@objectstack/platform-objects 13.0.0 → 14.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/apps/index.d.mts +1 -1
- package/dist/apps/index.d.ts +1 -1
- package/dist/apps/index.js +7 -6
- package/dist/apps/index.js.map +1 -1
- package/dist/apps/index.mjs +7 -6
- package/dist/apps/index.mjs.map +1 -1
- package/dist/identity/index.d.mts +668 -39
- package/dist/identity/index.d.ts +668 -39
- package/dist/identity/index.js +120 -3
- package/dist/identity/index.js.map +1 -1
- package/dist/identity/index.mjs +120 -3
- package/dist/identity/index.mjs.map +1 -1
- package/dist/index.d.mts +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +258 -265
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +258 -266
- package/dist/index.mjs.map +1 -1
- package/dist/metadata-translations/index.js +20 -256
- package/dist/metadata-translations/index.js.map +1 -1
- package/dist/metadata-translations/index.mjs +20 -256
- package/dist/metadata-translations/index.mjs.map +1 -1
- package/dist/pages/index.d.mts +34 -3
- package/dist/pages/index.d.ts +34 -3
- package/dist/pages/index.js +111 -0
- package/dist/pages/index.js.map +1 -1
- package/dist/pages/index.mjs +111 -1
- package/dist/pages/index.mjs.map +1 -1
- package/dist/plugin.js +25 -260
- package/dist/plugin.js.map +1 -1
- package/dist/plugin.mjs +25 -260
- package/dist/plugin.mjs.map +1 -1
- package/package.json +3 -3
package/dist/identity/index.mjs
CHANGED
|
@@ -101,6 +101,62 @@ var SysUser = ObjectSchema.create({
|
|
|
101
101
|
successMessage: "Account unlocked",
|
|
102
102
|
refreshAfter: true
|
|
103
103
|
},
|
|
104
|
+
{
|
|
105
|
+
// #2766 V1 — a platform admin can add a login-capable teammate without
|
|
106
|
+
// the email-dependent invite flow. Hits the plugin-auth wrapper route
|
|
107
|
+
// (NOT better-auth's stock /admin/create-user): the wrapper runs the
|
|
108
|
+
// ADR-0068 admin gate, drives the better-auth pipeline (scrypt hash +
|
|
109
|
+
// credential sys_account), stamps must_change_password, and — when
|
|
110
|
+
// "Generate temporary password" is picked — returns the password ONCE
|
|
111
|
+
// in the response for the result dialog. It is never persisted or logged.
|
|
112
|
+
name: "create_user",
|
|
113
|
+
label: "Create User",
|
|
114
|
+
icon: "user-plus",
|
|
115
|
+
variant: "secondary",
|
|
116
|
+
locations: ["list_toolbar"],
|
|
117
|
+
type: "api",
|
|
118
|
+
target: "/api/v1/auth/admin/create-user",
|
|
119
|
+
visible: "features.admin == true",
|
|
120
|
+
successMessage: "User created",
|
|
121
|
+
refreshAfter: true,
|
|
122
|
+
params: [
|
|
123
|
+
// The endpoint requires email OR phone (phone-only users get a
|
|
124
|
+
// placeholder address; requires auth.plugins.phoneNumber).
|
|
125
|
+
{ field: "email", required: false },
|
|
126
|
+
{
|
|
127
|
+
name: "phoneNumber",
|
|
128
|
+
label: "Phone Number",
|
|
129
|
+
type: "text",
|
|
130
|
+
required: false,
|
|
131
|
+
helpText: "Sign-in phone number (E.164, e.g. +8613800000000). Required when no email is given."
|
|
132
|
+
},
|
|
133
|
+
{ field: "name", required: false },
|
|
134
|
+
{
|
|
135
|
+
name: "generatePassword",
|
|
136
|
+
label: "Generate Temporary Password",
|
|
137
|
+
type: "boolean",
|
|
138
|
+
required: false,
|
|
139
|
+
defaultValue: true
|
|
140
|
+
},
|
|
141
|
+
{ name: "password", label: "Password (leave empty to generate)", type: "text", required: false },
|
|
142
|
+
{
|
|
143
|
+
name: "mustChangePassword",
|
|
144
|
+
label: "Require Password Change On First Login",
|
|
145
|
+
type: "boolean",
|
|
146
|
+
required: false,
|
|
147
|
+
defaultValue: true
|
|
148
|
+
}
|
|
149
|
+
],
|
|
150
|
+
resultDialog: {
|
|
151
|
+
title: "User Created",
|
|
152
|
+
description: "Copy the temporary password now \u2014 it is shown only once and never stored.",
|
|
153
|
+
acknowledge: "I have saved this password",
|
|
154
|
+
fields: [
|
|
155
|
+
{ path: "user.email", label: "Email", format: "text" },
|
|
156
|
+
{ path: "temporaryPassword", label: "Temporary Password", format: "secret" }
|
|
157
|
+
]
|
|
158
|
+
}
|
|
159
|
+
},
|
|
104
160
|
{
|
|
105
161
|
name: "set_user_password",
|
|
106
162
|
label: "Set Password",
|
|
@@ -108,13 +164,40 @@ var SysUser = ObjectSchema.create({
|
|
|
108
164
|
variant: "secondary",
|
|
109
165
|
locations: ["list_item"],
|
|
110
166
|
type: "api",
|
|
167
|
+
// #2766 V1 — same path as better-auth's stock route, but served by the
|
|
168
|
+
// plugin-auth wrapper registered ahead of the catch-all: it accepts the
|
|
169
|
+
// ADR-0068 platform-admin signals (the stock handler only honors the
|
|
170
|
+
// legacy role scalar), can mint a temporary password, and stamps
|
|
171
|
+
// must_change_password.
|
|
111
172
|
target: "/api/v1/auth/admin/set-user-password",
|
|
112
173
|
recordIdParam: "userId",
|
|
113
174
|
successMessage: "Password updated",
|
|
114
175
|
refreshAfter: false,
|
|
115
176
|
params: [
|
|
116
|
-
{
|
|
117
|
-
|
|
177
|
+
{
|
|
178
|
+
name: "generatePassword",
|
|
179
|
+
label: "Generate Temporary Password",
|
|
180
|
+
type: "boolean",
|
|
181
|
+
required: false,
|
|
182
|
+
defaultValue: false
|
|
183
|
+
},
|
|
184
|
+
{ name: "newPassword", label: "New Password (leave empty to generate)", type: "text", required: false },
|
|
185
|
+
{
|
|
186
|
+
name: "mustChangePassword",
|
|
187
|
+
label: "Require Password Change On Next Login",
|
|
188
|
+
type: "boolean",
|
|
189
|
+
required: false,
|
|
190
|
+
defaultValue: true
|
|
191
|
+
}
|
|
192
|
+
],
|
|
193
|
+
resultDialog: {
|
|
194
|
+
title: "Password Updated",
|
|
195
|
+
description: "If a temporary password was generated, copy it now \u2014 it is shown only once and never stored.",
|
|
196
|
+
acknowledge: "Done",
|
|
197
|
+
fields: [
|
|
198
|
+
{ path: "temporaryPassword", label: "Temporary Password", format: "secret" }
|
|
199
|
+
]
|
|
200
|
+
}
|
|
118
201
|
},
|
|
119
202
|
{
|
|
120
203
|
name: "set_user_role",
|
|
@@ -433,6 +516,37 @@ var SysUser = ObjectSchema.create({
|
|
|
433
516
|
group: "Admin",
|
|
434
517
|
description: "Timestamp of the last password change. Backs password_expiry_days; system-managed."
|
|
435
518
|
}),
|
|
519
|
+
// #2766 V1.5 — phone-number sign-in identifier (better-auth phoneNumber
|
|
520
|
+
// plugin, mapped via buildPhoneNumberPluginSchema). Unique when present;
|
|
521
|
+
// null for email-only accounts. Written through better-auth, not CRUD.
|
|
522
|
+
phone_number: Field.text({
|
|
523
|
+
label: "Phone Number",
|
|
524
|
+
required: false,
|
|
525
|
+
readonly: true,
|
|
526
|
+
searchable: true,
|
|
527
|
+
maxLength: 32,
|
|
528
|
+
group: "Account",
|
|
529
|
+
description: "Sign-in phone number (E.164 recommended). Unique per user; managed by better-auth when the phoneNumber plugin is enabled."
|
|
530
|
+
}),
|
|
531
|
+
phone_number_verified: Field.boolean({
|
|
532
|
+
label: "Phone Verified",
|
|
533
|
+
defaultValue: false,
|
|
534
|
+
readonly: true,
|
|
535
|
+
group: "Account",
|
|
536
|
+
description: "Whether the phone number has been verified (OTP verification requires SMS infrastructure; false until that ships). System-managed."
|
|
537
|
+
}),
|
|
538
|
+
// #2766 V1 — admin-issued "must change password on next sign-in" flag.
|
|
539
|
+
// Set by the /admin/create-user and /admin/set-user-password routes when
|
|
540
|
+
// a temporary password is issued; enforced through the ADR-0069 authGate
|
|
541
|
+
// (surfaces as PASSWORD_EXPIRED); cleared by stampPasswordChangedAt once
|
|
542
|
+
// the user completes a password change.
|
|
543
|
+
must_change_password: Field.boolean({
|
|
544
|
+
label: "Must Change Password",
|
|
545
|
+
defaultValue: false,
|
|
546
|
+
readonly: true,
|
|
547
|
+
group: "Admin",
|
|
548
|
+
description: "When true, the user is blocked (403 PASSWORD_EXPIRED) until they change their password. Stamped by the admin user-management routes; system-managed."
|
|
549
|
+
}),
|
|
436
550
|
// ADR-0069 D3 — when enforced MFA first applied to this user; starts the
|
|
437
551
|
// grace clock. Stamped lazily at session validation; system-managed.
|
|
438
552
|
mfa_required_at: Field.datetime({
|
|
@@ -530,7 +644,10 @@ var SysUser = ObjectSchema.create({
|
|
|
530
644
|
},
|
|
531
645
|
indexes: [
|
|
532
646
|
{ fields: ["email"], unique: true },
|
|
533
|
-
{ fields: ["created_at"], unique: false }
|
|
647
|
+
{ fields: ["created_at"], unique: false },
|
|
648
|
+
// #2766 V1.5 — phone sign-in identifier; unique when present (null for
|
|
649
|
+
// email-only accounts), also the upsert match key for identity import.
|
|
650
|
+
{ fields: ["phone_number"], unique: true }
|
|
534
651
|
],
|
|
535
652
|
enable: {
|
|
536
653
|
trackHistory: true,
|