@cedarjs/auth-netlify-setup 0.0.4

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Cedar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,148 @@
+# Authentication
+
+## Contributing
+
+If you want to contribute a new auth provider integration we recommend you
+start by implementing it as a custom auth provider in a Redwood App first. When
+that works you can package it up as an npm package and publish it on your own.
+You can then create a PR on this repo with support for your new auth provider
+in our `yarn rw setup auth` cli command. The easiest option is probably to just
+look at one of the existing auth providers in
+`packages/cli/src/commands/setup/auth/providers` and the corresponding
+templates in `../templates`.
+
+If you need help setting up a custom auth provider you can read the auth docs
+on the web.
+
+### Contributing to the base auth implementation
+
+If you want to contribute to our auth implementation, the interface towards
+both auth service providers and RW apps we recommend you start looking in
+`authFactory.ts` and then continue to `AuthProvider.tsx`. `AuthProvider.tsx`
+has most of our implementation together with all the custom hooks it uses.
+Another file to be accustomed with is `AuthContext.ts`. The interface in there
+has pretty good code comments, and is what will be exposed to RW apps.
+
+## getCurrentUser
+
+`getCurrentUser` returns the user information together with
+an optional collection of roles used by requireAuth() to check if the user is authenticated or has role-based access.
+
+Use in conjunction with `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param decoded - The decoded access token containing user info and JWT claims like `sub`
+@param { token, SupportedAuthTypes type } - The access token itself as well as the auth provider type
+@param { APIGatewayEvent event, Context context } - An object which contains information from the invoker
+such as headers and cookies, and the context information about the invocation such as IP Address
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+This example is the standard use of `getCurrentUser`.
+
+```js
+export const getCurrentUser = async (
+  decoded,
+  { _token, _type },
+  { _event, _context },
+) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User details fetched via database query
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return await db.user.findUnique({ where: { decoded.email } })
+}
+```
+
+#### User info is decoded from the access token
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded }
+}
+```
+
+#### User info is contained in the decoded token and roles extracted
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User record query by email with namespaced app_metadata roles as Auth0 requires custom JWT claims to be namespaced
+
+```js
+export const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { email: decoded.email },
+  })
+
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded, namespace: NAMESPACE }).roles,
+  }
+}
+```
+
+#### User record query by an identity with app_metadata roles
+
+```js
+const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { userIdentity: decoded.sub },
+  })
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded }).roles,
+  }
+}
+```
+
+#### Cookies and other request information are available in the req parameter, just in case
+
+```js
+const getCurrentUser = async (_decoded, _raw, { event, _context }) => {
+  const cookies = cookie(event.headers.cookies)
+  const session = cookies['my.cookie.name']
+  const currentUser = await db.sessions.findUnique({ where: { id: session } })
+  return currentUser
+}
+```
+
+## requireAuth
+
+Use `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param {string=} roles - An optional role or list of roles
+@param {string[]=} roles - An optional list of roles
+
+@returns {boolean} - If the currentUser is authenticated (and assigned one of the given roles)
+
+@throws {AuthenticationError} - If the currentUser is not authenticated
+@throws {ForbiddenError} If the currentUser is not allowed due to role permissions
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+```js
+requireAuth()
+```
+
+#### Checks if currentUser is authenticated and assigned one of the given roles
+
+```js
+requireAuth({ role: 'admin' })
+requireAuth({ role: ['editor', 'author'] })
+requireAuth({ role: ['publisher'] })
+```

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export * from './setup';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAA"}

package/dist/index.js

@@ -0,0 +1,22 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var index_exports = {};
+module.exports = __toCommonJS(index_exports);
+__reExport(index_exports, require("./setup"), module.exports);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ...require("./setup")
+});

package/dist/setup.d.ts

@@ -0,0 +1,13 @@
+import type yargs from 'yargs';
+export declare const command = "netlify";
+export declare const description = "Set up auth for for Netlify";
+export declare function builder(yargs: yargs.Argv): yargs.Argv<{
+    force: boolean;
+} & {
+    verbose: boolean;
+}>;
+export interface Args {
+    force: boolean;
+}
+export declare function handler(options: Args): Promise<void>;
+//# sourceMappingURL=setup.d.ts.map

package/dist/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAA;AAI9B,eAAO,MAAM,OAAO,YAAY,CAAA;AAChC,eAAO,MAAM,WAAW,gCAAgC,CAAA;AAExD,wBAAgB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI;;;;GAExC;AAED,MAAM,WAAW,IAAI;IACnB,KAAK,EAAE,OAAO,CAAA;CACf;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,IAAI,iBAG1C"}

package/dist/setup.js

@@ -0,0 +1,53 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var setup_exports = {};
+__export(setup_exports, {
+  builder: () => builder,
+  command: () => command,
+  description: () => description,
+  handler: () => handler
+});
+module.exports = __toCommonJS(setup_exports);
+var import_cli_helpers = require("@cedarjs/cli-helpers");
+const command = "netlify";
+const description = "Set up auth for for Netlify";
+function builder(yargs) {
+  return (0, import_cli_helpers.standardAuthBuilder)(yargs);
+}
+async function handler(options) {
+  const { handler: handler2 } = await import("./setupHandler.js");
+  return handler2(options);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  builder,
+  command,
+  description,
+  handler
+});

package/dist/setupHandler.d.ts

@@ -0,0 +1,3 @@
+import type { Args } from './setup';
+export declare function handler({ force: forceArg }: Args): Promise<void>;
+//# sourceMappingURL=setupHandler.d.ts.map

package/dist/setupHandler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setupHandler.d.ts","sourceRoot":"","sources":["../src/setupHandler.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,SAAS,CAAA;AAMnC,wBAAsB,OAAO,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,IAAI,iBAgBtD"}

package/dist/setupHandler.js

@@ -0,0 +1,60 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var setupHandler_exports = {};
+__export(setupHandler_exports, {
+  handler: () => handler
+});
+module.exports = __toCommonJS(setupHandler_exports);
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_cli_helpers = require("@cedarjs/cli-helpers");
+const { version } = JSON.parse(
+  import_fs.default.readFileSync(import_path.default.resolve(__dirname, "../package.json"), "utf-8")
+);
+async function handler({ force: forceArg }) {
+  (0, import_cli_helpers.standardAuthHandler)({
+    basedir: __dirname,
+    forceArg,
+    provider: "netlify",
+    authDecoderImport: `import { authDecoder } from '@cedarjs/auth-netlify-api'`,
+    apiPackages: [`@cedarjs/auth-netlify-api@${version}`],
+    webPackages: [
+      `@cedarjs/auth-netlify-web@${version}`,
+      "netlify-identity-widget@^1"
+    ],
+    notes: [
+      "You'll need to enable Identity on your Netlify site and configure the API endpoint locally.",
+      "See https://redwoodjs.com/docs/auth/netlify for a full walkthrough."
+    ]
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  handler
+});

package/dist/templates/api/lib/auth.ts.template

@@ -0,0 +1,110 @@
+import { parseJWT, Decoded } from '@cedarjs/api'
+import { AuthenticationError, ForbiddenError } from '@cedarjs/graphql-server'
+
+/**
+ * Represents the user attributes returned by the decoding the
+ * Authentication provider's JWT together with an optional list of roles.
+ */
+type RedwoodUser = Record<string, unknown> & { roles: string[] }
+
+/**
+ * getCurrentUser returns the user information together with
+ * an optional collection of roles used by requireAuth() to check
+ * if the user is authenticated or has role-based access
+ *
+ * !! BEWARE !! Anything returned from this function will be available to the
+ * client--it becomes the content of `currentUser` on the web side (as well as
+ * `context.currentUser` on the api side). You should carefully add additional
+ * fields to the return object only once you've decided they are safe to be seen
+ * if someone were to open the Web Inspector in their browser.
+ *
+ * @see https://github.com/cedarjs/cedar/tree/main/packages/auth for examples
+ *
+ * @param decoded - The decoded access token containing user info and JWT
+ *   claims like `sub`. Note, this could be null.
+ * @param { token, SupportedAuthTypes type } - The access token itself as well
+ *   as the auth provider type
+ * @param { APIGatewayEvent event, Context context } - An optional object which
+ *   contains information from the invoker such as headers and cookies, and the
+ *   context information about the invocation such as IP Address
+ * @returns RedwoodUser
+ */
+export const getCurrentUser = async (
+  decoded: Decoded
+): Promise<RedwoodUser | null> => {
+  if (!decoded) {
+    return null
+  }
+
+  const { roles } = parseJWT({ decoded })
+
+  if (roles) {
+    return { ...decoded, roles }
+  }
+
+  return { ...decoded, roles: [] }
+}
+
+/**
+ * The user is authenticated if there is a currentUser in the context
+ *
+ * @returns {boolean} - If the currentUser is authenticated
+ */
+export const isAuthenticated = (): boolean => {
+  return !!context.currentUser
+}
+
+/**
+ * When checking role membership, roles can be a single value, a list, or none.
+ * You can use Prisma enums too (if you're using them for roles), just import
+ * your enum type from `@prisma/client`
+ */
+type AllowedRoles = string | string[] | undefined
+
+/**
+ * Checks if the currentUser is authenticated (and assigned one of the given
+ * roles)
+ *
+ * @param roles: {@link AllowedRoles} - Checks if the currentUser is assigned
+ *   one of these roles
+ *
+ * @returns {boolean} - Returns true if the currentUser is logged in and
+ *   assigned one of the given roles, or when no roles are provided to check
+ *   against. Otherwise returns false.
+ */
+export const hasRole = (allowedRoles: AllowedRoles): boolean => {
+  if (!isAuthenticated() || !allowedRoles) {
+    return false
+  }
+
+  const roles = typeof allowedRoles === 'string' ? [allowedRoles] : allowedRoles
+
+  return context.currentUser.roles.some((role) => roles.includes(role))
+}
+
+/**
+ * Use requireAuth in your services to check that a user is logged in,
+ * whether or not they are assigned a role, and optionally raise an
+ * error if they're not.
+ *
+ * @param roles?: {@link AllowedRoles} - When checking role membership, these
+ *   roles grant access.
+ *
+ * @returns - If the currentUser is authenticated (and assigned one of the
+ *   given roles)
+ *
+ * @throws {@link AuthenticationError} - If the currentUser is not authenticated
+ * @throws {@link ForbiddenError} - If the currentUser is not allowed due to
+ *   role permissions
+ *
+ * @see https://github.com/cedarjs/cedar/tree/main/packages/auth for examples
+ */
+export const requireAuth = ({ roles }: { roles?: AllowedRoles } = {}) => {
+  if (!isAuthenticated()) {
+    throw new AuthenticationError("You don't have permission to do that.")
+  }
+
+  if (roles && !hasRole(roles)) {
+    throw new ForbiddenError("You don't have access to do that.")
+  }
+}

package/dist/templates/web/auth.rsc.ts.template

@@ -0,0 +1,10 @@
+'use client'
+
+import netlifyIdentity from 'netlify-identity-widget'
+
+import { createAuth } from '@cedarjs/auth-netlify-web'
+import { isBrowser } from '@cedarjs/prerender/browserUtils'
+
+isBrowser && netlifyIdentity.init()
+
+export const { AuthProvider, useAuth } = createAuth(netlifyIdentity)

package/dist/templates/web/auth.ts.template

@@ -0,0 +1,8 @@
+import netlifyIdentity from 'netlify-identity-widget'
+
+import { createAuth } from '@cedarjs/auth-netlify-web'
+import { isBrowser } from '@cedarjs/prerender/browserUtils'
+
+isBrowser && netlifyIdentity.init()
+
+export const { AuthProvider, useAuth } = createAuth(netlifyIdentity)

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@cedarjs/auth-netlify-setup",
+  "version": "0.0.4",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cedarjs/cedar.git",
+    "directory": "packages/auth-providers/netlify/setup"
+  },
+  "license": "MIT",
+  "type": "commonjs",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./dist/setup": {
+      "types": "./dist/setup.d.ts",
+      "default": "./dist/setup.js"
+    },
+    "./dist/setupHandler": {
+      "types": "./dist/setupHandler.d.ts",
+      "default": "./dist/setupHandler.js"
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsx ./build.mts && yarn build:types",
+    "build:pack": "yarn pack -o cedar-auth-netlify-setup.tgz",
+    "build:types": "tsc --build --verbose ./tsconfig.json",
+    "build:watch": "nodemon --watch src --ext \"js,jsx,ts,tsx,template\" --ignore dist --exec \"yarn build\"",
+    "check:attw": "yarn attw -P",
+    "check:package": "concurrently npm:check:attw yarn:publint",
+    "prepublishOnly": "NODE_ENV=production yarn build",
+    "test": "vitest run",
+    "test:watch": "vitest watch"
+  },
+  "dependencies": {
+    "@cedarjs/cli-helpers": "0.0.4"
+  },
+  "devDependencies": {
+    "@arethetypeswrong/cli": "0.16.4",
+    "@cedarjs/framework-tools": "0.0.4",
+    "@types/yargs": "17.0.33",
+    "concurrently": "8.2.2",
+    "publint": "0.3.11",
+    "tsx": "4.19.3",
+    "typescript": "5.6.2",
+    "vitest": "2.1.9"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "gitHead": "5b4f77f985bd86ee31ee7338312627accf0cb85b"
+}