@jskit-ai/auth-web 0.1.4

package/src/server/controllers/AuthController.js

@@ -0,0 +1,183 @@
+import { AUTH_ACTION_IDS } from "../constants/authActionIds.js";
+import { AuthWebService } from "../services/AuthWebService.js";
+
+class AuthController {
+  constructor({ service } = {}) {
+    if (!service) {
+      throw new Error("AuthController requires AuthWebService instance.");
+    }
+    this.service = service;
+  }
+
+  getOAuthProviderCatalogPayload() {
+    return this.service.getOAuthProviderCatalogPayload();
+  }
+
+  async register(request, reply) {
+    const payload = request.body || {};
+    const result = await this.service.register(request, payload);
+
+    this.service.writeSessionCookies(reply, result.session);
+
+    if (result.requiresEmailConfirmation) {
+      reply.code(201).send({
+        ok: true,
+        requiresEmailConfirmation: true,
+        message: "Check your email to confirm the account before logging in."
+      });
+      return;
+    }
+
+    reply.code(201).send({
+      ok: true,
+      username: result.profile.displayName,
+      requiresEmailConfirmation: false
+    });
+  }
+
+  async login(request, reply) {
+    const payload = request.body || {};
+    const result = await this.service.login(request, payload);
+
+    this.service.writeSessionCookies(reply, result.session);
+
+    reply.code(200).send({
+      ok: true,
+      username: result.profile.displayName
+    });
+  }
+
+  async requestOtpLogin(request, reply) {
+    const payload = request.body || {};
+    const result = await this.service.requestOtpLogin(request, payload);
+    reply.code(200).send(result);
+  }
+
+  async verifyOtpLogin(request, reply) {
+    const payload = request.body || {};
+    const result = await this.service.verifyOtpLogin(request, payload);
+
+    this.service.writeSessionCookies(reply, result.session);
+    reply.code(200).send({
+      ok: true,
+      username: result.profile.displayName,
+      email: result.profile.email
+    });
+  }
+
+  async oauthStart(request, reply) {
+    const provider = request.params?.provider;
+    const returnTo = request.query?.returnTo;
+    const result = await this.service.oauthStart(request, { provider, returnTo });
+    reply.redirect(result.url);
+  }
+
+  async oauthComplete(request, reply) {
+    const payload = request.body || {};
+    const result = await this.service.oauthComplete(request, payload);
+    this.service.writeSessionCookies(reply, result.session);
+
+    reply.code(200).send({
+      ok: true,
+      provider: result.provider,
+      username: result.profile.displayName,
+      email: result.profile.email
+    });
+  }
+
+  async logout(request, reply) {
+    let clearSession = true;
+    try {
+      const result = await this.service.logout(request);
+      clearSession = result?.clearSession !== false;
+    } catch (error) {
+      if (request?.log && typeof request.log.warn === "function") {
+        request.log.warn({ err: error }, "Auth logout fallback: clearing local session cookies.");
+      }
+      clearSession = true;
+    }
+
+    if (clearSession) {
+      this.service.clearSessionCookies(reply);
+    }
+
+    reply.code(200).send({
+      ok: true
+    });
+  }
+
+  async session(request, reply) {
+    const csrfToken = await reply.generateCsrf();
+    const oauthCatalogPayload = this.getOAuthProviderCatalogPayload();
+    const authResult = await this.service.session(request);
+
+    if (authResult.clearSession) {
+      this.service.clearSessionCookies(reply);
+    }
+    if (authResult.session) {
+      this.service.writeSessionCookies(reply, authResult.session);
+    }
+
+    if (authResult.transientFailure) {
+      reply.code(503).send({
+        error: "Authentication service temporarily unavailable. Please retry.",
+        csrfToken,
+        ...oauthCatalogPayload
+      });
+      return;
+    }
+
+    if (!authResult.authenticated) {
+      reply.code(200).send({
+        authenticated: false,
+        csrfToken,
+        ...oauthCatalogPayload
+      });
+      return;
+    }
+
+    reply.code(200).send({
+      authenticated: true,
+      username: authResult.profile.displayName,
+      csrfToken,
+      ...oauthCatalogPayload
+    });
+  }
+
+  async requestPasswordReset(request, reply) {
+    const payload = request.body || {};
+    const result = await this.service.requestPasswordReset(request, payload);
+    reply.code(200).send(result);
+  }
+
+  async completePasswordRecovery(request, reply) {
+    const payload = request.body || {};
+    const result = await this.service.completePasswordRecovery(request, payload);
+    this.service.writeSessionCookies(reply, result.session);
+    reply.code(200).send({
+      ok: true
+    });
+  }
+
+  async resetPassword(request, reply) {
+    const payload = request.body || {};
+    await this.service.resetPassword(request, payload);
+    this.service.clearSessionCookies(reply);
+    reply.code(200).send({
+      ok: true,
+      message: "Password updated. Sign in with your new password."
+    });
+  }
+}
+
+function createController({ service, authService } = {}) {
+  if (!service) {
+    if (!authService) {
+      throw new Error("createController requires either service or authService.");
+    }
+    service = new AuthWebService({ authService });
+  }
+  return new AuthController({ service });
+}
+
+export { AuthController, AUTH_ACTION_IDS, createController };

package/src/server/providers/AuthRouteServiceProvider.js

@@ -0,0 +1,31 @@
+import { KERNEL_TOKENS } from "@jskit-ai/kernel/shared/support/tokens";
+import { AuthController } from "../controllers/AuthController.js";
+import { buildRoutes } from "../routes/authRoutes.js";
+
+class AuthRouteServiceProvider {
+  static id = "auth.routes";
+
+  static dependsOn = ["auth.web"];
+
+  register(app) {
+    if (!app || typeof app.has !== "function") {
+      throw new Error("AuthRouteServiceProvider requires application has().");
+    }
+  }
+
+  boot(app) {
+    if (!app || typeof app.make !== "function") {
+      throw new Error("AuthRouteServiceProvider requires application make().");
+    }
+
+    const router = app.make(KERNEL_TOKENS.HttpRouter);
+    const authWebService = app.make("auth.web.service");
+    const controller = new AuthController({ service: authWebService });
+    const routes = buildRoutes(controller);
+    for (const route of routes) {
+      router.register(route.method, route.path, route, route.handler);
+    }
+  }
+}
+
+export { AuthRouteServiceProvider };

package/src/server/providers/AuthWebServiceProvider.js

@@ -0,0 +1,23 @@
+import { AuthWebService } from "../services/AuthWebService.js";
+
+class AuthWebServiceProvider {
+  static id = "auth.web";
+
+  static dependsOn = ["auth.provider"];
+
+  register(app) {
+    if (!app || typeof app.singleton !== "function" || typeof app.has !== "function") {
+      throw new Error("AuthWebServiceProvider requires application singleton()/has().");
+    }
+    if (!app.has("actionExecutor")) {
+      throw new Error("AuthWebServiceProvider requires actionExecutor binding.");
+    }
+
+    app.singleton("auth.web.service", (scope) => {
+      const authService = scope.make("authService");
+      return new AuthWebService({ authService });
+    });
+  }
+}
+
+export { AuthWebServiceProvider };

package/src/server/routes/authRoutes.js

@@ -0,0 +1,244 @@
+import { withStandardErrorResponses } from "@jskit-ai/http-runtime/shared/validators/errorResponses";
+import { authRegisterCommand } from "@jskit-ai/auth-core/shared/commands/authRegisterCommand";
+import { authLoginPasswordCommand } from "@jskit-ai/auth-core/shared/commands/authLoginPasswordCommand";
+import { authLoginOtpRequestCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOtpRequestCommand";
+import { authLoginOtpVerifyCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOtpVerifyCommand";
+import { authLoginOAuthStartCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthStartCommand";
+import { authLoginOAuthCompleteCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthCompleteCommand";
+import { authPasswordResetRequestCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordResetRequestCommand";
+import { authPasswordRecoveryCompleteCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordRecoveryCompleteCommand";
+import { authPasswordResetCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordResetCommand";
+import { authLogoutCommand } from "@jskit-ai/auth-core/shared/commands/authLogoutCommand";
+import { authSessionReadCommand } from "@jskit-ai/auth-core/shared/commands/authSessionReadCommand";
+import { AUTH_PATHS } from "@jskit-ai/auth-core/shared/authPaths";
+
+function buildRoutes(controller) {
+  if (!controller) {
+    throw new Error("Auth routes require a controller instance.");
+  }
+
+  const handler = (methodName) => controller[methodName].bind(controller);
+
+  return [
+    {
+      path: AUTH_PATHS.REGISTER,
+      method: "POST",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Register a new user"
+      },
+      bodyValidator: authRegisterCommand.operation.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          201: authRegisterCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 10,
+        timeWindow: "1 minute"
+      },
+      handler: handler("register")
+    },
+    {
+      path: AUTH_PATHS.LOGIN,
+      method: "POST",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Log in with configured credentials"
+      },
+      bodyValidator: authLoginPasswordCommand.operation.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: authLoginPasswordCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 10,
+        timeWindow: "1 minute"
+      },
+      handler: handler("login")
+    },
+    {
+      path: AUTH_PATHS.LOGIN_OTP_REQUEST,
+      method: "POST",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Request one-time email login code"
+      },
+      bodyValidator: authLoginOtpRequestCommand.operation.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: authLoginOtpRequestCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 10,
+        timeWindow: "1 minute"
+      },
+      handler: handler("requestOtpLogin")
+    },
+    {
+      path: AUTH_PATHS.LOGIN_OTP_VERIFY,
+      method: "POST",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Verify one-time email login code and create session"
+      },
+      bodyValidator: authLoginOtpVerifyCommand.operation.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: authLoginOtpVerifyCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 10,
+        timeWindow: "1 minute"
+      },
+      handler: handler("verifyOtpLogin")
+    },
+    {
+      path: AUTH_PATHS.OAUTH_START_TEMPLATE,
+      method: "GET",
+      auth: "public",
+      csrfProtection: false,
+      meta: {
+        tags: ["auth"],
+        summary: "Start OAuth login with configured provider"
+      },
+      paramsValidator: authLoginOAuthStartCommand.operation.paramsValidator,
+      queryValidator: authLoginOAuthStartCommand.operation.queryValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          302: authLoginOAuthStartCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 20,
+        timeWindow: "1 minute"
+      },
+      handler: handler("oauthStart")
+    },
+    {
+      path: AUTH_PATHS.OAUTH_COMPLETE,
+      method: "POST",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Complete OAuth code exchange and set session cookies"
+      },
+      bodyValidator: authLoginOAuthCompleteCommand.operation.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: authLoginOAuthCompleteCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 20,
+        timeWindow: "1 minute"
+      },
+      handler: handler("oauthComplete")
+    },
+    {
+      path: AUTH_PATHS.PASSWORD_FORGOT,
+      method: "POST",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Request a password reset email"
+      },
+      bodyValidator: authPasswordResetRequestCommand.operation.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: authPasswordResetRequestCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 5,
+        timeWindow: "1 minute"
+      },
+      handler: handler("requestPasswordReset")
+    },
+    {
+      path: AUTH_PATHS.PASSWORD_RECOVERY,
+      method: "POST",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Complete password recovery link exchange"
+      },
+      bodyValidator: authPasswordRecoveryCompleteCommand.operation.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: authPasswordRecoveryCompleteCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 20,
+        timeWindow: "1 minute"
+      },
+      handler: handler("completePasswordRecovery")
+    },
+    {
+      path: AUTH_PATHS.PASSWORD_RESET,
+      method: "POST",
+      auth: "required",
+      meta: {
+        tags: ["auth"],
+        summary: "Set a new password for authenticated recovery session"
+      },
+      bodyValidator: authPasswordResetCommand.operation.bodyValidator,
+      responseValidators: withStandardErrorResponses(
+        {
+          200: authPasswordResetCommand.operation.responseValidator
+        },
+        { includeValidation400: true }
+      ),
+      rateLimit: {
+        max: 20,
+        timeWindow: "1 minute"
+      },
+      handler: handler("resetPassword")
+    },
+    {
+      path: AUTH_PATHS.LOGOUT,
+      method: "POST",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Log out and clear session cookies"
+      },
+      responseValidators: withStandardErrorResponses({
+        200: authLogoutCommand.operation.responseValidator
+      }),
+      handler: handler("logout")
+    },
+    {
+      path: AUTH_PATHS.SESSION,
+      method: "GET",
+      auth: "public",
+      meta: {
+        tags: ["auth"],
+        summary: "Get current session status and CSRF token"
+      },
+      responseValidators: withStandardErrorResponses({
+        200: authSessionReadCommand.operation.responseValidator,
+        503: authSessionReadCommand.operation.unavailableResponseValidator
+      }),
+      handler: handler("session")
+    }
+  ];
+}
+
+export { buildRoutes };

package/src/server/services/AuthWebService.js

@@ -0,0 +1,126 @@
+import { AUTH_ACTION_IDS } from "../constants/authActionIds.js";
+
+class AuthWebService {
+  constructor({ authService } = {}) {
+    if (!authService) {
+      throw new Error("authService is required.");
+    }
+    this.authService = authService;
+  }
+
+  static get actionIds() {
+    return AUTH_ACTION_IDS;
+  }
+
+  async register(request, payload) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.REGISTER,
+      input: payload
+    });
+  }
+
+  async login(request, payload) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.LOGIN_PASSWORD,
+      input: payload
+    });
+  }
+
+  async requestOtpLogin(request, payload) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.LOGIN_OTP_REQUEST,
+      input: payload
+    });
+  }
+
+  async verifyOtpLogin(request, payload) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.LOGIN_OTP_VERIFY,
+      input: payload
+    });
+  }
+
+  async oauthStart(request, input) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.LOGIN_OAUTH_START,
+      input
+    });
+  }
+
+  async oauthComplete(request, payload) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.LOGIN_OAUTH_COMPLETE,
+      input: payload
+    });
+  }
+
+  async logout(request) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.LOGOUT
+    });
+  }
+
+  async session(request) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.SESSION_READ
+    });
+  }
+
+  async requestPasswordReset(request, payload) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.PASSWORD_RESET_REQUEST,
+      input: payload
+    });
+  }
+
+  async completePasswordRecovery(request, payload) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.PASSWORD_RECOVERY_COMPLETE,
+      input: payload
+    });
+  }
+
+  async resetPassword(request, payload) {
+    return request.executeAction({
+      actionId: AUTH_ACTION_IDS.PASSWORD_RESET,
+      input: payload
+    });
+  }
+
+  writeSessionCookies(reply, session) {
+    if (session && reply) {
+      this.authService.writeSessionCookies(reply, session);
+    }
+  }
+
+  clearSessionCookies(reply) {
+    if (reply) {
+      this.authService.clearSessionCookies(reply);
+    }
+  }
+
+  getOAuthProviderCatalogPayload() {
+    const catalog =
+      typeof this.authService.getOAuthProviderCatalog === "function"
+        ? this.authService.getOAuthProviderCatalog()
+        : null;
+    const providers = Array.isArray(catalog?.providers)
+      ? catalog.providers
+          .map((provider) => ({
+            id: String(provider?.id || "").trim().toLowerCase(),
+            label: String(provider?.label || "").trim()
+          }))
+          .filter((provider) => provider.id && provider.label)
+      : [];
+    const defaultProvider = String(catalog?.defaultProvider || "").trim().toLowerCase();
+
+    return {
+      oauthProviders: providers,
+      oauthDefaultProvider: providers.some((provider) => provider.id === defaultProvider)
+        ? defaultProvider
+        : null
+    };
+  }
+}
+
+export { AuthWebService };

package/templates/src/pages/auth/login.vue

@@ -0,0 +1,17 @@
+<route lang="json">
+{
+  "meta": {
+    "guard": {
+      "policy": "public"
+    }
+  }
+}
+</route>
+
+<script setup>
+import DefaultLoginView from "@jskit-ai/auth-web/client/views/DefaultLoginView";
+</script>
+
+<template>
+  <DefaultLoginView />
+</template>

package/templates/src/pages/auth/signout.vue

@@ -0,0 +1,17 @@
+<route lang="json">
+{
+  "meta": {
+    "guard": {
+      "policy": "public"
+    }
+  }
+}
+</route>
+
+<script setup>
+import DefaultSignOutView from "@jskit-ai/auth-web/client/views/DefaultSignOutView";
+</script>
+
+<template>
+  <DefaultSignOutView />
+</template>

package/templates/src/runtime/authGuardRuntime.js

@@ -0,0 +1,7 @@
+export {
+  createAuthGuardRuntime,
+  isAuthGuardRuntime,
+  initializeAuthGuardRuntime,
+  refreshAuthGuardState,
+  getAuthGuardState
+} from "@jskit-ai/auth-web/client/runtime/authGuardRuntime";

package/templates/src/runtime/authHttpClient.js

@@ -0,0 +1 @@
+export { authHttpRequest, clearAuthCsrfTokenCache } from "@jskit-ai/auth-web/client/runtime/authHttpClient";

package/templates/src/runtime/useSignOut.js

@@ -0,0 +1 @@
+export { useSignOut, createSignOutAction, performSignOutRequest } from "@jskit-ai/auth-web/client/runtime/useSignOut";

package/templates/src/views/auth/LoginView.vue

@@ -0,0 +1,7 @@
+<script setup>
+import DefaultLoginView from "@jskit-ai/auth-web/client/views/DefaultLoginView";
+</script>
+
+<template>
+  <DefaultLoginView />
+</template>

package/templates/src/views/auth/SignOutView.vue

@@ -0,0 +1,7 @@
+<script setup>
+import DefaultSignOutView from "@jskit-ai/auth-web/client/views/DefaultSignOutView";
+</script>
+
+<template>
+  <DefaultSignOutView />
+</template>