@marianmeres/ownsuite 2.0.0 → 2.2.1

package/dist/adapters/mock-auth.js

@@ -0,0 +1,237 @@
+/**
+ * @module adapters/mock-auth
+ *
+ * In-memory mock implementations of AuthAdapter and ProfileAdapter.
+ * Drives the unit tests for AuthManager / ProfileManager / SessionManager
+ * without a real server. Consumers can also use it to build demos or
+ * storybooks that exercise the full suite.
+ *
+ * Deliberately small: everything is held in a shared `Store` object the
+ * adapters close over, so tests can peek at or mutate state directly.
+ */
+export function createMockAuthStore(init = {}) {
+    const store = {
+        accounts: new Map(),
+        requireVerifiedEmail: init.requireVerifiedEmail ?? false,
+        jwtsByEmail: new Map(),
+    };
+    for (const a of init.seed ?? []) {
+        store.accounts.set(a.email, { ...a });
+    }
+    return store;
+}
+function mintJwt(email) {
+    return `mock.${btoa(email)}.${Date.now().toString(36)}`;
+}
+export function createMockAuthAdapter(store) {
+    return {
+        register(input, _ctx) {
+            if (store.accounts.has(input.email)) {
+                return Promise.reject(Object.assign(new Error("Conflict"), { status: 409 }));
+            }
+            const roles = (input.roles ?? ["user"]).filter((r) => !["admin", "root", "guest"].includes(r));
+            const effectiveRoles = roles.length > 0 ? roles : ["user"];
+            const account = {
+                email: input.email,
+                password: input.password,
+                roles: effectiveRoles,
+                isVerified: false,
+                hasPassword: true,
+                oauthConnections: [],
+            };
+            store.accounts.set(input.email, account);
+            if (store.requireVerifiedEmail) {
+                return Promise.resolve({
+                    email: input.email,
+                    roles: effectiveRoles,
+                    requiresVerification: true,
+                });
+            }
+            const jwt = mintJwt(input.email);
+            store.jwtsByEmail.set(input.email, jwt);
+            return Promise.resolve({
+                jwt,
+                email: input.email,
+                roles: effectiveRoles,
+                isVerified: account.isVerified,
+            });
+        },
+        login(input, _ctx) {
+            const acc = store.accounts.get(input.email);
+            if (!acc || acc.password !== input.password) {
+                return Promise.reject(Object.assign(new Error("Unauthorized"), { status: 401 }));
+            }
+            if (store.requireVerifiedEmail && !acc.isVerified) {
+                return Promise.reject(Object.assign(new Error("EMAIL_NOT_VERIFIED"), {
+                    status: 403,
+                    code: "EMAIL_NOT_VERIFIED",
+                }));
+            }
+            const jwt = mintJwt(input.email);
+            store.jwtsByEmail.set(input.email, jwt);
+            return Promise.resolve({
+                jwt,
+                email: acc.email,
+                roles: acc.roles,
+                isVerified: acc.isVerified,
+            });
+        },
+        logout(ctx) {
+            // Revoke the JWT associated with this bearer.
+            const jwt = ctx.jwt;
+            if (jwt) {
+                for (const [email, j] of store.jwtsByEmail) {
+                    if (j === jwt) {
+                        store.jwtsByEmail.delete(email);
+                        break;
+                    }
+                }
+            }
+            return Promise.resolve();
+        },
+        oauthInitUrl(provider, opts) {
+            const qs = new URLSearchParams({ action: opts.action });
+            if (opts.redirect)
+                qs.set("redirect", opts.redirect);
+            if (opts.lang)
+                qs.set("lang", opts.lang);
+            return `mock://oauth/${provider}/init?${qs}`;
+        },
+        resendVerification(input, _ctx) {
+            // Silently succeed whether or not the account exists.
+            if (!store.accounts.has(input.email))
+                return Promise.resolve();
+            // No-op in the mock — verifyMockAccount() stands in for the user
+            // clicking the link.
+            return Promise.resolve();
+        },
+        requestPasswordReset(_input, _ctx) {
+            return Promise.resolve();
+        },
+        changePassword(input, ctx) {
+            const jwt = ctx.jwt;
+            let email;
+            if (jwt) {
+                for (const [e, j] of store.jwtsByEmail) {
+                    if (j === jwt) {
+                        email = e;
+                        break;
+                    }
+                }
+            }
+            if (!email) {
+                return Promise.reject(Object.assign(new Error("Unauthorized"), { status: 401 }));
+            }
+            const acc = store.accounts.get(email);
+            if (!acc) {
+                return Promise.reject(Object.assign(new Error("NotFound"), { status: 404 }));
+            }
+            if (acc.password !== input.current_password) {
+                return Promise.reject(Object.assign(new Error("BadRequest"), { status: 400 }));
+            }
+            acc.password = input.new_password;
+            return Promise.resolve();
+        },
+        deleteAccount(_input, ctx) {
+            const jwt = ctx.jwt;
+            if (!jwt) {
+                return Promise.reject(Object.assign(new Error("Unauthorized"), { status: 401 }));
+            }
+            for (const [email, j] of store.jwtsByEmail) {
+                if (j === jwt) {
+                    store.accounts.delete(email);
+                    store.jwtsByEmail.delete(email);
+                    return Promise.resolve({ deleted: true });
+                }
+            }
+            return Promise.reject(Object.assign(new Error("Unauthorized"), { status: 401 }));
+        },
+    };
+}
+export function createMockProfileAdapter(store) {
+    function emailFromCtx(ctx) {
+        const jwt = ctx.jwt;
+        if (!jwt)
+            return null;
+        for (const [email, j] of store.jwtsByEmail) {
+            if (j === jwt)
+                return email;
+        }
+        return null;
+    }
+    return {
+        get(ctx) {
+            const email = emailFromCtx(ctx);
+            if (!email) {
+                return Promise.reject(Object.assign(new Error("Unauthorized"), { status: 401 }));
+            }
+            const acc = store.accounts.get(email);
+            if (!acc) {
+                return Promise.reject(Object.assign(new Error("NotFound"), { status: 404 }));
+            }
+            return Promise.resolve({
+                email: acc.email,
+                roles: acc.roles,
+                isVerified: acc.isVerified,
+                hasPassword: acc.hasPassword,
+                oauthConnections: [...acc.oauthConnections],
+            });
+        },
+        update(input, ctx) {
+            const email = emailFromCtx(ctx);
+            if (!email) {
+                return Promise.reject(Object.assign(new Error("Unauthorized"), { status: 401 }));
+            }
+            const acc = store.accounts.get(email);
+            if (!acc) {
+                return Promise.reject(Object.assign(new Error("NotFound"), { status: 404 }));
+            }
+            if (input.email && input.email !== acc.email) {
+                if (store.requireVerifiedEmail)
+                    acc.isVerified = false;
+                store.accounts.delete(acc.email);
+                acc.email = input.email;
+                store.accounts.set(acc.email, acc);
+                // Refresh JWT mapping too.
+                const jwt = store.jwtsByEmail.get(email);
+                if (jwt) {
+                    store.jwtsByEmail.delete(email);
+                    store.jwtsByEmail.set(acc.email, jwt);
+                }
+            }
+            return Promise.resolve({
+                email: acc.email,
+                roles: acc.roles,
+                isVerified: acc.isVerified,
+                hasPassword: acc.hasPassword,
+                oauthConnections: [...acc.oauthConnections],
+            });
+        },
+        listOAuth(ctx) {
+            const email = emailFromCtx(ctx);
+            if (!email)
+                return Promise.resolve([]);
+            const acc = store.accounts.get(email);
+            return Promise.resolve(acc ? [...acc.oauthConnections] : []);
+        },
+        unlinkOAuth(provider, ctx) {
+            const email = emailFromCtx(ctx);
+            if (!email) {
+                return Promise.reject(Object.assign(new Error("Unauthorized"), { status: 401 }));
+            }
+            const acc = store.accounts.get(email);
+            if (!acc) {
+                return Promise.reject(Object.assign(new Error("NotFound"), { status: 404 }));
+            }
+            acc.oauthConnections = acc.oauthConnections.filter((c) => c.provider !== provider);
+            return Promise.resolve();
+        },
+    };
+}
+/** Test helper — mark a mock account as verified as if the user had clicked
+ *  the link in the verification email. */
+export function verifyMockAccount(store, email) {
+    const acc = store.accounts.get(email);
+    if (acc)
+        acc.isVerified = true;
+}

package/dist/adapters/mod.d.ts

@@ -1 +1,3 @@
 export * from "./mock.js";
+export * from "./mock-auth.js";
+export * from "./stack-account.js";

package/dist/adapters/mod.js

@@ -1 +1,3 @@
 export * from "./mock.js";
+export * from "./mock-auth.js";
+export * from "./stack-account.js";

package/dist/adapters/stack-account.d.ts

@@ -0,0 +1,38 @@
+/**
+ * @module adapters/stack-account
+ *
+ * Default implementations of `AuthAdapter` and `ProfileAdapter` that target
+ * the `@marianmeres/stack-account` REST surface:
+ *
+ *   POST /api/account/register
+ *   POST /api/account/login
+ *   POST /api/account/logout
+ *   GET  /api/account/oauth/[provider]/init
+ *   POST /api/account/verify/resend
+ *   POST /api/account/password/reset
+ *   POST /api/account/password/change
+ *   GET/PUT/DELETE /api/account/me
+ *   GET  /api/account/me/oauth
+ *   DELETE /api/account/me/oauth/[provider]
+ *
+ * Apps whose server mounts stack-account at this path can just do:
+ *
+ *   const suite = createOwnsuite({
+ *     adapters: {
+ *       auth: createStackAccountAuthAdapter({ baseUrl: "/api/account" }),
+ *       profile: createStackAccountProfileAdapter({ baseUrl: "/api/account" }),
+ *     },
+ *   });
+ *
+ * Apps with custom routes should write their own adapter against the
+ * AuthAdapter / ProfileAdapter interfaces.
+ */
+import type { AuthAdapter, ProfileAdapter } from "../types/mod.js";
+export interface StackAccountAdapterOptions {
+    /** Base URL of the mounted stack-account app. Default: "/api/account". */
+    baseUrl?: string;
+    /** Override the `fetch` implementation (useful for tests / SSR). */
+    fetch?: typeof fetch;
+}
+export declare function createStackAccountAuthAdapter(opts?: StackAccountAdapterOptions): AuthAdapter;
+export declare function createStackAccountProfileAdapter(opts?: StackAccountAdapterOptions): ProfileAdapter;

package/dist/adapters/stack-account.js

@@ -0,0 +1,149 @@
+/**
+ * @module adapters/stack-account
+ *
+ * Default implementations of `AuthAdapter` and `ProfileAdapter` that target
+ * the `@marianmeres/stack-account` REST surface:
+ *
+ *   POST /api/account/register
+ *   POST /api/account/login
+ *   POST /api/account/logout
+ *   GET  /api/account/oauth/[provider]/init
+ *   POST /api/account/verify/resend
+ *   POST /api/account/password/reset
+ *   POST /api/account/password/change
+ *   GET/PUT/DELETE /api/account/me
+ *   GET  /api/account/me/oauth
+ *   DELETE /api/account/me/oauth/[provider]
+ *
+ * Apps whose server mounts stack-account at this path can just do:
+ *
+ *   const suite = createOwnsuite({
+ *     adapters: {
+ *       auth: createStackAccountAuthAdapter({ baseUrl: "/api/account" }),
+ *       profile: createStackAccountProfileAdapter({ baseUrl: "/api/account" }),
+ *     },
+ *   });
+ *
+ * Apps with custom routes should write their own adapter against the
+ * AuthAdapter / ProfileAdapter interfaces.
+ */
+function resolveFetch(opts) {
+    return opts?.fetch ?? (globalThis.fetch.bind(globalThis));
+}
+function join(base, path) {
+    if (!base)
+        return path;
+    if (base.endsWith("/"))
+        return `${base.slice(0, -1)}${path}`;
+    return `${base}${path}`;
+}
+function authHeaders(ctx) {
+    return ctx.jwt ? { Authorization: `Bearer ${ctx.jwt}` } : {};
+}
+async function postJson(doFetch, url, body, ctx) {
+    const res = await doFetch(url, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            ...authHeaders(ctx),
+        },
+        body: JSON.stringify(body),
+        signal: ctx.signal,
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw Object.assign(new Error(text || res.statusText), {
+            status: res.status,
+            body: text,
+        });
+    }
+    return (await res.json());
+}
+async function requestJson(doFetch, url, init, ctx) {
+    const res = await doFetch(url, {
+        ...init,
+        headers: {
+            ...(init.headers ?? {}),
+            ...authHeaders(ctx),
+            ...(init.body
+                ? { "Content-Type": "application/json" }
+                : {}),
+        },
+        signal: ctx.signal,
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw Object.assign(new Error(text || res.statusText), {
+            status: res.status,
+            body: text,
+        });
+    }
+    if (res.status === 204)
+        return undefined;
+    return (await res.json());
+}
+export function createStackAccountAuthAdapter(opts = {}) {
+    const base = opts.baseUrl ?? "/api/account";
+    const doFetch = resolveFetch(opts);
+    return {
+        async register(input, ctx) {
+            const r = await postJson(doFetch, join(base, "/register"), input, ctx);
+            return r.data;
+        },
+        async login(input, ctx) {
+            const r = await postJson(doFetch, join(base, "/login"), input, ctx);
+            return r.data;
+        },
+        async logout(ctx) {
+            await requestJson(doFetch, join(base, "/logout"), { method: "POST" }, ctx);
+        },
+        oauthInitUrl(provider, options, _ctx) {
+            const qs = new URLSearchParams({ action: options.action });
+            if (options.redirect)
+                qs.set("redirect", options.redirect);
+            if (options.lang)
+                qs.set("lang", options.lang);
+            return `${join(base, `/oauth/${provider}/init`)}?${qs}`;
+        },
+        async resendVerification(input, ctx) {
+            await postJson(doFetch, join(base, "/verify/resend"), input, ctx);
+        },
+        async requestPasswordReset(input, ctx) {
+            await postJson(doFetch, join(base, "/password/reset"), input, ctx);
+        },
+        async changePassword(input, ctx) {
+            await postJson(doFetch, join(base, "/password/change"), input, ctx);
+        },
+        async deleteAccount(input, ctx) {
+            await requestJson(doFetch, join(base, "/me"), {
+                method: "DELETE",
+                body: JSON.stringify(input),
+            }, ctx);
+            return { deleted: true };
+        },
+    };
+}
+export function createStackAccountProfileAdapter(opts = {}) {
+    const base = opts.baseUrl ?? "/api/account";
+    const doFetch = resolveFetch(opts);
+    return {
+        async get(ctx) {
+            const r = await requestJson(doFetch, join(base, "/me"), { method: "GET" }, ctx);
+            return r.data;
+        },
+        async update(input, ctx) {
+            const r = await requestJson(doFetch, join(base, "/me"), {
+                method: "PUT",
+                body: JSON.stringify(input),
+            }, ctx);
+            return r.data;
+        },
+        async listOAuth(ctx) {
+            const r = await requestJson(doFetch, join(base, "/me/oauth"), { method: "GET" }, ctx);
+            return r.data ?? [];
+        },
+        async unlinkOAuth(provider, ctx) {
+            await requestJson(doFetch, join(base, `/me/oauth/${provider}`), { method: "DELETE" }, ctx);
+        },
+    };
+}

package/dist/domains/auth.d.ts

@@ -0,0 +1,85 @@
+/**
+ * @module domains/auth
+ *
+ * AuthManager — verbs for the account lifecycle. Holds no state of its own:
+ *   - credentials flow through to the adapter,
+ *   - server responses are piped into the SessionManager,
+ *   - successful session changes trigger a refresh of owner-scoped domains
+ *     via a caller-supplied `switchIdentity` hook.
+ *
+ * Non-goals (explicit): password strength UI, form validation, rendering,
+ * i18n strings, CSRF/PKCE (server-side), refresh-token rotation, cookie
+ * management.
+ */
+import { type PubSub } from "@marianmeres/pubsub";
+import type { AuthActionOptions, AuthAdapter, AuthTokenResult, OAuthInitOptions, OAuthProvider, OwnsuiteContext, ProfileAdapter } from "../types/mod.js";
+import type { SessionManager } from "./session.js";
+import type { ProfileManager } from "./profile.js";
+export interface AuthManagerOptions {
+    adapter: AuthAdapter;
+    session: SessionManager;
+    /** Profile manager — auth hydrates the session subject from `/me`
+     *  immediately after login so subscribers see roles/isVerified/etc.
+     *  without a second await. */
+    profile: ProfileManager;
+    pubsub?: PubSub;
+    /** Called after a successful identity change (register/login/OAuth
+     *  login/logout). The orchestrator wires this to reset + re-init every
+     *  owner-scoped domain with the fresh context. */
+    onIdentityChanged?: (ctx: OwnsuiteContext) => Promise<void> | void;
+    /** Also passed into adapter calls (correlation id, feature flags, etc.).
+     *  The JWT + signal are added per-op by the manager. */
+    context?: OwnsuiteContext;
+    /** When the adapter provides a profile adapter explicitly, we pass it
+     *  through to resolving the subject. Kept optional for mock-driven
+     *  tests that don't need a separate profile fetch. */
+    profileAdapter?: ProfileAdapter;
+}
+export declare class AuthManager {
+    #private;
+    constructor(options: AuthManagerOptions);
+    setContext(ctx: OwnsuiteContext): void;
+    replaceContext(ctx: OwnsuiteContext): void;
+    register(input: {
+        email: string;
+        password: string;
+        password_confirm: string;
+        roles?: string[];
+        extras?: Record<string, unknown>;
+    }, options?: AuthActionOptions): Promise<AuthTokenResult>;
+    login(input: {
+        email: string;
+        password: string;
+    }, options?: AuthActionOptions): Promise<AuthTokenResult>;
+    logout(): Promise<void>;
+    resendVerification(input: {
+        email: string;
+        lang?: string;
+    }): Promise<void>;
+    requestPasswordReset(input: {
+        email: string;
+        lang?: string;
+    }): Promise<void>;
+    changePassword(input: {
+        current_password?: string;
+        new_password: string;
+        confirm_password: string;
+        token?: string;
+    }): Promise<void>;
+    deleteAccount(input: {
+        password?: string;
+        confirm?: boolean;
+    }): Promise<void>;
+    /**
+     * Begin an OAuth flow. Returns:
+     *   - For popup mode: a Promise that resolves when the popup posts back
+     *     an auth result.
+     *   - For redirect mode: nothing useful; the top window navigates away.
+     */
+    initiateOAuth(provider: OAuthProvider, opts: OAuthInitOptions): Promise<AuthTokenResult | void>;
+    /** For the redirect-mode callback page: delegate to the adapter if
+     *  available to extract the result from the current URL/page state.
+     *  `options.remember` pins the resulting session to local/session
+     *  storage — pass the same value the user picked before the redirect. */
+    handleOAuthCallback(options?: AuthActionOptions): Promise<AuthTokenResult | void>;
+}