npm - @camstack/core - Versions diffs - 0.1.20 → 0.1.22 - Mend

@camstack/core 0.1.20 → 0.1.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/auth/auth-manager.d.ts +1 -16
package/dist/auth/auth-manager.d.ts.map +1 -1
package/dist/auth/scoped-token-manager.d.ts +16 -0
package/dist/auth/scoped-token-manager.d.ts.map +1 -1
package/dist/builtins/local-auth/local-auth.addon.d.ts.map +1 -1
package/dist/builtins/local-auth/local-auth.addon.js +38 -23
package/dist/builtins/local-auth/local-auth.addon.js.map +1 -1
package/dist/builtins/local-auth/local-auth.addon.mjs +38 -23
package/dist/builtins/local-auth/local-auth.addon.mjs.map +1 -1
package/dist/index.js +4 -3
package/dist/index.js.map +1 -1
package/dist/index.mjs +4 -3
package/dist/index.mjs.map +1 -1
package/package.json +1 -1

package/dist/auth/auth-manager.d.ts CHANGED Viewed

@@ -1,5 +1,4 @@
-import { ScopedToken, UserRole, TokenPayload, IScopedLogger } from '@camstack/types';
-import { ScopedTokenManager } from './scoped-token-manager.js';
+import { UserRole, TokenPayload, IScopedLogger } from '@camstack/types';
 export type { UserRole, TokenPayload };
 export type AuthConfigReader = {
     get<T>(path: string): T;
@@ -8,7 +7,6 @@ export type AuthConfigReader = {
 export declare class AuthManager {
     private readonly config;
     private readonly jwtSecret;
-    private scopedTokenManager;
     private readonly logger;
     constructor(config: AuthConfigReader, logger?: IScopedLogger);
     signToken(payload: Omit<TokenPayload, 'iat' | 'exp'>): string;
@@ -30,18 +28,5 @@ export declare class AuthManager {
         readonly role?: string;
         readonly expiresIn?: string;
     }): string;
-    /**
-     * Set the scoped token manager for the auth chain.
-     */
-    setScopedTokenManager(manager: ScopedTokenManager): void;
-    /**
-     * Validate a scoped token string.
-     * Returns the token record if valid, null otherwise.
-     */
-    validateScopedToken(rawToken: string): Promise<ScopedToken | null>;
-    /**
-     * Check whether a scoped token grants access to a given addon/route/capability.
-     */
-    matchesScopedTokenScope(token: ScopedToken, addonId?: string, routePath?: string, capability?: string): boolean;
 }
 //# sourceMappingURL=auth-manager.d.ts.map

package/dist/auth/auth-manager.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth-manager.d.ts","sourceRoot":"","sources":["../../src/auth/auth-manager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,~~WAAW,EAAE,~~QAAQ,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;~~AACzF~~,~~OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAYnE,~~YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;AAEtC,MAAM,MAAM,gBAAgB,GAAG;IAC7B,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC,CAAA;IACvB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAC7D,CAAA;AAED,qBAAa,WAAW;~~IAKV~~,OAAO,CAAC,QAAQ,CAAC,MAAM;~~IAJnC~~,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAQ;IAClC,OAAO,CAAC,~~kBAAkB,CAAkC;IAC5D,OAAO,CAAC,~~QAAQ,CAAC,MAAM,CAAe;gBAET,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAE,aAA0B;IAczF,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG,MAAM;IAI7D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAIlC,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI/C,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIvE,cAAc,IAAI;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;IAOjE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO;IAK1D;;;OAGG;IACH,kBAAkB,CAAC,IAAI,EAAE;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;QACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAA;QACtB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAC5B,GAAG,MAAM;IAcV;;OAEG;IACH,qBAAqB,CAAC,OAAO,EAAE,kBAAkB,GAAG,IAAI;IAIxD;;;OAGG;IACG,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAOxE;;OAEG;IACH,uBAAuB,CACrB,KAAK,EAAE,WAAW,EAClB,OAAO,CAAC,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,EAClB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO;CAMX"}
1	+ {"version":3,"file":"auth-manager.d.ts","sourceRoot":"","sources":["../../src/auth/auth-manager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AAY5E,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;AAEtC,MAAM,MAAM,gBAAgB,GAAG;IAC7B,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC,CAAA;IACvB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAC7D,CAAA;AAED,qBAAa,WAAW;IAIV,OAAO,CAAC,QAAQ,CAAC,MAAM;IAHnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAQ;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAe;gBAET,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAE,aAA0B;IAczF,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG,MAAM;IAI7D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY;IAIlC,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAI/C,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIvE,cAAc,IAAI;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;IAOjE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO;IAK1D;;;OAGG;IACH,kBAAkB,CAAC,IAAI,EAAE;QACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;QACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAA;QACtB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAC5B,GAAG,MAAM;CAmBX"}

package/dist/auth/scoped-token-manager.d.ts CHANGED Viewed

@@ -14,5 +14,21 @@ export declare class ScopedTokenManager {
     revoke(tokenId: string): Promise<void>;
     listForUser(userId: string): Promise<ScopedToken[]>;
     updateLastUsed(tokenId: string): Promise<void>;
+    /**
+     * One-shot migration: drop tokens whose owner can't be resolved.
+     *
+     * Two ways a token can end up orphan:
+     *   • Pre-fix tokens minted via the CLI were owned by the literal
+     *     string `"system"` (provider hardcode, fixed 2026-05-11).
+     *   • A user gets deleted but their tokens were not cascade-revoked.
+     *
+     * Either way the UI's `listScopedTokens({ userId: u.id })` never
+     * returns them, so the operator can't revoke through the normal flow.
+     * We sweep both classes by passing the live user-id set in.
+     *
+     * Idempotent: if no orphans exist the method is a no-op.
+     * Returns the number of tokens removed.
+     */
+    cleanupOrphans(validUserIds: ReadonlySet<string>): Promise<number>;
 }
 //# sourceMappingURL=scoped-token-manager.d.ts.map

package/dist/auth/scoped-token-manager.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"scoped-token-manager.d.ts","sourceRoot":"","sources":["../../src/auth/scoped-token-manager.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAUnF;;GAEG;AACH,qBAAa,kBAAkB;IACjB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,mBAAmB;IAEjD,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,UAAU,EAAE,EACpB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,WAAW,CAAA;KAAE,CAAC;IAsB5C,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAY7D,YAAY,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO;IAW9F,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAItC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAKnD,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;~~CAMrD~~"}
1	+ {"version":3,"file":"scoped-token-manager.d.ts","sourceRoot":"","sources":["../../src/auth/scoped-token-manager.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAA;AAUnF;;GAEG;AACH,qBAAa,kBAAkB;IACjB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBAAL,KAAK,EAAE,mBAAmB;IAEjD,MAAM,CACV,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,UAAU,EAAE,EACpB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,WAAW,CAAA;KAAE,CAAC;IAsB5C,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAY7D,YAAY,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO;IAW9F,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAItC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAKnD,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOpD;;;;;;;;;;;;;;OAcG;IACG,cAAc,CAAC,YAAY,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;CAYzE"}

package/dist/builtins/local-auth/local-auth.addon.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"local-auth.addon.d.ts","sourceRoot":"","sources":["../../../src/builtins/local-auth/local-auth.addon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAA2B,oBAAoB,EAAE,MAAM,iBAAiB,CAAA;AACpF,OAAO,EAAE,SAAS,EAAoD,MAAM,iBAAiB,CAAA;AA4B7F,UAAU,eAAe;IACvB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,qBAAa,cAAe,SAAQ,SAAS,CAAC,eAAe,CAAC;IAC5D,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,kBAAkB,CAAkC;;cAI5C,YAAY,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;~~cA6L~~/C,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAM5C;AAED,eAAe,cAAc,CAAA"}
1	+ {"version":3,"file":"local-auth.addon.d.ts","sourceRoot":"","sources":["../../../src/builtins/local-auth/local-auth.addon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAA2B,oBAAoB,EAAE,MAAM,iBAAiB,CAAA;AACpF,OAAO,EAAE,SAAS,EAAoD,MAAM,iBAAiB,CAAA;AA4B7F,UAAU,eAAe;IACvB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,qBAAa,cAAe,SAAQ,SAAS,CAAC,eAAe,CAAC;IAC5D,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,kBAAkB,CAAkC;;cAI5C,YAAY,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;cAwM/C,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAM5C;AAED,eAAe,cAAc,CAAA"}

package/dist/builtins/local-auth/local-auth.addon.js CHANGED Viewed

@@ -6166,7 +6166,6 @@ var noopLogger = {
 };
 var AuthManager = class {
 	jwtSecret;
-	scopedTokenManager = null;
 	logger;
 	constructor(config, logger = noopLogger) {
 		this.config = config;
@@ -6220,27 +6219,6 @@ var AuthManager = class {
 		const expiresIn = opts.expiresIn ?? "24h";
 		return import_jsonwebtoken.sign(payload, this.jwtSecret, { expiresIn });
 	}
-	/**
-	* Set the scoped token manager for the auth chain.
-	*/
-	setScopedTokenManager(manager) {
-		this.scopedTokenManager = manager;
-	}
-	/**
-	* Validate a scoped token string.
-	* Returns the token record if valid, null otherwise.
-	*/
-	async validateScopedToken(rawToken) {
-		if (!this.scopedTokenManager) return null;
-		return this.scopedTokenManager.validate(rawToken);
-	}
-	/**
-	* Check whether a scoped token grants access to a given addon/route/capability.
-	*/
-	matchesScopedTokenScope(token, addonId, routePath, capability) {
-		if (!this.scopedTokenManager) return false;
-		return this.scopedTokenManager.matchesScope(token, addonId, routePath, capability);
-	}
 };
 //#endregion
 //#region src/auth/parse-record.ts
@@ -6545,6 +6523,39 @@ var ScopedTokenManager = class {
 			}
 		});
 	}
+	/**
+	* One-shot migration: drop tokens whose owner can't be resolved.
+	*
+	* Two ways a token can end up orphan:
+	*   • Pre-fix tokens minted via the CLI were owned by the literal
+	*     string `"system"` (provider hardcode, fixed 2026-05-11).
+	*   • A user gets deleted but their tokens were not cascade-revoked.
+	*
+	* Either way the UI's `listScopedTokens({ userId: u.id })` never
+	* returns them, so the operator can't revoke through the normal flow.
+	* We sweep both classes by passing the live user-id set in.
+	*
+	* Idempotent: if no orphans exist the method is a no-op.
+	* Returns the number of tokens removed.
+	*/
+	async cleanupOrphans(validUserIds) {
+		const all = await this.store.query.query({
+			collection: TOKENS_COLLECTION,
+			filter: {}
+		});
+		let removed = 0;
+		for (const entry of all) {
+			const record = parseToken(entry.data);
+			if (record.userId === "system" || !validUserIds.has(record.userId)) {
+				await this.store.delete.mutate({
+					collection: TOKENS_COLLECTION,
+					key: record.id
+				});
+				removed++;
+			}
+		}
+		return removed;
+	}
 };
 //#endregion
 //#region src/builtins/local-auth/auth-schema.ts
@@ -6762,6 +6773,10 @@ var LocalAuthAddon = class extends _camstack_types.BaseAddon {
 			this.scopedTokenManager = new ScopedTokenManager(store);
 			try {
 				await this.userManager.ensureAdminExists();
+				const liveUsers = await this.userManager.listAll();
+				const liveIds = new Set(liveUsers.map((u) => u.id));
+				const removed = await this.scopedTokenManager.cleanupOrphans(liveIds);
+				if (removed > 0) this.ctx.logger.warn(`cleaned up ${removed} orphan scoped-token(s) on boot`);
 			} catch (err) {
 				const detail = err instanceof Error ? err.message : String(err);
 				throw new Error(`local-auth bootstrap failed: ensureAdminExists threw before \`user-management\` could be registered. Most likely a \`users\` collection schema mismatch in the settings-store. Underlying: ${detail}`, { cause: err });
@@ -6848,7 +6863,7 @@ var LocalAuthAddon = class extends _camstack_types.BaseAddon {
 			},
 			createScopedToken: async (input) => {
 				if (!this.scopedTokenManager) throw new Error("Scoped token management not available");
-				const { token, record } = await this.scopedTokenManager.create("system", input.name, input.scopes, input.expiresAt);
+				const { token, record } = await this.scopedTokenManager.create(input.userId, input.name, input.scopes, input.expiresAt);
 				return {
 					token,
 					record