@furystack/rest-service 12.0.0 → 12.1.0

package/CHANGELOG.md

@@ -1,5 +1,57 @@
 # Changelog
 
+## [12.1.0] - 2026-02-26
+
+### 🔧 Chores
+
+- Normalized line endings in `http-user-context.ts`, `http-authentication-settings.ts`, and related spec files
+
+### ✨ Features
+
+### `LoginResponseStrategy<TResult>` type
+
+New pluggable type that decouples login actions from session/token creation. A strategy turns an authenticated `User` into an `ActionResult<TResult>` — the generic parameter flows through to the action's return type for full type inference.
+
+```typescript
+import type { LoginResponseStrategy } from '@furystack/rest-service'
+
+type LoginResponseStrategy<TResult> = {
+  createLoginResponse: (user: User, injector: Injector) => Promise<ActionResult<TResult>>
+}
+```
+
+### `createCookieLoginStrategy(injector)`
+
+Factory that creates a cookie-based `LoginResponseStrategy<User>`. On login it generates a random session ID, persists it in the session DataSet, and returns the user with a `Set-Cookie` header.
+
+```typescript
+import { createCookieLoginStrategy } from '@furystack/rest-service'
+
+const cookieStrategy = createCookieLoginStrategy(injector)
+// cookieStrategy.createLoginResponse(user, injector) → ActionResult<User> with Set-Cookie header
+```
+
+### `createPasswordLoginAction(strategy)`
+
+Factory that creates a password-based login `RequestAction`. Authenticates via `HttpUserContext.authenticateUser()` then delegates session/token creation to the provided strategy. Includes timing-attack mitigation on failure.
+
+```typescript
+import { createPasswordLoginAction, createCookieLoginStrategy } from '@furystack/rest-service'
+
+const cookieStrategy = createCookieLoginStrategy(injector)
+const loginAction = createPasswordLoginAction(cookieStrategy)
+// loginAction: RequestAction<{ result: User; body: { username: string; password: string } }>
+```
+
+### 🧪 Tests
+
+- Added `login-response-strategy.spec.ts` — tests cookie strategy session creation, Set-Cookie headers, session persistence, and session ID uniqueness
+- Added `password-login-action.spec.ts` — tests strategy delegation, user forwarding, auth failure handling, and custom strategy result types
+
+### ⬆️ Dependencies
+
+- Bumped `@types/node` from ^25.3.0 to ^25.3.1
+
 ## [12.0.0] - 2026-02-26
 
 ### ✨ Features

package/esm/actions/index.d.ts

@@ -4,4 +4,5 @@ export * from './is-authenticated.js';
 export * from './login.js';
 export * from './logout.js';
 export * from './not-found-action.js';
+export * from './password-login-action.js';
 //# sourceMappingURL=index.d.ts.map

package/esm/actions/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAA;AACjC,cAAc,uBAAuB,CAAA;AACrC,cAAc,uBAAuB,CAAA;AACrC,cAAc,YAAY,CAAA;AAC1B,cAAc,aAAa,CAAA;AAC3B,cAAc,uBAAuB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAA;AACjC,cAAc,uBAAuB,CAAA;AACrC,cAAc,uBAAuB,CAAA;AACrC,cAAc,YAAY,CAAA;AAC1B,cAAc,aAAa,CAAA;AAC3B,cAAc,uBAAuB,CAAA;AACrC,cAAc,4BAA4B,CAAA"}

package/esm/actions/index.js

@@ -4,4 +4,5 @@ export * from './is-authenticated.js';
 export * from './login.js';
 export * from './logout.js';
 export * from './not-found-action.js';
+export * from './password-login-action.js';
 //# sourceMappingURL=index.js.map

package/esm/actions/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAA;AACjC,cAAc,uBAAuB,CAAA;AACrC,cAAc,uBAAuB,CAAA;AACrC,cAAc,YAAY,CAAA;AAC1B,cAAc,aAAa,CAAA;AAC3B,cAAc,uBAAuB,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAA;AACjC,cAAc,uBAAuB,CAAA;AACrC,cAAc,uBAAuB,CAAA;AACrC,cAAc,YAAY,CAAA;AAC1B,cAAc,aAAa,CAAA;AAC3B,cAAc,uBAAuB,CAAA;AACrC,cAAc,4BAA4B,CAAA"}

package/esm/actions/login.d.ts

@@ -1,9 +1,13 @@
 import type { User } from '@furystack/core';
 import type { RequestAction } from '../request-action-implementation.js';
 /**
- * Action that logs in the current user
- * Should be called with a JSON Post body with ``username`` and ``password`` fields.
- * Returns the current user instance
+ * Action that logs in the current user.
+ * Should be called with a JSON POST body with `username` and `password` fields.
+ * Returns the current user instance.
+ *
+ * @deprecated Use `createPasswordLoginAction(createCookieLoginStrategy(injector))` instead.
+ * This static action resolves services from the request-scoped injector on
+ * every call; the factory approach captures them once at setup time.
  */
 export declare const LoginAction: RequestAction<{
     result: User;

package/esm/actions/login.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/actions/login.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAE3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAA;AAGxE;;;;GAIG;AAEH,eAAO,MAAM,WAAW,EAAE,aAAa,CAAC;IACtC,MAAM,EAAE,IAAI,CAAA;IACZ,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAA;CAC7C,CAUA,CAAA"}
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/actions/login.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAK3C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAA;AAGxE;;;;;;;;GAQG;AACH,eAAO,MAAM,WAAW,EAAE,aAAa,CAAC;IACtC,MAAM,EAAE,IAAI,CAAA;IACZ,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAA;CAC7C,CAWA,CAAA"}

package/esm/actions/login.js

@@ -1,10 +1,15 @@
-import { HttpUserContext } from '../http-user-context.js';
 import { RequestError } from '@furystack/rest';
+import { sleepAsync } from '@furystack/utils';
+import { HttpUserContext } from '../http-user-context.js';
 import { JsonResult } from '../request-action-implementation.js';
 /**
- * Action that logs in the current user
- * Should be called with a JSON Post body with ``username`` and ``password`` fields.
- * Returns the current user instance
+ * Action that logs in the current user.
+ * Should be called with a JSON POST body with `username` and `password` fields.
+ * Returns the current user instance.
+ *
+ * @deprecated Use `createPasswordLoginAction(createCookieLoginStrategy(injector))` instead.
+ * This static action resolves services from the request-scoped injector on
+ * every call; the factory approach captures them once at setup time.
  */
 export const LoginAction = async ({ injector, getBody, response }) => {
     const userContext = injector.getInstance(HttpUserContext);
@@ -14,7 +19,8 @@ export const LoginAction = async ({ injector, getBody, response }) => {
         await userContext.cookieLogin(user, response);
         return JsonResult(user, 200);
     }
-    catch (error) {
+    catch {
+        await sleepAsync(Math.random() * 1000);
         throw new RequestError('Login Failed', 400);
     }
 };

package/esm/actions/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/actions/login.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAEzD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAE9C,OAAO,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAA;AAEhE;;;;GAIG;AAEH,MAAM,CAAC,MAAM,WAAW,GAGnB,KAAK,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;IAC7C,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,eAAe,CAAC,CAAA;IACzD,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAA;IAC5B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;QAC7E,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QAC7C,OAAO,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC9B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,YAAY,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;IAC7C,CAAC;AACH,CAAC,CAAA"}
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/actions/login.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAEzD,OAAO,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAA;AAEhE;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,WAAW,GAGnB,KAAK,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;IAC7C,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,eAAe,CAAC,CAAA;IACzD,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAA;IAC5B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;QAC7E,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QAC7C,OAAO,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAA;QACtC,MAAM,IAAI,YAAY,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;IAC7C,CAAC;AACH,CAAC,CAAA"}

package/esm/actions/password-login-action.d.ts

@@ -0,0 +1,24 @@
+import type { LoginResponseStrategy } from '../login-response-strategy.js';
+import type { RequestAction } from '../request-action-implementation.js';
+/**
+ * Creates a login {@link RequestAction} that authenticates a user by
+ * username + password, then delegates session/token creation to the
+ * provided {@link LoginResponseStrategy}.
+ *
+ * The return type is inferred from the strategy:
+ * - Cookie strategy -> `ActionResult<User>`
+ * - JWT strategy   -> `ActionResult<{ accessToken: string; refreshToken: string }>`
+ *
+ * A random delay (0-1 s) is added on failure to mitigate timing attacks.
+ *
+ * @param strategy The login response strategy that produces the session/token result
+ * @returns A `RequestAction` that can be wired into a REST API route
+ */
+export declare const createPasswordLoginAction: <TResult>(strategy: LoginResponseStrategy<TResult>) => RequestAction<{
+    result: TResult;
+    body: {
+        username: string;
+        password: string;
+    };
+}>;
+//# sourceMappingURL=password-login-action.d.ts.map

package/esm/actions/password-login-action.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-login-action.d.ts","sourceRoot":"","sources":["../../src/actions/password-login-action.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAA;AAC1E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qCAAqC,CAAA;AAExE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,GAAI,OAAO,EAC/C,UAAU,qBAAqB,CAAC,OAAO,CAAC,KACvC,aAAa,CAAC;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAWjF,CAAA"}

package/esm/actions/password-login-action.js

@@ -0,0 +1,31 @@
+import { RequestError } from '@furystack/rest';
+import { sleepAsync } from '@furystack/utils';
+import { HttpUserContext } from '../http-user-context.js';
+/**
+ * Creates a login {@link RequestAction} that authenticates a user by
+ * username + password, then delegates session/token creation to the
+ * provided {@link LoginResponseStrategy}.
+ *
+ * The return type is inferred from the strategy:
+ * - Cookie strategy -> `ActionResult<User>`
+ * - JWT strategy   -> `ActionResult<{ accessToken: string; refreshToken: string }>`
+ *
+ * A random delay (0-1 s) is added on failure to mitigate timing attacks.
+ *
+ * @param strategy The login response strategy that produces the session/token result
+ * @returns A `RequestAction` that can be wired into a REST API route
+ */
+export const createPasswordLoginAction = (strategy) => {
+    return async ({ injector, getBody }) => {
+        const body = await getBody();
+        try {
+            const user = await injector.getInstance(HttpUserContext).authenticateUser(body.username, body.password);
+            return strategy.createLoginResponse(user, injector);
+        }
+        catch {
+            await sleepAsync(Math.random() * 1000);
+            throw new RequestError('Login Failed', 400);
+        }
+    };
+};
+//# sourceMappingURL=password-login-action.js.map

package/esm/actions/password-login-action.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-login-action.js","sourceRoot":"","sources":["../../src/actions/password-login-action.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAIzD;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACvC,QAAwC,EAC0C,EAAE;IACpF,OAAO,KAAK,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,MAAM,OAAO,EAAE,CAAA;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;YACvG,OAAO,QAAQ,CAAC,mBAAmB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAA;YACtC,MAAM,IAAI,YAAY,CAAC,cAAc,EAAE,GAAG,CAAC,CAAA;QAC7C,CAAC;IACH,CAAC,CAAA;AACH,CAAC,CAAA"}

package/esm/actions/password-login-action.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=password-login-action.spec.d.ts.map

package/esm/actions/password-login-action.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-login-action.spec.d.ts","sourceRoot":"","sources":["../../src/actions/password-login-action.spec.ts"],"names":[],"mappings":""}

package/esm/actions/password-login-action.spec.js

@@ -0,0 +1,105 @@
+import { InMemoryStore, StoreManager, User, addStore } from '@furystack/core';
+import { Injector } from '@furystack/inject';
+import { getRepository } from '@furystack/repository';
+import { PasswordAuthenticator, PasswordCredential, PasswordResetToken, usePasswordPolicy } from '@furystack/security';
+import { usingAsync } from '@furystack/utils';
+import { describe, expect, it, vi } from 'vitest';
+import { useHttpAuthentication } from '../helpers.js';
+import { DefaultSession } from '../models/default-session.js';
+import { JsonResult } from '../request-action-implementation.js';
+import { createPasswordLoginAction } from './password-login-action.js';
+const setupInjector = async (i, username, password) => {
+    addStore(i, new InMemoryStore({ model: User, primaryKey: 'username' }))
+        .addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }))
+        .addStore(new InMemoryStore({ model: PasswordCredential, primaryKey: 'userName' }))
+        .addStore(new InMemoryStore({ model: PasswordResetToken, primaryKey: 'token' }));
+    const repo = getRepository(i);
+    repo.createDataSet(User, 'username');
+    repo.createDataSet(DefaultSession, 'sessionId');
+    repo.createDataSet(PasswordCredential, 'userName');
+    repo.createDataSet(PasswordResetToken, 'token');
+    usePasswordPolicy(i);
+    useHttpAuthentication(i);
+    const sm = i.getInstance(StoreManager);
+    const pw = i.getInstance(PasswordAuthenticator);
+    const cred = await pw.hasher.createCredential(username, password);
+    await sm.getStoreFor(PasswordCredential, 'userName').add(cred);
+    await sm.getStoreFor(User, 'username').add({ username, roles: ['admin'] });
+};
+const mockStrategy = {
+    createLoginResponse: vi.fn(async (user) => JsonResult(user, 200)),
+};
+describe('createPasswordLoginAction', () => {
+    const request = {};
+    const response = {};
+    it('Should delegate to the strategy on successful authentication', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const action = createPasswordLoginAction(mockStrategy);
+            const result = await action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+            });
+            expect(mockStrategy.createLoginResponse).toHaveBeenCalled();
+            expect(result.chunk.username).toBe('testuser');
+        });
+    });
+    it('Should pass the correct user to the strategy', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const strategyFn = vi.fn(async (user) => JsonResult(user, 200));
+            const strategy = { createLoginResponse: strategyFn };
+            const action = createPasswordLoginAction(strategy);
+            await action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+            });
+            expect(strategyFn).toHaveBeenCalledWith(expect.objectContaining({ username: 'testuser', roles: ['admin'] }), i);
+        });
+    });
+    it('Should throw RequestError on invalid credentials', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const action = createPasswordLoginAction(mockStrategy);
+            await expect(action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'testuser', password: 'wrongpass' }),
+            })).rejects.toThrow('Login Failed');
+        });
+    });
+    it('Should throw RequestError for nonexistent user', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const action = createPasswordLoginAction(mockStrategy);
+            await expect(action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'nobody', password: 'nopass' }),
+            })).rejects.toThrow('Login Failed');
+        });
+    });
+    it('Should work with a custom result type from strategy', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            await setupInjector(i, 'testuser', 'testpass');
+            const tokenStrategy = {
+                createLoginResponse: async () => JsonResult({ accessToken: 'tok123' }, 200),
+            };
+            const action = createPasswordLoginAction(tokenStrategy);
+            const result = await action({
+                injector: i,
+                request,
+                response,
+                getBody: () => Promise.resolve({ username: 'testuser', password: 'testpass' }),
+            });
+            expect(result.chunk.accessToken).toBe('tok123');
+        });
+    });
+});
+//# sourceMappingURL=password-login-action.spec.js.map

package/esm/actions/password-login-action.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-login-action.spec.js","sourceRoot":"","sources":["../../src/actions/password-login-action.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAC7E,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AACrD,OAAO,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AACtH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAE7C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AAEjD,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAA;AAErD,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,UAAU,EAAE,MAAM,qCAAqC,CAAA;AAChE,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAA;AAEtE,MAAM,aAAa,GAAG,KAAK,EAAE,CAAW,EAAE,QAAgB,EAAE,QAAgB,EAAE,EAAE;IAC9E,QAAQ,CAAC,CAAC,EAAE,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC;SACpE,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;SAC/E,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC;SAClF,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC,CAAA;IAElF,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IAC7B,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IACpC,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;IAC/C,IAAI,CAAC,aAAa,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAA;IAClD,IAAI,CAAC,aAAa,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAA;IAE/C,iBAAiB,CAAC,CAAC,CAAC,CAAA;IACpB,qBAAqB,CAAC,CAAC,CAAC,CAAA;IAExB,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,CAAC,YAAY,CAAC,CAAA;IACtC,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,CAAC,qBAAqB,CAAC,CAAA;IAC/C,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IACjE,MAAM,EAAE,CAAC,WAAW,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC9D,MAAM,EAAE,CAAC,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;AAC5E,CAAC,CAAA;AAED,MAAM,YAAY,GAAgC;IAChD,mBAAmB,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAU,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;CACxE,CAAA;AAED,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,MAAM,OAAO,GAAG,EAAqB,CAAA;IACrC,MAAM,QAAQ,GAAG,EAAoB,CAAA;IAErC,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,MAAM,GAAG,yBAAyB,CAAC,YAAY,CAAC,CAAA;YACtD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;gBAC1B,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;aAC/E,CAAC,CAAA;YACF,MAAM,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAC,gBAAgB,EAAE,CAAA;YAC3D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAChD,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,UAAU,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,IAAU,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAA;YACrE,MAAM,QAAQ,GAAgC,EAAE,mBAAmB,EAAE,UAAU,EAAE,CAAA;YACjF,MAAM,MAAM,GAAG,yBAAyB,CAAC,QAAQ,CAAC,CAAA;YAClD,MAAM,MAAM,CAAC;gBACX,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;aAC/E,CAAC,CAAA;YACF,MAAM,CAAC,UAAU,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;QACjH,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,MAAM,GAAG,yBAAyB,CAAC,YAAY,CAAC,CAAA;YACtD,MAAM,MAAM,CACV,MAAM,CAAC;gBACL,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;aAChF,CAAC,CACH,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAA;QACnC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,MAAM,GAAG,yBAAyB,CAAC,YAAY,CAAC,CAAA;YACtD,MAAM,MAAM,CACV,MAAM,CAAC;gBACL,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;aAC3E,CAAC,CACH,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAA;QACnC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAA;YAC9C,MAAM,aAAa,GAAmD;gBACpE,mBAAmB,EAAE,KAAK,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,GAAG,CAAC;aAC5E,CAAA;YACD,MAAM,MAAM,GAAG,yBAAyB,CAAC,aAAa,CAAC,CAAA;YACvD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;gBAC1B,QAAQ,EAAE,CAAC;gBACX,OAAO;gBACP,QAAQ;gBACR,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;aAC/E,CAAC,CAAA;YACF,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/esm/index.d.ts

@@ -9,6 +9,7 @@ export * from './get-schema-from-api.js';
 export * from './helpers.js';
 export * from './http-authentication-settings.js';
 export * from './http-user-context.js';
+export * from './login-response-strategy.js';
 export * from './mime-types.js';
 export * from './models/index.js';
 export * from './proxy-manager.js';

package/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAA;AAClC,cAAc,sBAAsB,CAAA;AACpC,cAAc,kBAAkB,CAAA;AAChC,cAAc,mBAAmB,CAAA;AACjC,cAAc,qCAAqC,CAAA;AACnD,cAAc,gBAAgB,CAAA;AAC9B,cAAc,gCAAgC,CAAA;AAC9C,cAAc,0BAA0B,CAAA;AACxC,cAAc,cAAc,CAAA;AAC5B,cAAc,mCAAmC,CAAA;AACjD,cAAc,wBAAwB,CAAA;AACtC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,mBAAmB,CAAA;AACjC,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA;AACnC,cAAc,oCAAoC,CAAA;AAClD,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,iCAAiC,CAAA;AAC/C,cAAc,4BAA4B,CAAA;AAC1C,cAAc,eAAe,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAA;AAClC,cAAc,sBAAsB,CAAA;AACpC,cAAc,kBAAkB,CAAA;AAChC,cAAc,mBAAmB,CAAA;AACjC,cAAc,qCAAqC,CAAA;AACnD,cAAc,gBAAgB,CAAA;AAC9B,cAAc,gCAAgC,CAAA;AAC9C,cAAc,0BAA0B,CAAA;AACxC,cAAc,cAAc,CAAA;AAC5B,cAAc,mCAAmC,CAAA;AACjD,cAAc,wBAAwB,CAAA;AACtC,cAAc,8BAA8B,CAAA;AAC5C,cAAc,iBAAiB,CAAA;AAC/B,cAAc,mBAAmB,CAAA;AACjC,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA;AACnC,cAAc,oCAAoC,CAAA;AAClD,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,iCAAiC,CAAA;AAC/C,cAAc,4BAA4B,CAAA;AAC1C,cAAc,eAAe,CAAA"}

package/esm/index.js

@@ -9,6 +9,7 @@ export * from './get-schema-from-api.js';
 export * from './helpers.js';
 export * from './http-authentication-settings.js';
 export * from './http-user-context.js';
+export * from './login-response-strategy.js';
 export * from './mime-types.js';
 export * from './models/index.js';
 export * from './proxy-manager.js';

package/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAA;AAClC,cAAc,sBAAsB,CAAA;AACpC,cAAc,kBAAkB,CAAA;AAChC,cAAc,mBAAmB,CAAA;AACjC,cAAc,qCAAqC,CAAA;AACnD,cAAc,gBAAgB,CAAA;AAC9B,cAAc,gCAAgC,CAAA;AAC9C,cAAc,0BAA0B,CAAA;AACxC,cAAc,cAAc,CAAA;AAC5B,cAAc,mCAAmC,CAAA;AACjD,cAAc,wBAAwB,CAAA;AACtC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,mBAAmB,CAAA;AACjC,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA;AACnC,cAAc,oCAAoC,CAAA;AAClD,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,iCAAiC,CAAA;AAC/C,cAAc,4BAA4B,CAAA;AAC1C,cAAc,eAAe,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAA;AAClC,cAAc,sBAAsB,CAAA;AACpC,cAAc,kBAAkB,CAAA;AAChC,cAAc,mBAAmB,CAAA;AACjC,cAAc,qCAAqC,CAAA;AACnD,cAAc,gBAAgB,CAAA;AAC9B,cAAc,gCAAgC,CAAA;AAC9C,cAAc,0BAA0B,CAAA;AACxC,cAAc,cAAc,CAAA;AAC5B,cAAc,mCAAmC,CAAA;AACjD,cAAc,wBAAwB,CAAA;AACtC,cAAc,8BAA8B,CAAA;AAC5C,cAAc,iBAAiB,CAAA;AAC/B,cAAc,mBAAmB,CAAA;AACjC,cAAc,oBAAoB,CAAA;AAClC,cAAc,qBAAqB,CAAA;AACnC,cAAc,oCAAoC,CAAA;AAClD,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,iCAAiC,CAAA;AAC/C,cAAc,4BAA4B,CAAA;AAC1C,cAAc,eAAe,CAAA"}

package/esm/login-response-strategy.d.ts

@@ -0,0 +1,28 @@
+import type { User } from '@furystack/core';
+import type { Injector } from '@furystack/inject';
+import type { ActionResult } from './request-action-implementation.js';
+/**
+ * A pluggable strategy that turns an authenticated {@link User} into an
+ * {@link ActionResult} containing the session/token data for the client.
+ *
+ * Pass a concrete strategy to action factories like
+ * {@link createPasswordLoginAction} or `createGoogleLoginAction` to
+ * decouple the authentication mechanism from the session/token mechanism.
+ *
+ * @typeParam TResult The shape of the response body (e.g. `User` for cookies,
+ *   `{ accessToken: string; refreshToken: string }` for JWT)
+ */
+export type LoginResponseStrategy<TResult> = {
+    createLoginResponse: (user: User, injector: Injector) => Promise<ActionResult<TResult>>;
+};
+/**
+ * Creates a cookie-based {@link LoginResponseStrategy}.
+ *
+ * On each login it generates a random session ID, persists it in the session
+ * DataSet, and returns the user with a `Set-Cookie` header.
+ *
+ * @param injector The root injector (must have {@link HttpAuthenticationSettings} configured)
+ * @returns A strategy that returns `ActionResult<User>`
+ */
+export declare const createCookieLoginStrategy: (injector: Injector) => LoginResponseStrategy<User>;
+//# sourceMappingURL=login-response-strategy.d.ts.map

package/esm/login-response-strategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-response-strategy.d.ts","sourceRoot":"","sources":["../src/login-response-strategy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AAE3C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AAIjD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAGtE;;;;;;;;;;GAUG;AACH,MAAM,MAAM,qBAAqB,CAAC,OAAO,IAAI;IAC3C,mBAAmB,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,KAAK,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAAA;CACxF,CAAA;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAI,UAAU,QAAQ,KAAG,qBAAqB,CAAC,IAAI,CAcxF,CAAA"}

package/esm/login-response-strategy.js

@@ -0,0 +1,28 @@
+import { useSystemIdentityContext } from '@furystack/core';
+import { randomBytes } from 'crypto';
+import { HttpAuthenticationSettings } from './http-authentication-settings.js';
+import { JsonResult } from './request-action-implementation.js';
+/**
+ * Creates a cookie-based {@link LoginResponseStrategy}.
+ *
+ * On each login it generates a random session ID, persists it in the session
+ * DataSet, and returns the user with a `Set-Cookie` header.
+ *
+ * @param injector The root injector (must have {@link HttpAuthenticationSettings} configured)
+ * @returns A strategy that returns `ActionResult<User>`
+ */
+export const createCookieLoginStrategy = (injector) => {
+    const settings = injector.getInstance(HttpAuthenticationSettings);
+    const systemInjector = useSystemIdentityContext({ injector, username: 'CookieLoginStrategy' });
+    return {
+        createLoginResponse: async (user) => {
+            const sessionDataSet = settings.getSessionDataSet(systemInjector);
+            const sessionId = randomBytes(32).toString('hex');
+            await sessionDataSet.add(systemInjector, { sessionId, username: user.username });
+            return JsonResult(user, 200, {
+                'Set-Cookie': `${settings.cookieName}=${sessionId}; Path=/; HttpOnly`,
+            });
+        },
+    };
+};
+//# sourceMappingURL=login-response-strategy.js.map

package/esm/login-response-strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-response-strategy.js","sourceRoot":"","sources":["../src/login-response-strategy.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAA;AAE1D,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAA;AAEpC,OAAO,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAA;AAE9E,OAAO,EAAE,UAAU,EAAE,MAAM,oCAAoC,CAAA;AAiB/D;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,QAAkB,EAA+B,EAAE;IAC3F,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAW,CAAC,0BAA0B,CAAC,CAAA;IACjE,MAAM,cAAc,GAAG,wBAAwB,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,qBAAqB,EAAE,CAAC,CAAA;IAE9F,OAAO;QACL,mBAAmB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;YAClC,MAAM,cAAc,GAAG,QAAQ,CAAC,iBAAiB,CAAC,cAAc,CAAC,CAAA;YACjE,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;YACjD,MAAM,cAAc,CAAC,GAAG,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAA;YAChF,OAAO,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE;gBAC3B,YAAY,EAAE,GAAG,QAAQ,CAAC,UAAU,IAAI,SAAS,oBAAoB;aACtE,CAAC,CAAA;QACJ,CAAC;KACF,CAAA;AACH,CAAC,CAAA"}

package/esm/login-response-strategy.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=login-response-strategy.spec.d.ts.map

package/esm/login-response-strategy.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-response-strategy.spec.d.ts","sourceRoot":"","sources":["../src/login-response-strategy.spec.ts"],"names":[],"mappings":""}

package/esm/login-response-strategy.spec.js

@@ -0,0 +1,78 @@
+import { InMemoryStore, User, addStore } from '@furystack/core';
+import { Injector } from '@furystack/inject';
+import { getRepository } from '@furystack/repository';
+import { PasswordCredential, PasswordResetToken, usePasswordPolicy } from '@furystack/security';
+import { usingAsync } from '@furystack/utils';
+import { describe, expect, it } from 'vitest';
+import { useHttpAuthentication } from './helpers.js';
+import { createCookieLoginStrategy } from './login-response-strategy.js';
+import { DefaultSession } from './models/default-session.js';
+const setupInjector = (i) => {
+    addStore(i, new InMemoryStore({ model: User, primaryKey: 'username' }))
+        .addStore(new InMemoryStore({ model: DefaultSession, primaryKey: 'sessionId' }))
+        .addStore(new InMemoryStore({ model: PasswordCredential, primaryKey: 'userName' }))
+        .addStore(new InMemoryStore({ model: PasswordResetToken, primaryKey: 'token' }));
+    const repo = getRepository(i);
+    repo.createDataSet(User, 'username');
+    repo.createDataSet(DefaultSession, 'sessionId');
+    repo.createDataSet(PasswordCredential, 'userName');
+    repo.createDataSet(PasswordResetToken, 'token');
+    usePasswordPolicy(i);
+    useHttpAuthentication(i);
+};
+describe('createCookieLoginStrategy', () => {
+    const testUser = { username: 'testuser', roles: ['admin'] };
+    it('Should return the user as the response body', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            setupInjector(i);
+            const strategy = createCookieLoginStrategy(i);
+            const result = await strategy.createLoginResponse(testUser, i);
+            expect(result.chunk).toEqual(testUser);
+        });
+    });
+    it('Should return status code 200', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            setupInjector(i);
+            const strategy = createCookieLoginStrategy(i);
+            const result = await strategy.createLoginResponse(testUser, i);
+            expect(result.statusCode).toBe(200);
+        });
+    });
+    it('Should include a Set-Cookie header with the session ID', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            setupInjector(i);
+            const strategy = createCookieLoginStrategy(i);
+            const result = await strategy.createLoginResponse(testUser, i);
+            const setCookie = result.headers['Set-Cookie'];
+            expect(setCookie).toBeDefined();
+            expect(setCookie).toContain('fss=');
+            expect(setCookie).toContain('Path=/');
+            expect(setCookie).toContain('HttpOnly');
+        });
+    });
+    it('Should persist the session in the DataSet', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            setupInjector(i);
+            const strategy = createCookieLoginStrategy(i);
+            await strategy.createLoginResponse(testUser, i);
+            const repo = getRepository(i);
+            const sessionDataSet = repo.getDataSetFor(DefaultSession, 'sessionId');
+            const sessions = await sessionDataSet.find(i, { filter: { username: { $eq: 'testuser' } } });
+            expect(sessions).toHaveLength(1);
+            expect(sessions[0].username).toBe('testuser');
+            expect(sessions[0].sessionId).toBeTruthy();
+        });
+    });
+    it('Should create unique session IDs for each call', async () => {
+        await usingAsync(new Injector(), async (i) => {
+            setupInjector(i);
+            const strategy = createCookieLoginStrategy(i);
+            const result1 = await strategy.createLoginResponse(testUser, i);
+            const result2 = await strategy.createLoginResponse(testUser, i);
+            const sessionId1 = result1.headers['Set-Cookie']?.split('=')[1]?.split(';')[0];
+            const sessionId2 = result2.headers['Set-Cookie']?.split('=')[1]?.split(';')[0];
+            expect(sessionId1).not.toBe(sessionId2);
+        });
+    });
+});
+//# sourceMappingURL=login-response-strategy.spec.js.map

package/esm/login-response-strategy.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-response-strategy.spec.js","sourceRoot":"","sources":["../src/login-response-strategy.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAA;AAC/D,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AACrD,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAC/F,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AAE7C,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;AACpD,OAAO,EAAE,yBAAyB,EAAE,MAAM,8BAA8B,CAAA;AACxE,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAA;AAE5D,MAAM,aAAa,GAAG,CAAC,CAAW,EAAE,EAAE;IACpC,QAAQ,CAAC,CAAC,EAAE,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC;SACpE,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;SAC/E,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC;SAClF,QAAQ,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC,CAAA;IAElF,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IAC7B,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IACpC,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;IAC/C,IAAI,CAAC,aAAa,CAAC,kBAAkB,EAAE,UAAU,CAAC,CAAA;IAClD,IAAI,CAAC,aAAa,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAA;IAE/C,iBAAiB,CAAC,CAAC,CAAC,CAAA;IACpB,qBAAqB,CAAC,CAAC,CAAC,CAAA;AAC1B,CAAC,CAAA;AAED,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,MAAM,QAAQ,GAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,CAAA;IAEjE,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,aAAa,CAAC,CAAC,CAAC,CAAA;YAChB,MAAM,QAAQ,GAAG,yBAAyB,CAAC,CAAC,CAAC,CAAA;YAC7C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;YAC9D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QACxC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,aAAa,CAAC,CAAC,CAAC,CAAA;YAChB,MAAM,QAAQ,GAAG,yBAAyB,CAAC,CAAC,CAAC,CAAA;YAC7C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;YAC9D,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACrC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,aAAa,CAAC,CAAC,CAAC,CAAA;YAChB,MAAM,QAAQ,GAAG,yBAAyB,CAAC,CAAC,CAAC,CAAA;YAC7C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;YAC9D,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAA;YAC9C,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAA;YAC/B,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;YACnC,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;YACrC,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QACzC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,aAAa,CAAC,CAAC,CAAC,CAAA;YAChB,MAAM,QAAQ,GAAG,yBAAyB,CAAC,CAAC,CAAC,CAAA;YAC7C,MAAM,QAAQ,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;YAE/C,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;YAC7B,MAAM,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,WAAW,CAAC,CAAA;YACtE,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC,CAAA;YAC5F,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;YAChC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;YAC7C,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,UAAU,CAAC,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;YAC3C,aAAa,CAAC,CAAC,CAAC,CAAA;YAChB,MAAM,QAAQ,GAAG,yBAAyB,CAAC,CAAC,CAAC,CAAA;YAE7C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;YAC/D,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;YAE/D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;YAC9E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;YAC9E,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QACzC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@furystack/rest-service",
-  "version": "12.0.0",
+  "version": "12.1.0",
   "description": "REST API service implementation for FuryStack",
   "type": "module",
   "scripts": {
@@ -39,19 +39,19 @@
   },
   "homepage": "https://github.com/furystack/furystack",
   "dependencies": {
-    "@furystack/core": "^15.2.1",
+    "@furystack/core": "^15.2.2",
     "@furystack/inject": "^12.0.30",
-    "@furystack/repository": "^10.1.2",
-    "@furystack/rest": "^8.0.39",
-    "@furystack/security": "^7.0.0",
+    "@furystack/repository": "^10.1.3",
+    "@furystack/rest": "^8.0.40",
+    "@furystack/security": "^7.0.1",
     "@furystack/utils": "^8.1.10",
     "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
     "path-to-regexp": "^8.3.0"
   },
   "devDependencies": {
-    "@furystack/rest-client-fetch": "^8.0.39",
-    "@types/node": "^25.3.0",
+    "@furystack/rest-client-fetch": "^8.0.40",
+    "@types/node": "^25.3.1",
     "@types/ws": "^8.18.1",
     "typescript": "^5.9.3",
     "vitest": "^4.0.18",

package/src/actions/index.ts

@@ -4,3 +4,4 @@ export * from './is-authenticated.js'
 export * from './login.js'
 export * from './logout.js'
 export * from './not-found-action.js'
+export * from './password-login-action.js'

package/src/actions/login.ts

@@ -1,15 +1,20 @@
-import { HttpUserContext } from '../http-user-context.js'
 import type { User } from '@furystack/core'
 import { RequestError } from '@furystack/rest'
+import { sleepAsync } from '@furystack/utils'
+
+import { HttpUserContext } from '../http-user-context.js'
 import type { RequestAction } from '../request-action-implementation.js'
 import { JsonResult } from '../request-action-implementation.js'
 
 /**
- * Action that logs in the current user
- * Should be called with a JSON Post body with ``username`` and ``password`` fields.
- * Returns the current user instance
+ * Action that logs in the current user.
+ * Should be called with a JSON POST body with `username` and `password` fields.
+ * Returns the current user instance.
+ *
+ * @deprecated Use `createPasswordLoginAction(createCookieLoginStrategy(injector))` instead.
+ * This static action resolves services from the request-scoped injector on
+ * every call; the factory approach captures them once at setup time.
  */
-
 export const LoginAction: RequestAction<{
   result: User
   body: { username: string; password: string }
@@ -20,7 +25,8 @@ export const LoginAction: RequestAction<{
     const user = await userContext.authenticateUser(body.username, body.password)
     await userContext.cookieLogin(user, response)
     return JsonResult(user, 200)
-  } catch (error) {
+  } catch {
+    await sleepAsync(Math.random() * 1000)
     throw new RequestError('Login Failed', 400)
   }
 }