@camstack/core 0.1.38 → 0.1.39

package/dist/builtins/local-auth/local-auth.addon.mjs

@@ -1,5 +1,6 @@
 import { i as __toESM, r as __require, t as __commonJSMin } from "../../chunk-hT5z_Zn9.mjs";
 import * as crypto$1 from "node:crypto";
+import { randomUUID } from "node:crypto";
 import { ApiKeyRecordSchema, BaseAddon, ScopedTokenSchema, UserRecordSchema, authProviderCapability, userManagementCapability } from "@camstack/types";
 //#region ../../node_modules/safe-buffer/index.js
 var require_safe_buffer = /* @__PURE__ */ __commonJSMin(((exports, module) => {
@@ -6238,7 +6239,12 @@ var AuthManager = class {
 			provider: payload.provider,
 			...payload.email !== void 0 ? { email: payload.email } : {},
 			...payload.displayName !== void 0 ? { displayName: payload.displayName } : {},
-			...payload.hubUrl !== void 0 ? { hubUrl: payload.hubUrl } : {}
+			...payload.hubUrl !== void 0 ? { hubUrl: payload.hubUrl } : {},
+			...payload.scopes !== void 0 ? { scopes: payload.scopes } : {},
+			...payload.redirectUri !== void 0 ? { redirectUri: payload.redirectUri } : {},
+			...payload.integrationId !== void 0 ? { integrationId: payload.integrationId } : {},
+			...payload.jti !== void 0 ? { jti: payload.jti } : {},
+			...payload.sessionId !== void 0 ? { sessionId: payload.sessionId } : {}
 		};
 		return import_jsonwebtoken.sign(body, this.jwtSecret, { expiresIn: ttlSec });
 	}
@@ -6260,6 +6266,11 @@ var AuthManager = class {
 			const email = typeof decoded["email"] === "string" ? decoded["email"] : void 0;
 			const displayName = typeof decoded["displayName"] === "string" ? decoded["displayName"] : void 0;
 			const hubUrl = typeof decoded["hubUrl"] === "string" ? decoded["hubUrl"] : void 0;
+			const scopes = Array.isArray(decoded["scopes"]) ? decoded["scopes"] : void 0;
+			const redirectUri = typeof decoded["redirectUri"] === "string" ? decoded["redirectUri"] : void 0;
+			const integrationId = typeof decoded["integrationId"] === "string" ? decoded["integrationId"] : void 0;
+			const jti = typeof decoded["jti"] === "string" ? decoded["jti"] : void 0;
+			const sessionId = typeof decoded["sessionId"] === "string" ? decoded["sessionId"] : void 0;
 			return {
 				userId,
 				username,
@@ -6267,7 +6278,12 @@ var AuthManager = class {
 				provider,
 				...email !== void 0 ? { email } : {},
 				...displayName !== void 0 ? { displayName } : {},
-				...hubUrl !== void 0 ? { hubUrl } : {}
+				...hubUrl !== void 0 ? { hubUrl } : {},
+				...scopes !== void 0 ? { scopes } : {},
+				...redirectUri !== void 0 ? { redirectUri } : {},
+				...integrationId !== void 0 ? { integrationId } : {},
+				...jti !== void 0 ? { jti } : {},
+				...sessionId !== void 0 ? { sessionId } : {}
 			};
 		} catch {
 			return null;
@@ -6664,6 +6680,138 @@ var ScopedTokenManager = class {
 	}
 };
 //#endregion
+//#region src/builtins/local-auth/oauth-session-manager.ts
+/**
+* Manages OAuth session records in the `oauth_sessions` collection.
+*
+* Each record represents one Alexa-style account link. Sessions can be
+* active (`revokedAt = null`) or revoked (`revokedAt = <unix-ms>`).
+* `list()` returns both — callers decide whether to filter.
+*
+* Mirrors the pattern of `ScopedTokenManager`: takes a `SettingsStoreClient`
+* in its constructor and performs all reads/writes via the store's
+* `insert`, `update`, `delete`, and `query` primitives.
+*/
+var SESSIONS_COLLECTION = "oauth_sessions";
+function parseSession(data) {
+	const id = data["id"];
+	const userId = data["userId"];
+	const username = data["username"];
+	const integrationId = data["integrationId"];
+	const scopes = data["scopes"];
+	const createdAt = data["createdAt"];
+	const lastUsedAt = data["lastUsedAt"];
+	const revokedAt = data["revokedAt"];
+	if (typeof id !== "string") throw new Error("oauth_sessions row: missing id");
+	if (typeof userId !== "string") throw new Error("oauth_sessions row: missing userId");
+	if (typeof username !== "string") throw new Error("oauth_sessions row: missing username");
+	if (typeof integrationId !== "string") throw new Error("oauth_sessions row: missing integrationId");
+	if (!Array.isArray(scopes)) throw new Error("oauth_sessions row: scopes must be an array");
+	if (typeof createdAt !== "number") throw new Error("oauth_sessions row: missing createdAt");
+	if (typeof lastUsedAt !== "number") throw new Error("oauth_sessions row: missing lastUsedAt");
+	return {
+		id,
+		userId,
+		username,
+		integrationId,
+		scopes,
+		createdAt,
+		lastUsedAt,
+		revokedAt: typeof revokedAt === "number" ? revokedAt : null
+	};
+}
+var OauthSessionManager = class {
+	constructor(store) {
+		this.store = store;
+	}
+	/**
+	* Create a new OAuth session record. Generates a UUID as the session id,
+	* sets `createdAt` and `lastUsedAt` to now, `revokedAt` to null.
+	*/
+	async create(input) {
+		const now = Date.now();
+		const session = {
+			id: crypto$1.randomUUID(),
+			userId: input.userId,
+			username: input.username,
+			integrationId: input.integrationId,
+			scopes: input.scopes.map((s) => ({ ...s })),
+			createdAt: now,
+			lastUsedAt: now,
+			revokedAt: null
+		};
+		await this.store.insert.mutate({
+			collection: SESSIONS_COLLECTION,
+			record: {
+				id: session.id,
+				data: { ...session }
+			}
+		});
+		return session;
+	}
+	/**
+	* Return all sessions — both active and revoked. Callers decide
+	* whether to filter by `revokedAt`.
+	*/
+	async list() {
+		return (await this.store.query.query({
+			collection: SESSIONS_COLLECTION,
+			filter: {}
+		})).map((r) => parseSession(r.data));
+	}
+	/**
+	* Look up a session by its id. Returns null when not found.
+	*/
+	async getById(id) {
+		const results = await this.store.query.query({
+			collection: SESSIONS_COLLECTION,
+			filter: { where: { id } }
+		});
+		if (results.length === 0) return null;
+		return parseSession(results[0].data);
+	}
+	/**
+	* Mark a session as revoked by setting `revokedAt = now`.
+	*
+	* - Returns `true` on success (including idempotent re-revoke — the
+	*   existing `revokedAt` timestamp is preserved; it is NOT updated).
+	* - Returns `false` when the session id is not found.
+	*/
+	async markRevoked(id) {
+		const existing = await this.getById(id);
+		if (existing === null) return false;
+		if (existing.revokedAt !== null) return true;
+		const updated = {
+			...existing,
+			revokedAt: Date.now()
+		};
+		await this.store.update.mutate({
+			collection: SESSIONS_COLLECTION,
+			id,
+			data: { ...updated }
+		});
+		return true;
+	}
+	/**
+	* Update `lastUsedAt` to now. No-op (does not throw) when the session
+	* id is not found — the caller (token-use hot path) should not fail
+	* for a missing session that may have been concurrently revoked.
+	*/
+	async touch(id) {
+		const existing = await this.getById(id);
+		if (existing === null) return;
+		const updated = {
+			...existing,
+			lastUsedAt: Date.now()
+		};
+		await this.store.update.mutate({
+			collection: SESSIONS_COLLECTION,
+			id,
+			data: { ...updated }
+		});
+	}
+};
+//#endregion
 //#region ../../node_modules/@otplib/plugin-crypto/index.js
 /**
 * @otplib/plugin-crypto
@@ -7374,7 +7522,6 @@ function parseRow(data) {
 var TotpManager = class {
 	constructor(store, opts = {}) {
 		this.store = store;
-		this.opts = opts;
 		import_otplib.authenticator.options = { window: opts.window ?? 1 };
 	}
 	/**
@@ -7485,6 +7632,7 @@ var TotpManager = class {
 var USERS_COLLECTION = "users";
 var API_KEYS_COLLECTION = "api_keys";
 var SCOPED_TOKENS_COLLECTION = "scoped_tokens";
+var OAUTH_SESSIONS_COLLECTION = "oauth_sessions";
 /**
 * TOTP enrollment table — split off from `users` to avoid the
 * destructive drop-+-recreate migration `ensureTable` performs when a
@@ -7659,6 +7807,47 @@ var SCOPED_TOKENS_COLUMNS = [
 		notNull: true
 	}
 ];
+var OAUTH_SESSIONS_COLUMNS = [
+	{
+		name: "id",
+		type: "TEXT",
+		primaryKey: true,
+		notNull: true
+	},
+	{
+		name: "userId",
+		type: "TEXT",
+		notNull: true
+	},
+	{
+		name: "username",
+		type: "TEXT",
+		notNull: true
+	},
+	{
+		name: "integrationId",
+		type: "TEXT",
+		notNull: true
+	},
+	{
+		name: "scopes",
+		type: "JSON"
+	},
+	{
+		name: "createdAt",
+		type: "INTEGER",
+		notNull: true
+	},
+	{
+		name: "lastUsedAt",
+		type: "INTEGER",
+		notNull: true
+	},
+	{
+		name: "revokedAt",
+		type: "INTEGER"
+	}
+];
 /**
 * Declare every auth collection with the typed schema. Called by
 * `LocalAuthAddon.onInitialize` before constructing the per-collection
@@ -7690,6 +7879,124 @@ async function declareAuthSchema(store) {
 		collection: USER_TOTP_COLLECTION,
 		columns: USER_TOTP_COLUMNS
 	});
+	await store.declareCollection.mutate({
+		collection: OAUTH_SESSIONS_COLLECTION,
+		columns: OAUTH_SESSIONS_COLUMNS,
+		indexes: [{
+			name: "idx_oauth_sessions_user_id",
+			columns: ["userId"]
+		}]
+	});
+}
+//#endregion
+//#region src/builtins/local-auth/oauth-grants.ts
+var TTL = {
+	"oauth-code": 60,
+	"oauth-access": 3600,
+	"oauth-refresh": 2592e3
+};
+/** OAuth account-linking grant logic. Pure over an injected sso-bridge
+*  signer so it is unit-testable without the capability registry.
+*
+*  Authorization codes are short-lived (60 s). The `redirectUri`,
+*  `integrationId`, and a unique `jti` are embedded in the signed JWT
+*  so the HMAC signature is the real security boundary. Single-use is
+*  enforced by a `jti` consumed-set. The old in-process `pendingCodes`
+*  Map is gone — a hub restart no longer breaks in-flight exchanges,
+*  only risking a single replay within the remaining 60 s TTL. */
+function createOauthGrants(ssoBridge, sessionManager) {
+	const consumedJtis = /* @__PURE__ */ new Map();
+	const baseClaims = (userId, username, scopes, hubUrl) => ({
+		userId,
+		username,
+		isAdmin: false,
+		scopes,
+		hubUrl
+	});
+	async function mintPair(userId, username, scopes, hubUrl, sessionId) {
+		const access = await ssoBridge.signBridgeToken({
+			claims: {
+				...baseClaims(userId, username, scopes, hubUrl),
+				provider: "oauth-access",
+				sessionId
+			},
+			ttlSec: TTL["oauth-access"]
+		});
+		const refresh = await ssoBridge.signBridgeToken({
+			claims: {
+				...baseClaims(userId, username, scopes, hubUrl),
+				provider: "oauth-refresh",
+				sessionId
+			},
+			ttlSec: TTL["oauth-refresh"]
+		});
+		return {
+			accessToken: access.token,
+			refreshToken: refresh.token,
+			expiresIn: TTL["oauth-access"]
+		};
+	}
+	return {
+		async oauthIssueCode(input) {
+			const jti = randomUUID();
+			const { token } = await ssoBridge.signBridgeToken({
+				claims: {
+					...baseClaims(input.userId, input.username, input.scopes, input.hubUrl),
+					provider: "oauth-code",
+					redirectUri: input.redirectUri,
+					integrationId: input.integrationId,
+					jti
+				},
+				ttlSec: TTL["oauth-code"]
+			});
+			return { code: token };
+		},
+		async oauthExchangeCode(input) {
+			const claims = await ssoBridge.verifyBridgeToken({ token: input.code });
+			if (!claims || claims.provider !== "oauth-code") return null;
+			if (claims.redirectUri !== input.redirectUri) return null;
+			const jti = claims.jti;
+			if (!jti) return null;
+			const expiryMs = Date.now() + TTL["oauth-code"] * 1e3;
+			if (consumedJtis.has(jti)) return null;
+			consumedJtis.set(jti, expiryMs);
+			setTimeout(() => {
+				consumedJtis.delete(jti);
+			}, TTL["oauth-code"] * 1e3).unref?.();
+			const scopes = claims.scopes ?? [];
+			const session = await sessionManager.create({
+				userId: claims.userId,
+				username: claims.username,
+				integrationId: typeof claims.integrationId === "string" ? claims.integrationId : "<unknown>",
+				scopes
+			});
+			return mintPair(claims.userId, claims.username, scopes, claims.hubUrl ?? "", session.id);
+		},
+		async oauthRefresh(input) {
+			const claims = await ssoBridge.verifyBridgeToken({ token: input.refreshToken });
+			if (!claims || claims.provider !== "oauth-refresh") return null;
+			const sessionId = typeof claims.sessionId === "string" ? claims.sessionId : null;
+			if (!sessionId) return null;
+			const session = await sessionManager.getById(sessionId);
+			if (!session || session.revokedAt != null) return null;
+			await sessionManager.touch(sessionId);
+			const scopes = claims.scopes ?? [];
+			return mintPair(claims.userId, claims.username, scopes, claims.hubUrl ?? "", sessionId);
+		},
+		async oauthVerifyAccessToken(input) {
+			const claims = await ssoBridge.verifyBridgeToken({ token: input.token });
+			if (!claims || claims.provider !== "oauth-access") return null;
+			const sessionId = typeof claims.sessionId === "string" ? claims.sessionId : null;
+			if (!sessionId) return null;
+			const session = await sessionManager.getById(sessionId);
+			if (!session || session.revokedAt != null) return null;
+			return {
+				userId: claims.userId,
+				username: claims.username,
+				scopes: claims.scopes ?? []
+			};
+		}
+	};
 }
 //#endregion
 //#region src/builtins/local-auth/local-auth.addon.ts
@@ -7706,6 +8013,7 @@ var LocalAuthAddon = class extends BaseAddon {
 	userManager = null;
 	apiKeyManager = null;
 	scopedTokenManager = null;
+	oauthSessionManager = null;
 	totpManager = null;
 	constructor() {
 		super({
@@ -7739,6 +8047,7 @@ var LocalAuthAddon = class extends BaseAddon {
 			this.userManager = new UserManager(storageAccess, this.authManager, reader);
 			this.apiKeyManager = new ApiKeyManager(storageAccess, this.authManager);
 			this.scopedTokenManager = new ScopedTokenManager(store);
+			this.oauthSessionManager = new OauthSessionManager(store);
 			this.totpManager = new TotpManager(store);
 			try {
 				await this.userManager.ensureAdminExists();
@@ -7775,6 +8084,19 @@ var LocalAuthAddon = class extends BaseAddon {
 				}
 			}
 		};
+		let cachedOauthGrants = null;
+		const lazyOauthGrants = () => {
+			if (cachedOauthGrants) return cachedOauthGrants;
+			const bridgeApi = this.ctx.api?.ssoBridge;
+			if (!bridgeApi) throw new Error("local-auth: sso-bridge capability not available via ctx.api — hub boot incomplete");
+			const ssoBridgeProvider = {
+				signBridgeToken: (input) => bridgeApi.signBridgeToken.query(input),
+				verifyBridgeToken: (input) => bridgeApi.verifyBridgeToken.query(input)
+			};
+			if (!this.oauthSessionManager) throw new Error("local-auth: oauthSessionManager not initialized — hub boot incomplete");
+			cachedOauthGrants = createOauthGrants(ssoBridgeProvider, this.oauthSessionManager);
+			return cachedOauthGrants;
+		};
 		const userMgmt = {
 			listUsers: async () => {
 				if (!this.userManager) return [];
@@ -7874,6 +8196,35 @@ var LocalAuthAddon = class extends BaseAddon {
 				if (!this.scopedTokenManager) return [];
 				return this.scopedTokenManager.listForUser(input.userId);
 			},
+			oauthIssueCode: async (input) => {
+				return lazyOauthGrants().oauthIssueCode(input);
+			},
+			oauthExchangeCode: async (input) => {
+				return lazyOauthGrants().oauthExchangeCode(input);
+			},
+			oauthRefresh: async (input) => {
+				return lazyOauthGrants().oauthRefresh(input);
+			},
+			oauthVerifyAccessToken: async (input) => {
+				return lazyOauthGrants().oauthVerifyAccessToken(input);
+			},
+			listOauthSessions: async () => {
+				if (!this.oauthSessionManager) return [];
+				return (await this.oauthSessionManager.list()).map((s) => ({
+					id: s.id,
+					userId: s.userId,
+					username: s.username,
+					integrationId: s.integrationId,
+					scopes: s.scopes,
+					createdAt: s.createdAt,
+					lastUsedAt: s.lastUsedAt,
+					revokedAt: s.revokedAt
+				}));
+			},
+			revokeOauthSession: async (input) => {
+				if (!this.oauthSessionManager) return { success: false };
+				return { success: await this.oauthSessionManager.markRevoked(input.id) };
+			},
 			setupTotp: async (input) => {
 				if (!this.totpManager || !this.userManager) throw new Error("TOTP management not available");
 				const user = await this.userManager.findById(input.userId);
@@ -7916,6 +8267,7 @@ var LocalAuthAddon = class extends BaseAddon {
 		this.userManager = null;
 		this.apiKeyManager = null;
 		this.scopedTokenManager = null;
+		this.oauthSessionManager = null;
 	}
 };
 //#endregion