@jskit-ai/auth-core 0.1.54 → 0.1.56

package/package.descriptor.mjs

@@ -1,7 +1,7 @@
 export default Object.freeze({
   "packageVersion": 1,
   "packageId": "@jskit-ai/auth-core",
-  "version": "0.1.54",
+  "version": "0.1.56",
   "kind": "runtime",
   "dependsOn": [
     "@jskit-ai/value-app-config-shared"
@@ -69,7 +69,7 @@ export default Object.freeze({
   "mutations": {
     "dependencies": {
       "runtime": {
-        "@jskit-ai/kernel": "0.1.55",
+        "@jskit-ai/kernel": "0.1.57",
         "@fastify/cookie": "^11.0.2",
         "@fastify/csrf-protection": "^7.1.0",
         "@fastify/rate-limit": "^10.3.0"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jskit-ai/auth-core",
-  "version": "0.1.54",
+  "version": "0.1.56",
   "type": "module",
   "scripts": {
     "test": "node --test"
@@ -46,10 +46,10 @@
     "./shared/commands/authSessionReadCommand": "./src/shared/commands/authSessionReadCommand.js"
   },
   "dependencies": {
-    "@jskit-ai/kernel": "0.1.55",
+    "@jskit-ai/kernel": "0.1.57",
     "@fastify/cookie": "^11.0.2",
     "@fastify/csrf-protection": "^7.1.0",
     "@fastify/rate-limit": "^10.3.0",
-    "typebox": "^1.0.81"
+    "json-rest-schema": "1.x.x"
   }
 }

package/src/server/authPolicyContextResolverRegistry.js

@@ -50,6 +50,10 @@ function resolveAuthPolicyContextResolvers(scope) {
     .map((entry) => entry.resolver);
 }
 
+function resolveComposedAuthPolicyContextResolver(scope) {
+  return composeAuthPolicyContextResolvers(resolveAuthPolicyContextResolvers(scope));
+}
+
 function mergeAuthPolicyContexts(contexts = []) {
   const merged = {};
   let hasValues = false;
@@ -120,6 +124,7 @@ export {
   AUTH_POLICY_CONTEXT_RESOLVER_TAG,
   registerAuthPolicyContextResolver,
   resolveAuthPolicyContextResolvers,
+  resolveComposedAuthPolicyContextResolver,
   mergeAuthPolicyContexts,
   composeAuthPolicyContextResolvers
 };

package/src/server/providers/FastifyAuthPolicyServiceProvider.js

@@ -1,8 +1,7 @@
 import { registerActionContextContributor } from "@jskit-ai/kernel/server/actions";
 import { registerRouteVisibilityResolver } from "@jskit-ai/kernel/server/http";
 import {
-  composeAuthPolicyContextResolvers,
-  resolveAuthPolicyContextResolvers
+  resolveComposedAuthPolicyContextResolver
 } from "../authPolicyContextResolverRegistry.js";
 import { authPolicyPlugin } from "../lib/plugin.js";
 import { createAuthActionContextContributor } from "../lib/actionContextContributor.js";
@@ -77,33 +76,10 @@ class FastifyAuthPolicyServiceProvider {
 
     const env = app.has("jskit.env") ? app.make("jskit.env") : {};
     const fastify = app.make("jskit.fastify");
-    const authService = app.make("authService");
-    const legacyResolveContext =
-      typeof app.has === "function" && app.has("auth.policy.contextResolver")
-        ? app.make("auth.policy.contextResolver")
-        : null;
-
-    if (legacyResolveContext != null && typeof legacyResolveContext !== "function") {
-      throw new Error(
-        "FastifyAuthPolicyServiceProvider requires auth.policy.contextResolver to be a function when provided."
-      );
-    }
-
-    const resolveContext = composeAuthPolicyContextResolvers([
-      ...resolveAuthPolicyContextResolvers(app),
-      ...(legacyResolveContext
-        ? [
-            {
-              resolverId: "legacy.auth.policy.contextResolver",
-              order: 1000,
-              resolveAuthPolicyContext: legacyResolveContext
-            }
-          ]
-        : [])
-    ]);
 
     const pluginDeps = {
       resolveActor: async (request) => {
+        const authService = app.make("authService");
         if (authService && typeof authService.authenticateRequest === "function") {
           return authService.authenticateRequest(request);
         }
@@ -114,7 +90,15 @@ class FastifyAuthPolicyServiceProvider {
         };
       },
       hasPermission: defaultHasPermission,
-      ...(typeof resolveContext === "function" ? { resolveContext } : {})
+      resolveContext: async (input = {}) => {
+        const resolveContext = resolveComposedAuthPolicyContextResolver(app);
+
+        if (typeof resolveContext !== "function") {
+          return null;
+        }
+
+        return resolveContext(input);
+      }
     };
 
     const plugin = authPolicyPlugin(

package/src/shared/commands/authCommandValidators.js

@@ -1,4 +1,5 @@
-import { Type } from "typebox";
+import { createSchema } from "json-rest-schema";
+import { deepFreeze } from "@jskit-ai/kernel/shared/support/deepFreeze";
 import {
   AUTH_ACCESS_TOKEN_MAX_LENGTH,
   AUTH_EMAIL_MAX_LENGTH,
@@ -13,240 +14,279 @@ import {
 import { AUTH_METHOD_IDS, AUTH_METHOD_KINDS } from "../authMethods.js";
 import { OAUTH_PROVIDER_ID_PATTERN } from "../oauthProviders.js";
 
-const oauthProviderValidator = Object.freeze({
-  schema: Type.String({
-    minLength: 2,
-    maxLength: 32,
-    pattern: OAUTH_PROVIDER_ID_PATTERN
-  })
+const oauthProviderFieldDefinition = deepFreeze({
+  type: "string",
+  minLength: 2,
+  maxLength: 32,
+  pattern: OAUTH_PROVIDER_ID_PATTERN
 });
 
-const authMethodIdValidator = Object.freeze({
-  schema: Type.String({
-    minLength: 3,
-    maxLength: 38,
-    pattern: `^(?:${AUTH_METHOD_IDS.join("|")}|oauth:${OAUTH_PROVIDER_ID_PATTERN.slice(1, -1)})$`
-  })
+const authMethodIdFieldDefinition = deepFreeze({
+  type: "string",
+  minLength: 3,
+  maxLength: 38,
+  pattern: `^(?:${AUTH_METHOD_IDS.join("|")}|oauth:${OAUTH_PROVIDER_ID_PATTERN.slice(1, -1)})$`
 });
 
-const authMethodKindValidator = Object.freeze({
-  schema: Type.Union(AUTH_METHOD_KINDS.map((kind) => Type.Literal(kind)))
+const authMethodKindFieldDefinition = deepFreeze({
+  type: "string",
+  enum: AUTH_METHOD_KINDS
 });
 
 const OAUTH_RETURN_TO_PATTERN = "^(?:/(?!/).*$|https?://[^\\s]+)$";
 
-const oauthReturnToValidator = Object.freeze({
-  schema: Type.String({
-    minLength: 1,
-    maxLength: 1024,
-    pattern: OAUTH_RETURN_TO_PATTERN
-  })
+const oauthReturnToFieldDefinition = deepFreeze({
+  type: "string",
+  minLength: 1,
+  maxLength: 1024,
+  pattern: OAUTH_RETURN_TO_PATTERN
 });
 
-const authEmailValidator = Object.freeze({
-  schema: Type.String({
-    minLength: AUTH_EMAIL_MIN_LENGTH,
-    maxLength: AUTH_EMAIL_MAX_LENGTH,
-    pattern: AUTH_EMAIL_PATTERN
-  })
+const authEmailFieldDefinition = deepFreeze({
+  type: "string",
+  lowercase: true,
+  minLength: AUTH_EMAIL_MIN_LENGTH,
+  maxLength: AUTH_EMAIL_MAX_LENGTH,
+  pattern: AUTH_EMAIL_PATTERN
 });
 
-const authPasswordValidator = Object.freeze({
-  schema: Type.String({
-    minLength: AUTH_PASSWORD_MIN_LENGTH,
-    maxLength: AUTH_PASSWORD_MAX_LENGTH
-  })
+const authPasswordFieldDefinition = deepFreeze({
+  type: "string",
+  minLength: AUTH_PASSWORD_MIN_LENGTH,
+  maxLength: AUTH_PASSWORD_MAX_LENGTH
 });
 
-const authLoginPasswordValidator = Object.freeze({
-  schema: Type.String({
-    minLength: 1,
-    maxLength: AUTH_LOGIN_PASSWORD_MAX_LENGTH
-  })
+const authLoginPasswordFieldDefinition = deepFreeze({
+  type: "string",
+  minLength: 1,
+  maxLength: AUTH_LOGIN_PASSWORD_MAX_LENGTH
 });
 
-const authRecoveryTokenValidator = Object.freeze({
-  schema: Type.String({
-    minLength: 1,
-    maxLength: AUTH_RECOVERY_TOKEN_MAX_LENGTH
-  })
+const authRecoveryTokenFieldDefinition = deepFreeze({
+  type: "string",
+  minLength: 1,
+  maxLength: AUTH_RECOVERY_TOKEN_MAX_LENGTH
 });
 
-const authAccessTokenValidator = Object.freeze({
-  schema: Type.String({
-    minLength: 1,
-    maxLength: AUTH_ACCESS_TOKEN_MAX_LENGTH
-  })
+const authAccessTokenFieldDefinition = deepFreeze({
+  type: "string",
+  minLength: 1,
+  maxLength: AUTH_ACCESS_TOKEN_MAX_LENGTH
 });
 
-const authRefreshTokenValidator = Object.freeze({
-  schema: Type.String({
-    minLength: 1,
-    maxLength: AUTH_REFRESH_TOKEN_MAX_LENGTH
-  })
+const authRefreshTokenFieldDefinition = deepFreeze({
+  type: "string",
+  minLength: 1,
+  maxLength: AUTH_REFRESH_TOKEN_MAX_LENGTH
 });
 
-const okResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      ok: Type.Boolean()
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const oauthProviderValidator = deepFreeze({
+  type: "string",
+  ...oauthProviderFieldDefinition
 });
 
-const okMessageResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      ok: Type.Boolean(),
-      message: Type.String({ minLength: 1 })
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const authMethodIdValidator = deepFreeze({
+  type: "string",
+  ...authMethodIdFieldDefinition
 });
 
-const registerResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      ok: Type.Boolean(),
-      requiresEmailConfirmation: Type.Boolean(),
-      username: Type.Optional(Type.String({ minLength: 1, maxLength: 120 })),
-      message: Type.Optional(Type.String({ minLength: 1 }))
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const authMethodKindValidator = deepFreeze({
+  type: "string",
+  enum: AUTH_METHOD_KINDS
 });
 
-const loginResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      ok: Type.Boolean(),
-      username: Type.String({ minLength: 1, maxLength: 120 })
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const oauthReturnToValidator = deepFreeze({
+  type: "string",
+  ...oauthReturnToFieldDefinition
 });
 
-const otpVerifyResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      ok: Type.Boolean(),
-      username: Type.String({ minLength: 1, maxLength: 120 }),
-      email: authEmailValidator.schema
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const authEmailValidator = deepFreeze({
+  type: "string",
+  ...authEmailFieldDefinition
 });
 
-const oauthCompleteResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      ok: Type.Boolean(),
-      provider: Type.Optional(oauthProviderValidator.schema),
-      username: Type.String({ minLength: 1, maxLength: 120 }),
-      email: authEmailValidator.schema
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const authPasswordValidator = deepFreeze({
+  type: "string",
+  ...authPasswordFieldDefinition
 });
 
-const devLoginAsResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      ok: Type.Boolean(),
-      userId: Type.String({ minLength: 1 }),
-      username: Type.String({ minLength: 1, maxLength: 120 }),
-      email: authEmailValidator.schema
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const authLoginPasswordValidator = deepFreeze({
+  type: "string",
+  ...authLoginPasswordFieldDefinition
 });
 
-const logoutResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      ok: Type.Boolean()
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const authRecoveryTokenValidator = deepFreeze({
+  type: "string",
+  ...authRecoveryTokenFieldDefinition
 });
 
-const oauthProviderCatalogEntryValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      id: oauthProviderValidator.schema,
-      label: Type.String({ minLength: 1, maxLength: 120 })
-    },
-    {
-      additionalProperties: false
-    }
-  )
-});
-
-const sessionResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      authenticated: Type.Boolean(),
-      username: Type.Optional(Type.String({ minLength: 1, maxLength: 120 })),
-      email: Type.Optional(authEmailValidator.schema),
-      permissions: Type.Optional(Type.Array(Type.String({ minLength: 1, maxLength: 200 }))),
-      csrfToken: Type.String({ minLength: 1 }),
-      oauthProviders: Type.Array(oauthProviderCatalogEntryValidator.schema),
-      oauthDefaultProvider: Type.Union([oauthProviderValidator.schema, Type.Null()])
-    },
-    {
-      additionalProperties: false
-    }
-  )
+const authAccessTokenValidator = deepFreeze({
+  type: "string",
+  ...authAccessTokenFieldDefinition
 });
 
-const sessionUnavailableResponseValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      error: Type.String({ minLength: 1 }),
-      csrfToken: Type.String({ minLength: 1 }),
-      oauthProviders: Type.Array(oauthProviderCatalogEntryValidator.schema),
-      oauthDefaultProvider: Type.Union([oauthProviderValidator.schema, Type.Null()])
-    },
-    {
-      additionalProperties: false
+const authRefreshTokenValidator = deepFreeze({
+  type: "string",
+  ...authRefreshTokenFieldDefinition
+});
+
+const okOutputValidator = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true }
+  }),
+  mode: "replace"
+});
+
+const okMessageOutputValidator = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true },
+    message: { type: "string", required: true, minLength: 1 }
+  }),
+  mode: "replace"
+});
+
+const registerOutputValidator = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true },
+    requiresEmailConfirmation: { type: "boolean", required: true },
+    username: { type: "string", required: false, minLength: 1, maxLength: 120 },
+    message: { type: "string", required: false, minLength: 1 }
+  }),
+  mode: "replace"
+});
+
+const loginOutputValidator = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true },
+    username: { type: "string", required: true, minLength: 1, maxLength: 120 }
+  }),
+  mode: "replace"
+});
+
+const otpVerifyOutputValidator = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true },
+    username: { type: "string", required: true, minLength: 1, maxLength: 120 },
+    email: { ...authEmailFieldDefinition, required: true }
+  }),
+  mode: "replace"
+});
+
+const oauthCompleteOutputValidator = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true },
+    provider: { ...oauthProviderFieldDefinition, required: false },
+    username: { type: "string", required: true, minLength: 1, maxLength: 120 },
+    email: { ...authEmailFieldDefinition, required: true }
+  }),
+  mode: "replace"
+});
+
+const devLoginAsOutputValidator = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true },
+    userId: { type: "string", required: true, minLength: 1 },
+    username: { type: "string", required: true, minLength: 1, maxLength: 120 },
+    email: { ...authEmailFieldDefinition, required: true }
+  }),
+  mode: "replace"
+});
+
+const logoutOutputValidator = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true }
+  }),
+  mode: "replace"
+});
+
+const oauthProviderCatalogEntrySchema = createSchema({
+  id: { ...oauthProviderFieldDefinition, required: true },
+  label: { type: "string", required: true, minLength: 1, maxLength: 120 }
+});
+
+const oauthProviderCatalogEntryOutputValidator = deepFreeze({
+  schema: oauthProviderCatalogEntrySchema,
+  mode: "replace"
+});
+
+const sessionOutputSchema = createSchema({
+  authenticated: { type: "boolean", required: true },
+  username: { type: "string", required: false, minLength: 1, maxLength: 120 },
+  email: { ...authEmailFieldDefinition, required: false },
+  permissions: {
+    type: "array",
+    required: false,
+    items: {
+      type: "string",
+      minLength: 1,
+      maxLength: 200
     }
-  )
+  },
+  csrfToken: { type: "string", required: true, minLength: 1 },
+  oauthProviders: {
+    type: "array",
+    required: true,
+    items: oauthProviderCatalogEntrySchema
+  },
+  oauthDefaultProvider: {
+    ...oauthProviderFieldDefinition,
+    required: true,
+    nullable: true
+  }
+});
+
+const sessionOutputValidator = deepFreeze({
+  schema: sessionOutputSchema,
+  mode: "replace"
+});
+
+const sessionUnavailableOutputSchema = createSchema({
+  error: { type: "string", required: true, minLength: 1 },
+  csrfToken: { type: "string", required: true, minLength: 1 },
+  oauthProviders: {
+    type: "array",
+    required: true,
+    items: oauthProviderCatalogEntrySchema
+  },
+  oauthDefaultProvider: {
+    ...oauthProviderFieldDefinition,
+    required: true,
+    nullable: true
+  }
+});
+
+const sessionUnavailableOutputValidator = deepFreeze({
+  schema: sessionUnavailableOutputSchema,
+  mode: "replace"
 });
 
 function createCommandMessages({
   fields = {},
   defaultMessage = "Invalid value."
 } = {}) {
-  return Object.freeze({
+  return deepFreeze({
     apiValidation: "Validation failed.",
-    fields: Object.freeze({
+    fields: {
       ...(fields && typeof fields === "object" ? fields : {})
-    }),
-    keywords: Object.freeze({
+    },
+    keywords: {
       additionalProperties: "Unexpected field."
-    }),
+    },
     default: String(defaultMessage || "Invalid value.")
   });
 }
 
 export {
+  authEmailFieldDefinition,
+  authPasswordFieldDefinition,
+  authLoginPasswordFieldDefinition,
+  authRecoveryTokenFieldDefinition,
+  authAccessTokenFieldDefinition,
+  authRefreshTokenFieldDefinition,
+  oauthProviderFieldDefinition,
+  authMethodIdFieldDefinition,
+  authMethodKindFieldDefinition,
+  oauthReturnToFieldDefinition,
   authEmailValidator,
   authPasswordValidator,
   authLoginPasswordValidator,
@@ -257,16 +297,16 @@ export {
   authMethodIdValidator,
   authMethodKindValidator,
   oauthReturnToValidator,
-  okResponseValidator,
-  okMessageResponseValidator,
-  registerResponseValidator,
-  loginResponseValidator,
-  otpVerifyResponseValidator,
-  oauthCompleteResponseValidator,
-  devLoginAsResponseValidator,
-  logoutResponseValidator,
-  oauthProviderCatalogEntryValidator,
-  sessionResponseValidator,
-  sessionUnavailableResponseValidator,
+  okOutputValidator,
+  okMessageOutputValidator,
+  registerOutputValidator,
+  loginOutputValidator,
+  otpVerifyOutputValidator,
+  oauthCompleteOutputValidator,
+  devLoginAsOutputValidator,
+  logoutOutputValidator,
+  oauthProviderCatalogEntryOutputValidator,
+  sessionOutputValidator,
+  sessionUnavailableOutputValidator,
   createCommandMessages
 };

package/src/shared/commands/authDevLoginAsCommand.js

@@ -1,10 +1,10 @@
-import { Type } from "typebox";
+import { createSchema } from "json-rest-schema";
 import { recordIdInputSchema } from "@jskit-ai/kernel/shared/validators";
-import { normalizeObjectInput } from "../inputNormalization.js";
+import { deepFreeze } from "@jskit-ai/kernel/shared/support/deepFreeze";
 import {
   authEmailValidator,
   createCommandMessages,
-  devLoginAsResponseValidator
+  devLoginAsOutputValidator
 } from "./authCommandValidators.js";
 
 const AUTH_DEV_LOGIN_AS_MESSAGES = createCommandMessages({
@@ -21,18 +21,18 @@ const AUTH_DEV_LOGIN_AS_MESSAGES = createCommandMessages({
   defaultMessage: "Provide a valid user id or email."
 });
 
-const authDevLoginAsBodyValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      userId: Type.Optional(recordIdInputSchema),
-      email: Type.Optional(authEmailValidator.schema)
+const authDevLoginAsBodyValidator = deepFreeze({
+  schema: createSchema({
+    userId: {
+      ...recordIdInputSchema,
+      required: false
     },
-    {
-      additionalProperties: false,
-      anyOf: [{ required: ["userId"] }, { required: ["email"] }]
+    email: {
+      ...authEmailValidator,
+      required: false
     }
-  ),
-  normalize: normalizeObjectInput,
+  }),
+  mode: "patch",
   messages: {
     ...AUTH_DEV_LOGIN_AS_MESSAGES,
     keywords: {
@@ -42,16 +42,16 @@ const authDevLoginAsBodyValidator = Object.freeze({
   }
 });
 
-const authDevLoginAsCommand = Object.freeze({
+const authDevLoginAsCommand = deepFreeze({
   command: "auth.dev.loginAs",
-  operation: Object.freeze({
+  operation: {
     method: "POST",
-    bodyValidator: authDevLoginAsBodyValidator,
-    responseValidator: devLoginAsResponseValidator,
+    body: authDevLoginAsBodyValidator,
+    response: devLoginAsOutputValidator,
     messages: AUTH_DEV_LOGIN_AS_MESSAGES,
     idempotent: false,
-    invalidates: Object.freeze(["auth.session.read"])
-  })
+    invalidates: ["auth.session.read"]
+  }
 });
 
 export { AUTH_DEV_LOGIN_AS_MESSAGES, authDevLoginAsBodyValidator, authDevLoginAsCommand };