@objectstack/plugin-auth 6.8.1 → 7.0.0

package/dist/index.js

@@ -69,6 +69,7 @@ module.exports = __toCommonJS(index_exports);
 
 // src/auth-plugin.ts
 var import_apps = require("@objectstack/platform-objects/apps");
+var import_pages = require("@objectstack/platform-objects/pages");
 
 // src/objectql-adapter.ts
 var import_adapters = require("better-auth/adapters");
@@ -694,8 +695,7 @@ var AuthManager = class {
                 relatedId: user.id
               });
             } catch (err) {
-              console.error(`[AuthManager] sendResetPassword failed: ${err?.message ?? err}`);
-              throw err;
+              console.error(`[AuthManager] sendResetPassword failed (swallowed): ${err?.message ?? err}`);
             }
           }
         };
@@ -731,8 +731,7 @@ var AuthManager = class {
                 relatedId: user.id
               });
             } catch (err) {
-              console.error(`[AuthManager] sendVerificationEmail failed: ${err?.message ?? err}`);
-              throw err;
+              console.error(`[AuthManager] sendVerificationEmail failed (swallowed): ${err?.message ?? err}`);
             }
           }
         }
@@ -873,12 +872,14 @@ var AuthManager = class {
   async buildPluginList() {
     const pluginConfig = this.config.plugins ?? {};
     const plugins = [];
+    const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
+    const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
     const enabled = {
       organization: pluginConfig.organization ?? true,
       twoFactor: pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
-      oidcProvider: pluginConfig.oidcProvider ?? false,
+      oidcProvider: oidcFromEnv ?? pluginConfig.oidcProvider ?? false,
       deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
       admin: pluginConfig.admin ?? false
     };
@@ -937,14 +938,18 @@ var AuthManager = class {
         // never seed `sys_environment`) keep working: any lookup error
         // is treated as "no envs to protect".
         organizationHooks: {
-          // Gate fresh organization creation behind `OS_MULTI_ORG_ENABLED`.
+          // Gate fresh organization creation behind the multi-org flag.
           // The plugin itself is always installed (so list/update/invite endpoints
           // keep responding); only the `create` operation is denied when the
-          // deployment is provisioned in single-org mode. Default is enabled
-          // to preserve historical behaviour.
+          // deployment is provisioned in single-org mode. Resolution order:
+          // 1. explicit `OS_MULTI_ORG_ENABLED` (wins for backwards compat),
+          // 2. else `OS_MULTI_TENANT` (multi-tenant deployments are always
+          //    multi-org), default `'false'` → single-org / per-env runtime.
           beforeCreateOrganization: async () => {
+            const env = globalThis?.process?.env ?? {};
+            const explicit = env.OS_MULTI_ORG_ENABLED;
             const flag = String(
-              globalThis?.process?.env?.OS_MULTI_ORG_ENABLED ?? "true"
+              explicit ?? env.OS_MULTI_TENANT ?? "false"
             ).toLowerCase();
             if (flag === "false") {
               const { APIError } = await import("better-auth/api");
@@ -1019,8 +1024,7 @@ var AuthManager = class {
               relatedId: invitation.id
             });
           } catch (err) {
-            console.error(`[AuthManager] sendInvitationEmail failed: ${err?.message ?? err}`);
-            throw err;
+            console.error(`[AuthManager] sendInvitationEmail failed (swallowed): ${err?.message ?? err}`);
           }
         }
       }));
@@ -1335,8 +1339,9 @@ var AuthManager = class {
       requireEmailVerification: emailPasswordConfig.requireEmailVerification ?? false
     };
     const pluginConfig = this.config.plugins ?? {};
+    const multiOrgEnv = globalThis?.process?.env ?? {};
     const multiOrgEnabled = String(
-      globalThis?.process?.env?.OS_MULTI_ORG_ENABLED ?? "true"
+      multiOrgEnv.OS_MULTI_ORG_ENABLED ?? multiOrgEnv.OS_MULTI_TENANT ?? "false"
     ).toLowerCase() !== "false";
     const DEFAULT_TERMS_URL = "https://objectstack.ai/terms";
     const DEFAULT_PRIVACY_URL = "https://objectstack.ai/privacy";
@@ -1350,13 +1355,15 @@ var AuthManager = class {
     };
     const termsUrl = resolveLegalUrl(rawTermsUrl, DEFAULT_TERMS_URL);
     const privacyUrl = resolveLegalUrl(rawPrivacyUrl, DEFAULT_PRIVACY_URL);
+    const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
+    const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
     const features = {
       twoFactor: pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
       organization: pluginConfig.organization ?? true,
       multiOrgEnabled,
-      oidcProvider: pluginConfig.oidcProvider ?? false,
+      oidcProvider: oidcFromEnv ?? pluginConfig.oidcProvider ?? false,
       deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
       ...termsUrl ? { termsUrl } : {},
       ...privacyUrl ? { privacyUrl } : {}
@@ -1448,7 +1455,12 @@ var AuthPlugin = class {
       // @objectstack/platform-objects/apps). plugin-auth is the natural
       // owner of its registration since it loads first among the trio
       // (auth + security + audit) that supplies the underlying objects.
-      apps: [import_apps.SETUP_APP, import_apps.STUDIO_APP],
+      apps: [import_apps.SETUP_APP, import_apps.STUDIO_APP, import_apps.ACCOUNT_APP],
+      // Slotted record-detail pages for system objects — currently
+      // sys_organization gets a Members / Invitations / Teams tab strip
+      // (see SysOrganizationDetailPage for the rationale and the
+      // intentionally-omitted OAuth / SSO tabs).
+      pages: [import_pages.SysOrganizationDetailPage, import_pages.SysUserDetailPage],
       // List views for each Setup-nav object are defined on the schema
       // itself via the canonical `listViews` map (e.g.
       // sys_user.listViews.{all_users,unverified,two_factor}). Registering
@@ -1467,30 +1479,6 @@ var AuthPlugin = class {
     if (!this.authManager) {
       throw new Error("Auth manager not initialized");
     }
-    ctx.hook("kernel:ready", async () => {
-      try {
-        const i18n = ctx.getService("i18n");
-        let loaded = 0;
-        for (const [locale, data] of Object.entries(import_apps.SetupAppTranslations)) {
-          if (data && typeof data === "object") {
-            try {
-              i18n.loadTranslations(locale, data);
-              loaded++;
-            } catch (err) {
-              ctx.logger.warn(
-                `Auth: failed to load Setup App translations for '${locale}': ${err?.message ?? err}`
-              );
-            }
-          }
-        }
-        if (loaded > 0) {
-          ctx.logger.info(
-            `Auth: contributed Setup App translations (${loaded} locale${loaded > 1 ? "s" : ""})`
-          );
-        }
-      } catch {
-      }
-    });
     if (this.options.registerRoutes) {
       ctx.hook("kernel:ready", async () => {
         if (this.authManager) {
@@ -1748,7 +1736,10 @@ var AuthPlugin = class {
         );
       }
     });
-    if (this.options.plugins?.oidcProvider) {
+    const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
+    const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
+    const oidcEnabled = oidcFromEnv ?? this.options.plugins?.oidcProvider ?? false;
+    if (oidcEnabled) {
       void this.registerOidcDiscoveryRoutes(rawApp, ctx).catch((error) => {
         ctx.logger.error("Failed to register OIDC discovery routes", error);
       });