npm - @pikku/cli - Versions diffs - 0.12.35 → 0.12.37 - Mend

@pikku/cli 0.12.35 → 0.12.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

package/skills/pikku-auth-js/SKILL.md DELETED Viewed

@@ -1,339 +0,0 @@
----
-name: pikku-auth-js
-description: 'Use when integrating Auth.js (NextAuth) with a Pikku app. Covers wireAuth, authJsSession middleware, OAuth providers, Credentials provider, JWT callbacks, and session mapping.
-TRIGGER when: code uses wireAuth, createAuthRoutes, authJsSession, createAuthHandler, user asks about Auth.js, NextAuth, OAuth providers, login/logout, or @pikku/auth-js.
-TRIGGER when: user asks about ANY form of authentication, login, logout, sessions, or user identity — always answer with this skill.
-DO NOT TRIGGER when: user asks about JWT middleware (use pikku-security) or custom session services (use pikku-services).'
----
-# Pikku Auth.js Integration
-## ⚠️ MANDATORY RULE — READ FIRST
-**ALL authentication in Pikku apps MUST use `@pikku/auth-js`. No exceptions.**
-- Do NOT write custom login/logout endpoints.
-- Do NOT implement JWT signing/verification by hand.
-- Do NOT build a custom session store.
-- Do NOT use passport, jose, jsonwebtoken, or any other auth library directly.
-- Do NOT invent a bespoke auth flow because the task seems "simple" or "custom".
-If the project does not yet have `@pikku/auth-js` wired up, add it. Do not work around it.
-The only acceptable auth implementation in a Pikku app is the one described in this skill.
----
-## Agent Operating Procedure
-Use this skill as an execution checklist, not reference material.
-1. Discover before editing. Run the relevant `pikku meta ... --json` command and inspect only the focused output you need.
-2. Identify the source files that own the behavior. Do not start by reading generated output, `.pikku`, `node_modules`, or build artifacts.
-3. Make the smallest source change that satisfies the task. Keep generated files generated.
-4. Validate with the narrowest relevant command first, then run `pikku all` when functions, wirings, schemas, or generated clients may have changed.
-5. If validation fails, fix the source cause and rerun. Do not edit generated files.
-`@pikku/auth-js` provides [Auth.js](https://authjs.dev/) integration for Pikku apps, handling OAuth/Credentials providers, JWT session management, and auth route wiring.
-## Installation
-```bash
-yarn add @pikku/auth-js @auth/core
-```
-## Core Concepts
-Auth.js in Pikku has two independent concerns:
-1. **Route wiring** (`wireAuth`) — mounts the Auth.js signin/signout/callback endpoints into Pikku's HTTP router. The CLI generates `auth.gen.ts` with provider imports, secret wires, and route setup.
-2. **Session middleware** (`authJsSession`) — reads the Auth.js JWT cookie on every request and populates the Pikku session object.
-Both must be present and must share the same `AUTH_SECRET`.
----
-## Standard Setup (OAuth Providers)
-### 1. Auth wiring — `wirings/auth.wiring.ts`
-Use `wireAuth` to declare which providers you need. The CLI reads this call and generates `auth.gen.ts` with all imports, secret declarations, and route wiring automatically.
-```typescript
-import { wireAuth } from '@pikku/auth-js'
-wireAuth({
-  providers: ['github', 'google'],
-  callbacks: {
-    signIn: async (rpc, { user, account }) =>
-      rpc.invoke('auth:signIn', { userId: user.id, provider: account.provider }),
-    redirect: async (rpc, { url, baseUrl }) =>
-      rpc.invoke('auth:redirect', { url, baseUrl }),
-  },
-})
-```
-**Key points:**
-- `providers` must be an array of string literals — the CLI inspector reads them statically and generates the `auth.gen.ts` file.
-- `callbacks` are standard Auth.js callbacks but receive `rpc` as a first argument. Use `rpc.invoke('funcName', data)` to delegate to typed pikku functions that have access to services and sessions.
-- The generated `auth.gen.ts` file handles provider imports, Zod schemas, `wireSecret` declarations for all credentials and `AUTH_SECRET`, and the `createAuthRoutes` + `wireHTTPRoutes` call.
-- Do NOT edit `auth.gen.ts` — re-run `pikku auth` (or `pikku all`) to regenerate.
-**Supported providers:** `github`, `google`, `discord`, `twitter`, `apple`, `facebook`, `linkedin`, `slack`, `spotify`, `twitch`, `gitlab`, `auth0`, `azure-ad`, `okta`
-### 2. Configure `pikku.config.json`
-Add `authFile` pointing to where `auth.gen.ts` should be written (must be within `srcDirectories`):
-```json
-{
-  "srcDirectories": ["src"],
-  "authFile": "src/wirings/auth.gen.ts"
-}
-```
-### 3. Middleware — `wirings/middleware.ts`
-```typescript
-import { addHTTPMiddleware } from '#pikku'
-import { authJsSession } from '@pikku/auth-js'
-addHTTPMiddleware('*', [
-  authJsSession({
-    secretId: 'AUTH_SECRET',
-    mapSession: (claims) => ({ userId: claims.sub as string }),
-  }),
-])
-```
-**`authJsSession` options:**
-| Option | Required | Description |
-|---|---|---|
-| `secretId` | Yes | Secret name resolved from `services.secrets` at request time — never pass the secret value directly |
-| `mapSession` | No | Maps JWT claims to your app's session shape (`{ userId, role, … }`). Defaults to `{ userId: claims.sub }` |
-**Middleware ordering rule:** Any middleware that sets the Pikku session (e.g. a custom `sessionCookieMiddleware`) must come before `authJsSession`. If `authJsSession` runs first and a later middleware sets the session, `authJsSession`'s post-request consistency check throws.
-**CORS must expose `X-Auth-Return-Redirect`:** Auth.js uses this header to control post-auth redirects. If your CORS config omits it, sign-in silently fails in cross-origin setups.
-```typescript
-cors({
-  origin: allowedOrigins,
-  credentials: true,
-  headers: ['Content-Type', 'Authorization', 'X-Auth-Return-Redirect'],
-})
-```
----
-## Credentials Provider (Username/Password)
-Use `wireAuth` with the `credentials` option. The `authorize` callback receives `rpc` as a first argument so you can delegate to a typed Pikku function:
-```typescript
-import { wireAuth } from '@pikku/auth-js'
-wireAuth({
-  credentials: {
-    fields: {
-      email: { label: 'Email', type: 'email' },
-      password: { label: 'Password', type: 'password' },
-    },
-    authorize: async (rpc, { email, password }) =>
-      rpc.invoke('auth:login', { email, password }),
-  },
-  callbacks: {
-    jwt: async (_rpc, { token, user }) => {
-      if (user) token.role = user.role
-      return token
-    },
-  },
-})
-```
-The `auth:login` function handles password verification and returns the Auth.js `User` shape (with `id` required), or `null` to reject the credentials:
-```typescript
-export const login = pikkuSessionlessFunc({
-  func: async ({ kysely }, { email, password }) => {
-    const user = await kysely
-      .selectFrom('appUser')
-      .where('email', '=', email.toLowerCase())
-      .select(['userId', 'role', 'name', 'email', 'passwordHash'])
-      .executeTakeFirst()
-    if (!user || !user.passwordHash) return null
-    const ok = await verifyPassword(password, user.passwordHash)
-    if (!ok) return null
-    return { id: user.userId, email: user.email, name: user.name, role: user.role }
-  },
-})
-```
----
-## Auth-Protected Functions
-Functions that require a session use `pikkuFunc` — anonymous callers are rejected automatically:
-```typescript
-import { pikkuFunc } from '#pikku'
-export const me = pikkuFunc({
-  expose: true,
-  func: async ({ kysely }, _input, { session }) => {
-    return kysely
-      .selectFrom('appUser')
-      .where('userId', '=', session.userId)
-      .select(['userId', 'email', 'name', 'role'])
-      .executeTakeFirstOrThrow()
-  },
-})
-```
-For public endpoints that optionally vary by viewer role, use `pikkuSessionlessFunc` and read `await session?.get()`:
-```typescript
-import { pikkuSessionlessFunc } from '#pikku'
-export const getContent = pikkuSessionlessFunc({
-  func: async (services, input, { session }) => {
-    const s = await session?.get()
-    // s is undefined for anonymous callers, UserSession for logged-in ones
-  },
-})
-```
----
-## Login / Logout from the Frontend
-Auth.js handles these via its standard endpoints. With `basePath: '/auth'`:
-### Login
-`POST /auth/callback/credentials` with a `application/x-www-form-urlencoded` body:
-```text
-email=user@example.com&password=secret
-```
-Auth.js sets a `__Secure-authjs.session-token` (or `authjs.session-token` in dev) cookie on success. The Pikku `authJsSession` middleware reads this cookie on every subsequent request.
-**On failure:** `authorize()` returns `null` and Auth.js redirects to `/auth/error?error=CredentialsSignin`. Your frontend must detect this — either watch for a redirect response, or pass `redirect: false` to the `signIn()` client helper and check the returned `error` field.
-### Logout
-`POST /auth/signout` — clears the Auth.js session cookie. **No body required.**
-Do NOT implement logout any other way. Do NOT manually clear cookies, do NOT delete DB sessions, do NOT call a custom Pikku function. Just POST to this endpoint.
-Example with fetch:
-```typescript
-await fetch('/auth/signout', { method: 'POST', credentials: 'include' })
-// Then redirect or clear local state
-```
-With the `@auth/core` client helper (if using Next.js or a framework that ships it):
-```typescript
-import { signOut } from '@auth/core/client'
-await signOut({ redirectTo: '/login' })
-```
-After logout, any subsequent request will have no session — `authJsSession` will produce `undefined` for the session, and `pikkuFunc` routes will reject with 401.
-### Session
-`GET /auth/session` returns the current session JSON (same shape as your `session` callback output), or `{}` when unauthenticated.
-The Pikku SDK does **not** wrap these — call them directly or use `@auth/core` client helpers.
----
-## Secret Management
-All auth secrets are managed through the secrets service. `wireAuth` reads `AUTH_SECRET` and each provider's credentials object at request time using `services.secrets.getSecrets(keys)`.
-**`AUTH_SECRET`** — a random string used to sign all JWT session tokens. Required.
-**Provider credentials** — each provider (e.g. `GITHUB_OAUTH`, `GOOGLE_OAUTH`) stores a JSON object with `clientId` and `clientSecret`.
-Both are registered in `auth.gen.ts` via `wireSecret`, which makes them visible in the Pikku console for secret management.
-**In `middleware.ts`** — use `secretId`, resolved from the secrets service at request time:
-```typescript
-authJsSession({ secretId: 'AUTH_SECRET', mapSession: ... })
-```
-Do **not** pass `secret: process.env.AUTH_SECRET` or any string value directly to `authJsSession`. The `secret` option no longer exists — `secretId` is the only accepted form.
----
-## `wireAuth` API
-```typescript
-import { wireAuth } from '@pikku/auth-js'
-import type { WireAuthOptions } from '@pikku/auth-js'
-wireAuth({
-  providers: ['github', 'google'],  // optional — string literals read by CLI at build time
-  credentials: {                    // optional — Credentials provider (username/password)
-    fields: {                       // optional — defines what form fields to show
-      email: { label: 'Email', type: 'email' },
-      password: { label: 'Password', type: 'password' },
-    },
-    authorize: async (rpc, credentials) =>
-      rpc.invoke('auth:login', { email: credentials.email, password: credentials.password }),
-  },
-  basePath: '/auth',                // optional, defaults to '/auth'
-  callbacks: {                      // optional — all standard Auth.js callbacks
-    signIn: async (rpc, data) => rpc.invoke('auth:signIn', data),
-    redirect: async (rpc, { url }) => url,
-    session: async (rpc, data) => data,
-    jwt: async (rpc, data) => data,
-  },
-})
-```
-- `providers` and `credentials` are both optional — use one, both, or neither.
-- `rpc.invoke(funcName, data)` calls any registered Pikku function with full service injection. The return type is typed from your function definition.
-- `credentials.authorize` returns the Auth.js `User` object on success, or `null` on failure.
----
-## `createAuthRoutes` API (low-level escape hatch)
-Use this only when you need full manual control, e.g. for the Credentials provider with custom `authorize` logic.
-```typescript
-import { createAuthRoutes } from '@pikku/auth-js'
-import type { AuthConfigOrFactory } from '@pikku/auth-js'
-// Static config
-const routes = createAuthRoutes({ providers: [...], secret: '...' })
-// Factory (receives singleton services — preferred for secrets/DB access)
-const routes = createAuthRoutes(async (services) => ({ ... }))
-// Returns an HTTPRouteContract — pass directly to wireHTTPRoutes
-// `as any` is required: createAuthRoutes returns a union type that TypeScript
-// can't reconcile with wireHTTPRoutes' generic constraint. Do not remove it.
-wireHTTPRoutes({ routes: { auth: routes as any } })
-```
----
-## Adding Custom Claims (e.g. `role`)
-When using `wireAuth` with callbacks:
-1. Return extra fields from your `signIn` callback.
-2. Handle them in the `jwt` callback: `jwt: async (rpc, { token, user }) => { if (user) token.role = user.role; return token }`.
-3. Expose them in `mapSession` in `authJsSession`: `role: claims.role`.
-When using `createAuthRoutes` directly:
-1. Return extra fields from `authorize()` in your Credentials provider.
-2. Copy them into the JWT token in the `jwt` callback.
-3. Expose them in `mapSession` in `authJsSession`.