@fonoster/identity 0.18.1 → 0.19.1

package/dist/generated/@prisma/client/wasm.js

@@ -36,11 +36,11 @@ exports.Prisma = Prisma
 exports.$Enums = {}
 
 /**
- * Prisma Client JS version: 6.19.1
+ * Prisma Client JS version: 6.19.2
  * Query Engine version: c2990dca591cba766e3b7ef5d9e8a84796e47ab7
  */
 Prisma.prismaVersion = {
-  client: "6.19.1",
+  client: "6.19.2",
   engine: "c2990dca591cba766e3b7ef5d9e8a84796e47ab7"
 }
 
@@ -228,7 +228,7 @@ const config = {
     "rootEnvPath": null
   },
   "relativePath": "../../../..",
-  "clientVersion": "6.19.1",
+  "clientVersion": "6.19.2",
   "engineVersion": "c2990dca591cba766e3b7ef5d9e8a84796e47ab7",
   "datasourceNames": [
     "db"

package/dist/index.d.ts

@@ -16,6 +16,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+export * from "./allowList";
 export * from "./apikeys";
 export * from "./exchanges";
 export * from "./invites";

package/dist/index.js

@@ -32,6 +32,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+__exportStar(require("./allowList"), exports);
 __exportStar(require("./apikeys"), exports);
 __exportStar(require("./exchanges"), exports);
 __exportStar(require("./invites"), exports);

package/dist/server/config.d.ts

@@ -0,0 +1,276 @@
+import { z } from "zod";
+import { IdentityConfig } from "../exchanges/types";
+declare const identityServiceConfigSchema: z.ZodObject<{
+    server: z.ZodDefault<z.ZodObject<{
+        bindAddr: z.ZodDefault<z.ZodString>;
+        httpBridgePort: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        bindAddr?: string;
+        httpBridgePort?: number;
+    }, {
+        bindAddr?: string;
+        httpBridgePort?: number;
+    }>>;
+    database: z.ZodObject<{
+        url: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        url?: string;
+    }, {
+        url?: string;
+    }>;
+    encryptionKey: z.ZodString;
+    issuer: z.ZodString;
+    audience: z.ZodString;
+    keys: z.ZodEffects<z.ZodObject<{
+        privateKey: z.ZodOptional<z.ZodString>;
+        publicKey: z.ZodOptional<z.ZodString>;
+        privateKeyPath: z.ZodOptional<z.ZodString>;
+        publicKeyPath: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        privateKey?: string;
+        publicKey?: string;
+        privateKeyPath?: string;
+        publicKeyPath?: string;
+    }, {
+        privateKey?: string;
+        publicKey?: string;
+        privateKeyPath?: string;
+        publicKeyPath?: string;
+    }>, {
+        privateKey?: string;
+        publicKey?: string;
+        privateKeyPath?: string;
+        publicKeyPath?: string;
+    }, {
+        privateKey?: string;
+        publicKey?: string;
+        privateKeyPath?: string;
+        publicKeyPath?: string;
+    }>;
+    tokens: z.ZodDefault<z.ZodObject<{
+        accessTokenExpiresIn: z.ZodDefault<z.ZodString>;
+        refreshTokenExpiresIn: z.ZodDefault<z.ZodString>;
+        idTokenExpiresIn: z.ZodDefault<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        idTokenExpiresIn?: string;
+        accessTokenExpiresIn?: string;
+        refreshTokenExpiresIn?: string;
+    }, {
+        idTokenExpiresIn?: string;
+        accessTokenExpiresIn?: string;
+        refreshTokenExpiresIn?: string;
+    }>>;
+    security: z.ZodDefault<z.ZodObject<{
+        contactVerificationRequired: z.ZodDefault<z.ZodBoolean>;
+        twoFactorAuthenticationRequired: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        contactVerificationRequired?: boolean;
+        twoFactorAuthenticationRequired?: boolean;
+    }, {
+        contactVerificationRequired?: boolean;
+        twoFactorAuthenticationRequired?: boolean;
+    }>>;
+    invite: z.ZodDefault<z.ZodObject<{
+        url: z.ZodDefault<z.ZodString>;
+        failUrl: z.ZodDefault<z.ZodString>;
+        expiration: z.ZodDefault<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        url?: string;
+        failUrl?: string;
+        expiration?: string;
+    }, {
+        url?: string;
+        failUrl?: string;
+        expiration?: string;
+    }>>;
+    appUrl: z.ZodDefault<z.ZodString>;
+    smtp: z.ZodOptional<z.ZodObject<{
+        host: z.ZodString;
+        port: z.ZodNumber;
+        secure: z.ZodDefault<z.ZodBoolean>;
+        sender: z.ZodString;
+        auth: z.ZodDefault<z.ZodObject<{
+            user: z.ZodDefault<z.ZodString>;
+            pass: z.ZodDefault<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            user?: string;
+            pass?: string;
+        }, {
+            user?: string;
+            pass?: string;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        host?: string;
+        port?: number;
+        secure?: boolean;
+        sender?: string;
+        auth?: {
+            user?: string;
+            pass?: string;
+        };
+    }, {
+        host?: string;
+        port?: number;
+        secure?: boolean;
+        sender?: string;
+        auth?: {
+            user?: string;
+            pass?: string;
+        };
+    }>>;
+    oauth2: z.ZodOptional<z.ZodObject<{
+        github: z.ZodObject<{
+            clientId: z.ZodString;
+            clientSecret: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            clientId?: string;
+            clientSecret?: string;
+        }, {
+            clientId?: string;
+            clientSecret?: string;
+        }>;
+    }, "strip", z.ZodTypeAny, {
+        github?: {
+            clientId?: string;
+            clientSecret?: string;
+        };
+    }, {
+        github?: {
+            clientId?: string;
+            clientSecret?: string;
+        };
+    }>>;
+    defaultUser: z.ZodOptional<z.ZodObject<{
+        name: z.ZodString;
+        email: z.ZodString;
+        password: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        name?: string;
+        email?: string;
+        password?: string;
+    }, {
+        name?: string;
+        email?: string;
+        password?: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    keys?: {
+        privateKey?: string;
+        publicKey?: string;
+        privateKeyPath?: string;
+        publicKeyPath?: string;
+    };
+    issuer?: string;
+    audience?: string;
+    server?: {
+        bindAddr?: string;
+        httpBridgePort?: number;
+    };
+    database?: {
+        url?: string;
+    };
+    encryptionKey?: string;
+    tokens?: {
+        idTokenExpiresIn?: string;
+        accessTokenExpiresIn?: string;
+        refreshTokenExpiresIn?: string;
+    };
+    security?: {
+        contactVerificationRequired?: boolean;
+        twoFactorAuthenticationRequired?: boolean;
+    };
+    invite?: {
+        url?: string;
+        failUrl?: string;
+        expiration?: string;
+    };
+    appUrl?: string;
+    smtp?: {
+        host?: string;
+        port?: number;
+        secure?: boolean;
+        sender?: string;
+        auth?: {
+            user?: string;
+            pass?: string;
+        };
+    };
+    oauth2?: {
+        github?: {
+            clientId?: string;
+            clientSecret?: string;
+        };
+    };
+    defaultUser?: {
+        name?: string;
+        email?: string;
+        password?: string;
+    };
+}, {
+    keys?: {
+        privateKey?: string;
+        publicKey?: string;
+        privateKeyPath?: string;
+        publicKeyPath?: string;
+    };
+    issuer?: string;
+    audience?: string;
+    server?: {
+        bindAddr?: string;
+        httpBridgePort?: number;
+    };
+    database?: {
+        url?: string;
+    };
+    encryptionKey?: string;
+    tokens?: {
+        idTokenExpiresIn?: string;
+        accessTokenExpiresIn?: string;
+        refreshTokenExpiresIn?: string;
+    };
+    security?: {
+        contactVerificationRequired?: boolean;
+        twoFactorAuthenticationRequired?: boolean;
+    };
+    invite?: {
+        url?: string;
+        failUrl?: string;
+        expiration?: string;
+    };
+    appUrl?: string;
+    smtp?: {
+        host?: string;
+        port?: number;
+        secure?: boolean;
+        sender?: string;
+        auth?: {
+            user?: string;
+            pass?: string;
+        };
+    };
+    oauth2?: {
+        github?: {
+            clientId?: string;
+            clientSecret?: string;
+        };
+    };
+    defaultUser?: {
+        name?: string;
+        email?: string;
+        password?: string;
+    };
+}>;
+type IdentityServiceConfig = z.infer<typeof identityServiceConfigSchema>;
+/** Loads and validates the service configuration from the file, failing fast. */
+declare function loadConfig(argv?: string[]): {
+    bindAddr: string;
+    httpBridgePort: number;
+    appUrl: string;
+    defaultUser: {
+        name?: string;
+        email?: string;
+        password?: string;
+    };
+    identityConfig: IdentityConfig;
+};
+export { identityServiceConfigSchema, IdentityServiceConfig, loadConfig };

package/dist/server/config.js

@@ -0,0 +1,154 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.identityServiceConfigSchema = void 0;
+exports.loadConfig = loadConfig;
+/**
+ * Copyright (C) 2025 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const fs_1 = require("fs");
+const path_1 = require("path");
+const zod_1 = require("zod");
+const zod_validation_error_1 = require("zod-validation-error");
+/**
+ * Configuration for the standalone Identity service.
+ *
+ * The service is configured exclusively from a JSON configuration file — no
+ * environment variables. The file path is taken from a `--config <path>` CLI
+ * flag, defaulting to `./config/identity.json` relative to the working
+ * directory.
+ */
+const keysSchema = zod_1.z
+    .object({
+    privateKey: zod_1.z.string().optional(),
+    publicKey: zod_1.z.string().optional(),
+    privateKeyPath: zod_1.z.string().optional(),
+    publicKeyPath: zod_1.z.string().optional()
+})
+    .refine((k) => (k.privateKey || k.privateKeyPath) && (k.publicKey || k.publicKeyPath), {
+    message: "keys must provide a private and public key, inline or by path"
+});
+const smtpSchema = zod_1.z.object({
+    host: zod_1.z.string(),
+    port: zod_1.z.number(),
+    secure: zod_1.z.boolean().default(false),
+    sender: zod_1.z.string(),
+    auth: zod_1.z
+        .object({ user: zod_1.z.string().default(""), pass: zod_1.z.string().default("") })
+        .default({})
+});
+const identityServiceConfigSchema = zod_1.z.object({
+    server: zod_1.z
+        .object({
+        bindAddr: zod_1.z.string().default("0.0.0.0:50051"),
+        httpBridgePort: zod_1.z.number().default(9000)
+    })
+        .default({}),
+    database: zod_1.z.object({ url: zod_1.z.string().min(1) }),
+    encryptionKey: zod_1.z.string().min(1),
+    issuer: zod_1.z.string().min(1),
+    audience: zod_1.z.string().min(1),
+    keys: keysSchema,
+    tokens: zod_1.z
+        .object({
+        accessTokenExpiresIn: zod_1.z.string().default("15m"),
+        refreshTokenExpiresIn: zod_1.z.string().default("30d"),
+        idTokenExpiresIn: zod_1.z.string().default("15m")
+    })
+        .default({}),
+    security: zod_1.z
+        .object({
+        contactVerificationRequired: zod_1.z.boolean().default(false),
+        twoFactorAuthenticationRequired: zod_1.z.boolean().default(false)
+    })
+        .default({}),
+    invite: zod_1.z
+        .object({
+        url: zod_1.z.string().default(""),
+        failUrl: zod_1.z.string().default(""),
+        expiration: zod_1.z.string().default("2d")
+    })
+        .default({}),
+    appUrl: zod_1.z.string().default(""),
+    smtp: smtpSchema.optional(),
+    oauth2: zod_1.z
+        .object({
+        github: zod_1.z.object({ clientId: zod_1.z.string(), clientSecret: zod_1.z.string() })
+    })
+        .optional(),
+    defaultUser: zod_1.z
+        .object({
+        name: zod_1.z.string(),
+        email: zod_1.z.string().email(),
+        password: zod_1.z.string()
+    })
+        .optional()
+});
+exports.identityServiceConfigSchema = identityServiceConfigSchema;
+function configPathFromArgv(argv) {
+    const i = argv.indexOf("--config");
+    const fromFlag = i >= 0 ? argv[i + 1] : undefined;
+    return (0, path_1.resolve)(process.cwd(), fromFlag !== null && fromFlag !== void 0 ? fromFlag : "./config/identity.json");
+}
+function readKey(inline, path) {
+    return inline !== null && inline !== void 0 ? inline : (0, fs_1.readFileSync)((0, path_1.resolve)(process.cwd(), path), "utf8");
+}
+/** Maps the file config into the `IdentityConfig` shape `buildIdentityService` expects. */
+function toIdentityConfig(c) {
+    var _a;
+    return {
+        dbUrl: c.database.url,
+        issuer: c.issuer,
+        audience: c.audience,
+        privateKey: readKey(c.keys.privateKey, c.keys.privateKeyPath),
+        publicKey: readKey(c.keys.publicKey, c.keys.publicKeyPath),
+        encryptionKey: c.encryptionKey,
+        accessTokenExpiresIn: c.tokens.accessTokenExpiresIn,
+        refreshTokenExpiresIn: c.tokens.refreshTokenExpiresIn,
+        idTokenExpiresIn: c.tokens.idTokenExpiresIn,
+        workspaceInviteExpiration: c.invite.expiration,
+        workspaceInviteUrl: c.invite.url,
+        workspaceInviteFailUrl: c.invite.failUrl,
+        contactVerificationRequired: c.security.contactVerificationRequired,
+        twoFactorAuthenticationRequired: c.security.twoFactorAuthenticationRequired,
+        smtpConfig: c.smtp,
+        githubOauth2Config: (_a = c.oauth2) === null || _a === void 0 ? void 0 : _a.github
+    };
+}
+/** Loads and validates the service configuration from the file, failing fast. */
+function loadConfig(argv = process.argv) {
+    const path = configPathFromArgv(argv);
+    let raw;
+    try {
+        raw = JSON.parse((0, fs_1.readFileSync)(path, "utf8"));
+    }
+    catch (e) {
+        throw new Error(`unable to read Identity config at ${path}: ${e.message}`);
+    }
+    const result = identityServiceConfigSchema.safeParse(raw);
+    if (!result.success) {
+        throw new Error(`invalid Identity config at ${path}: ${(0, zod_validation_error_1.fromError)(result.error).toString()}`);
+    }
+    const config = result.data;
+    return {
+        bindAddr: config.server.bindAddr,
+        httpBridgePort: config.server.httpBridgePort,
+        appUrl: config.appUrl,
+        defaultUser: config.defaultUser,
+        identityConfig: toIdentityConfig(config)
+    };
+}

package/dist/server/httpBridge.d.ts

@@ -0,0 +1,10 @@
+import { IdentityConfig } from "../exchanges/types";
+/**
+ * Minimal HTTP bridge for the standalone Identity service. It serves only the
+ * accept-invite endpoint (the apiserver's bridge also serves telephony routes).
+ */
+declare function startHttpBridge(identityConfig: IdentityConfig, params: {
+    port: number;
+    appUrl: string;
+}): import("express-serve-static-core").Express;
+export { startHttpBridge };

package/dist/server/httpBridge.js

@@ -0,0 +1,59 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startHttpBridge = startHttpBridge;
+/**
+ * Copyright (C) 2025 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const logger_1 = require("@fonoster/logger");
+const express_1 = __importDefault(require("express"));
+const utils_1 = require("../utils");
+const logger = (0, logger_1.getLogger)({ service: "identity", filePath: __filename });
+/**
+ * Minimal HTTP bridge for the standalone Identity service. It serves only the
+ * accept-invite endpoint (the apiserver's bridge also serves telephony routes).
+ */
+function startHttpBridge(identityConfig, params) {
+    const { port, appUrl } = params;
+    const app = (0, express_1.default)();
+    app.get("/api/identity/accept-invite", (req, res) => __awaiter(this, void 0, void 0, function* () {
+        try {
+            yield (0, utils_1.createUpdateMembershipStatus)(identityConfig)(req.query.token);
+            res.redirect(appUrl);
+        }
+        catch (error) {
+            logger.verbose("error updating membership status", error);
+            res.redirect(identityConfig.workspaceInviteFailUrl);
+        }
+    }));
+    app.listen(port, () => {
+        logger.info(`Identity HTTP bridge running on port ${port}`);
+    });
+    return app;
+}

package/dist/server/index.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/server/index.js

@@ -0,0 +1,104 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Copyright (C) 2025 by Fonoster Inc (https://fonoster.com)
+ * http://github.com/fonoster/fonoster
+ *
+ * This file is part of Fonoster
+ *
+ * Licensed under the MIT License (the "License");
+ * you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    https://opensource.org/licenses/MIT
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+const common_1 = require("@fonoster/common");
+const logger_1 = require("@fonoster/logger");
+const grpc = __importStar(require("@grpc/grpc-js"));
+const grpc_health_check_1 = require("grpc-health-check");
+const __1 = require("..");
+const config_1 = require("./config");
+const httpBridge_1 = require("./httpBridge");
+const logger = (0, logger_1.getLogger)({ service: "identity", filePath: __filename });
+/**
+ * Standalone Identity gRPC service. Wraps `buildIdentityService` with the auth
+ * interceptor, the identity allow-list, a health service, and the accept-invite
+ * HTTP bridge — without any telephony subsystem. Configured entirely from a
+ * file (see `./config`); no environment variables.
+ */
+function main() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { bindAddr, httpBridgePort, appUrl, defaultUser, identityConfig } = (0, config_1.loadConfig)();
+        const { definition, handlers } = (0, __1.buildIdentityService)(identityConfig);
+        const authorization = (0, common_1.createAuthInterceptor)(identityConfig.publicKey, __1.identityAllowList);
+        const credentials = yield (0, common_1.getServerCredentials)({});
+        const healthImpl = new grpc_health_check_1.HealthImplementation(common_1.statusMap);
+        const server = new grpc.Server({ interceptors: [authorization] });
+        healthImpl.addToServer(server);
+        server.addService((0, common_1.createServiceDefinition)(definition), handlers);
+        if (defaultUser) {
+            yield (0, __1.upsertDefaultUser)(identityConfig, defaultUser);
+        }
+        (0, httpBridge_1.startHttpBridge)(identityConfig, { port: httpBridgePort, appUrl });
+        server.bindAsync(bindAddr, credentials, (error) => {
+            if (error) {
+                logger.error("failed to start Identity service", error);
+                process.exit(1);
+            }
+            healthImpl.setStatus("", common_1.GRPC_SERVING_STATUS);
+            logger.info(`Identity service running at ${bindAddr}`);
+        });
+    });
+}
+main().catch((error) => {
+    logger.error(error);
+    process.exit(1);
+});