@bajustone/fortress 1.0.0-rc.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +1011 -0
- package/LICENSE +21 -0
- package/README.md +760 -0
- package/SECURITY.md +197 -0
- package/bin/fortress.ts +667 -0
- package/dist/auth-service-BcyQ2PuZ.d.cts +307 -0
- package/dist/auth-service-BkzZkWfH.d.ts +307 -0
- package/dist/config-B2366s_G.d.ts +665 -0
- package/dist/config-GtlVt6ZD.d.cts +665 -0
- package/dist/convert-routes-BLCQT57f.d.ts +72 -0
- package/dist/convert-routes-BdMvP2_X.d.cts +72 -0
- package/dist/crypto.cjs +61 -0
- package/dist/crypto.d.cts +36 -0
- package/dist/crypto.d.ts +36 -0
- package/dist/crypto.js +35 -0
- package/dist/drift-BT1wtMDJ.d.cts +22 -0
- package/dist/drift-k9LiYpRP.d.ts +22 -0
- package/dist/drizzle/pg.cjs +481 -0
- package/dist/drizzle/pg.d.cts +15 -0
- package/dist/drizzle/pg.d.ts +15 -0
- package/dist/drizzle/pg.js +454 -0
- package/dist/drizzle.cjs +1442 -0
- package/dist/drizzle.d.cts +85 -0
- package/dist/drizzle.d.ts +85 -0
- package/dist/drizzle.js +1411 -0
- package/dist/express.cjs +1357 -0
- package/dist/express.d.cts +333 -0
- package/dist/express.d.ts +333 -0
- package/dist/express.js +1314 -0
- package/dist/fetcher.cjs +77 -0
- package/dist/fetcher.d.cts +7 -0
- package/dist/fetcher.d.ts +7 -0
- package/dist/fetcher.js +41 -0
- package/dist/fortress-BmSvFfqK.d.cts +1089 -0
- package/dist/fortress-uA-_cheR.d.ts +1089 -0
- package/dist/hono.cjs +1530 -0
- package/dist/hono.d.cts +514 -0
- package/dist/hono.d.ts +514 -0
- package/dist/hono.js +1483 -0
- package/dist/index-CxEkfCA0.d.cts +77 -0
- package/dist/index-CxEkfCA0.d.ts +77 -0
- package/dist/index-D054pcb-.d.cts +146 -0
- package/dist/index-jAMbbUAY.d.ts +146 -0
- package/dist/index.cjs +9046 -0
- package/dist/index.d.cts +717 -0
- package/dist/index.d.ts +717 -0
- package/dist/index.js +8935 -0
- package/dist/jwt.cjs +255 -0
- package/dist/jwt.d.cts +90 -0
- package/dist/jwt.d.ts +90 -0
- package/dist/jwt.js +227 -0
- package/dist/otel.cjs +108 -0
- package/dist/otel.d.cts +62 -0
- package/dist/otel.d.ts +62 -0
- package/dist/otel.js +73 -0
- package/dist/plugins/account-lockout.cjs +322 -0
- package/dist/plugins/account-lockout.d.cts +42 -0
- package/dist/plugins/account-lockout.d.ts +42 -0
- package/dist/plugins/account-lockout.js +295 -0
- package/dist/plugins/admin.cjs +2378 -0
- package/dist/plugins/admin.d.cts +72 -0
- package/dist/plugins/admin.d.ts +72 -0
- package/dist/plugins/admin.js +2351 -0
- package/dist/plugins/api-key.cjs +792 -0
- package/dist/plugins/api-key.d.cts +121 -0
- package/dist/plugins/api-key.d.ts +121 -0
- package/dist/plugins/api-key.js +765 -0
- package/dist/plugins/audit-log.cjs +493 -0
- package/dist/plugins/audit-log.d.cts +86 -0
- package/dist/plugins/audit-log.d.ts +86 -0
- package/dist/plugins/audit-log.js +468 -0
- package/dist/plugins/data-isolation.cjs +211 -0
- package/dist/plugins/data-isolation.d.cts +49 -0
- package/dist/plugins/data-isolation.d.ts +49 -0
- package/dist/plugins/data-isolation.js +186 -0
- package/dist/plugins/email-verification.cjs +273 -0
- package/dist/plugins/email-verification.d.cts +44 -0
- package/dist/plugins/email-verification.d.ts +44 -0
- package/dist/plugins/email-verification.js +246 -0
- package/dist/plugins/magic-link.cjs +231 -0
- package/dist/plugins/magic-link.d.cts +39 -0
- package/dist/plugins/magic-link.d.ts +39 -0
- package/dist/plugins/magic-link.js +204 -0
- package/dist/plugins/oauth.cjs +1696 -0
- package/dist/plugins/oauth.d.cts +406 -0
- package/dist/plugins/oauth.d.ts +406 -0
- package/dist/plugins/oauth.js +1669 -0
- package/dist/plugins/openapi.cjs +1185 -0
- package/dist/plugins/openapi.d.cts +6 -0
- package/dist/plugins/openapi.d.ts +6 -0
- package/dist/plugins/openapi.js +1158 -0
- package/dist/plugins/rate-limit/express.cjs +55 -0
- package/dist/plugins/rate-limit/express.d.cts +64 -0
- package/dist/plugins/rate-limit/express.d.ts +64 -0
- package/dist/plugins/rate-limit/express.js +30 -0
- package/dist/plugins/rate-limit/hono.cjs +51 -0
- package/dist/plugins/rate-limit/hono.d.cts +59 -0
- package/dist/plugins/rate-limit/hono.d.ts +59 -0
- package/dist/plugins/rate-limit/hono.js +26 -0
- package/dist/plugins/rate-limit/sveltekit.cjs +49 -0
- package/dist/plugins/rate-limit/sveltekit.d.cts +59 -0
- package/dist/plugins/rate-limit/sveltekit.d.ts +59 -0
- package/dist/plugins/rate-limit/sveltekit.js +24 -0
- package/dist/plugins/rate-limit.cjs +354 -0
- package/dist/plugins/rate-limit.d.cts +140 -0
- package/dist/plugins/rate-limit.d.ts +140 -0
- package/dist/plugins/rate-limit.js +325 -0
- package/dist/plugins/social-login.cjs +905 -0
- package/dist/plugins/social-login.d.cts +114 -0
- package/dist/plugins/social-login.d.ts +114 -0
- package/dist/plugins/social-login.js +880 -0
- package/dist/plugins/tenancy.cjs +780 -0
- package/dist/plugins/tenancy.d.cts +108 -0
- package/dist/plugins/tenancy.d.ts +108 -0
- package/dist/plugins/tenancy.js +753 -0
- package/dist/plugins/two-factor.cjs +555 -0
- package/dist/plugins/two-factor.d.cts +67 -0
- package/dist/plugins/two-factor.d.ts +67 -0
- package/dist/plugins/two-factor.js +526 -0
- package/dist/plugins/webauthn.cjs +786 -0
- package/dist/plugins/webauthn.d.cts +72 -0
- package/dist/plugins/webauthn.d.ts +72 -0
- package/dist/plugins/webauthn.js +766 -0
- package/dist/plugins/webhook.cjs +819 -0
- package/dist/plugins/webhook.d.cts +254 -0
- package/dist/plugins/webhook.d.ts +254 -0
- package/dist/plugins/webhook.js +789 -0
- package/dist/protect-D1v_0upK.d.cts +123 -0
- package/dist/protect-DsxV_-dJ.d.ts +123 -0
- package/dist/sveltekit.cjs +1258 -0
- package/dist/sveltekit.d.cts +420 -0
- package/dist/sveltekit.d.ts +420 -0
- package/dist/sveltekit.js +1207 -0
- package/dist/testing.cjs +4294 -0
- package/dist/testing.d.cts +197 -0
- package/dist/testing.d.ts +197 -0
- package/dist/testing.js +4264 -0
- package/dist/types-et0R8tsC.d.cts +217 -0
- package/dist/types-et0R8tsC.d.ts +217 -0
- package/docs/adapter-typed-helpers.md +192 -0
- package/docs/admin-recipes.md +227 -0
- package/docs/architecture.md +434 -0
- package/docs/ci/github-actions.yml +59 -0
- package/docs/ci.md +109 -0
- package/docs/compatibility.md +115 -0
- package/docs/deployment.md +305 -0
- package/docs/hardening.md +118 -0
- package/docs/host-owned-routes.md +154 -0
- package/docs/migrations/0001-schema-version.md +54 -0
- package/docs/migrations/0002-initial-schema.md +84 -0
- package/docs/migrations/upgrade-guide.md +160 -0
- package/docs/observability.md +394 -0
- package/docs/plugins/account-lockout.md +131 -0
- package/docs/plugins/admin.md +402 -0
- package/docs/plugins/api-key.md +327 -0
- package/docs/plugins/audit-log.md +261 -0
- package/docs/plugins/data-isolation.md +186 -0
- package/docs/plugins/email-verification.md +121 -0
- package/docs/plugins/magic-link.md +123 -0
- package/docs/plugins/oauth.md +544 -0
- package/docs/plugins/openapi.md +250 -0
- package/docs/plugins/rate-limit.md +223 -0
- package/docs/plugins/social-login.md +337 -0
- package/docs/plugins/tenancy.md +122 -0
- package/docs/plugins/two-factor.md +191 -0
- package/docs/plugins/webauthn.md +188 -0
- package/docs/plugins/webhook.md +242 -0
- package/docs/policy-as-code.md +156 -0
- package/docs/route-manifest.md +46 -0
- package/docs/security.md +261 -0
- package/docs/threat-model.md +161 -0
- package/examples/README.md +119 -0
- package/examples/express-app/index.ts +747 -0
- package/examples/hono-app/docker-compose.yml +14 -0
- package/examples/hono-app/index.ts +1009 -0
- package/examples/policy/fortress.policy.json +47 -0
- package/examples/sveltekit-app/README.md +125 -0
- package/examples/sveltekit-app/src/app.d.ts +16 -0
- package/examples/sveltekit-app/src/hooks.server.ts +23 -0
- package/examples/sveltekit-app/src/lib/server/fortress.ts +81 -0
- package/examples/sveltekit-app/src/routes/api/echo/[id]/+server.ts +32 -0
- package/examples/sveltekit-app/src/routes/api/fortress/[...path]/+server.ts +15 -0
- package/examples/sveltekit-app/src/routes/dashboard/+page.server.ts +20 -0
- package/examples/sveltekit-app/src/routes/login/+page.server.ts +48 -0
- package/examples/sveltekit-app/src/routes/oauth/consent/+page.server.ts +69 -0
- package/examples/sveltekit-app/src/routes/oauth/consent/+page.svelte +83 -0
- package/migrations/pg/0001_schema_version.down.sql +2 -0
- package/migrations/pg/0001_schema_version.sql +8 -0
- package/migrations/pg/0002_initial_schema.down.sql +36 -0
- package/migrations/pg/0002_initial_schema.sql +376 -0
- package/migrations/pg/0003_auth_continuation.down.sql +6 -0
- package/migrations/pg/0003_auth_continuation.sql +30 -0
- package/migrations/pg/0004_tenant_default_unique.down.sql +1 -0
- package/migrations/pg/0004_tenant_default_unique.sql +14 -0
- package/migrations/pg/0005_hot_indexes_timestamptz.down.sql +71 -0
- package/migrations/pg/0005_hot_indexes_timestamptz.sql +71 -0
- package/migrations/pg/0006_canonical_email.down.sql +3 -0
- package/migrations/pg/0006_canonical_email.sql +8 -0
- package/migrations/pg/0007_audit_chain_anchor.down.sql +1 -0
- package/migrations/pg/0007_audit_chain_anchor.sql +8 -0
- package/migrations/pg/0008_two_factor_hardening.down.sql +8 -0
- package/migrations/pg/0008_two_factor_hardening.sql +8 -0
- package/migrations/pg/0009_encrypt_totp_secrets.down.sql +2 -0
- package/migrations/pg/0009_encrypt_totp_secrets.sql +5 -0
- package/migrations/pg/0010_bigint_append_only_ids.down.sql +2 -0
- package/migrations/pg/0010_bigint_append_only_ids.sql +23 -0
- package/migrations/sqlite/0001_schema_version.down.sql +2 -0
- package/migrations/sqlite/0001_schema_version.sql +8 -0
- package/migrations/sqlite/0002_initial_schema.down.sql +36 -0
- package/migrations/sqlite/0002_initial_schema.sql +376 -0
- package/migrations/sqlite/0003_auth_continuation.down.sql +27 -0
- package/migrations/sqlite/0003_auth_continuation.sql +45 -0
- package/migrations/sqlite/0004_tenant_default_unique.down.sql +1 -0
- package/migrations/sqlite/0004_tenant_default_unique.sql +13 -0
- package/migrations/sqlite/0005_hot_indexes_timestamptz.down.sql +10 -0
- package/migrations/sqlite/0005_hot_indexes_timestamptz.sql +10 -0
- package/migrations/sqlite/0006_canonical_email.down.sql +3 -0
- package/migrations/sqlite/0006_canonical_email.sql +8 -0
- package/migrations/sqlite/0007_audit_chain_anchor.down.sql +1 -0
- package/migrations/sqlite/0007_audit_chain_anchor.sql +8 -0
- package/migrations/sqlite/0008_two_factor_hardening.down.sql +14 -0
- package/migrations/sqlite/0008_two_factor_hardening.sql +7 -0
- package/migrations/sqlite/0009_encrypt_totp_secrets.down.sql +2 -0
- package/migrations/sqlite/0009_encrypt_totp_secrets.sql +5 -0
- package/migrations/sqlite/0010_bigint_append_only_ids.down.sql +1 -0
- package/migrations/sqlite/0010_bigint_append_only_ids.sql +2 -0
- package/package.json +398 -0
- package/src/adapters/database/index.ts +63 -0
- package/src/adapters/database/types.ts +22 -0
- package/src/changelog-script.test.ts +21 -0
- package/src/cli.test.ts +79 -0
- package/src/core/auth/auth-admin.test.ts +247 -0
- package/src/core/auth/auth-endpoints.ts +558 -0
- package/src/core/auth/auth-observer.test.ts +191 -0
- package/src/core/auth/auth-service.ts +1464 -0
- package/src/core/auth/email.test.ts +17 -0
- package/src/core/auth/email.ts +11 -0
- package/src/core/auth/hooks.test.ts +251 -0
- package/src/core/auth/impersonation.test.ts +179 -0
- package/src/core/auth/jwt.test.ts +184 -0
- package/src/core/auth/jwt.ts +239 -0
- package/src/core/auth/login-timing.test.ts +77 -0
- package/src/core/auth/password-policy.test.ts +253 -0
- package/src/core/auth/password-policy.ts +220 -0
- package/src/core/auth/password.test.ts +42 -0
- package/src/core/auth/password.ts +62 -0
- package/src/core/auth/post-auth-gate.test.ts +258 -0
- package/src/core/auth/post-auth-gate.ts +228 -0
- package/src/core/auth/refresh-token.test.ts +86 -0
- package/src/core/auth/refresh-token.ts +105 -0
- package/src/core/auth/timing-safe.ts +23 -0
- package/src/core/config.ts +212 -0
- package/src/core/endpoint.ts +149 -0
- package/src/core/errors.ts +199 -0
- package/src/core/fetcher-interop.test.ts +106 -0
- package/src/core/fortress.test.ts +354 -0
- package/src/core/fortress.ts +550 -0
- package/src/core/http/call.test.ts +148 -0
- package/src/core/http/call.ts +149 -0
- package/src/core/http/cookie-serialize.test.ts +198 -0
- package/src/core/http/cookie-serialize.ts +107 -0
- package/src/core/http/csrf.test.ts +140 -0
- package/src/core/http/csrf.ts +173 -0
- package/src/core/http/dispatch.ts +652 -0
- package/src/core/http/error-response.test.ts +69 -0
- package/src/core/http/error-response.ts +93 -0
- package/src/core/http/fortress-rbac.test.ts +43 -0
- package/src/core/http/fortress-rbac.ts +127 -0
- package/src/core/http/handle-request.test.ts +441 -0
- package/src/core/http/handle-request.ts +354 -0
- package/src/core/http/match.test.ts +122 -0
- package/src/core/http/match.ts +126 -0
- package/src/core/http/outbound.test.ts +34 -0
- package/src/core/http/outbound.ts +105 -0
- package/src/core/http/plugin-middleware.ts +67 -0
- package/src/core/http/principal.test.ts +345 -0
- package/src/core/http/principal.ts +86 -0
- package/src/core/http/protect.test.ts +220 -0
- package/src/core/http/protect.ts +394 -0
- package/src/core/http/token-extraction.test.ts +59 -0
- package/src/core/http/token-extraction.ts +53 -0
- package/src/core/iam/explain.test.ts +177 -0
- package/src/core/iam/explain.ts +302 -0
- package/src/core/iam/iam-endpoints.ts +779 -0
- package/src/core/iam/iam-service.test.ts +829 -0
- package/src/core/iam/iam-service.ts +1137 -0
- package/src/core/iam/permission-cache.test.ts +115 -0
- package/src/core/iam/permission-cache.ts +71 -0
- package/src/core/iam/permission-check-observer.test.ts +90 -0
- package/src/core/iam/permission-evaluator.test.ts +291 -0
- package/src/core/iam/permission-evaluator.ts +198 -0
- package/src/core/iam/permission-sync.test.ts +166 -0
- package/src/core/iam/permission-sync.ts +192 -0
- package/src/core/iam/resource-sync.test.ts +70 -0
- package/src/core/iam/resource-sync.ts +182 -0
- package/src/core/iam/service-account-http.test.ts +529 -0
- package/src/core/iam/service-account.test.ts +282 -0
- package/src/core/internal-adapter.test.ts +389 -0
- package/src/core/internal-adapter.ts +435 -0
- package/src/core/json-schema.ts +50 -0
- package/src/core/manifest/__snapshots__/route-manifest.test.ts.snap +192 -0
- package/src/core/manifest/drift.ts +103 -0
- package/src/core/manifest/route-manifest.test.ts +142 -0
- package/src/core/manifest/route-manifest.ts +154 -0
- package/src/core/migrate.test.ts +72 -0
- package/src/core/migrations/engine.test.ts +308 -0
- package/src/core/migrations/engine.ts +548 -0
- package/src/core/migrations/migrations.ts +1771 -0
- package/src/core/migrations/pg-migration.integration-test.ts +353 -0
- package/src/core/migrations/upgrade-fixture.test.ts +378 -0
- package/src/core/observability/db-instrumentation.ts +205 -0
- package/src/core/observability/listener-list.test.ts +124 -0
- package/src/core/observability/listener-list.ts +73 -0
- package/src/core/observability/logger.test.ts +43 -0
- package/src/core/observability/logger.ts +49 -0
- package/src/core/observability/spans.test.ts +193 -0
- package/src/core/observability/types.ts +80 -0
- package/src/core/openapi-drift.test.ts +41 -0
- package/src/core/openapi.ts +47 -0
- package/src/core/plugin-methods-map.ts +75 -0
- package/src/core/plugin-runner.test.ts +233 -0
- package/src/core/plugin-runner.ts +276 -0
- package/src/core/plugin.ts +210 -0
- package/src/core/policy/apply.ts +272 -0
- package/src/core/policy/diff.ts +288 -0
- package/src/core/policy/loader.test.ts +63 -0
- package/src/core/policy/loader.ts +214 -0
- package/src/core/policy/policy.test.ts +232 -0
- package/src/core/policy/types.ts +105 -0
- package/src/core/schema-builder.test.ts +660 -0
- package/src/core/schema-builder.ts +881 -0
- package/src/core/standard-schema.ts +56 -0
- package/src/core/types.ts +258 -0
- package/src/core/validation.test.ts +195 -0
- package/src/core/validation.ts +192 -0
- package/src/drizzle/adapter.test.ts +425 -0
- package/src/drizzle/adapter.ts +474 -0
- package/src/drizzle/index.ts +31 -0
- package/src/drizzle/pg/adapter.integration-test.ts +456 -0
- package/src/drizzle/pg/index.ts +13 -0
- package/src/drizzle/pg/pg.integration-test.ts +1539 -0
- package/src/drizzle/pg/schema.ts +539 -0
- package/src/drizzle/pg-error-map.test.ts +218 -0
- package/src/drizzle/pg-error-map.ts +151 -0
- package/src/drizzle/schema.ts +544 -0
- package/src/drizzle/sqlite-serialization.test.ts +106 -0
- package/src/express/express-api-key-user-routes.test.ts +241 -0
- package/src/express/express.test.ts +442 -0
- package/src/express/handle.ts +191 -0
- package/src/express/index.ts +62 -0
- package/src/express/middleware.ts +551 -0
- package/src/express/protect.ts +154 -0
- package/src/express/validated.test.ts +86 -0
- package/src/express/validated.ts +99 -0
- package/src/fetcher/index.ts +81 -0
- package/src/hono/convert-routes.test.ts +220 -0
- package/src/hono/convert-routes.ts +196 -0
- package/src/hono/converters.test.ts +50 -0
- package/src/hono/converters.ts +43 -0
- package/src/hono/handle.ts +79 -0
- package/src/hono/helpers.ts +2 -0
- package/src/hono/hono-api-key-user-routes.test.ts +225 -0
- package/src/hono/hono-handlers.test.ts +861 -0
- package/src/hono/hono.test.ts +454 -0
- package/src/hono/index.ts +101 -0
- package/src/hono/middleware/auth.ts +236 -0
- package/src/hono/middleware/auth.types.test.ts +94 -0
- package/src/hono/middleware/csrf.test.ts +127 -0
- package/src/hono/middleware/csrf.ts +68 -0
- package/src/hono/middleware/error-handler.ts +12 -0
- package/src/hono/middleware/plugin-middleware.ts +35 -0
- package/src/hono/middleware/rbac.ts +131 -0
- package/src/hono/middleware/security-headers.test.ts +88 -0
- package/src/hono/middleware/security-headers.ts +68 -0
- package/src/hono/openapi.ts +237 -0
- package/src/hono/protect.ts +87 -0
- package/src/hono/validated.test.ts +123 -0
- package/src/hono/validated.ts +62 -0
- package/src/index.ts +309 -0
- package/src/integration.test.ts +718 -0
- package/src/internal/changelog.ts +56 -0
- package/src/otel/index.ts +158 -0
- package/src/otel/otel-types.test.ts +35 -0
- package/src/otel/otel.test.ts +235 -0
- package/src/plugins/account-lockout/account-lockout.test.ts +367 -0
- package/src/plugins/account-lockout/index.ts +267 -0
- package/src/plugins/admin/admin-api-key.test.ts +438 -0
- package/src/plugins/admin/index.ts +1612 -0
- package/src/plugins/api-key/api-key.test.ts +684 -0
- package/src/plugins/api-key/core.ts +336 -0
- package/src/plugins/api-key/index.ts +315 -0
- package/src/plugins/audit-log/audit-log.test.ts +749 -0
- package/src/plugins/audit-log/index.ts +680 -0
- package/src/plugins/data-isolation/data-isolation.test.ts +197 -0
- package/src/plugins/data-isolation/index.ts +157 -0
- package/src/plugins/email-verification/email-verification.test.ts +199 -0
- package/src/plugins/email-verification/index.ts +190 -0
- package/src/plugins/magic-link/index.ts +129 -0
- package/src/plugins/magic-link/magic-link.test.ts +156 -0
- package/src/plugins/oauth/id-token.ts +86 -0
- package/src/plugins/oauth/index.ts +2145 -0
- package/src/plugins/oauth/jwks.test.ts +32 -0
- package/src/plugins/oauth/jwks.ts +182 -0
- package/src/plugins/oauth/oauth.test.ts +2220 -0
- package/src/plugins/oauth/pkce.ts +58 -0
- package/src/plugins/openapi/index.ts +298 -0
- package/src/plugins/openapi/openapi.test.ts +425 -0
- package/src/plugins/openapi/spec-builder.ts +287 -0
- package/src/plugins/rate-limit/express.test.ts +89 -0
- package/src/plugins/rate-limit/express.ts +86 -0
- package/src/plugins/rate-limit/hono.test.ts +60 -0
- package/src/plugins/rate-limit/hono.ts +74 -0
- package/src/plugins/rate-limit/index.ts +383 -0
- package/src/plugins/rate-limit/memory-store.ts +61 -0
- package/src/plugins/rate-limit/rate-limit.test.ts +756 -0
- package/src/plugins/rate-limit/sveltekit.test.ts +58 -0
- package/src/plugins/rate-limit/sveltekit.ts +66 -0
- package/src/plugins/social-login/index.ts +715 -0
- package/src/plugins/social-login/providers/apple.ts +34 -0
- package/src/plugins/social-login/providers/discord.ts +26 -0
- package/src/plugins/social-login/providers/github.ts +54 -0
- package/src/plugins/social-login/providers/google.ts +23 -0
- package/src/plugins/social-login/providers/index.ts +22 -0
- package/src/plugins/social-login/providers/microsoft.ts +35 -0
- package/src/plugins/social-login/providers/oidc.ts +37 -0
- package/src/plugins/social-login/providers/providers.test.ts +211 -0
- package/src/plugins/social-login/social-login.test.ts +675 -0
- package/src/plugins/social-login/types.ts +80 -0
- package/src/plugins/tenancy/index.ts +544 -0
- package/src/plugins/tenancy/tenancy.test.ts +323 -0
- package/src/plugins/two-factor/index.ts +569 -0
- package/src/plugins/two-factor/two-factor.test.ts +235 -0
- package/src/plugins/webauthn/index.ts +554 -0
- package/src/plugins/webauthn/webauthn.test.ts +472 -0
- package/src/plugins/webhook/builtin-events.ts +29 -0
- package/src/plugins/webhook/delivery.test.ts +51 -0
- package/src/plugins/webhook/delivery.ts +154 -0
- package/src/plugins/webhook/hooks.ts +89 -0
- package/src/plugins/webhook/index.ts +445 -0
- package/src/plugins/webhook/queue/database.ts +67 -0
- package/src/plugins/webhook/queue/in-memory.test.ts +48 -0
- package/src/plugins/webhook/queue/in-memory.ts +71 -0
- package/src/plugins/webhook/queue/types.ts +51 -0
- package/src/plugins/webhook/registry.test.ts +48 -0
- package/src/plugins/webhook/registry.ts +64 -0
- package/src/plugins/webhook/signing.ts +45 -0
- package/src/plugins/webhook/ssrf.ts +198 -0
- package/src/plugins/webhook/types.ts +138 -0
- package/src/plugins/webhook/webhook.test.ts +324 -0
- package/src/sveltekit/actions.ts +233 -0
- package/src/sveltekit/catch-all.ts +43 -0
- package/src/sveltekit/cookies.ts +136 -0
- package/src/sveltekit/handle.ts +356 -0
- package/src/sveltekit/helpers.ts +69 -0
- package/src/sveltekit/index.ts +74 -0
- package/src/sveltekit/protect.ts +80 -0
- package/src/sveltekit/sveltekit-types.test.ts +31 -0
- package/src/sveltekit/sveltekit.test.ts +799 -0
- package/src/sveltekit/types.ts +134 -0
- package/src/sveltekit/validated.test.ts +117 -0
- package/src/sveltekit/validated.ts +78 -0
- package/src/testing/adapter-conformance.test.ts +408 -0
- package/src/testing/checks.test.ts +124 -0
- package/src/testing/checks.ts +304 -0
- package/src/testing/index.ts +107 -0
|
@@ -0,0 +1,420 @@
|
|
|
1
|
+
import { RequestEvent, Handle, ActionFailure } from '@sveltejs/kit';
|
|
2
|
+
import { F as Fortress, V as AuthCookiePayload } from './fortress-BmSvFfqK.cjs';
|
|
3
|
+
import { S as Subject, T as TokenClaims, m as AuthChallenge } from './types-et0R8tsC.cjs';
|
|
4
|
+
import { D as DatabaseAdapter } from './index-CxEkfCA0.cjs';
|
|
5
|
+
import { E as EndpointDefinition, S as StandardSchemaV1 } from './config-GtlVt6ZD.cjs';
|
|
6
|
+
import { P as ProtectedRouteContext, a as ProtectOptions } from './protect-D1v_0upK.cjs';
|
|
7
|
+
export { b as ProtectedRouteTarget } from './protect-D1v_0upK.cjs';
|
|
8
|
+
import './index-D054pcb-.cjs';
|
|
9
|
+
import './auth-service-BcyQ2PuZ.cjs';
|
|
10
|
+
import './plugins/api-key.cjs';
|
|
11
|
+
import './jwt.cjs';
|
|
12
|
+
import './plugins/audit-log.cjs';
|
|
13
|
+
import './plugins/data-isolation.cjs';
|
|
14
|
+
import './plugins/email-verification.cjs';
|
|
15
|
+
import './plugins/magic-link.cjs';
|
|
16
|
+
import './plugins/oauth.cjs';
|
|
17
|
+
import './plugins/social-login.cjs';
|
|
18
|
+
import './plugins/tenancy.cjs';
|
|
19
|
+
import './plugins/two-factor.cjs';
|
|
20
|
+
import './plugins/webauthn.cjs';
|
|
21
|
+
import '@simplewebauthn/server';
|
|
22
|
+
|
|
23
|
+
/**
|
|
24
|
+
* SvelteKit adapter types. Public handle/action signatures are anchored to
|
|
25
|
+
* the real optional `@sveltejs/kit` peer so strict-mode consumers can assign
|
|
26
|
+
* them without casts. Small request/cookie subsets remain for framework-free
|
|
27
|
+
* helpers and tests; every real RequestEvent structurally satisfies them.
|
|
28
|
+
*/
|
|
29
|
+
|
|
30
|
+
/** Cookie options accepted by SvelteKit's `event.cookies.set` / `delete`. */
|
|
31
|
+
interface SvelteKitCookieOptions {
|
|
32
|
+
path?: string;
|
|
33
|
+
domain?: string;
|
|
34
|
+
httpOnly?: boolean;
|
|
35
|
+
secure?: boolean;
|
|
36
|
+
sameSite?: 'lax' | 'strict' | 'none' | boolean;
|
|
37
|
+
maxAge?: number;
|
|
38
|
+
expires?: Date;
|
|
39
|
+
}
|
|
40
|
+
/** SvelteKit `Cookies` API surface used by the fortress adapter. */
|
|
41
|
+
interface SvelteKitCookies {
|
|
42
|
+
get: (name: string) => string | undefined;
|
|
43
|
+
set: (name: string, value: string, opts: SvelteKitCookieOptions & {
|
|
44
|
+
path: string;
|
|
45
|
+
}) => void;
|
|
46
|
+
delete: (name: string, opts: SvelteKitCookieOptions & {
|
|
47
|
+
path: string;
|
|
48
|
+
}) => void;
|
|
49
|
+
getAll?: () => {
|
|
50
|
+
name: string;
|
|
51
|
+
value: string;
|
|
52
|
+
}[];
|
|
53
|
+
}
|
|
54
|
+
/**
|
|
55
|
+
* Minimal `RequestEvent` shape consumed by the adapter. Compatible by
|
|
56
|
+
* structural typing with `@sveltejs/kit`'s real `RequestEvent`. The
|
|
57
|
+
* `locals.fortress` field comes from the consumer augmenting `App.Locals`
|
|
58
|
+
* with {@link FortressLocals}.
|
|
59
|
+
*
|
|
60
|
+
* `TLocals` is constrained to `object` (not `Record<string, unknown>`) so
|
|
61
|
+
* the {@link FortressLocals} interface — which only declares the
|
|
62
|
+
* `fortress` key without an index signature — satisfies it.
|
|
63
|
+
*/
|
|
64
|
+
interface SvelteKitRequestEvent<TLocals extends object = object> {
|
|
65
|
+
request: Request;
|
|
66
|
+
url: URL;
|
|
67
|
+
cookies: SvelteKitCookies;
|
|
68
|
+
locals: TLocals;
|
|
69
|
+
params: Record<string, string>;
|
|
70
|
+
setHeaders?: (headers: Record<string, string>) => void;
|
|
71
|
+
}
|
|
72
|
+
/** Exact SvelteKit `Handle` hook signature, including the resolve options overload. */
|
|
73
|
+
type SvelteKitHandle = Handle;
|
|
74
|
+
/** SvelteKit-compatible form action signature with a narrowed result type. */
|
|
75
|
+
type SvelteKitAction<TResult = unknown> = (event: RequestEvent) => Promise<TResult> | TResult;
|
|
76
|
+
/**
|
|
77
|
+
* Shape of `event.locals.fortress` after the fortress handle hook runs.
|
|
78
|
+
*
|
|
79
|
+
* Consumers augment SvelteKit's `App.Locals` with this interface so server
|
|
80
|
+
* load functions and `+server.ts` handlers can read the auth context with
|
|
81
|
+
* full type safety.
|
|
82
|
+
*
|
|
83
|
+
* @example
|
|
84
|
+
* ```ts
|
|
85
|
+
* // src/app.d.ts
|
|
86
|
+
* import type { FortressLocals } from '@bajustone/fortress/sveltekit';
|
|
87
|
+
*
|
|
88
|
+
* declare global {
|
|
89
|
+
* namespace App {
|
|
90
|
+
* interface Locals extends FortressLocals {}
|
|
91
|
+
* }
|
|
92
|
+
* }
|
|
93
|
+
* ```
|
|
94
|
+
*/
|
|
95
|
+
interface FortressLocals {
|
|
96
|
+
fortress: {
|
|
97
|
+
/**
|
|
98
|
+
* Resolved principal for the current request. Set for every
|
|
99
|
+
* authenticated request regardless of credential type (JWT, api-key,
|
|
100
|
+
* future OAuth client_credentials, mTLS). Check `subject.type` to
|
|
101
|
+
* distinguish `USER` / `SERVICE_ACCOUNT` / `GROUP`.
|
|
102
|
+
*/
|
|
103
|
+
subject?: Subject;
|
|
104
|
+
/**
|
|
105
|
+
* Convenience alias for `subject.id` — set **only** when
|
|
106
|
+
* `subject.type === 'USER'`. Non-USER principals (e.g. a service
|
|
107
|
+
* account via api-key) leave this undefined; fall back to `subject`.
|
|
108
|
+
*/
|
|
109
|
+
userId?: string;
|
|
110
|
+
/**
|
|
111
|
+
* Verified JWT claims, if the request was authenticated via a JWT.
|
|
112
|
+
* Plugin-resolved principals (api-key, etc.) do not populate this.
|
|
113
|
+
*/
|
|
114
|
+
claims?: TokenClaims;
|
|
115
|
+
/** Credential-level narrowing scopes (for example API-key scopes). */
|
|
116
|
+
scopes?: string[] | null;
|
|
117
|
+
/** Per-request DB adapter with plugin `wrapAdapter` chain applied. */
|
|
118
|
+
db?: DatabaseAdapter;
|
|
119
|
+
/** Lazily compute a model-scoped DB adapter (data-isolation aware). */
|
|
120
|
+
getScopedDb?: (model: string) => Promise<DatabaseAdapter>;
|
|
121
|
+
};
|
|
122
|
+
}
|
|
123
|
+
/** Options accepted by {@link createSvelteKitHandle}. */
|
|
124
|
+
interface SvelteKitAdapterOptions {
|
|
125
|
+
/**
|
|
126
|
+
* Path prefix the fortress routes live under (defaults to `/api`).
|
|
127
|
+
*
|
|
128
|
+
* Example: with `basePath: '/api'`, the request `/api/auth/login` is
|
|
129
|
+
* internally rewritten to `/auth/login` before being passed to
|
|
130
|
+
* `fortress.handleRequest`. Plugin and IAM routes follow the same prefix.
|
|
131
|
+
*/
|
|
132
|
+
basePath?: string;
|
|
133
|
+
/**
|
|
134
|
+
* Optional declarative route → `(resource, action)` map for user-owned
|
|
135
|
+
* routes. Used by the user-route RBAC pass to call
|
|
136
|
+
* `fortress.iam.checkPermission` for non-fortress paths. Format:
|
|
137
|
+
* `'GET /api/users': { resource: 'user', action: 'list' }`.
|
|
138
|
+
*/
|
|
139
|
+
routeMap?: Record<string, {
|
|
140
|
+
resource: string;
|
|
141
|
+
action: string;
|
|
142
|
+
}>;
|
|
143
|
+
/** Behavior for user-owned routes absent from routeMap (default: allow). */
|
|
144
|
+
unmappedRoutes?: 'allow' | 'deny';
|
|
145
|
+
/**
|
|
146
|
+
* Paths the user-route RBAC pass should skip entirely (supports `*`).
|
|
147
|
+
* Example: `['/api/health', '/api/public/*']`.
|
|
148
|
+
*/
|
|
149
|
+
skipPaths?: string[];
|
|
150
|
+
}
|
|
151
|
+
|
|
152
|
+
/**
|
|
153
|
+
* SvelteKit form-action helpers for the common auth flows.
|
|
154
|
+
*
|
|
155
|
+
* Use these in `+page.server.ts` to wire `<form method="POST">` to
|
|
156
|
+
* fortress's auth methods. They handle:
|
|
157
|
+
*
|
|
158
|
+
* - parsing form data
|
|
159
|
+
* - calling `fortress.auth.*`
|
|
160
|
+
* - setting cookies via `event.cookies.set` (so SvelteKit's `Set-Cookie`
|
|
161
|
+
* handling sees them, not just the browser)
|
|
162
|
+
* - returning `fail(...)` on `FortressError`
|
|
163
|
+
* - throwing a `redirect(...)` on success when `redirectTo` is supplied
|
|
164
|
+
*
|
|
165
|
+
* Redirects and failures use SvelteKit's real `redirect()` / `fail()`
|
|
166
|
+
* primitives, so the action runtime recognizes them without casts or
|
|
167
|
+
* raw-Response 500s.
|
|
168
|
+
*
|
|
169
|
+
* @example
|
|
170
|
+
* ```ts
|
|
171
|
+
* // src/routes/login/+page.server.ts
|
|
172
|
+
* import { fortressActions } from '@bajustone/fortress/sveltekit';
|
|
173
|
+
* import { fortress } from '$lib/server/fortress';
|
|
174
|
+
*
|
|
175
|
+
* export const actions = {
|
|
176
|
+
* default: fortressActions.login(fortress, { redirectTo: '/dashboard' }),
|
|
177
|
+
* };
|
|
178
|
+
* ```
|
|
179
|
+
*/
|
|
180
|
+
|
|
181
|
+
/** Shape returned by form-action helpers when something goes wrong. */
|
|
182
|
+
type FortressActionFailure = ActionFailure<{
|
|
183
|
+
error: string;
|
|
184
|
+
code?: string;
|
|
185
|
+
}>;
|
|
186
|
+
/** Discriminated result returned when no `redirectTo` is configured. */
|
|
187
|
+
type FortressActionSuccess = {
|
|
188
|
+
success: true;
|
|
189
|
+
pending: false;
|
|
190
|
+
} | {
|
|
191
|
+
success: true;
|
|
192
|
+
pending: true;
|
|
193
|
+
challenge: AuthChallenge;
|
|
194
|
+
};
|
|
195
|
+
/** Common options for the auth-issuing helpers. */
|
|
196
|
+
interface FortressActionOptions {
|
|
197
|
+
/**
|
|
198
|
+
* On success, throw a redirect to this path. SvelteKit's action runtime
|
|
199
|
+
* picks up the thrown 3xx and emits a normal HTTP redirect.
|
|
200
|
+
*/
|
|
201
|
+
redirectTo?: string;
|
|
202
|
+
}
|
|
203
|
+
/** Type of the {@link fortressActions} namespace — explicit so JSR's slow-type check is happy. */
|
|
204
|
+
interface FortressActions {
|
|
205
|
+
login: (fortress: Fortress<any, any>, opts?: FortressActionOptions) => SvelteKitAction<FortressActionFailure | FortressActionSuccess>;
|
|
206
|
+
register: (fortress: Fortress<any, any>, opts?: FortressActionOptions) => SvelteKitAction<FortressActionFailure | FortressActionSuccess>;
|
|
207
|
+
logout: (fortress: Fortress<any, any>, opts?: FortressActionOptions) => SvelteKitAction<FortressActionSuccess>;
|
|
208
|
+
refresh: (fortress: Fortress<any, any>) => SvelteKitAction<FortressActionFailure | FortressActionSuccess>;
|
|
209
|
+
}
|
|
210
|
+
/** Form-action helpers exported as a single namespace. */
|
|
211
|
+
declare const fortressActions: FortressActions;
|
|
212
|
+
|
|
213
|
+
/**
|
|
214
|
+
* Optional catch-all `+server.ts` escape hatch.
|
|
215
|
+
*
|
|
216
|
+
* Lets users colocate Fortress routes inside their normal `src/routes/`
|
|
217
|
+
* tree instead of (or in addition to) the handle-hook approach.
|
|
218
|
+
*
|
|
219
|
+
* @example
|
|
220
|
+
* ```ts
|
|
221
|
+
* // src/routes/api/fortress/[...path]/+server.ts
|
|
222
|
+
* import { toSvelteKitHandler } from '@bajustone/fortress/sveltekit';
|
|
223
|
+
* import { fortress } from '$lib/server/fortress';
|
|
224
|
+
*
|
|
225
|
+
* export const { GET, POST, PUT, DELETE, PATCH } = toSvelteKitHandler(fortress);
|
|
226
|
+
* ```
|
|
227
|
+
*/
|
|
228
|
+
|
|
229
|
+
/** Per-method handler signature compatible with SvelteKit `+server.ts` exports. */
|
|
230
|
+
type SvelteKitRouteHandler = (event: SvelteKitRequestEvent) => Promise<Response>;
|
|
231
|
+
/**
|
|
232
|
+
* Build a `{ GET, POST, PUT, DELETE, PATCH }` set of handlers that all
|
|
233
|
+
* delegate to `fortress.handleRequest`. Suitable for `export const { ... } =
|
|
234
|
+
* toSvelteKitHandler(fortress)` in a catch-all `+server.ts`.
|
|
235
|
+
*/
|
|
236
|
+
declare function toSvelteKitHandler(fortress: Fortress<any, any>): {
|
|
237
|
+
GET: SvelteKitRouteHandler;
|
|
238
|
+
POST: SvelteKitRouteHandler;
|
|
239
|
+
PUT: SvelteKitRouteHandler;
|
|
240
|
+
DELETE: SvelteKitRouteHandler;
|
|
241
|
+
PATCH: SvelteKitRouteHandler;
|
|
242
|
+
};
|
|
243
|
+
|
|
244
|
+
/**
|
|
245
|
+
* SvelteKit cookie bridging.
|
|
246
|
+
*
|
|
247
|
+
* Translates between fortress's auth result objects and SvelteKit's
|
|
248
|
+
* `event.cookies` API. Cookie attributes (name, secure, sameSite, path,
|
|
249
|
+
* domain) come from the resolved {@link ResolvedCookieConfig} on the
|
|
250
|
+
* Fortress instance, so SvelteKit, Hono, and Express all emit cookies with
|
|
251
|
+
* the same shape.
|
|
252
|
+
*/
|
|
253
|
+
|
|
254
|
+
/**
|
|
255
|
+
* Set the access + refresh cookies on a SvelteKit `RequestEvent` from a
|
|
256
|
+
* fortress auth result. Used by the form-action helpers and the auto-refresh
|
|
257
|
+
* path inside `createSvelteKitHandle`.
|
|
258
|
+
*/
|
|
259
|
+
declare function setAuthCookies(event: SvelteKitRequestEvent, fortress: Fortress<any, any>, payload: AuthCookiePayload): void;
|
|
260
|
+
/** Clear both fortress auth cookies (logout). */
|
|
261
|
+
declare function clearAuthCookies(event: SvelteKitRequestEvent, fortress: Fortress<any, any>): void;
|
|
262
|
+
/**
|
|
263
|
+
* Replay any `Set-Cookie` headers from a `Response` (typically returned by
|
|
264
|
+
* `fortress.handleRequest`) through `event.cookies.set` so they're visible
|
|
265
|
+
* to subsequent same-request reads. Returns the original response unchanged
|
|
266
|
+
* — the cookies are already on it; this just mirrors them into SvelteKit's
|
|
267
|
+
* cookie jar for in-request use.
|
|
268
|
+
*/
|
|
269
|
+
declare function replayCookies(response: Response, event: SvelteKitRequestEvent): void;
|
|
270
|
+
|
|
271
|
+
/**
|
|
272
|
+
* `createSvelteKitHandle(fortress, options)` — primary entrypoint for the
|
|
273
|
+
* SvelteKit adapter.
|
|
274
|
+
*
|
|
275
|
+
* Returns a SvelteKit `Handle` hook that:
|
|
276
|
+
*
|
|
277
|
+
* 1. Short-circuits during `vite build` prerender (caller passes
|
|
278
|
+
* `building` to opt out).
|
|
279
|
+
* 2. Intercepts Fortress-managed paths (`/auth/*`, `/iam/*`, plugin paths)
|
|
280
|
+
* by calling `fortress.handleRequest(event.request)` and returning the
|
|
281
|
+
* `Response` directly. This bypasses SvelteKit's built-in CSRF check
|
|
282
|
+
* (which only runs inside `resolve(event)`), but `handleRequest` runs
|
|
283
|
+
* Fortress's own pipeline CSRF check (H5) in its place.
|
|
284
|
+
* 3. For user routes, runs plugin `before-auth` middleware, extracts the
|
|
285
|
+
* access token (cookie-first, Bearer fallback), verifies it,
|
|
286
|
+
* auto-refreshes when expired, populates `event.locals.fortress`, runs
|
|
287
|
+
* plugin `after-auth` and (when a route map matches) RBAC, then
|
|
288
|
+
* delegates to `resolve(event)`.
|
|
289
|
+
*
|
|
290
|
+
* Compose with `sequence()` from `@sveltejs/kit/hooks` if you have other
|
|
291
|
+
* handles.
|
|
292
|
+
*
|
|
293
|
+
* @example
|
|
294
|
+
* ```ts
|
|
295
|
+
* // src/hooks.server.ts
|
|
296
|
+
* import { sequence } from '@sveltejs/kit/hooks';
|
|
297
|
+
* import { createSvelteKitHandle } from '@bajustone/fortress/sveltekit';
|
|
298
|
+
* import { fortress } from '$lib/server/fortress';
|
|
299
|
+
*
|
|
300
|
+
* export const handle = sequence(
|
|
301
|
+
* createSvelteKitHandle(fortress, { basePath: '/api' }),
|
|
302
|
+
* );
|
|
303
|
+
* ```
|
|
304
|
+
*/
|
|
305
|
+
|
|
306
|
+
/** Build the SvelteKit `handle` hook for a Fortress instance. */
|
|
307
|
+
declare function createSvelteKitHandle(fortress: Fortress<any, any>, options?: SvelteKitAdapterOptions): SvelteKitHandle;
|
|
308
|
+
|
|
309
|
+
/**
|
|
310
|
+
* Read fortress request context from a SvelteKit `RequestEvent`.
|
|
311
|
+
*
|
|
312
|
+
* Each helper throws `FortressError('UNAUTHORIZED')` when the field is
|
|
313
|
+
* missing — typically because the auth handle hook didn't populate
|
|
314
|
+
* `event.locals.fortress.userId` (i.e. the request was anonymous).
|
|
315
|
+
*/
|
|
316
|
+
|
|
317
|
+
type EventWithFortress = SvelteKitRequestEvent<FortressLocals>;
|
|
318
|
+
/**
|
|
319
|
+
* Read the resolved principal from the event, throwing 401 if missing.
|
|
320
|
+
* Works for every subject kind (`USER`, `SERVICE_ACCOUNT`, ...).
|
|
321
|
+
*/
|
|
322
|
+
declare function getSubject(event: EventWithFortress): Subject;
|
|
323
|
+
/**
|
|
324
|
+
* Read the authenticated user ID. Throws 401 when the request was
|
|
325
|
+
* authenticated by a non-USER subject (e.g. a service account via
|
|
326
|
+
* api-key) — use {@link getSubject} for handlers that accept any
|
|
327
|
+
* principal.
|
|
328
|
+
*/
|
|
329
|
+
declare function getUserId(event: EventWithFortress): string;
|
|
330
|
+
/**
|
|
331
|
+
* Read the verified JWT claims. Only populated when the request was
|
|
332
|
+
* authenticated via a JWT — api-key principals have no JWT claims and
|
|
333
|
+
* this helper throws 401.
|
|
334
|
+
*/
|
|
335
|
+
declare function getClaims(event: EventWithFortress): TokenClaims;
|
|
336
|
+
/** Read the per-request DB adapter (with plugin wrappers applied). */
|
|
337
|
+
declare function getDb(event: EventWithFortress): DatabaseAdapter;
|
|
338
|
+
/**
|
|
339
|
+
* Read the per-request DB adapter scoped to a specific model. Applies any
|
|
340
|
+
* active row-level scope rules from data-isolation plugins.
|
|
341
|
+
*/
|
|
342
|
+
declare function getScopedDb(event: EventWithFortress, model: string): Promise<DatabaseAdapter>;
|
|
343
|
+
|
|
344
|
+
/**
|
|
345
|
+
* SvelteKit-flavoured host callback. `E` flows in from the endpoint passed
|
|
346
|
+
* to `protectedRoute()`, so `ctx.body` / `ctx.query` / `ctx.params` /
|
|
347
|
+
* `ctx.input` are typed from the endpoint's phantom generics. String
|
|
348
|
+
* targets degrade to the loose default.
|
|
349
|
+
*/
|
|
350
|
+
type SvelteKitProtectedRouteHandler<E extends EndpointDefinition<any, any, any, any> = EndpointDefinition, TResult = unknown> = (event: SvelteKitRequestEvent, ctx: ProtectedRouteContext<E>) => TResult | Response | Promise<TResult | Response>;
|
|
351
|
+
/**
|
|
352
|
+
* Wrap a host-owned SvelteKit route/action in Fortress's protection pipeline.
|
|
353
|
+
*
|
|
354
|
+
* Two overloads, mirroring `protect()`:
|
|
355
|
+
*
|
|
356
|
+
* - **Typed target** — passing an `EndpointDefinition` flows its phantom
|
|
357
|
+
* generics through `ctx`.
|
|
358
|
+
* - **String target** — passing a unique `handler` name keeps the loose
|
|
359
|
+
* `Record<string, unknown>` / `unknown` typing.
|
|
360
|
+
*/
|
|
361
|
+
declare function protectedRoute<E extends EndpointDefinition<any, any, any, any>, TResult = unknown>(fortress: Fortress<any, any>, target: E, handler: SvelteKitProtectedRouteHandler<E, TResult>, options?: ProtectOptions): (event: SvelteKitRequestEvent) => Promise<Response>;
|
|
362
|
+
declare function protectedRoute<TResult = unknown>(fortress: Fortress<any, any>, target: string, handler: SvelteKitProtectedRouteHandler<EndpointDefinition, TResult>, options?: ProtectOptions): (event: SvelteKitRequestEvent) => Promise<Response>;
|
|
363
|
+
|
|
364
|
+
/**
|
|
365
|
+
* Typed extraction-and-validation helpers for SvelteKit `+server.ts` handlers
|
|
366
|
+
* and form actions.
|
|
367
|
+
*
|
|
368
|
+
* These helpers extract request data (body, params, query) **and validate
|
|
369
|
+
* it at runtime** against the supplied Standard Schema. On success they
|
|
370
|
+
* return the parsed value with full TypeScript inference; on failure they
|
|
371
|
+
* throw `FortressError('VALIDATION_ERROR', 422)` — the same shape every
|
|
372
|
+
* fortress-managed endpoint produces — so the existing SvelteKit error
|
|
373
|
+
* mapping (via `errorToResponse`) formats it identically.
|
|
374
|
+
*
|
|
375
|
+
* Works with any Standard Schema V1 library: Zod, Valibot, ArkType, or
|
|
376
|
+
* fortress's built-in schema builders.
|
|
377
|
+
*
|
|
378
|
+
* @example
|
|
379
|
+
* ```ts
|
|
380
|
+
* // src/routes/api/users/[id]/+server.ts
|
|
381
|
+
* import { vBody, vParam } from '@bajustone/fortress/sveltekit';
|
|
382
|
+
* import { obj, str } from '@bajustone/fortress';
|
|
383
|
+
*
|
|
384
|
+
* const UpdateBody = obj({ name: str() }, 'name');
|
|
385
|
+
* const Params = obj({ id: str() }, 'id');
|
|
386
|
+
*
|
|
387
|
+
* export async function PATCH(event) {
|
|
388
|
+
* const { id } = await vParam(event, Params);
|
|
389
|
+
* const { name } = await vBody(event, UpdateBody);
|
|
390
|
+
* // ...
|
|
391
|
+
* }
|
|
392
|
+
* ```
|
|
393
|
+
*
|
|
394
|
+
* Validation runs per call, so the first failing helper throws and any
|
|
395
|
+
* downstream helpers in the same handler do not run. If you need to
|
|
396
|
+
* aggregate body+query+params issues into a single response, use the
|
|
397
|
+
* framework-agnostic `validateRequest` from `@bajustone/fortress` instead.
|
|
398
|
+
*/
|
|
399
|
+
|
|
400
|
+
/** Infer the output type of a Standard Schema V1 schema. */
|
|
401
|
+
type InferOutput<T extends StandardSchemaV1> = StandardSchemaV1.InferOutput<T>;
|
|
402
|
+
/**
|
|
403
|
+
* Extract and validate the JSON request body. Returns the parsed value typed
|
|
404
|
+
* as `InferOutput<T>`, or throws `FortressError('VALIDATION_ERROR', 422)`.
|
|
405
|
+
*/
|
|
406
|
+
declare function vBody<T extends StandardSchemaV1>(event: SvelteKitRequestEvent, schema: T): Promise<InferOutput<T>>;
|
|
407
|
+
/**
|
|
408
|
+
* Extract and validate route parameters from a `[param]`-style file. Returns
|
|
409
|
+
* the parsed value typed as `InferOutput<T>`, or throws
|
|
410
|
+
* `FortressError('VALIDATION_ERROR', 422)`.
|
|
411
|
+
*/
|
|
412
|
+
declare function vParam<T extends StandardSchemaV1>(event: SvelteKitRequestEvent, schema: T): Promise<InferOutput<T>>;
|
|
413
|
+
/**
|
|
414
|
+
* Extract and validate query parameters from `event.url.searchParams`.
|
|
415
|
+
* Returns the parsed value typed as `InferOutput<T>`, or throws
|
|
416
|
+
* `FortressError('VALIDATION_ERROR', 422)`.
|
|
417
|
+
*/
|
|
418
|
+
declare function vQuery<T extends StandardSchemaV1>(event: SvelteKitRequestEvent, schema: T): Promise<InferOutput<T>>;
|
|
419
|
+
|
|
420
|
+
export { type FortressActionFailure, type FortressActionOptions, type FortressActionSuccess, type FortressActions, type FortressLocals, type InferOutput, ProtectOptions, ProtectedRouteContext, type SvelteKitAction, type SvelteKitAdapterOptions, type SvelteKitCookieOptions, type SvelteKitCookies, type SvelteKitHandle, type SvelteKitProtectedRouteHandler, type SvelteKitRequestEvent, type SvelteKitRouteHandler, clearAuthCookies, createSvelteKitHandle, fortressActions, getClaims, getDb, getScopedDb, getSubject, getUserId, protectedRoute, replayCookies, setAuthCookies, toSvelteKitHandler, vBody, vParam, vQuery };
|