@checkstack/auth-backend 0.4.11 → 0.4.12

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @checkstack/auth-backend
 
+## 0.4.12
+
+### Patch Changes
+
+- c0c0ed2: Introduce generic "Login Flows" to allow authentication strategies to define their own interaction patterns (form, redirect, or oauth) during registration. This fixes an issue where LDAP login attempts were incorrectly routed through the standard social login flow by instead providing a dedicated credential collection form for LDAP.
+- c0c0ed2: Refactor manual session creation to use a secure, bridged oRPC endpoint. This ensures that custom authentication strategies (LDAP, SAML) leverage Better-Auth's native session establishment utilities, including cryptographic signing and reliable cookie attribute management.
+- Updated dependencies [c0c0ed2]
+- Updated dependencies [c0c0ed2]
+  - @checkstack/backend-api@0.9.0
+  - @checkstack/auth-common@0.6.0
+  - @checkstack/command-backend@0.1.14
+
 ## 0.4.11
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-backend",
-  "version": "0.4.11",
+  "version": "0.4.12",
   "type": "module",
   "main": "src/index.ts",
   "checkstack": {
@@ -14,22 +14,22 @@
     "test": "bun test"
   },
   "dependencies": {
-    "@checkstack/auth-common": "0.5.6",
-    "@checkstack/backend-api": "0.8.1",
-    "@checkstack/notification-common": "0.2.6",
-    "@checkstack/command-backend": "0.1.12",
+    "@checkstack/auth-common": "0.5.7",
+    "@checkstack/backend-api": "0.8.2",
+    "@checkstack/notification-common": "0.2.7",
+    "@checkstack/command-backend": "0.1.13",
     "better-auth": "^1.4.7",
     "drizzle-orm": "^0.45.0",
     "hono": "^4.12.14",
     "jose": "^6.1.3",
     "zod": "^4.2.1",
-    "@checkstack/common": "0.6.3",
+    "@checkstack/common": "0.6.4",
     "@orpc/server": "^1.13.2"
   },
   "devDependencies": {
-    "@checkstack/drizzle-helper": "0.0.3",
-    "@checkstack/scripts": "0.1.1",
-    "@checkstack/tsconfig": "0.0.3",
+    "@checkstack/drizzle-helper": "0.0.4",
+    "@checkstack/scripts": "0.1.2",
+    "@checkstack/tsconfig": "0.0.4",
     "@types/node": "^20.0.0",
     "typescript": "^5.0.0"
   }

package/src/index.ts

@@ -1,7 +1,9 @@
 import { betterAuth } from "better-auth";
 import * as socialProviderFactories from "better-auth/social-providers";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
-import { APIError } from "better-auth/api";
+import { APIError, createAuthEndpoint } from "better-auth/api";
+import { setSessionCookie } from "better-auth/cookies";
+import { z } from "zod";
 import {
   createBackendPlugin,
   coreServices,
@@ -549,6 +551,74 @@ export default createBackendPlugin({
           // Default to true on fresh installs (no meta config)
           const credentialEnabled = credentialMetaConfig?.enabled ?? true;
 
+          const baseUrl = process.env.BASE_URL;
+          if (!baseUrl) {
+            throw new Error(
+              "[auth-backend] BASE_URL environment variable is not defined.",
+            );
+          }
+
+          const betterAuthSecret = process.env.BETTER_AUTH_SECRET;
+          if (!betterAuthSecret) {
+            throw new Error(
+              "[auth-backend] BETTER_AUTH_SECRET environment variable is not defined.",
+            );
+          }
+
+          const checkstackBridge = {
+            id: "checkstack-bridge",
+            endpoints: {
+              trustedLogin: createAuthEndpoint(
+                "/internal/trusted-login",
+                {
+                  method: "POST",
+                  body: z.object({ userId: z.string() }),
+                },
+                async (ctx) => {
+                  const secretHeader = ctx.request?.headers.get(
+                    "x-checkstack-internal",
+                  );
+                  if (
+                    !secretHeader ||
+                    secretHeader !== betterAuthSecret
+                  ) {
+                    throw new APIError("UNAUTHORIZED");
+                  }
+
+                  const { userId } = ctx.body;
+                  const ipAddress =
+                    ctx.request?.headers
+                      .get("x-forwarded-for")
+                      ?.split(",")[0]
+                      .trim() || undefined;
+                  const userAgent =
+                    ctx.request?.headers.get("user-agent") || undefined;
+
+                  const session =
+                    await ctx.context.internalAdapter.createSession(
+                      userId,
+                      false,
+                      {
+                        ipAddress,
+                        userAgent,
+                      },
+                    );
+                  const user =
+                    await ctx.context.internalAdapter.findUserById(userId);
+
+                  if (!user) {
+                    throw new APIError("NOT_FOUND", {
+                      message: "User not found",
+                    });
+                  }
+
+                  await setSessionCookie(ctx, { session, user });
+                  return ctx.json({ success: true, sessionId: session.id });
+                },
+              ),
+            },
+          };
+
           // Check platform registration setting
           const platformRegistrationConfig = await config.get(
             PLATFORM_REGISTRATION_CONFIG_ID,
@@ -579,8 +649,7 @@ export default createBackendPlugin({
                 // Send password reset notification via all enabled strategies
                 // Using void to prevent timing attacks revealing email existence
                 const notificationClient = rpcClient.forPlugin(NotificationApi);
-                const frontendUrl =
-                  process.env.BASE_URL || "http://localhost:5173";
+                const frontendUrl = baseUrl;
                 // SECURITY: Use URL parsing instead of brittle string splitting
                 const parsedUrl = new URL(url);
                 const resetToken = parsedUrl.searchParams.get("token");
@@ -614,8 +683,8 @@ export default createBackendPlugin({
             },
             socialProviders,
             basePath: "/api/auth",
-            baseURL: process.env.BASE_URL || "http://localhost:5173",
-            trustedOrigins: [process.env.BASE_URL || "http://localhost:5173"],
+            baseURL: baseUrl,
+            trustedOrigins: [baseUrl],
             databaseHooks: {
               user: {
                 create: {
@@ -651,6 +720,7 @@ export default createBackendPlugin({
                 },
               },
             },
+            plugins: [checkstackBridge],
           };
 
           return betterAuth(authOptions);
@@ -737,6 +807,8 @@ export default createBackendPlugin({
           reloadAuth,
           config,
           accessRuleRegistry,
+          () => auth,
+          logger,
         );
         rpc.registerRouter(authRouter, authContract);
 

package/src/router.test.ts

@@ -89,6 +89,7 @@ describe("Auth Router", () => {
     async () => {},
     mockConfigService,
     mockAccessRuleRegistry,
+    () => undefined,
   );
 
   it("getAccessRules returns current user access rules", async () => {
@@ -349,23 +350,53 @@ describe("Auth Router", () => {
     expect(mockDb.update).toHaveBeenCalled();
   });
 
-  it("createSession creates session record", async () => {
+  it("createSession calls the internal auth bridge", async () => {
     const context = createMockRpcContext({ user: mockServiceUser });
 
-    const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
+    // Setup environment variables for the bridge call
+    process.env.BASE_URL = "http://localhost:3000";
+    process.env.BETTER_AUTH_SECRET = "test-secret";
+
+    const mockResponse = { sessionId: "session-123" };
+    const mockHandler = mock(async (_req: Request) => {
+      return new Response(JSON.stringify(mockResponse), {
+        status: 200,
+        headers: {
+          "Set-Cookie": "better-auth.session_token=test-token; Path=/; HttpOnly",
+        },
+      });
+    });
+
+    // We need to use a router instance that has access to our mock handler
+    const testRouter = createAuthRouter(
+      mockDb,
+      mockRegistry,
+      async () => {},
+      mockConfigService,
+      mockAccessRuleRegistry,
+      () => ({ handler: mockHandler }),
+    );
 
     const result = await call(
-      router.createSession,
+      testRouter.createSession,
       {
         userId: "user-123",
-        token: "session-token",
-        expiresAt,
       },
       { context },
     );
 
-    expect(result.sessionId).toBeDefined();
-    expect(mockDb.insert).toHaveBeenCalled();
+    expect(result.sessionId).toBe("session-123");
+    expect(result.setCookie).toContain("better-auth.session_token=test-token");
+    expect(mockHandler).toHaveBeenCalled();
+
+    // Verify the virtual request headers
+    const lastCall = mockHandler.mock.calls[0][0] as unknown as Request;
+    expect(lastCall.headers.get("Host")).toBe("localhost:3000");
+    expect(lastCall.url).toBe("http://localhost:3000/api/auth/internal/trusted-login");
+
+    // Cleanup environment variables
+    delete process.env.BASE_URL;
+    delete process.env.BETTER_AUTH_SECRET;
   });
 
   it("upsertExternalUser syncs roles when syncRoles provided for new user", async () => {

package/src/router.ts

@@ -8,7 +8,12 @@ import {
   type ConfigService,
   toJsonSchema,
 } from "@checkstack/backend-api";
-import { authContract, passwordSchema, authAccess, pluginMetadata } from "@checkstack/auth-common";
+import {
+  authContract,
+  passwordSchema,
+  authAccess,
+  pluginMetadata,
+} from "@checkstack/auth-common";
 import { qualifyAccessRuleId } from "@checkstack/common";
 import { hashPassword } from "better-auth/crypto";
 import * as schema from "./schema";
@@ -132,7 +137,9 @@ async function assertTeamManagementAccess({
 
   const hasGlobalManage =
     user?.accessRules?.includes("*") ||
-    user?.accessRules?.includes(qualifyAccessRuleId(pluginMetadata, authAccess.teams.manage));
+    user?.accessRules?.includes(
+      qualifyAccessRuleId(pluginMetadata, authAccess.teams.manage),
+    );
 
   if (hasGlobalManage) return; // Global manage allows all teams
 
@@ -157,6 +164,12 @@ async function assertTeamManagementAccess({
   });
 }
 
+const DEFAULT_LOGGER = {
+  info: () => {},
+  error: () => {},
+  debug: () => {},
+};
+
 export const createAuthRouter = (
   internalDb: SafeDatabase<typeof schema>,
   strategyRegistry: { getStrategies: () => AuthStrategy<unknown>[] },
@@ -170,6 +183,14 @@ export const createAuthRouter = (
       isPublic?: boolean;
     }[];
   },
+  getBetterAuth: () =>
+    | { handler: (request: Request) => Promise<Response> }
+    | undefined,
+  logger: {
+    info: (msg: string, metadata?: Record<string, unknown>) => void;
+    error: (msg: string, metadata?: Record<string, unknown>) => void;
+    debug: (msg: string, metadata?: Record<string, unknown>) => void;
+  } = DEFAULT_LOGGER,
 ) => {
   // Public endpoint for enabled strategies (no authentication required)
   const getEnabledStrategies = os.getEnabledStrategies.handler(async () => {
@@ -180,9 +201,15 @@ export const createAuthRouter = (
         // Get enabled state from meta config
         const enabled = await getStrategyEnabled(strategy.id, configService);
 
-        // Determine strategy type
-        const type: "credential" | "social" =
-          strategy.id === "credential" ? "credential" : "social";
+        // Determine strategy type (backward compatibility)
+        let type: "credential" | "social" | "ldap" | "saml" = "social";
+        if (strategy.id === "credential") {
+          type = "credential";
+        } else if (strategy.clientFlow?.type === "form") {
+          type = "ldap"; // Map generic 'form' to 'ldap' for frontend compat
+        } else if (strategy.clientFlow?.type === "redirect") {
+          type = "saml"; // Map generic 'redirect' to 'saml' for frontend compat
+        }
 
         return {
           id: strategy.id,
@@ -192,6 +219,7 @@ export const createAuthRouter = (
           enabled,
           icon: strategy.icon,
           requiresManualRegistration: strategy.requiresManualRegistration,
+          clientFlow: strategy.clientFlow,
         };
       }),
     );
@@ -1031,20 +1059,82 @@ export const createAuthRouter = (
   );
 
   const createSession = os.createSession.handler(async ({ input }) => {
-    const { userId, token, expiresAt } = input;
-    const sessionId = crypto.randomUUID();
-    const now = new Date();
+    const { userId, ipAddress, userAgent } = input;
+    const auth = getBetterAuth();
 
-    await internalDb.insert(schema.session).values({
-      id: sessionId,
-      userId,
-      token,
-      expiresAt,
-      createdAt: now,
-      updatedAt: now,
+    if (!auth) {
+      throw new ORPCError("INTERNAL_SERVER_ERROR", {
+        message: "Authentication service not fully initialized.",
+      });
+    }
+
+    // Construct virtual request to the internal trusted login endpoint
+    // This allows better-auth to handle cookie signing and database persistence
+    const baseUrl = process.env.BASE_URL;
+    if (!baseUrl) {
+      throw new ORPCError("INTERNAL_SERVER_ERROR", {
+        message: "BASE_URL environment variable is not defined.",
+      });
+    }
+
+    const secret = process.env.BETTER_AUTH_SECRET;
+    if (!secret) {
+      throw new ORPCError("INTERNAL_SERVER_ERROR", {
+        message: "BETTER_AUTH_SECRET environment variable is not defined.",
+      });
+    }
+
+    const url = new URL(baseUrl);
+    const req = new Request(`${url.origin}/api/auth/internal/trusted-login`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-checkstack-internal": secret,
+        "x-forwarded-for": ipAddress || "",
+        "user-agent": userAgent || "",
+        Host: url.host,
+      },
+      body: JSON.stringify({ userId }),
     });
 
-    return { sessionId };
+    const res = await auth.handler(req);
+
+    if (!res.ok) {
+      const errorText = await res.text();
+      throw new ORPCError("INTERNAL_SERVER_ERROR", {
+        message: `Failed to create session via bridge: ${res.status} ${errorText}`,
+      });
+    }
+
+    // Extract Set-Cookie. Use getSetCookie() if available (Bun/Node 20+), otherwise fallback to get()
+    // get() usually joins multiple cookies with a comma, which is often correct but sometimes brittle
+    const setCookie =
+      typeof res.headers.getSetCookie === "function"
+        ? res.headers.getSetCookie().join(", ")
+        : res.headers.get("set-cookie");
+
+    if (!setCookie) {
+      const headers: Record<string, string> = {};
+      // eslint-disable-next-line unicorn/no-array-for-each
+      res.headers.forEach((value, key) => {
+        headers[key] = value;
+      });
+
+      logger.error("Authentication bridge did not return session cookies", {
+        status: res.status,
+        headers,
+      });
+      throw new ORPCError("INTERNAL_SERVER_ERROR", {
+        message: "Authentication service did not return session cookies.",
+      });
+    }
+
+    const body = (await res.json()) as { sessionId: string };
+
+    return {
+      sessionId: body.sessionId,
+      setCookie,
+    };
   });
 
   // ==========================================================================
@@ -1500,33 +1590,37 @@ export const createAuthRouter = (
     },
   );
 
-  const addTeamManager = os.addTeamManager.handler(async ({ input, context }) => {
-    await assertTeamManagementAccess({
-      user: context.user,
-      teamId: input.teamId,
-      internalDb,
-    });
-    await internalDb
-      .insert(schema.teamManager)
-      .values({ userId: input.userId, teamId: input.teamId })
-      .onConflictDoNothing();
-  });
+  const addTeamManager = os.addTeamManager.handler(
+    async ({ input, context }) => {
+      await assertTeamManagementAccess({
+        user: context.user,
+        teamId: input.teamId,
+        internalDb,
+      });
+      await internalDb
+        .insert(schema.teamManager)
+        .values({ userId: input.userId, teamId: input.teamId })
+        .onConflictDoNothing();
+    },
+  );
 
-  const removeTeamManager = os.removeTeamManager.handler(async ({ input, context }) => {
-    await assertTeamManagementAccess({
-      user: context.user,
-      teamId: input.teamId,
-      internalDb,
-    });
-    await internalDb
-      .delete(schema.teamManager)
-      .where(
-        and(
-          eq(schema.teamManager.userId, input.userId),
-          eq(schema.teamManager.teamId, input.teamId),
-        ),
-      );
-  });
+  const removeTeamManager = os.removeTeamManager.handler(
+    async ({ input, context }) => {
+      await assertTeamManagementAccess({
+        user: context.user,
+        teamId: input.teamId,
+        internalDb,
+      });
+      await internalDb
+        .delete(schema.teamManager)
+        .where(
+          and(
+            eq(schema.teamManager.userId, input.userId),
+            eq(schema.teamManager.teamId, input.teamId),
+          ),
+        );
+    },
+  );
 
   const getResourceTeamAccess = os.getResourceTeamAccess.handler(
     async ({ input }) => {
@@ -1787,6 +1881,50 @@ export const createAuthRouter = (
     },
   );
 
+  const getOwnStrategyConfig = os.getOwnStrategyConfig.handler(
+    async ({ context }) => {
+      if (context.user?.type !== "service") {
+        throw new ORPCError("UNAUTHORIZED", {
+          message: "This endpoint is only callable by services.",
+        });
+      }
+
+      const callerPluginId = context.user?.pluginId;
+
+      // Infer strategyId from pluginId (e.g. auth-ldap-backend -> ldap)
+      const strategyId = callerPluginId
+        .replace(/^auth-/, "")
+        .replace(/-backend$/, "");
+
+      const strategy = strategyRegistry
+        .getStrategies()
+        .find((s) => s.id === strategyId);
+
+      if (!strategy) {
+        throw new ORPCError("NOT_FOUND", {
+          message: `No strategy found for plugin ${callerPluginId} (inferred strategy ID: ${strategyId})`,
+        });
+      }
+
+      // Load full (non-redacted) config from ConfigService
+      // These configurations are stored in the auth-backend's scope
+      const config = await configService.get(
+        strategy.id,
+        strategy.configSchema,
+        strategy.configVersion,
+        strategy.migrations,
+      );
+
+      if (!config) {
+        throw new ORPCError("NOT_FOUND", {
+          message: `Configuration not found for strategy ${strategyId}`,
+        });
+      }
+
+      return { config: config as Record<string, unknown> };
+    },
+  );
+
   return os.router({
     getEnabledStrategies,
     accessRules: accessRulesHandler,
@@ -1820,6 +1958,7 @@ export const createAuthRouter = (
     updateApplication,
     deleteApplication,
     regenerateApplicationSecret,
+    getOwnStrategyConfig,
     // Teams
     getTeams,
     getTeam,

package/src/teams.test.ts

@@ -137,7 +137,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -187,7 +188,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -252,7 +254,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       // Use mockRegularUser who has only auth.teams.read access
@@ -309,7 +312,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockRegularUser });
@@ -333,7 +337,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -389,7 +394,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -423,7 +429,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -453,7 +460,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -487,7 +495,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -520,7 +529,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -557,7 +567,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -596,7 +607,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -621,7 +633,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -658,7 +671,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -683,7 +697,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -716,7 +731,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -763,7 +779,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -808,7 +825,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -848,7 +866,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -878,7 +897,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockAdminUser });
@@ -914,7 +934,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -947,7 +968,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -998,7 +1020,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1049,7 +1072,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1102,7 +1126,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1155,7 +1180,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1206,7 +1232,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1252,7 +1279,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1303,7 +1331,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1356,7 +1385,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1414,7 +1444,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1465,7 +1496,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1518,7 +1550,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1571,7 +1604,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1601,7 +1635,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1639,7 +1674,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1702,7 +1738,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1750,7 +1787,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1813,7 +1851,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1870,7 +1909,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1933,7 +1973,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });
@@ -1966,7 +2007,8 @@ describe("Teams and Resource Access Control", () => {
         mockRegistry,
         async () => {},
         mockConfigService,
-        mockAccessRuleRegistry
+        mockAccessRuleRegistry,
+        () => undefined
       );
 
       const context = createMockRpcContext({ user: mockServiceUser });