@classytic/arc 2.11.4 → 2.14.0

package/dist/auth/audit.mjs

@@ -0,0 +1,288 @@
+//#region src/auth/audit.ts
+function compileGlobs(patterns) {
+	if (patterns.length === 0) return () => false;
+	const regexes = patterns.map((p) => new RegExp(`^${globToRegexBody(p)}$`));
+	return (name) => regexes.some((r) => r.test(name));
+}
+function globToRegexBody(pattern) {
+	let out = "";
+	for (let i = 0; i < pattern.length; i++) {
+		const c = pattern[i];
+		if (c === "*") {
+			if (pattern[i + 1] === "*") {
+				out += ".*";
+				i++;
+			} else out += "[^.]+";
+			continue;
+		}
+		if (/[.+?^${}()|[\]\\]/.test(c ?? "")) out += `\\${c}`;
+		else out += c;
+	}
+	return out;
+}
+const ENDPOINT_TO_EVENT = [
+	{
+		test: /\/two-factor\/(verify|verify-totp|verify-otp)\b/,
+		phase: "after",
+		name: "mfa.verify"
+	},
+	{
+		test: /\/two-factor\/(enable|enroll|setup)\b/,
+		phase: "after",
+		name: "mfa.enroll"
+	},
+	{
+		test: /\/two-factor\/disable\b/,
+		phase: "after",
+		name: "mfa.disable"
+	},
+	{
+		test: /\/forget-password\b|\/forgot-password\b/,
+		phase: "after",
+		name: "password.reset.request"
+	},
+	{
+		test: /\/reset-password\b/,
+		phase: "after",
+		name: "password.reset.complete"
+	},
+	{
+		test: /\/verify-email\b/,
+		phase: "after",
+		name: "email.verify"
+	},
+	{
+		test: /\/organization\/create\b/,
+		phase: "after",
+		name: "org.create"
+	},
+	{
+		test: /\/organization\/delete\b/,
+		phase: "after",
+		name: "org.delete"
+	},
+	{
+		test: /\/organization\/invite\b(?!.*accept|.*reject)/,
+		phase: "after",
+		name: "org.invite.create"
+	},
+	{
+		test: /\/organization\/(accept-invitation|invite\/accept)\b/,
+		phase: "after",
+		name: "org.invite.accept"
+	},
+	{
+		test: /\/organization\/(reject-invitation|invite\/reject)\b/,
+		phase: "after",
+		name: "org.invite.reject"
+	},
+	{
+		test: /\/organization\/add-member\b/,
+		phase: "after",
+		name: "org.member.add"
+	},
+	{
+		test: /\/organization\/remove-member\b/,
+		phase: "after",
+		name: "org.member.remove"
+	},
+	{
+		test: /\/organization\/update-member-role\b/,
+		phase: "after",
+		name: "org.member.role.update"
+	},
+	{
+		test: /\/api-key\/create\b/,
+		phase: "after",
+		name: "apikey.create"
+	},
+	{
+		test: /\/api-key\/delete\b/,
+		phase: "after",
+		name: "apikey.delete"
+	}
+];
+function classifyEndpoint(phase, ctx) {
+	const path = ctx.path ?? "";
+	for (const entry of ENDPOINT_TO_EVENT) if (entry.phase === phase && entry.test.test(path)) return entry.name;
+	if (phase === "error" && /\/two-factor\/verify/.test(path)) return "mfa.failed";
+	if (phase === "error" && /\/api-key\/create\b/.test(path)) return "apikey.failed";
+	return null;
+}
+const DEFAULT_EVENTS = [
+	"session.create",
+	"session.delete",
+	"user.create",
+	"user.delete"
+];
+function wireBetterAuthAudit(opts = {}) {
+	const matches = compileGlobs(opts.events ?? DEFAULT_EVENTS);
+	const bufferSize = opts.bufferSize ?? 1e3;
+	const transform = opts.transform;
+	const resolveEndpointEvent = opts.resolveEndpointEvent ?? classifyEndpoint;
+	const buffer = [];
+	let liveAudit = null;
+	let liveLog = null;
+	let droppedFromBuffer = 0;
+	let dispatchFailures = 0;
+	let dispatchAttempts = 0;
+	async function dispatch(event) {
+		dispatchAttempts++;
+		if (!matches(event.name)) return;
+		const finalEvent = transform ? await transform(event) : event;
+		if (!finalEvent) return;
+		if (!liveAudit) {
+			if (buffer.length >= bufferSize) {
+				buffer.shift();
+				droppedFromBuffer++;
+			}
+			buffer.push(finalEvent);
+			return;
+		}
+		try {
+			await liveAudit.custom("auth", finalEvent.subjectId, finalEvent.name, finalEvent.payload, {
+				user: finalEvent.userId ? { id: finalEvent.userId } : void 0,
+				organizationId: finalEvent.organizationId
+			});
+		} catch (err) {
+			dispatchFailures++;
+			liveLog?.warn?.({
+				err,
+				event: finalEvent.name
+			}, "auth audit bridge: dispatch failed");
+		}
+	}
+	async function dispatchEndpoint(phase, ctx) {
+		const name = resolveEndpointEvent(phase, ctx);
+		if (!name) return;
+		const session = ctx.context?.session;
+		await dispatch({
+			name,
+			subjectId: session?.user?.id ?? "",
+			userId: session?.user?.id,
+			organizationId: session?.activeOrganizationId,
+			payload: {
+				path: ctx.path,
+				method: ctx.method,
+				ip: ctx.context?.request?.ip,
+				...phase === "error" && ctx.error ? { error: ctx.error instanceof Error ? ctx.error.message : String(ctx.error) } : {}
+			}
+		});
+	}
+	function makeEndpointHook(phase) {
+		return {
+			matcher: () => true,
+			handler: async (ctx) => {
+				await dispatchEndpoint(phase, ctx);
+				return {};
+			}
+		};
+	}
+	return {
+		hooks: {
+			before: async (ctx) => {
+				await dispatchEndpoint("before", ctx);
+				return {};
+			},
+			after: async (ctx) => {
+				await dispatchEndpoint("after", ctx);
+				return {};
+			}
+		},
+		asPluginHooks() {
+			return {
+				before: [makeEndpointHook("before")],
+				after: [makeEndpointHook("after")]
+			};
+		},
+		databaseHooks: {
+			user: {
+				create: { after: async (user) => {
+					await dispatch({
+						name: "user.create",
+						subjectId: user.id ?? "",
+						userId: user.id
+					});
+				} },
+				update: { after: async (user) => {
+					await dispatch({
+						name: "user.update",
+						subjectId: user.id ?? "",
+						userId: user.id
+					});
+				} },
+				delete: { after: async (user) => {
+					await dispatch({
+						name: "user.delete",
+						subjectId: user.id ?? "",
+						userId: user.id
+					});
+				} }
+			},
+			session: {
+				create: { after: async (session) => {
+					await dispatch({
+						name: "session.create",
+						subjectId: session.id ?? "",
+						userId: session.userId,
+						organizationId: session.activeOrganizationId,
+						payload: {
+							ip: session.ipAddress,
+							userAgent: session.userAgent,
+							impersonatedBy: session.impersonatedBy
+						}
+					});
+				} },
+				update: { after: async (session) => {
+					await dispatch({
+						name: "session.update",
+						subjectId: session.id ?? "",
+						userId: session.userId,
+						organizationId: session.activeOrganizationId
+					});
+				} },
+				delete: { after: async (session) => {
+					await dispatch({
+						name: "session.delete",
+						subjectId: session.id ?? "",
+						userId: session.userId,
+						organizationId: session.activeOrganizationId
+					});
+				} }
+			}
+		},
+		attach(app) {
+			liveAudit = app.audit;
+			liveLog = app.log;
+			const pending = buffer.splice(0);
+			if (droppedFromBuffer > 0) liveLog?.warn?.({
+				dropped: droppedFromBuffer,
+				bufferSize
+			}, "auth audit bridge: pre-attach buffer overflowed; oldest events lost");
+			if (pending.length === 0) return;
+			Promise.all(pending.map((event) => liveAudit?.custom("auth", event.subjectId, event.name, event.payload, {
+				user: event.userId ? { id: event.userId } : void 0,
+				organizationId: event.organizationId
+			}).catch((err) => {
+				dispatchFailures++;
+				liveLog?.warn?.({
+					err,
+					event: event.name
+				}, "auth audit bridge: buffered drain failed");
+			})));
+		},
+		emit(event) {
+			dispatch(event);
+		},
+		getStats() {
+			return {
+				droppedFromBuffer,
+				dispatchFailures,
+				dispatchAttempts,
+				pendingBuffered: buffer.length
+			};
+		}
+	};
+}
+//#endregion
+export { wireBetterAuthAudit };

package/dist/auth/index.d.mts

@@ -1,5 +1,5 @@
-import { Ot as AuthHelpers, kt as AuthPluginOptions } from "../index-CXXRbnf8.mjs";
-import { c as PermissionCheck } from "../fields-BRjxOAFp.mjs";
+import { Rt as AuthHelpers, zt as AuthPluginOptions } from "../index-BtW7qYwa.mjs";
+import { c as PermissionCheck } from "../fields-COhcH3fk.mjs";
 import { t as ExternalOpenApiPaths } from "../externalPaths-BD5nw6St.mjs";
 import { a as SessionManagerOptions, c as createSessionManager, i as SessionData, n as MemorySessionStoreOptions, o as SessionManagerResult, r as SessionCookieOptions, s as SessionStore, t as MemorySessionStore } from "../sessionManager-C4Le_UB3.mjs";
 import { FastifyPluginAsync, FastifyReply as FastifyReply$1, FastifyRequest } from "fastify";
@@ -61,7 +61,7 @@ interface BetterAuthAdapterOptions {
   /**
    * OpenAPI documentation for auth endpoints.
    * - `true` (default): auto-extract from auth.api if available
-   * - `false`: disable (auth routes won't appear in OpenAPI docs)
+   * - `false`: disable (auth routes won't appear in OpenAPI data)
    * - `ExternalOpenApiPaths`: manual spec override
    */
   openapi?: boolean | ExternalOpenApiPaths;