@jskit-ai/auth-provider-supabase-core 0.1.54 → 0.1.56

package/package.descriptor.mjs

@@ -1,7 +1,7 @@
 export default Object.freeze({
   "packageVersion": 1,
   "packageId": "@jskit-ai/auth-provider-supabase-core",
-  "version": "0.1.54",
+  "version": "0.1.56",
   "kind": "runtime",
   "options": {
     "auth-supabase-url": {
@@ -83,8 +83,8 @@ export default Object.freeze({
   "mutations": {
     "dependencies": {
       "runtime": {
-        "@jskit-ai/auth-core": "0.1.54",
-        "@jskit-ai/kernel": "0.1.55",
+        "@jskit-ai/auth-core": "0.1.56",
+        "@jskit-ai/kernel": "0.1.57",
         "dotenv": "^16.4.5",
         "@supabase/supabase-js": "^2.57.4",
         "jose": "^6.1.0"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jskit-ai/auth-provider-supabase-core",
-  "version": "0.1.54",
+  "version": "0.1.56",
   "type": "module",
   "scripts": {
     "test": "node --test"
@@ -12,8 +12,9 @@
     "./client": "./src/client/index.js"
   },
   "dependencies": {
-    "@jskit-ai/auth-core": "0.1.54",
-    "@jskit-ai/kernel": "0.1.55",
+    "@jskit-ai/auth-core": "0.1.56",
+    "@jskit-ai/kernel": "0.1.57",
+    "json-rest-schema": "1.x.x",
     "jose": "^6.1.0",
     "@supabase/supabase-js": "^2.57.4"
   }

package/src/server/lib/accountFlows.js

@@ -1,8 +1,12 @@
 import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import { authRegisterBodyValidator } from "@jskit-ai/auth-core/shared/commands/authRegisterCommand";
+import { authRegisterConfirmationResendBodyValidator } from "@jskit-ai/auth-core/shared/commands/authRegisterConfirmationResendCommand";
+import { authLoginPasswordBodyValidator } from "@jskit-ai/auth-core/shared/commands/authLoginPasswordCommand";
+import { authLoginOtpRequestBodyValidator } from "@jskit-ai/auth-core/shared/commands/authLoginOtpRequestCommand";
+import { authLoginOtpVerifyBodyValidator } from "@jskit-ai/auth-core/shared/commands/authLoginOtpVerifyCommand";
 import {
   requireAuthUser,
-  requireAuthUserSession,
-  requireNoFieldErrors
+  requireAuthUserSession
 } from "./flowGuards.js";
 
 function normalizeLocalReturnToPath(value, { fallback = "" } = {}) {
@@ -21,7 +25,6 @@ function normalizeLocalReturnToPath(value, { fallback = "" } = {}) {
 function createAccountFlows(deps) {
   const {
     ensureConfigured,
-    validators,
     validationError,
     getSupabaseClient,
     displayNameFromEmail,
@@ -33,7 +36,6 @@ function createAccountFlows(deps) {
     appPublicUrl,
     isTransientSupabaseError,
     isUserNotFoundLikeAuthError,
-    parseOtpLoginVerifyPayload,
     mapOtpVerifyError,
     setSessionFromRequestCookies,
     mapProfileUpdateError,
@@ -82,8 +84,11 @@ function createAccountFlows(deps) {
   async function register(payload) {
     ensureConfigured();
 
-    const parsed = validators.registerInput(payload);
-    requireNoFieldErrors(parsed, validationError);
+    const result = authRegisterBodyValidator.schema.create(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
 
     const supabase = getSupabaseClient();
     const response = await supabase.auth.signUp({
@@ -126,8 +131,11 @@ function createAccountFlows(deps) {
   async function resendRegisterConfirmation(payload) {
     ensureConfigured();
 
-    const parsed = validators.forgotPasswordInput(payload);
-    requireNoFieldErrors(parsed, validationError);
+    const result = authRegisterConfirmationResendBodyValidator.schema.create(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
 
     const supabase = getSupabaseClient();
     const emailRedirectTo = resolveRegisterEmailRedirectTo();
@@ -175,8 +183,11 @@ function createAccountFlows(deps) {
   async function login(payload) {
     ensureConfigured();
 
-    const parsed = validators.loginInput(payload);
-    requireNoFieldErrors(parsed, validationError);
+    const result = authLoginPasswordBodyValidator.schema.create(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
 
     const supabase = getSupabaseClient();
     const response = await supabase.auth.signInWithPassword({
@@ -201,10 +212,13 @@ function createAccountFlows(deps) {
   async function requestOtpLogin(payload) {
     ensureConfigured();
 
-    const parsed = validators.forgotPasswordInput(payload);
-    requireNoFieldErrors(parsed, validationError);
+    const result = authLoginOtpRequestBodyValidator.schema.create(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
 
-    const emailRedirectTo = resolveOtpEmailRedirectTo(payload?.returnTo);
+    const emailRedirectTo = resolveOtpEmailRedirectTo(parsed.returnTo);
     const supabase = getSupabaseClient();
     let response;
     try {
@@ -250,22 +264,41 @@ function createAccountFlows(deps) {
   async function verifyOtpLogin(payload) {
     ensureConfigured();
 
-    const parsed = parseOtpLoginVerifyPayload(payload);
-    requireNoFieldErrors(parsed, validationError);
+    const result = authLoginOtpVerifyBodyValidator.schema.patch(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
+    const fieldErrors = {};
+    const token = String(parsed.token || "").trim();
+    const tokenHash = String(parsed.tokenHash || "").trim();
+    const type = String(parsed.type || "email").trim().toLowerCase();
+
+    if (!token && !tokenHash) {
+      fieldErrors.token = "One-time code is required.";
+    }
+
+    if (!tokenHash && !parsed.email) {
+      fieldErrors.email = "Email is required.";
+    }
+
+    if (Object.keys(fieldErrors).length > 0) {
+      throw validationError(fieldErrors);
+    }
 
     const supabase = getSupabaseClient();
     let response;
     try {
-      if (parsed.tokenHash) {
+      if (tokenHash) {
         response = await supabase.auth.verifyOtp({
-          token_hash: parsed.tokenHash,
-          type: parsed.type
+          token_hash: tokenHash,
+          type
         });
       } else {
         response = await supabase.auth.verifyOtp({
           email: parsed.email,
-          token: parsed.token,
-          type: parsed.type
+          token,
+          type
         });
       }
     } catch (error) {

package/src/server/lib/actions/auth.contributor.js

@@ -1,6 +1,11 @@
+import { createSchema } from "json-rest-schema";
 import {
-  EMPTY_INPUT_VALIDATOR
+  emptyInputValidator
 } from "@jskit-ai/kernel/shared/actions/actionContributorHelpers";
+import {
+  composeSchemaDefinitions
+} from "@jskit-ai/kernel/shared/validators";
+import { deepFreeze } from "@jskit-ai/kernel/shared/support/deepFreeze";
 import {
   authRegisterCommand,
   authRegisterConfirmationResendCommand,
@@ -15,6 +20,22 @@ import {
   authPasswordResetCommand
 } from "@jskit-ai/auth-core/shared/commands";
 
+const authLoginOAuthStartInput = composeSchemaDefinitions([
+  authLoginOAuthStartCommand.operation.params,
+  authLoginOAuthStartCommand.operation.query
+], {
+  mode: "patch",
+  context: "authContributor.authLoginOAuthStartInput"
+});
+
+const authLogoutOutput = deepFreeze({
+  schema: createSchema({
+    ok: { type: "boolean", required: true },
+    clearSession: { type: "boolean", required: true }
+  }),
+  mode: "replace"
+});
+
 function requireRequestContext(context, actionId) {
   const request = context?.requestMeta?.request || null;
   if (request) {
@@ -30,7 +51,7 @@ const devLoginAsAction = Object.freeze({
   kind: "command",
   channels: ["api", "internal"],
   surfacesFrom: "enabled",
-  inputValidator: authDevLoginAsCommand.operation.bodyValidator,
+  input: authDevLoginAsCommand.operation.body,
   idempotency: "none",
   audit: {
     actionName: "auth.dev.loginAs"
@@ -48,7 +69,7 @@ const authActionsBeforeDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authRegisterCommand.operation.bodyValidator,
+    input: authRegisterCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.register"
@@ -64,7 +85,7 @@ const authActionsBeforeDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authRegisterConfirmationResendCommand.operation.bodyValidator,
+    input: authRegisterConfirmationResendCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.register.confirmation.resend"
@@ -80,7 +101,7 @@ const authActionsBeforeDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authLoginPasswordCommand.operation.bodyValidator,
+    input: authLoginPasswordCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.login.password"
@@ -96,7 +117,7 @@ const authActionsBeforeDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authLoginOtpRequestCommand.operation.bodyValidator,
+    input: authLoginOtpRequestCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.login.otp.request"
@@ -112,7 +133,7 @@ const authActionsBeforeDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authLoginOtpVerifyCommand.operation.bodyValidator,
+    input: authLoginOtpVerifyCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.login.otp.verify"
@@ -128,7 +149,7 @@ const authActionsBeforeDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: [authLoginOAuthStartCommand.operation.paramsValidator, authLoginOAuthStartCommand.operation.queryValidator],
+    input: authLoginOAuthStartInput,
     idempotency: "none",
     audit: {
       actionName: "auth.login.oauth.start"
@@ -144,7 +165,7 @@ const authActionsBeforeDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authLoginOAuthCompleteCommand.operation.bodyValidator,
+    input: authLoginOAuthCompleteCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.login.oauth.complete"
@@ -163,7 +184,7 @@ const authActionsAfterDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authPasswordResetRequestCommand.operation.bodyValidator,
+    input: authPasswordResetRequestCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.password.reset.request"
@@ -179,7 +200,7 @@ const authActionsAfterDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authPasswordRecoveryCompleteCommand.operation.bodyValidator,
+    input: authPasswordRecoveryCompleteCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.password.recovery.complete"
@@ -195,7 +216,7 @@ const authActionsAfterDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: authPasswordResetCommand.operation.bodyValidator,
+    input: authPasswordResetCommand.operation.body,
     idempotency: "none",
     audit: {
       actionName: "auth.password.reset"
@@ -211,22 +232,8 @@ const authActionsAfterDevLogin = Object.freeze([
     kind: "command",
     channels: ["api", "automation", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: EMPTY_INPUT_VALIDATOR,
-    outputValidator: {
-      schema: {
-        type: "object",
-        properties: {
-          ok: {
-            type: "boolean"
-          },
-          clearSession: {
-            type: "boolean"
-          }
-        },
-        required: ["ok", "clearSession"],
-        additionalProperties: false
-      }
-    },
+    input: emptyInputValidator,
+    output: authLogoutOutput,
     idempotency: "none",
     audit: {
       actionName: "auth.logout"
@@ -250,7 +257,7 @@ const authActionsAfterDevLogin = Object.freeze([
     kind: "query",
     channels: ["api", "internal"],
     surfacesFrom: "enabled",
-    inputValidator: EMPTY_INPUT_VALIDATOR,
+    input: emptyInputValidator,
     idempotency: "none",
     audit: {
       actionName: "auth.session.read"

package/src/server/lib/authInputParsers.js

@@ -1,31 +1,8 @@
 import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
-import {
-  AUTH_ACCESS_TOKEN_MAX_LENGTH,
-  AUTH_RECOVERY_TOKEN_MAX_LENGTH,
-  AUTH_REFRESH_TOKEN_MAX_LENGTH
-} from "@jskit-ai/auth-core/shared/authConstraints";
 import { normalizeOAuthProviderList } from "@jskit-ai/auth-core/shared/oauthProviders";
-import { validators } from "@jskit-ai/auth-core/server/validators";
 import { normalizeOAuthProviderFromCatalog } from "./oauthProviderCatalog.js";
 import { validationError } from "./authErrorMappers.js";
 
-const OTP_VERIFY_TYPE = "email";
-const SESSION_PAIR_REQUIRED_ERRORS = Object.freeze({
-  accessToken: "Access token is required when a refresh token is provided.",
-  refreshToken: "Refresh token is required when an access token is provided."
-});
-
-function applySessionPairValidation(accessToken, refreshToken, fieldErrors) {
-  if ((accessToken && !refreshToken) || (!accessToken && refreshToken)) {
-    if (!accessToken) {
-      fieldErrors.accessToken = SESSION_PAIR_REQUIRED_ERRORS.accessToken;
-    }
-    if (!refreshToken) {
-      fieldErrors.refreshToken = SESSION_PAIR_REQUIRED_ERRORS.refreshToken;
-    }
-  }
-}
-
 function resolveConfiguredOAuthProviders(options = {}) {
   return normalizeOAuthProviderList(options.providerIds, { fallback: [] });
 }
@@ -51,154 +28,6 @@ function normalizeOAuthProviderInput(value, options = {}) {
   });
 }
 
-function validatePasswordRecoveryPayload(payload) {
-  const code = String(payload?.code || "").trim();
-  const tokenHash = String(payload?.tokenHash || "").trim();
-  const type = String(payload?.type || "recovery")
-    .trim()
-    .toLowerCase();
-  const accessToken = String(payload?.accessToken || "").trim();
-  const refreshToken = String(payload?.refreshToken || "").trim();
-
-  const fieldErrors = {};
-
-  if (type !== "recovery") {
-    fieldErrors.type = "Only recovery password reset links are supported.";
-  }
-
-  if (code.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
-    fieldErrors.code = "Recovery code is too long.";
-  }
-
-  if (tokenHash.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
-    fieldErrors.tokenHash = "Recovery token is too long.";
-  }
-
-  if (accessToken.length > AUTH_ACCESS_TOKEN_MAX_LENGTH) {
-    fieldErrors.accessToken = "Access token is too long.";
-  }
-
-  if (refreshToken.length > AUTH_REFRESH_TOKEN_MAX_LENGTH) {
-    fieldErrors.refreshToken = "Refresh token is too long.";
-  }
-
-  applySessionPairValidation(accessToken, refreshToken, fieldErrors);
-
-  const hasCode = Boolean(code);
-  const hasTokenHash = Boolean(tokenHash);
-  const hasSessionPair = Boolean(accessToken && refreshToken);
-
-  if (!hasCode && !hasTokenHash && !hasSessionPair) {
-    fieldErrors.recovery = "Recovery token is required.";
-  }
-
-  return {
-    code,
-    tokenHash,
-    type,
-    accessToken,
-    refreshToken,
-    hasCode,
-    hasTokenHash,
-    hasSessionPair,
-    fieldErrors
-  };
-}
-
-function parseOAuthCompletePayload(payload = {}, options = {}) {
-  const code = String(payload.code || "").trim();
-  const accessToken = String(payload.accessToken || "").trim();
-  const refreshToken = String(payload.refreshToken || "").trim();
-  const errorCode = String(payload.error || payload.error_code || "").trim();
-  const errorDescription = String(payload.errorDescription || payload.error_description || "").trim();
-  const fieldErrors = {};
-
-  if (code.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
-    fieldErrors.code = "OAuth code is too long.";
-  }
-
-  if (errorCode.length > 128) {
-    fieldErrors.error = "OAuth error code is too long.";
-  }
-
-  if (errorDescription.length > 1024) {
-    fieldErrors.errorDescription = "OAuth error description is too long.";
-  }
-
-  if (accessToken.length > AUTH_ACCESS_TOKEN_MAX_LENGTH) {
-    fieldErrors.accessToken = "Access token is too long.";
-  }
-
-  if (refreshToken.length > AUTH_REFRESH_TOKEN_MAX_LENGTH) {
-    fieldErrors.refreshToken = "Refresh token is too long.";
-  }
-
-  applySessionPairValidation(accessToken, refreshToken, fieldErrors);
-
-  const hasSessionPair = Boolean(accessToken && refreshToken);
-  const provider =
-    !hasSessionPair || code || errorCode
-      ? normalizeOAuthProviderInput(payload.provider || options.defaultProvider, options)
-      : null;
-
-  if (!code && !errorCode && !hasSessionPair) {
-    fieldErrors.code = "OAuth code is required when access/refresh tokens are not provided.";
-  }
-
-  return {
-    provider,
-    code,
-    accessToken,
-    refreshToken,
-    hasSessionPair,
-    errorCode,
-    errorDescription,
-    fieldErrors
-  };
-}
-
-function parseOtpLoginVerifyPayload(payload = {}) {
-  const parsedEmail = validators.forgotPasswordInput(payload);
-  const token = String(payload?.token || "").trim();
-  const tokenHash = String(payload?.tokenHash || "").trim();
-  const type = String(payload?.type || OTP_VERIFY_TYPE)
-    .trim()
-    .toLowerCase();
-  const fieldErrors = {
-    ...parsedEmail.fieldErrors
-  };
-
-  if (type !== OTP_VERIFY_TYPE) {
-    fieldErrors.type = "Only email OTP verification is supported.";
-  }
-
-  if (!token && !tokenHash) {
-    fieldErrors.token = "One-time code is required.";
-  }
-
-  if (token && token.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
-    fieldErrors.token = "One-time code is too long.";
-  }
-
-  if (tokenHash && tokenHash.length > AUTH_RECOVERY_TOKEN_MAX_LENGTH) {
-    fieldErrors.tokenHash = "One-time token hash is too long.";
-  }
-
-  if (token && parsedEmail.fieldErrors.email) {
-    fieldErrors.email = parsedEmail.fieldErrors.email;
-  } else if (tokenHash) {
-    delete fieldErrors.email;
-  }
-
-  return {
-    email: parsedEmail.email,
-    token,
-    tokenHash,
-    type,
-    fieldErrors
-  };
-}
-
 function mapOAuthCallbackError(errorCode) {
   const normalizedCode = String(errorCode || "")
     .trim()
@@ -213,8 +42,5 @@ function mapOAuthCallbackError(errorCode) {
 
 export {
   normalizeOAuthProviderInput,
-  validatePasswordRecoveryPayload,
-  parseOAuthCompletePayload,
-  parseOtpLoginVerifyPayload,
   mapOAuthCallbackError
 };

package/src/server/lib/authenticatedProfile.js

@@ -0,0 +1,78 @@
+import { createSchema } from "json-rest-schema";
+import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import { RECORD_ID_PATTERN } from "@jskit-ai/kernel/shared/validators";
+
+const authenticatedProfileSchema = createSchema({
+  id: {
+    type: "string",
+    required: true,
+    minLength: 1,
+    pattern: RECORD_ID_PATTERN
+  },
+  email: {
+    type: "string",
+    required: true,
+    minLength: 1,
+    lowercase: true
+  },
+  username: {
+    type: "string",
+    required: false,
+    lowercase: true
+  },
+  displayName: {
+    type: "string",
+    required: true,
+    minLength: 1
+  },
+  authProvider: {
+    type: "string",
+    required: true,
+    minLength: 1,
+    lowercase: true
+  },
+  authProviderUserSid: {
+    type: "string",
+    required: true,
+    minLength: 1
+  },
+  avatarStorageKey: {
+    type: "string",
+    required: false,
+    nullable: true
+  },
+  avatarVersion: {
+    type: "string",
+    required: false,
+    nullable: true
+  }
+});
+
+function requireAuthenticatedProfile(profileLike, { context = "authenticated profile" } = {}) {
+  const source = profileLike && typeof profileLike === "object" && !Array.isArray(profileLike) ? profileLike : {};
+  const candidate = {
+    id: source.id,
+    email: source.email,
+    displayName: source.displayName,
+    authProvider: source.authProvider,
+    authProviderUserSid: source.authProviderUserSid
+  };
+  if (Object.hasOwn(source, "username")) {
+    candidate.username = source.username;
+  }
+  if (Object.hasOwn(source, "avatarStorageKey")) {
+    candidate.avatarStorageKey = source.avatarStorageKey;
+  }
+  if (Object.hasOwn(source, "avatarVersion")) {
+    candidate.avatarVersion = source.avatarVersion;
+  }
+
+  const { validatedObject, errors } = authenticatedProfileSchema.create(candidate);
+  if (Object.keys(errors).length > 0) {
+    throw new AppError(500, `${context} is invalid.`);
+  }
+
+  return validatedObject;
+}
+
+export { requireAuthenticatedProfile };

package/src/server/lib/oauthFlows.js

@@ -1,4 +1,6 @@
 import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import { authLoginOAuthStartParamsValidator, authLoginOAuthStartQueryValidator } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthStartCommand";
+import { authLoginOAuthCompleteBodyValidator } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthCompleteCommand";
 
 function createOauthFlows(deps) {
   const {
@@ -13,7 +15,6 @@ function createOauthFlows(deps) {
     mapAuthError,
     setSessionFromRequestCookies,
     buildOAuthLinkRedirectUrl,
-    parseOAuthCompletePayload,
     validationError,
     mapOAuthCallbackError,
     mapRecoveryError,
@@ -50,8 +51,22 @@ function createOauthFlows(deps) {
   async function oauthStart(payload = {}) {
     ensureConfigured();
 
-    const provider = normalizeOAuthProviderInput(payload.provider || authOAuthDefaultProvider);
-    const returnTo = normalizeReturnToPath(payload.returnTo, { fallback: "/" });
+    const paramsResult = authLoginOAuthStartParamsValidator.schema.patch({
+      provider: payload.provider || authOAuthDefaultProvider
+    });
+    if (Object.keys(paramsResult.errors).length > 0) {
+      throw validationError(paramsResult.errors);
+    }
+
+    const queryResult = authLoginOAuthStartQueryValidator.schema.patch({
+      returnTo: payload.returnTo
+    });
+    if (Object.keys(queryResult.errors).length > 0) {
+      throw validationError(queryResult.errors);
+    }
+
+    const provider = normalizeOAuthProviderInput(paramsResult.validatedObject.provider);
+    const returnTo = normalizeReturnToPath(queryResult.validatedObject.returnTo, { fallback: "/" });
     const redirectTo = buildOAuthLoginRedirectUrl({
       appPublicUrl,
       provider,
@@ -72,9 +87,23 @@ function createOauthFlows(deps) {
   async function startProviderLink(request, payload = {}) {
     ensureConfigured();
 
+    const paramsResult = authLoginOAuthStartParamsValidator.schema.patch({
+      provider: payload.provider || authOAuthDefaultProvider
+    });
+    if (Object.keys(paramsResult.errors).length > 0) {
+      throw validationError(paramsResult.errors);
+    }
+
+    const queryResult = authLoginOAuthStartQueryValidator.schema.patch({
+      returnTo: payload.returnTo
+    });
+    if (Object.keys(queryResult.errors).length > 0) {
+      throw validationError(queryResult.errors);
+    }
+
+    const provider = normalizeOAuthProviderInput(paramsResult.validatedObject.provider);
+    const returnTo = normalizeReturnToPath(queryResult.validatedObject.returnTo, { fallback: "/" });
     const supabase = getSupabaseClient();
-    const provider = normalizeOAuthProviderInput(payload.provider || authOAuthDefaultProvider);
-    const returnTo = normalizeReturnToPath(payload.returnTo, { fallback: "/" });
     await setSessionFromRequestCookies(request, {
       supabaseClient: supabase
     });
@@ -102,25 +131,55 @@ function createOauthFlows(deps) {
   async function oauthComplete(payload = {}) {
     ensureConfigured();
 
-    const parsed = parseOAuthCompletePayload(payload);
-    if (Object.keys(parsed.fieldErrors).length > 0) {
-      throw validationError(parsed.fieldErrors);
+    const result = authLoginOAuthCompleteBodyValidator.schema.patch(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
+    const code = String(parsed.code || "").trim();
+    const accessToken = String(parsed.accessToken || "").trim();
+    const refreshToken = String(parsed.refreshToken || "").trim();
+    const errorCode = String(parsed.error || parsed.error_code || "").trim();
+    const errorDescription = String(parsed.errorDescription || parsed.error_description || "").trim();
+    const hasSessionPair = Boolean(accessToken && refreshToken);
+    const fieldErrors = {};
+
+    if ((accessToken && !refreshToken) || (!accessToken && refreshToken)) {
+      if (!accessToken) {
+        fieldErrors.accessToken = "Access token is required when a refresh token is provided.";
+      }
+      if (!refreshToken) {
+        fieldErrors.refreshToken = "Refresh token is required when an access token is provided.";
+      }
     }
 
-    if (parsed.errorCode) {
-      throw mapOAuthCallbackError(parsed.errorCode, parsed.errorDescription);
+    if (!code && !errorCode && !hasSessionPair) {
+      fieldErrors.code = "OAuth code is required when access/refresh tokens are not provided.";
+    }
+
+    if (Object.keys(fieldErrors).length > 0) {
+      throw validationError(fieldErrors);
+    }
+
+    const provider =
+      !hasSessionPair || code || errorCode
+        ? normalizeOAuthProviderInput(parsed.provider || authOAuthDefaultProvider)
+        : null;
+
+    if (errorCode) {
+      throw mapOAuthCallbackError(errorCode, errorDescription);
     }
 
     const supabase = getSupabaseClient();
     let response;
     try {
-      if (parsed.hasSessionPair) {
+      if (hasSessionPair) {
         response = await supabase.auth.setSession({
-          access_token: parsed.accessToken,
-          refresh_token: parsed.refreshToken
+          access_token: accessToken,
+          refresh_token: refreshToken
         });
       } else {
-        response = await supabase.auth.exchangeCodeForSession(parsed.code);
+        response = await supabase.auth.exchangeCodeForSession(code);
       }
     } catch (error) {
       throw mapRecoveryError(error);
@@ -133,7 +192,7 @@ function createOauthFlows(deps) {
     const profile = await syncProfileFromSupabaseUser(response.data.user, response.data.user.email);
 
     return {
-      provider: parsed.provider,
+      provider,
       profile,
       session: response.data.session
     };

package/src/server/lib/passwordSecurityFlows.js

@@ -1,20 +1,20 @@
 import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import { authPasswordResetRequestBodyValidator } from "@jskit-ai/auth-core/shared/commands/authPasswordResetRequestCommand";
+import { authPasswordRecoveryCompleteBodyValidator } from "@jskit-ai/auth-core/shared/commands/authPasswordRecoveryCompleteCommand";
+import { authPasswordResetBodyValidator } from "@jskit-ai/auth-core/shared/commands/authPasswordResetCommand";
 import {
   requireAuthUser,
   requireAuthSession,
-  requireAuthUserSession,
-  requireNoFieldErrors
+  requireAuthUserSession
 } from "./flowGuards.js";
 
 function createPasswordSecurityFlows(deps) {
   const {
     ensureConfigured,
-    validators,
     validationError,
     getSupabaseClient,
     passwordResetRedirectUrl,
     mapAuthError,
-    validatePasswordRecoveryPayload,
     mapRecoveryError,
     syncProfileFromSupabaseUser,
     setSessionFromRequestCookies,
@@ -38,8 +38,11 @@ function createPasswordSecurityFlows(deps) {
   async function requestPasswordReset(payload) {
     ensureConfigured();
 
-    const parsed = validators.forgotPasswordInput(payload);
-    requireNoFieldErrors(parsed, validationError);
+    const result = authPasswordResetRequestBodyValidator.schema.create(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
 
     const supabase = getSupabaseClient();
     const options = { redirectTo: passwordResetRedirectUrl };
@@ -65,23 +68,51 @@ function createPasswordSecurityFlows(deps) {
   async function completePasswordRecovery(payload) {
     ensureConfigured();
 
-    const parsed = validatePasswordRecoveryPayload(payload);
-    requireNoFieldErrors(parsed, validationError);
+    const result = authPasswordRecoveryCompleteBodyValidator.schema.patch(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
+    const code = String(parsed.code || "").trim();
+    const tokenHash = String(parsed.tokenHash || "").trim();
+    const accessToken = String(parsed.accessToken || "").trim();
+    const refreshToken = String(parsed.refreshToken || "").trim();
+    const hasCode = Boolean(code);
+    const hasTokenHash = Boolean(tokenHash);
+    const hasSessionPair = Boolean(accessToken && refreshToken);
+    const fieldErrors = {};
+
+    if ((accessToken && !refreshToken) || (!accessToken && refreshToken)) {
+      if (!accessToken) {
+        fieldErrors.accessToken = "Access token is required when a refresh token is provided.";
+      }
+      if (!refreshToken) {
+        fieldErrors.refreshToken = "Refresh token is required when an access token is provided.";
+      }
+    }
+
+    if (!hasCode && !hasTokenHash && !hasSessionPair) {
+      fieldErrors.recovery = "Recovery token is required.";
+    }
+
+    if (Object.keys(fieldErrors).length > 0) {
+      throw validationError(fieldErrors);
+    }
 
     const supabase = getSupabaseClient();
     let response;
     try {
-      if (parsed.hasCode) {
-        response = await supabase.auth.exchangeCodeForSession(parsed.code);
-      } else if (parsed.hasTokenHash) {
+      if (hasCode) {
+        response = await supabase.auth.exchangeCodeForSession(code);
+      } else if (hasTokenHash) {
         response = await supabase.auth.verifyOtp({
           type: "recovery",
-          token_hash: parsed.tokenHash
+          token_hash: tokenHash
         });
       } else {
         response = await supabase.auth.setSession({
-          access_token: parsed.accessToken,
-          refresh_token: parsed.refreshToken
+          access_token: accessToken,
+          refresh_token: refreshToken
         });
       }
       /* c8 ignore next 3 -- defensive: supabase-js usually surfaces failures via response.error. */
@@ -105,8 +136,11 @@ function createPasswordSecurityFlows(deps) {
   async function resetPassword(request, payload) {
     ensureConfigured();
 
-    const parsed = validators.resetPasswordInput(payload);
-    requireNoFieldErrors(parsed, validationError);
+    const result = authPasswordResetBodyValidator.schema.create(payload);
+    if (Object.keys(result.errors).length > 0) {
+      throw validationError(result.errors);
+    }
+    const parsed = result.validatedObject;
 
     const supabase = getSupabaseClient();
     const sessionResponse = await setSessionFromRequestCookies(request, {
@@ -267,6 +301,10 @@ function createPasswordSecurityFlows(deps) {
     if (response.error) {
       throw mapAuthError(response.error, Number(response.error?.status || 400));
     }
+
+    return {
+      ok: true
+    };
   }
 
   async function getSecurityStatus(request) {

package/src/server/lib/service.js

@@ -6,8 +6,6 @@ import {
   buildOAuthMethodId
 } from "@jskit-ai/auth-core/shared/authMethods";
 import { normalizeEmail } from "@jskit-ai/auth-core/server/utils";
-import { normalizeRecordId } from "@jskit-ai/kernel/shared/support/normalize";
-import { validators } from "@jskit-ai/auth-core/server/validators";
 import {
   isTransientAuthMessage,
   isTransientSupabaseError,
@@ -23,9 +21,6 @@ import {
 import { displayNameFromEmail, resolveDisplayName, resolveDisplayNameFromClaims } from "./authProfileNames.js";
 import {
   normalizeOAuthProviderInput as normalizeOAuthProviderInputFromCatalog,
-  validatePasswordRecoveryPayload,
-  parseOAuthCompletePayload as parseOAuthCompletePayloadFromCatalog,
-  parseOtpLoginVerifyPayload,
   mapOAuthCallbackError
 } from "./authInputParsers.js";
 import {
@@ -62,6 +57,7 @@ import {
   resolveDevAuthConfig,
   resolveDevAuthProfile
 } from "./devAuthBootstrap.js";
+import { requireAuthenticatedProfile } from "./authenticatedProfile.js";
 import {
   buildOAuthProviderCatalogResponse,
   resolveOAuthProviderQueryParams,
@@ -166,13 +162,6 @@ function createService(options) {
     });
   }
 
-  function parseOAuthCompletePayload(payload) {
-    return parseOAuthCompletePayloadFromCatalog(payload, {
-      providerIds: authOAuthProviderIds,
-      defaultProvider: authOAuthDefaultProvider
-    });
-  }
-
   function buildOAuthLoginRedirectUrlWithCatalog(payload) {
     return buildOAuthLoginRedirectUrl({
       ...payload,
@@ -408,11 +397,16 @@ function createService(options) {
   }
 
   function requireSynchronizedProfile(profile) {
-    if (profile && normalizeRecordId(profile.id, { fallback: null }) && String(profile.displayName || "").trim()) {
-      return profile;
+    try {
+      return requireAuthenticatedProfile(profile, {
+        context: "authentication profile"
+      });
+    } catch (error) {
+      if (error instanceof AppError) {
+        throw new AppError(500, "Authentication profile synchronization failed. Please retry.");
+      }
+      throw error;
     }
-
-    throw new AppError(500, "Authentication profile synchronization failed. Please retry.");
   }
 
   function buildNormalizedIdentityKey(identityLike) {
@@ -583,7 +577,6 @@ function createService(options) {
 
   const { register, resendRegisterConfirmation, login, requestOtpLogin, verifyOtpLogin, updateDisplayName } = createAccountFlows({
     ensureConfigured,
-    validators,
     validationError,
     getSupabaseClient,
     displayNameFromEmail,
@@ -595,7 +588,6 @@ function createService(options) {
     appPublicUrl,
     isTransientSupabaseError,
     isUserNotFoundLikeAuthError,
-    parseOtpLoginVerifyPayload,
     mapOtpVerifyError,
     setSessionFromRequestCookies,
     mapProfileUpdateError,
@@ -614,7 +606,6 @@ function createService(options) {
     mapAuthError,
     setSessionFromRequestCookies,
     buildOAuthLinkRedirectUrl: buildOAuthLinkRedirectUrlWithCatalog,
-    parseOAuthCompletePayload,
     validationError,
     mapOAuthCallbackError,
     mapRecoveryError,
@@ -636,12 +627,10 @@ function createService(options) {
     getSecurityStatus
   } = createPasswordSecurityFlows({
     ensureConfigured,
-    validators,
     validationError,
     getSupabaseClient,
     passwordResetRedirectUrl,
     mapAuthError,
-    validatePasswordRecoveryPayload,
     mapRecoveryError,
     syncProfileFromSupabaseUser,
     setSessionFromRequestCookies,
@@ -687,6 +676,14 @@ function createService(options) {
       }
     );
     if (devAuthResult) {
+      if (devAuthResult.authenticated === true) {
+        return {
+          ...devAuthResult,
+          profile: requireAuthenticatedProfile(devAuthResult.profile, {
+            context: "dev auth profile"
+          })
+        };
+      }
       return devAuthResult;
     }
 
@@ -837,10 +834,13 @@ function createService(options) {
 
   async function devLoginAs(request, input = {}) {
     ensureDevAuthBootstrapAvailable(devAuthConfig, request);
-    const profile = await resolveDevAuthProfile(input, {
+    const rawProfile = await resolveDevAuthProfile(input, {
       userProfilesRepository,
       validationError
     });
+    const profile = requireAuthenticatedProfile(rawProfile, {
+      context: "dev auth profile"
+    });
     return {
       profile,
       session: await createDevAuthSession(profile, devAuthConfig)
@@ -878,7 +878,6 @@ function createService(options) {
 }
 
 const __testables = {
-  validatePasswordRecoveryPayload,
   displayNameFromEmail,
   resolveDisplayName,
   resolveDisplayNameFromClaims,
@@ -901,8 +900,6 @@ const __testables = {
   buildOAuthLoginRedirectUrl,
   buildOAuthLinkRedirectUrl,
   normalizeOAuthProviderInput: normalizeOAuthProviderInputFromCatalog,
-  parseOAuthCompletePayload: parseOAuthCompletePayloadFromCatalog,
-  parseOtpLoginVerifyPayload,
   mapOAuthCallbackError,
   resolveSupabaseOAuthProviderCatalog,
   resolveOAuthProviderQueryParams,

package/src/server/lib/test-utils.js

@@ -26,10 +26,7 @@ export {
 
 export {
   normalizeOAuthProviderInput,
-  parseOAuthCompletePayload,
-  parseOtpLoginVerifyPayload,
-  mapOAuthCallbackError,
-  validatePasswordRecoveryPayload
+  mapOAuthCallbackError
 } from "./authInputParsers.js";
 
 export {

package/test/authInputParsers.test.js

@@ -1,36 +1,23 @@
 import assert from "node:assert/strict";
 import test from "node:test";
-import { parseOAuthCompletePayload } from "../src/server/lib/authInputParsers.js";
+import { normalizeOAuthProviderInput } from "../src/server/lib/authInputParsers.js";
 
-test("parseOAuthCompletePayload accepts provider-less session pairs", () => {
-  const parsed = parseOAuthCompletePayload(
-    {
-      accessToken: "access-token",
-      refreshToken: "refresh-token"
-    },
-    {
-      providerIds: [],
-      defaultProvider: null
-    }
-  );
+test("normalizeOAuthProviderInput uses the configured default provider", () => {
+  const provider = normalizeOAuthProviderInput("", {
+    providerIds: ["github", "google"],
+    defaultProvider: "github"
+  });
 
-  assert.equal(parsed.hasSessionPair, true);
-  assert.equal(parsed.provider, null);
-  assert.deepEqual(parsed.fieldErrors, {});
+  assert.equal(provider, "github");
 });
 
-test("parseOAuthCompletePayload still requires OAuth provider for code exchanges", () => {
+test("normalizeOAuthProviderInput rejects oauth sign-in when no providers are configured", () => {
   assert.throws(
     () =>
-      parseOAuthCompletePayload(
-        {
-          code: "oauth-code"
-        },
-        {
-          providerIds: [],
-          defaultProvider: null
-        }
-      ),
+      normalizeOAuthProviderInput("github", {
+        providerIds: [],
+        defaultProvider: null
+      }),
     (error) => {
       assert.equal(error?.status, 400);
       assert.equal(String(error?.details?.fieldErrors?.provider || "").length > 0, true);

package/test/devAuthBootstrap.test.js

@@ -120,6 +120,38 @@ test("dev auth bootstrap supports email lookup", async () => {
   assert.equal(result.profile.email, "ada@example.com");
 });
 
+test("dev auth bootstrap canonicalizes producer profiles before returning them", async () => {
+  const rawProfile = createProfile({
+    email: " ADA@EXAMPLE.COM ",
+    username: " Ada ",
+    displayName: " Ada Example ",
+    authProvider: " SUPABASE ",
+    authProviderUserSid: " supabase-user-7 ",
+    avatarStorageKey: " avatars/7.png ",
+    avatarVersion: 7,
+    avatarUpdatedAt: "2026-01-01T00:00:00.000Z",
+    createdAt: "2026-01-01T00:00:00.000Z"
+  });
+  const authService = createServiceFixture({
+    userProfilesRepository: createUserProfilesRepository(rawProfile)
+  });
+
+  const loginResult = await authService.devLoginAs(createLocalRequest(), {
+    userId: "7"
+  });
+
+  assert.deepEqual(loginResult.profile, {
+    id: "7",
+    email: "ada@example.com",
+    username: "ada",
+    displayName: "Ada Example",
+    authProvider: "supabase",
+    authProviderUserSid: "supabase-user-7",
+    avatarStorageKey: "avatars/7.png",
+    avatarVersion: "7"
+  });
+});
+
 test("dev auth bootstrap rejects non-local requests and clears leaked dev sessions", async () => {
   const authService = createServiceFixture();
   const issued = await authService.devLoginAs(createLocalRequest(), {