@jskit-ai/auth-provider-supabase-core 0.1.4

package/src/server/lib/authErrorMappers.js

@@ -0,0 +1,194 @@
+import { AppError, createValidationError } from "@jskit-ai/kernel/server/runtime/errors";
+
+const TRANSIENT_AUTH_MESSAGE_PARTS = [
+  "network",
+  "fetch",
+  "timeout",
+  "timed out",
+  "econn",
+  "enotfound",
+  "socket",
+  "temporar"
+];
+
+const validationError = createValidationError;
+
+function isTransientAuthMessage(message) {
+  const normalized = String(message || "").toLowerCase();
+  return TRANSIENT_AUTH_MESSAGE_PARTS.some((part) => normalized.includes(part));
+}
+
+function isTransientSupabaseError(error) {
+  if (!error) {
+    return false;
+  }
+
+  const status = Number(error.status || error.statusCode);
+  if (Number.isFinite(status) && status >= 500) {
+    return true;
+  }
+
+  return isTransientAuthMessage(error.message);
+}
+
+function sanitizeAuthMessage(message, fallback = "Authentication request could not be processed.") {
+  const normalized = String(message || "")
+    .replace(/\s+/g, " ")
+    .trim();
+  if (!normalized) {
+    return fallback;
+  }
+
+  return normalized.slice(0, 320);
+}
+
+function mapAuthError(error, fallbackStatus) {
+  if (isTransientSupabaseError(error)) {
+    return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
+  }
+
+  const message = sanitizeAuthMessage(error?.message, "Authentication failed.");
+  const lower = message.toLowerCase();
+
+  if (lower.includes("already registered") || lower.includes("already been registered")) {
+    return new AppError(409, "Email is already registered.");
+  }
+
+  if (lower.includes("email not confirmed") || lower.includes("confirm your email")) {
+    return new AppError(403, "Account exists but email confirmation is required before login.");
+  }
+
+  if (lower.includes("invalid login credentials") || lower.includes("invalid credentials")) {
+    return new AppError(401, "Invalid email or password.");
+  }
+
+  if (
+    lower.includes("already linked") ||
+    lower.includes("identity is already linked") ||
+    (lower.includes("identity") && lower.includes("already exists"))
+  ) {
+    return new AppError(409, "This sign-in method is already linked.");
+  }
+
+  if (lower.includes("manual linking is disabled")) {
+    return new AppError(
+      409,
+      "Provider linking is disabled in Supabase. Enable Manual Linking in Supabase Auth settings to link or unlink providers."
+    );
+  }
+
+  if (
+    lower.includes("last identity") ||
+    lower.includes("only identity") ||
+    (lower.includes("at least one") && lower.includes("identity"))
+  ) {
+    return new AppError(409, "At least one linked sign-in method must remain available.");
+  }
+
+  if (lower.includes("identity") && lower.includes("not found")) {
+    return new AppError(409, "This sign-in method is not currently linked.");
+  }
+
+  const status = Number.isInteger(Number(fallbackStatus)) ? Number(fallbackStatus) : 400;
+  if (status >= 500) {
+    return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
+  }
+  if (status === 401) {
+    return new AppError(401, "Invalid email or password.");
+  }
+  if (status >= 400 && status < 500) {
+    return new AppError(status, "Authentication request could not be processed.");
+  }
+
+  return new AppError(status, "Authentication request could not be processed.");
+}
+
+function isUserNotFoundLikeAuthError(error) {
+  const message = String(error?.message || "").toLowerCase();
+  return (
+    message.includes("user not found") ||
+    message.includes("no user") ||
+    message.includes("email not found") ||
+    message.includes("signup is disabled") ||
+    message.includes("signups not allowed")
+  );
+}
+
+function mapRecoveryError(error) {
+  if (isTransientSupabaseError(error)) {
+    return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
+  }
+
+  const status = Number(error?.status || error?.statusCode);
+  if (status === 429) {
+    return new AppError(429, "Too many recovery attempts. Please wait and try again.");
+  }
+
+  return new AppError(401, "Recovery link is invalid or has expired.");
+}
+
+function mapPasswordUpdateError(error) {
+  if (isTransientSupabaseError(error)) {
+    return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
+  }
+
+  const message = String(error?.message || "").toLowerCase();
+  if (message.includes("same") && message.includes("password")) {
+    return createValidationError({
+      password: "New password must be different from the current password."
+    });
+  }
+
+  return createValidationError({
+    password: "Unable to update password with the provided value."
+  });
+}
+
+function mapOtpVerifyError(error) {
+  if (isTransientSupabaseError(error)) {
+    return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
+  }
+
+  return new AppError(401, "One-time code is invalid or expired.");
+}
+
+function mapProfileUpdateError(error) {
+  if (isTransientSupabaseError(error)) {
+    return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
+  }
+
+  return validationError({
+    displayName: "Unable to update profile details."
+  });
+}
+
+function mapCurrentPasswordError(error) {
+  if (isTransientSupabaseError(error)) {
+    return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
+  }
+
+  const status = Number(error?.status || error?.statusCode);
+  if (status === 400 || status === 401 || status === 403) {
+    return validationError({
+      currentPassword: "Current password is incorrect."
+    });
+  }
+
+  return validationError({
+    currentPassword: "Unable to verify current password."
+  });
+}
+
+export {
+  isTransientAuthMessage,
+  isTransientSupabaseError,
+  sanitizeAuthMessage,
+  mapAuthError,
+  validationError,
+  isUserNotFoundLikeAuthError,
+  mapRecoveryError,
+  mapPasswordUpdateError,
+  mapOtpVerifyError,
+  mapProfileUpdateError,
+  mapCurrentPasswordError
+};

package/src/server/lib/authInputParsers.js

@@ -0,0 +1,217 @@
+import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import {
+  AUTH_ACCESS_TOKEN_MAX_LENGTH,
+  AUTH_RECOVERY_TOKEN_MAX_LENGTH,
+  AUTH_REFRESH_TOKEN_MAX_LENGTH
+} from "@jskit-ai/auth-core/shared/authConstraints";
+import { normalizeOAuthProviderList } from "@jskit-ai/auth-core/shared/oauthProviders";
+import { validators } from "@jskit-ai/auth-core/server/validators";
+import { normalizeOAuthProviderFromCatalog } from "./oauthProviderCatalog.js";
+import { validationError } from "./authErrorMappers.js";
+
+const OTP_VERIFY_TYPE = "email";
+const SESSION_PAIR_REQUIRED_ERRORS = Object.freeze({
+  accessToken: "Access token is required when a refresh token is provided.",
+  refreshToken: "Refresh token is required when an access token is provided."
+});
+
+function applySessionPairValidation(accessToken, refreshToken, fieldErrors) {
+  if ((accessToken && !refreshToken) || (!accessToken && refreshToken)) {
+    if (!accessToken) {
+      fieldErrors.accessToken = SESSION_PAIR_REQUIRED_ERRORS.accessToken;
+    }
+    if (!refreshToken) {
+      fieldErrors.refreshToken = SESSION_PAIR_REQUIRED_ERRORS.refreshToken;
+    }
+  }
+}
+
+function resolveConfiguredOAuthProviders(options = {}) {
+  return normalizeOAuthProviderList(options.providerIds, { fallback: [] });
+}
+
+function normalizeOAuthProviderInput(value, options = {}) {
+  const providerIds = resolveConfiguredOAuthProviders(options);
+  if (providerIds.length < 1) {
+    throw validationError({
+      provider: "OAuth sign-in is not enabled."
+    });
+  }
+
+  const provider = normalizeOAuthProviderFromCatalog(value, {
+    providerIds,
+    fallback: options.defaultProvider
+  });
+  if (provider) {
+    return provider;
+  }
+
+  throw validationError({
+    provider: `OAuth provider must be one of: ${providerIds.join(", ")}.`
+  });
+}
+
+function validatePasswordRecoveryPayload(payload) {
+  const code = String(payload?.code || "").trim();
+  const tokenHash = String(payload?.tokenHash || "").trim();
+  const type = String(payload?.type || "recovery")
+    .trim()
+    .toLowerCase();
+  const accessToken = String(payload?.accessToken || "").trim();
+  const refreshToken = String(payload?.refreshToken || "").trim();
+
+  const fieldErrors = {};
+
+  if (type !== "recovery") {
+    fieldErrors.type = "Only recovery password reset links are supported.";
+  }
+
+  if (code.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
+    fieldErrors.code = "Recovery code is too long.";
+  }
+
+  if (tokenHash.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
+    fieldErrors.tokenHash = "Recovery token is too long.";
+  }
+
+  if (accessToken.length > AUTH_ACCESS_TOKEN_MAX_LENGTH) {
+    fieldErrors.accessToken = "Access token is too long.";
+  }
+
+  if (refreshToken.length > AUTH_REFRESH_TOKEN_MAX_LENGTH) {
+    fieldErrors.refreshToken = "Refresh token is too long.";
+  }
+
+  applySessionPairValidation(accessToken, refreshToken, fieldErrors);
+
+  const hasCode = Boolean(code);
+  const hasTokenHash = Boolean(tokenHash);
+  const hasSessionPair = Boolean(accessToken && refreshToken);
+
+  if (!hasCode && !hasTokenHash && !hasSessionPair) {
+    fieldErrors.recovery = "Recovery token is required.";
+  }
+
+  return {
+    code,
+    tokenHash,
+    type,
+    accessToken,
+    refreshToken,
+    hasCode,
+    hasTokenHash,
+    hasSessionPair,
+    fieldErrors
+  };
+}
+
+function parseOAuthCompletePayload(payload = {}, options = {}) {
+  const provider = normalizeOAuthProviderInput(payload.provider || options.defaultProvider, options);
+  const code = String(payload.code || "").trim();
+  const accessToken = String(payload.accessToken || "").trim();
+  const refreshToken = String(payload.refreshToken || "").trim();
+  const errorCode = String(payload.error || payload.error_code || "").trim();
+  const errorDescription = String(payload.errorDescription || payload.error_description || "").trim();
+  const fieldErrors = {};
+
+  if (code.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
+    fieldErrors.code = "OAuth code is too long.";
+  }
+
+  if (errorCode.length > 128) {
+    fieldErrors.error = "OAuth error code is too long.";
+  }
+
+  if (errorDescription.length > 1024) {
+    fieldErrors.errorDescription = "OAuth error description is too long.";
+  }
+
+  if (accessToken.length > AUTH_ACCESS_TOKEN_MAX_LENGTH) {
+    fieldErrors.accessToken = "Access token is too long.";
+  }
+
+  if (refreshToken.length > AUTH_REFRESH_TOKEN_MAX_LENGTH) {
+    fieldErrors.refreshToken = "Refresh token is too long.";
+  }
+
+  applySessionPairValidation(accessToken, refreshToken, fieldErrors);
+
+  const hasSessionPair = Boolean(accessToken && refreshToken);
+
+  if (!code && !errorCode && !hasSessionPair) {
+    fieldErrors.code = "OAuth code is required when access/refresh tokens are not provided.";
+  }
+
+  return {
+    provider,
+    code,
+    accessToken,
+    refreshToken,
+    hasSessionPair,
+    errorCode,
+    errorDescription,
+    fieldErrors
+  };
+}
+
+function parseOtpLoginVerifyPayload(payload = {}) {
+  const parsedEmail = validators.forgotPasswordInput(payload);
+  const token = String(payload?.token || "").trim();
+  const tokenHash = String(payload?.tokenHash || "").trim();
+  const type = String(payload?.type || OTP_VERIFY_TYPE)
+    .trim()
+    .toLowerCase();
+  const fieldErrors = {
+    ...parsedEmail.fieldErrors
+  };
+
+  if (type !== OTP_VERIFY_TYPE) {
+    fieldErrors.type = "Only email OTP verification is supported.";
+  }
+
+  if (!token && !tokenHash) {
+    fieldErrors.token = "One-time code is required.";
+  }
+
+  if (token && token.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
+    fieldErrors.token = "One-time code is too long.";
+  }
+
+  if (tokenHash && tokenHash.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
+    fieldErrors.tokenHash = "One-time token hash is too long.";
+  }
+
+  if (token && parsedEmail.fieldErrors.email) {
+    fieldErrors.email = parsedEmail.fieldErrors.email;
+  } else if (tokenHash) {
+    delete fieldErrors.email;
+  }
+
+  return {
+    email: parsedEmail.email,
+    token,
+    tokenHash,
+    type,
+    fieldErrors
+  };
+}
+
+function mapOAuthCallbackError(errorCode) {
+  const normalizedCode = String(errorCode || "")
+    .trim()
+    .toLowerCase();
+
+  if (normalizedCode === "access_denied") {
+    return new AppError(401, "OAuth sign-in was cancelled.");
+  }
+
+  return new AppError(401, "OAuth sign-in failed.");
+}
+
+export {
+  normalizeOAuthProviderInput,
+  validatePasswordRecoveryPayload,
+  parseOAuthCompletePayload,
+  parseOtpLoginVerifyPayload,
+  mapOAuthCallbackError
+};

package/src/server/lib/authJwt.js

@@ -0,0 +1,49 @@
+import { isTransientAuthMessage } from "./authErrorMappers.js";
+
+const INVALID_JWT_ERROR_CODES = new Set([
+  "ERR_JWS_SIGNATURE_VERIFICATION_FAILED",
+  "ERR_JWT_INVALID",
+  "ERR_JWT_CLAIM_VALIDATION_FAILED",
+  "ERR_JWS_INVALID",
+  "ERR_JOSE_ALG_NOT_ALLOWED",
+  "ERR_JWKS_NO_MATCHING_KEY"
+]);
+
+const TRANSIENT_JWT_ERROR_CODES = new Set(["ERR_JWKS_TIMEOUT", "ERR_JOSE_GENERIC", "ERR_JWKS_INVALID"]);
+
+let joseImportPromise = null;
+function loadJose() {
+  if (!joseImportPromise) {
+    joseImportPromise = import("jose");
+  }
+  return joseImportPromise;
+}
+
+function isExpiredJwtError(error) {
+  const code = String(error?.code || "");
+  const name = String(error?.name || "");
+  return code === "ERR_JWT_EXPIRED" || name === "JWTExpired";
+}
+
+function classifyJwtVerifyError(error) {
+  if (isExpiredJwtError(error)) {
+    return "expired";
+  }
+
+  const code = String(error?.code || "");
+  if (INVALID_JWT_ERROR_CODES.has(code)) {
+    return "invalid";
+  }
+
+  if (TRANSIENT_JWT_ERROR_CODES.has(code)) {
+    return "transient";
+  }
+
+  if (isTransientAuthMessage(error?.message)) {
+    return "transient";
+  }
+
+  return "invalid";
+}
+
+export { loadJose, isExpiredJwtError, classifyJwtVerifyError };

package/src/server/lib/authMethodStatus.js

@@ -0,0 +1,233 @@
+import {
+  AUTH_METHOD_EMAIL_OTP_ID,
+  AUTH_METHOD_EMAIL_OTP_PROVIDER,
+  AUTH_METHOD_KIND_OAUTH,
+  AUTH_METHOD_KIND_OTP,
+  AUTH_METHOD_KIND_PASSWORD,
+  AUTH_METHOD_MINIMUM_ENABLED,
+  AUTH_METHOD_PASSWORD_ID,
+  AUTH_METHOD_PASSWORD_PROVIDER,
+  buildAuthMethodDefinitions,
+  buildOAuthMethodId
+} from "@jskit-ai/auth-core/shared/authMethods";
+
+function normalizeIdentityProviderId(value) {
+  return String(value || "")
+    .trim()
+    .toLowerCase();
+}
+
+function normalizeProviderIdList(providerIds) {
+  const normalized = [];
+  for (const providerId of Array.isArray(providerIds) ? providerIds : []) {
+    const provider = normalizeIdentityProviderId(providerId);
+    if (!provider) {
+      continue;
+    }
+    normalized.push(provider);
+  }
+  return normalized;
+}
+
+function countEnabledMethods(methods) {
+  let count = 0;
+  for (const method of methods) {
+    if (method?.enabled === true) {
+      count += 1;
+    }
+  }
+  return count;
+}
+
+function countConfiguredIdentityMethods(methods) {
+  let count = 0;
+  for (const method of methods) {
+    if (method.kind === AUTH_METHOD_KIND_OAUTH && method.configured) {
+      count += 1;
+      continue;
+    }
+    if (method.kind === AUTH_METHOD_KIND_PASSWORD && method.configured) {
+      count += 1;
+    }
+  }
+  return count;
+}
+
+function collectProviderIdsFromSupabaseUser(user) {
+  const providerIds = new Set();
+
+  const appProvider = normalizeIdentityProviderId(user?.app_metadata?.provider);
+  if (appProvider) {
+    providerIds.add(appProvider);
+  }
+
+  const appProviders = Array.isArray(user?.app_metadata?.providers) ? user.app_metadata.providers : [];
+  for (const provider of appProviders) {
+    const normalized = normalizeIdentityProviderId(provider);
+    if (normalized) {
+      providerIds.add(normalized);
+    }
+  }
+
+  const identities = Array.isArray(user?.identities) ? user.identities : [];
+  for (const identity of identities) {
+    const normalized = normalizeIdentityProviderId(identity?.provider);
+    if (normalized) {
+      providerIds.add(normalized);
+    }
+  }
+
+  return [...providerIds];
+}
+
+function buildAuthMethodsStatusFromProviderIds(providerIds, options = {}) {
+  const normalizedProviders = normalizeProviderIdList(providerIds);
+  const uniqueProviders = new Set(normalizedProviders);
+  const passwordSignInEnabled = options.passwordSignInEnabled !== false;
+  const passwordSetupRequired = options.passwordSetupRequired === true;
+  const oauthProviders = Array.isArray(options.oauthProviders) ? options.oauthProviders : [];
+  const methodDefinitions = buildAuthMethodDefinitions({ oauthProviders });
+  const methods = [];
+
+  for (const definition of methodDefinitions) {
+    if (definition.kind === AUTH_METHOD_KIND_PASSWORD) {
+      const configured = uniqueProviders.has(AUTH_METHOD_PASSWORD_PROVIDER);
+      const enabled = configured && passwordSignInEnabled;
+      methods.push({
+        id: AUTH_METHOD_PASSWORD_ID,
+        kind: AUTH_METHOD_KIND_PASSWORD,
+        provider: AUTH_METHOD_PASSWORD_PROVIDER,
+        label: definition.label,
+        configured,
+        enabled,
+        canEnable: configured && !enabled,
+        canDisable: false,
+        supportsSecretUpdate: true,
+        requiresCurrentPassword: enabled && !passwordSetupRequired
+      });
+      continue;
+    }
+
+    if (definition.kind === AUTH_METHOD_KIND_OTP) {
+      methods.push({
+        id: AUTH_METHOD_EMAIL_OTP_ID,
+        kind: AUTH_METHOD_KIND_OTP,
+        provider: AUTH_METHOD_EMAIL_OTP_PROVIDER,
+        label: definition.label,
+        configured: true,
+        enabled: true,
+        canEnable: false,
+        canDisable: false,
+        supportsSecretUpdate: false,
+        requiresCurrentPassword: false
+      });
+      continue;
+    }
+
+    if (definition.kind === AUTH_METHOD_KIND_OAUTH) {
+      const provider = normalizeIdentityProviderId(definition.provider);
+      const configured = uniqueProviders.has(provider);
+      methods.push({
+        id: buildOAuthMethodId(provider),
+        kind: AUTH_METHOD_KIND_OAUTH,
+        provider,
+        label: definition.label,
+        configured,
+        enabled: configured,
+        canEnable: !configured,
+        canDisable: false,
+        supportsSecretUpdate: false,
+        requiresCurrentPassword: false
+      });
+    }
+  }
+
+  const enabledMethodsCount = countEnabledMethods(methods);
+  const minimumEnabledMethods = AUTH_METHOD_MINIMUM_ENABLED;
+  const canDisableAny = enabledMethodsCount > minimumEnabledMethods;
+  const configuredIdentityMethodCount = countConfiguredIdentityMethods(methods);
+
+  for (const method of methods) {
+    if (method.kind === AUTH_METHOD_KIND_OAUTH) {
+      method.canDisable = method.enabled && configuredIdentityMethodCount > 1;
+      continue;
+    }
+
+    method.canDisable = method.enabled && canDisableAny;
+  }
+
+  return {
+    methods,
+    enabledMethodsCount,
+    minimumEnabledMethods,
+    canDisableAny
+  };
+}
+
+function buildAuthMethodsStatusFromSupabaseUser(user, options = {}) {
+  return buildAuthMethodsStatusFromProviderIds(collectProviderIdsFromSupabaseUser(user), options);
+}
+
+function buildSecurityStatusFromAuthMethodsStatus(authMethodsStatus) {
+  const minimumEnabledMethods = Number(authMethodsStatus?.minimumEnabledMethods || AUTH_METHOD_MINIMUM_ENABLED);
+  let enabledMethodsCount = 0;
+
+  const storedCount = Number(authMethodsStatus?.enabledMethodsCount);
+  if (Number.isFinite(storedCount)) {
+    enabledMethodsCount = storedCount;
+  } else if (Array.isArray(authMethodsStatus?.methods)) {
+    enabledMethodsCount = countEnabledMethods(authMethodsStatus.methods);
+  }
+
+  return {
+    mfa: {
+      status: "not_enabled",
+      enrolled: false,
+      methods: []
+    },
+    authPolicy: {
+      minimumEnabledMethods,
+      enabledMethodsCount
+    },
+    authMethods: Array.isArray(authMethodsStatus?.methods) ? authMethodsStatus.methods : []
+  };
+}
+
+function findAuthMethodById(authMethodsStatus, methodId) {
+  const normalizedMethodId = String(methodId || "")
+    .trim()
+    .toLowerCase();
+  if (!normalizedMethodId || !Array.isArray(authMethodsStatus?.methods)) {
+    return null;
+  }
+
+  return authMethodsStatus.methods.find(
+    (method) =>
+      String(method?.id || "")
+        .trim()
+        .toLowerCase() === normalizedMethodId
+  );
+}
+
+function findLinkedIdentityByProvider(user, provider) {
+  const normalizedProvider = normalizeIdentityProviderId(provider);
+  const identities = Array.isArray(user?.identities) ? user.identities : [];
+
+  for (const identity of identities) {
+    if (normalizeIdentityProviderId(identity?.provider) === normalizedProvider) {
+      return identity;
+    }
+  }
+
+  return null;
+}
+
+export {
+  normalizeIdentityProviderId,
+  collectProviderIdsFromSupabaseUser,
+  buildAuthMethodsStatusFromProviderIds,
+  buildAuthMethodsStatusFromSupabaseUser,
+  buildSecurityStatusFromAuthMethodsStatus,
+  findAuthMethodById,
+  findLinkedIdentityByProvider
+};