@objectstack/plugin-auth 8.0.0 → 9.0.0

package/dist/index.mjs

@@ -5,7 +5,8 @@ import {
   SETUP_NAV_CONTRIBUTIONS,
   STUDIO_APP,
   ACCOUNT_APP,
-  SystemOverviewDashboard
+  SystemOverviewDashboard,
+  SystemOverviewDatasets
 } from "@objectstack/platform-objects/apps";
 import { SysOrganizationDetailPage, SysUserDetailPage } from "@objectstack/platform-objects/pages";
 
@@ -511,6 +512,18 @@ function installWebContainerRequestStatePolyfill() {
     );
   }
 }
+function readBooleanEnv(name, legacyName) {
+  const env = globalThis?.process?.env;
+  const raw = env?.[name] ?? (legacyName ? env?.[legacyName] : void 0);
+  if (raw == null) return void 0;
+  const normalized = String(raw).trim().toLowerCase();
+  return !["0", "false", "off", "no"].includes(normalized);
+}
+function readDisableSignUpEnv() {
+  const signupEnabled = readBooleanEnv("OS_AUTH_SIGNUP_ENABLED");
+  if (signupEnabled != null) return !signupEnabled;
+  return readBooleanEnv("OS_DISABLE_SIGNUP");
+}
 var AuthManager = class {
   constructor(config) {
     this.auth = null;
@@ -594,13 +607,10 @@ var AuthManager = class {
       // Social / OAuth providers
       ...this.config.socialProviders ? { socialProviders: this.config.socialProviders } : {},
       // Email and password configuration.
-      // `disableSignUp`: the env var `OS_DISABLE_SIGNUP=true` overrides
-      // the config-file value so deployments can flip the toggle without
-      // a code change (`getPublicConfig()` applies the same precedence so
-      // `/auth/config` stays consistent with the server enforcement).
+      // `disableSignUp`: env overrides config/settings so deployments can
+      // lock the registration policy without relying on UI state.
       emailAndPassword: (() => {
-        const disableSignUpEnv = globalThis?.process?.env?.OS_DISABLE_SIGNUP;
-        const disableSignUpFromEnv = disableSignUpEnv != null ? String(disableSignUpEnv).toLowerCase() === "true" : void 0;
+        const disableSignUpFromEnv = readDisableSignUpEnv();
         const effectiveDisableSignUp = disableSignUpFromEnv ?? this.config.emailAndPassword?.disableSignUp;
         return {
           enabled: this.config.emailAndPassword?.enabled ?? true,
@@ -815,9 +825,10 @@ var AuthManager = class {
     const plugins = [];
     const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
     const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
+    const twoFactorFromEnv = readBooleanEnv("OS_AUTH_TWO_FACTOR");
     const enabled = {
       organization: pluginConfig.organization ?? true,
-      twoFactor: pluginConfig.twoFactor ?? false,
+      twoFactor: twoFactorFromEnv ?? pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
       oidcProvider: oidcFromEnv ?? pluginConfig.oidcProvider ?? false,
@@ -1159,6 +1170,39 @@ var AuthManager = class {
     }
     this.config = { ...this.config, baseUrl: url };
   }
+  /**
+   * Merge runtime configuration into the manager.
+   *
+   * Settings-backed auth policy can change after the manager is constructed.
+   * better-auth itself is created lazily, so changing config before the first
+   * request is enough. If an instance already exists, reset it so the next
+   * request rebuilds with the new policy.
+   */
+  applyConfigPatch(patch) {
+    const next = {
+      ...this.config,
+      ...patch,
+      ...patch.emailAndPassword ? {
+        emailAndPassword: {
+          ...this.config.emailAndPassword ?? {},
+          ...patch.emailAndPassword
+        }
+      } : {},
+      ...patch.plugins ? {
+        plugins: {
+          ...this.config.plugins ?? {},
+          ...patch.plugins
+        }
+      } : {}
+    };
+    if ("socialProviders" in patch) {
+      next.socialProviders = patch.socialProviders;
+    }
+    this.config = next;
+    if (this.auth && !patch.authInstance) {
+      this.auth = null;
+    }
+  }
   /**
    * Inject (or replace) the outbound email service used by better-auth
    * callbacks. Safe to call after construction but BEFORE the first
@@ -1291,8 +1335,7 @@ var AuthManager = class {
       }
     }
     const emailPasswordConfig = this.config.emailAndPassword ?? {};
-    const disableSignUpEnv = globalThis?.process?.env?.OS_DISABLE_SIGNUP;
-    const disableSignUpFromEnv = disableSignUpEnv != null ? String(disableSignUpEnv).toLowerCase() === "true" : void 0;
+    const disableSignUpFromEnv = readDisableSignUpEnv();
     const emailPassword = {
       enabled: emailPasswordConfig.enabled !== false,
       // Default to true
@@ -1317,14 +1360,16 @@ var AuthManager = class {
     const privacyUrl = resolveLegalUrl(rawPrivacyUrl, DEFAULT_PRIVACY_URL);
     const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
     const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
+    const twoFactorFromEnv = readBooleanEnv("OS_AUTH_TWO_FACTOR");
     const features = {
-      twoFactor: pluginConfig.twoFactor ?? false,
+      twoFactor: twoFactorFromEnv ?? pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
       organization: pluginConfig.organization ?? true,
       multiOrgEnabled,
       oidcProvider: oidcFromEnv ?? pluginConfig.oidcProvider ?? false,
       deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
+      admin: pluginConfig.admin ?? false,
       ...termsUrl ? { termsUrl } : {},
       ...privacyUrl ? { privacyUrl } : {}
     };
@@ -1443,6 +1488,30 @@ var AuthPlugin = class {
       ...options
     };
   }
+  /**
+   * Open-source provider fallback: enable Google sign-in from conventional
+   * provider env vars when the application did not configure Google itself.
+   * Enterprise / product packages can contribute richer provider sets through
+   * the `auth:configure` hook below.
+   */
+  applyEnvSocialProviderFallbacks(config) {
+    const env = globalThis?.process?.env;
+    if (String(env?.OS_AUTH_GOOGLE_ENABLED ?? "true").toLowerCase() === "false") return;
+    const googleClientId = env?.GOOGLE_CLIENT_ID;
+    const googleClientSecret = env?.GOOGLE_CLIENT_SECRET;
+    if (!googleClientId || !googleClientSecret) return;
+    const socialProviders = {
+      ...config.socialProviders ?? {}
+    };
+    if (!socialProviders.google) {
+      socialProviders.google = {
+        clientId: googleClientId,
+        clientSecret: googleClientSecret,
+        enabled: true
+      };
+      config.socialProviders = socialProviders;
+    }
+  }
   async init(ctx) {
     ctx.logger.info("Initializing Auth Plugin...");
     if (!this.options.secret) {
@@ -1452,10 +1521,14 @@ var AuthPlugin = class {
     if (!dataEngine) {
       ctx.logger.warn("No data engine service found - auth will use in-memory storage");
     }
-    this.authManager = new AuthManager({
+    const authConfig = {
       ...this.options,
       dataEngine
-    });
+    };
+    this.applyEnvSocialProviderFallbacks(authConfig);
+    await ctx.trigger("auth:configure", authConfig, ctx);
+    this.configuredSocialProviders = authConfig.socialProviders ? { ...authConfig.socialProviders } : void 0;
+    this.authManager = new AuthManager(authConfig);
     ctx.registerService("auth", this.authManager);
     ctx.getService("manifest").register({
       ...authPluginManifestHeader,
@@ -1484,7 +1557,9 @@ var AuthPlugin = class {
       // (e.g. legacy `users.view` had phone/status/active columns that do
       // not exist on sys_user). Schema-embedded listViews is the single
       // source of truth.
-      dashboards: [SystemOverviewDashboard]
+      dashboards: [SystemOverviewDashboard],
+      // ADR-0021 — datasets backing the System Overview dashboard's widgets.
+      datasets: SystemOverviewDatasets
     });
     ctx.logger.info("Auth Plugin initialized successfully");
   }
@@ -1496,6 +1571,7 @@ var AuthPlugin = class {
     if (this.options.registerRoutes) {
       ctx.hook("kernel:ready", async () => {
         if (this.authManager) {
+          await this.bindAuthSettings(ctx);
           try {
             const emailSvc = ctx.getService("email");
             if (emailSvc) {
@@ -1582,6 +1658,97 @@ var AuthPlugin = class {
     }
     ctx.logger.info("Auth Plugin started successfully");
   }
+  /**
+   * Bind the small open-source auth settings namespace to better-auth config.
+   *
+   * Only explicit settings values (stored or OS_AUTH_* env overrides) affect
+   * runtime config. Manifest defaults are UI defaults and do not mask code or
+   * deployment configuration.
+   */
+  async bindAuthSettings(ctx) {
+    if (!this.authManager) return;
+    let settings;
+    try {
+      settings = ctx.getService("settings");
+    } catch {
+      return;
+    }
+    if (!settings || typeof settings.getNamespace !== "function") return;
+    const applySettings = async () => {
+      if (!this.authManager) return;
+      try {
+        const payload = await settings.getNamespace("auth");
+        const values = {};
+        const sources = {};
+        for (const [key, entry] of Object.entries(payload.values)) {
+          values[key] = entry?.value;
+          sources[key] = entry?.source;
+        }
+        const isExplicit = (key) => (sources[key] ?? "default") !== "default";
+        const asBoolean = (value, fallback) => {
+          if (typeof value === "boolean") return value;
+          if (typeof value === "string") return value.toLowerCase() !== "false";
+          if (typeof value === "number") return value !== 0;
+          return fallback;
+        };
+        const asTrimmedString = (value) => {
+          if (typeof value !== "string") return void 0;
+          const trimmed = value.trim();
+          return trimmed ? trimmed : void 0;
+        };
+        const patch = {};
+        const emailAndPassword = {};
+        if (isExplicit("email_password_enabled")) {
+          emailAndPassword.enabled = asBoolean(values.email_password_enabled, true);
+        }
+        if (isExplicit("signup_enabled")) {
+          emailAndPassword.disableSignUp = !asBoolean(values.signup_enabled, true);
+        }
+        if (isExplicit("require_email_verification")) {
+          emailAndPassword.requireEmailVerification = asBoolean(
+            values.require_email_verification,
+            false
+          );
+        }
+        if (Object.keys(emailAndPassword).length > 0) {
+          patch.emailAndPassword = emailAndPassword;
+        }
+        if (isExplicit("google_enabled") || isExplicit("google_client_id") || isExplicit("google_client_secret")) {
+          const socialProviders = {
+            ...this.configuredSocialProviders ?? {}
+          };
+          const env = globalThis?.process?.env;
+          const googleEnabledFromEnv = env?.OS_AUTH_GOOGLE_ENABLED != null ? asBoolean(env.OS_AUTH_GOOGLE_ENABLED, true) : void 0;
+          const googleClientId = asTrimmedString(values.google_client_id) ?? env?.GOOGLE_CLIENT_ID;
+          const googleClientSecret = asTrimmedString(values.google_client_secret) ?? env?.GOOGLE_CLIENT_SECRET;
+          if (googleEnabledFromEnv ?? (isExplicit("google_enabled") ? asBoolean(values.google_enabled, true) : true)) {
+            if (!socialProviders.google && googleClientId && googleClientSecret) {
+              socialProviders.google = {
+                clientId: googleClientId,
+                clientSecret: googleClientSecret,
+                enabled: true
+              };
+            }
+          } else {
+            delete socialProviders.google;
+          }
+          patch.socialProviders = Object.keys(socialProviders).length > 0 ? socialProviders : void 0;
+        }
+        if (Object.keys(patch).length > 0) {
+          this.authManager.applyConfigPatch(patch);
+        }
+      } catch (err) {
+        ctx.logger.warn("Auth: failed to apply auth settings: " + (err?.message ?? err));
+      }
+    };
+    await applySettings();
+    if (typeof settings.subscribe === "function") {
+      settings.subscribe("auth", () => {
+        void applySettings();
+      });
+      ctx.logger.info("Auth: bound to settings namespace=auth");
+    }
+  }
   async destroy() {
     this.authManager = null;
   }