@camstack/core 0.1.21 → 0.1.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth/scoped-token-manager.d.ts +16 -0
- package/dist/auth/scoped-token-manager.d.ts.map +1 -1
- package/dist/builtins/local-auth/local-auth.addon.d.ts.map +1 -1
- package/dist/builtins/local-auth/local-auth.addon.js +37 -0
- package/dist/builtins/local-auth/local-auth.addon.js.map +1 -1
- package/dist/builtins/local-auth/local-auth.addon.mjs +37 -0
- package/dist/builtins/local-auth/local-auth.addon.mjs.map +1 -1
- package/package.json +1 -1
|
@@ -6518,6 +6518,39 @@ var ScopedTokenManager = class {
|
|
|
6518
6518
|
}
|
|
6519
6519
|
});
|
|
6520
6520
|
}
|
|
6521
|
+
/**
|
|
6522
|
+
* One-shot migration: drop tokens whose owner can't be resolved.
|
|
6523
|
+
*
|
|
6524
|
+
* Two ways a token can end up orphan:
|
|
6525
|
+
* • Pre-fix tokens minted via the CLI were owned by the literal
|
|
6526
|
+
* string `"system"` (provider hardcode, fixed 2026-05-11).
|
|
6527
|
+
* • A user gets deleted but their tokens were not cascade-revoked.
|
|
6528
|
+
*
|
|
6529
|
+
* Either way the UI's `listScopedTokens({ userId: u.id })` never
|
|
6530
|
+
* returns them, so the operator can't revoke through the normal flow.
|
|
6531
|
+
* We sweep both classes by passing the live user-id set in.
|
|
6532
|
+
*
|
|
6533
|
+
* Idempotent: if no orphans exist the method is a no-op.
|
|
6534
|
+
* Returns the number of tokens removed.
|
|
6535
|
+
*/
|
|
6536
|
+
async cleanupOrphans(validUserIds) {
|
|
6537
|
+
const all = await this.store.query.query({
|
|
6538
|
+
collection: TOKENS_COLLECTION,
|
|
6539
|
+
filter: {}
|
|
6540
|
+
});
|
|
6541
|
+
let removed = 0;
|
|
6542
|
+
for (const entry of all) {
|
|
6543
|
+
const record = parseToken(entry.data);
|
|
6544
|
+
if (record.userId === "system" || !validUserIds.has(record.userId)) {
|
|
6545
|
+
await this.store.delete.mutate({
|
|
6546
|
+
collection: TOKENS_COLLECTION,
|
|
6547
|
+
key: record.id
|
|
6548
|
+
});
|
|
6549
|
+
removed++;
|
|
6550
|
+
}
|
|
6551
|
+
}
|
|
6552
|
+
return removed;
|
|
6553
|
+
}
|
|
6521
6554
|
};
|
|
6522
6555
|
//#endregion
|
|
6523
6556
|
//#region src/builtins/local-auth/auth-schema.ts
|
|
@@ -6735,6 +6768,10 @@ var LocalAuthAddon = class extends BaseAddon {
|
|
|
6735
6768
|
this.scopedTokenManager = new ScopedTokenManager(store);
|
|
6736
6769
|
try {
|
|
6737
6770
|
await this.userManager.ensureAdminExists();
|
|
6771
|
+
const liveUsers = await this.userManager.listAll();
|
|
6772
|
+
const liveIds = new Set(liveUsers.map((u) => u.id));
|
|
6773
|
+
const removed = await this.scopedTokenManager.cleanupOrphans(liveIds);
|
|
6774
|
+
if (removed > 0) this.ctx.logger.warn(`cleaned up ${removed} orphan scoped-token(s) on boot`);
|
|
6738
6775
|
} catch (err) {
|
|
6739
6776
|
const detail = err instanceof Error ? err.message : String(err);
|
|
6740
6777
|
throw new Error(`local-auth bootstrap failed: ensureAdminExists threw before \`user-management\` could be registered. Most likely a \`users\` collection schema mismatch in the settings-store. Underlying: ${detail}`, { cause: err });
|