@lobb-js/lobb-ext-auth 0.13.0 → 0.14.0

package/dist/auth.js

@@ -17,7 +17,7 @@ export class Auth {
     async login(payload) {
         const response = await this.utils.lobb.request({
             method: "POST",
-            route: "/api/collections/auth_sessions",
+            route: "/api/actions/auth_login",
             payload: {
                 data: payload,
             },
@@ -41,8 +41,8 @@ export class Auth {
     }
     async logout() {
         await this.utils.lobb.request({
-            method: "DELETE",
-            route: "/api/extensions/auth/logout",
+            method: "POST",
+            route: "/api/actions/auth_logout",
         });
         localStorage.removeItem("lobb_session");
         const currentPath = window.location.pathname;

package/extensions/auth/database/init.ts

@@ -12,7 +12,7 @@ async function syncincAdminUserInDB(lobb: Lobb, extensionConfig: ExtensionConfig
   // syncinc the admin user in users collection
   const config = extensionConfig;
   const { email, password, ...extraFields } = config.admin;
-  const entries = (await lobb.collectionService.findAll({
+  const entries = (await lobb.collectionStore.findAll({
     collectionName: "auth_users",
     params: {
       filter: {
@@ -23,7 +23,7 @@ async function syncincAdminUserInDB(lobb: Lobb, extensionConfig: ExtensionConfig
   })).data;
   const adminUser = entries[0];
   if (!adminUser) {
-    await lobb.collectionService.createOne({
+    await lobb.collectionStore.createOne({
       collectionName: "auth_users",
       data: {
         ...extraFields,
@@ -39,7 +39,7 @@ async function syncincAdminUserInDB(lobb: Lobb, extensionConfig: ExtensionConfig
     );
 
     if (adminUser.email !== email || !passwordIdentical) {
-      await lobb.collectionService.updateOne({
+      await lobb.collectionStore.updateOne({
         collectionName: "auth_users",
         id: adminUser.id,
         data: {

package/extensions/auth/index.ts

@@ -5,12 +5,14 @@ import { collections } from "./collections/collections.ts";
 import { meta } from "./meta/meta.ts";
 import { migrations } from "./database/migrations.ts";
 import { getWorkflows } from "./workflows/index.ts";
+import { getAuthActions } from "./workflows/actions.ts";
 
 export default function auth(extensionConfig: ExtensionConfig): Extension {
   return {
     name: "auth",
     icon: "Key",
     collections: (lobb) => collections(lobb, extensionConfig),
+    actions: getAuthActions(extensionConfig),
     migrations: migrations,
     meta: (lobb) => meta(lobb, extensionConfig),
     workflows: getWorkflows(extensionConfig),

package/extensions/auth/openapi.ts

@@ -35,7 +35,7 @@ export const openapi = {
     },
   },
   paths: {
-    "/api/extensions/auth/login": {
+    "/api/actions/auth_login": {
       post: {
         tags: [
           "auth",
@@ -223,8 +223,8 @@ export const openapi = {
         },
       },
     },
-    "/api/extensions/auth/logout": {
-      delete: {
+    "/api/actions/auth_logout": {
+      post: {
         tags: [
           "auth",
         ],

package/extensions/auth/studio/auth.ts

@@ -26,7 +26,7 @@ export class Auth {
   public async login(payload: LoginPayload) {
     const response = await this.utils.lobb.request({
       method: "POST",
-      route: "/api/collections/auth_sessions",
+      route: "/api/actions/auth_login",
       payload: {
         data: payload,
       },
@@ -55,8 +55,8 @@ export class Auth {
 
   public async logout() {
     await this.utils.lobb.request({
-      method: "DELETE",
-      route: "/api/extensions/auth/logout",
+      method: "POST",
+      route: "/api/actions/auth_logout",
     });
     localStorage.removeItem("lobb_session");
     const currentPath = window.location.pathname;

package/extensions/auth/workflows/actionController.ts

@@ -0,0 +1,34 @@
+import type { Workflow } from "@lobb-js/core";
+import type { Context } from "hono";
+import { getBearerToken } from "../utils.ts";
+
+// `auth_logout` needs the session token, which arrives as a bearer header. Read
+// it off the Hono context here and pass it to the action (keeping the action
+// pure + internally callable with an explicit token), then return 204.
+//
+// `auth_login` needs no HTTP adaptation — its JSON body { email, password } maps
+// straight to the default action flow.
+
+export function getAuthActionControllerWorkflows(): Workflow[] {
+  return [
+    {
+      name: "authLogoutActionController",
+      eventName: "core.actions.controller.override",
+      handler: async (input, ctx) => {
+        if (input.name !== "auth_logout") return;
+
+        const context = input.context as Context;
+        const token = getBearerToken(context);
+        if (!token) {
+          throw new ctx.LobbError({
+            code: "BAD_REQUEST",
+            message: "You should pass session's token through the bearer header",
+          });
+        }
+
+        await ctx.lobb.runAction("auth_logout", { token });
+        return context.body(null, 204);
+      },
+    },
+  ];
+}

package/extensions/auth/workflows/actions.ts

@@ -0,0 +1,89 @@
+import type { ActionsConfig } from "@lobb-js/core";
+import { LobbError } from "@lobb-js/core";
+import type { ExtensionConfig, User } from "../config/extensionConfigSchema.ts";
+import { generateRandomId } from "../utils.ts";
+import { verify } from "argon2";
+
+// Login and logout used to hijack the auth_sessions CRUD endpoints (create =
+// login, deleteMany = logout), which made it impossible to manage session rows
+// normally. They're now first-class actions; the auth_sessions collection is a
+// plain CRUD collection again.
+
+export function getAuthActions(_extensionConfig: ExtensionConfig): ActionsConfig {
+  return {
+    // POST /api/actions/auth_login  { data: { email, password } }
+    auth_login: {
+      handler: async (input: any, ctx) => {
+        const email = input.data?.email ?? input.email;
+        const password = input.data?.password ?? input.password;
+
+        const users = await ctx.lobb.collectionStore.findAll({
+          collectionName: "auth_users",
+          params: { filter: { email } },
+        });
+
+        if (!users.data.length) {
+          throw new LobbError({
+            code: "NOT_FOUND",
+            message: `The user with this email (${email}) doesnt exist.`,
+          });
+        }
+
+        const user = users.data[0] as User;
+
+        const passwordIsCorrect = await verify(user.password, password);
+        if (!passwordIsCorrect) {
+          throw new LobbError({
+            code: "UNAUTHORIZED",
+            message: "The password provided is incorrect. Please verify and try again.",
+          });
+        }
+
+        const sessionPayload = {
+          token: generateRandomId(),
+          expires_at: new Date(Date.now() + 3600 * 1000),
+          user_id: user.id,
+        };
+
+        const sessionResult = await ctx.lobb.collectionStore.createOne({
+          collectionName: "auth_sessions",
+          data: sessionPayload,
+        });
+
+        return {
+          data: {
+            access_token: {
+              token: sessionPayload.token,
+              expires_at: sessionResult.data.expires_at,
+            },
+            user: {
+              id: user.id,
+              email: user.email,
+              role: user.role,
+            },
+          },
+        };
+      },
+    },
+
+    // POST /api/actions/auth_logout  (bearer header → resolved to { token })
+    auth_logout: {
+      handler: async (input: any, ctx) => {
+        const token = input.token;
+        if (!token) {
+          throw new LobbError({
+            code: "BAD_REQUEST",
+            message: "You should pass session's token through the bearer header",
+          });
+        }
+
+        await ctx.lobb.collectionStore.deleteMany({
+          collectionName: "auth_sessions",
+          filter: { token },
+        });
+
+        return { success: true };
+      },
+    },
+  };
+}

package/extensions/auth/workflows/baseWorkflow.ts

@@ -1,16 +1,16 @@
 import type { Workflow } from "@lobb-js/core";
 import type { Context } from "hono";
-import type { ExtensionConfig, User } from "../config/extensionConfigSchema.ts";
-import { generateRandomId, getBearerToken } from "../utils.ts";
-import { verify } from "argon2";
+import type { ExtensionConfig } from "../config/extensionConfigSchema.ts";
+import { getBearerToken } from "../utils.ts";
 
 export function getBaseWorkflows(_extensionConfig: ExtensionConfig): Workflow[] {
   return [
   {
     name: "auth_preventAdminUserDeletion",
-    eventName: "core.service.preDeleteOne",
+    eventName: "core.store.preDeleteOne",
     handler: async (input, ctx) => {
-      if (input.collectionName !== "auth_users") return;
+      if (input.collectionName !== "auth_users") return input;
+      if (input.triggeredBy !== "API") return input;
 
       if (Number(input.id) === 1) {
         throw new ctx.LobbError({
@@ -18,13 +18,15 @@ export function getBaseWorkflows(_extensionConfig: ExtensionConfig): Workflow[]
           message: "The admin user cannot be deleted.",
         });
       }
+      return input;
     },
   },
   {
     name: "auth_preventAdminUserUpdate",
-    eventName: "core.service.preUpdateOne",
+    eventName: "core.store.preUpdateOne",
     handler: async (input, ctx) => {
-      if (input.collectionName !== "auth_users") return;
+      if (input.collectionName !== "auth_users") return input;
+      if (input.triggeredBy !== "API") return input;
 
       if (Number(input.id) === 1) {
         throw new ctx.LobbError({
@@ -32,6 +34,7 @@ export function getBaseWorkflows(_extensionConfig: ExtensionConfig): Workflow[]
           message: "The admin user cannot be updated.",
         });
       }
+      return input;
     },
   },
   ...baseWorkflows,
@@ -53,7 +56,7 @@ export const baseWorkflows: Workflow[] = [
       const context = input.context as Context;
 
       // 1) Try the token as a normal user session.
-      const sessionsResult = await ctx.workflows.collectionService({
+      const sessionsResult = await ctx.workflows.collectionStore({
         method: "findAll",
         props: {
           collectionName: "auth_sessions",
@@ -63,7 +66,7 @@ export const baseWorkflows: Workflow[] = [
       const session = sessionsResult.data[0];
 
       if (session) {
-        const usersResult = await ctx.workflows.collectionService({
+        const usersResult = await ctx.workflows.collectionStore({
           method: "findAll",
           props: {
             collectionName: "auth_users",
@@ -79,7 +82,7 @@ export const baseWorkflows: Workflow[] = [
 
       // 2) Otherwise try the token as a share. Shares carry their own
       //    permissions snapshot and have a fixed expiry — no user identity.
-      const sharesResult = await ctx.workflows.collectionService({
+      const sharesResult = await ctx.workflows.collectionStore({
         method: "findAll",
         props: {
           collectionName: "auth_shares",
@@ -102,114 +105,4 @@ export const baseWorkflows: Workflow[] = [
       return input;
     },
   },
-  // auth_logins workflows
-  {
-    name: "auth_userLoginsHandler",
-    eventName: "core.controllers.preCreateOne",
-    handler: async (input, ctx) => {
-      if (input.collectionName === "auth_sessions") {
-        const payloadEmail = input.body.data.email;
-        const payloadPassword = input.body.data.password;
-
-        const users = await ctx.workflows.collectionService({
-          method: "findAll",
-          props: {
-            collectionName: "auth_users",
-            params: {
-              filter: {
-                email: payloadEmail,
-              },
-            },
-          },
-        });
-
-        if (!users.data.length) {
-          throw new ctx.LobbError({
-            code: "NOT_FOUND",
-            message: `The user with this email (${payloadEmail}) doesnt exist.`,
-          });
-        }
-
-        const user = users.data[0] as User;
-        const hashedPassword = user.password;
-
-        const passwordIsCorrect = await verify(
-          hashedPassword,
-          payloadPassword,
-        );
-        if (!passwordIsCorrect) {
-          throw new ctx.LobbError({
-            code: "UNAUTHORIZED",
-            message:
-              "The password provided is incorrect. Please verify and try again.",
-          });
-        }
-
-        const sessionPayload = {
-          token: generateRandomId(),
-          expires_at: new Date(Date.now() + 3600 * 1000),
-          user_id: user.id,
-        };
-
-        const sessionResult = await ctx.workflows.collectionService({
-          method: "createOne",
-          props: {
-            collectionName: "auth_sessions",
-            data: sessionPayload,
-          },
-        });
-
-        throw new Response(
-          JSON.stringify({
-            data: {
-              access_token: {
-                token: sessionPayload.token,
-                expires_at: sessionResult.data.expires_at,
-              },
-              user: {
-                id: user.id,
-                email: user.email,
-                role: user.role,
-              },
-            },
-          }),
-        );
-      }
-    },
-  },
-  {
-    name: "auth_userLogoutHandler",
-    eventName: "core.controllers.preDeleteMany",
-    handler: async (input, ctx) => {
-      if (input.collectionName === "auth_sessions") {
-        const context = input.context as Context;
-        const token = getBearerToken(context);
-
-        if (!token) {
-          throw new ctx.LobbError({
-            code: "BAD_REQUEST",
-            message:
-              "You should pass session's token through the bearer header",
-          });
-        }
-
-        await ctx.workflows.collectionService({
-          method: "deleteMany",
-          props: {
-            collectionName: "auth_sessions",
-            filter: {
-              token: token,
-            },
-          },
-        });
-
-        throw new Response(
-          null,
-          {
-            status: 204,
-          },
-        );
-      }
-    },
-  },
 ];

package/extensions/auth/workflows/index.ts

@@ -5,6 +5,7 @@ import { meAliasWorkflows } from "./meAliasWorkflows.ts";
 import { getCurrentUserPermissionsWorkflow } from "./currentUserPermissionsWorkflow.ts";
 import { getBaseWorkflows } from "./baseWorkflow.ts";
 import { getSharesWorkflows } from "./sharesWorkflows.ts";
+import { getAuthActionControllerWorkflows } from "./actionController.ts";
 import { init } from "../database/init.ts";
 export function getWorkflows(extensionConfig: ExtensionConfig): Workflow[] {
   return [
@@ -17,6 +18,7 @@ export function getWorkflows(extensionConfig: ExtensionConfig): Workflow[] {
     },
     ...getBaseWorkflows(extensionConfig),
     ...getSharesWorkflows(extensionConfig),
+    ...getAuthActionControllerWorkflows(),
 
     // TODO: think about putting the below workflows above at the beggining
     // this will give us the ability to specify which roles have the ability to login, register etc

package/extensions/auth/workflows/sharesWorkflows.ts

@@ -26,15 +26,16 @@ export function getSharesWorkflows(extensionConfig: ExtensionConfig): Workflow[]
       },
     },
     // Normalize the two ways a caller can specify share lifetime into the
-    // single `expires_at` column the rest of the system uses. Runs at the
-    // service layer, which fires before the store-level required-field
-    // check — so `expires_at` can stay schema-required while still letting
-    // callers send only `expires_in_seconds`. Keeps an explicit "neither
-    // provided" throw for a friendlier error message than the generic
-    // required-field error.
+    // single `expires_at` column the rest of the system uses. `order: "pre"`
+    // makes it run before the unordered subscribers of preCreateOne — crucially
+    // before the required-field check — so `expires_at` can stay schema-required
+    // while still letting callers send only `expires_in_seconds`. Keeps an
+    // explicit "neither provided" throw for a friendlier error message than the
+    // generic required-field error.
     {
       name: "auth_normalizeShareExpiry",
-      eventName: "core.service.preCreateOne",
+      eventName: "core.store.preCreateOne",
+      order: "pre",
       handler: async (input, ctx) => {
         if (input.collectionName !== "auth_shares") return input;
 
@@ -82,7 +83,7 @@ export function getSharesWorkflows(extensionConfig: ExtensionConfig): Workflow[]
     // subset of the creator's own permissions. Without this, any user who can
     // create rows in auth_shares could mint a token that grants admin-level
     // access. Only runs for API-triggered creates — internal callers (server
-    // code, tests using collectionService directly) are trusted.
+    // code, tests using collectionStore directly) are trusted.
     {
       name: "auth_validateShareSubset",
       eventName: "core.store.preCreateOne",
@@ -125,7 +126,7 @@ export function getSharesWorkflows(extensionConfig: ExtensionConfig): Workflow[]
       name: "auth_cleanupExpiredShares",
       eventName: "0 3 * * *",
       handler: async (_input, ctx) => {
-        await ctx.lobb.collectionService.deleteMany({
+        await ctx.lobb.collectionStore.deleteMany({
           collectionName: "auth_shares",
           filter: { expires_at: { $lt: new Date().toISOString() } },
         });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobb-js/lobb-ext-auth",
-  "version": "0.13.0",
+  "version": "0.14.0",
   "license": "UNLICENSED",
   "type": "module",
   "publishConfig": {
@@ -32,12 +32,12 @@
     "package": "svelte-package --input extensions/auth/studio"
   },
   "dependencies": {
-    "@lobb-js/core": "^0.40.0",
+    "@lobb-js/core": "^0.41.0",
     "argon2": "^0.40.3",
     "hono": "^4.7.0"
   },
   "devDependencies": {
-    "@lobb-js/studio": "^0.47.0",
+    "@lobb-js/studio": "^0.49.0",
     "@lucide/svelte": "^0.563.1",
     "@sveltejs/adapter-node": "^5.5.4",
     "@sveltejs/kit": "^2.60.1",