@objectstack/core 11.0.0 → 11.1.0

package/dist/index.d.cts

@@ -1,5 +1,5 @@
 import { Logger, IServiceRegistry } from '@objectstack/spec/contracts';
-export { DriverInterface, IDataDriver, IDataEngine, IHttpRequest, IHttpResponse, IHttpServer, Logger, Middleware, RouteHandler } from '@objectstack/spec/contracts';
+export { IDataDriver, IDataEngine, IHttpRequest, IHttpResponse, IHttpServer, Logger, Middleware, RouteHandler } from '@objectstack/spec/contracts';
 import { z } from 'zod';
 import { LoggerConfig } from '@objectstack/spec/system';
 import { ObjectLogger } from './logger.cjs';
@@ -1778,6 +1778,36 @@ declare function resolveLocalizationContext(input: ResolveLocalizationInput): Pr
     currency?: string;
 }>;
 
+/**
+ * ADR-0069 — authentication-policy session gate.
+ *
+ * Some auth policies (password expiry, enforced MFA) must block an
+ * authenticated user from PROTECTED RESOURCES until they remediate, while
+ * still letting them reach the auth endpoints (change-password, two-factor
+ * enrollment, sign-out) and a few UI-bootstrap reads.
+ *
+ * The posture is computed ONCE, in the auth `customSession` enrichment, and
+ * attached to the session user as `user.authGate = { code, message }`. The
+ * transport seams (REST middleware, dispatcher) then call
+ * {@link evaluateAuthGate} to decide whether THIS request is blocked. Keeping
+ * the allow-list + decision in one pure function means the seams can never
+ * drift on what is blocked.
+ */
+interface AuthGate {
+    /** Stable machine code, e.g. `PASSWORD_EXPIRED` / `MFA_REQUIRED`. */
+    code: string;
+    /** Human-facing message. */
+    message: string;
+}
+/** True when `path` is exempt from the auth gate (auth + remediation + health). */
+declare function isAuthGateAllowlisted(rawPath: string | undefined | null): boolean;
+/**
+ * Returns the active gate when `sessionUser` carries an `authGate` AND `path`
+ * is not allow-listed; otherwise null. Anonymous users (no `authGate`) and
+ * allow-listed paths always pass.
+ */
+declare function evaluateAuthGate(sessionUser: any, path: string): AuthGate | null;
+
 /**
  * Environment utilities for universal (Node/Browser) compatibility.
  */
@@ -2225,4 +2255,4 @@ declare class NamespaceResolver {
     private suggestAlternative;
 }
 
-export { API_KEY_PREFIX, type ApiKeyPrincipal, ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, type CalendarParts, DependencyResolver, type GeneratedApiKey, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResolveAuthzInput, type ResolveLocalizationInput, type ResolvedAuthzContext, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, calendarPartsInTz, calendarPartsInTzOrUtc, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, extractApiKey, generateApiKey, generateEd25519KeyPair, getEnv, getMemoryUsage, hashApiKey, isExpired, isNode, parseScopes, parseSignature, resolveApiKeyPrincipal, resolveAuthzContext, resolveLocale, resolveLocalizationContext, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };
+export { API_KEY_PREFIX, type ApiKeyPrincipal, ApiRegistry, type ApiRegistryPluginConfig, type AuthGate, CORE_FALLBACK_FACTORIES, type CalendarParts, DependencyResolver, type GeneratedApiKey, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResolveAuthzInput, type ResolveLocalizationInput, type ResolvedAuthzContext, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, calendarPartsInTz, calendarPartsInTzOrUtc, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, evaluateAuthGate, extractApiKey, generateApiKey, generateEd25519KeyPair, getEnv, getMemoryUsage, hashApiKey, isAuthGateAllowlisted, isExpired, isNode, parseScopes, parseSignature, resolveApiKeyPrincipal, resolveAuthzContext, resolveLocale, resolveLocalizationContext, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 import { Logger, IServiceRegistry } from '@objectstack/spec/contracts';
-export { DriverInterface, IDataDriver, IDataEngine, IHttpRequest, IHttpResponse, IHttpServer, Logger, Middleware, RouteHandler } from '@objectstack/spec/contracts';
+export { IDataDriver, IDataEngine, IHttpRequest, IHttpResponse, IHttpServer, Logger, Middleware, RouteHandler } from '@objectstack/spec/contracts';
 import { z } from 'zod';
 import { LoggerConfig } from '@objectstack/spec/system';
 import { ObjectLogger } from './logger.js';
@@ -1778,6 +1778,36 @@ declare function resolveLocalizationContext(input: ResolveLocalizationInput): Pr
     currency?: string;
 }>;
 
+/**
+ * ADR-0069 — authentication-policy session gate.
+ *
+ * Some auth policies (password expiry, enforced MFA) must block an
+ * authenticated user from PROTECTED RESOURCES until they remediate, while
+ * still letting them reach the auth endpoints (change-password, two-factor
+ * enrollment, sign-out) and a few UI-bootstrap reads.
+ *
+ * The posture is computed ONCE, in the auth `customSession` enrichment, and
+ * attached to the session user as `user.authGate = { code, message }`. The
+ * transport seams (REST middleware, dispatcher) then call
+ * {@link evaluateAuthGate} to decide whether THIS request is blocked. Keeping
+ * the allow-list + decision in one pure function means the seams can never
+ * drift on what is blocked.
+ */
+interface AuthGate {
+    /** Stable machine code, e.g. `PASSWORD_EXPIRED` / `MFA_REQUIRED`. */
+    code: string;
+    /** Human-facing message. */
+    message: string;
+}
+/** True when `path` is exempt from the auth gate (auth + remediation + health). */
+declare function isAuthGateAllowlisted(rawPath: string | undefined | null): boolean;
+/**
+ * Returns the active gate when `sessionUser` carries an `authGate` AND `path`
+ * is not allow-listed; otherwise null. Anonymous users (no `authGate`) and
+ * allow-listed paths always pass.
+ */
+declare function evaluateAuthGate(sessionUser: any, path: string): AuthGate | null;
+
 /**
  * Environment utilities for universal (Node/Browser) compatibility.
  */
@@ -2225,4 +2255,4 @@ declare class NamespaceResolver {
     private suggestAlternative;
 }
 
-export { API_KEY_PREFIX, type ApiKeyPrincipal, ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, type CalendarParts, DependencyResolver, type GeneratedApiKey, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResolveAuthzInput, type ResolveLocalizationInput, type ResolvedAuthzContext, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, calendarPartsInTz, calendarPartsInTzOrUtc, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, extractApiKey, generateApiKey, generateEd25519KeyPair, getEnv, getMemoryUsage, hashApiKey, isExpired, isNode, parseScopes, parseSignature, resolveApiKeyPrincipal, resolveAuthzContext, resolveLocale, resolveLocalizationContext, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };
+export { API_KEY_PREFIX, type ApiKeyPrincipal, ApiRegistry, type ApiRegistryPluginConfig, type AuthGate, CORE_FALLBACK_FACTORIES, type CalendarParts, DependencyResolver, type GeneratedApiKey, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResolveAuthzInput, type ResolveLocalizationInput, type ResolvedAuthzContext, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, calendarPartsInTz, calendarPartsInTzOrUtc, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, evaluateAuthGate, extractApiKey, generateApiKey, generateEd25519KeyPair, getEnv, getMemoryUsage, hashApiKey, isAuthGateAllowlisted, isExpired, isNode, parseScopes, parseSignature, resolveApiKeyPrincipal, resolveAuthzContext, resolveLocale, resolveLocalizationContext, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };

package/dist/index.js

@@ -4057,9 +4057,19 @@ async function resolveAuthzContext(input) {
   ctx.userId = userId;
   if (tenantId) ctx.tenantId = tenantId;
   if (!ql || typeof ql.find !== "function") return ctx;
+  let userRowLoaded = false;
+  let userRow;
+  const getUserRow = async () => {
+    if (!userRowLoaded) {
+      userRowLoaded = true;
+      const rows = await tryFind(ql, "sys_user", { id: userId }, 1);
+      userRow = rows[0];
+    }
+    return userRow;
+  };
   if (!ctx.email) {
-    const userRows = await tryFind(ql, "sys_user", { id: userId }, 1);
-    if (userRows[0]?.email) ctx.email = String(userRows[0].email);
+    const u = await getUserRow();
+    if (u?.email) ctx.email = String(u.email);
   }
   const memberWhere = tenantId ? { user_id: userId, organization_id: tenantId } : { user_id: userId };
   const members = await tryFind(ql, "sys_member", memberWhere, 50);
@@ -4140,8 +4150,7 @@ async function resolveAuthzContext(input) {
     ctx.roles.unshift(BUILTIN_ROLE_PLATFORM_ADMIN);
   }
   if (!ctx.permissions.includes("ai_seat")) {
-    const seatRows = await tryFind(ql, "sys_user", { id: userId }, 1);
-    const aiAccess = seatRows?.[0]?.ai_access;
+    const aiAccess = (await getUserRow())?.ai_access;
     if (aiAccess === true || aiAccess === 1 || aiAccess === "1") ctx.permissions.push("ai_seat");
   }
   return ctx;
@@ -4183,13 +4192,45 @@ async function resolveLocalizationContext(input) {
     }
   } catch {
   }
-  const tzRows = await tryFind(ql, "sys_setting", { namespace: "localization", key: "timezone", scope: "tenant" }, 1);
-  const localeRows = await tryFind(ql, "sys_setting", { namespace: "localization", key: "locale", scope: "tenant" }, 1);
-  const currencyRows = await tryFind(ql, "sys_setting", { namespace: "localization", key: "currency", scope: "tenant" }, 1);
+  const rows = await tryFind(
+    ql,
+    "sys_setting",
+    { namespace: "localization", key: { $in: ["timezone", "locale", "currency"] }, scope: "tenant" },
+    10
+  );
+  const valueOf = (k) => rows.find((r) => r.key === k)?.value;
+  return {
+    timezone: coerceTimeZone(valueOf("timezone")) ?? "UTC",
+    locale: coerceLocale(valueOf("locale")) ?? "en-US",
+    currency: coerceCurrency(valueOf("currency"))
+  };
+}
+
+// src/security/auth-gate.ts
+var ALLOW_PREFIXES = ["/api/v1/auth/", "/api/auth/", "/auth/"];
+var ALLOW_SUFFIXES = ["/health", "/ready", "/discovery", "/me/apps", "/me/localization"];
+function isAuthGateAllowlisted(rawPath) {
+  if (!rawPath) return true;
+  let path = rawPath.split("?")[0] || "/";
+  let end = path.length;
+  while (end > 1 && path.charCodeAt(end - 1) === 47) end--;
+  path = path.slice(0, end) || "/";
+  if (path.includes("/auth/")) return true;
+  for (const p of ALLOW_PREFIXES) {
+    if (path.startsWith(p) || path === p.replace(/\/$/, "")) return true;
+  }
+  for (const s of ALLOW_SUFFIXES) {
+    if (path.endsWith(s)) return true;
+  }
+  return false;
+}
+function evaluateAuthGate(sessionUser, path) {
+  const gate = sessionUser?.authGate;
+  if (!gate || typeof gate.code !== "string") return null;
+  if (isAuthGateAllowlisted(path)) return null;
   return {
-    timezone: coerceTimeZone(tzRows[0]?.value) ?? "UTC",
-    locale: coerceLocale(localeRows[0]?.value) ?? "en-US",
-    currency: coerceCurrency(currencyRows[0]?.value)
+    code: gate.code,
+    message: typeof gate.message === "string" && gate.message ? gate.message : "Access is blocked by an authentication policy."
   };
 }
 
@@ -5168,12 +5209,14 @@ export {
   createMemoryQueue,
   createPluginConfigValidator,
   createPluginPermissionEnforcer,
+  evaluateAuthGate,
   extractApiKey,
   generateApiKey,
   generateEd25519KeyPair,
   getEnv,
   getMemoryUsage,
   hashApiKey,
+  isAuthGateAllowlisted,
   isExpired,
   isNode,
   parseScopes,