@memberjunction/server 5.38.0 → 5.40.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +67 -0
- package/dist/apolloServer/index.d.ts +0 -8
- package/dist/apolloServer/index.d.ts.map +1 -1
- package/dist/apolloServer/index.js +61 -0
- package/dist/apolloServer/index.js.map +1 -1
- package/dist/auth/index.js +1 -1
- package/dist/auth/index.js.map +1 -1
- package/dist/auth/magicLink/MagicLinkKeys.d.ts +58 -0
- package/dist/auth/magicLink/MagicLinkKeys.d.ts.map +1 -0
- package/dist/auth/magicLink/MagicLinkKeys.js +99 -0
- package/dist/auth/magicLink/MagicLinkKeys.js.map +1 -0
- package/dist/auth/magicLink/MagicLinkRouter.d.ts +33 -0
- package/dist/auth/magicLink/MagicLinkRouter.d.ts.map +1 -0
- package/dist/auth/magicLink/MagicLinkRouter.js +184 -0
- package/dist/auth/magicLink/MagicLinkRouter.js.map +1 -0
- package/dist/auth/magicLink/MagicLinkService.d.ts +123 -0
- package/dist/auth/magicLink/MagicLinkService.d.ts.map +1 -0
- package/dist/auth/magicLink/MagicLinkService.js +605 -0
- package/dist/auth/magicLink/MagicLinkService.js.map +1 -0
- package/dist/auth/magicLink/index.d.ts +6 -0
- package/dist/auth/magicLink/index.d.ts.map +1 -0
- package/dist/auth/magicLink/index.js +6 -0
- package/dist/auth/magicLink/index.js.map +1 -0
- package/dist/auth/magicLink/magicLinkCore.d.ts +82 -0
- package/dist/auth/magicLink/magicLinkCore.d.ts.map +1 -0
- package/dist/auth/magicLink/magicLinkCore.js +164 -0
- package/dist/auth/magicLink/magicLinkCore.js.map +1 -0
- package/dist/auth/magicLink/redeemLanding.d.ts +22 -0
- package/dist/auth/magicLink/redeemLanding.d.ts.map +1 -0
- package/dist/auth/magicLink/redeemLanding.js +61 -0
- package/dist/auth/magicLink/redeemLanding.js.map +1 -0
- package/dist/auth/magicLink/types.d.ts +131 -0
- package/dist/auth/magicLink/types.d.ts.map +1 -0
- package/dist/auth/magicLink/types.js +6 -0
- package/dist/auth/magicLink/types.js.map +1 -0
- package/dist/config.d.ts +479 -0
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +84 -0
- package/dist/config.js.map +1 -1
- package/dist/context.d.ts.map +1 -1
- package/dist/context.js +223 -19
- package/dist/context.js.map +1 -1
- package/dist/generated/generated.d.ts +952 -4
- package/dist/generated/generated.d.ts.map +1 -1
- package/dist/generated/generated.js +25663 -20321
- package/dist/generated/generated.js.map +1 -1
- package/dist/generic/FireAndForgetHeartbeat.d.ts +51 -0
- package/dist/generic/FireAndForgetHeartbeat.d.ts.map +1 -0
- package/dist/generic/FireAndForgetHeartbeat.js +44 -0
- package/dist/generic/FireAndForgetHeartbeat.js.map +1 -0
- package/dist/generic/ResolverBase.d.ts.map +1 -1
- package/dist/generic/ResolverBase.js +35 -7
- package/dist/generic/ResolverBase.js.map +1 -1
- package/dist/index.d.ts +5 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +145 -2
- package/dist/index.js.map +1 -1
- package/dist/logging/NoLog.d.ts +50 -0
- package/dist/logging/NoLog.d.ts.map +1 -0
- package/dist/logging/NoLog.js +80 -0
- package/dist/logging/NoLog.js.map +1 -0
- package/dist/logging/bootAudit.d.ts +43 -0
- package/dist/logging/bootAudit.d.ts.map +1 -0
- package/dist/logging/bootAudit.js +83 -0
- package/dist/logging/bootAudit.js.map +1 -0
- package/dist/logging/boundaryLogPayload.d.ts +18 -0
- package/dist/logging/boundaryLogPayload.d.ts.map +1 -0
- package/dist/logging/boundaryLogPayload.js +18 -0
- package/dist/logging/boundaryLogPayload.js.map +1 -0
- package/dist/logging/secretRedactor.d.ts +23 -0
- package/dist/logging/secretRedactor.d.ts.map +1 -0
- package/dist/logging/secretRedactor.js +53 -0
- package/dist/logging/secretRedactor.js.map +1 -0
- package/dist/logging/shortenForLog.d.ts +8 -0
- package/dist/logging/shortenForLog.d.ts.map +1 -0
- package/dist/logging/shortenForLog.js +21 -0
- package/dist/logging/shortenForLog.js.map +1 -0
- package/dist/logging/variablesLoggingMiddleware.d.ts +22 -0
- package/dist/logging/variablesLoggingMiddleware.d.ts.map +1 -0
- package/dist/logging/variablesLoggingMiddleware.js +127 -0
- package/dist/logging/variablesLoggingMiddleware.js.map +1 -0
- package/dist/resolvers/CurrentUserContextResolver.d.ts +9 -3
- package/dist/resolvers/CurrentUserContextResolver.d.ts.map +1 -1
- package/dist/resolvers/CurrentUserContextResolver.js +19 -5
- package/dist/resolvers/CurrentUserContextResolver.js.map +1 -1
- package/dist/resolvers/EntityResolver.d.ts.map +1 -1
- package/dist/resolvers/EntityResolver.js +13 -2
- package/dist/resolvers/EntityResolver.js.map +1 -1
- package/dist/resolvers/GenerateSeedTaxonomyResolver.d.ts +28 -0
- package/dist/resolvers/GenerateSeedTaxonomyResolver.d.ts.map +1 -0
- package/dist/resolvers/GenerateSeedTaxonomyResolver.js +100 -0
- package/dist/resolvers/GenerateSeedTaxonomyResolver.js.map +1 -0
- package/dist/resolvers/GetDataResolver.d.ts.map +1 -1
- package/dist/resolvers/GetDataResolver.js +8 -4
- package/dist/resolvers/GetDataResolver.js.map +1 -1
- package/dist/resolvers/IntegrationDiscoveryResolver.d.ts +259 -2
- package/dist/resolvers/IntegrationDiscoveryResolver.d.ts.map +1 -1
- package/dist/resolvers/IntegrationDiscoveryResolver.js +1276 -117
- package/dist/resolvers/IntegrationDiscoveryResolver.js.map +1 -1
- package/dist/resolvers/IntegrationProgressResolver.d.ts +90 -0
- package/dist/resolvers/IntegrationProgressResolver.d.ts.map +1 -0
- package/dist/resolvers/IntegrationProgressResolver.js +196 -0
- package/dist/resolvers/IntegrationProgressResolver.js.map +1 -0
- package/dist/resolvers/MCPResolver.d.ts.map +1 -1
- package/dist/resolvers/MCPResolver.js +19 -14
- package/dist/resolvers/MCPResolver.js.map +1 -1
- package/dist/resolvers/RunAIAgentResolver.d.ts.map +1 -1
- package/dist/resolvers/RunAIAgentResolver.js +26 -5
- package/dist/resolvers/RunAIAgentResolver.js.map +1 -1
- package/dist/resolvers/RunClusterAnalysisResolver.d.ts +74 -0
- package/dist/resolvers/RunClusterAnalysisResolver.d.ts.map +1 -0
- package/dist/resolvers/RunClusterAnalysisResolver.js +243 -0
- package/dist/resolvers/RunClusterAnalysisResolver.js.map +1 -0
- package/dist/resolvers/RunTestResolver.d.ts.map +1 -1
- package/dist/resolvers/RunTestResolver.js +12 -2
- package/dist/resolvers/RunTestResolver.js.map +1 -1
- package/dist/resolvers/SearchEntitiesResolver.d.ts +46 -0
- package/dist/resolvers/SearchEntitiesResolver.d.ts.map +1 -0
- package/dist/resolvers/SearchEntitiesResolver.js +216 -0
- package/dist/resolvers/SearchEntitiesResolver.js.map +1 -0
- package/dist/resolvers/UserResolver.d.ts +16 -2
- package/dist/resolvers/UserResolver.d.ts.map +1 -1
- package/dist/resolvers/UserResolver.js +45 -2
- package/dist/resolvers/UserResolver.js.map +1 -1
- package/dist/resolvers/VectorizeEntityResolver.d.ts.map +1 -1
- package/dist/resolvers/VectorizeEntityResolver.js +14 -1
- package/dist/resolvers/VectorizeEntityResolver.js.map +1 -1
- package/dist/rest/SignatureWebhookHandler.d.ts +19 -0
- package/dist/rest/SignatureWebhookHandler.d.ts.map +1 -0
- package/dist/rest/SignatureWebhookHandler.js +86 -0
- package/dist/rest/SignatureWebhookHandler.js.map +1 -0
- package/dist/services/ScheduledJobsService.d.ts.map +1 -1
- package/dist/services/ScheduledJobsService.js +14 -2
- package/dist/services/ScheduledJobsService.js.map +1 -1
- package/package.json +79 -74
- package/src/__tests__/NoLog.test.ts +76 -0
- package/src/__tests__/bootAudit.test.ts +188 -0
- package/src/__tests__/boundaryLogPayload.test.ts +31 -0
- package/src/__tests__/getDataTokenRedaction.test.ts +84 -0
- package/src/__tests__/magicLink.test.ts +387 -0
- package/src/__tests__/secretRedactor.test.ts +163 -0
- package/src/__tests__/subscriptionRedaction.test.ts +217 -0
- package/src/apolloServer/index.ts +58 -0
- package/src/auth/index.ts +2 -2
- package/src/auth/magicLink/MagicLinkKeys.ts +122 -0
- package/src/auth/magicLink/MagicLinkRouter.ts +209 -0
- package/src/auth/magicLink/MagicLinkService.ts +724 -0
- package/src/auth/magicLink/index.ts +17 -0
- package/src/auth/magicLink/magicLinkCore.ts +216 -0
- package/src/auth/magicLink/redeemLanding.ts +62 -0
- package/src/auth/magicLink/types.ts +137 -0
- package/src/config.ts +89 -0
- package/src/context.ts +249 -17
- package/src/generated/generated.ts +12528 -8866
- package/src/generic/FireAndForgetHeartbeat.ts +85 -0
- package/src/generic/ResolverBase.ts +35 -7
- package/src/generic/__tests__/FireAndForgetHeartbeat.test.ts +99 -0
- package/src/index.ts +165 -2
- package/src/logging/NoLog.ts +88 -0
- package/src/logging/bootAudit.ts +117 -0
- package/src/logging/boundaryLogPayload.ts +19 -0
- package/src/logging/secretRedactor.ts +82 -0
- package/src/logging/shortenForLog.ts +17 -0
- package/src/logging/variablesLoggingMiddleware.ts +191 -0
- package/src/resolvers/CurrentUserContextResolver.ts +21 -5
- package/src/resolvers/EntityResolver.ts +17 -5
- package/src/resolvers/GenerateSeedTaxonomyResolver.ts +90 -0
- package/src/resolvers/GetDataResolver.ts +9 -5
- package/src/resolvers/IntegrationDiscoveryResolver.ts +1111 -120
- package/src/resolvers/IntegrationProgressResolver.ts +220 -0
- package/src/resolvers/MCPResolver.ts +18 -14
- package/src/resolvers/RunAIAgentResolver.ts +28 -5
- package/src/resolvers/RunClusterAnalysisResolver.ts +249 -0
- package/src/resolvers/RunTestResolver.ts +14 -2
- package/src/resolvers/SearchEntitiesResolver.ts +173 -0
- package/src/resolvers/UserResolver.ts +38 -2
- package/src/resolvers/VectorizeEntityResolver.ts +14 -1
- package/src/resolvers/__tests__/IntegrationProgressResolver.test.ts +170 -0
- package/src/rest/SignatureWebhookHandler.ts +103 -0
- package/src/services/ScheduledJobsService.ts +15 -2
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Imperative shell for magic links: invite creation, redemption,
|
|
3
|
+
* user provisioning, and session-token minting. The pure logic lives in
|
|
4
|
+
* `magicLinkCore.ts`; this module wires it to the DB, key manager, and
|
|
5
|
+
* communication engine.
|
|
6
|
+
*
|
|
7
|
+
* @module @memberjunction/server/auth/magicLink
|
|
8
|
+
*/
|
|
9
|
+
import { UserInfo, type IMetadataProvider } from '@memberjunction/core';
|
|
10
|
+
import { type MagicLinkConfig } from '../../config.js';
|
|
11
|
+
import type { CreateMagicLinkInviteParams, CreateMagicLinkInviteResult, RedeemMagicLinkResult, RedeemAuditContext } from './types.js';
|
|
12
|
+
/**
|
|
13
|
+
* Magic-link service. One instance per server, constructed with the resolved
|
|
14
|
+
* public URL and the validated config.
|
|
15
|
+
*/
|
|
16
|
+
export declare class MagicLinkService {
|
|
17
|
+
private readonly publicUrl;
|
|
18
|
+
private readonly config;
|
|
19
|
+
constructor(publicUrl: string, config: MagicLinkConfig);
|
|
20
|
+
/**
|
|
21
|
+
* Creates a single-use, app-scoped invite, persists its hashed token, and
|
|
22
|
+
* (when a communication provider is configured) emails the link.
|
|
23
|
+
*
|
|
24
|
+
* @param params invite parameters
|
|
25
|
+
* @param creatingUser the authenticated internal user issuing the invite
|
|
26
|
+
* @param provider the request's metadata provider; falls back to the global default
|
|
27
|
+
*/
|
|
28
|
+
CreateInvite(params: CreateMagicLinkInviteParams, creatingUser: UserInfo, provider?: IMetadataProvider): Promise<CreateMagicLinkInviteResult>;
|
|
29
|
+
/**
|
|
30
|
+
* Redeems a raw token: validates the invite, atomically consumes one use,
|
|
31
|
+
* provisions/links the user with the restricted role + app, and mints a
|
|
32
|
+
* session JWT. Runs in the public (pre-auth) path, so it uses the global
|
|
33
|
+
* provider and a configured provisioning context user.
|
|
34
|
+
*
|
|
35
|
+
* Single-use is enforced by a compare-and-swap UPDATE ({@link consumeInvite})
|
|
36
|
+
* BEFORE the token is minted — two concurrent redemptions of a single-use
|
|
37
|
+
* link race on the same row and exactly one wins. The consume is the gate:
|
|
38
|
+
* if a later step fails, the use is already burned (fail-closed). That is the
|
|
39
|
+
* correct trade-off for a single-use credential — burning a token on a server
|
|
40
|
+
* error is recoverable (re-issue); allowing replay is not.
|
|
41
|
+
*/
|
|
42
|
+
RedeemInvite(rawToken: string, audit?: RedeemAuditContext): Promise<RedeemMagicLinkResult>;
|
|
43
|
+
/**
|
|
44
|
+
* Writes one MagicLinkRedemption audit row for a redemption attempt. Best-effort:
|
|
45
|
+
* a failure here is logged but never fails the redemption (the user already has,
|
|
46
|
+
* or has been denied, their session — losing an audit row must not change that).
|
|
47
|
+
*
|
|
48
|
+
* InviteID/ProvisionedUserID are null when the attempt didn't get far enough to
|
|
49
|
+
* resolve them (e.g. a malformed or unknown token — exactly the scan/brute-force
|
|
50
|
+
* signal we want recorded). IP/User-Agent/Origin are stored as supplied by the
|
|
51
|
+
* router per the deployment's audit policy.
|
|
52
|
+
*/
|
|
53
|
+
private recordRedemption;
|
|
54
|
+
/**
|
|
55
|
+
* Writes the Phase-2 multi-scope child rows (one application + one role) that
|
|
56
|
+
* mirror the invite's single ApplicationID/RoleID. The columns remain the
|
|
57
|
+
* source of truth for redemption today; these rows pre-stage the data for the
|
|
58
|
+
* eventual switch to multi-scope reads, avoiding a breaking migration later.
|
|
59
|
+
* Best-effort: a child-write failure is logged but does not fail invite
|
|
60
|
+
* issuance (the columns alone keep the one-of-each flow working).
|
|
61
|
+
*/
|
|
62
|
+
private writeInviteScopeChildRows;
|
|
63
|
+
/** Resolves the configured restricted role's ID, if present. */
|
|
64
|
+
private resolveRestrictedRoleId;
|
|
65
|
+
/** Builds the shareable redemption URL. */
|
|
66
|
+
private buildRedemptionUrl;
|
|
67
|
+
/**
|
|
68
|
+
* Provisions the redeeming user: finds them by email or creates them, then
|
|
69
|
+
* ensures the restricted role and the single app assignment exist.
|
|
70
|
+
*/
|
|
71
|
+
private provisionUser;
|
|
72
|
+
/**
|
|
73
|
+
* Resolves the shared Anonymous principal for an anonymous-mode redemption. This
|
|
74
|
+
* principal is an ATTRIBUTION ANCHOR only — it holds no scenario roles and gets no
|
|
75
|
+
* UserRole/UserApplication rows here, so concurrent anon visitors can never accrete
|
|
76
|
+
* scope onto a shared identity. Their actual scope lives in the per-session JWT
|
|
77
|
+
* claims (mj_scopes) and is enforced claims-side. Fail-closed if the principal was
|
|
78
|
+
* never seeded (the Phase-4 migration is required).
|
|
79
|
+
*/
|
|
80
|
+
private resolveAnonymousPrincipal;
|
|
81
|
+
/**
|
|
82
|
+
* True if an existing account is "protected" from magic-link provisioning: an
|
|
83
|
+
* Owner, or a user holding any role OUTSIDE the set of roles magic-link may
|
|
84
|
+
* legitimately grant. That allowed set is: the configured restricted role, the
|
|
85
|
+
* deployment's `grantableRoleNames`, AND the role THIS invite grants. So a prior
|
|
86
|
+
* magic-link guest holding only magic-link-grantable roles (e.g. the invite's own
|
|
87
|
+
* granted role) is NOT protected — re-redeeming a multi-use link is the intended
|
|
88
|
+
* flow. A user holding e.g. Developer/Admin is still protected and blocked.
|
|
89
|
+
*
|
|
90
|
+
* @param user the existing account being re-provisioned
|
|
91
|
+
* @param invitedRoleName the role name this invite grants
|
|
92
|
+
*/
|
|
93
|
+
private isProtectedAccount;
|
|
94
|
+
/** Creates a new user with exactly the restricted role + single app, transactionally. */
|
|
95
|
+
private createScopedUser;
|
|
96
|
+
/** Idempotently ensures an existing user has the given role and app assignment. */
|
|
97
|
+
private ensureRoleAndApp;
|
|
98
|
+
/** Idempotently ensures the role has CanAccess to the application (Application Role). */
|
|
99
|
+
private ensureAppAccess;
|
|
100
|
+
/**
|
|
101
|
+
* Atomically consumes one use of the invite via a compare-and-swap UPDATE.
|
|
102
|
+
* The WHERE clause re-checks every eligibility condition (Active, not
|
|
103
|
+
* exhausted, not expired) at the DB level, so the increment and the guard are
|
|
104
|
+
* a single atomic operation. Returns true ONLY when this call updated the row
|
|
105
|
+
* (won the race); concurrent redemptions of a single-use link see 0 rows.
|
|
106
|
+
*
|
|
107
|
+
* Fail-closed: any DB error returns false and the redemption is rejected.
|
|
108
|
+
*/
|
|
109
|
+
private consumeInvite;
|
|
110
|
+
/** Pushes a freshly created user into the UserCache with its single role. */
|
|
111
|
+
private pushUserToCache;
|
|
112
|
+
/**
|
|
113
|
+
* True iff the invite's creator resolves to a still-active user. Used to
|
|
114
|
+
* fail-closed at redeem time so a deactivated/removed inviter's outstanding
|
|
115
|
+
* links stop working. A missing/blank CreatedByUserID is treated as inactive.
|
|
116
|
+
*/
|
|
117
|
+
private isInviterActive;
|
|
118
|
+
/** Resolves the user whose context provisions magic-link users. */
|
|
119
|
+
private resolveProvisioningContextUser;
|
|
120
|
+
/** Sends the invite email via the configured communication provider. Best-effort. */
|
|
121
|
+
private sendInviteEmail;
|
|
122
|
+
}
|
|
123
|
+
//# sourceMappingURL=MagicLinkService.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"MagicLinkService.d.ts","sourceRoot":"","sources":["../../../src/auth/magicLink/MagicLinkService.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAGL,QAAQ,EAIR,KAAK,iBAAiB,EAEvB,MAAM,sBAAsB,CAAC;AAgB9B,OAAO,EAAc,KAAK,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAGnE,OAAO,KAAK,EACV,2BAA2B,EAC3B,2BAA2B,EAC3B,qBAAqB,EACrB,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAkBpB;;;GAGG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,MAAM;gBADN,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,eAAe;IAG1C;;;;;;;OAOG;IACU,YAAY,CACvB,MAAM,EAAE,2BAA2B,EACnC,YAAY,EAAE,QAAQ,EACtB,QAAQ,CAAC,EAAE,iBAAiB,GAC3B,OAAO,CAAC,2BAA2B,CAAC;IAsFvC;;;;;;;;;;;;OAYG;IACU,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAmIvG;;;;;;;;;OASG;YACW,gBAAgB;IAoC9B;;;;;;;OAOG;YACW,yBAAyB;IA4BvC,gEAAgE;IAChE,OAAO,CAAC,uBAAuB;IAM/B,2CAA2C;IAC3C,OAAO,CAAC,kBAAkB;IAK1B;;;OAGG;YACW,aAAa;IAgD3B;;;;;;;OAOG;IACH,OAAO,CAAC,yBAAyB;IASjC;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,kBAAkB;IAY1B,yFAAyF;YAC3E,gBAAgB;IA2D9B,mFAAmF;YACrE,gBAAgB;IA4C9B,yFAAyF;YAC3E,eAAe;IA6B7B;;;;;;;;OAQG;YACW,aAAa;IAkB3B,6EAA6E;IAC7E,OAAO,CAAC,eAAe;IAOvB;;;;OAIG;IACH,OAAO,CAAC,eAAe;IAQvB,mEAAmE;IACnE,OAAO,CAAC,8BAA8B;IAYtC,qFAAqF;YACvE,eAAe;CA0B9B"}
|