npm - @objectstack/plugin-auth - Versions diffs - 7.8.0 → 8.0.0 - Mend

@objectstack/plugin-auth 7.8.0 → 8.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -403,6 +403,57 @@ declare class AuthManager {
     getDataEngine(): IDataEngine | undefined;
 }
+/**
+ * Shared `set-initial-password` handler.
+ *
+ * better-auth ships a `setPassword` operation that does EXACTLY what we want
+ * (require a session, enforce min/max length, link a `credential` account if
+ * none exists, refuse if one already does). But it is registered with
+ * `createAuthEndpoint({ ... })` — note: NO leading path string — which means
+ * better-auth deliberately exposes it as a **server-only** `auth.api.setPassword`
+ * call and gives it no HTTP route. Setting a password without proving the old
+ * one is privilege-sensitive, so it must not be reachable over the wire by
+ * default.
+ *
+ * To let an SSO-onboarded user set an *initial* local password from the
+ * browser, we wrap that server API in our own authenticated HTTP route. This
+ * helper is the single source of truth for that route body so the two mount
+ * points — the full `AuthPlugin` (host kernel) and the cloud `AuthProxyPlugin`
+ * (per-environment runtime) — stay in lockstep instead of hand-copying ~50
+ * lines of hash/createAccount logic (the original drift that let #1544 ship a
+ * route on one path but not the other).
+ */
+/** Minimal shape of the better-auth server API we depend on. */
+interface SetPasswordCapableApi {
+    setPassword(opts: {
+        body: {
+            newPassword: string;
+        };
+        headers: Headers;
+    }): Promise<unknown>;
+}
+interface SetInitialPasswordResult {
+    /** HTTP status to return to the caller. */
+    status: number;
+    /** JSON body; mirrors the `{ success, error: { code, message } }` envelope the client parses. */
+    body: {
+        success: boolean;
+        error?: {
+            code: string;
+            message: string;
+        };
+    };
+}
+/**
+ * Run set-initial-password against the environment's better-auth API.
+ *
+ * @param authApi   the better-auth server api (`auth.api`, via `AuthManager.getApi()`)
+ * @param request   the raw Web `Request` — its `headers` carry the session
+ *                  cookie that better-auth's session middleware reads, and its
+ *                  body carries `{ newPassword }`.
+ */
+declare function runSetInitialPassword(authApi: SetPasswordCapableApi, request: Request): Promise<SetInitialPasswordResult>;
 /**
  * Mapping from better-auth model names to ObjectStack protocol object names.
  *
@@ -1172,4 +1223,4 @@ declare function buildDeviceAuthorizationPluginSchema(): {
     };
 };
-export { AUTH_ACCOUNT_CONFIG, AUTH_ADMIN_SESSION_FIELDS, AUTH_ADMIN_USER_FIELDS, AUTH_DEVICE_CODE_SCHEMA, AUTH_INVITATION_SCHEMA, AUTH_JWKS_SCHEMA, AUTH_MEMBER_SCHEMA, AUTH_MODEL_TO_PROTOCOL, AUTH_OAUTH_ACCESS_TOKEN_SCHEMA, AUTH_OAUTH_APPLICATION_SCHEMA, AUTH_OAUTH_CLIENT_SCHEMA, AUTH_OAUTH_CONSENT_SCHEMA, AUTH_OAUTH_REFRESH_TOKEN_SCHEMA, AUTH_ORGANIZATION_SCHEMA, AUTH_ORG_SESSION_FIELDS, AUTH_SESSION_CONFIG, AUTH_TEAM_MEMBER_SCHEMA, AUTH_TEAM_SCHEMA, AUTH_TWO_FACTOR_SCHEMA, AUTH_TWO_FACTOR_USER_FIELDS, AUTH_USER_CONFIG, AUTH_VERIFICATION_CONFIG, AuthManager, type AuthManagerOptions, AuthPlugin, type AuthPluginOptions, buildAdminPluginSchema, buildDeviceAuthorizationPluginSchema, buildJwtPluginSchema, buildOauthProviderPluginSchema, buildOidcProviderPluginSchema, buildOrganizationPluginSchema, buildTwoFactorPluginSchema, createObjectQLAdapter, createObjectQLAdapterFactory, resolveProtocolName };
+export { AUTH_ACCOUNT_CONFIG, AUTH_ADMIN_SESSION_FIELDS, AUTH_ADMIN_USER_FIELDS, AUTH_DEVICE_CODE_SCHEMA, AUTH_INVITATION_SCHEMA, AUTH_JWKS_SCHEMA, AUTH_MEMBER_SCHEMA, AUTH_MODEL_TO_PROTOCOL, AUTH_OAUTH_ACCESS_TOKEN_SCHEMA, AUTH_OAUTH_APPLICATION_SCHEMA, AUTH_OAUTH_CLIENT_SCHEMA, AUTH_OAUTH_CONSENT_SCHEMA, AUTH_OAUTH_REFRESH_TOKEN_SCHEMA, AUTH_ORGANIZATION_SCHEMA, AUTH_ORG_SESSION_FIELDS, AUTH_SESSION_CONFIG, AUTH_TEAM_MEMBER_SCHEMA, AUTH_TEAM_SCHEMA, AUTH_TWO_FACTOR_SCHEMA, AUTH_TWO_FACTOR_USER_FIELDS, AUTH_USER_CONFIG, AUTH_VERIFICATION_CONFIG, AuthManager, type AuthManagerOptions, AuthPlugin, type AuthPluginOptions, type SetInitialPasswordResult, type SetPasswordCapableApi, buildAdminPluginSchema, buildDeviceAuthorizationPluginSchema, buildJwtPluginSchema, buildOauthProviderPluginSchema, buildOidcProviderPluginSchema, buildOrganizationPluginSchema, buildTwoFactorPluginSchema, createObjectQLAdapter, createObjectQLAdapterFactory, resolveProtocolName, runSetInitialPassword };

package/dist/index.d.ts CHANGED Viewed

@@ -403,6 +403,57 @@ declare class AuthManager {
     getDataEngine(): IDataEngine | undefined;
 }
+/**
+ * Shared `set-initial-password` handler.
+ *
+ * better-auth ships a `setPassword` operation that does EXACTLY what we want
+ * (require a session, enforce min/max length, link a `credential` account if
+ * none exists, refuse if one already does). But it is registered with
+ * `createAuthEndpoint({ ... })` — note: NO leading path string — which means
+ * better-auth deliberately exposes it as a **server-only** `auth.api.setPassword`
+ * call and gives it no HTTP route. Setting a password without proving the old
+ * one is privilege-sensitive, so it must not be reachable over the wire by
+ * default.
+ *
+ * To let an SSO-onboarded user set an *initial* local password from the
+ * browser, we wrap that server API in our own authenticated HTTP route. This
+ * helper is the single source of truth for that route body so the two mount
+ * points — the full `AuthPlugin` (host kernel) and the cloud `AuthProxyPlugin`
+ * (per-environment runtime) — stay in lockstep instead of hand-copying ~50
+ * lines of hash/createAccount logic (the original drift that let #1544 ship a
+ * route on one path but not the other).
+ */
+/** Minimal shape of the better-auth server API we depend on. */
+interface SetPasswordCapableApi {
+    setPassword(opts: {
+        body: {
+            newPassword: string;
+        };
+        headers: Headers;
+    }): Promise<unknown>;
+}
+interface SetInitialPasswordResult {
+    /** HTTP status to return to the caller. */
+    status: number;
+    /** JSON body; mirrors the `{ success, error: { code, message } }` envelope the client parses. */
+    body: {
+        success: boolean;
+        error?: {
+            code: string;
+            message: string;
+        };
+    };
+}
+/**
+ * Run set-initial-password against the environment's better-auth API.
+ *
+ * @param authApi   the better-auth server api (`auth.api`, via `AuthManager.getApi()`)
+ * @param request   the raw Web `Request` — its `headers` carry the session
+ *                  cookie that better-auth's session middleware reads, and its
+ *                  body carries `{ newPassword }`.
+ */
+declare function runSetInitialPassword(authApi: SetPasswordCapableApi, request: Request): Promise<SetInitialPasswordResult>;
 /**
  * Mapping from better-auth model names to ObjectStack protocol object names.
  *
@@ -1172,4 +1223,4 @@ declare function buildDeviceAuthorizationPluginSchema(): {
     };
 };
-export { AUTH_ACCOUNT_CONFIG, AUTH_ADMIN_SESSION_FIELDS, AUTH_ADMIN_USER_FIELDS, AUTH_DEVICE_CODE_SCHEMA, AUTH_INVITATION_SCHEMA, AUTH_JWKS_SCHEMA, AUTH_MEMBER_SCHEMA, AUTH_MODEL_TO_PROTOCOL, AUTH_OAUTH_ACCESS_TOKEN_SCHEMA, AUTH_OAUTH_APPLICATION_SCHEMA, AUTH_OAUTH_CLIENT_SCHEMA, AUTH_OAUTH_CONSENT_SCHEMA, AUTH_OAUTH_REFRESH_TOKEN_SCHEMA, AUTH_ORGANIZATION_SCHEMA, AUTH_ORG_SESSION_FIELDS, AUTH_SESSION_CONFIG, AUTH_TEAM_MEMBER_SCHEMA, AUTH_TEAM_SCHEMA, AUTH_TWO_FACTOR_SCHEMA, AUTH_TWO_FACTOR_USER_FIELDS, AUTH_USER_CONFIG, AUTH_VERIFICATION_CONFIG, AuthManager, type AuthManagerOptions, AuthPlugin, type AuthPluginOptions, buildAdminPluginSchema, buildDeviceAuthorizationPluginSchema, buildJwtPluginSchema, buildOauthProviderPluginSchema, buildOidcProviderPluginSchema, buildOrganizationPluginSchema, buildTwoFactorPluginSchema, createObjectQLAdapter, createObjectQLAdapterFactory, resolveProtocolName };
+export { AUTH_ACCOUNT_CONFIG, AUTH_ADMIN_SESSION_FIELDS, AUTH_ADMIN_USER_FIELDS, AUTH_DEVICE_CODE_SCHEMA, AUTH_INVITATION_SCHEMA, AUTH_JWKS_SCHEMA, AUTH_MEMBER_SCHEMA, AUTH_MODEL_TO_PROTOCOL, AUTH_OAUTH_ACCESS_TOKEN_SCHEMA, AUTH_OAUTH_APPLICATION_SCHEMA, AUTH_OAUTH_CLIENT_SCHEMA, AUTH_OAUTH_CONSENT_SCHEMA, AUTH_OAUTH_REFRESH_TOKEN_SCHEMA, AUTH_ORGANIZATION_SCHEMA, AUTH_ORG_SESSION_FIELDS, AUTH_SESSION_CONFIG, AUTH_TEAM_MEMBER_SCHEMA, AUTH_TEAM_SCHEMA, AUTH_TWO_FACTOR_SCHEMA, AUTH_TWO_FACTOR_USER_FIELDS, AUTH_USER_CONFIG, AUTH_VERIFICATION_CONFIG, AuthManager, type AuthManagerOptions, AuthPlugin, type AuthPluginOptions, type SetInitialPasswordResult, type SetPasswordCapableApi, buildAdminPluginSchema, buildDeviceAuthorizationPluginSchema, buildJwtPluginSchema, buildOauthProviderPluginSchema, buildOidcProviderPluginSchema, buildOrganizationPluginSchema, buildTwoFactorPluginSchema, createObjectQLAdapter, createObjectQLAdapterFactory, resolveProtocolName, runSetInitialPassword };

package/dist/index.js CHANGED Viewed

@@ -63,7 +63,8 @@ __export(index_exports, {
   buildTwoFactorPluginSchema: () => buildTwoFactorPluginSchema,
   createObjectQLAdapter: () => createObjectQLAdapter,
   createObjectQLAdapterFactory: () => createObjectQLAdapterFactory,
-  resolveProtocolName: () => resolveProtocolName
+  resolveProtocolName: () => resolveProtocolName,
+  runSetInitialPassword: () => runSetInitialPassword
 });
 module.exports = __toCommonJS(index_exports);
@@ -1191,14 +1192,17 @@ var AuthManager = class {
    */
   generateSecret() {
     const envSecret = (0, import_types.readEnvWithDeprecation)("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]);
-    if (!envSecret) {
-      const fallbackSecret = "dev-secret-" + Date.now();
-      console.warn(
-        "\u26A0\uFE0F  WARNING: No OS_AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set OS_AUTH_SECRET in your environment variables."
+    if (envSecret) return envSecret;
+    if (process.env.NODE_ENV === "production") {
+      throw new Error(
+        "[auth] OS_AUTH_SECRET is required in production but is not set. Refusing to boot with a temporary development secret \u2014 session tokens would be forgeable. Set OS_AUTH_SECRET to a strong random value."
       );
-      return fallbackSecret;
     }
-    return envSecret;
+    const fallbackSecret = "dev-secret-" + Date.now();
+    console.warn(
+      "\u26A0\uFE0F  WARNING: No OS_AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set OS_AUTH_SECRET in your environment variables."
+    );
+    return fallbackSecret;
   }
   /**
    * Update the base URL at runtime.
@@ -1404,6 +1408,37 @@ var AuthManager = class {
   }
 };
+// src/set-initial-password.ts
+async function runSetInitialPassword(authApi, request) {
+  let parsed;
+  try {
+    parsed = await request.json();
+  } catch {
+    parsed = {};
+  }
+  const newPassword = parsed?.newPassword;
+  if (typeof newPassword !== "string" || newPassword.length === 0) {
+    return {
+      status: 400,
+      body: { success: false, error: { code: "invalid_request", message: "newPassword is required" } }
+    };
+  }
+  try {
+    await authApi.setPassword({ body: { newPassword }, headers: request.headers });
+    return { status: 200, body: { success: true } };
+  } catch (error) {
+    return mapSetPasswordError(error);
+  }
+}
+function mapSetPasswordError(error) {
+  const e = error;
+  const code = e?.body?.code ?? "internal";
+  const message = e?.body?.message ?? e?.message ?? "set-initial-password failed";
+  const rawStatus = typeof e?.statusCode === "number" ? e.statusCode : typeof e?.status === "number" ? e.status : 500;
+  const status = code === "PASSWORD_ALREADY_SET" ? 409 : rawStatus;
+  return { status, body: { success: false, error: { code, message } } };
+}
 // src/manifest.ts
 var import_identity = require("@objectstack/platform-objects/identity");
 var AUTH_PLUGIN_ID = "com.objectstack.plugin-auth";
@@ -1701,53 +1736,9 @@ var AuthPlugin = class {
     });
     rawApp.post(`${basePath}/set-initial-password`, async (c) => {
       try {
-        let body = {};
-        try {
-          body = await c.req.json();
-        } catch {
-          body = {};
-        }
-        const newPassword = body?.newPassword;
-        if (typeof newPassword !== "string" || newPassword.length === 0) {
-          return c.json({ success: false, error: { code: "invalid_request", message: "newPassword is required" } }, 400);
-        }
         const authApi = await this.authManager.getApi();
-        const session = await authApi.getSession({ headers: c.req.raw.headers });
-        if (!session?.user?.id) {
-          return c.json({ success: false, error: { code: "unauthorized", message: "Sign in first" } }, 401);
-        }
-        const userId = session.user.id;
-        const authCtx = await this.authManager.getAuthContext();
-        if (!authCtx?.internalAdapter || !authCtx?.password) {
-          return c.json({ success: false, error: { code: "unavailable", message: "Auth context unavailable" } }, 503);
-        }
-        const minLen = authCtx.password?.config?.minPasswordLength ?? 8;
-        const maxLen = authCtx.password?.config?.maxPasswordLength ?? 128;
-        if (newPassword.length < minLen) {
-          return c.json({ success: false, error: { code: "password_too_short", message: `Password must be at least ${minLen} characters` } }, 400);
-        }
-        if (newPassword.length > maxLen) {
-          return c.json({ success: false, error: { code: "password_too_long", message: `Password must be at most ${maxLen} characters` } }, 400);
-        }
-        const accounts = await authCtx.internalAdapter.findAccounts(userId);
-        const existingCredential = accounts?.find?.((a) => a.providerId === "credential" && a.password);
-        if (existingCredential) {
-          return c.json({
-            success: false,
-            error: {
-              code: "credential_account_exists",
-              message: "A local password is already set for this account. Use change-password instead."
-            }
-          }, 409);
-        }
-        const passwordHash = await authCtx.password.hash(newPassword);
-        await authCtx.internalAdapter.createAccount({
-          userId,
-          providerId: "credential",
-          accountId: userId,
-          password: passwordHash
-        });
-        return c.json({ success: true });
+        const { status, body } = await runSetInitialPassword(authApi, c.req.raw);
+        return c.json(body, status);
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
         ctx.logger.error("[AuthPlugin] set-initial-password failed", err);
@@ -1973,6 +1964,7 @@ var AuthPlugin = class {
   buildTwoFactorPluginSchema,
   createObjectQLAdapter,
   createObjectQLAdapterFactory,
-  resolveProtocolName
+  resolveProtocolName,
+  runSetInitialPassword
 });
 //# sourceMappingURL=index.js.map