+    const delimiterIndex = remainder.indexOf(DELIMITER);
+    if (delimiterIndex === -1) {
+      return { method: remainder };
+    }
+    const method = remainder.slice(0, delimiterIndex);
+    const id = remainder.slice(delimiterIndex + 1);
+    return { method, id };
+  },
+  // ============================================
+  // Tenant Extractors (SCHEMA_V4)
+  // ============================================
+  /**
+   * Extract tenantId from TenantMember PK
+   * Pattern: TNT#{tenantId} -> tenantId
+   * Example: TNT#org-abc -> org-abc
+   */
+  tenantId: (pk) => pk.slice(PkPrefix.TENANT.length),
+  /**
+   * Extract audience and userId from TenantMember SK
+   * Pattern: AUD#{audience}#USR#{userId} -> { audience, userId }
+   * Example: AUD#admin#USR#01HQZX8V9ABCDEFGHIJK -> { audience: 'admin', userId: '01HQZX8V9ABCDEFGHIJK' }
+   */
+  tenantMemberSKInfo: (sk) => {
+    const audPrefix = PkPrefix.AUDIENCE;
+    const usrPrefix = PkPrefix.USER;
+    if (!sk.startsWith(audPrefix)) return null;
+    const remainder = sk.slice(audPrefix.length);
+    const usrIndex = remainder.indexOf(DELIMITER + usrPrefix);
+    if (usrIndex === -1) return null;
+    const audience = remainder.slice(0, usrIndex);
+    const userId = remainder.slice(usrIndex + 1 + usrPrefix.length);
+    return { audience, userId };
+  },
+  /**
+   * Extract challengeId from Challenge PK
+   * Pattern: CHL#{challengeId} -> challengeId
+   * Example: CHL#abc123xyz -> abc123xyz
+   */
+  challengeIdFromPK: (pk) => pk.slice(PkPrefix.CHALLENGE.length),
+  /**
+   * Extract type and value from Identity PK
+   * Pattern: IDT#{type}#{value} -> { type, value }
+   * Example: IDT#email#user@example.com -> { type: 'email', value: 'user@example.com' }
+   */
+  identityPKInfo: (pk) => {
+    const remainder = pk.slice(PkPrefix.IDENTITY.length);
+    const delimiterIndex = remainder.indexOf("#");
+    if (delimiterIndex === -1) return null;
+    const type = remainder.slice(0, delimiterIndex);
+    const value = remainder.slice(delimiterIndex + 1);
+    return { type, value };
+  },
+  /**
+   * Extract credentialId from Credential PK
+   * Pattern: CRD#{credentialId} -> credentialId
+   * Example: CRD#cred_01JCQR8XMZP2KGH7NWV8F9E3TS -> cred_01JCQR8XMZP2KGH7NWV8F9E3TS
+   */
+  credentialId: (pk) => pk.slice(PkPrefix.CREDENTIAL.length),
+  /**
+   * Extract type from Credential User GSI SK
+   * Pattern: CRD#{type}#{credentialId} -> type
+   * Example: CRD#password#cred_abc -> password
+   */
+  credentialTypeFromUserSK: (sk) => {
+    const remainder = sk.slice(PkPrefix.CREDENTIAL.length);
+    const delimiterIndex = remainder.indexOf("#");
+    if (delimiterIndex === -1) return "";
+    return remainder.slice(0, delimiterIndex);
+  },
+  /**
+   * Extract type and value from User Index SK (GSI)
+   * Pattern: IDT#{type}#{value} -> { type, value }
+   * Example: IDT#email#user@example.com -> { type: 'email', value: 'user@example.com' }
+   */
+  userIndexSKInfo: (sk) => {
+    const remainder = sk.slice(PkPrefix.IDENTITY.length);
+    const delimiterIndex = remainder.indexOf("#");
+    if (delimiterIndex === -1) return null;
+    const type = remainder.slice(0, delimiterIndex);
+    const value = remainder.slice(delimiterIndex + 1);
+    return { type, value };
+  }
+};
+var GSIKeys = {
+  // ============================================
+  // GSI_ActiveSessions
+  // ============================================
+  /**
+   * Active Sessions GSI PK
+   * Pattern: USR#{userId} (user-partitioned for scalability)
+   * Used by: GSI_ActiveSessions
+   * NOTE: Changed from global 'ACTIVE' to user-partitioned to prevent hot partition
+   */
+  ACTIVE_SESSION_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * Active Sessions GSI SK
+   * Pattern: {createdAt}#{sessionId}
+   * Used by: GSI_ActiveSessions
+   */
+  ACTIVE_SESSION_SK: (createdAt, sessionId) => `${createdAt}${DELIMITER}${sessionId}`,
+  // ============================================
+  // GSI_UserSessions
+  // ============================================
+  /**
+   * User Sessions GSI PK
+   * Pattern: USR#{userId}
+   * Used by: GSI_UserSessions
+   */
+  USER_SESSION_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * User Sessions GSI SK
+   * Pattern: {createdAt}#{sessionId}
+   * Used by: GSI_UserSessions
+   */
+  USER_SESSION_SK: (createdAt, sessionId) => `${createdAt}${DELIMITER}${sessionId}`,
+  // ============================================
+  // GSI_UsersByStatus
+  // ============================================
+  /**
+   * Users By Status GSI PK
+   * Pattern: USR#ACTIVE or USR#INACTIVE (SCHEMA_V4)
+   * Used by: GSI_UsersByStatus
+   * Maps: active → ACTIVE, suspended/deleted → INACTIVE
+   */
+  USER_STATUS_PK: (status) => {
+    const statusGroup = status === USER_STATUS.ACTIVE ? "ACTIVE" : "INACTIVE";
+    return `${EntityPrefix.USER}${DELIMITER}${statusGroup}`;
+  },
+  /**
+   * Users By Status GSI SK
+   * Pattern: {userId}
+   * Used by: GSI_UsersByStatus
+   * Simple userId pattern to avoid needing createdAt for syncAuthStatus
+   */
+  USER_STATUS_SK: (userId) => userId,
+  // ============================================
+  // GSI_UserProviders
+  // ============================================
+  /**
+   * User Providers GSI PK
+   * Pattern: USR#{userId}
+   * Used by: GSI_UserProviders
+   */
+  USER_PROVIDER_PK: (userId) => `${PkPrefix.USER}${userId}`,
+  /**
+   * User Providers GSI SK
+   * Pattern: PRV#{provider}#{externalId}
+   * Used by: GSI_UserProviders
+   */
+  USER_PROVIDER_SK: (provider, externalId) => `${SkPrefix.PROVIDER}${provider}${DELIMITER}${externalId}`
+};
+var TableAttr = {
+  PK: "PK",
+  SK: "SK",
+  TTL: "TTL",
+  ACTIVE_SESSION_PK: "activeSessionPk",
+  // GSI partition key for active sessions
+  ACTIVE_SESSION_SK: "activeSessionSk",
+  // GSI sort key for active sessions (createdAt#sessionId)
+  USER_SESSION_PK: "userSessionPk",
+  // GSI partition key for user sessions (USR#{userId})
+  USER_SESSION_SK: "userSessionSk",
+  // GSI sort key for user sessions (createdAt#sessionId)
+  USER_STATUS_PK: "userStatusPk",
+  // GSI partition key for users by status
+  USER_STATUS_SK: "userStatusSk",
+  // GSI sort key for users by status (userId)
+  USER_PROVIDER_PK: "userProviderPk",
+  // GSI partition key for user providers (USR#{userId})
+  USER_PROVIDER_SK: "userProviderSk",
+  // GSI sort key for user providers (PRV#{provider}#{externalId})
+  // Challenge attributes
+  USER_ID: "userId",
+  TENANT_ID: "tenantId",
+  AUDIENCE: "audience",
+  PURPOSE: "purpose",
+  CHALLENGE_STATUS: "challengeStatus",
+  // Named challengeStatus to avoid DynamoDB reserved keyword 'status'
+  PHASE: "phase",
+  ALLOWED_METHODS: "allowedMethods",
+  METHOD: "method",
+  IDENTITY_TYPE: "identityType",
+  // For credential challenges
+  IDENTITY_VALUE: "identityValue",
+  // For credential challenges
+  CODE_HASH: "codeHash",
+  ATTEMPTS: "attempts",
+  MAX_ATTEMPTS: "maxAttempts",
+  METADATA: "metadata",
+  FLOW_KEY: "flowKey",
+  EXPIRES_AT: "expiresAt",
+  CREATED_AT: "createdAt",
+  // Session attributes
+  TOKEN_ID: "tokenId",
+  LAST_USED_AT: "lastUsedAt",
+  REVOKED_AT: "revokedAt",
+  PERM_MASK: "permMask",
+  ROLE_IDS: "roleIds",
+  DEVICE_LABEL: "deviceLabel",
+  COUNTRY: "country",
+  CITY: "city",
+  // Identity attributes
+  IDENTITY_USER_PK: "identityUserPk",
+  // GSI partition key for user identities (USR#{userId})
+  IDENTITY_USER_SK: "identityUserSk",
+  // GSI sort key for user identities (IDT#{type}#{value})
+  LOGIN_ENABLED: "loginEnabled",
+  VERIFIED_AT: "verifiedAt",
+  GUARDS: "guards",
+  UPDATED_AT: "updatedAt",
+  // Credential attributes
+  CREDENTIAL_USER_PK: "credentialUserPk",
+  // GSI partition key for user credentials (USR#{userId})
+  CREDENTIAL_USER_SK: "credentialUserSk",
+  // GSI sort key for user credentials (CRD#{type}#{credentialId})
+  CREDENTIAL_VALUE: "value"
+  // Credential value (password hash, etc.)
+  // Note: REVOKED_AT is shared with Session (defined above)
+};
+var GSIName = {
+  ACTIVE_SESSIONS: "GSI_ActiveSessions",
+  USER_SESSIONS: "GSI_UserSessions",
+  USERS_BY_STATUS: "GSI_UsersByStatus",
+  USER_PROVIDERS: "GSI_UserProviders",
+  USER_IDENTITIES: "GSI_UserIdentities",
+  // Query all identities for a user
+  USER_CREDENTIALS: "GSI_UserCredentials"
+  // Query all credentials for a user
+};
+function millisToDate(millis) {
+  return new Date(millis);
+}
+// src/dynamodb-tenant-member-repo.ts
 var DynamoDBTenantMemberRepository = class {
   constructor(client, tableName) {
     this.client = client;