npm - @objectstack/plugin-auth - Versions diffs - 7.9.0 → 8.0.0 - Mend

@objectstack/plugin-auth 7.9.0 → 8.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1128,14 +1128,17 @@ var AuthManager = class {
    */
   generateSecret() {
     const envSecret = readEnvWithDeprecation("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]);
-    if (!envSecret) {
-      const fallbackSecret = "dev-secret-" + Date.now();
-      console.warn(
-        "\u26A0\uFE0F  WARNING: No OS_AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set OS_AUTH_SECRET in your environment variables."
+    if (envSecret) return envSecret;
+    if (process.env.NODE_ENV === "production") {
+      throw new Error(
+        "[auth] OS_AUTH_SECRET is required in production but is not set. Refusing to boot with a temporary development secret \u2014 session tokens would be forgeable. Set OS_AUTH_SECRET to a strong random value."
       );
-      return fallbackSecret;
     }
-    return envSecret;
+    const fallbackSecret = "dev-secret-" + Date.now();
+    console.warn(
+      "\u26A0\uFE0F  WARNING: No OS_AUTH_SECRET environment variable set! Using a temporary development secret. This is NOT secure for production use. Please set OS_AUTH_SECRET in your environment variables."
+    );
+    return fallbackSecret;
   }
   /**
    * Update the base URL at runtime.
@@ -1341,6 +1344,37 @@ var AuthManager = class {
   }
 };
+// src/set-initial-password.ts
+async function runSetInitialPassword(authApi, request) {
+  let parsed;
+  try {
+    parsed = await request.json();
+  } catch {
+    parsed = {};
+  }
+  const newPassword = parsed?.newPassword;
+  if (typeof newPassword !== "string" || newPassword.length === 0) {
+    return {
+      status: 400,
+      body: { success: false, error: { code: "invalid_request", message: "newPassword is required" } }
+    };
+  }
+  try {
+    await authApi.setPassword({ body: { newPassword }, headers: request.headers });
+    return { status: 200, body: { success: true } };
+  } catch (error) {
+    return mapSetPasswordError(error);
+  }
+}
+function mapSetPasswordError(error) {
+  const e = error;
+  const code = e?.body?.code ?? "internal";
+  const message = e?.body?.message ?? e?.message ?? "set-initial-password failed";
+  const rawStatus = typeof e?.statusCode === "number" ? e.statusCode : typeof e?.status === "number" ? e.status : 500;
+  const status = code === "PASSWORD_ALREADY_SET" ? 409 : rawStatus;
+  return { status, body: { success: false, error: { code, message } } };
+}
 // src/manifest.ts
 import {
   SysAccount,
@@ -1657,53 +1691,9 @@ var AuthPlugin = class {
     });
     rawApp.post(`${basePath}/set-initial-password`, async (c) => {
       try {
-        let body = {};
-        try {
-          body = await c.req.json();
-        } catch {
-          body = {};
-        }
-        const newPassword = body?.newPassword;
-        if (typeof newPassword !== "string" || newPassword.length === 0) {
-          return c.json({ success: false, error: { code: "invalid_request", message: "newPassword is required" } }, 400);
-        }
         const authApi = await this.authManager.getApi();
-        const session = await authApi.getSession({ headers: c.req.raw.headers });
-        if (!session?.user?.id) {
-          return c.json({ success: false, error: { code: "unauthorized", message: "Sign in first" } }, 401);
-        }
-        const userId = session.user.id;
-        const authCtx = await this.authManager.getAuthContext();
-        if (!authCtx?.internalAdapter || !authCtx?.password) {
-          return c.json({ success: false, error: { code: "unavailable", message: "Auth context unavailable" } }, 503);
-        }
-        const minLen = authCtx.password?.config?.minPasswordLength ?? 8;
-        const maxLen = authCtx.password?.config?.maxPasswordLength ?? 128;
-        if (newPassword.length < minLen) {
-          return c.json({ success: false, error: { code: "password_too_short", message: `Password must be at least ${minLen} characters` } }, 400);
-        }
-        if (newPassword.length > maxLen) {
-          return c.json({ success: false, error: { code: "password_too_long", message: `Password must be at most ${maxLen} characters` } }, 400);
-        }
-        const accounts = await authCtx.internalAdapter.findAccounts(userId);
-        const existingCredential = accounts?.find?.((a) => a.providerId === "credential" && a.password);
-        if (existingCredential) {
-          return c.json({
-            success: false,
-            error: {
-              code: "credential_account_exists",
-              message: "A local password is already set for this account. Use change-password instead."
-            }
-          }, 409);
-        }
-        const passwordHash = await authCtx.password.hash(newPassword);
-        await authCtx.internalAdapter.createAccount({
-          userId,
-          providerId: "credential",
-          accountId: userId,
-          password: passwordHash
-        });
-        return c.json({ success: true });
+        const { status, body } = await runSetInitialPassword(authApi, c.req.raw);
+        return c.json(body, status);
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
         ctx.logger.error("[AuthPlugin] set-initial-password failed", err);
@@ -1928,6 +1918,7 @@ export {
   buildTwoFactorPluginSchema,
   createObjectQLAdapter,
   createObjectQLAdapterFactory,
-  resolveProtocolName
+  resolveProtocolName,
+  runSetInitialPassword
 };
 //# sourceMappingURL=index.mjs.map