@betterportal/auth-default 0.0.1

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/index.js

@@ -0,0 +1,106 @@
+import * as av from "anyvali";
+import { createHandler } from "@betterportal/framework";
+export const QuerySchema = av.object({
+    next: av.optional(av.string()).describe("The view path to pass through to login after first-admin registration.")
+}, { unknownKeys: "strip" });
+export const HeadersSchema = av.object({}, { unknownKeys: "strip" });
+export const RequestSchema = av.object({
+    username: av.string().minLength(1).describe("Username for the first admin account."),
+    password: av.string().minLength(8).describe("Password for the first admin account."),
+    email: av.optional(av.string()).describe("Email address for the first admin account."),
+    name: av.optional(av.string()).describe("Display name for the first admin account.")
+}, { unknownKeys: "strip" });
+export const ResponseSchema = av.object({
+    status: av.enum_(["ok", "error"]).describe("Registration request outcome."),
+    message: av.optional(av.string()).describe("Human-readable status or error message for the renderer."),
+    user: av.optional(av.object({
+        id: av.string().describe("Stable UUIDv7 user id."),
+        username: av.string().describe("Created account username."),
+        isFirstAdmin: av.bool().describe("True when this account is the deployment's first admin.")
+    }, { unknownKeys: "strip" }).describe("Created first-admin user summary.")),
+    // GET state for the theme renderer: registrations are closed once any user
+    // exists; loginUrl (self-origin, absolute) is where the renderer sends the
+    // browser in that case - and after a successful first-admin creation.
+    registrationOpen: av.optional(av.bool()).describe("True while the auth service has zero users; once false, the renderer should send the browser to login."),
+    loginUrl: av.optional(av.string()).describe("Absolute self-origin URL of this auth service's login view, used when registration is closed and after successful first-admin creation.")
+}, { unknownKeys: "strip" });
+export const title = "Register First Admin";
+export const description = "Open registration for the very first user. Once any user exists, this endpoint requires admin auth.";
+export const role = "auth.register";
+export const dependencies = ["login.index"];
+export const chrome = { fullScreen: true };
+export const auth = {
+    required: false,
+    permissions: []
+};
+export const cacheHints = {
+    ttlSeconds: 0,
+    varyBy: []
+};
+/** Self-origin absolute URL for a path, derived from the request Host header. */
+function runtimeFrom(ctx) {
+    const runtime = ctx.plugin?.runtime;
+    if (!runtime)
+        throw new Error("Auth runtime not available on handler context");
+    return runtime;
+}
+function selfUrl(ctx, path, next) {
+    const host = ctx.headers.host;
+    if (!host)
+        return undefined;
+    const proto = ctx.headers["x-forwarded-proto"] ?? "http";
+    return `${proto}://${host}${path}${next ? `?next=${encodeURIComponent(next)}` : ""}`;
+}
+export const handleGet = createHandler({ response: ResponseSchema, query: QuerySchema }, (ctx) => {
+    const runtime = runtimeFrom(ctx);
+    const next = ctx.query.next;
+    return {
+        status: "ok",
+        registrationOpen: runtime.userStore.hasNoUsers(),
+        loginUrl: selfUrl(ctx, "/login", next)
+    };
+});
+export const handlePost = createHandler({ response: ResponseSchema, request: RequestSchema, query: QuerySchema }, async (ctx) => {
+    const runtime = runtimeFrom(ctx);
+    const tenantId = ctx.tenant.id;
+    const appId = ctx.app.id;
+    if (!runtime.userStore.hasNoUsers()) {
+        // Registration is closed once any user exists. Respond 404 so the route
+        // appears not to exist (no user-enumeration surface).
+        ctx.setStatus?.(404);
+        return {
+            status: "error",
+            message: ""
+        };
+    }
+    const body = ctx.request;
+    try {
+        const created = await runtime.userStore.createUser({
+            username: body.username,
+            password: body.password,
+            email: body.email,
+            name: body.name,
+            tenantId,
+            appRoles: { [appId]: ["admin"] }
+        });
+        return {
+            status: "ok",
+            message: "First admin created.",
+            user: {
+                id: created.id,
+                username: created.username,
+                isFirstAdmin: true
+            },
+            // For the themed success view: where to send the browser to sign in.
+            loginUrl: selfUrl(ctx, "/login", ctx.query.next)
+        };
+    }
+    catch (err) {
+        ctx.setStatus?.(400);
+        return {
+            status: "error",
+            message: err.message
+        };
+    }
+});
+//# sourceMappingURL=index.js.map

package/lib/plugins/service-betterportal-auth-default/bp-routes/register/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/plugins/service-betterportal-auth-default/bp-routes/register/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EACL,aAAa,EAId,MAAM,yBAAyB,CAAC;AAGjC,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC,MAAM,CAAC;IACnC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,wEAAwE,CAAC;CAClH,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAC7B,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAErE,MAAM,CAAC,MAAM,aAAa,GAAG,EAAE,CAAC,MAAM,CAAC;IACrC,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,uCAAuC,CAAC;IACpF,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,uCAAuC,CAAC;IACpF,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,4CAA4C,CAAC;IACtF,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,2CAA2C,CAAC;CACrF,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAE7B,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC,MAAM,CAAC;IACtC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,OAAO,CAAU,CAAC,CAAC,QAAQ,CAAC,+BAA+B,CAAC;IACpF,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,0DAA0D,CAAC;IACtG,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,CAAC;QAC1B,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wBAAwB,CAAC;QAClD,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2BAA2B,CAAC;QAC3D,YAAY,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,yDAAyD,CAAC;KAC5F,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,mCAAmC,CAAC,CAAC;IAC3E,2EAA2E;IAC3E,2EAA2E;IAC3E,sEAAsE;IACtE,gBAAgB,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,wGAAwG,CAAC;IAC3J,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,yIAAyI,CAAC;CACvL,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,CAAC,MAAM,KAAK,GAAG,sBAAsB,CAAC;AAC5C,MAAM,CAAC,MAAM,WAAW,GAAG,qGAAqG,CAAC;AAEjI,MAAM,CAAC,MAAM,IAAI,GAAG,eAAe,CAAC;AACpC,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,aAAa,CAAC,CAAC;AAC5C,MAAM,CAAC,MAAM,MAAM,GAA4B,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;AAEpE,MAAM,CAAC,MAAM,IAAI,GAAuB;IACtC,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,EAAE;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,iFAAiF;AACjF,SAAS,WAAW,CAAC,GAAyB;IAC5C,MAAM,OAAO,GAAI,GAAG,CAAC,MAAgD,EAAE,OAAO,CAAC;IAC/E,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IAC/E,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,OAAO,CAAC,GAAwC,EAAE,IAAY,EAAE,IAAa;IACpF,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;IAC9B,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC;IACzD,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AACvF,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAG,aAAa,CACpC,EAAE,QAAQ,EAAE,cAAc,EAAE,KAAK,EAAE,WAAW,EAAE,EAChD,CAAC,GAAG,EAAE,EAAE;IACN,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,IAAI,GAAI,GAAG,CAAC,KAA2B,CAAC,IAAI,CAAC;IACnD,OAAO;QACL,MAAM,EAAE,IAAa;QACrB,gBAAgB,EAAE,OAAO,CAAC,SAAS,CAAC,UAAU,EAAE;QAChD,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC;KACvC,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,MAAM,CAAC,MAAM,UAAU,GAAG,aAAa,CACrC,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,WAAW,EAAE,EACxE,KAAK,EAAE,GAAG,EAAE,EAAE;IACZ,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;IAEzB,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC;QACpC,wEAAwE;QACxE,sDAAsD;QACtD,GAAG,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO;YACL,MAAM,EAAE,OAAgB;YACxB,OAAO,EAAE,EAAE;SACZ,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,OAAsC,CAAC;IACxD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC;YACjD,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ;YACR,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE;SACjC,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,IAAa;YACrB,OAAO,EAAE,sBAAsB;YAC/B,IAAI,EAAE;gBACJ,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,YAAY,EAAE,IAAI;aACnB;YACD,qEAAqE;YACrE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAG,GAAG,CAAC,KAA2B,CAAC,IAAI,CAAC;SACxE,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO;YACL,MAAM,EAAE,OAAgB;YACxB,OAAO,EAAG,GAAa,CAAC,OAAO;SAChC,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC"}

package/lib/plugins/service-betterportal-auth-default/index.d.ts

@@ -0,0 +1,115 @@
+import { type BSBServiceConstructor, type Observable } from "@bsb/base";
+import * as av from "anyvali";
+import { BPService, type BPServiceDefinition } from "@betterportal/plugin-bsb";
+import { type BpTokenIssuer, type JwtVerifier } from "@betterportal/framework";
+import { UserStore } from "../../userStore.js";
+declare const PluginConfigSchema: av.ObjectSchema<{
+    host: av.StringSchema;
+    port: av.IntSchema;
+    issuer: av.StringSchema;
+    audience: av.StringSchema;
+    accessTokenSeconds: av.IntSchema;
+    refreshTokenSeconds: av.IntSchema;
+    keyStorePath: av.StringSchema;
+    userStorePath: av.StringSchema;
+    betterportal: av.OptionalSchema<av.ObjectSchema<{
+        bpConfigPath: av.OptionalSchema<av.StringSchema>;
+        configApiToken: av.OptionalSchema<av.StringSchema>;
+        configEncryptionKey: av.OptionalSchema<av.StringSchema>;
+        controlPlaneUrl: av.OptionalSchema<av.StringSchema>;
+        serviceApiKey: av.OptionalSchema<av.StringSchema>;
+        bootstrapStatePath: av.StringSchema;
+        scopedConfigCachePath: av.StringSchema;
+        trustedProxyHeaders: av.BoolSchema;
+        cfProxy: av.BoolSchema;
+        trustedProxyIps: av.ArraySchema<av.StringSchema>;
+    }>>;
+}>;
+export type AuthPluginConfig = av.Infer<typeof PluginConfigSchema>;
+declare const Config: import("@bsb/base").BSBPluginConfigClass<av.ObjectSchema<{
+    host: av.StringSchema;
+    port: av.IntSchema;
+    issuer: av.StringSchema;
+    audience: av.StringSchema;
+    accessTokenSeconds: av.IntSchema;
+    refreshTokenSeconds: av.IntSchema;
+    keyStorePath: av.StringSchema;
+    userStorePath: av.StringSchema;
+    betterportal: av.OptionalSchema<av.ObjectSchema<{
+        bpConfigPath: av.OptionalSchema<av.StringSchema>;
+        configApiToken: av.OptionalSchema<av.StringSchema>;
+        configEncryptionKey: av.OptionalSchema<av.StringSchema>;
+        controlPlaneUrl: av.OptionalSchema<av.StringSchema>;
+        serviceApiKey: av.OptionalSchema<av.StringSchema>;
+        bootstrapStatePath: av.StringSchema;
+        scopedConfigCachePath: av.StringSchema;
+        trustedProxyHeaders: av.BoolSchema;
+        cfProxy: av.BoolSchema;
+        trustedProxyIps: av.ArraySchema<av.StringSchema>;
+    }>>;
+}>>;
+declare const EventSchemas: {
+    readonly emitEvents: {};
+    readonly onEvents: {};
+    readonly emitReturnableEvents: {};
+    readonly onReturnableEvents: {};
+    readonly emitBroadcast: {};
+    readonly onBroadcast: {};
+};
+export interface DefaultAuthAppConfig {
+    loginRedirectPath?: string;
+    logoutRedirectPath?: string;
+}
+export declare function resolveDefaultAuthAppConfig(raw: Record<string, unknown> | undefined): DefaultAuthAppConfig;
+export interface AuthRuntime {
+    readonly tokenIssuer: BpTokenIssuer;
+    readonly userStore: UserStore;
+    readonly accessTokenSeconds: number;
+    readonly refreshTokenSeconds: number;
+}
+export declare class Plugin extends BPService<InstanceType<typeof Config>, typeof EventSchemas> {
+    static Config: import("@bsb/base").BSBPluginConfigClass<av.ObjectSchema<{
+        host: av.StringSchema;
+        port: av.IntSchema;
+        issuer: av.StringSchema;
+        audience: av.StringSchema;
+        accessTokenSeconds: av.IntSchema;
+        refreshTokenSeconds: av.IntSchema;
+        keyStorePath: av.StringSchema;
+        userStorePath: av.StringSchema;
+        betterportal: av.OptionalSchema<av.ObjectSchema<{
+            bpConfigPath: av.OptionalSchema<av.StringSchema>;
+            configApiToken: av.OptionalSchema<av.StringSchema>;
+            configEncryptionKey: av.OptionalSchema<av.StringSchema>;
+            controlPlaneUrl: av.OptionalSchema<av.StringSchema>;
+            serviceApiKey: av.OptionalSchema<av.StringSchema>;
+            bootstrapStatePath: av.StringSchema;
+            scopedConfigCachePath: av.StringSchema;
+            trustedProxyHeaders: av.BoolSchema;
+            cfProxy: av.BoolSchema;
+            trustedProxyIps: av.ArraySchema<av.StringSchema>;
+        }>>;
+    }>>;
+    static EventSchemas: {
+        readonly emitEvents: {};
+        readonly onEvents: {};
+        readonly emitReturnableEvents: {};
+        readonly onReturnableEvents: {};
+        readonly emitBroadcast: {};
+        readonly onBroadcast: {};
+    };
+    private keyPair;
+    private userStore;
+    constructor(cfg: BSBServiceConstructor<InstanceType<typeof Config>, typeof EventSchemas>);
+    protected definition(): BPServiceDefinition;
+    init(obs: Observable): Promise<void>;
+    get runtime(): AuthRuntime;
+    /**
+     * Override BPService hook so the auth service can verify its own access tokens
+     * (e.g., for routes that require auth, even on the auth service itself).
+     */
+    protected getJwtVerifier(_tenantId: string, _appId: string): JwtVerifier | undefined;
+    private tokenIssuer;
+}
+export { Config, EventSchemas };
+//# sourceMappingURL=index.d.ts.map

package/lib/plugins/service-betterportal-auth-default/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/plugins/service-betterportal-auth-default/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,qBAAqB,EAG1B,KAAK,UAAU,EAChB,MAAM,WAAW,CAAC;AACnB,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAEL,SAAS,EACT,KAAK,mBAAmB,EACzB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAIL,KAAK,aAAa,EAElB,KAAK,WAAW,EAEjB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAG/C,QAAA,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;EAUI,CAAC;AAC7B,MAAM,MAAM,gBAAgB,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEnE,QAAA,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;GAQX,CAAC;AAEF,QAAA,MAAM,YAAY;;;;;;;CAOhB,CAAC;AAEH,MAAM,WAAW,oBAAoB;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,wBAAgB,2BAA2B,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,GAAG,oBAAoB,CAW1G;AAkBD,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC;IACpC,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC;CACtC;AAED,qBAAa,MAAO,SAAQ,SAAS,CAAC,YAAY,CAAC,OAAO,MAAM,CAAC,EAAE,OAAO,YAAY,CAAC;IACrF,MAAM,CAAC,MAAM;;;;;;;;;;;;;;;;;;;;;QAAU;IACvB,MAAM,CAAC,YAAY;;;;;;;MAAgB;IAEnC,OAAO,CAAC,OAAO,CAAc;IAC7B,OAAO,CAAC,SAAS,CAAa;gBAElB,GAAG,EAAE,qBAAqB,CAAC,YAAY,CAAC,OAAO,MAAM,CAAC,EAAE,OAAO,YAAY,CAAC;IAIxF,SAAS,CAAC,UAAU,IAAI,mBAAmB;IAarC,IAAI,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB1C,IAAI,OAAO,IAAI,WAAW,CAOzB;IAED;;;OAGG;IACH,SAAS,CAAC,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAIpF,OAAO,CAAC,WAAW;CASpB;AAED,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC"}

package/lib/plugins/service-betterportal-auth-default/index.js

@@ -0,0 +1,121 @@
+import { createConfigSchema, createEventSchemas } from "@bsb/base";
+import * as av from "anyvali";
+import { resolve } from "node:path";
+import { BetterPortalConfigSchema, BPService } from "@betterportal/plugin-bsb";
+import { createBpTokenIssuer, loadOrGenerateKeyPair, publicKeyToJwk } from "@betterportal/framework";
+import { UserStore } from "../../userStore.js";
+import { registry } from "./.bp-generated/registry.js";
+const PluginConfigSchema = av.object({
+    host: av.string().minLength(1).default("0.0.0.0"),
+    port: av.int().min(1).default(3210),
+    issuer: av.string().minLength(1).default("https://auth.betterportal.local"),
+    audience: av.string().minLength(1).default("betterportal-runtime"),
+    accessTokenSeconds: av.int().min(1).default(60 * 15),
+    refreshTokenSeconds: av.int().min(1).default(60 * 60 * 24 * 7),
+    keyStorePath: av.string().minLength(1).default("./.bp-auth-state/keys.json"),
+    userStorePath: av.string().minLength(1).default("./.bp-auth-state/users.json"),
+    betterportal: BetterPortalConfigSchema
+}, { unknownKeys: "strip" });
+const Config = createConfigSchema({
+    name: "service-betterportal-auth-default",
+    description: "Default BetterPortal v10 auth service: JWKS, login/logout/refresh, bcrypt user store",
+    tags: ["betterportal", "auth", "jwt", "jwks"],
+    documentation: ["./README.md"]
+}, PluginConfigSchema);
+const EventSchemas = createEventSchemas({
+    emitEvents: {},
+    onEvents: {},
+    emitReturnableEvents: {},
+    onReturnableEvents: {},
+    emitBroadcast: {},
+    onBroadcast: {}
+});
+export function resolveDefaultAuthAppConfig(raw) {
+    const loginRedirectPath = typeof raw?.loginRedirectPath === "string" && raw.loginRedirectPath.trim()
+        ? raw.loginRedirectPath.trim()
+        : undefined;
+    const logoutRedirectPath = typeof raw?.logoutRedirectPath === "string" && raw.logoutRedirectPath.trim()
+        ? raw.logoutRedirectPath.trim()
+        : undefined;
+    return {
+        ...(loginRedirectPath ? { loginRedirectPath } : {}),
+        ...(logoutRedirectPath ? { logoutRedirectPath } : {})
+    };
+}
+const DefaultAuthConfigSchemas = [{
+        id: "auth.default.app",
+        title: "Default Auth Config",
+        description: "App-scoped default auth settings.",
+        scope: "app",
+        jsonSchema: { loginRedirectPath: "string", logoutRedirectPath: "string" },
+        groups: [
+            { id: "login", title: "Login", description: "Routes used after signing in.", order: 10, optional: true },
+            { id: "logout", title: "Logout", description: "Routes used after signing out.", order: 20, optional: true }
+        ],
+        fields: [
+            { key: "loginRedirectPath", title: "Logged In Route", description: "Tenant route shown after signing in when no next path is supplied.", scope: "app", visibility: "protected", ownership: "bp", sourceOfTruth: "bp", groupId: "login", order: 10, defaultValue: "/", ui: { control: "select", optionsSource: "app.routes" }, required: false },
+            { key: "logoutRedirectPath", title: "Logged Out Route", description: "Tenant route shown after signing out.", scope: "app", visibility: "protected", ownership: "bp", sourceOfTruth: "bp", groupId: "logout", order: 10, defaultValue: "/", ui: { control: "select", optionsSource: "app.routes" }, required: false }
+        ]
+    }];
+export class Plugin extends BPService {
+    static Config = Config;
+    static EventSchemas = EventSchemas;
+    keyPair;
+    userStore;
+    constructor(cfg) {
+        super({ ...cfg, eventSchemas: EventSchemas });
+    }
+    definition() {
+        return {
+            manifest: {
+                pluginId: "service.betterportal.auth.default",
+                title: "BetterPortal Default Auth",
+                description: "JWT-issuing auth service (RS256 + JWKS + bcrypt user store).",
+                capabilities: ["auth"],
+                configSchemas: DefaultAuthConfigSchemas
+            },
+            registry
+        };
+    }
+    async init(obs) {
+        const cfg = this.config;
+        this.keyPair = loadOrGenerateKeyPair(resolve(cfg.keyStorePath));
+        this.userStore = new UserStore(resolve(cfg.userStorePath));
+        await super.init(obs);
+        const jwk = publicKeyToJwk(this.keyPair.publicKeyPem, this.keyPair.kid);
+        this.registerAsAuthProvider({
+            jwks: { keys: [jwk] }
+        });
+        obs.log.info("Auth service initialized: issuer={issuer} audience={audience} kid={kid}", {
+            issuer: cfg.issuer,
+            audience: cfg.audience,
+            kid: this.keyPair.kid
+        });
+    }
+    get runtime() {
+        return {
+            tokenIssuer: this.tokenIssuer(),
+            userStore: this.userStore,
+            accessTokenSeconds: this.config.accessTokenSeconds,
+            refreshTokenSeconds: this.config.refreshTokenSeconds
+        };
+    }
+    /**
+     * Override BPService hook so the auth service can verify its own access tokens
+     * (e.g., for routes that require auth, even on the auth service itself).
+     */
+    getJwtVerifier(_tenantId, _appId) {
+        return this.tokenIssuer().verifier("access");
+    }
+    tokenIssuer() {
+        return createBpTokenIssuer({
+            keyPair: this.keyPair,
+            issuer: this.config.issuer,
+            audience: this.config.audience,
+            accessTokenSeconds: this.config.accessTokenSeconds,
+            refreshTokenSeconds: this.config.refreshTokenSeconds
+        });
+    }
+}
+export { Config, EventSchemas };
+//# sourceMappingURL=index.js.map

package/lib/plugins/service-betterportal-auth-default/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/plugins/service-betterportal-auth-default/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,kBAAkB,EAClB,kBAAkB,EAEnB,MAAM,WAAW,CAAC;AACnB,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EACL,wBAAwB,EACxB,SAAS,EAEV,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,cAAc,EAKf,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAEvD,MAAM,kBAAkB,GAAG,EAAE,CAAC,MAAM,CAAC;IACnC,IAAI,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IACjD,IAAI,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACnC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,iCAAiC,CAAC;IAC3E,QAAQ,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC;IAClE,kBAAkB,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;IACpD,mBAAmB,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC9D,YAAY,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,4BAA4B,CAAC;IAC5E,aAAa,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,6BAA6B,CAAC;IAC9E,YAAY,EAAE,wBAAwB;CACvC,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;AAG7B,MAAM,MAAM,GAAG,kBAAkB,CAC/B;IACE,IAAI,EAAE,mCAAmC;IACzC,WAAW,EAAE,sFAAsF;IACnG,IAAI,EAAE,CAAC,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;IAC7C,aAAa,EAAE,CAAC,aAAa,CAAC;CAC/B,EACD,kBAAkB,CACnB,CAAC;AAEF,MAAM,YAAY,GAAG,kBAAkB,CAAC;IACtC,UAAU,EAAE,EAAE;IACd,QAAQ,EAAE,EAAE;IACZ,oBAAoB,EAAE,EAAE;IACxB,kBAAkB,EAAE,EAAE;IACtB,aAAa,EAAE,EAAE;IACjB,WAAW,EAAE,EAAE;CAChB,CAAC,CAAC;AAOH,MAAM,UAAU,2BAA2B,CAAC,GAAwC;IAClF,MAAM,iBAAiB,GAAG,OAAO,GAAG,EAAE,iBAAiB,KAAK,QAAQ,IAAI,GAAG,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClG,CAAC,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAC9B,CAAC,CAAC,SAAS,CAAC;IACd,MAAM,kBAAkB,GAAG,OAAO,GAAG,EAAE,kBAAkB,KAAK,QAAQ,IAAI,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE;QACrG,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE;QAC/B,CAAC,CAAC,SAAS,CAAC;IACd,OAAO;QACL,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnD,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACtD,CAAC;AACJ,CAAC;AAED,MAAM,wBAAwB,GAA6B,CAAC;QAC1D,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EAAE,mCAAmC;QAChD,KAAK,EAAE,KAAK;QACZ,UAAU,EAAE,EAAE,iBAAiB,EAAE,QAAQ,EAAE,kBAAkB,EAAE,QAAQ,EAAE;QACzE,MAAM,EAAE;YACN,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,+BAA+B,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE;YACxG,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,gCAAgC,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE;SAC5G;QACD,MAAM,EAAE;YACN,EAAE,GAAG,EAAE,mBAAmB,EAAE,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,oEAAoE,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE;YAC/U,EAAE,GAAG,EAAE,oBAAoB,EAAE,KAAK,EAAE,kBAAkB,EAAE,WAAW,EAAE,uCAAuC,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE;SACtT;KACF,CAAC,CAAC;AASH,MAAM,OAAO,MAAO,SAAQ,SAA2D;IACrF,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,MAAM,CAAC,YAAY,GAAG,YAAY,CAAC;IAE3B,OAAO,CAAc;IACrB,SAAS,CAAa;IAE9B,YAAY,GAA4E;QACtF,KAAK,CAAC,EAAE,GAAG,GAAG,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC,CAAC;IAChD,CAAC;IAES,UAAU;QAClB,OAAO;YACL,QAAQ,EAAE;gBACR,QAAQ,EAAE,mCAAmC;gBAC7C,KAAK,EAAE,2BAA2B;gBAClC,WAAW,EAAE,8DAA8D;gBAC3E,YAAY,EAAE,CAAC,MAAM,CAAC;gBACtB,aAAa,EAAE,wBAAwB;aACxC;YACD,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAe;QACxB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC;QAExB,IAAI,CAAC,OAAO,GAAG,qBAAqB,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;QAE3D,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEtB,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxE,IAAI,CAAC,sBAAsB,CAAC;YAC1B,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,GAAyC,CAAC,EAAE;SAC5D,CAAC,CAAC;QAEH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,yEAAyE,EAAE;YACtF,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;SACtB,CAAC,CAAC;IACL,CAAC;IAED,IAAI,OAAO;QACT,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE;YAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;YAClD,mBAAmB,EAAE,IAAI,CAAC,MAAM,CAAC,mBAAmB;SACrD,CAAC;IACJ,CAAC;IAED;;;OAGG;IACO,cAAc,CAAC,SAAiB,EAAE,MAAc;QACxD,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC;IAEO,WAAW;QACjB,OAAO,mBAAmB,CAAC;YACzB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;YAClD,mBAAmB,EAAE,IAAI,CAAC,MAAM,CAAC,mBAAmB;SACrD,CAAC,CAAC;IACL,CAAC;;AAGH,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC"}

package/lib/schemas/service-betterportal-auth-default.json

@@ -0,0 +1,145 @@
+{
+  "pluginName": "service-betterportal-auth-default",
+  "events": {},
+  "version": "0.0.1",
+  "configSchema": {
+    "anyvaliVersion": "1.0",
+    "schemaVersion": "1.1",
+    "root": {
+      "kind": "object",
+      "properties": {
+        "host": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "0.0.0.0"
+        },
+        "port": {
+          "kind": "int",
+          "min": 1,
+          "default": 3210
+        },
+        "issuer": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "https://auth.betterportal.local"
+        },
+        "audience": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "betterportal-runtime"
+        },
+        "accessTokenSeconds": {
+          "kind": "int",
+          "min": 1,
+          "default": 900
+        },
+        "refreshTokenSeconds": {
+          "kind": "int",
+          "min": 1,
+          "default": 604800
+        },
+        "keyStorePath": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "./.bp-auth-state/keys.json"
+        },
+        "userStorePath": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "./.bp-auth-state/users.json"
+        },
+        "betterportal": {
+          "kind": "optional",
+          "inner": {
+            "kind": "object",
+            "properties": {
+              "bpConfigPath": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 1
+                }
+              },
+              "configApiToken": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 1
+                }
+              },
+              "configEncryptionKey": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 16
+                }
+              },
+              "controlPlaneUrl": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 1
+                }
+              },
+              "serviceApiKey": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 1
+                }
+              },
+              "bootstrapStatePath": {
+                "kind": "string",
+                "minLength": 1,
+                "default": "./.bp-bootstrap/state.enc"
+              },
+              "scopedConfigCachePath": {
+                "kind": "string",
+                "minLength": 1,
+                "default": "./.bp-sync-cache/scoped.json"
+              },
+              "trustedProxyHeaders": {
+                "kind": "bool",
+                "default": false
+              },
+              "cfProxy": {
+                "kind": "bool",
+                "default": false
+              },
+              "trustedProxyIps": {
+                "kind": "array",
+                "items": {
+                  "kind": "string",
+                  "minLength": 1
+                },
+                "default": []
+              }
+            },
+            "required": [
+              "bootstrapStatePath",
+              "scopedConfigCachePath",
+              "trustedProxyHeaders",
+              "cfProxy",
+              "trustedProxyIps"
+            ],
+            "unknownKeys": "strip"
+          }
+        }
+      },
+      "required": [
+        "host",
+        "port",
+        "issuer",
+        "audience",
+        "accessTokenSeconds",
+        "refreshTokenSeconds",
+        "keyStorePath",
+        "userStorePath"
+      ],
+      "unknownKeys": "strip"
+    },
+    "definitions": {},
+    "extensions": {}
+  },
+  "pluginType": "service"
+}

package/lib/schemas/service-betterportal-auth-default.plugin.json

@@ -0,0 +1,158 @@
+{
+  "id": "service-betterportal-auth-default",
+  "name": "service-betterportal-auth-default",
+  "version": "0.0.1",
+  "description": "Default BetterPortal v10 auth service: JWKS, login/logout/refresh, bcrypt user store",
+  "category": "service",
+  "tags": [
+    "betterportal",
+    "auth",
+    "jwt",
+    "jwks"
+  ],
+  "documentation": [
+    "./README.md"
+  ],
+  "dependencies": [],
+  "author": "BetterCorp",
+  "license": "(AGPL-3.0-only OR Commercial)",
+  "configSchema": {
+    "anyvaliVersion": "1.0",
+    "schemaVersion": "1.1",
+    "root": {
+      "kind": "object",
+      "properties": {
+        "host": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "0.0.0.0"
+        },
+        "port": {
+          "kind": "int",
+          "min": 1,
+          "default": 3210
+        },
+        "issuer": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "https://auth.betterportal.local"
+        },
+        "audience": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "betterportal-runtime"
+        },
+        "accessTokenSeconds": {
+          "kind": "int",
+          "min": 1,
+          "default": 900
+        },
+        "refreshTokenSeconds": {
+          "kind": "int",
+          "min": 1,
+          "default": 604800
+        },
+        "keyStorePath": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "./.bp-auth-state/keys.json"
+        },
+        "userStorePath": {
+          "kind": "string",
+          "minLength": 1,
+          "default": "./.bp-auth-state/users.json"
+        },
+        "betterportal": {
+          "kind": "optional",
+          "inner": {
+            "kind": "object",
+            "properties": {
+              "bpConfigPath": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 1
+                }
+              },
+              "configApiToken": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 1
+                }
+              },
+              "configEncryptionKey": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 16
+                }
+              },
+              "controlPlaneUrl": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 1
+                }
+              },
+              "serviceApiKey": {
+                "kind": "optional",
+                "inner": {
+                  "kind": "string",
+                  "minLength": 1
+                }
+              },
+              "bootstrapStatePath": {
+                "kind": "string",
+                "minLength": 1,
+                "default": "./.bp-bootstrap/state.enc"
+              },
+              "scopedConfigCachePath": {
+                "kind": "string",
+                "minLength": 1,
+                "default": "./.bp-sync-cache/scoped.json"
+              },
+              "trustedProxyHeaders": {
+                "kind": "bool",
+                "default": false
+              },
+              "cfProxy": {
+                "kind": "bool",
+                "default": false
+              },
+              "trustedProxyIps": {
+                "kind": "array",
+                "items": {
+                  "kind": "string",
+                  "minLength": 1
+                },
+                "default": []
+              }
+            },
+            "required": [
+              "bootstrapStatePath",
+              "scopedConfigCachePath",
+              "trustedProxyHeaders",
+              "cfProxy",
+              "trustedProxyIps"
+            ],
+            "unknownKeys": "strip"
+          }
+        }
+      },
+      "required": [
+        "host",
+        "port",
+        "issuer",
+        "audience",
+        "accessTokenSeconds",
+        "refreshTokenSeconds",
+        "keyStorePath",
+        "userStorePath"
+      ],
+      "unknownKeys": "strip"
+    },
+    "definitions": {},
+    "extensions": {}
+  }
+}