@jskit-ai/auth-core 0.1.54 → 0.1.56

package/src/shared/commands/authRegisterCommand.js

@@ -1,10 +1,10 @@
-import { Type } from "typebox";
-import { normalizeObjectInput } from "../inputNormalization.js";
+import { createSchema } from "json-rest-schema";
+import { deepFreeze } from "@jskit-ai/kernel/shared/support/deepFreeze";
 import {
-  authEmailValidator,
-  authPasswordValidator,
+  authEmailFieldDefinition,
+  authPasswordFieldDefinition,
   createCommandMessages,
-  registerResponseValidator
+  registerOutputValidator
 } from "./authCommandValidators.js";
 
 const AUTH_REGISTER_MESSAGES = createCommandMessages({
@@ -23,35 +23,30 @@ const AUTH_REGISTER_MESSAGES = createCommandMessages({
   }
 });
 
-const authRegisterBodyValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      email: authEmailValidator.schema,
-      password: authPasswordValidator.schema
-    },
-    {
-      additionalProperties: false
-    }
-  ),
-  normalize: normalizeObjectInput,
+const authRegisterBodyValidator = deepFreeze({
+  schema: createSchema({
+    email: { ...authEmailFieldDefinition, required: true },
+    password: { ...authPasswordFieldDefinition, required: true }
+  }),
+  mode: "create",
   messages: AUTH_REGISTER_MESSAGES
 });
 
-const authRegisterCommand = Object.freeze({
+const authRegisterCommand = deepFreeze({
   command: "auth.register",
-  operation: Object.freeze({
+  operation: {
     method: "POST",
-    bodyValidator: authRegisterBodyValidator,
-    responseValidator: registerResponseValidator,
+    body: authRegisterBodyValidator,
+    response: registerOutputValidator,
     messages: AUTH_REGISTER_MESSAGES,
     idempotent: false,
-    invalidates: Object.freeze(["auth.session.read"])
-  })
+    invalidates: ["auth.session.read"]
+  }
 });
 
 export {
   authRegisterBodyValidator,
-  registerResponseValidator,
+  registerOutputValidator,
   AUTH_REGISTER_MESSAGES,
   authRegisterCommand
 };

package/src/shared/commands/authRegisterConfirmationResendCommand.js

@@ -1,9 +1,9 @@
-import { Type } from "typebox";
-import { normalizeObjectInput } from "../inputNormalization.js";
+import { createSchema } from "json-rest-schema";
+import { deepFreeze } from "@jskit-ai/kernel/shared/support/deepFreeze";
 import {
-  authEmailValidator,
+  authEmailFieldDefinition,
   createCommandMessages,
-  okMessageResponseValidator
+  okMessageOutputValidator
 } from "./authCommandValidators.js";
 
 const AUTH_REGISTER_CONFIRMATION_RESEND_MESSAGES = createCommandMessages({
@@ -17,29 +17,24 @@ const AUTH_REGISTER_CONFIRMATION_RESEND_MESSAGES = createCommandMessages({
   }
 });
 
-const authRegisterConfirmationResendBodyValidator = Object.freeze({
-  schema: Type.Object(
-    {
-      email: authEmailValidator.schema
-    },
-    {
-      additionalProperties: false
-    }
-  ),
-  normalize: normalizeObjectInput,
+const authRegisterConfirmationResendBodyValidator = deepFreeze({
+  schema: createSchema({
+    email: { ...authEmailFieldDefinition, required: true }
+  }),
+  mode: "create",
   messages: AUTH_REGISTER_CONFIRMATION_RESEND_MESSAGES
 });
 
-const authRegisterConfirmationResendCommand = Object.freeze({
+const authRegisterConfirmationResendCommand = deepFreeze({
   command: "auth.register.confirmation.resend",
-  operation: Object.freeze({
+  operation: {
     method: "POST",
-    bodyValidator: authRegisterConfirmationResendBodyValidator,
-    responseValidator: okMessageResponseValidator,
+    body: authRegisterConfirmationResendBodyValidator,
+    response: okMessageOutputValidator,
     messages: AUTH_REGISTER_CONFIRMATION_RESEND_MESSAGES,
     idempotent: false,
-    invalidates: Object.freeze([])
-  })
+    invalidates: []
+  }
 });
 
 export {

package/src/shared/commands/authSessionReadCommand.js

@@ -1,26 +1,27 @@
 import {
   createCommandMessages,
-  sessionResponseValidator,
-  sessionUnavailableResponseValidator
+  sessionOutputValidator,
+  sessionUnavailableOutputValidator
 } from "./authCommandValidators.js";
+import { deepFreeze } from "@jskit-ai/kernel/shared/support/deepFreeze";
 
 const AUTH_SESSION_READ_MESSAGES = createCommandMessages();
 
-const authSessionReadCommand = Object.freeze({
+const authSessionReadCommand = deepFreeze({
   command: "auth.session.read",
-  operation: Object.freeze({
+  operation: {
     method: "GET",
-    responseValidator: sessionResponseValidator,
-    unavailableResponseValidator: sessionUnavailableResponseValidator,
+    response: sessionOutputValidator,
+    unavailableResponse: sessionUnavailableOutputValidator,
     messages: AUTH_SESSION_READ_MESSAGES,
     idempotent: true,
-    invalidates: Object.freeze([])
-  })
+    invalidates: []
+  }
 });
 
 export {
-  sessionResponseValidator,
-  sessionUnavailableResponseValidator,
+  sessionOutputValidator,
+  sessionUnavailableOutputValidator,
   AUTH_SESSION_READ_MESSAGES,
   authSessionReadCommand
 };

package/test/authPolicyContextResolverRegistry.test.js

@@ -5,7 +5,8 @@ import {
   AUTH_POLICY_CONTEXT_RESOLVER_TAG,
   composeAuthPolicyContextResolvers,
   registerAuthPolicyContextResolver,
-  resolveAuthPolicyContextResolvers
+  resolveAuthPolicyContextResolvers,
+  resolveComposedAuthPolicyContextResolver
 } from "../src/server/authPolicyContextResolverRegistry.js";
 
 test("auth policy context resolver registry resolves resolvers in order", async () => {
@@ -54,3 +55,40 @@ test("auth policy context resolver registry resolves resolvers in order", async
 test("auth policy context resolver registry exports canonical tag", () => {
   assert.equal(AUTH_POLICY_CONTEXT_RESOLVER_TAG, "jskit.auth.policy.context.resolvers");
 });
+
+test("auth policy context resolver registry resolves composed resolver directly from scope", async () => {
+  const app = createApplication();
+
+  registerAuthPolicyContextResolver(app, "test.auth.policy.context.permissions", () => ({
+    resolverId: "permissions",
+    order: 20,
+    async resolveAuthPolicyContext() {
+      return {
+        permissions: ["alpha.read"]
+      };
+    }
+  }));
+
+  registerAuthPolicyContextResolver(app, "test.auth.policy.context.workspace", () => ({
+    resolverId: "workspace",
+    order: 10,
+    async resolveAuthPolicyContext() {
+      return {
+        workspace: { id: "11" },
+        membership: { roleSid: "member" },
+        permissions: ["workspace.read"]
+      };
+    }
+  }));
+
+  const resolveContext = resolveComposedAuthPolicyContextResolver(app);
+  const context = await resolveContext({
+    actor: { id: "7" }
+  });
+
+  assert.deepEqual(context, {
+    workspace: { id: "11" },
+    membership: { roleSid: "member" },
+    permissions: ["workspace.read", "alpha.read"]
+  });
+});

package/test/commandValidators.test.js

@@ -1,5 +1,6 @@
 import test from "node:test";
 import assert from "node:assert/strict";
+import { resolveStructuredSchemaTransportSchema } from "@jskit-ai/kernel/shared/validators";
 import { authRegisterCommand } from "../src/shared/commands/authRegisterCommand.js";
 import { authRegisterConfirmationResendCommand } from "../src/shared/commands/authRegisterConfirmationResendCommand.js";
 import { authLoginPasswordCommand } from "../src/shared/commands/authLoginPasswordCommand.js";
@@ -35,11 +36,76 @@ test("auth commands expose canonical operation validator messages", () => {
 });
 
 test("oauth complete command allows provider-less session-pair callbacks", () => {
-  const bodySchema = authLoginOAuthCompleteCommand.operation.bodyValidator.schema;
+  const bodySchema = resolveStructuredSchemaTransportSchema(
+    authLoginOAuthCompleteCommand.operation.body,
+    {
+      context: "auth login oauth complete body",
+      defaultMode: "patch"
+    }
+  );
   const bodyRequired = Array.isArray(bodySchema?.required) ? bodySchema.required : [];
   assert.equal(bodyRequired.includes("provider"), false);
 
-  const responseSchema = authLoginOAuthCompleteCommand.operation.responseValidator.schema;
+  const responseSchema = resolveStructuredSchemaTransportSchema(
+    authLoginOAuthCompleteCommand.operation.response,
+    {
+      context: "auth login oauth complete response",
+      defaultMode: "replace"
+    }
+  );
   const responseRequired = Array.isArray(responseSchema?.required) ? responseSchema.required : [];
   assert.equal(responseRequired.includes("provider"), false);
 });
+
+test("auth command body validators lowercase email inputs", () => {
+  const commands = [
+    authRegisterCommand,
+    authRegisterConfirmationResendCommand,
+    authLoginPasswordCommand,
+    authLoginOtpRequestCommand,
+    authLoginOtpVerifyCommand,
+    authPasswordResetRequestCommand
+  ];
+
+  for (const command of commands) {
+    const result = command.operation.body.schema.patch({
+      email: "  ADA@EXAMPLE.COM  "
+    });
+    if (Object.hasOwn(result.validatedObject, "email")) {
+      assert.equal(result.validatedObject.email, "ada@example.com");
+    }
+  }
+});
+
+test("auth session and oauth start commands expose explicit nested response schemas", () => {
+  const sessionResponseSchema = resolveStructuredSchemaTransportSchema(
+    authSessionReadCommand.operation.response,
+    {
+      context: "auth session read response",
+      defaultMode: "replace"
+    }
+  );
+  const sessionUnavailableSchema = resolveStructuredSchemaTransportSchema(
+    authSessionReadCommand.operation.unavailableResponse,
+    {
+      context: "auth session read unavailable response",
+      defaultMode: "replace"
+    }
+  );
+  const oauthStartResponseSchema = resolveStructuredSchemaTransportSchema(
+    authLoginOAuthStartCommand.operation.response,
+    {
+      context: "auth login oauth start response",
+      defaultMode: "replace"
+    }
+  );
+
+  assert.equal(sessionResponseSchema.properties.oauthProviders.type, "array");
+  assert.equal(sessionResponseSchema.properties.oauthProviders.items["x-json-rest-schema"]?.castType, "object");
+  assert.equal(Array.isArray(sessionResponseSchema.properties.oauthProviders.items.allOf), true);
+  assert.match(sessionResponseSchema.properties.oauthProviders.items.allOf[0]?.$ref || "", /^#\/definitions\//);
+  assert.equal(Array.isArray(sessionUnavailableSchema.properties.oauthDefaultProvider.anyOf), true);
+  assert.equal(oauthStartResponseSchema.properties.provider.type, "string");
+  assert.equal(oauthStartResponseSchema.properties.returnTo.type, "string");
+  assert.equal(oauthStartResponseSchema.properties.url.type, "string");
+});

package/test/providerRuntime.test.js

@@ -50,6 +50,8 @@ test("FastifyAuthPolicyServiceProvider registers auth policy plugin through prov
 
 test("FastifyAuthPolicyServiceProvider wires optional auth policy context resolver", async () => {
   const { fastify, state } = createFakeFastifyPolicyRuntime();
+  const makeCalls = [];
+  const resolveTagCalls = [];
   const bag = new Map([
     ["jskit.fastify", fastify],
     ["jskit.env", { NODE_ENV: "test" }],
@@ -65,14 +67,6 @@ test("FastifyAuthPolicyServiceProvider wires optional auth policy context resolv
           };
         }
       }
-    ],
-    [
-      "auth.policy.contextResolver",
-      async ({ actor, request }) => ({
-        workspace: { id: 11, slug: String(request?.params?.workspaceSlug || "").toLowerCase() },
-        membership: { roleSid: "member" },
-        permissions: actor?.id === 7 ? ["projects.read"] : []
-      })
     ]
   ]);
 
@@ -81,17 +75,30 @@ test("FastifyAuthPolicyServiceProvider wires optional auth policy context resolv
       return bag.has(token);
     },
     make(token) {
+      makeCalls.push(String(token));
       if (!bag.has(token)) {
         throw new Error(`Missing token ${String(token)}`);
       }
       return bag.get(token);
     },
     resolveTag(tag) {
+      resolveTagCalls.push(String(tag));
       if (tag !== AUTH_POLICY_CONTEXT_RESOLVER_TAG) {
         return [];
       }
 
       return [
+        {
+          resolverId: "workspace",
+          order: 10,
+          async resolveAuthPolicyContext({ actor, request }) {
+            return {
+              workspace: { id: 11, slug: String(request?.params?.workspaceSlug || "").toLowerCase() },
+              membership: { roleSid: "member" },
+              permissions: actor?.id === 7 ? ["projects.read"] : []
+            };
+          }
+        },
         async () => ({
           permissions: ["settings.manage"]
         })
@@ -103,6 +110,9 @@ test("FastifyAuthPolicyServiceProvider wires optional auth policy context resolv
   provider.register(app);
   await provider.boot(app);
 
+  assert.deepEqual(makeCalls, ["jskit.env", "jskit.fastify"]);
+  assert.deepEqual(resolveTagCalls, []);
+
   const request = {
     method: "GET",
     raw: { url: "/api/w/acme/projects" },
@@ -117,6 +127,8 @@ test("FastifyAuthPolicyServiceProvider wires optional auth policy context resolv
   };
 
   await state.preHandler(request, {});
+  assert.ok(makeCalls.includes("authService"));
+  assert.deepEqual(resolveTagCalls, [AUTH_POLICY_CONTEXT_RESOLVER_TAG]);
   assert.equal(request.workspace?.id, 11);
   assert.equal(request.workspace?.slug, "acme");
   assert.equal(request.membership?.roleSid, "member");