@objectstack/plugin-auth 2.0.2

package/src/auth-plugin.test.ts

@@ -0,0 +1,216 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { AuthPlugin } from './auth-plugin';
+import type { PluginContext } from '@objectstack/core';
+
+describe('AuthPlugin', () => {
+  let mockContext: PluginContext;
+  let authPlugin: AuthPlugin;
+
+  beforeEach(() => {
+    mockContext = {
+      registerService: vi.fn(),
+      getService: vi.fn(),
+      getServices: vi.fn(() => new Map()),
+      hook: vi.fn(),
+      trigger: vi.fn(),
+      logger: {
+        info: vi.fn(),
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      },
+      getKernel: vi.fn(),
+    };
+  });
+
+  describe('Plugin Metadata', () => {
+    it('should have correct plugin metadata', () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret',
+      });
+
+      expect(authPlugin.name).toBe('com.objectstack.auth');
+      expect(authPlugin.type).toBe('standard');
+      expect(authPlugin.version).toBe('1.0.0');
+      expect(authPlugin.dependencies).toContain('com.objectstack.server.hono');
+    });
+  });
+
+  describe('Initialization', () => {
+    it('should throw error if secret is not provided', async () => {
+      authPlugin = new AuthPlugin({});
+
+      await expect(authPlugin.init(mockContext)).rejects.toThrow(
+        'AuthPlugin: secret is required'
+      );
+    });
+
+    it('should initialize successfully with required config', async () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+
+      await authPlugin.init(mockContext);
+
+      expect(mockContext.logger.info).toHaveBeenCalledWith('Initializing Auth Plugin...');
+      expect(mockContext.registerService).toHaveBeenCalledWith('auth', expect.anything());
+      expect(mockContext.logger.info).toHaveBeenCalledWith('Auth Plugin initialized successfully');
+    });
+
+    it('should configure OAuth providers', async () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        providers: [
+          {
+            id: 'google',
+            clientId: 'google-client-id',
+            clientSecret: 'google-client-secret',
+            scope: ['email', 'profile'],
+          },
+        ],
+      });
+
+      await authPlugin.init(mockContext);
+
+      expect(mockContext.registerService).toHaveBeenCalled();
+    });
+
+    it('should configure plugins', async () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        plugins: {
+          organization: true,
+          twoFactor: true,
+          passkeys: true,
+          magicLink: true,
+        },
+      });
+
+      await authPlugin.init(mockContext);
+
+      expect(mockContext.registerService).toHaveBeenCalled();
+    });
+  });
+
+  describe('Start Phase', () => {
+    beforeEach(async () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+      });
+      await authPlugin.init(mockContext);
+    });
+
+    it('should register routes with HTTP server when enabled', async () => {
+      const mockHttpServer = {
+        post: vi.fn(),
+        get: vi.fn(),
+        put: vi.fn(),
+        delete: vi.fn(),
+        patch: vi.fn(),
+        use: vi.fn(),
+      };
+
+      mockContext.getService = vi.fn((name: string) => {
+        if (name === 'http-server') return mockHttpServer;
+        throw new Error(`Service not found: ${name}`);
+      });
+
+      await authPlugin.start(mockContext);
+
+      expect(mockContext.getService).toHaveBeenCalledWith('http-server');
+      expect(mockHttpServer.post).toHaveBeenCalled();
+      expect(mockHttpServer.get).toHaveBeenCalled();
+      expect(mockContext.logger.info).toHaveBeenCalledWith(
+        expect.stringContaining('Auth routes registered')
+      );
+    });
+
+    it('should skip route registration when disabled', async () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        registerRoutes: false,
+      });
+
+      await authPlugin.init(mockContext);
+      await authPlugin.start(mockContext);
+
+      expect(mockContext.getService).not.toHaveBeenCalledWith('http-server');
+    });
+
+    it('should throw error if auth not initialized', async () => {
+      const uninitializedPlugin = new AuthPlugin({
+        secret: 'test-secret',
+      });
+
+      await expect(uninitializedPlugin.start(mockContext)).rejects.toThrow(
+        'Auth manager not initialized'
+      );
+    });
+  });
+
+  describe('Destroy Phase', () => {
+    it('should cleanup resources', async () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+      });
+
+      await authPlugin.init(mockContext);
+      await authPlugin.destroy();
+
+      // Should not throw
+      expect(true).toBe(true);
+    });
+  });
+
+  describe('Configuration Options', () => {
+    it('should use custom base path', async () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        basePath: '/custom/auth',
+      });
+
+      await authPlugin.init(mockContext);
+
+      const mockHttpServer = {
+        post: vi.fn(),
+        get: vi.fn(),
+        put: vi.fn(),
+        delete: vi.fn(),
+        patch: vi.fn(),
+        use: vi.fn(),
+      };
+
+      mockContext.getService = vi.fn(() => mockHttpServer);
+
+      await authPlugin.start(mockContext);
+
+      expect(mockHttpServer.post).toHaveBeenCalledWith(
+        '/custom/auth/login',
+        expect.any(Function)
+      );
+    });
+
+    it('should configure session options', async () => {
+      authPlugin = new AuthPlugin({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        session: {
+          expiresIn: 60 * 60 * 24 * 30, // 30 days
+          updateAge: 60 * 60 * 24, // 1 day
+        },
+      });
+
+      await authPlugin.init(mockContext);
+
+      expect(mockContext.registerService).toHaveBeenCalled();
+    });
+  });
+});

package/src/auth-plugin.ts

@@ -0,0 +1,222 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { Plugin, PluginContext, IHttpServer } from '@objectstack/core';
+import { AuthConfig } from '@objectstack/spec/system';
+
+/**
+ * Auth Plugin Options
+ * Extends AuthConfig from spec with additional runtime options
+ */
+export interface AuthPluginOptions extends Partial<AuthConfig> {
+  /**
+   * Whether to automatically register auth routes
+   * @default true
+   */
+  registerRoutes?: boolean;
+  
+  /**
+   * Base path for auth routes
+   * @default '/api/v1/auth'
+   */
+  basePath?: string;
+}
+
+/**
+ * Authentication Plugin
+ * 
+ * Provides authentication and identity services for ObjectStack applications.
+ * 
+ * Features:
+ * - Session management
+ * - User registration/login
+ * - OAuth providers (Google, GitHub, etc.)
+ * - Organization/team support
+ * - 2FA, passkeys, magic links
+ * 
+ * This plugin registers:
+ * - `auth` service (auth manager instance)
+ * - HTTP routes for authentication endpoints
+ * 
+ * @planned This is a stub implementation. Full better-auth integration
+ * will be added in a future version. For now, it provides the plugin
+ * structure and basic route registration.
+ */
+export class AuthPlugin implements Plugin {
+  name = 'com.objectstack.auth';
+  type = 'standard';
+  version = '1.0.0';
+  dependencies = ['com.objectstack.server.hono']; // Requires HTTP server
+  
+  private options: AuthPluginOptions;
+  private authManager: AuthManager | null = null;
+
+  constructor(options: AuthPluginOptions = {}) {
+    this.options = {
+      registerRoutes: true,
+      basePath: '/api/v1/auth',
+      ...options
+    };
+  }
+
+  async init(ctx: PluginContext): Promise<void> {
+    ctx.logger.info('Initializing Auth Plugin...');
+
+    // Validate required configuration
+    if (!this.options.secret) {
+      throw new Error('AuthPlugin: secret is required');
+    }
+
+    // Initialize auth manager
+    this.authManager = new AuthManager(this.options);
+
+    // Register auth service
+    ctx.registerService('auth', this.authManager);
+    
+    ctx.logger.info('Auth Plugin initialized successfully');
+  }
+
+  async start(ctx: PluginContext): Promise<void> {
+    ctx.logger.info('Starting Auth Plugin...');
+
+    if (!this.authManager) {
+      throw new Error('Auth manager not initialized');
+    }
+
+    // Register HTTP routes if enabled
+    if (this.options.registerRoutes) {
+      try {
+        const httpServer = ctx.getService<IHttpServer>('http-server');
+        this.registerAuthRoutes(httpServer, ctx);
+        ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error('Failed to register auth routes:', err);
+        throw err;
+      }
+    }
+
+    ctx.logger.info('Auth Plugin started successfully');
+  }
+
+  async destroy(): Promise<void> {
+    // Cleanup if needed
+    this.authManager = null;
+  }
+
+  /**
+   * Register authentication routes with HTTP server
+   */
+  private registerAuthRoutes(httpServer: IHttpServer, ctx: PluginContext): void {
+    if (!this.authManager) return;
+
+    const basePath = this.options.basePath || '/api/v1/auth';
+
+    // Login endpoint
+    httpServer.post(`${basePath}/login`, async (req, res) => {
+      try {
+        const body = req.body;
+        const result = await this.authManager!.login(body);
+        res.status(200).json(result);
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error('Login error:', err);
+        res.status(401).json({
+          success: false,
+          error: err.message,
+        });
+      }
+    });
+
+    // Register endpoint
+    httpServer.post(`${basePath}/register`, async (req, res) => {
+      try {
+        const body = req.body;
+        const result = await this.authManager!.register(body);
+        res.status(201).json(result);
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error('Registration error:', err);
+        res.status(400).json({
+          success: false,
+          error: err.message,
+        });
+      }
+    });
+
+    // Logout endpoint
+    httpServer.post(`${basePath}/logout`, async (req, res) => {
+      try {
+        const authHeader = req.headers['authorization'];
+        const token = typeof authHeader === 'string' ? authHeader.replace('Bearer ', '') : undefined;
+        await this.authManager!.logout(token);
+        res.status(200).json({ success: true });
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error('Logout error:', err);
+        res.status(400).json({
+          success: false,
+          error: err.message,
+        });
+      }
+    });
+
+    // Session endpoint
+    httpServer.get(`${basePath}/session`, async (req, res) => {
+      try {
+        const authHeader = req.headers['authorization'];
+        const token = typeof authHeader === 'string' ? authHeader.replace('Bearer ', '') : undefined;
+        const session = await this.authManager!.getSession(token);
+        res.status(200).json({ success: true, data: session });
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        res.status(401).json({
+          success: false,
+          error: err.message,
+        });
+      }
+    });
+
+    ctx.logger.debug('Auth routes registered:', {
+      basePath,
+      routes: [
+        `POST ${basePath}/login`,
+        `POST ${basePath}/register`,
+        `POST ${basePath}/logout`,
+        `GET ${basePath}/session`,
+      ],
+    });
+  }
+}
+
+/**
+ * Auth Manager
+ * 
+ * @planned This is a stub implementation. Real authentication logic
+ * will be implemented using better-auth or similar library in future versions.
+ */
+class AuthManager {
+  constructor(_config: AuthPluginOptions) {
+    // Store config for future use
+  }
+
+  async login(_credentials: any): Promise<any> {
+    // @planned Implement actual login logic with better-auth
+    throw new Error('Login not yet implemented');
+  }
+
+  async register(_userData: any): Promise<any> {
+    // @planned Implement actual registration logic with better-auth
+    throw new Error('Registration not yet implemented');
+  }
+
+  async logout(_token?: string): Promise<void> {
+    // @planned Implement actual logout logic
+    throw new Error('Logout not yet implemented');
+  }
+
+  async getSession(_token?: string): Promise<any> {
+    // @planned Implement actual session retrieval
+    throw new Error('Session retrieval not yet implemented');
+  }
+}
+

package/src/index.ts

@@ -0,0 +1,11 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+/**
+ * @objectstack/plugin-auth
+ * 
+ * Authentication & Identity Plugin for ObjectStack
+ * Powered by better-auth for robust, secure authentication
+ */
+
+export * from './auth-plugin';
+export type { AuthConfig, AuthProviderConfig, AuthPluginConfig } from '@objectstack/spec/system';

package/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": ["src/**/*"],
+  "exclude": ["dist", "node_modules", "**/*.test.ts"]
+}