@objectstack/plugin-auth 3.2.5 → 3.2.6

package/src/objects/auth-session.object.ts

@@ -1,89 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
-import { ObjectSchema, Field } from '@objectstack/spec/data';
-
 /**
- * Auth Session Object
- * 
- * Uses better-auth's native schema for seamless migration:
- * - id: string
- * - created_at: Date
- * - updated_at: Date
- * - user_id: string
- * - expires_at: Date
- * - token: string
- * - ip_address: string | null
- * - user_agent: string | null
+ * @deprecated Use `SysSession` from `./sys-session.object` instead.
+ *             This re-export is kept for backward compatibility.
  */
-export const AuthSession = ObjectSchema.create({
-  name: 'sys_session',
-  label: 'Session',
-  pluralLabel: 'Sessions',
-  icon: 'key',
-  description: 'Active user sessions',
-  titleFormat: 'Session {token}',
-  compactLayout: ['user_id', 'expires_at', 'ip_address'],
-  
-  fields: {
-    id: Field.text({
-      label: 'Session ID',
-      required: true,
-      readonly: true,
-    }),
-    
-    created_at: Field.datetime({
-      label: 'Created At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    updated_at: Field.datetime({
-      label: 'Updated At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    user_id: Field.text({
-      label: 'User ID',
-      required: true,
-    }),
-    
-    expires_at: Field.datetime({
-      label: 'Expires At',
-      required: true,
-    }),
-    
-    token: Field.text({
-      label: 'Session Token',
-      required: true,
-    }),
-    
-    ip_address: Field.text({
-      label: 'IP Address',
-      required: false,
-      maxLength: 45, // Support IPv6
-    }),
-    
-    user_agent: Field.textarea({
-      label: 'User Agent',
-      required: false,
-    }),
-  },
-  
-  // Database indexes for performance
-  indexes: [
-    { fields: ['token'], unique: true },
-    { fields: ['user_id'], unique: false },
-    { fields: ['expires_at'], unique: false },
-  ],
-  
-  // Enable features
-  enable: {
-    trackHistory: false, // Sessions don't need history tracking
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ['get', 'list', 'create', 'delete'], // No update for sessions
-    trash: false, // Sessions should be hard deleted
-    mru: false,
-  },
-});
+export { SysSession as AuthSession } from './sys-session.object.js';

package/src/objects/auth-user.object.ts

@@ -1,97 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
-import { ObjectSchema, Field } from '@objectstack/spec/data';
-
 /**
- * Auth User Object
- * 
- * Uses better-auth's native schema for seamless migration:
- * - id: string
- * - created_at: Date
- * - updated_at: Date
- * - email: string (unique, lowercase)
- * - email_verified: boolean
- * - name: string
- * - image: string | null
+ * @deprecated Use `SysUser` from `./sys-user.object` instead.
+ *             This re-export is kept for backward compatibility.
  */
-export const AuthUser = ObjectSchema.create({
-  name: 'sys_user',
-  label: 'User',
-  pluralLabel: 'Users',
-  icon: 'user',
-  description: 'User accounts for authentication',
-  titleFormat: '{name} ({email})',
-  compactLayout: ['name', 'email', 'email_verified'],
-  
-  fields: {
-    // ID is auto-generated by ObjectQL
-    id: Field.text({
-      label: 'User ID',
-      required: true,
-      readonly: true,
-    }),
-    
-    created_at: Field.datetime({
-      label: 'Created At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    updated_at: Field.datetime({
-      label: 'Updated At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    email: Field.email({
-      label: 'Email',
-      required: true,
-      searchable: true,
-    }),
-    
-    email_verified: Field.boolean({
-      label: 'Email Verified',
-      defaultValue: false,
-    }),
-    
-    name: Field.text({
-      label: 'Name',
-      required: true,
-      searchable: true,
-      maxLength: 255,
-    }),
-    
-    image: Field.url({
-      label: 'Profile Image',
-      required: false,
-    }),
-  },
-  
-  // Database indexes for performance
-  indexes: [
-    { fields: ['email'], unique: true },
-    { fields: ['created_at'], unique: false },
-  ],
-  
-  // Enable features
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
-    trash: true,
-    mru: true,
-  },
-  
-  // Validation Rules
-  validations: [
-    {
-      name: 'email_unique',
-      type: 'unique',
-      severity: 'error',
-      message: 'Email must be unique',
-      fields: ['email'],
-      caseSensitive: false,
-    },
-  ],
-});
+export { SysUser as AuthUser } from './sys-user.object.js';

package/src/objects/auth-verification.object.ts

@@ -1,78 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
-import { ObjectSchema, Field } from '@objectstack/spec/data';
-
 /**
- * Auth Verification Object
- * 
- * Uses better-auth's native schema for seamless migration:
- * - id: string
- * - created_at: Date
- * - updated_at: Date
- * - value: string (verification token/code)
- * - expires_at: Date
- * - identifier: string (email or phone number)
+ * @deprecated Use `SysVerification` from `./sys-verification.object` instead.
+ *             This re-export is kept for backward compatibility.
  */
-export const AuthVerification = ObjectSchema.create({
-  name: 'sys_verification',
-  label: 'Verification',
-  pluralLabel: 'Verifications',
-  icon: 'shield-check',
-  description: 'Email and phone verification tokens',
-  titleFormat: 'Verification for {identifier}',
-  compactLayout: ['identifier', 'expires_at', 'created_at'],
-  
-  fields: {
-    id: Field.text({
-      label: 'Verification ID',
-      required: true,
-      readonly: true,
-    }),
-    
-    created_at: Field.datetime({
-      label: 'Created At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    updated_at: Field.datetime({
-      label: 'Updated At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    value: Field.text({
-      label: 'Verification Token',
-      required: true,
-      description: 'Token or code for verification',
-    }),
-    
-    expires_at: Field.datetime({
-      label: 'Expires At',
-      required: true,
-    }),
-    
-    identifier: Field.text({
-      label: 'Identifier',
-      required: true,
-      description: 'Email address or phone number',
-    }),
-  },
-  
-  // Database indexes for performance
-  indexes: [
-    { fields: ['value'], unique: true },
-    { fields: ['identifier'], unique: false },
-    { fields: ['expires_at'], unique: false },
-  ],
-  
-  // Enable features
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ['get', 'create', 'delete'], // No list or update
-    trash: false, // Hard delete expired tokens
-    mru: false,
-  },
-});
+export { SysVerification as AuthVerification } from './sys-verification.object.js';

package/src/objects/index.ts

@@ -1,13 +1,39 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 /**
- * Auth Objects
- * 
- * ObjectQL-based object definitions for authentication database schema.
- * These objects replace the need for third-party ORMs like drizzle-orm.
+ * Auth Plugin — System Object Definitions (sys namespace)
+ *
+ * Canonical ObjectSchema definitions for all authentication-related system objects.
+ * All objects belong to the `sys` namespace and follow the unified naming convention:
+ *   - File: `sys-{name}.object.ts`
+ *   - Export: `Sys{PascalCase}`
+ *   - Object name: `{name}` (snake_case, no prefix)
+ *   - Table name: `sys_{name}` (auto-derived from namespace)
  */
 
+// ── Core Auth Objects ──────────────────────────────────────────────────────
+export { SysUser } from './sys-user.object.js';
+export { SysSession } from './sys-session.object.js';
+export { SysAccount } from './sys-account.object.js';
+export { SysVerification } from './sys-verification.object.js';
+
+// ── Organization Objects ───────────────────────────────────────────────────
+export { SysOrganization } from './sys-organization.object.js';
+export { SysMember } from './sys-member.object.js';
+export { SysInvitation } from './sys-invitation.object.js';
+export { SysTeam } from './sys-team.object.js';
+export { SysTeamMember } from './sys-team-member.object.js';
+
+// ── Additional Auth Objects ────────────────────────────────────────────────
+export { SysApiKey } from './sys-api-key.object.js';
+export { SysTwoFactor } from './sys-two-factor.object.js';
+
+// ── Backward Compatibility (deprecated) ────────────────────────────────────
+/** @deprecated Use `SysUser` instead */
 export { AuthUser } from './auth-user.object.js';
+/** @deprecated Use `SysSession` instead */
 export { AuthSession } from './auth-session.object.js';
+/** @deprecated Use `SysAccount` instead */
 export { AuthAccount } from './auth-account.object.js';
+/** @deprecated Use `SysVerification` instead */
 export { AuthVerification } from './auth-verification.object.js';

package/src/objects/sys-account.object.ts

@@ -0,0 +1,111 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * sys_account — System Account Object
+ *
+ * OAuth / credential provider account record.
+ * Backed by better-auth's `account` model with ObjectStack field conventions.
+ *
+ * @namespace sys
+ */
+export const SysAccount = ObjectSchema.create({
+  namespace: 'sys',
+  name: 'account',
+  label: 'Account',
+  pluralLabel: 'Accounts',
+  icon: 'link',
+  isSystem: true,
+  description: 'OAuth and authentication provider accounts',
+  titleFormat: '{provider_id} - {account_id}',
+  compactLayout: ['provider_id', 'user_id', 'account_id'],
+  
+  fields: {
+    id: Field.text({
+      label: 'Account ID',
+      required: true,
+      readonly: true,
+    }),
+    
+    created_at: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    updated_at: Field.datetime({
+      label: 'Updated At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    provider_id: Field.text({
+      label: 'Provider ID',
+      required: true,
+      description: 'OAuth provider identifier (google, github, etc.)',
+    }),
+    
+    account_id: Field.text({
+      label: 'Provider Account ID',
+      required: true,
+      description: "User's ID in the provider's system",
+    }),
+    
+    user_id: Field.text({
+      label: 'User ID',
+      required: true,
+      description: 'Link to user table',
+    }),
+    
+    access_token: Field.textarea({
+      label: 'Access Token',
+      required: false,
+    }),
+    
+    refresh_token: Field.textarea({
+      label: 'Refresh Token',
+      required: false,
+    }),
+    
+    id_token: Field.textarea({
+      label: 'ID Token',
+      required: false,
+    }),
+    
+    access_token_expires_at: Field.datetime({
+      label: 'Access Token Expires At',
+      required: false,
+    }),
+    
+    refresh_token_expires_at: Field.datetime({
+      label: 'Refresh Token Expires At',
+      required: false,
+    }),
+    
+    scope: Field.text({
+      label: 'OAuth Scope',
+      required: false,
+    }),
+    
+    password: Field.text({
+      label: 'Password Hash',
+      required: false,
+      description: 'Hashed password for email/password provider',
+    }),
+  },
+  
+  indexes: [
+    { fields: ['user_id'], unique: false },
+    { fields: ['provider_id', 'account_id'], unique: true },
+  ],
+  
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
+    trash: true,
+    mru: false,
+  },
+});

package/src/objects/sys-api-key.object.ts

@@ -0,0 +1,104 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * sys_api_key — System API Key Object
+ *
+ * API keys for programmatic/machine access to the platform.
+ *
+ * @namespace sys
+ */
+export const SysApiKey = ObjectSchema.create({
+  namespace: 'sys',
+  name: 'api_key',
+  label: 'API Key',
+  pluralLabel: 'API Keys',
+  icon: 'key-round',
+  isSystem: true,
+  description: 'API keys for programmatic access',
+  titleFormat: '{name}',
+  compactLayout: ['name', 'user_id', 'expires_at'],
+  
+  fields: {
+    id: Field.text({
+      label: 'API Key ID',
+      required: true,
+      readonly: true,
+    }),
+    
+    created_at: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    updated_at: Field.datetime({
+      label: 'Updated At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    name: Field.text({
+      label: 'Name',
+      required: true,
+      maxLength: 255,
+      description: 'Human-readable label for the API key',
+    }),
+    
+    key: Field.text({
+      label: 'Key',
+      required: true,
+      description: 'Hashed API key value',
+    }),
+    
+    prefix: Field.text({
+      label: 'Prefix',
+      required: false,
+      maxLength: 16,
+      description: 'Visible prefix for identifying the key (e.g., "osk_")',
+    }),
+    
+    user_id: Field.text({
+      label: 'User ID',
+      required: true,
+      description: 'Owner user of this API key',
+    }),
+    
+    scopes: Field.textarea({
+      label: 'Scopes',
+      required: false,
+      description: 'JSON array of permission scopes',
+    }),
+    
+    expires_at: Field.datetime({
+      label: 'Expires At',
+      required: false,
+    }),
+    
+    last_used_at: Field.datetime({
+      label: 'Last Used At',
+      required: false,
+    }),
+    
+    revoked: Field.boolean({
+      label: 'Revoked',
+      defaultValue: false,
+    }),
+  },
+  
+  indexes: [
+    { fields: ['key'], unique: true },
+    { fields: ['user_id'] },
+    { fields: ['prefix'] },
+  ],
+  
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
+    trash: false,
+    mru: false,
+  },
+});

package/src/objects/sys-invitation.object.ts

@@ -0,0 +1,93 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * sys_invitation — System Invitation Object
+ *
+ * Organization invitation tokens for inviting users.
+ * Backed by better-auth's organization plugin.
+ *
+ * @namespace sys
+ */
+export const SysInvitation = ObjectSchema.create({
+  namespace: 'sys',
+  name: 'invitation',
+  label: 'Invitation',
+  pluralLabel: 'Invitations',
+  icon: 'mail',
+  isSystem: true,
+  description: 'Organization invitations for user onboarding',
+  titleFormat: 'Invitation to {organization_id}',
+  compactLayout: ['email', 'organization_id', 'status'],
+  
+  fields: {
+    id: Field.text({
+      label: 'Invitation ID',
+      required: true,
+      readonly: true,
+    }),
+    
+    created_at: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    organization_id: Field.text({
+      label: 'Organization ID',
+      required: true,
+    }),
+    
+    email: Field.email({
+      label: 'Email',
+      required: true,
+      description: 'Email address of the invited user',
+    }),
+    
+    role: Field.text({
+      label: 'Role',
+      required: false,
+      maxLength: 100,
+      description: 'Role to assign upon acceptance',
+    }),
+    
+    status: Field.select(['pending', 'accepted', 'rejected', 'expired', 'canceled'], {
+      label: 'Status',
+      required: true,
+      defaultValue: 'pending',
+    }),
+    
+    inviter_id: Field.text({
+      label: 'Inviter ID',
+      required: true,
+      description: 'User ID of the person who sent the invitation',
+    }),
+    
+    expires_at: Field.datetime({
+      label: 'Expires At',
+      required: true,
+    }),
+    
+    team_id: Field.text({
+      label: 'Team ID',
+      required: false,
+      description: 'Optional team to assign upon acceptance',
+    }),
+  },
+  
+  indexes: [
+    { fields: ['organization_id'] },
+    { fields: ['email'] },
+    { fields: ['expires_at'] },
+  ],
+  
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
+    trash: false,
+    mru: false,
+  },
+});

package/src/objects/sys-member.object.ts

@@ -0,0 +1,68 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * sys_member — System Member Object
+ *
+ * Organization membership linking users to organizations with roles.
+ * Backed by better-auth's organization plugin.
+ *
+ * @namespace sys
+ */
+export const SysMember = ObjectSchema.create({
+  namespace: 'sys',
+  name: 'member',
+  label: 'Member',
+  pluralLabel: 'Members',
+  icon: 'user-check',
+  isSystem: true,
+  description: 'Organization membership records',
+  titleFormat: '{user_id} in {organization_id}',
+  compactLayout: ['user_id', 'organization_id', 'role'],
+  
+  fields: {
+    id: Field.text({
+      label: 'Member ID',
+      required: true,
+      readonly: true,
+    }),
+    
+    created_at: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+    
+    organization_id: Field.text({
+      label: 'Organization ID',
+      required: true,
+    }),
+    
+    user_id: Field.text({
+      label: 'User ID',
+      required: true,
+    }),
+    
+    role: Field.text({
+      label: 'Role',
+      required: false,
+      description: 'Member role within the organization (e.g. admin, member)',
+      maxLength: 100,
+    }),
+  },
+  
+  indexes: [
+    { fields: ['organization_id', 'user_id'], unique: true },
+    { fields: ['user_id'] },
+  ],
+  
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
+    trash: false,
+    mru: false,
+  },
+});