@objectstack/platform-objects 13.0.0 → 14.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -101,6 +101,62 @@ var SysUser = ObjectSchema.create({
101
101
  successMessage: "Account unlocked",
102
102
  refreshAfter: true
103
103
  },
104
+ {
105
+ // #2766 V1 — a platform admin can add a login-capable teammate without
106
+ // the email-dependent invite flow. Hits the plugin-auth wrapper route
107
+ // (NOT better-auth's stock /admin/create-user): the wrapper runs the
108
+ // ADR-0068 admin gate, drives the better-auth pipeline (scrypt hash +
109
+ // credential sys_account), stamps must_change_password, and — when
110
+ // "Generate temporary password" is picked — returns the password ONCE
111
+ // in the response for the result dialog. It is never persisted or logged.
112
+ name: "create_user",
113
+ label: "Create User",
114
+ icon: "user-plus",
115
+ variant: "secondary",
116
+ locations: ["list_toolbar"],
117
+ type: "api",
118
+ target: "/api/v1/auth/admin/create-user",
119
+ visible: "features.admin == true",
120
+ successMessage: "User created",
121
+ refreshAfter: true,
122
+ params: [
123
+ // The endpoint requires email OR phone (phone-only users get a
124
+ // placeholder address; requires auth.plugins.phoneNumber).
125
+ { field: "email", required: false },
126
+ {
127
+ name: "phoneNumber",
128
+ label: "Phone Number",
129
+ type: "text",
130
+ required: false,
131
+ helpText: "Sign-in phone number (E.164, e.g. +8613800000000). Required when no email is given."
132
+ },
133
+ { field: "name", required: false },
134
+ {
135
+ name: "generatePassword",
136
+ label: "Generate Temporary Password",
137
+ type: "boolean",
138
+ required: false,
139
+ defaultValue: true
140
+ },
141
+ { name: "password", label: "Password (leave empty to generate)", type: "text", required: false },
142
+ {
143
+ name: "mustChangePassword",
144
+ label: "Require Password Change On First Login",
145
+ type: "boolean",
146
+ required: false,
147
+ defaultValue: true
148
+ }
149
+ ],
150
+ resultDialog: {
151
+ title: "User Created",
152
+ description: "Copy the temporary password now \u2014 it is shown only once and never stored.",
153
+ acknowledge: "I have saved this password",
154
+ fields: [
155
+ { path: "user.email", label: "Email", format: "text" },
156
+ { path: "temporaryPassword", label: "Temporary Password", format: "secret" }
157
+ ]
158
+ }
159
+ },
104
160
  {
105
161
  name: "set_user_password",
106
162
  label: "Set Password",
@@ -108,13 +164,40 @@ var SysUser = ObjectSchema.create({
108
164
  variant: "secondary",
109
165
  locations: ["list_item"],
110
166
  type: "api",
167
+ // #2766 V1 — same path as better-auth's stock route, but served by the
168
+ // plugin-auth wrapper registered ahead of the catch-all: it accepts the
169
+ // ADR-0068 platform-admin signals (the stock handler only honors the
170
+ // legacy role scalar), can mint a temporary password, and stamps
171
+ // must_change_password.
111
172
  target: "/api/v1/auth/admin/set-user-password",
112
173
  recordIdParam: "userId",
113
174
  successMessage: "Password updated",
114
175
  refreshAfter: false,
115
176
  params: [
116
- { name: "newPassword", label: "New Password", type: "text", required: true }
117
- ]
177
+ {
178
+ name: "generatePassword",
179
+ label: "Generate Temporary Password",
180
+ type: "boolean",
181
+ required: false,
182
+ defaultValue: false
183
+ },
184
+ { name: "newPassword", label: "New Password (leave empty to generate)", type: "text", required: false },
185
+ {
186
+ name: "mustChangePassword",
187
+ label: "Require Password Change On Next Login",
188
+ type: "boolean",
189
+ required: false,
190
+ defaultValue: true
191
+ }
192
+ ],
193
+ resultDialog: {
194
+ title: "Password Updated",
195
+ description: "If a temporary password was generated, copy it now \u2014 it is shown only once and never stored.",
196
+ acknowledge: "Done",
197
+ fields: [
198
+ { path: "temporaryPassword", label: "Temporary Password", format: "secret" }
199
+ ]
200
+ }
118
201
  },
119
202
  {
120
203
  name: "set_user_role",
@@ -433,6 +516,37 @@ var SysUser = ObjectSchema.create({
433
516
  group: "Admin",
434
517
  description: "Timestamp of the last password change. Backs password_expiry_days; system-managed."
435
518
  }),
519
+ // #2766 V1.5 — phone-number sign-in identifier (better-auth phoneNumber
520
+ // plugin, mapped via buildPhoneNumberPluginSchema). Unique when present;
521
+ // null for email-only accounts. Written through better-auth, not CRUD.
522
+ phone_number: Field.text({
523
+ label: "Phone Number",
524
+ required: false,
525
+ readonly: true,
526
+ searchable: true,
527
+ maxLength: 32,
528
+ group: "Account",
529
+ description: "Sign-in phone number (E.164 recommended). Unique per user; managed by better-auth when the phoneNumber plugin is enabled."
530
+ }),
531
+ phone_number_verified: Field.boolean({
532
+ label: "Phone Verified",
533
+ defaultValue: false,
534
+ readonly: true,
535
+ group: "Account",
536
+ description: "Whether the phone number has been verified (OTP verification requires SMS infrastructure; false until that ships). System-managed."
537
+ }),
538
+ // #2766 V1 — admin-issued "must change password on next sign-in" flag.
539
+ // Set by the /admin/create-user and /admin/set-user-password routes when
540
+ // a temporary password is issued; enforced through the ADR-0069 authGate
541
+ // (surfaces as PASSWORD_EXPIRED); cleared by stampPasswordChangedAt once
542
+ // the user completes a password change.
543
+ must_change_password: Field.boolean({
544
+ label: "Must Change Password",
545
+ defaultValue: false,
546
+ readonly: true,
547
+ group: "Admin",
548
+ description: "When true, the user is blocked (403 PASSWORD_EXPIRED) until they change their password. Stamped by the admin user-management routes; system-managed."
549
+ }),
436
550
  // ADR-0069 D3 — when enforced MFA first applied to this user; starts the
437
551
  // grace clock. Stamped lazily at session validation; system-managed.
438
552
  mfa_required_at: Field.datetime({
@@ -530,7 +644,10 @@ var SysUser = ObjectSchema.create({
530
644
  },
531
645
  indexes: [
532
646
  { fields: ["email"], unique: true },
533
- { fields: ["created_at"], unique: false }
647
+ { fields: ["created_at"], unique: false },
648
+ // #2766 V1.5 — phone sign-in identifier; unique when present (null for
649
+ // email-only accounts), also the upsert match key for identity import.
650
+ { fields: ["phone_number"], unique: true }
534
651
  ],
535
652
  enable: {
536
653
  trackHistory: true,