@objectstack/plugin-auth 6.9.0 → 7.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +70 -34
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +72 -36
- package/dist/index.mjs.map +1 -1
- package/package.json +4 -4
package/dist/index.mjs
CHANGED
|
@@ -2,9 +2,10 @@
|
|
|
2
2
|
import {
|
|
3
3
|
SETUP_APP,
|
|
4
4
|
STUDIO_APP,
|
|
5
|
-
|
|
6
|
-
|
|
5
|
+
ACCOUNT_APP,
|
|
6
|
+
SystemOverviewDashboard
|
|
7
7
|
} from "@objectstack/platform-objects/apps";
|
|
8
|
+
import { SysOrganizationDetailPage, SysUserDetailPage } from "@objectstack/platform-objects/pages";
|
|
8
9
|
|
|
9
10
|
// src/objectql-adapter.ts
|
|
10
11
|
import { createAdapterFactory } from "better-auth/adapters";
|
|
@@ -630,8 +631,7 @@ var AuthManager = class {
|
|
|
630
631
|
relatedId: user.id
|
|
631
632
|
});
|
|
632
633
|
} catch (err) {
|
|
633
|
-
console.error(`[AuthManager] sendResetPassword failed: ${err?.message ?? err}`);
|
|
634
|
-
throw err;
|
|
634
|
+
console.error(`[AuthManager] sendResetPassword failed (swallowed): ${err?.message ?? err}`);
|
|
635
635
|
}
|
|
636
636
|
}
|
|
637
637
|
};
|
|
@@ -667,8 +667,7 @@ var AuthManager = class {
|
|
|
667
667
|
relatedId: user.id
|
|
668
668
|
});
|
|
669
669
|
} catch (err) {
|
|
670
|
-
console.error(`[AuthManager] sendVerificationEmail failed: ${err?.message ?? err}`);
|
|
671
|
-
throw err;
|
|
670
|
+
console.error(`[AuthManager] sendVerificationEmail failed (swallowed): ${err?.message ?? err}`);
|
|
672
671
|
}
|
|
673
672
|
}
|
|
674
673
|
}
|
|
@@ -809,12 +808,14 @@ var AuthManager = class {
|
|
|
809
808
|
async buildPluginList() {
|
|
810
809
|
const pluginConfig = this.config.plugins ?? {};
|
|
811
810
|
const plugins = [];
|
|
811
|
+
const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
|
|
812
|
+
const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
|
|
812
813
|
const enabled = {
|
|
813
814
|
organization: pluginConfig.organization ?? true,
|
|
814
815
|
twoFactor: pluginConfig.twoFactor ?? false,
|
|
815
816
|
passkeys: pluginConfig.passkeys ?? false,
|
|
816
817
|
magicLink: pluginConfig.magicLink ?? false,
|
|
817
|
-
oidcProvider: pluginConfig.oidcProvider ?? false,
|
|
818
|
+
oidcProvider: oidcFromEnv ?? pluginConfig.oidcProvider ?? false,
|
|
818
819
|
deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
|
|
819
820
|
admin: pluginConfig.admin ?? false
|
|
820
821
|
};
|
|
@@ -959,8 +960,7 @@ var AuthManager = class {
|
|
|
959
960
|
relatedId: invitation.id
|
|
960
961
|
});
|
|
961
962
|
} catch (err) {
|
|
962
|
-
console.error(`[AuthManager] sendInvitationEmail failed: ${err?.message ?? err}`);
|
|
963
|
-
throw err;
|
|
963
|
+
console.error(`[AuthManager] sendInvitationEmail failed (swallowed): ${err?.message ?? err}`);
|
|
964
964
|
}
|
|
965
965
|
}
|
|
966
966
|
}));
|
|
@@ -1291,13 +1291,15 @@ var AuthManager = class {
|
|
|
1291
1291
|
};
|
|
1292
1292
|
const termsUrl = resolveLegalUrl(rawTermsUrl, DEFAULT_TERMS_URL);
|
|
1293
1293
|
const privacyUrl = resolveLegalUrl(rawPrivacyUrl, DEFAULT_PRIVACY_URL);
|
|
1294
|
+
const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
|
|
1295
|
+
const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
|
|
1294
1296
|
const features = {
|
|
1295
1297
|
twoFactor: pluginConfig.twoFactor ?? false,
|
|
1296
1298
|
passkeys: pluginConfig.passkeys ?? false,
|
|
1297
1299
|
magicLink: pluginConfig.magicLink ?? false,
|
|
1298
1300
|
organization: pluginConfig.organization ?? true,
|
|
1299
1301
|
multiOrgEnabled,
|
|
1300
|
-
oidcProvider: pluginConfig.oidcProvider ?? false,
|
|
1302
|
+
oidcProvider: oidcFromEnv ?? pluginConfig.oidcProvider ?? false,
|
|
1301
1303
|
deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
|
|
1302
1304
|
...termsUrl ? { termsUrl } : {},
|
|
1303
1305
|
...privacyUrl ? { privacyUrl } : {}
|
|
@@ -1408,7 +1410,12 @@ var AuthPlugin = class {
|
|
|
1408
1410
|
// @objectstack/platform-objects/apps). plugin-auth is the natural
|
|
1409
1411
|
// owner of its registration since it loads first among the trio
|
|
1410
1412
|
// (auth + security + audit) that supplies the underlying objects.
|
|
1411
|
-
apps: [SETUP_APP, STUDIO_APP],
|
|
1413
|
+
apps: [SETUP_APP, STUDIO_APP, ACCOUNT_APP],
|
|
1414
|
+
// Slotted record-detail pages for system objects — currently
|
|
1415
|
+
// sys_organization gets a Members / Invitations / Teams tab strip
|
|
1416
|
+
// (see SysOrganizationDetailPage for the rationale and the
|
|
1417
|
+
// intentionally-omitted OAuth / SSO tabs).
|
|
1418
|
+
pages: [SysOrganizationDetailPage, SysUserDetailPage],
|
|
1412
1419
|
// List views for each Setup-nav object are defined on the schema
|
|
1413
1420
|
// itself via the canonical `listViews` map (e.g.
|
|
1414
1421
|
// sys_user.listViews.{all_users,unverified,two_factor}). Registering
|
|
@@ -1427,30 +1434,6 @@ var AuthPlugin = class {
|
|
|
1427
1434
|
if (!this.authManager) {
|
|
1428
1435
|
throw new Error("Auth manager not initialized");
|
|
1429
1436
|
}
|
|
1430
|
-
ctx.hook("kernel:ready", async () => {
|
|
1431
|
-
try {
|
|
1432
|
-
const i18n = ctx.getService("i18n");
|
|
1433
|
-
let loaded = 0;
|
|
1434
|
-
for (const [locale, data] of Object.entries(SetupAppTranslations)) {
|
|
1435
|
-
if (data && typeof data === "object") {
|
|
1436
|
-
try {
|
|
1437
|
-
i18n.loadTranslations(locale, data);
|
|
1438
|
-
loaded++;
|
|
1439
|
-
} catch (err) {
|
|
1440
|
-
ctx.logger.warn(
|
|
1441
|
-
`Auth: failed to load Setup App translations for '${locale}': ${err?.message ?? err}`
|
|
1442
|
-
);
|
|
1443
|
-
}
|
|
1444
|
-
}
|
|
1445
|
-
}
|
|
1446
|
-
if (loaded > 0) {
|
|
1447
|
-
ctx.logger.info(
|
|
1448
|
-
`Auth: contributed Setup App translations (${loaded} locale${loaded > 1 ? "s" : ""})`
|
|
1449
|
-
);
|
|
1450
|
-
}
|
|
1451
|
-
} catch {
|
|
1452
|
-
}
|
|
1453
|
-
});
|
|
1454
1437
|
if (this.options.registerRoutes) {
|
|
1455
1438
|
ctx.hook("kernel:ready", async () => {
|
|
1456
1439
|
if (this.authManager) {
|
|
@@ -1668,6 +1651,56 @@ var AuthPlugin = class {
|
|
|
1668
1651
|
return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
|
|
1669
1652
|
}
|
|
1670
1653
|
});
|
|
1654
|
+
rawApp.post(`${basePath}/sys-oauth-application/register`, async (c) => {
|
|
1655
|
+
try {
|
|
1656
|
+
let body = {};
|
|
1657
|
+
try {
|
|
1658
|
+
body = await c.req.json();
|
|
1659
|
+
} catch {
|
|
1660
|
+
body = {};
|
|
1661
|
+
}
|
|
1662
|
+
const name = body?.name;
|
|
1663
|
+
const redirectUrlsInput = body?.redirectURLs;
|
|
1664
|
+
const type = body?.type;
|
|
1665
|
+
if (typeof name !== "string" || name.trim().length === 0) {
|
|
1666
|
+
return c.json({ success: false, error: { code: "invalid_request", message: "name is required" } }, 400);
|
|
1667
|
+
}
|
|
1668
|
+
if (typeof redirectUrlsInput !== "string" || redirectUrlsInput.trim().length === 0) {
|
|
1669
|
+
return c.json({ success: false, error: { code: "invalid_request", message: "redirectURLs is required" } }, 400);
|
|
1670
|
+
}
|
|
1671
|
+
const redirectUris = redirectUrlsInput.split(/[\r\n]+/).map((line) => line.trim()).filter((line) => line.length > 0);
|
|
1672
|
+
if (redirectUris.length === 0) {
|
|
1673
|
+
return c.json({ success: false, error: { code: "invalid_request", message: "redirectURLs must contain at least one URL" } }, 400);
|
|
1674
|
+
}
|
|
1675
|
+
const allowedTypes = /* @__PURE__ */ new Set(["web", "native", "user-agent-based"]);
|
|
1676
|
+
const safeType = typeof type === "string" && allowedTypes.has(type) ? type : "web";
|
|
1677
|
+
const authApi = await this.authManager.getApi();
|
|
1678
|
+
if (!authApi?.createOAuthClient) {
|
|
1679
|
+
return c.json({ success: false, error: { code: "unavailable", message: "OIDC provider is not enabled on this environment" } }, 503);
|
|
1680
|
+
}
|
|
1681
|
+
let result;
|
|
1682
|
+
try {
|
|
1683
|
+
result = await authApi.createOAuthClient({
|
|
1684
|
+
body: {
|
|
1685
|
+
client_name: name.trim(),
|
|
1686
|
+
redirect_uris: redirectUris,
|
|
1687
|
+
type: safeType
|
|
1688
|
+
},
|
|
1689
|
+
headers: c.req.raw.headers
|
|
1690
|
+
});
|
|
1691
|
+
} catch (err) {
|
|
1692
|
+
const status = typeof err?.status === "number" ? err.status : 500;
|
|
1693
|
+
const code = err?.body?.error ?? "oauth_register_failed";
|
|
1694
|
+
const message = err?.body?.error_description ?? err?.message ?? "Unable to register OAuth client";
|
|
1695
|
+
return c.json({ success: false, error: { code, message } }, status);
|
|
1696
|
+
}
|
|
1697
|
+
return c.json({ success: true, data: { client: result } });
|
|
1698
|
+
} catch (error) {
|
|
1699
|
+
const err = error instanceof Error ? error : new Error(String(error));
|
|
1700
|
+
ctx.logger.error("[AuthPlugin] sys-oauth-application/register failed", err);
|
|
1701
|
+
return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
|
|
1702
|
+
}
|
|
1703
|
+
});
|
|
1671
1704
|
rawApp.all(`${basePath}/*`, async (c) => {
|
|
1672
1705
|
try {
|
|
1673
1706
|
const response = await this.authManager.handleRequest(c.req.raw);
|
|
@@ -1708,7 +1741,10 @@ var AuthPlugin = class {
|
|
|
1708
1741
|
);
|
|
1709
1742
|
}
|
|
1710
1743
|
});
|
|
1711
|
-
|
|
1744
|
+
const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
|
|
1745
|
+
const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
|
|
1746
|
+
const oidcEnabled = oidcFromEnv ?? this.options.plugins?.oidcProvider ?? false;
|
|
1747
|
+
if (oidcEnabled) {
|
|
1712
1748
|
void this.registerOidcDiscoveryRoutes(rawApp, ctx).catch((error) => {
|
|
1713
1749
|
ctx.logger.error("Failed to register OIDC discovery routes", error);
|
|
1714
1750
|
});
|