@jskit-ai/auth-provider-supabase-core 0.1.4

package/src/server/lib/standaloneProfileSyncService.js

@@ -0,0 +1,92 @@
+import { normalizeLowerText, normalizeText } from "@jskit-ai/kernel/shared/actions/textNormalization";
+
+const USER_PROFILE_EMAIL_CONFLICT_CODE = "USER_PROFILE_EMAIL_CONFLICT";
+
+function buildIdentityKey({ authProvider, authProviderUserId } = {}) {
+  return `${normalizeLowerText(authProvider)}:${normalizeText(authProviderUserId)}`;
+}
+
+function normalizeIdentity(identityLike) {
+  const source = identityLike && typeof identityLike === "object" ? identityLike : {};
+  const authProvider = normalizeLowerText(source.authProvider || source.provider);
+  const authProviderUserId = normalizeText(source.authProviderUserId || source.providerUserId);
+  if (!authProvider || !authProviderUserId) {
+    throw new TypeError("Standalone profile sync requires authProvider and authProviderUserId.");
+  }
+  return {
+    authProvider,
+    authProviderUserId
+  };
+}
+
+function normalizeProfile(profileLike) {
+  const source = profileLike && typeof profileLike === "object" ? profileLike : {};
+  const identity = normalizeIdentity(source);
+  const email = normalizeLowerText(source.email);
+  const displayName = normalizeText(source.displayName);
+  if (!email || !displayName) {
+    throw new TypeError("Standalone profile sync requires email and displayName.");
+  }
+  return {
+    authProvider: identity.authProvider,
+    authProviderUserId: identity.authProviderUserId,
+    email,
+    displayName
+  };
+}
+
+function cloneProfile(profile) {
+  return profile ? { ...profile } : null;
+}
+
+function createEmailConflictError() {
+  const error = new Error("Email is already linked to a different profile.");
+  error.code = USER_PROFILE_EMAIL_CONFLICT_CODE;
+  return error;
+}
+
+function createStandaloneProfileSyncService() {
+  const profilesByIdentityKey = new Map();
+  const identityKeyByEmail = new Map();
+  let nextId = 1;
+
+  async function findByIdentity(identityLike) {
+    const identity = normalizeIdentity(identityLike);
+    return cloneProfile(profilesByIdentityKey.get(buildIdentityKey(identity)) || null);
+  }
+
+  async function syncIdentityProfile(profileLike) {
+    const normalizedProfile = normalizeProfile(profileLike);
+    const identityKey = buildIdentityKey(normalizedProfile);
+    const existing = profilesByIdentityKey.get(identityKey) || null;
+
+    const existingOwnerIdentityKey = identityKeyByEmail.get(normalizedProfile.email);
+    if (existingOwnerIdentityKey && existingOwnerIdentityKey !== identityKey) {
+      throw createEmailConflictError();
+    }
+
+    const next = {
+      id: Number(existing?.id || nextId++),
+      authProvider: normalizedProfile.authProvider,
+      authProviderUserId: normalizedProfile.authProviderUserId,
+      email: normalizedProfile.email,
+      displayName: normalizedProfile.displayName
+    };
+
+    if (existing?.email && existing.email !== next.email) {
+      identityKeyByEmail.delete(existing.email);
+    }
+
+    profilesByIdentityKey.set(identityKey, next);
+    identityKeyByEmail.set(next.email, identityKey);
+    return cloneProfile(next);
+  }
+
+  return Object.freeze({
+    findByIdentity,
+    syncIdentityProfile
+  });
+}
+
+export { createStandaloneProfileSyncService };
+export { USER_PROFILE_EMAIL_CONFLICT_CODE };

package/src/server/lib/test-utils.js

@@ -0,0 +1,47 @@
+export { createAccountFlows } from "./accountFlows.js";
+export { createOauthFlows } from "./oauthFlows.js";
+export { createPasswordSecurityFlows } from "./passwordSecurityFlows.js";
+
+export {
+  mapAuthError,
+  validationError,
+  isUserNotFoundLikeAuthError,
+  mapRecoveryError,
+  mapPasswordUpdateError,
+  mapOtpVerifyError,
+  mapProfileUpdateError,
+  mapCurrentPasswordError,
+  isTransientAuthMessage,
+  isTransientSupabaseError
+} from "./authErrorMappers.js";
+
+export {
+  buildOtpLoginRedirectUrl,
+  normalizeOAuthIntent,
+  normalizeReturnToPath,
+  buildOAuthRedirectUrl,
+  buildOAuthLoginRedirectUrl,
+  buildOAuthLinkRedirectUrl
+} from "./authRedirectUrls.js";
+
+export {
+  normalizeOAuthProviderInput,
+  parseOAuthCompletePayload,
+  parseOtpLoginVerifyPayload,
+  mapOAuthCallbackError,
+  validatePasswordRecoveryPayload
+} from "./authInputParsers.js";
+
+export {
+  resolveSupabaseOAuthProviderCatalog,
+  resolveOAuthProviderQueryParams,
+  buildOAuthProviderCatalogResponse
+} from "./oauthProviderCatalog.js";
+
+export {
+  buildAuthMethodsStatusFromProviderIds,
+  collectProviderIdsFromSupabaseUser,
+  findAuthMethodById,
+  findLinkedIdentityByProvider,
+  buildSecurityStatusFromAuthMethodsStatus
+} from "./authMethodStatus.js";

package/src/server/providers/AuthProviderServiceProvider.js

@@ -0,0 +1,9 @@
+class AuthProviderServiceProvider {
+  static id = "auth.provider";
+
+  static dependsOn = ["auth.provider.supabase"];
+
+  register() {}
+}
+
+export { AuthProviderServiceProvider };

package/src/server/providers/AuthSupabaseServiceProvider.js

@@ -0,0 +1,217 @@
+import { KERNEL_TOKENS } from "@jskit-ai/kernel/shared/support/tokens";
+import { resolveAllowedOriginsFromSurfaceDefinitions } from "@jskit-ai/kernel/shared/support/returnToPath";
+import { withActionDefaults } from "@jskit-ai/kernel/shared/actions";
+import { createService } from "../lib/service.js";
+import { createStandaloneProfileSyncService } from "../lib/standaloneProfileSyncService.js";
+import { createAuthSessionEventsService } from "../lib/authSessionEventsService.js";
+import { authActions } from "../lib/actions/auth.contributor.js";
+
+const AUTH_SESSION_EVENTS_SERVICE_TOKEN = "auth.session.events.service";
+const AUTH_SESSION_CHANGED_EVENT = "auth.session.changed";
+const USERS_BOOTSTRAP_CHANGED_EVENT = "users.bootstrap.changed";
+const AUTH_PROFILE_MODE_STANDALONE = "standalone";
+const AUTH_PROFILE_MODE_USERS = "users";
+const SUPPORTED_AUTH_PROFILE_MODES = Object.freeze([AUTH_PROFILE_MODE_STANDALONE, AUTH_PROFILE_MODE_USERS]);
+
+function splitCsv(value) {
+  return String(value || "")
+    .split(",")
+    .map((entry) => entry.trim())
+    .filter(Boolean);
+}
+
+function resolveAllowedReturnToOrigins({ appConfig = {}, appPublicUrl = "" } = {}) {
+  const surfaceDefinitions =
+    appConfig && typeof appConfig === "object" && appConfig.surfaceDefinitions && typeof appConfig.surfaceDefinitions === "object"
+      ? appConfig.surfaceDefinitions
+      : {};
+
+  return resolveAllowedOriginsFromSurfaceDefinitions(surfaceDefinitions, {
+    seedOrigins: [appPublicUrl]
+  });
+}
+
+function resolveAuthProviderConfig(env) {
+  const source = env && typeof env === "object" ? env : {};
+  return {
+    id: "supabase",
+    supabaseUrl: String(source.AUTH_SUPABASE_URL || source.SUPABASE_URL || "").trim(),
+    supabasePublishableKey: String(
+      source.AUTH_SUPABASE_PUBLISHABLE_KEY || source.SUPABASE_PUBLISHABLE_KEY || ""
+    ).trim(),
+    jwtAudience: String(source.AUTH_JWT_AUDIENCE || "authenticated").trim(),
+    oauthProviders: splitCsv(source.AUTH_OAUTH_PROVIDERS),
+    oauthDefaultProvider: String(source.AUTH_OAUTH_DEFAULT_PROVIDER || "").trim()
+  };
+}
+
+function resolveAuthProfileMode(env) {
+  const source = env && typeof env === "object" ? env : {};
+  const mode = String(source.AUTH_PROFILE_MODE || AUTH_PROFILE_MODE_STANDALONE)
+    .trim()
+    .toLowerCase();
+  if (SUPPORTED_AUTH_PROFILE_MODES.includes(mode)) {
+    return mode;
+  }
+  throw new Error(
+    `Unsupported AUTH_PROFILE_MODE "${mode}". Supported values: ${SUPPORTED_AUTH_PROFILE_MODES.join(", ")}.`
+  );
+}
+
+function createInMemoryUserSettingsRepository() {
+  const settingsByUserId = new Map();
+
+  function ensure(userId) {
+    const numericUserId = Number(userId);
+    if (!settingsByUserId.has(numericUserId)) {
+      settingsByUserId.set(numericUserId, {
+        userId: numericUserId,
+        passwordSignInEnabled: true,
+        passwordSetupRequired: false
+      });
+    }
+    return settingsByUserId.get(numericUserId);
+  }
+
+  return Object.freeze({
+    async ensureForUserId(userId) {
+      return { ...ensure(userId) };
+    },
+    async updatePasswordSignInEnabled(userId, enabled) {
+      const settings = ensure(userId);
+      settings.passwordSignInEnabled = enabled !== false;
+      return { ...settings };
+    },
+    async updatePasswordSetupRequired(userId, required) {
+      const settings = ensure(userId);
+      settings.passwordSetupRequired = required === true;
+      return { ...settings };
+    }
+  });
+}
+
+const fallbackUserSettingsRepository = createInMemoryUserSettingsRepository();
+const fallbackStandaloneProfileSyncService = createStandaloneProfileSyncService();
+
+function resolveCommonDependencies(scope) {
+  const dependencies = {};
+  if (scope.has(KERNEL_TOKENS.Env)) {
+    dependencies.env = scope.make(KERNEL_TOKENS.Env);
+  }
+  if (scope.has(KERNEL_TOKENS.Logger)) {
+    dependencies.logger = scope.make(KERNEL_TOKENS.Logger);
+  }
+  return dependencies;
+}
+
+function resolveOptionalRepositories(scope) {
+  const repositories = {};
+  if (scope.has("userSettingsRepository")) {
+    repositories.userSettingsRepository = scope.make("userSettingsRepository");
+  }
+  return repositories;
+}
+
+class AuthSupabaseServiceProvider {
+  static id = "auth.provider.supabase";
+
+  static dependsOn = ["runtime.actions"];
+
+  register(app) {
+    if (
+      !app ||
+      typeof app.singleton !== "function" ||
+      typeof app.has !== "function" ||
+      typeof app.actions !== "function" ||
+      typeof app.service !== "function"
+    ) {
+      throw new Error("AuthSupabaseServiceProvider requires application singleton()/has()/actions()/service().");
+    }
+
+    if (!app.has("authService")) {
+      app.singleton("authService", (scope) => {
+        const dependencies = resolveCommonDependencies(scope);
+        const envFromDependencies =
+          dependencies?.env && typeof dependencies.env === "object" ? dependencies.env : {};
+        const env = {
+          ...process.env,
+          ...envFromDependencies
+        };
+        const appConfig = scope.has("appConfig") ? scope.make("appConfig") : {};
+        const authProvider = resolveAuthProviderConfig(env);
+        const repositories = resolveOptionalRepositories(scope);
+        const userSettingsRepository = repositories.userSettingsRepository || fallbackUserSettingsRepository;
+        if (!authProvider.supabaseUrl || !authProvider.supabasePublishableKey) {
+          return null;
+        }
+        const authProfileMode = resolveAuthProfileMode(env);
+        let userProfileSyncService = fallbackStandaloneProfileSyncService;
+        if (authProfileMode === AUTH_PROFILE_MODE_USERS) {
+          if (!scope.has("users.profile.sync.service")) {
+            throw new Error(
+              "AuthSupabaseServiceProvider requires users.profile.sync.service when AUTH_PROFILE_MODE=users."
+            );
+          }
+          userProfileSyncService = scope.make("users.profile.sync.service");
+        }
+
+        return createService({
+          authProvider,
+          appPublicUrl: String(env.APP_PUBLIC_URL || "").trim(),
+          authAllowedReturnToOrigins: resolveAllowedReturnToOrigins({
+            appConfig,
+            appPublicUrl: String(env.APP_PUBLIC_URL || "").trim()
+          }),
+          nodeEnv: String(env.NODE_ENV || "development").trim() || "development",
+          userSettingsRepository,
+          userProfileSyncService
+        });
+      });
+    }
+
+    app.service(
+      AUTH_SESSION_EVENTS_SERVICE_TOKEN,
+      () => createAuthSessionEventsService(),
+      {
+        events: {
+          notifySessionChanged: [
+            {
+              type: "entity.changed",
+              source: "auth",
+              entity: "session",
+              operation: "updated",
+              entityId: ({ result }) => result?.id,
+              realtime: {
+                event: AUTH_SESSION_CHANGED_EVENT,
+                audience: "actor_user"
+              }
+            },
+            {
+              type: "entity.changed",
+              source: "users",
+              entity: "bootstrap",
+              operation: "updated",
+              entityId: ({ result }) => result?.id,
+              realtime: {
+                event: USERS_BOOTSTRAP_CHANGED_EVENT,
+                audience: "actor_user"
+              }
+            }
+          ]
+        }
+      }
+    );
+
+    app.actions(
+      withActionDefaults(authActions, {
+        domain: "auth",
+        dependencies: {
+          authService: "authService",
+          authSessionEventsService: AUTH_SESSION_EVENTS_SERVICE_TOKEN
+        }
+      })
+    );
+  }
+}
+
+export { AuthSupabaseServiceProvider };

package/test/auth.provider.supabase.test.js

@@ -0,0 +1,7 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import * as authProviderSupabase from "../src/server/lib/index.js";
+
+test("auth.provider.supabase exports required symbols", () => {
+  assert.equal(typeof authProviderSupabase.createService, "function");
+});

package/test/authRedirectUrls.test.js

@@ -0,0 +1,47 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import {
+  buildOAuthLoginRedirectUrl,
+  buildOtpLoginRedirectUrl
+} from "../src/server/lib/authRedirectUrls.js";
+
+test("buildOAuthLoginRedirectUrl targets /auth/login callback route", () => {
+  const redirectTo = buildOAuthLoginRedirectUrl({
+    appPublicUrl: "http://localhost:5173",
+    provider: "google",
+    providerIds: ["google"],
+    returnTo: "/app"
+  });
+
+  const url = new URL(redirectTo);
+  assert.equal(url.origin, "http://localhost:5173");
+  assert.equal(url.pathname, "/auth/login");
+  assert.equal(url.searchParams.get("oauthProvider"), "google");
+  assert.equal(url.searchParams.get("oauthIntent"), "login");
+  assert.equal(url.searchParams.get("oauthReturnTo"), "/app");
+});
+
+test("buildOAuthLoginRedirectUrl preserves app base path", () => {
+  const redirectTo = buildOAuthLoginRedirectUrl({
+    appPublicUrl: "https://example.com/tenant",
+    provider: "google",
+    providerIds: ["google"],
+    returnTo: "/app"
+  });
+
+  const url = new URL(redirectTo);
+  assert.equal(url.origin, "https://example.com");
+  assert.equal(url.pathname, "/tenant/auth/login");
+});
+
+test("buildOtpLoginRedirectUrl targets /auth/login", () => {
+  const redirectTo = buildOtpLoginRedirectUrl({
+    appPublicUrl: "http://localhost:5173",
+    returnTo: "/app"
+  });
+
+  const url = new URL(redirectTo);
+  assert.equal(url.origin, "http://localhost:5173");
+  assert.equal(url.pathname, "/auth/login");
+  assert.equal(url.searchParams.get("returnTo"), "/app");
+});

package/test/entrypoints.boundary.test.js

@@ -0,0 +1,20 @@
+import assert from "node:assert/strict";
+import { readFile } from "node:fs/promises";
+import test from "node:test";
+
+const EXPECTED_EXPORTS = Object.freeze({
+  "./server/providers/AuthSupabaseServiceProvider": "./src/server/providers/AuthSupabaseServiceProvider.js",
+  "./server/providers/AuthProviderServiceProvider": "./src/server/providers/AuthProviderServiceProvider.js",
+  "./server/lib/index": "./src/server/lib/index.js",
+  "./client": "./src/client/index.js"
+});
+
+test("auth-provider-supabase-core exports only curated entrypoints", async () => {
+  const packageJson = JSON.parse(await readFile(new URL("../package.json", import.meta.url), "utf8"));
+  const exportsMap = packageJson && typeof packageJson === "object" ? packageJson.exports : {};
+
+  assert.deepEqual(exportsMap, EXPECTED_EXPORTS);
+  assert.equal(exportsMap["./server/lib/service"], undefined);
+  assert.equal(exportsMap["./server/lib/test-utils"], undefined);
+  assert.equal(exportsMap["./server/lib/oauthFlows"], undefined);
+});

package/test/index.test.js

@@ -0,0 +1,7 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createService } from "../src/server/lib/index.js";
+
+test("auth provider supabase core validates required provider options", () => {
+  assert.throws(() => createService({}), /authProvider is required/);
+});

package/test/providerRuntime.test.js

@@ -0,0 +1,156 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createApplication } from "@jskit-ai/kernel/_testable";
+import { KERNEL_TOKENS } from "@jskit-ai/kernel/shared/support/tokens";
+import { ActionRuntimeServiceProvider } from "@jskit-ai/kernel/server/actions";
+import { AuthSupabaseServiceProvider } from "../src/server/providers/AuthSupabaseServiceProvider.js";
+
+function createAppConfigFixture() {
+  return {
+    surfaceModeAll: "all",
+    surfaceDefaultId: "home",
+    surfaceDefinitions: {
+      home: { id: "home", pagesRoot: "", enabled: true, requiresAuth: false, requiresWorkspace: false },
+      console: {
+        id: "console",
+        pagesRoot: "console",
+        enabled: true,
+        requiresAuth: true,
+        requiresWorkspace: false
+      }
+    }
+  };
+}
+
+test("auth supabase provider registers authService and contributes auth actions in users mode", async () => {
+  const app = createApplication();
+  app.instance("appConfig", createAppConfigFixture());
+  app.instance(KERNEL_TOKENS.Env, {
+    AUTH_SUPABASE_URL: "https://example.supabase.co",
+    AUTH_SUPABASE_PUBLISHABLE_KEY: "sb_publishable_test_key",
+    AUTH_PROFILE_MODE: "users",
+    APP_PUBLIC_URL: "http://localhost:5173",
+    NODE_ENV: "test"
+  });
+  app.instance(KERNEL_TOKENS.Logger, {
+    info() {},
+    warn() {},
+    error() {},
+    debug() {}
+  });
+  app.instance("domainEvents", {
+    async publish() {}
+  });
+  app.instance("users.profile.sync.service", {
+    async findByIdentity() {
+      return null;
+    },
+    async syncIdentityProfile(profile) {
+      return {
+        id: 1,
+        authProvider: String(profile?.authProvider || "supabase"),
+        authProviderUserId: String(profile?.authProviderUserId || "user-1"),
+        email: String(profile?.email || "test@example.com"),
+        displayName: String(profile?.displayName || "Test User")
+      };
+    }
+  });
+
+  await app.start({
+    providers: [ActionRuntimeServiceProvider, AuthSupabaseServiceProvider]
+  });
+
+  const authService = app.make("authService");
+  assert.equal(typeof authService?.login, "function");
+
+  const actionExecutor = app.make("actionExecutor");
+  assert.equal(typeof actionExecutor?.execute, "function");
+
+  const definitions = actionExecutor.listDefinitions();
+  assert.equal(Array.isArray(definitions), true);
+  assert.equal(definitions.some((definition) => definition.id === "auth.login.password"), true);
+  const sessionRead = definitions.find((definition) => definition.id === "auth.session.read");
+  assert.deepEqual(sessionRead?.surfaces, ["home", "console"]);
+});
+
+test("auth supabase provider registers authService in standalone mode without users.profile.sync.service", async () => {
+  const app = createApplication();
+  app.instance("appConfig", createAppConfigFixture());
+  app.instance(KERNEL_TOKENS.Env, {
+    AUTH_SUPABASE_URL: "https://example.supabase.co",
+    AUTH_SUPABASE_PUBLISHABLE_KEY: "sb_publishable_test_key",
+    AUTH_PROFILE_MODE: "standalone",
+    APP_PUBLIC_URL: "http://localhost:5173",
+    NODE_ENV: "test"
+  });
+  app.instance(KERNEL_TOKENS.Logger, {
+    info() {},
+    warn() {},
+    error() {},
+    debug() {}
+  });
+  app.instance("domainEvents", {
+    async publish() {}
+  });
+
+  await app.start({
+    providers: [ActionRuntimeServiceProvider, AuthSupabaseServiceProvider]
+  });
+
+  const authService = app.make("authService");
+  assert.equal(typeof authService?.login, "function");
+});
+
+test("auth supabase provider requires users.profile.sync.service when AUTH_PROFILE_MODE=users", async () => {
+  const app = createApplication();
+  app.instance("appConfig", createAppConfigFixture());
+  app.instance(KERNEL_TOKENS.Env, {
+    AUTH_SUPABASE_URL: "https://example.supabase.co",
+    AUTH_SUPABASE_PUBLISHABLE_KEY: "sb_publishable_test_key",
+    AUTH_PROFILE_MODE: "users",
+    APP_PUBLIC_URL: "http://localhost:5173",
+    NODE_ENV: "test"
+  });
+  app.instance(KERNEL_TOKENS.Logger, {
+    info() {},
+    warn() {},
+    error() {},
+    debug() {}
+  });
+  app.instance("domainEvents", {
+    async publish() {}
+  });
+
+  await app.start({
+    providers: [ActionRuntimeServiceProvider, AuthSupabaseServiceProvider]
+  });
+
+  assert.throws(() => app.make("authService"), /AUTH_PROFILE_MODE=users/);
+});
+
+test("auth supabase provider rejects unsupported AUTH_PROFILE_MODE values", async () => {
+  const app = createApplication();
+  app.instance("appConfig", createAppConfigFixture());
+  app.instance(KERNEL_TOKENS.Env, {
+    AUTH_SUPABASE_URL: "https://example.supabase.co",
+    AUTH_SUPABASE_PUBLISHABLE_KEY: "sb_publishable_test_key",
+    AUTH_PROFILE_MODE: "invalid",
+    APP_PUBLIC_URL: "http://localhost:5173",
+    NODE_ENV: "test"
+  });
+  app.instance(KERNEL_TOKENS.Logger, {
+    info() {},
+    warn() {},
+    error() {},
+    debug() {}
+  });
+  app.instance("domainEvents", {
+    async publish() {}
+  });
+
+  await app.start({
+    providers: [ActionRuntimeServiceProvider, AuthSupabaseServiceProvider]
+  });
+
+  assert.throws(() => app.make("authService"), /Unsupported AUTH_PROFILE_MODE/);
+});