@mostajs/auth 2.3.3 → 2.5.0

package/dist/lib/credentials-helpers.d.ts

@@ -0,0 +1,3 @@
+export declare function defaultStatusCheck(user: any): boolean;
+export declare function defaultRoleResolver(user: any, fallback: string): string;
+export declare function defaultNameResolver(user: any): string;

package/dist/lib/credentials-helpers.js

@@ -0,0 +1,23 @@
+// @mostajs/auth — Helpers partagés entre credentials providers (local, remote, server)
+//
+// Centralise les valeurs par défaut pour : check de status, résolution
+// de role, résolution de display name. Utilisé par :
+//   - credentials-provider.ts        (NextAuth provider local, ORM direct)
+//   - credentials-verify.ts          (handler serveur côté Octonet)
+//   - remote-credentials-provider.ts (NextAuth provider gateway, ne fait
+//                                     pas de bcrypt — délègue au handler)
+//
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+export function defaultStatusCheck(user) {
+    return user.status !== 'disabled' && user.status !== 'locked';
+}
+export function defaultRoleResolver(user, fallback) {
+    if (user.roles?.length > 0) {
+        const r = user.roles[0];
+        return typeof r === 'string' ? r : (r?.name ?? fallback);
+    }
+    return user.role ?? fallback;
+}
+export function defaultNameResolver(user) {
+    return `${user.firstName ?? ''} ${user.lastName ?? ''}`.trim() || (user.email ?? '');
+}

package/dist/lib/credentials-provider.d.ts

@@ -0,0 +1,57 @@
+export interface CredentialsProviderConfig {
+    /** Lookup the user row by email (case-insensitive). Return null if not found.
+     *  Conseillé : passer une fonction qui utilise UserRepository de @mostajs/rbac
+     *  pour bénéficier de findByEmail (qui lowercase l'email côté repo). */
+    findUserByEmail: (email: string) => Promise<any | null>;
+    /** Default role assigned when the user has no role relations (default: 'user'). */
+    defaultRole?: string;
+    /** Custom check before allowing login (e.g. email verified, 2FA).
+     *  Return false to block. Default: status !== 'disabled' && status !== 'locked'. */
+    checkUserAllowed?: (user: any) => boolean | Promise<boolean>;
+    /** Custom role resolution. Default: first user.roles[].name or fallback. */
+    resolveRole?: (user: any) => string | Promise<string>;
+    /** Custom display name. Default: "<firstName> <lastName>" trimmed → email. */
+    resolveName?: (user: any) => string;
+    /** Provider id (default: 'credentials'). Useful if multiple providers coexist. */
+    id?: string;
+    /** Provider display name (default: 'Email + Password'). */
+    name?: string;
+}
+/**
+ * Build a NextAuth Credentials provider config (returned as plain object,
+ * directly passable to `NextAuth({ providers: [provider], ... })` without
+ * any next-auth imports côté consumer).
+ *
+ * Usage :
+ *   import { createCredentialsProvider } from '@mostajs/auth/server'
+ *
+ *   NextAuth({
+ *     providers: [
+ *       createCredentialsProvider({
+ *         findUserByEmail: async (email) => userRepo.findByEmail(email),
+ *         defaultRole: 'user',
+ *       }),
+ *     ],
+ *   })
+ */
+export declare function createCredentialsProvider(config: CredentialsProviderConfig): {
+    id: string;
+    name: string;
+    type: "credentials";
+    credentials: {
+        email: {
+            label: string;
+            type: string;
+        };
+        password: {
+            label: string;
+            type: string;
+        };
+    };
+    authorize(credentials: any): Promise<{
+        id: any;
+        email: any;
+        name: string;
+        role: string;
+    } | null>;
+};

package/dist/lib/credentials-provider.js

@@ -0,0 +1,72 @@
+// @mostajs/auth — Email + password credentials provider for NextAuth
+//
+// Factorise le boilerplate NextAuth Credentials que chaque app refait. Le
+// consumer obtient un provider PRÊT À L'EMPLOI à passer à NextAuth({providers}) :
+// il n'importe ni `next-auth/providers/credentials`, ni bcrypt, ni le
+// UserRepository — tout est encapsulé.
+//
+// Pendant naturel de createApiKeyProvider (même style de retour : objet
+// provider config plat). Différence : authentication via email/password
+// (UI register/signin) vs API key (programmatic).
+//
+// Le caller fournit `findUserByEmail` (ou laisse passer pour un default
+// fail-closed). Pour leverager directement @mostajs/rbac, il suffit de
+// passer `(email) => new UserRepository(dialect).findByEmail(email)`.
+//
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+import { comparePassword } from './password.js';
+import { defaultStatusCheck, defaultRoleResolver, defaultNameResolver } from './credentials-helpers.js';
+/**
+ * Build a NextAuth Credentials provider config (returned as plain object,
+ * directly passable to `NextAuth({ providers: [provider], ... })` without
+ * any next-auth imports côté consumer).
+ *
+ * Usage :
+ *   import { createCredentialsProvider } from '@mostajs/auth/server'
+ *
+ *   NextAuth({
+ *     providers: [
+ *       createCredentialsProvider({
+ *         findUserByEmail: async (email) => userRepo.findByEmail(email),
+ *         defaultRole: 'user',
+ *       }),
+ *     ],
+ *   })
+ */
+export function createCredentialsProvider(config) {
+    const defaultRole = config.defaultRole ?? 'user';
+    const checkUserAllowed = config.checkUserAllowed ?? defaultStatusCheck;
+    const resolveRole = config.resolveRole ?? ((u) => defaultRoleResolver(u, defaultRole));
+    const resolveName = config.resolveName ?? defaultNameResolver;
+    return {
+        id: config.id ?? 'credentials',
+        name: config.name ?? 'Email + Password',
+        type: 'credentials',
+        credentials: {
+            email: { label: 'Email', type: 'email' },
+            password: { label: 'Password', type: 'password' },
+        },
+        async authorize(credentials) {
+            if (!credentials?.email || !credentials?.password)
+                return null;
+            const email = String(credentials.email).toLowerCase().trim();
+            const user = await config.findUserByEmail(email);
+            if (!user)
+                return null;
+            const allowed = await checkUserAllowed(user);
+            if (!allowed)
+                return null;
+            const valid = await comparePassword(String(credentials.password), user.password);
+            if (!valid)
+                return null;
+            const role = await resolveRole(user);
+            const name = resolveName(user);
+            return {
+                id: user.id,
+                email: user.email,
+                name,
+                role,
+            };
+        },
+    };
+}

package/dist/lib/credentials-verify.d.ts

@@ -0,0 +1,36 @@
+export interface CredentialsVerifyConfig {
+    /** Lookup the user row by email (case-insensitive) — must return the user
+     *  WITH the password hash field. Typically:
+     *    `(email) => new UserRepository(dialect).findByEmail(email)`
+     *  Le handler tournant côté serveur (Octonet), il bypasse le sanitizer
+     *  qui ne strippe que les responses sortant par REST. */
+    findUserByEmail: (email: string) => Promise<any | null>;
+    /** Default role assigned when the user has no role relations (default: 'user'). */
+    defaultRole?: string;
+    /** Custom check before allowing login. Default: status !== 'disabled' && !== 'locked'. */
+    checkUserAllowed?: (user: any) => boolean | Promise<boolean>;
+    /** Custom role resolution. Default: first user.roles[].name or fallback. */
+    resolveRole?: (user: any) => string | Promise<string>;
+    /** Custom display name. Default: "<firstName> <lastName>" trimmed → email. */
+    resolveName?: (user: any) => string;
+}
+/**
+ * Build a Web standard Request → Response handler that verifies (email, password)
+ * server-side and returns a sanitized user payload (no password) on success.
+ *
+ * Mount it on any HTTP framework that exposes Web Request/Response :
+ *   Next.js :     export const POST = createCredentialsVerifyHandler({...})
+ *   Fastify :     adapter via app.post(path, async (req,reply)=>{ const r = await handler(toRequest(req)); ... })
+ *   mosta-net :   monté automatiquement par le server quand auth est activé
+ *
+ * Response shape :
+ *   200 { ok: true, user: { id, email, name, role } }
+ *   400 { error: 'email and password are required' }
+ *   401 { error: 'invalid credentials' }   // user not found, password wrong, status disabled
+ *   500 { error: 'internal error' }
+ *
+ * Le handler ne renvoie JAMAIS le password hash, ni d'indication sur quelle
+ * partie a échoué (user inexistant vs password faux) — défense contre
+ * l'énumération d'emails.
+ */
+export declare function createCredentialsVerifyHandler(config: CredentialsVerifyConfig): (req: Request) => Promise<Response>;

package/dist/lib/credentials-verify.js

@@ -0,0 +1,96 @@
+// @mostajs/auth — Server-side credentials verification handler
+//
+// Frère symétrique de createCredentialsProvider. Là où celui-ci tourne
+// CÔTÉ CLIENT NextAuth (Octocloud) en faisant bcrypt.compare localement,
+// celui-ci tourne CÔTÉ SERVEUR (Octonet, là où vit la DB) et expose le
+// même contrat sous forme de Web standard handler.
+//
+// Pourquoi ce frère existe :
+//   En mode gateway (data-plug → MOSTA_DATA=net), Octocloud n'a plus
+//   accès direct au password hash — le sanitizer middleware d'Octonet
+//   strippe `password` de toute response REST (à juste titre, c'est sa
+//   fonction de défense). Faire le bcrypt.compare côté Octocloud est
+//   alors impossible.
+//
+//   La résolution propre : déplacer le bcrypt.compare LÀ où vit le hash
+//   (Octonet), et exposer juste un endpoint POST /api/auth/verify qui
+//   prend (email, password) et renvoie {ok:true, user:{id,email,name,role}}
+//   ou 401. Le hash ne quitte JAMAIS Octonet — propriété de sécurité forte.
+//
+//   Côté Octocloud, on monte createRemoteCredentialsProvider qui POST
+//   sur cet endpoint au lieu de tenter le compare local.
+//
+// Auteur des deux côtés : @mostajs/auth (un seul module, deux rôles
+// symétriques). @mostajs/net ne fait que router le HTTP.
+//
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+import { comparePassword } from './password.js';
+import { defaultStatusCheck, defaultRoleResolver, defaultNameResolver } from './credentials-helpers.js';
+/**
+ * Build a Web standard Request → Response handler that verifies (email, password)
+ * server-side and returns a sanitized user payload (no password) on success.
+ *
+ * Mount it on any HTTP framework that exposes Web Request/Response :
+ *   Next.js :     export const POST = createCredentialsVerifyHandler({...})
+ *   Fastify :     adapter via app.post(path, async (req,reply)=>{ const r = await handler(toRequest(req)); ... })
+ *   mosta-net :   monté automatiquement par le server quand auth est activé
+ *
+ * Response shape :
+ *   200 { ok: true, user: { id, email, name, role } }
+ *   400 { error: 'email and password are required' }
+ *   401 { error: 'invalid credentials' }   // user not found, password wrong, status disabled
+ *   500 { error: 'internal error' }
+ *
+ * Le handler ne renvoie JAMAIS le password hash, ni d'indication sur quelle
+ * partie a échoué (user inexistant vs password faux) — défense contre
+ * l'énumération d'emails.
+ */
+export function createCredentialsVerifyHandler(config) {
+    const defaultRole = config.defaultRole ?? 'user';
+    const checkUserAllowed = config.checkUserAllowed ?? defaultStatusCheck;
+    const resolveRole = config.resolveRole ?? ((u) => defaultRoleResolver(u, defaultRole));
+    const resolveName = config.resolveName ?? defaultNameResolver;
+    return async function POST(req) {
+        let body;
+        try {
+            body = await req.json();
+        }
+        catch {
+            return Response.json({ error: 'invalid JSON body' }, { status: 400 });
+        }
+        const email = body?.email;
+        const password = body?.password;
+        if (!email || !password) {
+            return Response.json({ error: 'email and password are required' }, { status: 400 });
+        }
+        try {
+            const user = await config.findUserByEmail(String(email).toLowerCase().trim());
+            if (!user) {
+                return Response.json({ error: 'invalid credentials' }, { status: 401 });
+            }
+            const allowed = await checkUserAllowed(user);
+            if (!allowed) {
+                return Response.json({ error: 'invalid credentials' }, { status: 401 });
+            }
+            const valid = await comparePassword(String(password), user.password);
+            if (!valid) {
+                return Response.json({ error: 'invalid credentials' }, { status: 401 });
+            }
+            const role = await resolveRole(user);
+            const name = resolveName(user);
+            return Response.json({
+                ok: true,
+                user: {
+                    id: user.id ?? user._id,
+                    email: user.email,
+                    name,
+                    role,
+                },
+            });
+        }
+        catch (e) {
+            console.error('[auth/verify] internal error:', e?.message || e);
+            return Response.json({ error: 'internal error' }, { status: 500 });
+        }
+    };
+}

package/dist/lib/remote-credentials-provider.d.ts

@@ -0,0 +1,55 @@
+export interface RemoteCredentialsProviderConfig {
+    /** URL of the verify endpoint exposed by the server (Octonet).
+     *  Absolute or relative. Le serveur doit avoir monté
+     *  createCredentialsVerifyHandler sur ce path (mosta-net le fait). */
+    verifyEndpoint: string;
+    /** API key identifiant le caller (REQUIS). Pour Octocloud c'est la portal
+     *  apikey ; pour une app C#/Java/…, c'est leur propre apikey. Octonet
+     *  est M2M : pas d'apikey = pas d'accès. */
+    apiKey: string;
+    /** Optional fetch implementation override (testing, custom transport). */
+    fetch?: typeof fetch;
+    /** Provider id (default: 'credentials'). */
+    id?: string;
+    /** Provider display name (default: 'Email + Password'). */
+    name?: string;
+    /** Optional hook called on successful auth — utile pour syncer un mirror
+     *  local (ex: une table users local côté caller, en miroir d'Octonet). */
+    onAuthorized?: (user: {
+        id: string;
+        email: string;
+        name: string;
+        role: string;
+    }) => void | Promise<void>;
+}
+/**
+ * Build a NextAuth Credentials provider config that delegates verification
+ * to a remote HTTP endpoint instead of doing bcrypt.compare locally.
+ *
+ * Returned shape is identical to createCredentialsProvider — directly
+ * passable to `NextAuth({ providers: [provider], ... })`.
+ *
+ * Le password est POST en HTTPS, le hash bcrypt ne quitte jamais Octonet,
+ * et seules les infos sanitisées {id, email, name, role} reviennent.
+ */
+export declare function createRemoteCredentialsProvider(config: RemoteCredentialsProviderConfig): {
+    id: string;
+    name: string;
+    type: "credentials";
+    credentials: {
+        email: {
+            label: string;
+            type: string;
+        };
+        password: {
+            label: string;
+            type: string;
+        };
+    };
+    authorize(credentials: any): Promise<{
+        id: any;
+        email: any;
+        name: any;
+        role: any;
+    } | null>;
+};

package/dist/lib/remote-credentials-provider.js

@@ -0,0 +1,115 @@
+// @mostajs/auth — Remote credentials provider for NextAuth (gateway mode)
+//
+// Frère client de createCredentialsVerifyHandler. Là où celui-ci tourne
+// CÔTÉ SERVEUR (Octonet, là où vit la DB) et fait bcrypt.compare local,
+// celui-ci tourne CÔTÉ NextAuth (Octocloud, app C#, app Java, …) et
+// délègue la vérification à un endpoint HTTP au lieu de tenter le
+// compare en local.
+//
+// Pourquoi : en mode gateway (data-plug → MOSTA_DATA=net), le caller n'a
+// pas accès au password hash (le sanitizer middleware d'Octonet le strippe
+// à juste titre). On ne peut pas — et on ne DOIT pas — faire le bcrypt.compare
+// côté caller. Le hash reste sur Octonet.
+//
+// L'`apiKey` est REQUIS : Octonet est M2M et toute requête s'identifie
+// par une apikey. Le caller (Octocloud, ou autre app cliente du portail)
+// envoie SA propre apikey — qui scope les users qu'il peut verify
+// (multi-tenant β via account-scope-middleware).
+//
+// Drop-in replacement de createCredentialsProvider : même shape de retour,
+// même UX NextAuth — seul le `findUserByEmail` callback est remplacé par
+// un appel HTTP à `verifyEndpoint`.
+//
+// Usage typique (Octocloud) :
+//   NextAuth({
+//     providers: [
+//       createRemoteCredentialsProvider({
+//         verifyEndpoint: 'https://octonet.amia.fr/api/auth/verify',
+//         apiKey:         process.env.OCTONET_PORTAL_API_KEY!,
+//       }),
+//     ],
+//   })
+//
+// Author: Dr Hamid MADANI <drmdh@msn.com>
+/**
+ * Build a NextAuth Credentials provider config that delegates verification
+ * to a remote HTTP endpoint instead of doing bcrypt.compare locally.
+ *
+ * Returned shape is identical to createCredentialsProvider — directly
+ * passable to `NextAuth({ providers: [provider], ... })`.
+ *
+ * Le password est POST en HTTPS, le hash bcrypt ne quitte jamais Octonet,
+ * et seules les infos sanitisées {id, email, name, role} reviennent.
+ */
+export function createRemoteCredentialsProvider(config) {
+    if (!config.apiKey) {
+        throw new Error('@mostajs/auth/createRemoteCredentialsProvider: `apiKey` is required. ' +
+            'Octonet is M2M — every caller (Octocloud, NetClient app, etc.) must identify with its own apikey.');
+    }
+    if (!config.verifyEndpoint) {
+        throw new Error('@mostajs/auth/createRemoteCredentialsProvider: `verifyEndpoint` is required.');
+    }
+    const fetchImpl = config.fetch ?? fetch;
+    return {
+        id: config.id ?? 'credentials',
+        name: config.name ?? 'Email + Password',
+        type: 'credentials',
+        credentials: {
+            email: { label: 'Email', type: 'email' },
+            password: { label: 'Password', type: 'password' },
+        },
+        async authorize(credentials) {
+            if (!credentials?.email || !credentials?.password)
+                return null;
+            const headers = {
+                'Content-Type': 'application/json',
+                'X-API-Key': config.apiKey,
+            };
+            let resp;
+            try {
+                resp = await fetchImpl(config.verifyEndpoint, {
+                    method: 'POST',
+                    headers,
+                    body: JSON.stringify({
+                        email: String(credentials.email).toLowerCase().trim(),
+                        password: String(credentials.password),
+                    }),
+                });
+            }
+            catch (e) {
+                console.error('[remote-credentials] network error:', e?.message || e);
+                return null;
+            }
+            if (!resp.ok) {
+                // 401 = invalid credentials, 400 = bad request, 500 = server error.
+                // NextAuth attend null pour reject — on ne distingue pas (defense
+                // contre l'énumération d'emails côté UI).
+                return null;
+            }
+            let payload;
+            try {
+                payload = await resp.json();
+            }
+            catch {
+                return null;
+            }
+            if (!payload?.ok || !payload?.user)
+                return null;
+            const user = payload.user;
+            if (config.onAuthorized) {
+                try {
+                    await config.onAuthorized(user);
+                }
+                catch (e) {
+                    console.warn('[remote-credentials] onAuthorized hook failed:', e?.message || e);
+                }
+            }
+            return {
+                id: user.id,
+                email: user.email,
+                name: user.name,
+                role: user.role,
+            };
+        },
+    };
+}

package/dist/server.d.ts

@@ -20,5 +20,11 @@ export { createPasswordResetHandlers, generateResetToken } from './lib/password-
 export type { PasswordResetConfig } from './lib/password-reset';
 export { createApiKeyProvider } from './lib/apikey-provider';
 export type { ApiKeyProviderConfig } from './lib/apikey-provider';
+export { createCredentialsProvider } from './lib/credentials-provider';
+export type { CredentialsProviderConfig } from './lib/credentials-provider';
+export { createCredentialsVerifyHandler } from './lib/credentials-verify';
+export type { CredentialsVerifyConfig } from './lib/credentials-verify';
+export { createRemoteCredentialsProvider } from './lib/remote-credentials-provider';
+export type { RemoteCredentialsProviderConfig } from './lib/remote-credentials-provider';
 export { enrichTokenWithPlan, enrichSessionWithPlan } from './lib/session-enrichment';
 export type { SessionEnrichmentConfig } from './lib/session-enrichment';

package/dist/server.js

@@ -27,5 +27,8 @@ export { createVerificationHandlers, generateVerifyToken } from './lib/email-ver
 export { createPasswordResetHandlers, generateResetToken } from './lib/password-reset.js';
 // API key provider
 export { createApiKeyProvider } from './lib/apikey-provider.js';
+export { createCredentialsProvider } from './lib/credentials-provider.js';
+export { createCredentialsVerifyHandler } from './lib/credentials-verify.js';
+export { createRemoteCredentialsProvider } from './lib/remote-credentials-provider.js';
 // Session enrichment
 export { enrichTokenWithPlan, enrichSessionWithPlan } from './lib/session-enrichment.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mostajs/auth",
-  "version": "2.3.3",
+  "version": "2.5.0",
   "description": "Authentication — NextAuth, password hashing, session management",
   "author": "Dr Hamid MADANI <drmdh@msn.com>",
   "license": "AGPL-3.0-or-later",
@@ -83,6 +83,11 @@
       "import": "./dist/lib/apikey-provider.js",
       "default": "./dist/lib/apikey-provider.js"
     },
+    "./lib/credentials-provider": {
+      "types": "./dist/lib/credentials-provider.d.ts",
+      "import": "./dist/lib/credentials-provider.js",
+      "default": "./dist/lib/credentials-provider.js"
+    },
     "./lib/check-request": {
       "types": "./dist/lib/check-request.d.ts",
       "import": "./dist/lib/check-request.js",
@@ -120,7 +125,7 @@
   },
   "scripts": {
     "build": "tsc && npm run fix-esm",
-    "fix-esm": "find dist -name '*.js' -exec sed -i -E \"s|from '(\\\\.{1,2}/[^']+)'(;?)|from '\\\\1.js'\\\\2|g; s|from \\\"(\\\\.{1,2}/[^\\\"]+)\\\"(;?)|from \\\"\\\\1.js\\\"\\\\2|g\" {} \\; && find dist -name '*.js' -exec sed -i -E \"s|\\\\.js\\\\.js|.js|g\" {} \\;",
+    "fix-esm": "find dist -name '*.js' -exec sed -i -E \"s|from '(\\\\.{1,2}/[^']+)'(;?)|from '\\\\1.js'\\\\2|g; s|from \\\"(\\\\.{1,2}/[^\\\"]+)\\\"(;?)|from \\\"\\\\1.js\\\"\\\\2|g\" {} \\; && find dist -name '*.js' -exec sed -i -E \"s|\\\\.js\\\\.js|.js|g; s|\\\\.json\\\\.js|.json|g; s|\\\\.css\\\\.js|.css|g\" {} \\;",
     "prepublishOnly": "npm run build"
   },
   "dependencies": {