npm - @edcalderon/auth - Versions diffs - 1.3.0 → 1.4.1 - Mend

@edcalderon/auth 1.3.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/CHANGELOG.md +22 -0
package/README.md +4 -4
package/dist/AuthentikOidcClient.js +4 -2
package/dist/authentik/callback.d.ts +71 -0
package/dist/authentik/callback.js +163 -0
package/dist/authentik/config.d.ts +53 -0
package/dist/authentik/config.js +169 -0
package/dist/authentik/index.d.ts +17 -0
package/dist/authentik/index.js +22 -0
package/dist/authentik/logout.d.ts +50 -0
package/dist/authentik/logout.js +96 -0
package/dist/authentik/provisioning.d.ts +124 -0
package/dist/authentik/provisioning.js +342 -0
package/dist/authentik/redirect.d.ts +20 -0
package/dist/authentik/redirect.js +52 -0
package/dist/authentik/relay.d.ts +48 -0
package/dist/authentik/relay.js +146 -0
package/dist/authentik/types.d.ts +264 -0
package/dist/authentik/types.js +8 -0
package/docs/authentik-integration-guide.md +286 -0
package/docs/cig-reference-map.md +118 -0
package/docs/nextjs-examples.md +784 -0
package/docs/provisioning-model.md +416 -0
package/docs/upgrade-migration.md +256 -0
package/package.json +19 -1
package/supabase/migrations/003_authentik_shadow_auth_users.sql +81 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@edcalderon/auth",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "description": "A universal, provider-agnostic authentication package (Web + Next.js + Expo/React Native)",
   "exports": {
     ".": {
@@ -9,6 +9,11 @@
       "require": "./dist/index.js",
       "react-native": "./dist/index.js"
     },
+    "./authentik": {
+      "types": "./dist/authentik/index.d.ts",
+      "import": "./dist/authentik/index.js",
+      "require": "./dist/authentik/index.js"
+    },
     "./supabase": {
       "types": "./dist/providers/SupabaseClient.d.ts",
       "import": "./dist/providers/SupabaseClient.js",
@@ -42,6 +47,9 @@
   "scripts": {
     "build": "tsc",
     "dev": "tsc --watch",
+    "test": "jest",
+    "test:watch": "jest --watch",
+    "test:coverage": "jest --coverage",
     "prepublishOnly": "npm run build",
     "update-readme": "versioning update-readme"
   },
@@ -90,10 +98,20 @@
     }
   },
   "devDependencies": {
+    "@types/jest": "^29.5.12",
     "@types/react": "^19.2.7",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.2",
     "typescript": "^5.9.3"
   },
   "engines": {
     "node": ">=18.0.0"
+  },
+  "jest": {
+    "testEnvironment": "node",
+    "testMatch": ["**/__tests__/**/*.test.ts"],
+    "transform": {
+      "^.+\\.ts$": "ts-jest"
+    }
   }
 }

package/supabase/migrations/003_authentik_shadow_auth_users.sql ADDED Viewed

@@ -0,0 +1,81 @@
+-- ============================================================================
+-- 003_authentik_shadow_auth_users.sql
+-- Optional migration for projects using the Authentik ↔ Supabase integrated
+-- sync mode in @edcalderon/auth.
+--
+-- This migration adds app_metadata columns and an index to support the
+-- shadow auth.users pattern where Authentik-authenticated users are mirrored
+-- into Supabase auth.users with identity-first matching.
+--
+-- The public.users table is already created by 001_create_app_users.sql.
+-- This migration adds columns to support the shadow-user linkage and
+-- rollback-safe provisioning.
+--
+-- Reference: CIG apps/dashboard/lib/authSync.ts
+-- ============================================================================
+-- Add optional column to track the linked Supabase auth.users shadow ID
+alter table public.users
+  add column if not exists shadow_auth_user_id uuid;
+-- Add optional column to record when the shadow link was established
+alter table public.users
+  add column if not exists shadow_linked_at timestamptz;
+-- Index for quick lookup by shadow auth user ID
+create index if not exists users_shadow_auth_user_id_idx
+  on public.users (shadow_auth_user_id)
+  where shadow_auth_user_id is not null;
+-- ============================================================================
+-- Helper RPC: link a public.users row to a Supabase auth.users shadow record.
+-- Called by the SupabaseSyncAdapter after creating/finding the shadow user.
+--
+-- This is an additive helper — the core upsert_oidc_user RPC from migration
+-- 001 continues to work unchanged.  The raw_claims payload can optionally
+-- carry shadow_supabase_auth_user_id to record the linkage.
+-- ============================================================================
+create or replace function public.link_shadow_auth_user(
+  p_sub               text,
+  p_iss               text,
+  p_shadow_auth_user_id uuid
+)
+returns public.users
+language plpgsql
+security definer
+set search_path = public
+as $$
+declare
+  v_claims jsonb := coalesce(
+    nullif(current_setting('request.jwt.claims', true), ''),
+    '{}'
+  )::jsonb;
+  v_role text := coalesce(nullif(v_claims ->> 'role', ''), 'unknown');
+  v_user public.users;
+begin
+  if v_role <> 'service_role' then
+    raise exception 'link_shadow_auth_user() requires a trusted server-side caller';
+  end if;
+  update public.users
+    set shadow_auth_user_id = p_shadow_auth_user_id,
+        shadow_linked_at    = timezone('utc', now()),
+        updated_at          = timezone('utc', now())
+  where sub = p_sub
+    and iss = p_iss
+  returning * into v_user;
+  if not found then
+    raise exception 'No public.users row found for sub=% iss=%', p_sub, p_iss;
+  end if;
+  return v_user;
+end;
+$$;
+revoke all on function public.link_shadow_auth_user(text, text, uuid)
+  from public, anon, authenticated;
+grant execute on function public.link_shadow_auth_user(text, text, uuid)
+  to service_role;