@memberjunction/server 5.38.0 → 5.40.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (180) hide show
  1. package/README.md +67 -0
  2. package/dist/apolloServer/index.d.ts +0 -8
  3. package/dist/apolloServer/index.d.ts.map +1 -1
  4. package/dist/apolloServer/index.js +61 -0
  5. package/dist/apolloServer/index.js.map +1 -1
  6. package/dist/auth/index.js +1 -1
  7. package/dist/auth/index.js.map +1 -1
  8. package/dist/auth/magicLink/MagicLinkKeys.d.ts +58 -0
  9. package/dist/auth/magicLink/MagicLinkKeys.d.ts.map +1 -0
  10. package/dist/auth/magicLink/MagicLinkKeys.js +99 -0
  11. package/dist/auth/magicLink/MagicLinkKeys.js.map +1 -0
  12. package/dist/auth/magicLink/MagicLinkRouter.d.ts +33 -0
  13. package/dist/auth/magicLink/MagicLinkRouter.d.ts.map +1 -0
  14. package/dist/auth/magicLink/MagicLinkRouter.js +184 -0
  15. package/dist/auth/magicLink/MagicLinkRouter.js.map +1 -0
  16. package/dist/auth/magicLink/MagicLinkService.d.ts +123 -0
  17. package/dist/auth/magicLink/MagicLinkService.d.ts.map +1 -0
  18. package/dist/auth/magicLink/MagicLinkService.js +605 -0
  19. package/dist/auth/magicLink/MagicLinkService.js.map +1 -0
  20. package/dist/auth/magicLink/index.d.ts +6 -0
  21. package/dist/auth/magicLink/index.d.ts.map +1 -0
  22. package/dist/auth/magicLink/index.js +6 -0
  23. package/dist/auth/magicLink/index.js.map +1 -0
  24. package/dist/auth/magicLink/magicLinkCore.d.ts +82 -0
  25. package/dist/auth/magicLink/magicLinkCore.d.ts.map +1 -0
  26. package/dist/auth/magicLink/magicLinkCore.js +164 -0
  27. package/dist/auth/magicLink/magicLinkCore.js.map +1 -0
  28. package/dist/auth/magicLink/redeemLanding.d.ts +22 -0
  29. package/dist/auth/magicLink/redeemLanding.d.ts.map +1 -0
  30. package/dist/auth/magicLink/redeemLanding.js +61 -0
  31. package/dist/auth/magicLink/redeemLanding.js.map +1 -0
  32. package/dist/auth/magicLink/types.d.ts +131 -0
  33. package/dist/auth/magicLink/types.d.ts.map +1 -0
  34. package/dist/auth/magicLink/types.js +6 -0
  35. package/dist/auth/magicLink/types.js.map +1 -0
  36. package/dist/config.d.ts +479 -0
  37. package/dist/config.d.ts.map +1 -1
  38. package/dist/config.js +84 -0
  39. package/dist/config.js.map +1 -1
  40. package/dist/context.d.ts.map +1 -1
  41. package/dist/context.js +223 -19
  42. package/dist/context.js.map +1 -1
  43. package/dist/generated/generated.d.ts +952 -4
  44. package/dist/generated/generated.d.ts.map +1 -1
  45. package/dist/generated/generated.js +25663 -20321
  46. package/dist/generated/generated.js.map +1 -1
  47. package/dist/generic/FireAndForgetHeartbeat.d.ts +51 -0
  48. package/dist/generic/FireAndForgetHeartbeat.d.ts.map +1 -0
  49. package/dist/generic/FireAndForgetHeartbeat.js +44 -0
  50. package/dist/generic/FireAndForgetHeartbeat.js.map +1 -0
  51. package/dist/generic/ResolverBase.d.ts.map +1 -1
  52. package/dist/generic/ResolverBase.js +35 -7
  53. package/dist/generic/ResolverBase.js.map +1 -1
  54. package/dist/index.d.ts +5 -0
  55. package/dist/index.d.ts.map +1 -1
  56. package/dist/index.js +145 -2
  57. package/dist/index.js.map +1 -1
  58. package/dist/logging/NoLog.d.ts +50 -0
  59. package/dist/logging/NoLog.d.ts.map +1 -0
  60. package/dist/logging/NoLog.js +80 -0
  61. package/dist/logging/NoLog.js.map +1 -0
  62. package/dist/logging/bootAudit.d.ts +43 -0
  63. package/dist/logging/bootAudit.d.ts.map +1 -0
  64. package/dist/logging/bootAudit.js +83 -0
  65. package/dist/logging/bootAudit.js.map +1 -0
  66. package/dist/logging/boundaryLogPayload.d.ts +18 -0
  67. package/dist/logging/boundaryLogPayload.d.ts.map +1 -0
  68. package/dist/logging/boundaryLogPayload.js +18 -0
  69. package/dist/logging/boundaryLogPayload.js.map +1 -0
  70. package/dist/logging/secretRedactor.d.ts +23 -0
  71. package/dist/logging/secretRedactor.d.ts.map +1 -0
  72. package/dist/logging/secretRedactor.js +53 -0
  73. package/dist/logging/secretRedactor.js.map +1 -0
  74. package/dist/logging/shortenForLog.d.ts +8 -0
  75. package/dist/logging/shortenForLog.d.ts.map +1 -0
  76. package/dist/logging/shortenForLog.js +21 -0
  77. package/dist/logging/shortenForLog.js.map +1 -0
  78. package/dist/logging/variablesLoggingMiddleware.d.ts +22 -0
  79. package/dist/logging/variablesLoggingMiddleware.d.ts.map +1 -0
  80. package/dist/logging/variablesLoggingMiddleware.js +127 -0
  81. package/dist/logging/variablesLoggingMiddleware.js.map +1 -0
  82. package/dist/resolvers/CurrentUserContextResolver.d.ts +9 -3
  83. package/dist/resolvers/CurrentUserContextResolver.d.ts.map +1 -1
  84. package/dist/resolvers/CurrentUserContextResolver.js +19 -5
  85. package/dist/resolvers/CurrentUserContextResolver.js.map +1 -1
  86. package/dist/resolvers/EntityResolver.d.ts.map +1 -1
  87. package/dist/resolvers/EntityResolver.js +13 -2
  88. package/dist/resolvers/EntityResolver.js.map +1 -1
  89. package/dist/resolvers/GenerateSeedTaxonomyResolver.d.ts +28 -0
  90. package/dist/resolvers/GenerateSeedTaxonomyResolver.d.ts.map +1 -0
  91. package/dist/resolvers/GenerateSeedTaxonomyResolver.js +100 -0
  92. package/dist/resolvers/GenerateSeedTaxonomyResolver.js.map +1 -0
  93. package/dist/resolvers/GetDataResolver.d.ts.map +1 -1
  94. package/dist/resolvers/GetDataResolver.js +8 -4
  95. package/dist/resolvers/GetDataResolver.js.map +1 -1
  96. package/dist/resolvers/IntegrationDiscoveryResolver.d.ts +259 -2
  97. package/dist/resolvers/IntegrationDiscoveryResolver.d.ts.map +1 -1
  98. package/dist/resolvers/IntegrationDiscoveryResolver.js +1276 -117
  99. package/dist/resolvers/IntegrationDiscoveryResolver.js.map +1 -1
  100. package/dist/resolvers/IntegrationProgressResolver.d.ts +90 -0
  101. package/dist/resolvers/IntegrationProgressResolver.d.ts.map +1 -0
  102. package/dist/resolvers/IntegrationProgressResolver.js +196 -0
  103. package/dist/resolvers/IntegrationProgressResolver.js.map +1 -0
  104. package/dist/resolvers/MCPResolver.d.ts.map +1 -1
  105. package/dist/resolvers/MCPResolver.js +19 -14
  106. package/dist/resolvers/MCPResolver.js.map +1 -1
  107. package/dist/resolvers/RunAIAgentResolver.d.ts.map +1 -1
  108. package/dist/resolvers/RunAIAgentResolver.js +26 -5
  109. package/dist/resolvers/RunAIAgentResolver.js.map +1 -1
  110. package/dist/resolvers/RunClusterAnalysisResolver.d.ts +74 -0
  111. package/dist/resolvers/RunClusterAnalysisResolver.d.ts.map +1 -0
  112. package/dist/resolvers/RunClusterAnalysisResolver.js +243 -0
  113. package/dist/resolvers/RunClusterAnalysisResolver.js.map +1 -0
  114. package/dist/resolvers/RunTestResolver.d.ts.map +1 -1
  115. package/dist/resolvers/RunTestResolver.js +12 -2
  116. package/dist/resolvers/RunTestResolver.js.map +1 -1
  117. package/dist/resolvers/SearchEntitiesResolver.d.ts +46 -0
  118. package/dist/resolvers/SearchEntitiesResolver.d.ts.map +1 -0
  119. package/dist/resolvers/SearchEntitiesResolver.js +216 -0
  120. package/dist/resolvers/SearchEntitiesResolver.js.map +1 -0
  121. package/dist/resolvers/UserResolver.d.ts +16 -2
  122. package/dist/resolvers/UserResolver.d.ts.map +1 -1
  123. package/dist/resolvers/UserResolver.js +45 -2
  124. package/dist/resolvers/UserResolver.js.map +1 -1
  125. package/dist/resolvers/VectorizeEntityResolver.d.ts.map +1 -1
  126. package/dist/resolvers/VectorizeEntityResolver.js +14 -1
  127. package/dist/resolvers/VectorizeEntityResolver.js.map +1 -1
  128. package/dist/rest/SignatureWebhookHandler.d.ts +19 -0
  129. package/dist/rest/SignatureWebhookHandler.d.ts.map +1 -0
  130. package/dist/rest/SignatureWebhookHandler.js +86 -0
  131. package/dist/rest/SignatureWebhookHandler.js.map +1 -0
  132. package/dist/services/ScheduledJobsService.d.ts.map +1 -1
  133. package/dist/services/ScheduledJobsService.js +14 -2
  134. package/dist/services/ScheduledJobsService.js.map +1 -1
  135. package/package.json +79 -74
  136. package/src/__tests__/NoLog.test.ts +76 -0
  137. package/src/__tests__/bootAudit.test.ts +188 -0
  138. package/src/__tests__/boundaryLogPayload.test.ts +31 -0
  139. package/src/__tests__/getDataTokenRedaction.test.ts +84 -0
  140. package/src/__tests__/magicLink.test.ts +387 -0
  141. package/src/__tests__/secretRedactor.test.ts +163 -0
  142. package/src/__tests__/subscriptionRedaction.test.ts +217 -0
  143. package/src/apolloServer/index.ts +58 -0
  144. package/src/auth/index.ts +2 -2
  145. package/src/auth/magicLink/MagicLinkKeys.ts +122 -0
  146. package/src/auth/magicLink/MagicLinkRouter.ts +209 -0
  147. package/src/auth/magicLink/MagicLinkService.ts +724 -0
  148. package/src/auth/magicLink/index.ts +17 -0
  149. package/src/auth/magicLink/magicLinkCore.ts +216 -0
  150. package/src/auth/magicLink/redeemLanding.ts +62 -0
  151. package/src/auth/magicLink/types.ts +137 -0
  152. package/src/config.ts +89 -0
  153. package/src/context.ts +249 -17
  154. package/src/generated/generated.ts +12528 -8866
  155. package/src/generic/FireAndForgetHeartbeat.ts +85 -0
  156. package/src/generic/ResolverBase.ts +35 -7
  157. package/src/generic/__tests__/FireAndForgetHeartbeat.test.ts +99 -0
  158. package/src/index.ts +165 -2
  159. package/src/logging/NoLog.ts +88 -0
  160. package/src/logging/bootAudit.ts +117 -0
  161. package/src/logging/boundaryLogPayload.ts +19 -0
  162. package/src/logging/secretRedactor.ts +82 -0
  163. package/src/logging/shortenForLog.ts +17 -0
  164. package/src/logging/variablesLoggingMiddleware.ts +191 -0
  165. package/src/resolvers/CurrentUserContextResolver.ts +21 -5
  166. package/src/resolvers/EntityResolver.ts +17 -5
  167. package/src/resolvers/GenerateSeedTaxonomyResolver.ts +90 -0
  168. package/src/resolvers/GetDataResolver.ts +9 -5
  169. package/src/resolvers/IntegrationDiscoveryResolver.ts +1111 -120
  170. package/src/resolvers/IntegrationProgressResolver.ts +220 -0
  171. package/src/resolvers/MCPResolver.ts +18 -14
  172. package/src/resolvers/RunAIAgentResolver.ts +28 -5
  173. package/src/resolvers/RunClusterAnalysisResolver.ts +249 -0
  174. package/src/resolvers/RunTestResolver.ts +14 -2
  175. package/src/resolvers/SearchEntitiesResolver.ts +173 -0
  176. package/src/resolvers/UserResolver.ts +38 -2
  177. package/src/resolvers/VectorizeEntityResolver.ts +14 -1
  178. package/src/resolvers/__tests__/IntegrationProgressResolver.test.ts +170 -0
  179. package/src/rest/SignatureWebhookHandler.ts +103 -0
  180. package/src/services/ScheduledJobsService.ts +15 -2
@@ -0,0 +1,123 @@
1
+ /**
2
+ * @fileoverview Imperative shell for magic links: invite creation, redemption,
3
+ * user provisioning, and session-token minting. The pure logic lives in
4
+ * `magicLinkCore.ts`; this module wires it to the DB, key manager, and
5
+ * communication engine.
6
+ *
7
+ * @module @memberjunction/server/auth/magicLink
8
+ */
9
+ import { UserInfo, type IMetadataProvider } from '@memberjunction/core';
10
+ import { type MagicLinkConfig } from '../../config.js';
11
+ import type { CreateMagicLinkInviteParams, CreateMagicLinkInviteResult, RedeemMagicLinkResult, RedeemAuditContext } from './types.js';
12
+ /**
13
+ * Magic-link service. One instance per server, constructed with the resolved
14
+ * public URL and the validated config.
15
+ */
16
+ export declare class MagicLinkService {
17
+ private readonly publicUrl;
18
+ private readonly config;
19
+ constructor(publicUrl: string, config: MagicLinkConfig);
20
+ /**
21
+ * Creates a single-use, app-scoped invite, persists its hashed token, and
22
+ * (when a communication provider is configured) emails the link.
23
+ *
24
+ * @param params invite parameters
25
+ * @param creatingUser the authenticated internal user issuing the invite
26
+ * @param provider the request's metadata provider; falls back to the global default
27
+ */
28
+ CreateInvite(params: CreateMagicLinkInviteParams, creatingUser: UserInfo, provider?: IMetadataProvider): Promise<CreateMagicLinkInviteResult>;
29
+ /**
30
+ * Redeems a raw token: validates the invite, atomically consumes one use,
31
+ * provisions/links the user with the restricted role + app, and mints a
32
+ * session JWT. Runs in the public (pre-auth) path, so it uses the global
33
+ * provider and a configured provisioning context user.
34
+ *
35
+ * Single-use is enforced by a compare-and-swap UPDATE ({@link consumeInvite})
36
+ * BEFORE the token is minted — two concurrent redemptions of a single-use
37
+ * link race on the same row and exactly one wins. The consume is the gate:
38
+ * if a later step fails, the use is already burned (fail-closed). That is the
39
+ * correct trade-off for a single-use credential — burning a token on a server
40
+ * error is recoverable (re-issue); allowing replay is not.
41
+ */
42
+ RedeemInvite(rawToken: string, audit?: RedeemAuditContext): Promise<RedeemMagicLinkResult>;
43
+ /**
44
+ * Writes one MagicLinkRedemption audit row for a redemption attempt. Best-effort:
45
+ * a failure here is logged but never fails the redemption (the user already has,
46
+ * or has been denied, their session — losing an audit row must not change that).
47
+ *
48
+ * InviteID/ProvisionedUserID are null when the attempt didn't get far enough to
49
+ * resolve them (e.g. a malformed or unknown token — exactly the scan/brute-force
50
+ * signal we want recorded). IP/User-Agent/Origin are stored as supplied by the
51
+ * router per the deployment's audit policy.
52
+ */
53
+ private recordRedemption;
54
+ /**
55
+ * Writes the Phase-2 multi-scope child rows (one application + one role) that
56
+ * mirror the invite's single ApplicationID/RoleID. The columns remain the
57
+ * source of truth for redemption today; these rows pre-stage the data for the
58
+ * eventual switch to multi-scope reads, avoiding a breaking migration later.
59
+ * Best-effort: a child-write failure is logged but does not fail invite
60
+ * issuance (the columns alone keep the one-of-each flow working).
61
+ */
62
+ private writeInviteScopeChildRows;
63
+ /** Resolves the configured restricted role's ID, if present. */
64
+ private resolveRestrictedRoleId;
65
+ /** Builds the shareable redemption URL. */
66
+ private buildRedemptionUrl;
67
+ /**
68
+ * Provisions the redeeming user: finds them by email or creates them, then
69
+ * ensures the restricted role and the single app assignment exist.
70
+ */
71
+ private provisionUser;
72
+ /**
73
+ * Resolves the shared Anonymous principal for an anonymous-mode redemption. This
74
+ * principal is an ATTRIBUTION ANCHOR only — it holds no scenario roles and gets no
75
+ * UserRole/UserApplication rows here, so concurrent anon visitors can never accrete
76
+ * scope onto a shared identity. Their actual scope lives in the per-session JWT
77
+ * claims (mj_scopes) and is enforced claims-side. Fail-closed if the principal was
78
+ * never seeded (the Phase-4 migration is required).
79
+ */
80
+ private resolveAnonymousPrincipal;
81
+ /**
82
+ * True if an existing account is "protected" from magic-link provisioning: an
83
+ * Owner, or a user holding any role OUTSIDE the set of roles magic-link may
84
+ * legitimately grant. That allowed set is: the configured restricted role, the
85
+ * deployment's `grantableRoleNames`, AND the role THIS invite grants. So a prior
86
+ * magic-link guest holding only magic-link-grantable roles (e.g. the invite's own
87
+ * granted role) is NOT protected — re-redeeming a multi-use link is the intended
88
+ * flow. A user holding e.g. Developer/Admin is still protected and blocked.
89
+ *
90
+ * @param user the existing account being re-provisioned
91
+ * @param invitedRoleName the role name this invite grants
92
+ */
93
+ private isProtectedAccount;
94
+ /** Creates a new user with exactly the restricted role + single app, transactionally. */
95
+ private createScopedUser;
96
+ /** Idempotently ensures an existing user has the given role and app assignment. */
97
+ private ensureRoleAndApp;
98
+ /** Idempotently ensures the role has CanAccess to the application (Application Role). */
99
+ private ensureAppAccess;
100
+ /**
101
+ * Atomically consumes one use of the invite via a compare-and-swap UPDATE.
102
+ * The WHERE clause re-checks every eligibility condition (Active, not
103
+ * exhausted, not expired) at the DB level, so the increment and the guard are
104
+ * a single atomic operation. Returns true ONLY when this call updated the row
105
+ * (won the race); concurrent redemptions of a single-use link see 0 rows.
106
+ *
107
+ * Fail-closed: any DB error returns false and the redemption is rejected.
108
+ */
109
+ private consumeInvite;
110
+ /** Pushes a freshly created user into the UserCache with its single role. */
111
+ private pushUserToCache;
112
+ /**
113
+ * True iff the invite's creator resolves to a still-active user. Used to
114
+ * fail-closed at redeem time so a deactivated/removed inviter's outstanding
115
+ * links stop working. A missing/blank CreatedByUserID is treated as inactive.
116
+ */
117
+ private isInviterActive;
118
+ /** Resolves the user whose context provisions magic-link users. */
119
+ private resolveProvisioningContextUser;
120
+ /** Sends the invite email via the configured communication provider. Best-effort. */
121
+ private sendInviteEmail;
122
+ }
123
+ //# sourceMappingURL=MagicLinkService.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"MagicLinkService.d.ts","sourceRoot":"","sources":["../../../src/auth/magicLink/MagicLinkService.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAGL,QAAQ,EAIR,KAAK,iBAAiB,EAEvB,MAAM,sBAAsB,CAAC;AAgB9B,OAAO,EAAc,KAAK,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAGnE,OAAO,KAAK,EACV,2BAA2B,EAC3B,2BAA2B,EAC3B,qBAAqB,EACrB,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAkBpB;;;GAGG;AACH,qBAAa,gBAAgB;IAEzB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,MAAM;gBADN,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,eAAe;IAG1C;;;;;;;OAOG;IACU,YAAY,CACvB,MAAM,EAAE,2BAA2B,EACnC,YAAY,EAAE,QAAQ,EACtB,QAAQ,CAAC,EAAE,iBAAiB,GAC3B,OAAO,CAAC,2BAA2B,CAAC;IAsFvC;;;;;;;;;;;;OAYG;IACU,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAmIvG;;;;;;;;;OASG;YACW,gBAAgB;IAoC9B;;;;;;;OAOG;YACW,yBAAyB;IA4BvC,gEAAgE;IAChE,OAAO,CAAC,uBAAuB;IAM/B,2CAA2C;IAC3C,OAAO,CAAC,kBAAkB;IAK1B;;;OAGG;YACW,aAAa;IAgD3B;;;;;;;OAOG;IACH,OAAO,CAAC,yBAAyB;IASjC;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,kBAAkB;IAY1B,yFAAyF;YAC3E,gBAAgB;IA2D9B,mFAAmF;YACrE,gBAAgB;IA4C9B,yFAAyF;YAC3E,eAAe;IA6B7B;;;;;;;;OAQG;YACW,aAAa;IAkB3B,6EAA6E;IAC7E,OAAO,CAAC,eAAe;IAOvB;;;;OAIG;IACH,OAAO,CAAC,eAAe;IAQvB,mEAAmE;IACnE,OAAO,CAAC,8BAA8B;IAYtC,qFAAqF;YACvE,eAAe;CA0B9B"}