npm - @objectstack/plugin-auth - Versions diffs - 8.0.1 → 9.0.1 - Mend

@objectstack/plugin-auth 8.0.1 → 9.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.mjs CHANGED Viewed

@@ -5,7 +5,8 @@ import {
   SETUP_NAV_CONTRIBUTIONS,
   STUDIO_APP,
   ACCOUNT_APP,
-  SystemOverviewDashboard
+  SystemOverviewDashboard,
+  SystemOverviewDatasets
 } from "@objectstack/platform-objects/apps";
 import { SysOrganizationDetailPage, SysUserDetailPage } from "@objectstack/platform-objects/pages";
@@ -511,6 +512,18 @@ function installWebContainerRequestStatePolyfill() {
     );
   }
 }
+function readBooleanEnv(name, legacyName) {
+  const env = globalThis?.process?.env;
+  const raw = env?.[name] ?? (legacyName ? env?.[legacyName] : void 0);
+  if (raw == null) return void 0;
+  const normalized = String(raw).trim().toLowerCase();
+  return !["0", "false", "off", "no"].includes(normalized);
+}
+function readDisableSignUpEnv() {
+  const signupEnabled = readBooleanEnv("OS_AUTH_SIGNUP_ENABLED");
+  if (signupEnabled != null) return !signupEnabled;
+  return readBooleanEnv("OS_DISABLE_SIGNUP");
+}
 var AuthManager = class {
   constructor(config) {
     this.auth = null;
@@ -594,13 +607,10 @@ var AuthManager = class {
       // Social / OAuth providers
       ...this.config.socialProviders ? { socialProviders: this.config.socialProviders } : {},
       // Email and password configuration.
-      // `disableSignUp`: the env var `OS_DISABLE_SIGNUP=true` overrides
-      // the config-file value so deployments can flip the toggle without
-      // a code change (`getPublicConfig()` applies the same precedence so
-      // `/auth/config` stays consistent with the server enforcement).
+      // `disableSignUp`: env overrides config/settings so deployments can
+      // lock the registration policy without relying on UI state.
       emailAndPassword: (() => {
-        const disableSignUpEnv = globalThis?.process?.env?.OS_DISABLE_SIGNUP;
-        const disableSignUpFromEnv = disableSignUpEnv != null ? String(disableSignUpEnv).toLowerCase() === "true" : void 0;
+        const disableSignUpFromEnv = readDisableSignUpEnv();
         const effectiveDisableSignUp = disableSignUpFromEnv ?? this.config.emailAndPassword?.disableSignUp;
         return {
           enabled: this.config.emailAndPassword?.enabled ?? true,
@@ -815,9 +825,10 @@ var AuthManager = class {
     const plugins = [];
     const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
     const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
+    const twoFactorFromEnv = readBooleanEnv("OS_AUTH_TWO_FACTOR");
     const enabled = {
       organization: pluginConfig.organization ?? true,
-      twoFactor: pluginConfig.twoFactor ?? false,
+      twoFactor: twoFactorFromEnv ?? pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
       oidcProvider: oidcFromEnv ?? pluginConfig.oidcProvider ?? false,
@@ -1088,16 +1099,19 @@ var AuthManager = class {
             });
             return (Array.isArray(members) ? members : []).some((m) => {
               const raw = typeof m?.role === "string" ? m.role : "";
-              const roles = raw.split(",").map((s) => s.trim().toLowerCase());
-              return roles.includes("owner") || roles.includes("admin");
+              const roles2 = raw.split(",").map((s) => s.trim().toLowerCase());
+              return roles2.includes("owner") || roles2.includes("admin");
             });
           } catch {
             return false;
           }
         };
         const promote = await isPlatformAdmin() || await isActiveOrgAdmin();
-        if (!promote) return { user, session };
-        return { user: { ...user, role: "admin" }, session };
+        const storedRole = typeof user.role === "string" ? user.role : "";
+        const roles = storedRole.split(",").map((s) => s.trim()).filter(Boolean);
+        if (promote && !roles.includes("admin")) roles.push("admin");
+        if (!promote) return { user: { ...user, roles }, session };
+        return { user: { ...user, role: "admin", roles }, session };
       }));
     }
     return plugins;
@@ -1159,6 +1173,39 @@ var AuthManager = class {
     }
     this.config = { ...this.config, baseUrl: url };
   }
+  /**
+   * Merge runtime configuration into the manager.
+   *
+   * Settings-backed auth policy can change after the manager is constructed.
+   * better-auth itself is created lazily, so changing config before the first
+   * request is enough. If an instance already exists, reset it so the next
+   * request rebuilds with the new policy.
+   */
+  applyConfigPatch(patch) {
+    const next = {
+      ...this.config,
+      ...patch,
+      ...patch.emailAndPassword ? {
+        emailAndPassword: {
+          ...this.config.emailAndPassword ?? {},
+          ...patch.emailAndPassword
+        }
+      } : {},
+      ...patch.plugins ? {
+        plugins: {
+          ...this.config.plugins ?? {},
+          ...patch.plugins
+        }
+      } : {}
+    };
+    if ("socialProviders" in patch) {
+      next.socialProviders = patch.socialProviders;
+    }
+    this.config = next;
+    if (this.auth && !patch.authInstance) {
+      this.auth = null;
+    }
+  }
   /**
    * Inject (or replace) the outbound email service used by better-auth
    * callbacks. Safe to call after construction but BEFORE the first
@@ -1291,8 +1338,7 @@ var AuthManager = class {
       }
     }
     const emailPasswordConfig = this.config.emailAndPassword ?? {};
-    const disableSignUpEnv = globalThis?.process?.env?.OS_DISABLE_SIGNUP;
-    const disableSignUpFromEnv = disableSignUpEnv != null ? String(disableSignUpEnv).toLowerCase() === "true" : void 0;
+    const disableSignUpFromEnv = readDisableSignUpEnv();
     const emailPassword = {
       enabled: emailPasswordConfig.enabled !== false,
       // Default to true
@@ -1317,14 +1363,16 @@ var AuthManager = class {
     const privacyUrl = resolveLegalUrl(rawPrivacyUrl, DEFAULT_PRIVACY_URL);
     const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
     const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
+    const twoFactorFromEnv = readBooleanEnv("OS_AUTH_TWO_FACTOR");
     const features = {
-      twoFactor: pluginConfig.twoFactor ?? false,
+      twoFactor: twoFactorFromEnv ?? pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
       organization: pluginConfig.organization ?? true,
       multiOrgEnabled,
       oidcProvider: oidcFromEnv ?? pluginConfig.oidcProvider ?? false,
       deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
+      admin: pluginConfig.admin ?? false,
       ...termsUrl ? { termsUrl } : {},
       ...privacyUrl ? { privacyUrl } : {}
     };
@@ -1443,6 +1491,30 @@ var AuthPlugin = class {
       ...options
     };
   }
+  /**
+   * Open-source provider fallback: enable Google sign-in from conventional
+   * provider env vars when the application did not configure Google itself.
+   * Enterprise / product packages can contribute richer provider sets through
+   * the `auth:configure` hook below.
+   */
+  applyEnvSocialProviderFallbacks(config) {
+    const env = globalThis?.process?.env;
+    if (String(env?.OS_AUTH_GOOGLE_ENABLED ?? "true").toLowerCase() === "false") return;
+    const googleClientId = env?.GOOGLE_CLIENT_ID;
+    const googleClientSecret = env?.GOOGLE_CLIENT_SECRET;
+    if (!googleClientId || !googleClientSecret) return;
+    const socialProviders = {
+      ...config.socialProviders ?? {}
+    };
+    if (!socialProviders.google) {
+      socialProviders.google = {
+        clientId: googleClientId,
+        clientSecret: googleClientSecret,
+        enabled: true
+      };
+      config.socialProviders = socialProviders;
+    }
+  }
   async init(ctx) {
     ctx.logger.info("Initializing Auth Plugin...");
     if (!this.options.secret) {
@@ -1452,10 +1524,14 @@ var AuthPlugin = class {
     if (!dataEngine) {
       ctx.logger.warn("No data engine service found - auth will use in-memory storage");
     }
-    this.authManager = new AuthManager({
+    const authConfig = {
       ...this.options,
       dataEngine
-    });
+    };
+    this.applyEnvSocialProviderFallbacks(authConfig);
+    await ctx.trigger("auth:configure", authConfig, ctx);
+    this.configuredSocialProviders = authConfig.socialProviders ? { ...authConfig.socialProviders } : void 0;
+    this.authManager = new AuthManager(authConfig);
     ctx.registerService("auth", this.authManager);
     ctx.getService("manifest").register({
       ...authPluginManifestHeader,
@@ -1484,7 +1560,9 @@ var AuthPlugin = class {
       // (e.g. legacy `users.view` had phone/status/active columns that do
       // not exist on sys_user). Schema-embedded listViews is the single
       // source of truth.
-      dashboards: [SystemOverviewDashboard]
+      dashboards: [SystemOverviewDashboard],
+      // ADR-0021 — datasets backing the System Overview dashboard's widgets.
+      datasets: SystemOverviewDatasets
     });
     ctx.logger.info("Auth Plugin initialized successfully");
   }
@@ -1496,6 +1574,7 @@ var AuthPlugin = class {
     if (this.options.registerRoutes) {
       ctx.hook("kernel:ready", async () => {
         if (this.authManager) {
+          await this.bindAuthSettings(ctx);
           try {
             const emailSvc = ctx.getService("email");
             if (emailSvc) {
@@ -1582,6 +1661,97 @@ var AuthPlugin = class {
     }
     ctx.logger.info("Auth Plugin started successfully");
   }
+  /**
+   * Bind the small open-source auth settings namespace to better-auth config.
+   *
+   * Only explicit settings values (stored or OS_AUTH_* env overrides) affect
+   * runtime config. Manifest defaults are UI defaults and do not mask code or
+   * deployment configuration.
+   */
+  async bindAuthSettings(ctx) {
+    if (!this.authManager) return;
+    let settings;
+    try {
+      settings = ctx.getService("settings");
+    } catch {
+      return;
+    }
+    if (!settings || typeof settings.getNamespace !== "function") return;
+    const applySettings = async () => {
+      if (!this.authManager) return;
+      try {
+        const payload = await settings.getNamespace("auth");
+        const values = {};
+        const sources = {};
+        for (const [key, entry] of Object.entries(payload.values)) {
+          values[key] = entry?.value;
+          sources[key] = entry?.source;
+        }
+        const isExplicit = (key) => (sources[key] ?? "default") !== "default";
+        const asBoolean = (value, fallback) => {
+          if (typeof value === "boolean") return value;
+          if (typeof value === "string") return value.toLowerCase() !== "false";
+          if (typeof value === "number") return value !== 0;
+          return fallback;
+        };
+        const asTrimmedString = (value) => {
+          if (typeof value !== "string") return void 0;
+          const trimmed = value.trim();
+          return trimmed ? trimmed : void 0;
+        };
+        const patch = {};
+        const emailAndPassword = {};
+        if (isExplicit("email_password_enabled")) {
+          emailAndPassword.enabled = asBoolean(values.email_password_enabled, true);
+        }
+        if (isExplicit("signup_enabled")) {
+          emailAndPassword.disableSignUp = !asBoolean(values.signup_enabled, true);
+        }
+        if (isExplicit("require_email_verification")) {
+          emailAndPassword.requireEmailVerification = asBoolean(
+            values.require_email_verification,
+            false
+          );
+        }
+        if (Object.keys(emailAndPassword).length > 0) {
+          patch.emailAndPassword = emailAndPassword;
+        }
+        if (isExplicit("google_enabled") || isExplicit("google_client_id") || isExplicit("google_client_secret")) {
+          const socialProviders = {
+            ...this.configuredSocialProviders ?? {}
+          };
+          const env = globalThis?.process?.env;
+          const googleEnabledFromEnv = env?.OS_AUTH_GOOGLE_ENABLED != null ? asBoolean(env.OS_AUTH_GOOGLE_ENABLED, true) : void 0;
+          const googleClientId = asTrimmedString(values.google_client_id) ?? env?.GOOGLE_CLIENT_ID;
+          const googleClientSecret = asTrimmedString(values.google_client_secret) ?? env?.GOOGLE_CLIENT_SECRET;
+          if (googleEnabledFromEnv ?? (isExplicit("google_enabled") ? asBoolean(values.google_enabled, true) : true)) {
+            if (!socialProviders.google && googleClientId && googleClientSecret) {
+              socialProviders.google = {
+                clientId: googleClientId,
+                clientSecret: googleClientSecret,
+                enabled: true
+              };
+            }
+          } else {
+            delete socialProviders.google;
+          }
+          patch.socialProviders = Object.keys(socialProviders).length > 0 ? socialProviders : void 0;
+        }
+        if (Object.keys(patch).length > 0) {
+          this.authManager.applyConfigPatch(patch);
+        }
+      } catch (err) {
+        ctx.logger.warn("Auth: failed to apply auth settings: " + (err?.message ?? err));
+      }
+    };
+    await applySettings();
+    if (typeof settings.subscribe === "function") {
+      settings.subscribe("auth", () => {
+        void applySettings();
+      });
+      ctx.logger.info("Auth: bound to settings namespace=auth");
+    }
+  }
   async destroy() {
     this.authManager = null;
   }