@jskit-ai/auth-core 0.1.51 → 0.1.53

package/package.descriptor.mjs

@@ -1,7 +1,7 @@
 export default Object.freeze({
   "packageVersion": 1,
   "packageId": "@jskit-ai/auth-core",
-  "version": "0.1.51",
+  "version": "0.1.53",
   "kind": "runtime",
   "dependsOn": [
     "@jskit-ai/value-app-config-shared"
@@ -69,7 +69,7 @@ export default Object.freeze({
   "mutations": {
     "dependencies": {
       "runtime": {
-        "@jskit-ai/kernel": "0.1.52",
+        "@jskit-ai/kernel": "0.1.54",
         "@fastify/cookie": "^11.0.2",
         "@fastify/csrf-protection": "^7.1.0",
         "@fastify/rate-limit": "^10.3.0"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jskit-ai/auth-core",
-  "version": "0.1.51",
+  "version": "0.1.53",
   "type": "module",
   "scripts": {
     "test": "node --test"
@@ -8,6 +8,8 @@
   "exports": {
     "./server/providers/AccessCoreServiceProvider": "./src/server/providers/AccessCoreServiceProvider.js",
     "./server/providers/FastifyAuthPolicyServiceProvider": "./src/server/providers/FastifyAuthPolicyServiceProvider.js",
+    "./server/authPolicyContextResolverRegistry": "./src/server/authPolicyContextResolverRegistry.js",
+    "./server/authServiceDecoratorRegistry": "./src/server/authServiceDecoratorRegistry.js",
     "./server/utils": "./src/server/utils.js",
     "./server/validators": "./src/server/validators.js",
     "./server/inviteTokens": "./src/server/inviteTokens.js",
@@ -44,7 +46,7 @@
     "./shared/commands/authSessionReadCommand": "./src/shared/commands/authSessionReadCommand.js"
   },
   "dependencies": {
-    "@jskit-ai/kernel": "0.1.52",
+    "@jskit-ai/kernel": "0.1.54",
     "@fastify/cookie": "^11.0.2",
     "@fastify/csrf-protection": "^7.1.0",
     "@fastify/rate-limit": "^10.3.0",

package/src/server/authPolicyContextResolverRegistry.js

@@ -0,0 +1,125 @@
+import { normalizePermissionList } from "@jskit-ai/kernel/shared/support/permissions";
+import { registerTaggedSingleton, resolveTaggedEntries } from "@jskit-ai/kernel/server/registries";
+
+const AUTH_POLICY_CONTEXT_RESOLVER_TAG = "jskit.auth.policy.context.resolvers";
+
+function normalizeAuthPolicyContextResolver(entry) {
+  if (typeof entry === "function") {
+    return Object.freeze({
+      resolverId: String(entry.name || "anonymous"),
+      order: 0,
+      resolveAuthPolicyContext: entry
+    });
+  }
+
+  if (!entry || typeof entry !== "object" || typeof entry.resolveAuthPolicyContext !== "function") {
+    return null;
+  }
+
+  const resolverId = String(entry.resolverId || "anonymous");
+  const order = Number.isFinite(entry.order) ? Number(entry.order) : 0;
+
+  return Object.freeze({
+    ...entry,
+    resolverId,
+    order,
+    resolveAuthPolicyContext: entry.resolveAuthPolicyContext
+  });
+}
+
+function registerAuthPolicyContextResolver(app, token, factory) {
+  registerTaggedSingleton(app, token, factory, AUTH_POLICY_CONTEXT_RESOLVER_TAG, {
+    context: "registerAuthPolicyContextResolver"
+  });
+}
+
+function resolveAuthPolicyContextResolvers(scope) {
+  return resolveTaggedEntries(scope, AUTH_POLICY_CONTEXT_RESOLVER_TAG)
+    .map((entry, index) => ({
+      resolver: normalizeAuthPolicyContextResolver(entry),
+      index
+    }))
+    .filter((entry) => Boolean(entry.resolver))
+    .sort((left, right) => {
+      if (left.resolver.order !== right.resolver.order) {
+        return left.resolver.order - right.resolver.order;
+      }
+
+      return left.index - right.index;
+    })
+    .map((entry) => entry.resolver);
+}
+
+function mergeAuthPolicyContexts(contexts = []) {
+  const merged = {};
+  let hasValues = false;
+  const permissions = new Set();
+
+  for (const context of Array.isArray(contexts) ? contexts : [contexts]) {
+    if (!context || typeof context !== "object") {
+      continue;
+    }
+
+    for (const [key, value] of Object.entries(context)) {
+      if (key === "permissions") {
+        for (const permission of normalizePermissionList(value)) {
+          permissions.add(permission);
+        }
+        continue;
+      }
+
+      if (value === undefined) {
+        continue;
+      }
+
+      merged[key] = value;
+      hasValues = true;
+    }
+  }
+
+  if (permissions.size > 0) {
+    merged.permissions = Object.freeze([...permissions]);
+    hasValues = true;
+  }
+
+  return hasValues ? Object.freeze(merged) : null;
+}
+
+function composeAuthPolicyContextResolvers(resolvers = []) {
+  const normalizedResolvers = (Array.isArray(resolvers) ? resolvers : [resolvers])
+    .map((entry, index) => ({
+      resolver: normalizeAuthPolicyContextResolver(entry),
+      index
+    }))
+    .filter((entry) => Boolean(entry.resolver))
+    .sort((left, right) => {
+      if (left.resolver.order !== right.resolver.order) {
+        return left.resolver.order - right.resolver.order;
+      }
+
+      return left.index - right.index;
+    })
+    .map((entry) => entry.resolver);
+
+  if (normalizedResolvers.length < 1) {
+    return null;
+  }
+
+  return async function resolveComposedAuthPolicyContext(input = {}) {
+    const contexts = [];
+
+    for (const resolver of normalizedResolvers) {
+      contexts.push(await resolver.resolveAuthPolicyContext(input));
+    }
+
+    return mergeAuthPolicyContexts(contexts);
+  };
+}
+
+export {
+  AUTH_POLICY_CONTEXT_RESOLVER_TAG,
+  registerAuthPolicyContextResolver,
+  resolveAuthPolicyContextResolvers,
+  mergeAuthPolicyContexts,
+  composeAuthPolicyContextResolvers
+};

package/src/server/authServiceDecoratorRegistry.js

@@ -0,0 +1,56 @@
+import { registerTaggedSingleton, resolveTaggedEntries } from "@jskit-ai/kernel/server/registries";
+
+const AUTH_SERVICE_DECORATOR_TAG = "jskit.auth.service.decorators";
+
+function normalizeAuthServiceDecorator(entry) {
+  if (typeof entry === "function") {
+    return Object.freeze({
+      decoratorId: String(entry.name || "anonymous"),
+      order: 0,
+      decorateAuthService: entry
+    });
+  }
+
+  if (!entry || typeof entry !== "object" || typeof entry.decorateAuthService !== "function") {
+    return null;
+  }
+
+  const decoratorId = String(entry.decoratorId || "anonymous");
+  const order = Number.isFinite(entry.order) ? Number(entry.order) : 0;
+
+  return Object.freeze({
+    ...entry,
+    decoratorId,
+    order,
+    decorateAuthService: entry.decorateAuthService
+  });
+}
+
+function registerAuthServiceDecorator(app, token, factory) {
+  registerTaggedSingleton(app, token, factory, AUTH_SERVICE_DECORATOR_TAG, {
+    context: "registerAuthServiceDecorator"
+  });
+}
+
+function resolveAuthServiceDecorators(scope) {
+  return resolveTaggedEntries(scope, AUTH_SERVICE_DECORATOR_TAG)
+    .map((entry, index) => ({
+      decorator: normalizeAuthServiceDecorator(entry),
+      index
+    }))
+    .filter((entry) => Boolean(entry.decorator))
+    .sort((left, right) => {
+      if (left.decorator.order !== right.decorator.order) {
+        return left.decorator.order - right.decorator.order;
+      }
+
+      return left.index - right.index;
+    })
+    .map((entry) => entry.decorator);
+}
+
+export {
+  AUTH_SERVICE_DECORATOR_TAG,
+  registerAuthServiceDecorator,
+  resolveAuthServiceDecorators
+};

package/src/server/providers/FastifyAuthPolicyServiceProvider.js

@@ -1,5 +1,9 @@
 import { registerActionContextContributor } from "@jskit-ai/kernel/server/actions";
 import { registerRouteVisibilityResolver } from "@jskit-ai/kernel/server/http";
+import {
+  composeAuthPolicyContextResolvers,
+  resolveAuthPolicyContextResolvers
+} from "../authPolicyContextResolverRegistry.js";
 import { authPolicyPlugin } from "../lib/plugin.js";
 import { createAuthActionContextContributor } from "../lib/actionContextContributor.js";
 import { createAuthRouteVisibilityResolver } from "../lib/routeVisibilityResolver.js";
@@ -74,17 +78,30 @@ class FastifyAuthPolicyServiceProvider {
     const env = app.has("jskit.env") ? app.make("jskit.env") : {};
     const fastify = app.make("jskit.fastify");
     const authService = app.make("authService");
-    const resolveContext =
+    const legacyResolveContext =
       typeof app.has === "function" && app.has("auth.policy.contextResolver")
         ? app.make("auth.policy.contextResolver")
         : null;
 
-    if (resolveContext != null && typeof resolveContext !== "function") {
+    if (legacyResolveContext != null && typeof legacyResolveContext !== "function") {
       throw new Error(
         "FastifyAuthPolicyServiceProvider requires auth.policy.contextResolver to be a function when provided."
       );
     }
 
+    const resolveContext = composeAuthPolicyContextResolvers([
+      ...resolveAuthPolicyContextResolvers(app),
+      ...(legacyResolveContext
+        ? [
+            {
+              resolverId: "legacy.auth.policy.contextResolver",
+              order: 1000,
+              resolveAuthPolicyContext: legacyResolveContext
+            }
+          ]
+        : [])
+    ]);
+
     const pluginDeps = {
       resolveActor: async (request) => {
         if (authService && typeof authService.authenticateRequest === "function") {

package/src/shared/commands/authCommandValidators.js

@@ -204,6 +204,8 @@ const sessionResponseValidator = Object.freeze({
     {
       authenticated: Type.Boolean(),
       username: Type.Optional(Type.String({ minLength: 1, maxLength: 120 })),
+      email: Type.Optional(authEmailValidator.schema),
+      permissions: Type.Optional(Type.Array(Type.String({ minLength: 1, maxLength: 200 }))),
       csrfToken: Type.String({ minLength: 1 }),
       oauthProviders: Type.Array(oauthProviderCatalogEntryValidator.schema),
       oauthDefaultProvider: Type.Union([oauthProviderValidator.schema, Type.Null()])

package/test/authApi.test.js

@@ -21,6 +21,7 @@ test("authApi exposes the expected methods and request routes", async () => {
     "verifyOtp",
     "oauthStartUrl",
     "oauthComplete",
+    "devLoginAs",
     "requestPasswordReset",
     "completePasswordRecovery",
     "resetPassword",
@@ -30,6 +31,7 @@ test("authApi exposes the expected methods and request routes", async () => {
   await api.session();
   await api.resendRegisterConfirmation({ email: "x@example.com" });
   await api.login({ email: "x@example.com" });
+  await api.devLoginAs({ userId: "42" });
   await api.logout();
 
   assert.equal(calls[0].url, "/api/session");
@@ -37,8 +39,10 @@ test("authApi exposes the expected methods and request routes", async () => {
   assert.equal(calls[1].options.method, "POST");
   assert.equal(calls[2].url, "/api/login");
   assert.equal(calls[2].options.method, "POST");
-  assert.equal(calls[3].url, "/api/logout");
+  assert.equal(calls[3].url, "/api/dev-auth/login-as");
   assert.equal(calls[3].options.method, "POST");
+  assert.equal(calls[4].url, "/api/logout");
+  assert.equal(calls[4].options.method, "POST");
 });
 
 test("authApi oauthStartUrl builds provider path with optional returnTo", () => {

package/test/authPolicyContextResolverRegistry.test.js

@@ -0,0 +1,56 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createApplication } from "@jskit-ai/kernel/_testable";
+import {
+  AUTH_POLICY_CONTEXT_RESOLVER_TAG,
+  composeAuthPolicyContextResolvers,
+  registerAuthPolicyContextResolver,
+  resolveAuthPolicyContextResolvers
+} from "../src/server/authPolicyContextResolverRegistry.js";
+
+test("auth policy context resolver registry resolves resolvers in order", async () => {
+  const app = createApplication();
+
+  registerAuthPolicyContextResolver(app, "test.auth.policy.context.permissions", () => ({
+    resolverId: "permissions",
+    order: 20,
+    async resolveAuthPolicyContext() {
+      return {
+        permissions: ["alpha.read"]
+      };
+    }
+  }));
+
+  registerAuthPolicyContextResolver(app, "test.auth.policy.context.workspace", () => ({
+    resolverId: "workspace",
+    order: 10,
+    async resolveAuthPolicyContext() {
+      return {
+        workspace: { id: "11" },
+        membership: { roleSid: "member" },
+        permissions: ["workspace.read"]
+      };
+    }
+  }));
+
+  const resolvers = resolveAuthPolicyContextResolvers(app);
+  assert.deepEqual(
+    resolvers.map((entry) => entry.resolverId),
+    ["workspace", "permissions"]
+  );
+
+  const resolveContext = composeAuthPolicyContextResolvers(resolvers);
+  const context = await resolveContext({
+    actor: { id: "7" }
+  });
+
+  assert.deepEqual(context, {
+    workspace: { id: "11" },
+    membership: { roleSid: "member" },
+    permissions: ["workspace.read", "alpha.read"]
+  });
+});
+
+test("auth policy context resolver registry exports canonical tag", () => {
+  assert.equal(AUTH_POLICY_CONTEXT_RESOLVER_TAG, "jskit.auth.policy.context.resolvers");
+});

package/test/authServiceDecoratorRegistry.test.js

@@ -0,0 +1,51 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createApplication } from "@jskit-ai/kernel/_testable";
+import {
+  AUTH_SERVICE_DECORATOR_TAG,
+  registerAuthServiceDecorator,
+  resolveAuthServiceDecorators
+} from "../src/server/authServiceDecoratorRegistry.js";
+
+test("auth service decorator registry resolves decorators in order", () => {
+  const app = createApplication();
+
+  registerAuthServiceDecorator(app, "test.auth.decorator.zeta", () => ({
+    decoratorId: "zeta",
+    order: 50,
+    decorateAuthService(service) {
+      return {
+        ...service,
+        trace: [...service.trace, "zeta"]
+      };
+    }
+  }));
+
+  registerAuthServiceDecorator(app, "test.auth.decorator.alpha", () => ({
+    decoratorId: "alpha",
+    order: 10,
+    decorateAuthService(service) {
+      return {
+        ...service,
+        trace: [...service.trace, "alpha"]
+      };
+    }
+  }));
+
+  const decorators = resolveAuthServiceDecorators(app);
+  assert.equal(decorators.length, 2);
+  assert.deepEqual(
+    decorators.map((entry) => entry.decoratorId),
+    ["alpha", "zeta"]
+  );
+
+  const decorated = decorators.reduce(
+    (service, decorator) => decorator.decorateAuthService(service),
+    { trace: [] }
+  );
+  assert.deepEqual(decorated.trace, ["alpha", "zeta"]);
+});
+
+test("auth service decorator registry exports canonical tag", () => {
+  assert.equal(AUTH_SERVICE_DECORATOR_TAG, "jskit.auth.service.decorators");
+});

package/test/providerRuntime.test.js

@@ -1,6 +1,7 @@
 import assert from "node:assert/strict";
 import test from "node:test";
 import { FastifyAuthPolicyServiceProvider } from "../src/server/providers/FastifyAuthPolicyServiceProvider.js";
+import { AUTH_POLICY_CONTEXT_RESOLVER_TAG } from "../src/server/authPolicyContextResolverRegistry.js";
 import { createFakeFastifyPolicyRuntime } from "../../../tooling/testUtils/fakeFastify.mjs";
 
 test("FastifyAuthPolicyServiceProvider registers auth policy plugin through provider boot", async () => {
@@ -84,6 +85,17 @@ test("FastifyAuthPolicyServiceProvider wires optional auth policy context resolv
         throw new Error(`Missing token ${String(token)}`);
       }
       return bag.get(token);
+    },
+    resolveTag(tag) {
+      if (tag !== AUTH_POLICY_CONTEXT_RESOLVER_TAG) {
+        return [];
+      }
+
+      return [
+        async () => ({
+          permissions: ["settings.manage"]
+        })
+      ];
     }
   };
 
@@ -108,5 +120,5 @@ test("FastifyAuthPolicyServiceProvider wires optional auth policy context resolv
   assert.equal(request.workspace?.id, 11);
   assert.equal(request.workspace?.slug, "acme");
   assert.equal(request.membership?.roleSid, "member");
-  assert.deepEqual(request.permissions, ["projects.read"]);
+  assert.deepEqual(request.permissions, ["settings.manage", "projects.read"]);
 });