@jskit-ai/auth-web 0.1.86 → 0.1.87

package/package.descriptor.mjs

@@ -1,7 +1,7 @@
 export default Object.freeze({
   "packageVersion": 1,
   "packageId": "@jskit-ai/auth-web",
-  "version": "0.1.86",
+  "version": "0.1.87",
   "kind": "runtime",
   "description": "Auth web module: Fastify auth routes plus web login/sign-out scaffolds.",
   "dependsOn": [
@@ -247,10 +247,10 @@ export default Object.freeze({
     "dependencies": {
       "runtime": {
         "@mdi/js": "^7.4.47",
-        "@jskit-ai/auth-core": "0.1.84",
-        "@jskit-ai/http-runtime": "0.1.84",
-        "@jskit-ai/kernel": "0.1.85",
-        "@jskit-ai/shell-web": "0.1.84"
+        "@jskit-ai/auth-core": "0.1.85",
+        "@jskit-ai/http-runtime": "0.1.85",
+        "@jskit-ai/kernel": "0.1.86",
+        "@jskit-ai/shell-web": "0.1.85"
       },
       "dev": {}
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jskit-ai/auth-web",
-  "version": "0.1.86",
+  "version": "0.1.87",
   "type": "module",
   "scripts": {
     "test": "node --test"
@@ -18,11 +18,11 @@
     "./client/runtime/useSignOut": "./src/client/runtime/useSignOut.js"
   },
   "dependencies": {
-    "@jskit-ai/auth-core": "0.1.84",
+    "@jskit-ai/auth-core": "0.1.85",
     "@mdi/js": "^7.4.47",
-    "@jskit-ai/kernel": "0.1.85",
-    "@jskit-ai/shell-web": "0.1.84",
-    "@jskit-ai/http-runtime": "0.1.84"
+    "@jskit-ai/kernel": "0.1.86",
+    "@jskit-ai/shell-web": "0.1.85",
+    "@jskit-ai/http-runtime": "0.1.85"
   },
   "peerDependencies": {
     "@tanstack/vue-query": "^5.90.5",

package/src/client/composables/loginView/useLoginViewActions.js

@@ -7,6 +7,7 @@ import { authLoginOtpVerifyCommand } from "@jskit-ai/auth-core/shared/commands/a
 import { authLoginOAuthStartCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthStartCommand";
 import { authPasswordResetRequestCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordResetRequestCommand";
 import { AUTH_PATHS, buildAuthOauthStartPath } from "@jskit-ai/auth-core/shared/authPaths";
+import { resolveAuthDeniedLoginMessage } from "@jskit-ai/auth-core/shared/authDenied";
 import { authHttpRequest } from "../../runtime/authHttpClient.js";
 import { completeOAuthCallbackFromCurrentLocation } from "../../runtime/oauthCallbackRuntime.js";
 import { normalizeAuthReturnToPath } from "../../lib/returnToPath.js";
@@ -136,6 +137,10 @@ export function useLoginViewActions({
   async function completeLogin() {
     const session = await refreshSession();
     if (!session?.authenticated) {
+      const authDeniedMessage = resolveAuthDeniedLoginMessage(session?.authDenied);
+      if (authDeniedMessage) {
+        throw new Error(authDeniedMessage);
+      }
       throw new Error("Login succeeded but the session is not active yet. Please retry.");
     }
     if (typeof window === "object" && window.location) {

package/src/client/runtime/oauthCallbackRuntime.js

@@ -1,4 +1,5 @@
 import { authLoginOAuthCompleteCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthCompleteCommand";
+import { resolveAuthDeniedLoginMessage } from "@jskit-ai/auth-core/shared/authDenied";
 import {
   OAUTH_QUERY_PARAM_PROVIDER,
   OAUTH_QUERY_PARAM_RETURN_TO
@@ -148,6 +149,10 @@ async function completeOAuthCallbackFromUrl({
     });
     const session = await refreshSession();
     if (!session?.authenticated) {
+      const authDeniedMessage = resolveAuthDeniedLoginMessage(session?.authDenied);
+      if (authDeniedMessage) {
+        throw new Error(authDeniedMessage);
+      }
       throw new Error("Login succeeded but the session is not active yet. Please retry.");
     }
 

package/src/server/controllers/AuthController.js

@@ -1,3 +1,4 @@
+import { normalizeAuthDenied } from "@jskit-ai/auth-core/shared/authDenied";
 import { AUTH_ACTION_IDS } from "../constants/authActionIds.js";
 import { AuthWebService } from "../services/AuthWebService.js";
 
@@ -146,9 +147,11 @@ class AuthController {
     }
 
     if (!authResult.authenticated) {
+      const authDenied = normalizeAuthDenied(authResult.authDenied);
       reply.code(200).send({
         authenticated: false,
         csrfToken,
+        ...(authDenied ? { authDenied } : {}),
         ...oauthCatalogPayload
       });
       return;

package/test/loginViewActions.test.js

@@ -2,6 +2,25 @@ import assert from "node:assert/strict";
 import test from "node:test";
 import { buildAuthOauthStartPath } from "@jskit-ai/auth-core/shared/authPaths";
 import { useLoginViewActions } from "../src/client/composables/loginView/useLoginViewActions.js";
+import { clearAuthCsrfTokenCache } from "../src/client/runtime/authHttpClient.js";
+
+function createJsonResponse(payload = {}, { status = 200 } = {}) {
+  return {
+    ok: status >= 200 && status < 300,
+    status,
+    headers: {
+      get(name) {
+        return String(name || "").toLowerCase() === "content-type" ? "application/json" : null;
+      }
+    },
+    async json() {
+      return payload;
+    },
+    async text() {
+      return JSON.stringify(payload);
+    }
+  };
+}
 
 function createMinimalLoginViewState(requestedReturnTo = "/") {
   return {
@@ -10,15 +29,18 @@ function createMinimalLoginViewState(requestedReturnTo = "/") {
     errorMessage: { value: "" },
     infoMessage: { value: "" },
     loading: { value: false },
+    submitAttempted: { value: false },
     email: { value: "" },
-    password: { value: "" },
+    password: { value: "password-123" },
     otpCode: { value: "" },
     otpRequestPending: { value: false },
     registerConfirmationResendPending: { value: false },
     pendingEmailConfirmationAddress: { value: "" },
+    rememberAccountOnDevice: { value: true },
     oauthProviders: { value: [] },
     oauthDefaultProvider: { value: "google" },
     isRegister: { value: false },
+    isForgot: { value: false },
     isOtp: { value: false },
     showRememberedAccount: { value: false },
     rememberedAccountDisplayName: { value: "" },
@@ -57,3 +79,102 @@ test("useLoginViewActions preserves the intended destination when starting OAuth
     assert.equal(state.errorMessage.value, "");
   });
 });
+
+async function runPasswordLoginWithPostLoginSession(sessionPayload) {
+  clearAuthCsrfTokenCache();
+  const state = createMinimalLoginViewState("/");
+  const fetchCalls = [];
+  const reports = [];
+  const originalFetch = globalThis.fetch;
+  let sessionReads = 0;
+
+  globalThis.fetch = async (url, options = {}) => {
+    const normalizedUrl = String(url || "");
+    const method = String(options.method || "GET").toUpperCase();
+    fetchCalls.push({ url: normalizedUrl, method });
+
+    if (normalizedUrl === "/api/session" && method === "GET") {
+      sessionReads += 1;
+      return createJsonResponse(
+        sessionReads === 1
+          ? { authenticated: false, csrfToken: "csrf-a" }
+          : { csrfToken: "csrf-b", ...sessionPayload }
+      );
+    }
+
+    if (normalizedUrl === "/api/login" && method === "POST") {
+      return createJsonResponse({ ok: true, username: "Ada" });
+    }
+
+    throw new Error(`Unexpected fetch call: ${method} ${normalizedUrl}`);
+  };
+
+  try {
+    const actions = useLoginViewActions({
+      state,
+      validation: {
+        canSubmit: { value: true }
+      },
+      queryClient: {
+        async fetchQuery({ queryFn }) {
+          return queryFn();
+        }
+      },
+      errorRuntime: {
+        report(entry) {
+          reports.push(entry);
+        }
+      }
+    });
+
+    await actions.submitAuth();
+    return { state, fetchCalls, reports };
+  } finally {
+    globalThis.fetch = originalFetch;
+    clearAuthCsrfTokenCache();
+  }
+}
+
+test("useLoginViewActions shows allowlist denial after successful password login", async () => {
+  const { state, fetchCalls, reports } = await runPasswordLoginWithPostLoginSession({
+    authenticated: false,
+    authDenied: {
+      code: "not_allowlisted",
+      message: "This account is not allowed to access this application."
+    }
+  });
+
+  assert.equal(
+    state.errorMessage.value,
+    "Sign-in succeeded, but this account is not allowed to access this application."
+  );
+  assert.deepEqual(fetchCalls.map((entry) => `${entry.method} ${entry.url}`), [
+    "GET /api/session",
+    "POST /api/login",
+    "GET /api/session"
+  ]);
+  assert.equal(reports[0]?.message, state.errorMessage.value);
+});
+
+test("useLoginViewActions shows blocked denial after successful password login", async () => {
+  const { state } = await runPasswordLoginWithPostLoginSession({
+    authenticated: false,
+    authDenied: {
+      code: "blocked",
+      message: "This account has been blocked from accessing this application."
+    }
+  });
+
+  assert.equal(
+    state.errorMessage.value,
+    "Sign-in succeeded, but this account has been blocked from accessing this application."
+  );
+});
+
+test("useLoginViewActions keeps retry message for generic post-login unauthenticated sessions", async () => {
+  const { state } = await runPasswordLoginWithPostLoginSession({
+    authenticated: false
+  });
+
+  assert.equal(state.errorMessage.value, "Login succeeded but the session is not active yet. Please retry.");
+});

package/test/oauthCallbackRuntime.test.js

@@ -138,6 +138,52 @@ test("completeOAuthCallbackFromUrl fails when the refreshed session is still una
   assert.equal(result.errorMessage, "Login succeeded but the session is not active yet. Please retry.");
 });
 
+test("completeOAuthCallbackFromUrl maps allowlist auth denial to a clear message", async () => {
+  const result = await completeOAuthCallbackFromUrl({
+    url: "/auth/login?oauthProvider=google&code=abc",
+    request: async () => ({
+      username: "Ada"
+    }),
+    refreshSession: async () => ({
+      authenticated: false,
+      authDenied: {
+        code: "not_allowlisted",
+        message: "This account is not allowed to access this application."
+      }
+    })
+  });
+
+  assert.equal(result.handled, true);
+  assert.equal(result.completed, false);
+  assert.equal(
+    result.errorMessage,
+    "Sign-in succeeded, but this account is not allowed to access this application."
+  );
+});
+
+test("completeOAuthCallbackFromUrl maps blocked auth denial to a clear message", async () => {
+  const result = await completeOAuthCallbackFromUrl({
+    url: "/auth/login?oauthProvider=google&code=abc",
+    request: async () => ({
+      username: "Ada"
+    }),
+    refreshSession: async () => ({
+      authenticated: false,
+      authDenied: {
+        code: "blocked",
+        message: "This account has been blocked from accessing this application."
+      }
+    })
+  });
+
+  assert.equal(result.handled, true);
+  assert.equal(result.completed, false);
+  assert.equal(
+    result.errorMessage,
+    "Sign-in succeeded, but this account has been blocked from accessing this application."
+  );
+});
+
 test("completeOAuthCallbackFromCurrentLocation reads from window.location.href", async () => {
   const originalWindow = globalThis.window;
   globalThis.window = {

package/test/providerRuntime.test.js

@@ -28,6 +28,9 @@ function createReplyStub() {
     sent: false,
     statusCode: null,
     payload: null,
+    async generateCsrf() {
+      return "csrf-test";
+    },
     code(value) {
       this.statusCode = value;
       return this;
@@ -223,3 +226,62 @@ test("auth route provider does not resolve authService during boot", async () =>
   assert.equal(loginReply.statusCode, 200);
   assert.equal(authServiceResolutions, 1);
 });
+
+test("auth session route exposes denial reason when policy clears a rejected authenticated session", async () => {
+  const events = [];
+  const fastify = createFastifyStub();
+  const app = createApplication();
+  const httpRuntime = createHttpRuntime({ app, fastify });
+
+  const authService = {
+    writeSessionCookies() {
+      events.push({ type: "writeSession" });
+    },
+    clearSessionCookies() {
+      events.push({ type: "clearSession" });
+    },
+    getOAuthProviderCatalog() {
+      return { providers: [], defaultProvider: "" };
+    }
+  };
+
+  app.instance("authService", authService);
+  app.instance("actionExecutor", {
+    async execute({ actionId }) {
+      if (actionId === "auth.session.read") {
+        return {
+          authenticated: false,
+          clearSession: true,
+          transientFailure: false,
+          authDenied: {
+            code: "not_allowlisted",
+            message: "This account is not allowed to access this application."
+          }
+        };
+      }
+      return {};
+    }
+  });
+
+  class MockAuthProvider {
+    static id = "auth.provider";
+  }
+
+  await app.start({ providers: [MockAuthProvider, AuthWebServiceProvider, AuthRouteServiceProvider] });
+
+  const registration = httpRuntime.registerRoutes();
+  assert.equal(registration.routeCount > 0, true);
+
+  const sessionRoute = fastify.routes.find((route) => route.method === "GET" && route.url === "/api/session");
+  assert.ok(sessionRoute);
+  const sessionReply = createReplyStub();
+  await sessionRoute.handler({}, sessionReply);
+
+  assert.equal(sessionReply.statusCode, 200);
+  assert.equal(sessionReply.payload.authenticated, false);
+  assert.deepEqual(sessionReply.payload.authDenied, {
+    code: "not_allowlisted",
+    message: "This account is not allowed to access this application."
+  });
+  assert.deepEqual(events, [{ type: "clearSession" }]);
+});