@jskit-ai/auth-provider-supabase-core 0.1.4

package/package.descriptor.mjs

@@ -0,0 +1,138 @@
+export default Object.freeze({
+  "packageVersion": 1,
+  "packageId": "@jskit-ai/auth-provider-supabase-core",
+  "version": "0.1.4",
+  "options": {
+    "auth-supabase-url": {
+      "required": true,
+      "values": [],
+      "promptLabel": "Supabase URL",
+      "promptHint": "https://YOUR-PROJECT.supabase.co"
+    },
+    "auth-supabase-publishable-key": {
+      "required": true,
+      "values": [],
+      "promptLabel": "Supabase publishable key",
+      "promptHint": "sb_publishable_..."
+    },
+    "app-public-url": {
+      "required": true,
+      "values": [],
+      "defaultValue": "http://localhost:5173",
+      "promptLabel": "App public URL",
+      "promptHint": "Browser URL used for auth redirects"
+    }
+  },
+  "dependsOn": [
+    "@jskit-ai/auth-core",
+    "@jskit-ai/value-app-config-shared"
+  ],
+  "capabilities": {
+    "provides": [
+      "auth.provider.supabase",
+      "auth.provider"
+    ],
+    "requires": [
+      "auth.access"
+    ]
+  },
+  "runtime": {
+    "server": {
+      "providerEntrypoint": "src/server/providers/AuthSupabaseServiceProvider.js",
+      "providers": [
+        {
+          "entrypoint": "src/server/providers/AuthSupabaseServiceProvider.js",
+          "export": "AuthSupabaseServiceProvider"
+        },
+        {
+          "entrypoint": "src/server/providers/AuthProviderServiceProvider.js",
+          "export": "AuthProviderServiceProvider"
+        }
+      ]
+    }
+  },
+  "metadata": {
+    "apiSummary": {
+      "surfaces": [
+        {
+          "subpath": "./server/providers/AuthSupabaseServiceProvider",
+          "summary": "Exports the Supabase auth provider service provider."
+        },
+        {
+          "subpath": "./server/providers/AuthProviderServiceProvider",
+          "summary": "Exports the generic auth provider registration service provider."
+        },
+        {
+          "subpath": "./server/lib/index",
+          "summary": "Exports curated server-side Supabase auth service helpers."
+        },
+        {
+          "subpath": "./client",
+          "summary": "Exports no runtime API today (reserved client entrypoint)."
+        }
+      ],
+      "containerTokens": {
+        "server": [
+          "authService",
+          "auth.provider.supabase.actionContributor"
+        ],
+        "client": []
+      }
+    }
+  },
+  "mutations": {
+    "dependencies": {
+      "runtime": {
+        "@jskit-ai/auth-core": "0.1.4",
+        "@jskit-ai/kernel": "0.1.4",
+        "dotenv": "^16.4.5",
+        "@supabase/supabase-js": "^2.57.4",
+        "jose": "^6.1.0"
+      },
+      "dev": {}
+    },
+    "packageJson": {
+      "scripts": {}
+    },
+    "procfile": {},
+    "files": [],
+    "text": [
+      {
+        "file": ".env",
+        "op": "upsert-env",
+        "key": "AUTH_PROVIDER",
+        "value": "supabase",
+        "reason": "Select Supabase as the auth provider.",
+        "category": "runtime-config",
+        "id": "auth-provider"
+      },
+      {
+        "file": ".env",
+        "op": "upsert-env",
+        "key": "AUTH_SUPABASE_URL",
+        "value": "${option:auth-supabase-url}",
+        "reason": "Configure Supabase project URL for auth.",
+        "category": "runtime-config",
+        "id": "auth-supabase-url"
+      },
+      {
+        "file": ".env",
+        "op": "upsert-env",
+        "key": "AUTH_SUPABASE_PUBLISHABLE_KEY",
+        "value": "${option:auth-supabase-publishable-key}",
+        "reason": "Configure Supabase publishable key for auth.",
+        "category": "runtime-config",
+        "id": "auth-supabase-publishable-key"
+      },
+      {
+        "file": ".env",
+        "op": "upsert-env",
+        "key": "APP_PUBLIC_URL",
+        "value": "${option:app-public-url}",
+        "reason": "Configure application public URL for auth redirect flows.",
+        "category": "runtime-config",
+        "id": "auth-app-public-url"
+      }
+    ]
+  }
+});

package/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "@jskit-ai/auth-provider-supabase-core",
+  "version": "0.1.4",
+  "type": "module",
+  "scripts": {
+    "test": "node --test"
+  },
+  "exports": {
+    "./server/providers/AuthSupabaseServiceProvider": "./src/server/providers/AuthSupabaseServiceProvider.js",
+    "./server/providers/AuthProviderServiceProvider": "./src/server/providers/AuthProviderServiceProvider.js",
+    "./server/lib/index": "./src/server/lib/index.js",
+    "./client": "./src/client/index.js"
+  },
+  "dependencies": {
+    "@jskit-ai/auth-core": "0.1.4",
+    "@jskit-ai/kernel": "0.1.4",
+    "jose": "^6.1.0",
+    "@supabase/supabase-js": "^2.57.4"
+  }
+}

package/src/client/index.js

@@ -0,0 +1 @@
+export {};

package/src/server/lib/accountFlows.js

@@ -0,0 +1,276 @@
+import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+
+function normalizeLocalReturnToPath(value, { fallback = "" } = {}) {
+  const normalized = String(value || "").trim();
+  if (!normalized) {
+    return fallback;
+  }
+
+  if (!normalized.startsWith("/") || normalized.startsWith("//")) {
+    return fallback;
+  }
+
+  return normalized;
+}
+
+function createAccountFlows(deps) {
+  const {
+    ensureConfigured,
+    validators,
+    validationError,
+    getSupabaseClient,
+    displayNameFromEmail,
+    mapAuthError,
+    syncProfileFromSupabaseUser,
+    resolvePasswordSignInPolicyForUserId,
+    otpLoginRedirectUrl,
+    buildOtpLoginRedirectUrl,
+    appPublicUrl,
+    isTransientSupabaseError,
+    isUserNotFoundLikeAuthError,
+    parseOtpLoginVerifyPayload,
+    mapOtpVerifyError,
+    setSessionFromRequestCookies,
+    mapProfileUpdateError,
+    normalizeReturnToPath = normalizeLocalReturnToPath
+  } = deps;
+
+  function resolveOtpEmailRedirectTo(returnToValue) {
+    const returnTo = normalizeReturnToPath(returnToValue, { fallback: "" });
+    if (!returnTo) {
+      return otpLoginRedirectUrl;
+    }
+
+    if (typeof buildOtpLoginRedirectUrl === "function") {
+      try {
+        return buildOtpLoginRedirectUrl({
+          appPublicUrl,
+          returnTo
+        });
+      } catch {
+        // Fall through to the pre-built URL fallback below.
+      }
+    }
+
+    try {
+      const redirectUrl = new URL(String(otpLoginRedirectUrl || ""));
+      redirectUrl.searchParams.set("returnTo", returnTo);
+      return redirectUrl.toString();
+    } catch {
+      return otpLoginRedirectUrl;
+    }
+  }
+
+  async function register(payload) {
+    ensureConfigured();
+
+    const parsed = validators.registerInput(payload);
+    if (Object.keys(parsed.fieldErrors).length > 0) {
+      throw validationError(parsed.fieldErrors);
+    }
+
+    const supabase = getSupabaseClient();
+    const response = await supabase.auth.signUp({
+      email: parsed.email,
+      password: parsed.password,
+      options: {
+        data: {
+          display_name: displayNameFromEmail(parsed.email)
+        }
+      }
+    });
+
+    if (response.error) {
+      throw mapAuthError(response.error, 400);
+    }
+
+    if (!response.data?.user) {
+      throw new AppError(500, "Supabase sign-up did not return a user.");
+    }
+
+    const profile = await syncProfileFromSupabaseUser(response.data.user, parsed.email);
+
+    if (!response.data.session) {
+      return {
+        requiresEmailConfirmation: true,
+        email: parsed.email,
+        profile,
+        session: null
+      };
+    }
+
+    return {
+      requiresEmailConfirmation: false,
+      profile,
+      session: response.data.session
+    };
+  }
+
+  async function login(payload) {
+    ensureConfigured();
+
+    const parsed = validators.loginInput(payload);
+    if (Object.keys(parsed.fieldErrors).length > 0) {
+      throw validationError(parsed.fieldErrors);
+    }
+
+    const supabase = getSupabaseClient();
+    const response = await supabase.auth.signInWithPassword({
+      email: parsed.email,
+      password: parsed.password
+    });
+
+    if (response.error || !response.data?.user || !response.data?.session) {
+      throw mapAuthError(response.error, 401);
+    }
+
+    const profile = await syncProfileFromSupabaseUser(response.data.user, parsed.email);
+    const passwordSignInPolicy = await resolvePasswordSignInPolicyForUserId(profile.id);
+    if (!passwordSignInPolicy.passwordSignInEnabled) {
+      throw new AppError(401, "Invalid email or password.");
+    }
+
+    return {
+      profile,
+      session: response.data.session
+    };
+  }
+
+  async function requestOtpLogin(payload) {
+    ensureConfigured();
+
+    const parsed = validators.forgotPasswordInput(payload);
+    if (Object.keys(parsed.fieldErrors).length > 0) {
+      throw validationError(parsed.fieldErrors);
+    }
+
+    const emailRedirectTo = resolveOtpEmailRedirectTo(payload?.returnTo);
+    const supabase = getSupabaseClient();
+    let response;
+    try {
+      response = await supabase.auth.signInWithOtp({
+        email: parsed.email,
+        options: {
+          shouldCreateUser: false,
+          emailRedirectTo
+        }
+      });
+    } catch (error) {
+      if (isTransientSupabaseError(error)) {
+        throw mapAuthError(error, 503);
+      }
+
+      return {
+        ok: true,
+        message: "If an account exists for that email, a one-time code has been sent."
+      };
+    }
+
+    if (response.error) {
+      if (isTransientSupabaseError(response.error)) {
+        throw mapAuthError(response.error, 503);
+      }
+
+      if (isUserNotFoundLikeAuthError(response.error)) {
+        return {
+          ok: true,
+          message: "If an account exists for that email, a one-time code has been sent."
+        };
+      }
+
+      throw mapAuthError(response.error, Number(response.error?.status || 400));
+    }
+
+    return {
+      ok: true,
+      message: "If an account exists for that email, a one-time code has been sent."
+    };
+  }
+
+  async function verifyOtpLogin(payload) {
+    ensureConfigured();
+
+    const parsed = parseOtpLoginVerifyPayload(payload);
+    if (Object.keys(parsed.fieldErrors).length > 0) {
+      throw validationError(parsed.fieldErrors);
+    }
+
+    const supabase = getSupabaseClient();
+    let response;
+    try {
+      if (parsed.tokenHash) {
+        response = await supabase.auth.verifyOtp({
+          token_hash: parsed.tokenHash,
+          type: parsed.type
+        });
+      } else {
+        response = await supabase.auth.verifyOtp({
+          email: parsed.email,
+          token: parsed.token,
+          type: parsed.type
+        });
+      }
+    } catch (error) {
+      throw mapOtpVerifyError(error);
+    }
+
+    if (response.error || !response.data?.session || !response.data?.user) {
+      throw mapOtpVerifyError(response.error);
+    }
+
+    const profile = await syncProfileFromSupabaseUser(response.data.user, response.data.user.email || parsed.email);
+
+    return {
+      profile,
+      session: response.data.session
+    };
+  }
+
+  async function updateDisplayName(request, displayName) {
+    ensureConfigured();
+
+    const normalizedDisplayName = String(displayName || "").trim();
+    if (!normalizedDisplayName) {
+      throw validationError({
+        displayName: "Display name is required."
+      });
+    }
+
+    const supabase = getSupabaseClient();
+    const sessionResponse = await setSessionFromRequestCookies(request, {
+      supabaseClient: supabase
+    });
+
+    let updateResponse;
+    try {
+      updateResponse = await supabase.auth.updateUser({
+        data: {
+          display_name: normalizedDisplayName
+        }
+      });
+    } catch (error) {
+      throw mapProfileUpdateError(error);
+    }
+
+    if (updateResponse.error || !updateResponse.data?.user) {
+      throw mapProfileUpdateError(updateResponse.error);
+    }
+
+    const profile = await syncProfileFromSupabaseUser(updateResponse.data.user, updateResponse.data.user.email);
+
+    return {
+      profile,
+      session: sessionResponse.data.session
+    };
+  }
+
+  return {
+    register,
+    login,
+    requestOtpLogin,
+    verifyOtpLogin,
+    updateDisplayName
+  };
+}
+
+export { createAccountFlows };

package/src/server/lib/actions/auth.contributor.js

@@ -0,0 +1,225 @@
+import {
+  EMPTY_INPUT_VALIDATOR
+} from "@jskit-ai/kernel/shared/actions/actionContributorHelpers";
+import { authRegisterCommand } from "@jskit-ai/auth-core/shared/commands/authRegisterCommand";
+import { authLoginPasswordCommand } from "@jskit-ai/auth-core/shared/commands/authLoginPasswordCommand";
+import { authLoginOtpRequestCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOtpRequestCommand";
+import { authLoginOtpVerifyCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOtpVerifyCommand";
+import { authLoginOAuthStartCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthStartCommand";
+import { authLoginOAuthCompleteCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthCompleteCommand";
+import { authPasswordResetRequestCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordResetRequestCommand";
+import { authPasswordRecoveryCompleteCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordRecoveryCompleteCommand";
+import { authPasswordResetCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordResetCommand";
+
+function requireRequestContext(context, actionId) {
+  const request = context?.requestMeta?.request || null;
+  if (request) {
+    return request;
+  }
+
+  throw new Error(`${actionId} requires request context.`);
+}
+
+const authActions = Object.freeze([
+  {
+    id: "auth.register",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authRegisterCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.register"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.register(input);
+    }
+  },
+  {
+    id: "auth.login.password",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authLoginPasswordCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.login.password"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.login(input);
+    }
+  },
+  {
+    id: "auth.login.otp.request",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authLoginOtpRequestCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.login.otp.request"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.requestOtpLogin(input);
+    }
+  },
+  {
+    id: "auth.login.otp.verify",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authLoginOtpVerifyCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.login.otp.verify"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.verifyOtpLogin(input);
+    }
+  },
+  {
+    id: "auth.login.oauth.start",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: [authLoginOAuthStartCommand.operation.paramsValidator, authLoginOAuthStartCommand.operation.queryValidator],
+    idempotency: "none",
+    audit: {
+      actionName: "auth.login.oauth.start"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.oauthStart(input);
+    }
+  },
+  {
+    id: "auth.login.oauth.complete",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authLoginOAuthCompleteCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.login.oauth.complete"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.oauthComplete(input);
+    }
+  },
+  {
+    id: "auth.password.reset.request",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authPasswordResetRequestCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.password.reset.request"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.requestPasswordReset(input);
+    }
+  },
+  {
+    id: "auth.password.recovery.complete",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authPasswordRecoveryCompleteCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.password.recovery.complete"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.completePasswordRecovery(input);
+    }
+  },
+  {
+    id: "auth.password.reset",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authPasswordResetCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.password.reset"
+    },
+    observability: {},
+    async execute(input, context, deps) {
+      return deps.authService.resetPassword(requireRequestContext(context, "auth.password.reset"), input);
+    }
+  },
+  {
+    id: "auth.logout",
+    version: 1,
+    kind: "command",
+    channels: ["api", "automation", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: EMPTY_INPUT_VALIDATOR,
+    outputValidator: {
+      schema: {
+        type: "object",
+        properties: {
+          ok: {
+            type: "boolean"
+          },
+          clearSession: {
+            type: "boolean"
+          }
+        },
+        required: ["ok", "clearSession"],
+        additionalProperties: false
+      }
+    },
+    idempotency: "none",
+    audit: {
+      actionName: "auth.logout"
+    },
+    observability: {},
+    async execute(_input, context, deps) {
+      if (deps.authSessionEventsService && typeof deps.authSessionEventsService.notifySessionChanged === "function") {
+        await deps.authSessionEventsService.notifySessionChanged({
+          context
+        });
+      }
+      return {
+        ok: true,
+        clearSession: true
+      };
+    }
+  },
+  {
+    id: "auth.session.read",
+    version: 1,
+    kind: "query",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: EMPTY_INPUT_VALIDATOR,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.session.read"
+    },
+    observability: {},
+    async execute(_input, context, deps) {
+      return deps.authService.authenticateRequest(requireRequestContext(context, "auth.session.read"));
+    }
+  }
+]);
+
+export { authActions };

package/src/server/lib/authCookies.js

@@ -0,0 +1,24 @@
+function safeRequestCookies(request) {
+  if (request?.cookies && typeof request.cookies === "object") {
+    return request.cookies;
+  }
+
+  return {};
+}
+
+function cookieOptions(isProduction, maxAge) {
+  const options = {
+    httpOnly: true,
+    sameSite: "lax",
+    secure: isProduction,
+    path: "/"
+  };
+
+  if (Number.isFinite(maxAge)) {
+    options.maxAge = Math.max(0, Math.floor(maxAge));
+  }
+
+  return options;
+}
+
+export { safeRequestCookies, cookieOptions };