@jskit-ai/auth-provider-supabase-core 0.1.4

package/src/server/lib/authProfileNames.js

@@ -0,0 +1,24 @@
+function displayNameFromEmail(email) {
+  const local = String(email || "").split("@")[0] || "user";
+  return local.slice(0, 120);
+}
+
+function resolveDisplayName(supabaseUser, fallbackEmail) {
+  const metadataDisplayName = String(supabaseUser?.user_metadata?.display_name || "").trim();
+  if (metadataDisplayName) {
+    return metadataDisplayName.slice(0, 120);
+  }
+
+  return displayNameFromEmail(fallbackEmail);
+}
+
+function resolveDisplayNameFromClaims(claims, fallbackEmail) {
+  const metadataDisplayName = String(claims?.user_metadata?.display_name || "").trim();
+  if (metadataDisplayName) {
+    return metadataDisplayName.slice(0, 120);
+  }
+
+  return displayNameFromEmail(fallbackEmail);
+}
+
+export { displayNameFromEmail, resolveDisplayName, resolveDisplayNameFromClaims };

package/src/server/lib/authRedirectUrls.js

@@ -0,0 +1,135 @@
+import {
+  OAUTH_QUERY_PARAM_INTENT,
+  OAUTH_QUERY_PARAM_PROVIDER,
+  OAUTH_QUERY_PARAM_RETURN_TO
+} from "@jskit-ai/auth-core/shared/oauthCallbackParams";
+import { normalizeOAuthProviderList } from "@jskit-ai/auth-core/shared/oauthProviders";
+import { normalizeOAuthProviderFromCatalog } from "./oauthProviderCatalog.js";
+import { normalizeOAuthIntent, normalizeReturnToPath } from "@jskit-ai/auth-core/server/utils";
+
+const PASSWORD_RESET_PATH = "reset-password";
+const OAUTH_LOGIN_PATH = "auth/login";
+const OAUTH_LOGIN_INTENT = "login";
+const OAUTH_LINK_INTENT = "link";
+
+function parseHttpUrl(rawValue, variableName) {
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(rawValue);
+  } catch {
+    throw new Error(`${variableName} must be a valid absolute URL.`);
+  }
+
+  if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+    throw new Error(`${variableName} must start with http:// or https://.`);
+  }
+
+  return parsedUrl;
+}
+
+function buildPasswordResetRedirectUrl(options) {
+  const appPublicUrl = String(options.appPublicUrl || "").trim();
+
+  if (!appPublicUrl) {
+    throw new Error("APP_PUBLIC_URL is required to build password reset links.");
+  }
+
+  const baseUrl = parseHttpUrl(appPublicUrl, "APP_PUBLIC_URL");
+  if (!baseUrl.pathname.endsWith("/")) {
+    baseUrl.pathname = `${baseUrl.pathname}/`;
+  }
+  baseUrl.search = "";
+  baseUrl.hash = "";
+  return new URL(PASSWORD_RESET_PATH, baseUrl).toString();
+}
+
+function buildOtpLoginRedirectUrl(options) {
+  const appPublicUrl = String(options.appPublicUrl || "").trim();
+  const returnTo = normalizeReturnToPath(options.returnTo, { fallback: "" });
+
+  if (!appPublicUrl) {
+    throw new Error("APP_PUBLIC_URL is required to build OTP login redirects.");
+  }
+
+  const baseUrl = parseHttpUrl(appPublicUrl, "APP_PUBLIC_URL");
+  if (!baseUrl.pathname.endsWith("/")) {
+    baseUrl.pathname = `${baseUrl.pathname}/`;
+  }
+  baseUrl.search = "";
+  baseUrl.hash = "";
+  const redirectUrl = new URL(OAUTH_LOGIN_PATH, baseUrl);
+  if (returnTo) {
+    redirectUrl.searchParams.set("returnTo", returnTo);
+  }
+  return redirectUrl.toString();
+}
+
+function buildOAuthRedirectUrl(options) {
+  const appPublicUrl = String(options.appPublicUrl || "").trim();
+  const providerIds = normalizeOAuthProviderList(options.providerIds, { fallback: [] });
+  const provider = normalizeOAuthProviderFromCatalog(options.provider, {
+    providerIds,
+    fallback: null
+  });
+  const intent = normalizeOAuthIntent(options.intent, { fallback: OAUTH_LOGIN_INTENT });
+  const callbackPath = String(options.callbackPath || OAUTH_LOGIN_PATH).trim();
+  const returnTo = normalizeReturnToPath(options.returnTo, { fallback: "/" });
+
+  if (!appPublicUrl) {
+    throw new Error("APP_PUBLIC_URL is required to build OAuth login redirects.");
+  }
+
+  if (providerIds.length < 1) {
+    throw new Error("OAuth providers are not configured.");
+  }
+
+  if (!provider) {
+    throw new Error(`OAuth provider must be one of: ${providerIds.join(", ")}.`);
+  }
+
+  if (!callbackPath) {
+    throw new Error("OAuth callback path is required.");
+  }
+
+  const baseUrl = parseHttpUrl(appPublicUrl, "APP_PUBLIC_URL");
+  if (!baseUrl.pathname.endsWith("/")) {
+    baseUrl.pathname = `${baseUrl.pathname}/`;
+  }
+  baseUrl.search = "";
+  baseUrl.hash = "";
+
+  const redirectUrl = new URL(callbackPath, baseUrl);
+  redirectUrl.searchParams.set(OAUTH_QUERY_PARAM_PROVIDER, provider);
+  redirectUrl.searchParams.set(OAUTH_QUERY_PARAM_INTENT, intent);
+  if (returnTo) {
+    redirectUrl.searchParams.set(OAUTH_QUERY_PARAM_RETURN_TO, returnTo);
+  }
+  return redirectUrl.toString();
+}
+
+function buildOAuthLoginRedirectUrl(options) {
+  return buildOAuthRedirectUrl({
+    ...options,
+    intent: OAUTH_LOGIN_INTENT,
+    callbackPath: OAUTH_LOGIN_PATH
+  });
+}
+
+function buildOAuthLinkRedirectUrl(options) {
+  return buildOAuthRedirectUrl({
+    ...options,
+    intent: OAUTH_LINK_INTENT,
+    callbackPath: OAUTH_LOGIN_PATH
+  });
+}
+
+export {
+  parseHttpUrl,
+  buildPasswordResetRedirectUrl,
+  buildOtpLoginRedirectUrl,
+  normalizeOAuthIntent,
+  normalizeReturnToPath,
+  buildOAuthRedirectUrl,
+  buildOAuthLoginRedirectUrl,
+  buildOAuthLinkRedirectUrl
+};

package/src/server/lib/authSecrets.js

@@ -0,0 +1,9 @@
+import { randomBytes } from "node:crypto";
+
+function buildDisabledPasswordSecret() {
+  const randomSegment = randomBytes(24).toString("base64url");
+  // Supabase password updates follow bcrypt's 72-byte input limit.
+  return `disabled-A1!-${randomSegment}`;
+}
+
+export { buildDisabledPasswordSecret };

package/src/server/lib/authSessionEventsService.js

@@ -0,0 +1,20 @@
+import { normalizePositiveInteger } from "@jskit-ai/kernel/shared/support/normalize";
+
+function createAuthSessionEventsService() {
+  async function notifySessionChanged(options = {}) {
+    const actorId = normalizePositiveInteger(options?.context?.actor?.id);
+    if (!actorId) {
+      return null;
+    }
+
+    return {
+      id: actorId
+    };
+  }
+
+  return Object.freeze({
+    notifySessionChanged
+  });
+}
+
+export { createAuthSessionEventsService };

package/src/server/lib/index.js

@@ -0,0 +1,2 @@
+export { createService, __testables } from "./service.js";
+export { authActions } from "./actions/auth.contributor.js";

package/src/server/lib/oauthFlows.js

@@ -0,0 +1,201 @@
+import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+
+function createOauthFlows(deps) {
+  const {
+    ensureConfigured,
+    normalizeOAuthProviderInput,
+    normalizeReturnToPath,
+    buildOAuthLoginRedirectUrl,
+    appPublicUrl,
+    authOAuthDefaultProvider,
+    resolveOAuthProviderQueryParams = () => null,
+    getSupabaseClient,
+    mapAuthError,
+    setSessionFromRequestCookies,
+    buildOAuthLinkRedirectUrl,
+    parseOAuthCompletePayload,
+    validationError,
+    mapOAuthCallbackError,
+    mapRecoveryError,
+    syncProfileFromSupabaseUser,
+    resolveCurrentAuthContext,
+    buildOAuthMethodId,
+    findAuthMethodById,
+    findLinkedIdentityByProvider,
+    buildSecurityStatusFromAuthMethodsStatus
+  } = deps;
+
+  async function requestOAuthRedirectUrl(supabase, provider, redirectTo, requestFlow) {
+    let response;
+    try {
+      const queryParams = resolveOAuthProviderQueryParams(provider);
+      response = await requestFlow({
+        provider,
+        options: {
+          redirectTo,
+          queryParams: queryParams || undefined
+        }
+      });
+    } catch (error) {
+      throw mapAuthError(error, 500);
+    }
+
+    if (response.error || !response.data?.url) {
+      throw mapAuthError(response.error, 400);
+    }
+
+    return String(response.data.url);
+  }
+
+  async function oauthStart(payload = {}) {
+    ensureConfigured();
+
+    const provider = normalizeOAuthProviderInput(payload.provider || authOAuthDefaultProvider);
+    const returnTo = normalizeReturnToPath(payload.returnTo, { fallback: "/" });
+    const redirectTo = buildOAuthLoginRedirectUrl({
+      appPublicUrl,
+      provider,
+      returnTo
+    });
+    const supabase = getSupabaseClient();
+    const url = await requestOAuthRedirectUrl(supabase, provider, redirectTo, (input) =>
+      supabase.auth.signInWithOAuth(input)
+    );
+
+    return {
+      provider,
+      returnTo,
+      url
+    };
+  }
+
+  async function startProviderLink(request, payload = {}) {
+    ensureConfigured();
+
+    const supabase = getSupabaseClient();
+    const provider = normalizeOAuthProviderInput(payload.provider || authOAuthDefaultProvider);
+    const returnTo = normalizeReturnToPath(payload.returnTo, { fallback: "/" });
+    await setSessionFromRequestCookies(request, {
+      supabaseClient: supabase
+    });
+
+    if (typeof supabase.auth.linkIdentity !== "function") {
+      throw new AppError(500, "Supabase client does not support identity linking in this environment.");
+    }
+
+    const redirectTo = buildOAuthLinkRedirectUrl({
+      appPublicUrl,
+      provider,
+      returnTo
+    });
+    const url = await requestOAuthRedirectUrl(supabase, provider, redirectTo, (input) =>
+      supabase.auth.linkIdentity(input)
+    );
+
+    return {
+      provider,
+      returnTo,
+      url
+    };
+  }
+
+  async function oauthComplete(payload = {}) {
+    ensureConfigured();
+
+    const parsed = parseOAuthCompletePayload(payload);
+    if (Object.keys(parsed.fieldErrors).length > 0) {
+      throw validationError(parsed.fieldErrors);
+    }
+
+    if (parsed.errorCode) {
+      throw mapOAuthCallbackError(parsed.errorCode, parsed.errorDescription);
+    }
+
+    const supabase = getSupabaseClient();
+    let response;
+    try {
+      if (parsed.hasSessionPair) {
+        response = await supabase.auth.setSession({
+          access_token: parsed.accessToken,
+          refresh_token: parsed.refreshToken
+        });
+      } else {
+        response = await supabase.auth.exchangeCodeForSession(parsed.code);
+      }
+    } catch (error) {
+      throw mapRecoveryError(error);
+    }
+
+    if (response.error || !response.data?.session || !response.data?.user) {
+      throw mapRecoveryError(response.error);
+    }
+
+    const profile = await syncProfileFromSupabaseUser(response.data.user, response.data.user.email);
+
+    return {
+      provider: parsed.provider,
+      profile,
+      session: response.data.session
+    };
+  }
+
+  async function unlinkProvider(request, payload = {}) {
+    ensureConfigured();
+
+    const provider = normalizeOAuthProviderInput(payload.provider);
+    const supabase = getSupabaseClient();
+    if (typeof supabase.auth.unlinkIdentity !== "function") {
+      throw new AppError(500, "Supabase client does not support identity unlinking in this environment.");
+    }
+
+    await setSessionFromRequestCookies(request, {
+      supabaseClient: supabase
+    });
+    const current = await resolveCurrentAuthContext(request, {
+      supabaseClient: supabase
+    });
+    const methodId = buildOAuthMethodId(provider);
+    const providerMethod = findAuthMethodById(current.authMethodsStatus, methodId);
+    if (!providerMethod || !providerMethod.configured) {
+      throw validationError({
+        provider: `${provider} is not linked to this account.`
+      });
+    }
+
+    if (!providerMethod.canDisable) {
+      throw new AppError(409, "At least one sign-in method must remain enabled.");
+    }
+
+    const identity = findLinkedIdentityByProvider(current.user, provider);
+    if (!identity) {
+      throw new AppError(409, "Linked identity details could not be resolved for this provider.");
+    }
+
+    let response;
+    try {
+      response = await supabase.auth.unlinkIdentity(identity);
+    } catch (error) {
+      throw mapAuthError(error, 500);
+    }
+
+    if (response.error) {
+      throw mapAuthError(response.error, Number(response.error?.status || 400));
+    }
+
+    const refreshed = await resolveCurrentAuthContext(request, {
+      supabaseClient: supabase
+    });
+    return {
+      securityStatus: buildSecurityStatusFromAuthMethodsStatus(refreshed.authMethodsStatus)
+    };
+  }
+
+  return {
+    oauthStart,
+    startProviderLink,
+    oauthComplete,
+    unlinkProvider
+  };
+}
+
+export { createOauthFlows };

package/src/server/lib/oauthProviderCatalog.js

@@ -0,0 +1,272 @@
+import {
+  normalizeOAuthProviderId,
+  normalizeOAuthProviderList
+} from "@jskit-ai/auth-core/shared/oauthProviders";
+
+const SUPABASE_OAUTH_PROVIDER_METADATA = Object.freeze({
+  apple: Object.freeze({ id: "apple", label: "Apple" }),
+  azure: Object.freeze({ id: "azure", label: "Microsoft" }),
+  bitbucket: Object.freeze({ id: "bitbucket", label: "Bitbucket" }),
+  discord: Object.freeze({ id: "discord", label: "Discord" }),
+  facebook: Object.freeze({ id: "facebook", label: "Facebook" }),
+  figma: Object.freeze({ id: "figma", label: "Figma" }),
+  github: Object.freeze({ id: "github", label: "GitHub" }),
+  gitlab: Object.freeze({ id: "gitlab", label: "GitLab" }),
+  google: Object.freeze({ id: "google", label: "Google", queryParams: { prompt: "select_account" } }),
+  kakao: Object.freeze({ id: "kakao", label: "Kakao" }),
+  keycloak: Object.freeze({ id: "keycloak", label: "Keycloak" }),
+  linkedin_oidc: Object.freeze({ id: "linkedin_oidc", label: "LinkedIn" }),
+  notion: Object.freeze({ id: "notion", label: "Notion" }),
+  slack: Object.freeze({ id: "slack", label: "Slack" }),
+  spotify: Object.freeze({ id: "spotify", label: "Spotify" }),
+  twitch: Object.freeze({ id: "twitch", label: "Twitch" }),
+  twitter: Object.freeze({ id: "twitter", label: "X" }),
+  workos: Object.freeze({ id: "workos", label: "WorkOS" }),
+  zoom: Object.freeze({ id: "zoom", label: "Zoom" })
+});
+
+const DEFAULT_SUPABASE_OAUTH_PROVIDER_IDS = Object.freeze(["google"]);
+
+function normalizeProviderLabel(value, fallback) {
+  const normalized = String(value || "").trim();
+  if (normalized.length > 0) {
+    return normalized;
+  }
+  return String(fallback || "OAuth provider");
+}
+
+function normalizeProviderQueryParams(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+
+  const params = {};
+  for (const [key, entryValue] of Object.entries(value)) {
+    const normalizedKey = String(key || "").trim();
+    const normalizedValue = String(entryValue || "").trim();
+    if (!normalizedKey || !normalizedValue) {
+      continue;
+    }
+    params[normalizedKey] = normalizedValue;
+  }
+
+  if (Object.keys(params).length < 1) {
+    return null;
+  }
+
+  return Object.freeze(params);
+}
+
+function normalizeProviderLabelOverrides(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return new Map();
+  }
+
+  const overrides = new Map();
+  for (const [providerId, label] of Object.entries(value)) {
+    const normalizedProviderId = normalizeOAuthProviderId(providerId, { fallback: null });
+    if (!normalizedProviderId) {
+      continue;
+    }
+
+    overrides.set(normalizedProviderId, normalizeProviderLabel(label, normalizedProviderId));
+  }
+
+  return overrides;
+}
+
+function normalizeProviderQueryParamOverrides(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return new Map();
+  }
+
+  const overrides = new Map();
+  for (const [providerId, queryParams] of Object.entries(value)) {
+    const normalizedProviderId = normalizeOAuthProviderId(providerId, { fallback: null });
+    if (!normalizedProviderId) {
+      continue;
+    }
+
+    const normalizedQueryParams = normalizeProviderQueryParams(queryParams);
+    if (normalizedQueryParams) {
+      overrides.set(normalizedProviderId, normalizedQueryParams);
+    }
+  }
+
+  return overrides;
+}
+
+function normalizeExplicitProviderCatalogEntry(entry) {
+  if (typeof entry === "string") {
+    const providerId = normalizeOAuthProviderId(entry, { fallback: null });
+    if (!providerId) {
+      return null;
+    }
+
+    return {
+      id: providerId,
+      label: normalizeProviderLabel(SUPABASE_OAUTH_PROVIDER_METADATA[providerId]?.label, providerId),
+      queryParams: normalizeProviderQueryParams(SUPABASE_OAUTH_PROVIDER_METADATA[providerId]?.queryParams)
+    };
+  }
+
+  if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+    return null;
+  }
+
+  const providerId = normalizeOAuthProviderId(entry.id, { fallback: null });
+  if (!providerId) {
+    return null;
+  }
+
+  const fallbackMetadata = SUPABASE_OAUTH_PROVIDER_METADATA[providerId] || {};
+  return {
+    id: providerId,
+    label: normalizeProviderLabel(entry.label, fallbackMetadata.label || providerId),
+    queryParams: normalizeProviderQueryParams(entry.queryParams ?? fallbackMetadata.queryParams)
+  };
+}
+
+function normalizeExplicitProviderCatalog(value) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+
+  const entries = [];
+  for (const entry of value) {
+    const normalized = normalizeExplicitProviderCatalogEntry(entry);
+    if (!normalized || entries.some((existing) => existing.id === normalized.id)) {
+      continue;
+    }
+
+    entries.push(
+      Object.freeze({
+        id: normalized.id,
+        label: normalized.label,
+        queryParams: normalized.queryParams
+      })
+    );
+  }
+
+  return entries;
+}
+
+function resolveSupabaseOAuthProviderCatalog(options = {}) {
+  const explicitCatalog = normalizeExplicitProviderCatalog(options.oauthProviderCatalog);
+  const labelOverrides = normalizeProviderLabelOverrides(options.oauthProviderLabels);
+  const queryParamOverrides = normalizeProviderQueryParamOverrides(options.oauthProviderQueryParams);
+
+  let providers;
+  if (explicitCatalog.length > 0) {
+    providers = explicitCatalog.map((entry) => {
+      const label = labelOverrides.get(entry.id) || entry.label;
+      const queryParams = queryParamOverrides.get(entry.id) || entry.queryParams || null;
+      return Object.freeze({
+        id: entry.id,
+        label,
+        queryParams
+      });
+    });
+  } else {
+    const providerIds = normalizeOAuthProviderList(options.oauthProviders, {
+      fallback: DEFAULT_SUPABASE_OAUTH_PROVIDER_IDS
+    });
+
+    providers = providerIds.map((providerId) => {
+      const fallbackMetadata = SUPABASE_OAUTH_PROVIDER_METADATA[providerId] || {};
+      const label = labelOverrides.get(providerId) || normalizeProviderLabel(fallbackMetadata.label, providerId);
+      const queryParams =
+        queryParamOverrides.get(providerId) || normalizeProviderQueryParams(fallbackMetadata.queryParams) || null;
+
+      return Object.freeze({
+        id: providerId,
+        label,
+        queryParams
+      });
+    });
+  }
+
+  const providerIds = Object.freeze(providers.map((provider) => provider.id));
+  const providerQueryParamsById = Object.freeze(
+    providers.reduce((accumulator, provider) => {
+      if (provider.queryParams) {
+        accumulator[provider.id] = provider.queryParams;
+      }
+      return accumulator;
+    }, {})
+  );
+
+  const defaultProvider = normalizeOAuthProviderId(options.oauthDefaultProvider, {
+    fallback: providerIds[0] || null
+  });
+
+  return {
+    providers: Object.freeze(
+      providers.map((provider) =>
+        Object.freeze({
+          id: provider.id,
+          label: provider.label,
+          queryParams: provider.queryParams
+        })
+      )
+    ),
+    providerIds,
+    defaultProvider: providerIds.includes(defaultProvider) ? defaultProvider : providerIds[0] || null,
+    providerQueryParamsById
+  };
+}
+
+function normalizeOAuthProviderFromCatalog(value, { providerIds = [], fallback = null } = {}) {
+  const normalizedProviderId = normalizeOAuthProviderId(value, { fallback: null });
+  if (normalizedProviderId && providerIds.includes(normalizedProviderId)) {
+    return normalizedProviderId;
+  }
+
+  const normalizedFallbackProviderId = normalizeOAuthProviderId(fallback, { fallback: null });
+  if (normalizedFallbackProviderId && providerIds.includes(normalizedFallbackProviderId)) {
+    return normalizedFallbackProviderId;
+  }
+
+  return null;
+}
+
+function resolveOAuthProviderQueryParams(providerId, { providerQueryParamsById = {} } = {}) {
+  const normalizedProviderId = normalizeOAuthProviderId(providerId, { fallback: null });
+  if (!normalizedProviderId) {
+    return null;
+  }
+
+  const queryParams = providerQueryParamsById[normalizedProviderId];
+  if (!queryParams || typeof queryParams !== "object") {
+    return null;
+  }
+
+  return queryParams;
+}
+
+function buildOAuthProviderCatalogResponse(catalog) {
+  const providers = Array.isArray(catalog?.providers) ? catalog.providers : [];
+  const providerIds = providers.map((provider) => provider.id);
+
+  const defaultProvider = normalizeOAuthProviderFromCatalog(catalog?.defaultProvider, {
+    providerIds,
+    fallback: providerIds[0] || null
+  });
+
+  return {
+    providers: providers.map((provider) => ({
+      id: provider.id,
+      label: provider.label
+    })),
+    defaultProvider
+  };
+}
+
+export {
+  SUPABASE_OAUTH_PROVIDER_METADATA,
+  DEFAULT_SUPABASE_OAUTH_PROVIDER_IDS,
+  resolveSupabaseOAuthProviderCatalog,
+  normalizeOAuthProviderFromCatalog,
+  resolveOAuthProviderQueryParams,
+  buildOAuthProviderCatalogResponse
+};