@objectstack/plugin-auth 4.0.2 → 4.0.4

package/src/auth-manager.test.ts

@@ -434,7 +434,7 @@ describe('AuthManager', () => {
       ]);
     });
 
-    it('should NOT include trustedOrigins key when not provided', () => {
+    it('should default to localhost wildcard when trustedOrigins not provided', () => {
       let capturedConfig: any;
       (betterAuth as any).mockImplementation((config: any) => {
         capturedConfig = config;
@@ -449,10 +449,10 @@ describe('AuthManager', () => {
       manager.getAuthInstance();
       warnSpy.mockRestore();
 
-      expect(capturedConfig).not.toHaveProperty('trustedOrigins');
+      expect(capturedConfig.trustedOrigins).toEqual(['http://localhost:*']);
     });
 
-    it('should NOT include trustedOrigins key when array is empty', () => {
+    it('should default to localhost wildcard when trustedOrigins array is empty', () => {
       let capturedConfig: any;
       (betterAuth as any).mockImplementation((config: any) => {
         capturedConfig = config;
@@ -468,7 +468,7 @@ describe('AuthManager', () => {
       manager.getAuthInstance();
       warnSpy.mockRestore();
 
-      expect(capturedConfig).not.toHaveProperty('trustedOrigins');
+      expect(capturedConfig.trustedOrigins).toEqual(['http://localhost:*']);
     });
   });
 
@@ -755,4 +755,129 @@ describe('AuthManager', () => {
       expect(capturedConfig).not.toHaveProperty('advanced');
     });
   });
+
+  describe('getPublicConfig', () => {
+    it('should return safe public configuration', () => {
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        baseUrl: 'http://localhost:3000',
+        socialProviders: {
+          google: {
+            clientId: 'google-client-id',
+            clientSecret: 'google-client-secret',
+            enabled: true,
+          },
+          github: {
+            clientId: 'github-client-id',
+            clientSecret: 'github-client-secret',
+          },
+        },
+        emailAndPassword: {
+          enabled: true,
+          disableSignUp: false,
+          requireEmailVerification: true,
+        },
+        plugins: {
+          twoFactor: true,
+          organization: true,
+        },
+      });
+      warnSpy.mockRestore();
+
+      const config = manager.getPublicConfig();
+
+      // Should include social providers without secrets
+      expect(config.socialProviders).toHaveLength(2);
+      expect(config.socialProviders[0]).toEqual({
+        id: 'google',
+        name: 'Google',
+        enabled: true,
+      });
+      expect(config.socialProviders[1]).toEqual({
+        id: 'github',
+        name: 'GitHub',
+        enabled: true,
+      });
+
+      // Should NOT include sensitive data
+      expect(config).not.toHaveProperty('secret');
+      expect(config.socialProviders[0]).not.toHaveProperty('clientSecret');
+      expect(config.socialProviders[0]).not.toHaveProperty('clientId');
+
+      // Should include email/password config
+      expect(config.emailPassword).toEqual({
+        enabled: true,
+        disableSignUp: false,
+        requireEmailVerification: true,
+      });
+
+      // Should include features
+      expect(config.features).toEqual({
+        twoFactor: true,
+        passkeys: false,
+        magicLink: false,
+        organization: true,
+      });
+    });
+
+    it('should filter out disabled providers', () => {
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        socialProviders: {
+          google: {
+            clientId: 'google-client-id',
+            clientSecret: 'google-client-secret',
+            enabled: true,
+          },
+          github: {
+            clientId: 'github-client-id',
+            clientSecret: 'github-client-secret',
+            enabled: false,
+          },
+        },
+      });
+      warnSpy.mockRestore();
+
+      const config = manager.getPublicConfig();
+
+      expect(config.socialProviders).toHaveLength(1);
+      expect(config.socialProviders[0].id).toBe('google');
+    });
+
+    it('should default email/password to enabled', () => {
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+      });
+      warnSpy.mockRestore();
+
+      const config = manager.getPublicConfig();
+
+      expect(config.emailPassword.enabled).toBe(true);
+    });
+
+    it('should handle unknown provider names', () => {
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const manager = new AuthManager({
+        secret: 'test-secret-at-least-32-chars-long',
+        socialProviders: {
+          customProvider: {
+            clientId: 'custom-client-id',
+            clientSecret: 'custom-client-secret',
+          },
+        },
+      });
+      warnSpy.mockRestore();
+
+      const config = manager.getPublicConfig();
+
+      expect(config.socialProviders[0]).toEqual({
+        id: 'customProvider',
+        name: 'CustomProvider',
+        enabled: true,
+      });
+    });
+  });
 });

package/src/auth-manager.ts

@@ -5,7 +5,11 @@ import type { Auth, BetterAuthOptions } from 'better-auth';
 import { organization } from 'better-auth/plugins/organization';
 import { twoFactor } from 'better-auth/plugins/two-factor';
 import { magicLink } from 'better-auth/plugins/magic-link';
-import type { AuthConfig } from '@objectstack/spec/system';
+import type {
+  AuthConfig,
+  EmailAndPasswordConfig,
+  AuthPluginConfig,
+} from '@objectstack/spec/system';
 import type { IDataEngine } from '@objectstack/core';
 import { createObjectQLAdapterFactory } from './objectql-adapter.js';
 import {
@@ -153,7 +157,23 @@ export class AuthManager {
       plugins: this.buildPluginList(),
 
       // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
-      ...(this.config.trustedOrigins?.length ? { trustedOrigins: this.config.trustedOrigins } : {}),
+      // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
+      ...(() => {
+        const origins: string[] = [...(this.config.trustedOrigins || [])];
+        // Sync with CORS_ORIGIN env var (comma-separated)
+        const corsOrigin = process.env.CORS_ORIGIN;
+        if (corsOrigin && corsOrigin !== '*') {
+          corsOrigin.split(',').map(s => s.trim()).filter(Boolean).forEach(o => {
+            if (!origins.includes(o)) origins.push(o);
+          });
+        }
+        // When CORS allows all origins (default) and no explicit trustedOrigins,
+        // trust all localhost ports in development for convenience.
+        if (!origins.length && (!corsOrigin || corsOrigin === '*')) {
+          origins.push('http://localhost:*');
+        }
+        return origins.length ? { trustedOrigins: origins } : {};
+      })(),
 
       // Advanced options (cross-subdomain cookies, secure cookies, CSRF, etc.)
       ...(this.config.advanced ? {
@@ -335,4 +355,65 @@ export class AuthManager {
   get api() {
     return this.getOrCreateAuth().api;
   }
+
+  /**
+   * Get public authentication configuration
+   * Returns safe, non-sensitive configuration that can be exposed to the frontend
+   *
+   * This allows the frontend to discover:
+   * - Which social/OAuth providers are available
+   * - Whether email/password login is enabled
+   * - Which advanced features are enabled (2FA, magic links, etc.)
+   */
+  getPublicConfig() {
+    // Extract social providers info (without sensitive data)
+    const socialProviders = [];
+    if (this.config.socialProviders) {
+      for (const [id, providerConfig] of Object.entries(this.config.socialProviders)) {
+        if (providerConfig.enabled !== false) {
+          // Map provider ID to friendly name
+          const nameMap: Record<string, string> = {
+            google: 'Google',
+            github: 'GitHub',
+            microsoft: 'Microsoft',
+            apple: 'Apple',
+            facebook: 'Facebook',
+            twitter: 'Twitter',
+            discord: 'Discord',
+            gitlab: 'GitLab',
+            linkedin: 'LinkedIn',
+          };
+
+          socialProviders.push({
+            id,
+            name: nameMap[id] || id.charAt(0).toUpperCase() + id.slice(1),
+            enabled: true,
+          });
+        }
+      }
+    }
+
+    // Extract email/password config (safe fields only)
+    const emailPasswordConfig: Partial<EmailAndPasswordConfig> = this.config.emailAndPassword ?? {};
+    const emailPassword = {
+      enabled: emailPasswordConfig.enabled !== false, // Default to true
+      disableSignUp: emailPasswordConfig.disableSignUp ?? false,
+      requireEmailVerification: emailPasswordConfig.requireEmailVerification ?? false,
+    };
+
+    // Extract enabled features
+    const pluginConfig: Partial<AuthPluginConfig> = this.config.plugins ?? {};
+    const features = {
+      twoFactor: pluginConfig.twoFactor ?? false,
+      passkeys: pluginConfig.passkeys ?? false,
+      magicLink: pluginConfig.magicLink ?? false,
+      organization: pluginConfig.organization ?? false,
+    };
+
+    return {
+      emailPassword,
+      socialProviders,
+      features,
+    };
+  }
 }

package/src/auth-plugin.test.ts

@@ -24,7 +24,11 @@ describe('AuthPlugin', () => {
   beforeEach(() => {
     mockContext = {
       registerService: vi.fn(),
-      getService: vi.fn(),
+      getService: vi.fn((name: string) => {
+        if (name === 'manifest') return { register: vi.fn() };
+        if (name === 'data') return undefined;
+        return undefined;
+      }),
       getServices: vi.fn(() => new Map()),
       hook: vi.fn(),
       trigger: vi.fn(),
@@ -47,7 +51,7 @@ describe('AuthPlugin', () => {
       expect(authPlugin.name).toBe('com.objectstack.auth');
       expect(authPlugin.type).toBe('standard');
       expect(authPlugin.version).toBe('1.0.0');
-      expect(authPlugin.dependencies).toEqual([]);
+      expect(authPlugin.dependencies).toEqual(['com.objectstack.engine.objectql']);
     });
   });
 
@@ -133,6 +137,7 @@ describe('AuthPlugin', () => {
     it('should register routes with HTTP server on kernel:ready', async () => {
       const mockRawApp = {
         all: vi.fn(),
+        get: vi.fn(),
       };
 
       const mockHttpServer = {
@@ -169,6 +174,7 @@ describe('AuthPlugin', () => {
     it('should log via ctx.logger when better-auth returns a 500 response', async () => {
       const mockRawApp = {
         all: vi.fn(),
+        get: vi.fn(),
       };
 
       const mockHttpServer = {
@@ -266,7 +272,7 @@ describe('AuthPlugin', () => {
     });
 
     it('should auto-detect baseUrl from http-server port when port differs', async () => {
-      const mockRawApp = { all: vi.fn() };
+      const mockRawApp = { all: vi.fn(), get: vi.fn() };
       const mockHttpServer = {
         post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
         patch: vi.fn(), use: vi.fn(),
@@ -302,7 +308,7 @@ describe('AuthPlugin', () => {
       (mockContext.registerService as any).mockClear();
       await localPlugin.init(mockContext);
 
-      const mockRawApp = { all: vi.fn() };
+      const mockRawApp = { all: vi.fn(), get: vi.fn() };
       const mockHttpServer = {
         post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
         patch: vi.fn(), use: vi.fn(),
@@ -334,7 +340,7 @@ describe('AuthPlugin', () => {
       (mockContext.registerService as any).mockClear();
       await localPlugin.init(mockContext);
 
-      const mockRawApp = { all: vi.fn() };
+      const mockRawApp = { all: vi.fn(), get: vi.fn() };
       const mockHttpServer = {
         post: vi.fn(), get: vi.fn(), put: vi.fn(), delete: vi.fn(),
         patch: vi.fn(), use: vi.fn(),
@@ -396,6 +402,7 @@ describe('AuthPlugin', () => {
 
       const mockRawApp = {
         all: vi.fn(),
+        get: vi.fn(),
       };
 
       const mockHttpServer = {

package/src/auth-plugin.ts

@@ -7,7 +7,7 @@ import {
   SysUser, SysSession, SysAccount, SysVerification,
   SysOrganization, SysMember, SysInvitation,
   SysTeam, SysTeamMember,
-  SysApiKey, SysTwoFactor,
+  SysApiKey, SysTwoFactor, SysUserPreference,
 } from './objects/index.js';
 
 /**
@@ -107,7 +107,7 @@ export class AuthPlugin implements Plugin {
         SysUser, SysSession, SysAccount, SysVerification,
         SysOrganization, SysMember, SysInvitation,
         SysTeam, SysTeamMember,
-        SysApiKey, SysTwoFactor,
+        SysApiKey, SysTwoFactor, SysUserPreference,
       ],
     });
 
@@ -245,6 +245,28 @@ export class AuthPlugin implements Plugin {
 
     const rawApp = (httpServer as any).getRawApp();
 
+    // Register auth config endpoint - public endpoint for frontend discovery
+    rawApp.get(`${basePath}/config`, async (c: any) => {
+      try {
+        const config = this.authManager!.getPublicConfig();
+        return c.json({
+          success: true,
+          data: config,
+        });
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error('Auth config error:', err);
+
+        return c.json({
+          success: false,
+          error: {
+            code: 'auth_config_error',
+            message: err.message,
+          },
+        }, 500);
+      }
+    });
+
     // Register wildcard route to forward all auth requests to better-auth.
     // better-auth is configured with basePath matching our route prefix, so we
     // forward the original request directly — no path rewriting needed.

package/src/objects/index.ts

@@ -27,6 +27,7 @@ export { SysTeamMember } from './sys-team-member.object.js';
 // ── Additional Auth Objects ────────────────────────────────────────────────
 export { SysApiKey } from './sys-api-key.object.js';
 export { SysTwoFactor } from './sys-two-factor.object.js';
+export { SysUserPreference } from './sys-user-preference.object.js';
 
 // ── Backward Compatibility (deprecated) ────────────────────────────────────
 /** @deprecated Use `SysUser` instead */

package/src/objects/sys-user-preference.object.ts

@@ -0,0 +1,82 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * sys_user_preference — System User Preference Object
+ *
+ * Per-user key-value preferences for storing UI state, settings, and personalization.
+ * Supports the User Preferences layer in the Config Resolution hierarchy
+ * (Runtime > User Preferences > Tenant > Env).
+ *
+ * Common use cases:
+ * - UI preferences: theme, locale, timezone, sidebar state
+ * - Feature flags: plugin.ai.auto_save, plugin.dev.debug_mode
+ * - User-specific settings: default_view, notifications_enabled
+ *
+ * @namespace sys
+ */
+export const SysUserPreference = ObjectSchema.create({
+  namespace: 'sys',
+  name: 'user_preference',
+  label: 'User Preference',
+  pluralLabel: 'User Preferences',
+  icon: 'settings',
+  isSystem: true,
+  description: 'Per-user key-value preferences (theme, locale, etc.)',
+  titleFormat: '{key}',
+  compactLayout: ['user_id', 'key'],
+
+  fields: {
+    id: Field.text({
+      label: 'Preference ID',
+      required: true,
+      readonly: true,
+    }),
+
+    created_at: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+
+    updated_at: Field.datetime({
+      label: 'Updated At',
+      defaultValue: 'NOW()',
+      readonly: true,
+    }),
+
+    user_id: Field.text({
+      label: 'User ID',
+      required: true,
+      maxLength: 255,
+      description: 'Owner user of this preference',
+    }),
+
+    key: Field.text({
+      label: 'Key',
+      required: true,
+      maxLength: 255,
+      description: 'Preference key (e.g., theme, locale, plugin.ai.auto_save)',
+    }),
+
+    value: Field.json({
+      label: 'Value',
+      description: 'Preference value (any JSON-serializable type)',
+    }),
+  },
+
+  indexes: [
+    { fields: ['user_id', 'key'], unique: true },
+    { fields: ['user_id'], unique: false },
+  ],
+
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
+    trash: false,
+    mru: false,
+  },
+});