npm - @objectstack/platform-objects - Versions diffs - 6.5.1 → 6.6.0 - Mend

@objectstack/platform-objects 6.5.1 → 6.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/apps/index.d.mts +14 -0
package/dist/apps/index.d.ts +14 -0
package/dist/identity/index.d.mts +110 -1
package/dist/identity/index.d.ts +110 -1
package/dist/identity/index.js +120 -1
package/dist/identity/index.js.map +1 -1
package/dist/identity/index.mjs +120 -1
package/dist/identity/index.mjs.map +1 -1
package/dist/index.js +255 -1
package/dist/index.js.map +1 -1
package/dist/index.mjs +255 -1
package/dist/index.mjs.map +1 -1
package/dist/security/index.d.mts +150 -0
package/dist/security/index.d.ts +150 -0
package/dist/security/index.js +135 -0
package/dist/security/index.js.map +1 -1
package/dist/security/index.mjs +135 -0
package/dist/security/index.mjs.map +1 -1
package/package.json +2 -2

package/dist/identity/index.mjs CHANGED Viewed

@@ -421,6 +421,30 @@ var SysAccount = ObjectSchema.create({
   description: "OAuth and authentication provider accounts",
   titleFormat: "{provider_id} - {account_id}",
   compactLayout: ["provider_id", "user_id", "account_id"],
+  // Custom actions — sysadmins routinely need to revoke a user's OAuth
+  // link (e.g. when an SSO provider is decommissioned or the user
+  // requests it). Better-auth exposes `/unlink-account { providerId,
+  // accountId }` for this. The form is locked to the row's values so
+  // it acts as a one-click confirmation rather than a free-form edit.
+  actions: [
+    {
+      name: "unlink_account",
+      label: "Unlink Account",
+      icon: "unlink",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      target: "/api/v1/auth/unlink-account",
+      confirmText: "Unlink this identity link? The user will no longer be able to sign in with this provider until they re-link it from their account settings.",
+      successMessage: "Identity link removed",
+      refreshAfter: true,
+      params: [
+        { name: "providerId", field: "provider_id", defaultFromRow: true, required: true },
+        { name: "accountId", field: "account_id", defaultFromRow: true, required: true }
+      ]
+    }
+  ],
   listViews: {
     mine: {
       type: "grid",
@@ -1975,6 +1999,96 @@ var SysOauthApplication = ObjectSchema.create({
   displayNameField: "name",
   titleFormat: "{name}",
   compactLayout: ["name", "client_id", "type", "disabled"],
+  // Custom actions — all OAuth-application mutations are routed through
+  // better-auth's `@better-auth/oauth-provider` endpoints (and a thin
+  // ObjectStack-added auth route for the enable/disable toggle) rather
+  // than the generic data layer, so server-side validation, secret
+  // hashing, and audit hooks all run. The generic `delete` API method
+  // is intentionally dropped from `apiMethods` below so the only delete
+  // path is the better-auth wrapper.
+  //
+  // Upstream gap (better-auth 1.6.11): the stock `/admin/oauth2/update-client`
+  // endpoint's Zod body schema does NOT accept the `disabled` flag, even
+  // though the column exists and the runtime honours it. We bridge the
+  // gap with `POST /api/v1/auth/admin/oauth2/toggle-disabled`, registered
+  // by plugin-auth, which writes through better-auth's own adapter under
+  // the auth namespace (no generic data-layer bypass). When upstream
+  // ships `disabled` support, retarget the enable/disable actions and
+  // delete the bridge route.
+  actions: [
+    {
+      name: "disable_oauth_application",
+      label: "Disable OAuth Application",
+      icon: "pause-circle",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/admin/oauth2/toggle-disabled",
+      confirmText: "Disable this OAuth application? Active access/refresh tokens issued to it will continue to be rejected at the token, authorize, and introspect endpoints. Existing integrations will stop working immediately.",
+      successMessage: "OAuth application disabled",
+      refreshAfter: true,
+      visible: "!record.disabled",
+      bodyExtra: { disabled: true },
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "enable_oauth_application",
+      label: "Enable OAuth Application",
+      icon: "play-circle",
+      variant: "primary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/admin/oauth2/toggle-disabled",
+      confirmText: "Re-enable this OAuth application? Token issuance, authorization, and introspection will resume immediately.",
+      successMessage: "OAuth application enabled",
+      refreshAfter: true,
+      visible: "record.disabled",
+      bodyExtra: { disabled: false },
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "rotate_client_secret",
+      label: "Rotate Client Secret",
+      icon: "refresh-cw",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/oauth2/client/rotate-secret",
+      confirmText: "Rotate this OAuth client's secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.",
+      successMessage: "Client secret rotated \u2014 copy the new value from the response now.",
+      refreshAfter: true,
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "delete_oauth_application",
+      label: "Delete OAuth Application",
+      icon: "trash-2",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/oauth2/delete-client",
+      confirmText: "Permanently delete this OAuth application? All issued tokens and consents will be invalidated and integrations using this client_id will stop working immediately. This cannot be undone.",
+      successMessage: "OAuth application deleted",
+      refreshAfter: true,
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    }
+  ],
   listViews: {
     active: {
       type: "grid",
@@ -2206,7 +2320,12 @@ var SysOauthApplication = ObjectSchema.create({
     trackHistory: true,
     searchable: true,
     apiEnabled: true,
-    apiMethods: ["get", "list", "delete"],
+    // All mutations (create/update/delete) must go through better-auth's
+    // oauth-provider endpoints under /api/v1/auth/{admin/,}oauth2/* — the
+    // generic data layer is read-only for this object so sysadmins cannot
+    // bypass server-side OAuth validation. The Delete row action above is
+    // wired to /api/v1/auth/oauth2/delete-client.
+    apiMethods: ["get", "list"],
     trash: false,
     mru: false
   }