@jskit-ai/auth-core 0.1.4

package/src/shared/commands/authCommandValidators.js

@@ -0,0 +1,255 @@
+import { Type } from "typebox";
+import {
+  AUTH_ACCESS_TOKEN_MAX_LENGTH,
+  AUTH_EMAIL_MAX_LENGTH,
+  AUTH_EMAIL_MIN_LENGTH,
+  AUTH_EMAIL_PATTERN,
+  AUTH_LOGIN_PASSWORD_MAX_LENGTH,
+  AUTH_PASSWORD_MAX_LENGTH,
+  AUTH_PASSWORD_MIN_LENGTH,
+  AUTH_RECOVERY_TOKEN_MAX_LENGTH,
+  AUTH_REFRESH_TOKEN_MAX_LENGTH
+} from "../authConstraints.js";
+import { AUTH_METHOD_IDS, AUTH_METHOD_KINDS } from "../authMethods.js";
+import { OAUTH_PROVIDER_ID_PATTERN } from "../oauthProviders.js";
+
+const oauthProviderValidator = Object.freeze({
+  schema: Type.String({
+    minLength: 2,
+    maxLength: 32,
+    pattern: OAUTH_PROVIDER_ID_PATTERN
+  })
+});
+
+const authMethodIdValidator = Object.freeze({
+  schema: Type.String({
+    minLength: 3,
+    maxLength: 38,
+    pattern: `^(?:${AUTH_METHOD_IDS.join("|")}|oauth:${OAUTH_PROVIDER_ID_PATTERN.slice(1, -1)})$`
+  })
+});
+
+const authMethodKindValidator = Object.freeze({
+  schema: Type.Union(AUTH_METHOD_KINDS.map((kind) => Type.Literal(kind)))
+});
+
+const OAUTH_RETURN_TO_PATTERN = "^(?:/(?!/).*$|https?://[^\\s]+)$";
+
+const oauthReturnToValidator = Object.freeze({
+  schema: Type.String({
+    minLength: 1,
+    maxLength: 1024,
+    pattern: OAUTH_RETURN_TO_PATTERN
+  })
+});
+
+const authEmailValidator = Object.freeze({
+  schema: Type.String({
+    minLength: AUTH_EMAIL_MIN_LENGTH,
+    maxLength: AUTH_EMAIL_MAX_LENGTH,
+    pattern: AUTH_EMAIL_PATTERN
+  })
+});
+
+const authPasswordValidator = Object.freeze({
+  schema: Type.String({
+    minLength: AUTH_PASSWORD_MIN_LENGTH,
+    maxLength: AUTH_PASSWORD_MAX_LENGTH
+  })
+});
+
+const authLoginPasswordValidator = Object.freeze({
+  schema: Type.String({
+    minLength: 1,
+    maxLength: AUTH_LOGIN_PASSWORD_MAX_LENGTH
+  })
+});
+
+const authRecoveryTokenValidator = Object.freeze({
+  schema: Type.String({
+    minLength: 1,
+    maxLength: AUTH_RECOVERY_TOKEN_MAX_LENGTH
+  })
+});
+
+const authAccessTokenValidator = Object.freeze({
+  schema: Type.String({
+    minLength: 1,
+    maxLength: AUTH_ACCESS_TOKEN_MAX_LENGTH
+  })
+});
+
+const authRefreshTokenValidator = Object.freeze({
+  schema: Type.String({
+    minLength: 1,
+    maxLength: AUTH_REFRESH_TOKEN_MAX_LENGTH
+  })
+});
+
+const okResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      ok: Type.Boolean()
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const okMessageResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      ok: Type.Boolean(),
+      message: Type.String({ minLength: 1 })
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const registerResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      ok: Type.Boolean(),
+      requiresEmailConfirmation: Type.Boolean(),
+      username: Type.Optional(Type.String({ minLength: 1, maxLength: 120 })),
+      message: Type.Optional(Type.String({ minLength: 1 }))
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const loginResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      ok: Type.Boolean(),
+      username: Type.String({ minLength: 1, maxLength: 120 })
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const otpVerifyResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      ok: Type.Boolean(),
+      username: Type.String({ minLength: 1, maxLength: 120 }),
+      email: authEmailValidator.schema
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const oauthCompleteResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      ok: Type.Boolean(),
+      provider: oauthProviderValidator.schema,
+      username: Type.String({ minLength: 1, maxLength: 120 }),
+      email: authEmailValidator.schema
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const logoutResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      ok: Type.Boolean()
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const oauthProviderCatalogEntryValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      id: oauthProviderValidator.schema,
+      label: Type.String({ minLength: 1, maxLength: 120 })
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const sessionResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      authenticated: Type.Boolean(),
+      username: Type.Optional(Type.String({ minLength: 1, maxLength: 120 })),
+      csrfToken: Type.String({ minLength: 1 }),
+      oauthProviders: Type.Array(oauthProviderCatalogEntryValidator.schema),
+      oauthDefaultProvider: Type.Union([oauthProviderValidator.schema, Type.Null()])
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+const sessionUnavailableResponseValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      error: Type.String({ minLength: 1 }),
+      csrfToken: Type.String({ minLength: 1 }),
+      oauthProviders: Type.Array(oauthProviderCatalogEntryValidator.schema),
+      oauthDefaultProvider: Type.Union([oauthProviderValidator.schema, Type.Null()])
+    },
+    {
+      additionalProperties: false
+    }
+  )
+});
+
+function createCommandMessages({
+  fields = {},
+  defaultMessage = "Invalid value."
+} = {}) {
+  return Object.freeze({
+    apiValidation: "Validation failed.",
+    fields: Object.freeze({
+      ...(fields && typeof fields === "object" ? fields : {})
+    }),
+    keywords: Object.freeze({
+      additionalProperties: "Unexpected field."
+    }),
+    default: String(defaultMessage || "Invalid value.")
+  });
+}
+
+export {
+  authEmailValidator,
+  authPasswordValidator,
+  authLoginPasswordValidator,
+  authRecoveryTokenValidator,
+  authAccessTokenValidator,
+  authRefreshTokenValidator,
+  oauthProviderValidator,
+  authMethodIdValidator,
+  authMethodKindValidator,
+  oauthReturnToValidator,
+  okResponseValidator,
+  okMessageResponseValidator,
+  registerResponseValidator,
+  loginResponseValidator,
+  otpVerifyResponseValidator,
+  oauthCompleteResponseValidator,
+  logoutResponseValidator,
+  oauthProviderCatalogEntryValidator,
+  sessionResponseValidator,
+  sessionUnavailableResponseValidator,
+  createCommandMessages
+};

package/src/shared/commands/authLoginOAuthCompleteCommand.js

@@ -0,0 +1,68 @@
+import { Type } from "typebox";
+import { normalizeObjectInput } from "../inputNormalization.js";
+import {
+  authAccessTokenValidator,
+  authRecoveryTokenValidator,
+  authRefreshTokenValidator,
+  createCommandMessages,
+  oauthCompleteResponseValidator,
+  oauthProviderValidator
+} from "./authCommandValidators.js";
+
+const AUTH_LOGIN_OAUTH_COMPLETE_MESSAGES = createCommandMessages({
+  fields: {
+    provider: {
+      required: "OAuth provider is required.",
+      pattern: "OAuth provider id is invalid.",
+      default: "OAuth provider id is invalid."
+    },
+    code: {
+      default: "OAuth code is invalid."
+    },
+    accessToken: {
+      default: "Access token is invalid."
+    },
+    refreshToken: {
+      default: "Refresh token is invalid."
+    }
+  }
+});
+
+const authLoginOAuthCompleteBodyValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      provider: oauthProviderValidator.schema,
+      code: Type.Optional(authRecoveryTokenValidator.schema),
+      accessToken: Type.Optional(authAccessTokenValidator.schema),
+      refreshToken: Type.Optional(authRefreshTokenValidator.schema),
+      error: Type.Optional(Type.String({ minLength: 1, maxLength: 128 })),
+      errorDescription: Type.Optional(Type.String({ minLength: 1, maxLength: 1024 })),
+      error_code: Type.Optional(Type.String({ minLength: 1, maxLength: 128 })),
+      error_description: Type.Optional(Type.String({ minLength: 1, maxLength: 1024 }))
+    },
+    {
+      additionalProperties: false
+    }
+  ),
+  normalize: normalizeObjectInput,
+  messages: AUTH_LOGIN_OAUTH_COMPLETE_MESSAGES
+});
+
+const authLoginOAuthCompleteCommand = Object.freeze({
+  command: "auth.login.oauth.complete",
+  operation: Object.freeze({
+    method: "POST",
+    bodyValidator: authLoginOAuthCompleteBodyValidator,
+    responseValidator: oauthCompleteResponseValidator,
+    messages: AUTH_LOGIN_OAUTH_COMPLETE_MESSAGES,
+    idempotent: false,
+    invalidates: Object.freeze(["auth.session.read"])
+  })
+});
+
+export {
+  authLoginOAuthCompleteBodyValidator,
+  oauthCompleteResponseValidator,
+  AUTH_LOGIN_OAUTH_COMPLETE_MESSAGES,
+  authLoginOAuthCompleteCommand
+};

package/src/shared/commands/authLoginOAuthStartCommand.js

@@ -0,0 +1,72 @@
+import { Type } from "typebox";
+import { normalizeObjectInput } from "../inputNormalization.js";
+import {
+  createCommandMessages,
+  oauthProviderValidator,
+  oauthReturnToValidator
+} from "./authCommandValidators.js";
+
+const AUTH_LOGIN_OAUTH_START_MESSAGES = createCommandMessages({
+  fields: {
+    provider: {
+      required: "OAuth provider is required.",
+      pattern: "OAuth provider id is invalid.",
+      default: "OAuth provider id is invalid."
+    },
+    returnTo: {
+      pattern: "Return target must be an absolute path or URL.",
+      default: "Return target must be an absolute path or URL."
+    }
+  }
+});
+
+const authLoginOAuthStartParamsValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      provider: oauthProviderValidator.schema
+    },
+    {
+      additionalProperties: false
+    }
+  ),
+  normalize: normalizeObjectInput,
+  messages: AUTH_LOGIN_OAUTH_START_MESSAGES
+});
+
+const authLoginOAuthStartQueryValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      returnTo: Type.Optional(oauthReturnToValidator.schema)
+    },
+    {
+      additionalProperties: false
+    }
+  ),
+  normalize: normalizeObjectInput,
+  messages: AUTH_LOGIN_OAUTH_START_MESSAGES
+});
+
+const authLoginOAuthStartResponseValidator = Object.freeze({
+  schema: Type.Unknown()
+});
+
+const authLoginOAuthStartCommand = Object.freeze({
+  command: "auth.login.oauth.start",
+  operation: Object.freeze({
+    method: "GET",
+    paramsValidator: authLoginOAuthStartParamsValidator,
+    queryValidator: authLoginOAuthStartQueryValidator,
+    responseValidator: authLoginOAuthStartResponseValidator,
+    messages: AUTH_LOGIN_OAUTH_START_MESSAGES,
+    idempotent: true,
+    invalidates: Object.freeze([])
+  })
+});
+
+export {
+  authLoginOAuthStartParamsValidator,
+  authLoginOAuthStartQueryValidator,
+  authLoginOAuthStartResponseValidator,
+  AUTH_LOGIN_OAUTH_START_MESSAGES,
+  authLoginOAuthStartCommand
+};

package/src/shared/commands/authLoginOtpRequestCommand.js

@@ -0,0 +1,56 @@
+import { Type } from "typebox";
+import { normalizeObjectInput } from "../inputNormalization.js";
+import {
+  authEmailValidator,
+  createCommandMessages,
+  oauthReturnToValidator,
+  okMessageResponseValidator
+} from "./authCommandValidators.js";
+
+const AUTH_LOGIN_OTP_REQUEST_MESSAGES = createCommandMessages({
+  fields: {
+    email: {
+      required: "Email is required.",
+      minLength: "Email is required.",
+      pattern: "Enter a valid email address.",
+      default: "Enter a valid email address."
+    },
+    returnTo: {
+      pattern: "Return target must be an absolute path or URL.",
+      default: "Return target must be an absolute path or URL."
+    }
+  }
+});
+
+const authLoginOtpRequestBodyValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      email: authEmailValidator.schema,
+      returnTo: Type.Optional(oauthReturnToValidator.schema)
+    },
+    {
+      additionalProperties: false
+    }
+  ),
+  normalize: normalizeObjectInput,
+  messages: AUTH_LOGIN_OTP_REQUEST_MESSAGES
+});
+
+const authLoginOtpRequestCommand = Object.freeze({
+  command: "auth.login.otp.request",
+  operation: Object.freeze({
+    method: "POST",
+    bodyValidator: authLoginOtpRequestBodyValidator,
+    responseValidator: okMessageResponseValidator,
+    messages: AUTH_LOGIN_OTP_REQUEST_MESSAGES,
+    idempotent: false,
+    invalidates: Object.freeze([])
+  })
+});
+
+export {
+  authLoginOtpRequestBodyValidator,
+  okMessageResponseValidator,
+  AUTH_LOGIN_OTP_REQUEST_MESSAGES,
+  authLoginOtpRequestCommand
+};

package/src/shared/commands/authLoginOtpVerifyCommand.js

@@ -0,0 +1,64 @@
+import { Type } from "typebox";
+import { normalizeObjectInput } from "../inputNormalization.js";
+import {
+  authEmailValidator,
+  authRecoveryTokenValidator,
+  createCommandMessages,
+  otpVerifyResponseValidator
+} from "./authCommandValidators.js";
+
+const AUTH_LOGIN_OTP_VERIFY_MESSAGES = createCommandMessages({
+  fields: {
+    email: {
+      pattern: "Enter a valid email address.",
+      default: "Enter a valid email address."
+    },
+    token: {
+      minLength: "One-time code is required.",
+      default: "One-time code is required."
+    },
+    tokenHash: {
+      default: "One-time token hash is invalid."
+    },
+    type: {
+      const: "Only email OTP verification is supported.",
+      default: "Only email OTP verification is supported."
+    }
+  }
+});
+
+const authLoginOtpVerifyBodyValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      email: Type.Optional(authEmailValidator.schema),
+      token: Type.Optional(authRecoveryTokenValidator.schema),
+      tokenHash: Type.Optional(authRecoveryTokenValidator.schema),
+      type: Type.Optional(Type.Literal("email"))
+    },
+    {
+      additionalProperties: false,
+      minProperties: 1
+    }
+  ),
+  normalize: normalizeObjectInput,
+  messages: AUTH_LOGIN_OTP_VERIFY_MESSAGES
+});
+
+const authLoginOtpVerifyCommand = Object.freeze({
+  command: "auth.login.otp.verify",
+  operation: Object.freeze({
+    method: "POST",
+    bodyValidator: authLoginOtpVerifyBodyValidator,
+    responseValidator: otpVerifyResponseValidator,
+    messages: AUTH_LOGIN_OTP_VERIFY_MESSAGES,
+    idempotent: false,
+    invalidates: Object.freeze(["auth.session.read"])
+  })
+});
+
+export {
+  authLoginOtpVerifyBodyValidator,
+  otpVerifyResponseValidator,
+  AUTH_LOGIN_OTP_VERIFY_MESSAGES,
+  authLoginOtpVerifyCommand
+};

package/src/shared/commands/authLoginPasswordCommand.js

@@ -0,0 +1,57 @@
+import { Type } from "typebox";
+import { normalizeObjectInput } from "../inputNormalization.js";
+import {
+  authEmailValidator,
+  authLoginPasswordValidator,
+  createCommandMessages,
+  loginResponseValidator
+} from "./authCommandValidators.js";
+
+const AUTH_LOGIN_PASSWORD_MESSAGES = createCommandMessages({
+  fields: {
+    email: {
+      required: "Email is required.",
+      minLength: "Email is required.",
+      pattern: "Enter a valid email address.",
+      default: "Enter a valid email address."
+    },
+    password: {
+      required: "Password is required.",
+      minLength: "Password is required.",
+      default: "Password is required."
+    }
+  }
+});
+
+const authLoginPasswordBodyValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      email: authEmailValidator.schema,
+      password: authLoginPasswordValidator.schema
+    },
+    {
+      additionalProperties: false
+    }
+  ),
+  normalize: normalizeObjectInput,
+  messages: AUTH_LOGIN_PASSWORD_MESSAGES
+});
+
+const authLoginPasswordCommand = Object.freeze({
+  command: "auth.login.password",
+  operation: Object.freeze({
+    method: "POST",
+    bodyValidator: authLoginPasswordBodyValidator,
+    responseValidator: loginResponseValidator,
+    messages: AUTH_LOGIN_PASSWORD_MESSAGES,
+    idempotent: false,
+    invalidates: Object.freeze(["auth.session.read"])
+  })
+});
+
+export {
+  authLoginPasswordBodyValidator,
+  loginResponseValidator,
+  AUTH_LOGIN_PASSWORD_MESSAGES,
+  authLoginPasswordCommand
+};

package/src/shared/commands/authLogoutCommand.js

@@ -0,0 +1,23 @@
+import {
+  createCommandMessages,
+  logoutResponseValidator
+} from "./authCommandValidators.js";
+
+const AUTH_LOGOUT_MESSAGES = createCommandMessages();
+
+const authLogoutCommand = Object.freeze({
+  command: "auth.logout",
+  operation: Object.freeze({
+    method: "POST",
+    responseValidator: logoutResponseValidator,
+    messages: AUTH_LOGOUT_MESSAGES,
+    idempotent: false,
+    invalidates: Object.freeze(["auth.session.read"])
+  })
+});
+
+export {
+  logoutResponseValidator,
+  AUTH_LOGOUT_MESSAGES,
+  authLogoutCommand
+};

package/src/shared/commands/authPasswordRecoveryCompleteCommand.js

@@ -0,0 +1,67 @@
+import { Type } from "typebox";
+import { normalizeObjectInput } from "../inputNormalization.js";
+import {
+  authAccessTokenValidator,
+  authRecoveryTokenValidator,
+  authRefreshTokenValidator,
+  createCommandMessages,
+  okResponseValidator
+} from "./authCommandValidators.js";
+
+const AUTH_PASSWORD_RECOVERY_COMPLETE_MESSAGES = createCommandMessages({
+  fields: {
+    code: {
+      default: "Recovery code is invalid."
+    },
+    tokenHash: {
+      default: "Recovery token hash is invalid."
+    },
+    accessToken: {
+      default: "Access token is invalid."
+    },
+    refreshToken: {
+      default: "Refresh token is invalid."
+    },
+    type: {
+      const: "Only recovery links are supported.",
+      default: "Only recovery links are supported."
+    }
+  }
+});
+
+const authPasswordRecoveryCompleteBodyValidator = Object.freeze({
+  schema: Type.Object(
+    {
+      code: Type.Optional(authRecoveryTokenValidator.schema),
+      tokenHash: Type.Optional(authRecoveryTokenValidator.schema),
+      accessToken: Type.Optional(authAccessTokenValidator.schema),
+      refreshToken: Type.Optional(authRefreshTokenValidator.schema),
+      type: Type.Optional(Type.Literal("recovery"))
+    },
+    {
+      additionalProperties: false,
+      minProperties: 1
+    }
+  ),
+  normalize: normalizeObjectInput,
+  messages: AUTH_PASSWORD_RECOVERY_COMPLETE_MESSAGES
+});
+
+const authPasswordRecoveryCompleteCommand = Object.freeze({
+  command: "auth.password.recovery.complete",
+  operation: Object.freeze({
+    method: "POST",
+    bodyValidator: authPasswordRecoveryCompleteBodyValidator,
+    responseValidator: okResponseValidator,
+    messages: AUTH_PASSWORD_RECOVERY_COMPLETE_MESSAGES,
+    idempotent: false,
+    invalidates: Object.freeze(["auth.session.read"])
+  })
+});
+
+export {
+  authPasswordRecoveryCompleteBodyValidator,
+  okResponseValidator,
+  AUTH_PASSWORD_RECOVERY_COMPLETE_MESSAGES,
+  authPasswordRecoveryCompleteCommand
+};