@cosmicdrift/kumiko-bundled-features 0.1.0

package/src/auth-email-password/handlers/invite-accept-with-login.write.ts

@@ -0,0 +1,203 @@
+// Tenant-Invite Step 2 — Branch 2 (anon User mit existing email).
+//
+// Flow:
+//   1. User (nicht eingeloggt) klickt Invite-Link → /invite/accept?token=...
+//   2. Frontend zeigt Login-Form mit pre-filled email (von der Invitation-
+//      Page geliefert via separate Lookup-Query, oder vom User getippt)
+//   3. User submitted email + password + token an diesen Handler
+//   4. Server: login + accept in einem Schritt:
+//      a. Token → invitationId → invitation row
+//      b. Login-Check: Password gegen userTable für invitation.email
+//      c. Email-Match (vom User-Input) === invitation.email
+//      d. Membership-Add im invited Tenant
+//      e. Invitation → status=accepted, Token gelöscht
+//   5. Response: SessionUser + tenantKey für Auto-Login (analog signup-confirm)
+//
+// Anders als signup-confirm: KEIN neuer Tenant entsteht, KEIN neuer
+// User entsteht — beide existieren bereits. Magic ist die kombinierte
+// Login+Accept-Operation in einem Roundtrip.
+
+import {
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+  fetchOne,
+} from "@cosmicdrift/kumiko-framework/db";
+import {
+  createSystemUser,
+  defineWriteHandler,
+  type SessionUser,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import {
+  InternalError,
+  UnprocessableError,
+  writeFailure,
+} from "@cosmicdrift/kumiko-framework/errors";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+// kumiko-lint-ignore cross-feature-import invite-flow
+import {
+  INVITATION_STATUS,
+  tenantInvitationEntity,
+  tenantInvitationsTable,
+} from "../../tenant/invitation-table";
+// kumiko-lint-ignore cross-feature-import membership-seed-helper für privilegierten cross-tenant-add
+import { seedTenantMembership } from "../../tenant/seeding";
+// kumiko-lint-ignore cross-feature-import login-style password-check
+import { userTable } from "../../user/schema/user";
+import { AuthErrors } from "../constants";
+import {
+  burnInviteToken,
+  deleteInviteToken,
+  getInvitationIdForToken,
+  unburnInviteToken,
+} from "../invite-token-store";
+import { verifyPassword } from "../password-hashing";
+
+const InviteAcceptWithLoginSchema = z.object({
+  token: z.string().min(1),
+  email: z.email(),
+  password: z.string().min(8).max(200),
+});
+
+export type InviteAcceptWithLoginData = {
+  readonly kind: "auth-session";
+  readonly session: SessionUser;
+  readonly tenantId: TenantId;
+  readonly role: string;
+};
+
+const invitationExecutor = createEventStoreExecutor(
+  tenantInvitationsTable,
+  tenantInvitationEntity,
+  { entityName: "tenant-invitation" },
+);
+
+function invalidInviteToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidInviteToken, {
+      i18nKey: "auth.errors.invalidInviteToken",
+    }),
+  );
+}
+
+export function createInviteAcceptWithLoginHandler() {
+  return defineWriteHandler<
+    "invite-accept-with-login",
+    typeof InviteAcceptWithLoginSchema,
+    InviteAcceptWithLoginData
+  >({
+    name: "invite-accept-with-login",
+    schema: InviteAcceptWithLoginSchema,
+    access: { roles: ["all"] },
+    handler: async (event, ctx) => {
+      if (!ctx.redis) {
+        return writeFailure(
+          new InternalError({ message: "invite-accept-with-login requires ctx.redis" }),
+        );
+      }
+
+      const invitationId = await getInvitationIdForToken(ctx.redis, event.payload.token);
+      if (!invitationId) return invalidInviteToken();
+
+      const burn = await burnInviteToken(ctx.redis, event.payload.token);
+      if (burn === "already-used") return invalidInviteToken();
+
+      let committed = false;
+      try {
+        const invitation = await fetchOne(
+          ctx.db.raw,
+          tenantInvitationsTable,
+          eq(tenantInvitationsTable.id, invitationId),
+        );
+        if (!invitation || invitation["status"] !== INVITATION_STATUS.pending)
+          return invalidInviteToken();
+
+        const invitationTenantId = invitation["tenantId"] as TenantId;
+        const invitationEmail = invitation["email"] as string;
+        const invitationRole = invitation["role"] as string;
+        const invitationVersion = invitation["version"] as number;
+
+        // Email-Match vom User-Input (nicht aus session — User ist anon)
+        if (event.payload.email.toLowerCase() !== invitationEmail) {
+          return writeFailure(
+            new UnprocessableError(AuthErrors.inviteEmailMismatch, {
+              i18nKey: "auth.errors.inviteEmailMismatch",
+            }),
+          );
+        }
+
+        // Password-Check gegen userTable. Anti-enumeration: bei
+        // user-not-found ODER wrong-password collapsed beides auf
+        // invalidInviteToken (gleicher anti-enum-Trade-off wie reset).
+        const userRow = await fetchOne(ctx.db.raw, userTable, eq(userTable.email, invitationEmail));
+        if (!userRow?.["passwordHash"]) return invalidInviteToken();
+        const passwordValid = await verifyPassword(
+          userRow["passwordHash"] as string,
+          event.payload.password,
+        );
+        if (!passwordValid) return invalidInviteToken();
+
+        const userId = userRow["id"] as string;
+
+        // Already-Member-Check (idempotent)
+        const memberships = (await ctx.queryAs(
+          createSystemUser(invitationTenantId),
+          "tenant:query:memberships",
+          { userId },
+        )) as Array<{ tenantId: string }>;
+        const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
+
+        // @cast-boundary db-runner — TenantDb.raw is DbRunner
+        const dbConn = ctx.db.raw as DbConnection;
+
+        if (!alreadyMember) {
+          await seedTenantMembership(dbConn, {
+            userId,
+            tenantId: invitationTenantId,
+            roles: [invitationRole],
+          });
+        }
+
+        // Invitation → accepted: TenantDb für invitation-tenant.
+        const invitationTdb = createTenantDb(dbConn, invitationTenantId, "system");
+        const updateResult = await invitationExecutor.update(
+          {
+            id: invitationId,
+            version: invitationVersion,
+            changes: { status: INVITATION_STATUS.accepted },
+          },
+          createSystemUser(invitationTenantId),
+          invitationTdb,
+        );
+        if (!updateResult.isSuccess) return updateResult;
+
+        await deleteInviteToken(ctx.redis, { invitationId, token: event.payload.token });
+
+        // SessionUser für JWT-Mint im invited Tenant. Roles =
+        // [invitationRole] (Admin/Editor/User je nach invite).
+        const session: SessionUser = {
+          id: userId,
+          tenantId: invitationTenantId,
+          roles: [invitationRole],
+        };
+
+        committed = true;
+        return {
+          isSuccess: true,
+          data: {
+            kind: "auth-session",
+            session,
+            tenantId: invitationTenantId,
+            role: invitationRole,
+          },
+        };
+      } finally {
+        if (!committed && ctx.redis) {
+          await unburnInviteToken(ctx.redis, event.payload.token);
+        }
+      }
+    },
+  });
+}

package/src/auth-email-password/handlers/invite-accept.write.ts

@@ -0,0 +1,189 @@
+// Tenant-Invite Step 2 — Branch 1 (logged-in user accepts).
+//
+// User ist eingeloggt (in irgendeinem Tenant), klickt Accept-Link.
+// Server:
+//   1. Token → invitationId (Redis)
+//   2. Burn (single-use)
+//   3. Invitation-Row aus DB
+//   4. Email-Match: invitation.email === user.email (sonst inviteEmailMismatch)
+//   5. Already-Member-Check: User schon Member im invited Tenant → no-op success
+//   6. Membership-Add via system-dispatcher (TenantHandlers.addMember)
+//   7. Invitation-Row → status=accepted
+//   8. Redis-Keys löschen (Burn-Key bleibt für Replay-Schutz)
+//
+// Branch 1 ist der klassische "shared workspace bei eingeloggter
+// Session"-Flow. Branch 2 (anon + existing email) und Branch 3 (anon +
+// new email) kommen als separate Handler.
+
+import {
+  createEventStoreExecutor,
+  createTenantDb,
+  type DbConnection,
+  fetchOne,
+} from "@cosmicdrift/kumiko-framework/db";
+import {
+  createSystemUser,
+  defineWriteHandler,
+  type TenantId,
+} from "@cosmicdrift/kumiko-framework/engine";
+import {
+  InternalError,
+  UnprocessableError,
+  writeFailure,
+} from "@cosmicdrift/kumiko-framework/errors";
+import { eq } from "drizzle-orm";
+import { z } from "zod";
+// kumiko-lint-ignore cross-feature-import invite-flow lebt in auth-email-password (Magic-Link), DB-row-owner ist tenant-feature
+import {
+  INVITATION_STATUS,
+  tenantInvitationEntity,
+  tenantInvitationsTable,
+} from "../../tenant/invitation-table";
+// kumiko-lint-ignore cross-feature-import membership-seed-helper für privilegierten cross-tenant-add (analog provisionSignupAccount)
+import { seedTenantMembership } from "../../tenant/seeding";
+// kumiko-lint-ignore cross-feature-import auth handler reads user-row für email-match
+import { userTable } from "../../user/schema/user";
+import { AuthErrors } from "../constants";
+import {
+  burnInviteToken,
+  deleteInviteToken,
+  getInvitationIdForToken,
+  unburnInviteToken,
+} from "../invite-token-store";
+
+const InviteAcceptSchema = z.object({
+  token: z.string().min(1),
+});
+
+export type InviteAcceptData = {
+  readonly kind: "invite-accepted";
+  readonly tenantId: TenantId;
+  readonly role: string;
+  readonly alreadyMember: boolean;
+};
+
+const invitationExecutor = createEventStoreExecutor(
+  tenantInvitationsTable,
+  tenantInvitationEntity,
+  { entityName: "tenant-invitation" },
+);
+
+function invalidInviteToken() {
+  return writeFailure(
+    new UnprocessableError(AuthErrors.invalidInviteToken, {
+      i18nKey: "auth.errors.invalidInviteToken",
+    }),
+  );
+}
+
+export function createInviteAcceptHandler() {
+  return defineWriteHandler<"invite-accept", typeof InviteAcceptSchema, InviteAcceptData>({
+    name: "invite-accept",
+    schema: InviteAcceptSchema,
+    // openToAll: any authenticated user (Branch 1). Branch 2+3 (anon)
+    // nutzen `roles: ["all"]` weil dort GUEST_USER mit ["all"]-role
+    // dispatched wird.
+    access: { openToAll: true },
+    handler: async (event, ctx) => {
+      if (!ctx.redis) {
+        return writeFailure(
+          new InternalError({ message: "invite-accept requires ctx.redis for token consumption" }),
+        );
+      }
+
+      const invitationId = await getInvitationIdForToken(ctx.redis, event.payload.token);
+      if (!invitationId) return invalidInviteToken();
+
+      const burn = await burnInviteToken(ctx.redis, event.payload.token);
+      if (burn === "already-used") return invalidInviteToken();
+
+      let committed = false;
+      try {
+        const invitation = await fetchOne(
+          ctx.db.raw,
+          tenantInvitationsTable,
+          eq(tenantInvitationsTable.id, invitationId),
+        );
+        if (!invitation || invitation["status"] !== INVITATION_STATUS.pending)
+          return invalidInviteToken();
+
+        const invitationTenantId = invitation["tenantId"] as TenantId;
+        const invitationEmail = invitation["email"] as string;
+        const invitationRole = invitation["role"] as string;
+        const invitationVersion = invitation["version"] as number;
+
+        // Email-Match: User muss mit der eingeladenen Email matchen.
+        // Sonst kann ein Angreifer mit Zugriff zur invitee-Mail seinen
+        // eigenen Account dem Tenant zuschlagen.
+        const userRow = await fetchOne(ctx.db.raw, userTable, eq(userTable.id, event.user.id));
+        if (!userRow || (userRow["email"] as string).toLowerCase() !== invitationEmail) {
+          return writeFailure(
+            new UnprocessableError(AuthErrors.inviteEmailMismatch, {
+              i18nKey: "auth.errors.inviteEmailMismatch",
+            }),
+          );
+        }
+
+        // Already-Member-Check via memberships-query. Wenn der User schon
+        // im invited Tenant Member ist, kein Error — no-op + 200 mit
+        // alreadyMember=true (advisor-Constraint #4: idempotent).
+        const memberships = (await ctx.queryAs(
+          createSystemUser(invitationTenantId),
+          "tenant:query:memberships",
+          { userId: event.user.id },
+        )) as Array<{ tenantId: string }>;
+        const alreadyMember = memberships.some((m) => m.tenantId === invitationTenantId);
+
+        // @cast-boundary db-runner — TenantDb.raw is DbRunner
+        const dbConn = ctx.db.raw as DbConnection;
+
+        if (!alreadyMember) {
+          // Membership-Add via seedTenantMembership-helper (event-store-
+          // executor pattern, gleich wie provisionSignupAccount). Nicht
+          // dispatcher.writeAs(addMember) weil addMember-Handler nur
+          // ["SystemAdmin"]-Role akzeptiert; createSystemUser produziert
+          // "system"-Role die NICHT matcht. Direkt-via-Executor bypassed
+          // den Access-Check für privilegierte Cross-Tenant-Operationen.
+          await seedTenantMembership(dbConn, {
+            userId: event.user.id,
+            tenantId: invitationTenantId,
+            roles: [invitationRole],
+          });
+        }
+
+        // Invitation-Status → accepted via event-store-executor.
+        // Tenant-scoping: ctx.db ist auf event.user.tenantId gescopt
+        // (= NICHT der invitation-tenant). Eigene TenantDb für den
+        // invitation-tenant bauen damit der executor die row findet.
+        const invitationTdb = createTenantDb(dbConn, invitationTenantId, "system");
+        const updateResult = await invitationExecutor.update(
+          {
+            id: invitationId,
+            version: invitationVersion,
+            changes: { status: INVITATION_STATUS.accepted },
+          },
+          createSystemUser(invitationTenantId),
+          invitationTdb,
+        );
+        if (!updateResult.isSuccess) return updateResult;
+
+        await deleteInviteToken(ctx.redis, { invitationId, token: event.payload.token });
+
+        committed = true;
+        return {
+          isSuccess: true,
+          data: {
+            kind: "invite-accepted",
+            tenantId: invitationTenantId,
+            role: invitationRole,
+            alreadyMember,
+          },
+        };
+      } finally {
+        if (!committed && ctx.redis) {
+          await unburnInviteToken(ctx.redis, event.payload.token);
+        }
+      }
+    },
+  });
+}

package/src/auth-email-password/handlers/invite-create.write.ts

@@ -0,0 +1,145 @@
+// Tenant-Invite Step 1 (create).
+//
+// Admin invitet email → DB-Row entsteht via event-store-executor (oder
+// wird re-used bei Re-Invite), Random-Token in Redis bidirektional,
+// Route-Layer schickt Mail mit Activation-URL.
+//
+// Resend-Idempotenz: Re-Invite für gleiche (tenantId, email) während
+// pending → existing row + token re-genutzt + TTL refresh + zweite Mail
+// mit GLEICHEM Link. Bei status="cancelled" oder "accepted": existing
+// row updated zurück auf status=pending + neuer token.
+//
+// Always-200 für unbekannten User: bei invitee-Email die nicht in users
+// existiert wird trotzdem ein Invite erstellt — Branch-3-Accept-Flow
+// erlaubt new-user-signup mit dem Token. Keine Enumeration durchs
+// invite-create.
+
+import { generateToken } from "@cosmicdrift/kumiko-framework/api";
+import { createEventStoreExecutor, fetchOne } from "@cosmicdrift/kumiko-framework/db";
+import { defineWriteHandler } from "@cosmicdrift/kumiko-framework/engine";
+import { InternalError, writeFailure } from "@cosmicdrift/kumiko-framework/errors";
+import { eq } from "drizzle-orm";
+import { Temporal } from "temporal-polyfill";
+import { z } from "zod";
+// kumiko-lint-ignore cross-feature-import invite-flow lebt in auth-email-password (Magic-Link-Pattern), DB-row-owner ist tenant-feature
+import {
+  INVITATION_STATUS,
+  tenantInvitationEntity,
+  tenantInvitationsTable,
+} from "../../tenant/invitation-table";
+import { AUTH_INVITE_DEFAULT_TTL_MINUTES } from "../constants";
+import { getTokenForInvitation, storeInviteToken } from "../invite-token-store";
+
+const InviteCreateSchema = z.object({
+  email: z.email(),
+  role: z.string().min(1).max(50),
+});
+
+export type InviteCreateData = {
+  readonly kind: "invite-created";
+  readonly invitationId: string;
+  readonly tenantId: string;
+  readonly email: string;
+  readonly role: string;
+  readonly token: string;
+  readonly expiresAt: string;
+};
+
+export type InviteCreateOptions = {
+  /** TTL für den Activation-Token. Default 7 Tage. */
+  readonly tokenTtlMinutes?: number;
+};
+
+const executor = createEventStoreExecutor(tenantInvitationsTable, tenantInvitationEntity, {
+  entityName: "tenant-invitation",
+});
+
+export function createInviteCreateHandler(opts: InviteCreateOptions = {}) {
+  const ttlMinutes = opts.tokenTtlMinutes ?? AUTH_INVITE_DEFAULT_TTL_MINUTES;
+  const ttlSeconds = ttlMinutes * 60;
+
+  return defineWriteHandler<"invite-create", typeof InviteCreateSchema, InviteCreateData>({
+    name: "invite-create",
+    schema: InviteCreateSchema,
+    access: { roles: ["Admin"] },
+    handler: async (event, ctx) => {
+      if (!ctx.redis) {
+        return writeFailure(
+          new InternalError({ message: "invite-create requires ctx.redis for token store" }),
+        );
+      }
+
+      const email = event.payload.email.toLowerCase();
+      const tenantId = event.user.tenantId;
+      const expiresAt = Temporal.Now.instant().add({ seconds: ttlSeconds });
+
+      // Existing row für (tenantId, email) — unique-index garantiert
+      // max. eine Row. Status egal (cancelled/accepted/expired/pending);
+      // wir setzen sie auf pending zurück und vergeben einen frischen
+      // Token wenn der bisherige nicht mehr lebt.
+      const existing = await fetchOne(
+        ctx.db.raw,
+        tenantInvitationsTable,
+        eq(tenantInvitationsTable.tenantId, tenantId),
+        eq(tenantInvitationsTable.email, email),
+      );
+
+      let invitationId: string;
+      let token: string;
+      if (existing) {
+        invitationId = existing["id"] as string;
+        const existingVersion = existing["version"] as number;
+        // Resend-Idempotenz: Token aus Redis re-use wenn noch lebend.
+        // Sonst neuen mintinen (alter ist abgelaufen).
+        const existingToken = await getTokenForInvitation(ctx.redis, invitationId);
+        token = existingToken ?? generateToken();
+
+        const updateResult = await executor.update(
+          {
+            id: invitationId,
+            version: existingVersion,
+            changes: {
+              role: event.payload.role,
+              status: INVITATION_STATUS.pending,
+              invitedBy: event.user.id,
+              expiresAt,
+            },
+          },
+          event.user,
+          ctx.db,
+        );
+        if (!updateResult.isSuccess) return updateResult;
+      } else {
+        const createResult = await executor.create(
+          {
+            email,
+            role: event.payload.role,
+            status: INVITATION_STATUS.pending,
+            invitedBy: event.user.id,
+            expiresAt,
+          },
+          event.user,
+          ctx.db,
+        );
+        if (!createResult.isSuccess) return createResult;
+        invitationId = (createResult.data as { id: string }).id;
+        token = generateToken();
+      }
+
+      await storeInviteToken(ctx.redis, { invitationId, token, ttlSeconds });
+
+      return {
+        isSuccess: true,
+        data: {
+          kind: "invite-created",
+          invitationId,
+          tenantId,
+          email,
+          role: event.payload.role,
+          token,
+          expiresAt: expiresAt.toString(),
+        },
+      };
+    },
+  });
+}