@nixxie-cms/auth 1.0.1

package/dist/nixxie-cms-auth.esm.js

@@ -0,0 +1,548 @@
+import { assertInputObjectType, GraphQLInputObjectType, GraphQLString, GraphQLID, parse, validate } from 'graphql';
+import { g } from '@nixxie-cms/core';
+import { getPasswordFieldKDF } from '@nixxie-cms/core/fields/types/password';
+
+const AUTHENTICATION_FAILURE$1 = {
+  code: 'FAILURE',
+  message: 'Authentication failed.'
+};
+function getBaseAuthSchema({
+  authGqlNames,
+  listKey,
+  identityField,
+  secretField,
+  base
+}) {
+  const kdf = getPasswordFieldKDF(base.schema, listKey, secretField);
+  if (!kdf) {
+    throw new Error(`${listKey}.${secretField} is not a valid password field.`);
+  }
+  const ItemAuthenticationWithPasswordSuccess = g.object()({
+    name: authGqlNames.ItemAuthenticationWithPasswordSuccess,
+    fields: {
+      sessionToken: g.field({
+        type: g.nonNull(g.String)
+      }),
+      item: g.field({
+        type: g.nonNull(base.object(listKey))
+      })
+    }
+  });
+  const ItemAuthenticationWithPasswordFailure = g.object()({
+    name: authGqlNames.ItemAuthenticationWithPasswordFailure,
+    fields: {
+      message: g.field({
+        type: g.nonNull(g.String)
+      })
+    }
+  });
+  const AuthenticationResult = g.union({
+    name: authGqlNames.ItemAuthenticationWithPasswordResult,
+    types: [ItemAuthenticationWithPasswordSuccess, ItemAuthenticationWithPasswordFailure],
+    resolveType(val) {
+      if ('sessionToken' in val) return authGqlNames.ItemAuthenticationWithPasswordSuccess;
+      return authGqlNames.ItemAuthenticationWithPasswordFailure;
+    }
+  });
+  const extension = {
+    query: {
+      authenticatedItem: g.field({
+        type: base.object(listKey),
+        resolve(rootVal, args, context) {
+          const {
+            session
+          } = context;
+          if (!(session !== null && session !== void 0 && session.itemId)) return null;
+          return context.db[listKey].findOne({
+            where: {
+              id: session.itemId
+            }
+          });
+        }
+      })
+    },
+    mutation: {
+      endSession: g.field({
+        type: g.nonNull(g.Boolean),
+        async resolve(rootVal, args, context) {
+          var _context$sessionStrat;
+          await ((_context$sessionStrat = context.sessionStrategy) === null || _context$sessionStrat === void 0 ? void 0 : _context$sessionStrat.end({
+            context
+          }));
+          return true;
+        }
+      }),
+      [authGqlNames.authenticateItemWithPassword]: g.field({
+        type: AuthenticationResult,
+        args: {
+          [identityField]: g.arg({
+            type: g.nonNull(g.String)
+          }),
+          [secretField]: g.arg({
+            type: g.nonNull(g.String)
+          })
+        },
+        async resolve(rootVal, {
+          [identityField]: identity,
+          [secretField]: secret
+        }, context) {
+          if (!context.sessionStrategy) throw new Error('No session strategy on context');
+          const item = await context.sudo().db[listKey].findOne({
+            where: {
+              [identityField]: identity
+            }
+          });
+          if (typeof (item === null || item === void 0 ? void 0 : item[secretField]) !== 'string') {
+            await kdf.hash('simulated-password-to-counter-timing-attack');
+            return AUTHENTICATION_FAILURE$1;
+          }
+          const equal = await kdf.compare(secret, item[secretField]);
+          if (!equal) return AUTHENTICATION_FAILURE$1;
+          const sessionToken = await context.sessionStrategy.start({
+            data: {
+              listKey,
+              itemId: item.id
+            },
+            context
+          });
+          if (typeof sessionToken !== 'string' || sessionToken.length === 0) {
+            return AUTHENTICATION_FAILURE$1;
+          }
+          return {
+            sessionToken,
+            item
+          };
+        }
+      })
+    }
+  };
+  return {
+    extension,
+    ItemAuthenticationWithPasswordSuccess
+  };
+}
+
+const AUTHENTICATION_FAILURE = 'Authentication failed.';
+function getInitFirstItemSchema({
+  authGqlNames,
+  listKey,
+  fields,
+  defaultItemData,
+  graphQLSchema,
+  ItemAuthenticationWithPasswordSuccess
+}) {
+  const createInputConfig = assertInputObjectType(graphQLSchema.getType(`${listKey}CreateInput`)).toConfig();
+  const fieldsSet = new Set(fields);
+  const initialCreateInput = new GraphQLInputObjectType({
+    ...createInputConfig,
+    fields: Object.fromEntries(Object.entries(createInputConfig.fields).filter(([fieldKey]) => fieldsSet.has(fieldKey))),
+    name: authGqlNames.CreateInitialInput
+  });
+  return {
+    mutation: {
+      [authGqlNames.createInitialItem]: g.field({
+        type: g.nonNull(ItemAuthenticationWithPasswordSuccess),
+        args: {
+          data: g.arg({
+            type: g.nonNull(initialCreateInput)
+          })
+        },
+        async resolve(rootVal, {
+          data
+        }, context) {
+          if (!context.sessionStrategy) throw new Error('No session strategy on context');
+          const sudoContext = context.sudo();
+
+          // should approximate hasInitFirstItemConditions
+          const count = await sudoContext.db[listKey].count();
+          if (count !== 0) throw AUTHENTICATION_FAILURE;
+
+          // Update system state
+          // this is strictly speaking incorrect. the db API will do GraphQL coercion on a value which has already been coerced
+          // (this is also mostly fine, the chance that people are using things where
+          // the input value can't round-trip like the Upload scalar here is quite low)
+          const item = await sudoContext.db[listKey].createOne({
+            data: {
+              ...defaultItemData,
+              ...data
+            }
+          });
+          const sessionToken = await context.sessionStrategy.start({
+            data: {
+              listKey,
+              itemId: item.id
+            },
+            context
+          });
+          if (typeof sessionToken !== 'string' || sessionToken.length === 0) {
+            throw AUTHENTICATION_FAILURE;
+          }
+          return {
+            sessionToken,
+            item
+          };
+        }
+      })
+    }
+  };
+}
+
+const getSchemaExtension = ({
+  authGqlNames,
+  listKey,
+  identityField,
+  secretField,
+  initFirstItem,
+  sessionData
+}) => g.extend(base => {
+  const uniqueWhereInputType = assertInputObjectType(base.schema.getType(authGqlNames.whereUniqueInputName));
+  const identityFieldOnUniqueWhere = uniqueWhereInputType.getFields()[identityField];
+  if (base.schema.extensions.sudo && (identityFieldOnUniqueWhere === null || identityFieldOnUniqueWhere === void 0 ? void 0 : identityFieldOnUniqueWhere.type) !== GraphQLString && (identityFieldOnUniqueWhere === null || identityFieldOnUniqueWhere === void 0 ? void 0 : identityFieldOnUniqueWhere.type) !== GraphQLID) {
+    throw new Error(`createAuth was called with an identityField of ${identityField} on the list ${listKey} ` + `but that field doesn't allow being searched uniquely with a String or ID. ` + `You should likely add \`isIndexed: 'unique'\` ` + `to the field at ${listKey}.${identityField}`);
+  }
+  const baseSchema = getBaseAuthSchema({
+    authGqlNames: authGqlNames,
+    identityField,
+    listKey,
+    secretField,
+    base
+  });
+
+  // technically this will incorrectly error if someone has a schema extension that adds a field to the list output type
+  // and then wants to fetch that field with `sessionData` but it's extremely unlikely someone will do that since if
+  // they want to add a GraphQL field, they'll probably use a virtual field
+  const query = `query($id: ID!) { ${authGqlNames.itemQueryName}(where: { id: $id }) { ${sessionData} } }`;
+  let ast;
+  try {
+    ast = parse(query);
+  } catch (err) {
+    throw new Error(`The query to get session data has a syntax error, the sessionData option in your createAuth usage is likely incorrect\n${err}`);
+  }
+  const errors = validate(base.schema, ast);
+  if (errors.length) {
+    throw new Error(`The query to get session data has validation errors, the sessionData option in your createAuth usage is likely incorrect\n${errors.join('\n')}`);
+  }
+  return [baseSchema.extension, initFirstItem && getInitFirstItemSchema({
+    authGqlNames,
+    listKey,
+    fields: initFirstItem.fields,
+    defaultItemData: initFirstItem.itemData,
+    graphQLSchema: base.schema,
+    ItemAuthenticationWithPasswordSuccess: baseSchema.ItemAuthenticationWithPasswordSuccess
+  })].filter(x => x !== undefined);
+});
+
+function configTemplate ({
+  labelField
+}) {
+  return `import { type AdminConfig } from '@nixxie-cms/core/types'
+import makeNavigation from '@nixxie-cms/auth/components/Navigation'
+
+export const components: AdminConfig['components'] = {
+  Navigation: makeNavigation({ labelField: '${labelField}' }),
+}
+`;
+}
+
+function signinTemplate ({
+  authGqlNames,
+  identityField,
+  secretField
+}) {
+  return `import makeSigninPage from '@nixxie-cms/auth/pages/SigninPage'
+
+export default makeSigninPage(${JSON.stringify({
+    authGqlNames,
+    identityField,
+    secretField
+  })})
+`;
+}
+
+function initTemplate ({
+  authGqlNames,
+  listKey,
+  initFirstItem
+}) {
+  return `import makeInitPage from '@nixxie-cms/auth/pages/InitPage'
+
+export default makeInitPage(${JSON.stringify({
+    listKey,
+    authGqlNames,
+    fieldPaths: initFirstItem.fields,
+    enableWelcome: !initFirstItem.skipNixxieWelcome
+  })})
+`;
+}
+
+function getAuthGqlNames(singular) {
+  const lowerSingularName = singular.charAt(0).toLowerCase() + singular.slice(1);
+  return {
+    itemQueryName: lowerSingularName,
+    whereUniqueInputName: `${singular}WhereUniqueInput`,
+    authenticateItemWithPassword: `authenticate${singular}WithPassword`,
+    ItemAuthenticationWithPasswordResult: `${singular}AuthenticationWithPasswordResult`,
+    ItemAuthenticationWithPasswordSuccess: `${singular}AuthenticationWithPasswordSuccess`,
+    ItemAuthenticationWithPasswordFailure: `${singular}AuthenticationWithPasswordFailure`,
+    CreateInitialInput: `CreateInitial${singular}Input`,
+    createInitialItem: `createInitial${singular}`
+  };
+}
+
+// TODO: use TypeInfo and listKey for types
+/**
+ * createAuth function
+ *
+ * Generates config for Nixxie to implement standard auth features.
+ */
+function createAuth({
+  listKey,
+  secretField,
+  initFirstItem,
+  identityField,
+  sessionData = 'id'
+}) {
+  /**
+   * getAdditionalFiles
+   *
+   * This function adds files to be generated into the Admin UI build. Must be added to the
+   * ui.getAdditionalFiles config.
+   *
+   * The signin page is always included, and the init page is included when initFirstItem is set
+   */
+  const authGetAdditionalFiles = config => {
+    var _listConfig$ui$labelF, _listConfig$ui, _listConfig$graphql$s, _listConfig$graphql;
+    // TODO: FIXME: this is a duplication of initialise-lists:747
+    const listConfig = config.lists[listKey];
+    const labelField = (_listConfig$ui$labelF = (_listConfig$ui = listConfig.ui) === null || _listConfig$ui === void 0 ? void 0 : _listConfig$ui.labelField) !== null && _listConfig$ui$labelF !== void 0 ? _listConfig$ui$labelF : listConfig.fields.label ? 'label' : listConfig.fields.name ? 'name' : listConfig.fields.title ? 'title' : 'id';
+    const authGqlNames = getAuthGqlNames((_listConfig$graphql$s = (_listConfig$graphql = listConfig.graphql) === null || _listConfig$graphql === void 0 ? void 0 : _listConfig$graphql.singular) !== null && _listConfig$graphql$s !== void 0 ? _listConfig$graphql$s : listKey);
+    const filesToWrite = [{
+      mode: 'write',
+      src: signinTemplate({
+        authGqlNames,
+        identityField,
+        secretField
+      }),
+      outputPath: 'pages/signin.js'
+    }, {
+      mode: 'write',
+      src: configTemplate({
+        labelField
+      }),
+      outputPath: 'config.ts'
+    }];
+    if (initFirstItem) {
+      filesToWrite.push({
+        mode: 'write',
+        src: initTemplate({
+          authGqlNames,
+          listKey,
+          initFirstItem
+        }),
+        outputPath: 'pages/init.js'
+      });
+    }
+    return filesToWrite;
+  };
+  function throwIfInvalidConfig(config) {
+    if (!(listKey in config.lists)) {
+      throw new Error(`withAuth cannot find the list "${listKey}"`);
+    }
+
+    // TODO: verify that the identity field is unique
+    // TODO: verify that the field is required
+    const list = config.lists[listKey];
+    if (!(identityField in list.fields)) {
+      throw new Error(`withAuth cannot find the identity field "${listKey}.${identityField}"`);
+    }
+    if (!(secretField in list.fields)) {
+      throw new Error(`withAuth cannot find the secret field "${listKey}.${secretField}"`);
+    }
+    for (const fieldKey of (initFirstItem === null || initFirstItem === void 0 ? void 0 : initFirstItem.fields) || []) {
+      if (fieldKey in list.fields) continue;
+      throw new Error(`initFirstItem.fields has unknown field "${listKey}.${fieldKey}"`);
+    }
+  }
+
+  // this strategy wraps the existing session strategy,
+  //   and injects the requested session.data before returning
+  function authSessionStrategy(_sessionStrategy) {
+    const {
+      get,
+      ...sessionStrategy
+    } = _sessionStrategy;
+    return {
+      ...sessionStrategy,
+      get: async ({
+        context
+      }) => {
+        const session = await get({
+          context
+        });
+        const sudoContext = context.sudo();
+        if (!(session !== null && session !== void 0 && session.itemId)) return;
+
+        // TODO: replace with SessionSecret: HMAC({ listKey, identityField, secretField }, SessionSecretVar)
+        // if (session.listKey !== listKey) return null
+
+        try {
+          const data = await sudoContext.query[listKey].findOne({
+            where: {
+              id: session.itemId
+            },
+            query: sessionData
+          });
+          if (!data) return;
+          return {
+            ...session,
+            itemId: session.itemId,
+            data
+          };
+        } catch (e) {
+          console.error(e);
+          // WARNING: this is probably an invalid configuration
+          return;
+        }
+      }
+    };
+  }
+  async function hasInitFirstItemConditions(context) {
+    // do nothing if they aren't using this feature
+    if (!initFirstItem) return false;
+
+    // if they have a session, there is no initialisation necessary
+    if (context.session) return false;
+    const count = await context.sudo().db[listKey].count({});
+    return count === 0;
+  }
+  async function authMiddleware({
+    context,
+    wasAccessAllowed,
+    basePath
+  }) {
+    const {
+      req
+    } = context;
+    const {
+      pathname
+    } = new URL(req.url, 'http://_');
+
+    // redirect to init if initFirstItem conditions are met
+    if (pathname !== `${basePath}/init` && (await hasInitFirstItemConditions(context))) {
+      return {
+        kind: 'redirect',
+        to: `${basePath}/init`
+      };
+    }
+
+    // redirect to / if attempting to /init and initFirstItem conditions are not met
+    if (pathname === `${basePath}/init` && !(await hasInitFirstItemConditions(context))) {
+      return {
+        kind: 'redirect',
+        to: basePath
+      };
+    }
+
+    // don't redirect if we have access
+    if (wasAccessAllowed) return;
+
+    // otherwise, redirect to signin
+    return {
+      kind: 'redirect',
+      to: `${basePath}/signin`
+    };
+  }
+  function defaultIsAccessAllowed({
+    session
+  }) {
+    return session !== undefined;
+  }
+  function defaultExtendGraphqlSchema(schema) {
+    return schema;
+  }
+
+  /**
+   * withAuth
+   *
+   * Automatically extends your configuration with a prescriptive implementation.
+   */
+  function withAuth(config) {
+    var _ui, _listConfig$graphql$s2, _listConfig$graphql2;
+    throwIfInvalidConfig(config);
+    let {
+      ui
+    } = config;
+    if (!((_ui = ui) !== null && _ui !== void 0 && _ui.isDisabled)) {
+      var _ui$basePath, _ui2;
+      const {
+        getAdditionalFiles = () => [],
+        isAccessAllowed = defaultIsAccessAllowed,
+        pageMiddleware,
+        publicPages = []
+      } = ui || {};
+      const authPublicPages = [`${(_ui$basePath = (_ui2 = ui) === null || _ui2 === void 0 ? void 0 : _ui2.basePath) !== null && _ui$basePath !== void 0 ? _ui$basePath : ''}/signin`];
+      ui = {
+        ...ui,
+        publicPages: [...publicPages, ...authPublicPages],
+        getAdditionalFiles: async () => [...(await getAdditionalFiles()), ...authGetAdditionalFiles(config)],
+        isAccessAllowed: async context => {
+          if (await hasInitFirstItemConditions(context)) return true;
+          return isAccessAllowed(context);
+        },
+        pageMiddleware: async args => {
+          const shouldRedirect = await authMiddleware(args);
+          if (shouldRedirect) return shouldRedirect;
+          return pageMiddleware === null || pageMiddleware === void 0 ? void 0 : pageMiddleware(args);
+        }
+      };
+    }
+    if (!config.session) throw new TypeError('Missing .session configuration');
+    const {
+      graphql
+    } = config;
+    const {
+      extendGraphqlSchema = defaultExtendGraphqlSchema
+    } = graphql !== null && graphql !== void 0 ? graphql : {};
+    const listConfig = config.lists[listKey];
+
+    /**
+     * extendGraphqlSchema
+     *
+     * Must be added to the extendGraphqlSchema config. Can be composed.
+     */
+    const authGqlNames = getAuthGqlNames((_listConfig$graphql$s2 = (_listConfig$graphql2 = listConfig.graphql) === null || _listConfig$graphql2 === void 0 ? void 0 : _listConfig$graphql2.singular) !== null && _listConfig$graphql$s2 !== void 0 ? _listConfig$graphql$s2 : listKey);
+    const authExtendGraphqlSchema = getSchemaExtension({
+      authGqlNames,
+      listKey,
+      identityField,
+      secretField,
+      initFirstItem,
+      sessionData
+    });
+    return {
+      ...config,
+      graphql: {
+        ...config.graphql,
+        extendGraphqlSchema: schema => {
+          return extendGraphqlSchema(authExtendGraphqlSchema(schema));
+        }
+      },
+      ui,
+      session: authSessionStrategy(config.session),
+      lists: {
+        ...config.lists,
+        [listKey]: {
+          ...listConfig,
+          fields: {
+            ...listConfig.fields
+          }
+        }
+      }
+    };
+  }
+  return {
+    withAuth
+  };
+}
+
+export { createAuth };

package/dist/useFromRedirect-2de239a9.cjs.js

@@ -0,0 +1,26 @@
+'use strict';
+
+var react = require('react');
+var router = require('@nixxie-cms/core/admin-ui/router');
+
+/**
+ * Returns a safe, site-relative path to redirect to after authentication.
+ *
+ * Reads the `from` query parameter and only honours it when it is a
+ * site-relative path (starts with a single `/`). Absolute URLs and
+ * protocol-relative URLs (`//evil.com`) are rejected to prevent open
+ * redirects; in those cases it falls back to `/`.
+ */
+function useRedirect() {
+  const router$1 = router.useRouter();
+  const raw = router$1.query.from;
+  const from = Array.isArray(raw) ? raw[0] : raw;
+  return react.useMemo(() => {
+    if (typeof from === 'string' && from.startsWith('/') && !from.startsWith('//')) {
+      return from;
+    }
+    return '/';
+  }, [from]);
+}
+
+exports.useRedirect = useRedirect;

package/dist/useFromRedirect-b3deee00.esm.js

@@ -0,0 +1,24 @@
+import { useMemo } from 'react';
+import { useRouter } from '@nixxie-cms/core/admin-ui/router';
+
+/**
+ * Returns a safe, site-relative path to redirect to after authentication.
+ *
+ * Reads the `from` query parameter and only honours it when it is a
+ * site-relative path (starts with a single `/`). Absolute URLs and
+ * protocol-relative URLs (`//evil.com`) are rejected to prevent open
+ * redirects; in those cases it falls back to `/`.
+ */
+function useRedirect() {
+  const router = useRouter();
+  const raw = router.query.from;
+  const from = Array.isArray(raw) ? raw[0] : raw;
+  return useMemo(() => {
+    if (typeof from === 'string' && from.startsWith('/') && !from.startsWith('//')) {
+      return from;
+    }
+    return '/';
+  }, [from]);
+}
+
+export { useRedirect as u };

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "@nixxie-cms/auth",
+  "version": "1.0.1",
+  "license": "MIT",
+  "main": "dist/nixxie-cms-auth.cjs.js",
+  "module": "dist/nixxie-cms-auth.esm.js",
+  "exports": {
+    ".": {
+      "types": "./dist/nixxie-cms-auth.cjs.js",
+      "module": "./dist/nixxie-cms-auth.esm.js",
+      "default": "./dist/nixxie-cms-auth.cjs.js"
+    },
+    "./pages/InitPage": {
+      "types": "./pages/InitPage/dist/nixxie-cms-auth-pages-InitPage.cjs.js",
+      "module": "./pages/InitPage/dist/nixxie-cms-auth-pages-InitPage.esm.js",
+      "default": "./pages/InitPage/dist/nixxie-cms-auth-pages-InitPage.cjs.js"
+    },
+    "./pages/SigninPage": {
+      "types": "./pages/SigninPage/dist/nixxie-cms-auth-pages-SigninPage.cjs.js",
+      "module": "./pages/SigninPage/dist/nixxie-cms-auth-pages-SigninPage.esm.js",
+      "default": "./pages/SigninPage/dist/nixxie-cms-auth-pages-SigninPage.cjs.js"
+    },
+    "./components/Navigation": {
+      "types": "./components/Navigation/dist/nixxie-cms-auth-components-Navigation.cjs.js",
+      "module": "./components/Navigation/dist/nixxie-cms-auth-components-Navigation.esm.js",
+      "default": "./components/Navigation/dist/nixxie-cms-auth-components-Navigation.cjs.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "dependencies": {
+    "@babel/runtime": "^7.24.7",
+    "@keystar/ui": "^0.7.21",
+    "fast-deep-equal": "^3.1.3",
+    "graphql": "^16.8.1",
+    "next": "^15.5.12"
+  },
+  "devDependencies": {
+    "react": "^19.2.4",
+    "@nixxie-cms/core": "^1.0.1"
+  },
+  "peerDependencies": {
+    "@nixxie-cms/core": "^1.0.1",
+    "react": "^19.2.4"
+  },
+  "preconstruct": {
+    "entrypoints": [
+      "index.ts",
+      "components/Navigation.tsx",
+      "pages/*.tsx"
+    ]
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nixxiecms/nixxie/tree/main/packages/auth"
+  }
+}

package/pages/InitPage/dist/nixxie-cms-auth-pages-InitPage.cjs.d.ts

@@ -0,0 +1,3 @@
+export * from "../../../dist/declarations/src/pages/InitPage.js";
+export { default } from "../../../dist/declarations/src/pages/InitPage.js";
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibml4eGllLWNtcy1hdXRoLXBhZ2VzLUluaXRQYWdlLmNqcy5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vZGlzdC9kZWNsYXJhdGlvbnMvc3JjL3BhZ2VzL0luaXRQYWdlLmQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEifQ==