@cosmicdrift/kumiko-bundled-features 0.35.0 → 0.37.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cosmicdrift/kumiko-bundled-features",
-  "version": "0.35.0",
+  "version": "0.37.0",
   "description": "Built-in features — tenant, user, auth, delivery. The stuff you'd rewrite anyway, already typed.",
   "license": "BUSL-1.1",
   "author": "Marc Frost <marc@cosmicdriftgamestudio.com>",
@@ -74,10 +74,10 @@
     "./step-dispatcher": "./src/step-dispatcher/index.ts"
   },
   "dependencies": {
-    "@cosmicdrift/kumiko-dispatcher-live": "0.21.0",
-    "@cosmicdrift/kumiko-framework": "0.21.0",
-    "@cosmicdrift/kumiko-renderer": "0.21.0",
-    "@cosmicdrift/kumiko-renderer-web": "0.21.0",
+    "@cosmicdrift/kumiko-dispatcher-live": "0.35.0",
+    "@cosmicdrift/kumiko-framework": "0.35.0",
+    "@cosmicdrift/kumiko-renderer": "0.35.0",
+    "@cosmicdrift/kumiko-renderer-web": "0.35.0",
     "@mollie/api-client": "^4.5.0",
     "@node-rs/argon2": "^2.0.2",
     "@types/nodemailer": "^8.0.0",

package/src/auth-email-password/__tests__/auth-mailer.test.ts

@@ -0,0 +1,138 @@
+import { describe, expect, test } from "bun:test";
+import { createInMemoryTransport } from "../../channel-email";
+import { createAuthMailerConfig } from "../auth-mailer";
+
+function makeArgs(overrides?: Record<string, unknown>) {
+  const mailSender = createInMemoryTransport();
+  return {
+    mailSender,
+    hmacSecret: "test-hmac-secret",
+    baseUrl: "https://admin.example.com",
+    paths: {
+      resetPassword: "/reset-password",
+      verifyEmail: "/verify-email",
+      signupComplete: "/signup/complete",
+      inviteAccept: "/invite/accept",
+    },
+    appName: "TestApp",
+    locale: "en" as const,
+    ...overrides,
+  };
+}
+
+describe("createAuthMailerConfig", () => {
+  test("returns all 4 setups", () => {
+    const config = createAuthMailerConfig(makeArgs());
+    expect(config.passwordReset).toBeDefined();
+    expect(config.emailVerification).toBeDefined();
+    expect(config.signup).toBeDefined();
+    expect(config.invite).toBeDefined();
+  });
+
+  test("constructs URLs from baseUrl + paths", () => {
+    const config = createAuthMailerConfig(makeArgs());
+    expect(config.passwordReset.appResetUrl).toBe("https://admin.example.com/reset-password");
+    expect(config.emailVerification.appVerifyUrl).toBe("https://admin.example.com/verify-email");
+    expect(config.signup.appActivationUrl).toBe("https://admin.example.com/signup/complete");
+    expect(config.invite.appAcceptUrl).toBe("https://admin.example.com/invite/accept");
+  });
+
+  test("forwards hmacSecret", () => {
+    const config = createAuthMailerConfig(makeArgs());
+    expect(config.passwordReset.hmacSecret).toBe("test-hmac-secret");
+    expect(config.emailVerification.hmacSecret).toBe("test-hmac-secret");
+  });
+
+  test("sendResetEmail calls mailSender.send with rendered content", async () => {
+    const args = makeArgs();
+    const config = createAuthMailerConfig(args);
+
+    await config.passwordReset.sendResetEmail({
+      email: "user@example.com",
+      resetUrl: "https://admin.example.com/reset?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+    });
+
+    expect(args.mailSender.sent).toHaveLength(1);
+    expect(args.mailSender.sent[0]!.to).toBe("user@example.com");
+    expect(args.mailSender.sent[0]!.subject).toContain("TestApp");
+    expect(args.mailSender.sent[0]!.subject).toContain("Reset");
+    expect(args.mailSender.sent[0]!.html).toContain("https://admin.example.com/reset?token=abc");
+  });
+
+  test("sendVerificationEmail calls mailSender.send", async () => {
+    const args = makeArgs();
+    const config = createAuthMailerConfig(args);
+
+    await config.emailVerification.sendVerificationEmail({
+      email: "user@example.com",
+      verificationUrl: "https://admin.example.com/verify?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+    });
+
+    expect(args.mailSender.sent).toHaveLength(1);
+    expect(args.mailSender.sent[0]!.to).toBe("user@example.com");
+    expect(args.mailSender.sent[0]!.subject).toContain("TestApp");
+    expect(args.mailSender.sent[0]!.subject).toContain("Verify");
+  });
+
+  test("sendActivationEmail calls mailSender.send", async () => {
+    const args = makeArgs();
+    const config = createAuthMailerConfig(args);
+
+    await config.signup.sendActivationEmail({
+      email: "user@example.com",
+      activationUrl: "https://admin.example.com/signup/complete?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+    });
+
+    expect(args.mailSender.sent).toHaveLength(1);
+    expect(args.mailSender.sent[0]!.to).toBe("user@example.com");
+    expect(args.mailSender.sent[0]!.subject).toContain("TestApp");
+  });
+
+  test("sendInviteEmail calls mailSender.send with role", async () => {
+    const args = makeArgs();
+    const config = createAuthMailerConfig(args);
+
+    await config.invite.sendInviteEmail({
+      email: "user@example.com",
+      inviteUrl: "https://admin.example.com/invite/accept?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+      role: "Admin",
+    });
+
+    expect(args.mailSender.sent).toHaveLength(1);
+    expect(args.mailSender.sent[0]!.to).toBe("user@example.com");
+    expect(args.mailSender.sent[0]!.subject).toContain("TestApp");
+    expect(args.mailSender.sent[0]!.html).toContain("Admin");
+  });
+
+  test("uses defaults when appName is omitted", () => {
+    const config = createAuthMailerConfig(makeArgs({ appName: undefined }));
+    expect(config.passwordReset.appResetUrl).toBeDefined();
+  });
+
+  test("emailVerificationMode is absent when not provided", () => {
+    const config = createAuthMailerConfig(makeArgs());
+    expect("mode" in config.emailVerification).toBe(false);
+  });
+
+  test("emailVerificationMode is set when provided", () => {
+    const config = createAuthMailerConfig(makeArgs({ emailVerificationMode: "strict" }));
+    expect(config.emailVerification).toHaveProperty("mode", "strict");
+  });
+
+  test("locale 'de' renders German subject", async () => {
+    const args = makeArgs({ locale: "de" });
+    const config = createAuthMailerConfig(args);
+
+    await config.passwordReset.sendResetEmail({
+      email: "user@example.com",
+      resetUrl: "https://example.com/reset?token=abc",
+      expiresAt: "2026-06-09T12:00:00.000Z",
+    });
+
+    expect(args.mailSender.sent[0]!.subject).toContain("Passwort");
+  });
+});

package/src/auth-email-password/auth-mailer.ts

@@ -0,0 +1,137 @@
+import type { EmailTransport } from "../channel-email";
+import type { AuthMailLocale } from "./email-templates";
+import {
+  renderActivationEmail,
+  renderInviteEmail,
+  renderResetPasswordEmail,
+  renderVerifyEmail,
+} from "./email-templates";
+import type {
+  EmailVerificationOptions,
+  InviteOptions,
+  PasswordResetOptions,
+  SignupOptions,
+} from "./feature";
+
+/**
+ * Komplette Konfiguration für die 4 Auth-Mail-Flows einer App.
+ *
+ * Strukturell kompatibel mit den `*Setup`-Typen aus
+ * `@cosmicdrift/kumiko-dev-server` (`PasswordResetSetup`,
+ * `EmailVerificationSetup`, `SignupSetup`, `InviteSetup`).
+ */
+export type AuthMailerConfig = {
+  readonly passwordReset: PasswordResetOptions & {
+    readonly appResetUrl: string;
+    readonly sendResetEmail: (args: {
+      email: string;
+      resetUrl: string;
+      expiresAt: string;
+    }) => Promise<void>;
+  };
+  readonly emailVerification: EmailVerificationOptions & {
+    readonly appVerifyUrl: string;
+    readonly sendVerificationEmail: (args: {
+      email: string;
+      verificationUrl: string;
+      expiresAt: string;
+    }) => Promise<void>;
+  };
+  readonly signup: SignupOptions & {
+    readonly appActivationUrl: string;
+    readonly sendActivationEmail: (args: {
+      email: string;
+      activationUrl: string;
+      expiresAt: string;
+    }) => Promise<void>;
+  };
+  readonly invite: InviteOptions & {
+    readonly appAcceptUrl: string;
+    readonly sendInviteEmail: (args: {
+      email: string;
+      inviteUrl: string;
+      expiresAt: string;
+      role: string;
+    }) => Promise<void>;
+  };
+};
+
+export type CreateAuthMailerConfigArgs = {
+  readonly mailSender: EmailTransport;
+  readonly hmacSecret: string;
+  /** Basis-URL der App inkl. Schema (z.B. "https://admin.example.com").
+   *  Die factory hängt paths.resetPassword etc. an. */
+  readonly baseUrl: string;
+  /** Pfad-Konstanten für die Auth-Seiten — jede App hat ihre eigenen
+   *  in `./auth-paths.ts`. */
+  readonly paths: {
+    readonly resetPassword: string;
+    readonly verifyEmail: string;
+    readonly signupComplete: string;
+    readonly inviteAccept: string;
+  };
+  /** App-Name für Mail-Subject + Body. Default "Account". */
+  readonly appName?: string;
+  /** Locale für die Mail-Templates. Default "de". */
+  readonly locale?: AuthMailLocale;
+  /** Email-verification mode. Default undefined (kein Gate).
+   *  "strict" blockt Login solange `emailVerified=false`.
+   *  "off" mountet die Routes ohne login-gating. */
+  readonly emailVerificationMode?: "strict" | "off";
+};
+
+/**
+ * Factory für `AuthMailerConfig` — baut die 4 Auth-Mail-Setups
+ * (passwordReset / emailVerification / signup / invite) inklusive
+ * `send*Email`-Wrapper + URL-Konstruktion.
+ *
+ * Jede App ruft das einmal auf und spreadet das Resultat in die
+ * `auth`-Option von `runProdApp` / `runDevApp`.
+ */
+export function createAuthMailerConfig(args: CreateAuthMailerConfigArgs): AuthMailerConfig {
+  const appName = args.appName ?? "Account";
+  const locale = args.locale ?? "de";
+  return {
+    passwordReset: {
+      hmacSecret: args.hmacSecret,
+      appResetUrl: `${args.baseUrl}${args.paths.resetPassword}`,
+      sendResetEmail: async ({ email, resetUrl, expiresAt }) => {
+        await args.mailSender.send({
+          to: email,
+          ...renderResetPasswordEmail({ resetUrl, expiresAt, locale, appName }),
+        });
+      },
+    },
+    emailVerification: {
+      hmacSecret: args.hmacSecret,
+      ...(args.emailVerificationMode !== undefined && {
+        mode: args.emailVerificationMode,
+      }),
+      appVerifyUrl: `${args.baseUrl}${args.paths.verifyEmail}`,
+      sendVerificationEmail: async ({ email, verificationUrl, expiresAt }) => {
+        await args.mailSender.send({
+          to: email,
+          ...renderVerifyEmail({ verificationUrl, expiresAt, locale, appName }),
+        });
+      },
+    },
+    signup: {
+      appActivationUrl: `${args.baseUrl}${args.paths.signupComplete}`,
+      sendActivationEmail: async ({ email, activationUrl, expiresAt }) => {
+        await args.mailSender.send({
+          to: email,
+          ...renderActivationEmail({ activationUrl, expiresAt, locale, appName }),
+        });
+      },
+    },
+    invite: {
+      appAcceptUrl: `${args.baseUrl}${args.paths.inviteAccept}`,
+      sendInviteEmail: async ({ email, inviteUrl, expiresAt, role }) => {
+        await args.mailSender.send({
+          to: email,
+          ...renderInviteEmail({ inviteUrl, expiresAt, role, locale, appName }),
+        });
+      },
+    },
+  };
+}

package/src/auth-email-password/email-templates.ts

@@ -20,6 +20,7 @@
 //
 // Locale: de + en. Apps mit anderen Sprachen rendern selbst.
 
+import { escapeHtml, escapeHtmlAttr } from "@cosmicdrift/kumiko-headless";
 import { Temporal } from "temporal-polyfill";
 
 export type AuthMailLocale = "de" | "en";
@@ -182,11 +183,11 @@ function renderShell(args: { title: string; bodyHtml: string }): string {
 }
 
 function renderButton(args: { url: string; label: string }): string {
-  return `<a href="${escapeAttr(args.url)}" style="display: inline-block; background: #1a1a1a; color: #ffffff; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 500;">${escapeHtml(args.label)}</a>`;
+  return `<a href="${escapeHtmlAttr(args.url)}" style="display: inline-block; background: #1a1a1a; color: #ffffff; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 500;">${escapeHtml(args.label)}</a>`;
 }
 
 function renderFallbackUrl(args: { url: string; label: string }): string {
-  return `<p style="margin: 24px 0 0; font-size: 12px; color: #666;">${escapeHtml(args.label)}<br /><a href="${escapeAttr(args.url)}" style="color: #1a1a1a; word-break: break-all;">${escapeHtml(args.url)}</a></p>`;
+  return `<p style="margin: 24px 0 0; font-size: 12px; color: #666;">${escapeHtml(args.label)}<br /><a href="${escapeHtmlAttr(args.url)}" style="color: #1a1a1a; word-break: break-all;">${escapeHtml(args.url)}</a></p>`;
 }
 
 export function renderResetPasswordEmail(args: RenderResetPasswordEmailArgs): RenderedEmail {
@@ -270,14 +271,3 @@ function formatExpiry(iso: string): string {
 function pad2(n: number): string {
   return String(n).padStart(2, "0");
 }
-
-function escapeHtml(s: string): string {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
-}
-function escapeAttr(s: string): string {
-  return s
-    .replace(/&/g, "&amp;")
-    .replace(/"/g, "&quot;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;");
-}

package/src/auth-email-password/index.ts

@@ -1,3 +1,12 @@
+// Factory für app-spezifische Auth-Mail-Configs. Baut passwordReset,
+// emailVerification, signup und invite Setups gegen mailSender + Render-
+// Funktionen — eliminiert Duplikate zwischen kumiko-studio, publicstatus
+// und solon (jede App hatte identische send*Email-Wrapper kopiert).
+export {
+  type AuthMailerConfig,
+  type CreateAuthMailerConfigArgs,
+  createAuthMailerConfig,
+} from "./auth-mailer";
 export { AUTH_EMAIL_PASSWORD_FEATURE, AuthErrors, AuthHandlers } from "./constants";
 // Default-HTML-Renderer für die Reset-Password + Verify-Email Mails.
 // Apps wiren die `sendResetEmail` / `sendVerificationEmail` callbacks

package/src/legal-pages/markdown.ts

@@ -1,3 +1,4 @@
+import { escapeHtml, escapeHtmlAttr } from "@cosmicdrift/kumiko-headless";
 import { Marked } from "marked";
 
 // Markdown→HTML mit eigener `marked`-Instance. GFM aus, breaks aus —
@@ -54,16 +55,3 @@ ${opts.bodyHtml}
 </body>
 </html>`;
 }
-
-function escapeHtml(s: string): string {
-  return s
-    .replace(/&/g, "&amp;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&#39;");
-}
-
-function escapeHtmlAttr(s: string): string {
-  return escapeHtml(s);
-}

package/src/renderer-simple/simple-renderer.ts

@@ -1,3 +1,4 @@
+import { escapeHtml } from "@cosmicdrift/kumiko-headless";
 import type { NotificationRenderer } from "../delivery";
 
 type Section =
@@ -14,14 +15,6 @@ type EmailTemplateData = {
   readonly body?: string;
 };
 
-function escapeHtml(str: string): string {
-  return str
-    .replace(/&/g, "&")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;");
-}
-
 function renderSection(section: Section): string {
   if ("text" in section) {
     return `<p style="margin:0 0 16px;color:#333;font-size:14px;line-height:1.5">${escapeHtml(section.text)}</p>`;