npm - @mostajs/auth - Versions diffs - 2.3.2 → 2.4.0 - Mend

@mostajs/auth 2.3.2 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/lib/check-request.d.ts +10 -0
package/dist/lib/check-request.js +47 -2
package/dist/lib/credentials-provider.d.ts +57 -0
package/dist/lib/credentials-provider.js +84 -0
package/dist/server.d.ts +2 -0
package/dist/server.js +1 -0
package/package.json +7 -2

package/dist/lib/check-request.d.ts CHANGED Viewed

@@ -24,6 +24,16 @@ export interface CheckRequestParams {
     }>;
     /** Allow request through without apikey (legacy / public-mode). */
     openMode?: boolean;
+    /**
+     * When no apikey is provided, fall back to a labeled apikey stored in
+     * the api_keys table (typically `public-default`). The fallback's
+     * permissions still apply — so a public-default key with read-only
+     * scope keeps writes blocked even when no key is sent.
+     *
+     * Use case : MCP endpoint that wants to preserve compat with existing
+     * mcp.so / Claude Desktop users who haven't published the apikey yet.
+     */
+    fallbackPublicLabel?: string;
 }
 export interface CheckRequestResult {
     ok: boolean;

package/dist/lib/check-request.js CHANGED Viewed

@@ -36,7 +36,7 @@ function pickQuery(q, name) {
  * (e.g. `if (!result.ok) reply.code(result.status).send(result.body)`).
  */
 export async function checkRequest(params) {
-    const { dialect, headers, query, ip, transport, checks = [], openMode = false } = params;
+    const { dialect, headers, query, ip, transport, checks = [], openMode = false, fallbackPublicLabel } = params;
     // Extract auth identifiers from the request
     const apiKey = pickHeader(headers, 'x-api-key') ??
         (pickHeader(headers, 'authorization')?.replace(/^Bearer\s+/i, '').trim() || undefined) ??
@@ -53,8 +53,53 @@ export async function checkRequest(params) {
         projectName,
         meta: { ip: resolvedIp },
     };
-    // No apikey → either openMode passes through, or 401
+    // No apikey → either fallback to a public labeled key, or openMode pass-through, or 401
     if (!apiKey) {
+        // Fallback to a labeled public apikey (e.g. 'public-default') if configured.
+        // Looks up the row by label, applies its scope checks. Useful for MCP /
+        // demo endpoints that want to preserve compat with users who haven't yet
+        // published the public apikey in their config.
+        if (fallbackPublicLabel && dialect) {
+            try {
+                const { getApiKeyRepo, isScopeAuthorized } = await import('@mostajs/api-keys/server');
+                const repo = getApiKeyRepo(dialect);
+                const fallbackKey = await repo.findOne({ label: fallbackPublicLabel, enabled: true });
+                if (fallbackKey) {
+                    // Normalize legacy permission shape (move projects/operations/transports into scopes)
+                    const perms = fallbackKey.permissions || {};
+                    const scopes = { ...(perms.scopes ?? {}) };
+                    for (const k of ['projects', 'operations', 'transports']) {
+                        if (perms[k] !== undefined && scopes[k] === undefined)
+                            scopes[k] = perms[k];
+                    }
+                    const normPerms = { ...perms, scopes };
+                    // Run the same scope checks against the public key's perms
+                    for (const c of checks) {
+                        if (!isScopeAuthorized(normPerms, c.scope, c.value)) {
+                            return {
+                                ok: false, status: 403,
+                                body: { status: 'error', error: { code: 'FORBIDDEN',
+                                        message: `Public access not authorized for ${c.scope}="${c.value}"`, } },
+                            };
+                        }
+                    }
+                    return {
+                        ok: true, status: 200,
+                        apikey: fallbackKey,
+                        ctx: {
+                            ...baseCtx,
+                            subscription: fallbackKey.label || fallbackKey.id,
+                            permissions: normPerms.scopes ?? {},
+                            accountId: fallbackKey.account || fallbackKey.accountId,
+                            apikeyId: fallbackKey.id,
+                        },
+                    };
+                }
+            }
+            catch {
+                // Fallback failed — fall through to standard 401 / openMode
+            }
+        }
         if (openMode)
             return { ok: true, status: 200, ctx: baseCtx };
         return {

package/dist/lib/credentials-provider.d.ts ADDED Viewed

@@ -0,0 +1,57 @@
+export interface CredentialsProviderConfig {
+    /** Lookup the user row by email (case-insensitive). Return null if not found.
+     *  Conseillé : passer une fonction qui utilise UserRepository de @mostajs/rbac
+     *  pour bénéficier de findByEmail (qui lowercase l'email côté repo). */
+    findUserByEmail: (email: string) => Promise<any | null>;
+    /** Default role assigned when the user has no role relations (default: 'user'). */
+    defaultRole?: string;
+    /** Custom check before allowing login (e.g. email verified, 2FA).
+     *  Return false to block. Default: status !== 'disabled' && status !== 'locked'. */
+    checkUserAllowed?: (user: any) => boolean | Promise<boolean>;
+    /** Custom role resolution. Default: first user.roles[].name or fallback. */
+    resolveRole?: (user: any) => string | Promise<string>;
+    /** Custom display name. Default: "<firstName> <lastName>" trimmed → email. */
+    resolveName?: (user: any) => string;
+    /** Provider id (default: 'credentials'). Useful if multiple providers coexist. */
+    id?: string;
+    /** Provider display name (default: 'Email + Password'). */
+    name?: string;
+}
+/**
+ * Build a NextAuth Credentials provider config (returned as plain object,
+ * directly passable to `NextAuth({ providers: [provider], ... })` without
+ * any next-auth imports côté consumer).
+ *
+ * Usage :
+ *   import { createCredentialsProvider } from '@mostajs/auth/server'
+ *
+ *   NextAuth({
+ *     providers: [
+ *       createCredentialsProvider({
+ *         findUserByEmail: async (email) => userRepo.findByEmail(email),
+ *         defaultRole: 'user',
+ *       }),
+ *     ],
+ *   })
+ */
+export declare function createCredentialsProvider(config: CredentialsProviderConfig): {
+    id: string;
+    name: string;
+    type: "credentials";
+    credentials: {
+        email: {
+            label: string;
+            type: string;
+        };
+        password: {
+            label: string;
+            type: string;
+        };
+    };
+    authorize(credentials: any): Promise<{
+        id: any;
+        email: any;
+        name: string;
+        role: string;
+    } | null>;
+};

package/dist/lib/credentials-provider.js ADDED Viewed

@@ -0,0 +1,84 @@
+// @mostajs/auth — Email + password credentials provider for NextAuth
+//
+// Factorise le boilerplate NextAuth Credentials que chaque app refait. Le
+// consumer obtient un provider PRÊT À L'EMPLOI à passer à NextAuth({providers}) :
+// il n'importe ni `next-auth/providers/credentials`, ni bcrypt, ni le
+// UserRepository — tout est encapsulé.
+//
+// Pendant naturel de createApiKeyProvider (même style de retour : objet
+// provider config plat). Différence : authentication via email/password
+// (UI register/signin) vs API key (programmatic).
+//
+// Le caller fournit `findUserByEmail` (ou laisse passer pour un default
+// fail-closed). Pour leverager directement @mostajs/rbac, il suffit de
+// passer `(email) => new UserRepository(dialect).findByEmail(email)`.
+//
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+import { comparePassword } from './password.js';
+function defaultStatusCheck(user) {
+    return user.status !== 'disabled' && user.status !== 'locked';
+}
+function defaultRoleResolver(user, fallback) {
+    if (user.roles?.length > 0) {
+        const r = user.roles[0];
+        return typeof r === 'string' ? r : (r?.name ?? fallback);
+    }
+    return user.role ?? fallback;
+}
+function defaultNameResolver(user) {
+    return `${user.firstName ?? ''} ${user.lastName ?? ''}`.trim() || (user.email ?? '');
+}
+/**
+ * Build a NextAuth Credentials provider config (returned as plain object,
+ * directly passable to `NextAuth({ providers: [provider], ... })` without
+ * any next-auth imports côté consumer).
+ *
+ * Usage :
+ *   import { createCredentialsProvider } from '@mostajs/auth/server'
+ *
+ *   NextAuth({
+ *     providers: [
+ *       createCredentialsProvider({
+ *         findUserByEmail: async (email) => userRepo.findByEmail(email),
+ *         defaultRole: 'user',
+ *       }),
+ *     ],
+ *   })
+ */
+export function createCredentialsProvider(config) {
+    const defaultRole = config.defaultRole ?? 'user';
+    const checkUserAllowed = config.checkUserAllowed ?? defaultStatusCheck;
+    const resolveRole = config.resolveRole ?? ((u) => defaultRoleResolver(u, defaultRole));
+    const resolveName = config.resolveName ?? defaultNameResolver;
+    return {
+        id: config.id ?? 'credentials',
+        name: config.name ?? 'Email + Password',
+        type: 'credentials',
+        credentials: {
+            email: { label: 'Email', type: 'email' },
+            password: { label: 'Password', type: 'password' },
+        },
+        async authorize(credentials) {
+            if (!credentials?.email || !credentials?.password)
+                return null;
+            const email = String(credentials.email).toLowerCase().trim();
+            const user = await config.findUserByEmail(email);
+            if (!user)
+                return null;
+            const allowed = await checkUserAllowed(user);
+            if (!allowed)
+                return null;
+            const valid = await comparePassword(String(credentials.password), user.password);
+            if (!valid)
+                return null;
+            const role = await resolveRole(user);
+            const name = resolveName(user);
+            return {
+                id: user.id,
+                email: user.email,
+                name,
+                role,
+            };
+        },
+    };
+}

package/dist/server.d.ts CHANGED Viewed

@@ -20,5 +20,7 @@ export { createPasswordResetHandlers, generateResetToken } from './lib/password-
 export type { PasswordResetConfig } from './lib/password-reset';
 export { createApiKeyProvider } from './lib/apikey-provider';
 export type { ApiKeyProviderConfig } from './lib/apikey-provider';
+export { createCredentialsProvider } from './lib/credentials-provider';
+export type { CredentialsProviderConfig } from './lib/credentials-provider';
 export { enrichTokenWithPlan, enrichSessionWithPlan } from './lib/session-enrichment';
 export type { SessionEnrichmentConfig } from './lib/session-enrichment';

package/dist/server.js CHANGED Viewed

@@ -27,5 +27,6 @@ export { createVerificationHandlers, generateVerifyToken } from './lib/email-ver
 export { createPasswordResetHandlers, generateResetToken } from './lib/password-reset.js';
 // API key provider
 export { createApiKeyProvider } from './lib/apikey-provider.js';
+export { createCredentialsProvider } from './lib/credentials-provider.js';
 // Session enrichment
 export { enrichTokenWithPlan, enrichSessionWithPlan } from './lib/session-enrichment.js';

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mostajs/auth",
-  "version": "2.3.2",
+  "version": "2.4.0",
   "description": "Authentication — NextAuth, password hashing, session management",
   "author": "Dr Hamid MADANI <drmdh@msn.com>",
   "license": "AGPL-3.0-or-later",
@@ -83,6 +83,11 @@
       "import": "./dist/lib/apikey-provider.js",
       "default": "./dist/lib/apikey-provider.js"
     },
+    "./lib/credentials-provider": {
+      "types": "./dist/lib/credentials-provider.d.ts",
+      "import": "./dist/lib/credentials-provider.js",
+      "default": "./dist/lib/credentials-provider.js"
+    },
     "./lib/check-request": {
       "types": "./dist/lib/check-request.d.ts",
       "import": "./dist/lib/check-request.js",
@@ -120,7 +125,7 @@
   },
   "scripts": {
     "build": "tsc && npm run fix-esm",
-    "fix-esm": "find dist -name '*.js' -exec sed -i -E \"s|from '(\\\\.{1,2}/[^']+)'(;?)|from '\\\\1.js'\\\\2|g; s|from \\\"(\\\\.{1,2}/[^\\\"]+)\\\"(;?)|from \\\"\\\\1.js\\\"\\\\2|g\" {} \\; && find dist -name '*.js' -exec sed -i -E \"s|\\\\.js\\\\.js|.js|g\" {} \\;",
+    "fix-esm": "find dist -name '*.js' -exec sed -i -E \"s|from '(\\\\.{1,2}/[^']+)'(;?)|from '\\\\1.js'\\\\2|g; s|from \\\"(\\\\.{1,2}/[^\\\"]+)\\\"(;?)|from \\\"\\\\1.js\\\"\\\\2|g\" {} \\; && find dist -name '*.js' -exec sed -i -E \"s|\\\\.js\\\\.js|.js|g; s|\\\\.json\\\\.js|.json|g; s|\\\\.css\\\\.js|.css|g\" {} \\;",
     "prepublishOnly": "npm run build"
   },
   "dependencies": {