@qwickapps/server 1.3.0 → 1.4.0

package/dist/plugins/auth/adapters/supertokens-adapter.js

@@ -0,0 +1,267 @@
+/**
+ * Supertokens Auth Adapter
+ *
+ * Provides Supertokens authentication using EmailPassword and ThirdParty recipes.
+ * Supports email/password and social logins (Google, Apple, GitHub).
+ *
+ * Note: Requires supertokens-node v20+
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+// Keys for storing data on the request object
+const REQUEST_USER_KEY = '_supertokensUser';
+const REQUEST_RES_KEY = '_supertokensRes';
+const REQUEST_SESSION_KEY = '_supertokensSession';
+/**
+ * Create a Supertokens authentication adapter
+ *
+ * Uses EmailPassword and ThirdParty recipes (Supertokens v20+)
+ */
+export function supertokensAdapter(config) {
+    // Track initialization state
+    let initialized = false;
+    let initializationError = null;
+    return {
+        name: 'supertokens',
+        initialize() {
+            // Return middleware that lazily initializes Supertokens
+            const initMiddleware = async (req, res, next) => {
+                // Store response on request for later use in getUser()
+                req[REQUEST_RES_KEY] = res;
+                // Skip if already initialized with error
+                if (initializationError) {
+                    return res.status(500).json({
+                        error: 'Auth Configuration Error',
+                        message: 'Supertokens is not properly configured. Install supertokens-node package: npm install supertokens-node',
+                        details: initializationError.message,
+                    });
+                }
+                // Lazy initialize Supertokens
+                if (!initialized) {
+                    try {
+                        const supertokens = await import('supertokens-node');
+                        const Session = await import('supertokens-node/recipe/session');
+                        const EmailPassword = await import('supertokens-node/recipe/emailpassword');
+                        const ThirdParty = await import('supertokens-node/recipe/thirdparty');
+                        // Build recipe list - using any[] for Supertokens internal types
+                        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                        const recipeList = [];
+                        // Add EmailPassword recipe if enabled (default: true)
+                        if (config.enableEmailPassword !== false) {
+                            recipeList.push(EmailPassword.default.init());
+                        }
+                        // Add ThirdParty recipe if any social providers configured
+                        if (config.socialProviders) {
+                            // Build provider configurations using Supertokens ProviderInput type
+                            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                            const providers = [];
+                            if (config.socialProviders.google) {
+                                providers.push({
+                                    config: {
+                                        thirdPartyId: 'google',
+                                        clients: [
+                                            {
+                                                clientId: config.socialProviders.google.clientId,
+                                                clientSecret: config.socialProviders.google.clientSecret,
+                                            },
+                                        ],
+                                    },
+                                });
+                            }
+                            if (config.socialProviders.apple) {
+                                // Apple requires keyId, teamId, and privateKey in additionalConfig
+                                providers.push({
+                                    config: {
+                                        thirdPartyId: 'apple',
+                                        clients: [
+                                            {
+                                                clientId: config.socialProviders.apple.clientId,
+                                                clientSecret: config.socialProviders.apple.clientSecret,
+                                                additionalConfig: {
+                                                    keyId: config.socialProviders.apple.keyId,
+                                                    teamId: config.socialProviders.apple.teamId,
+                                                },
+                                            },
+                                        ],
+                                    },
+                                });
+                            }
+                            if (config.socialProviders.github) {
+                                providers.push({
+                                    config: {
+                                        thirdPartyId: 'github',
+                                        clients: [
+                                            {
+                                                clientId: config.socialProviders.github.clientId,
+                                                clientSecret: config.socialProviders.github.clientSecret,
+                                            },
+                                        ],
+                                    },
+                                });
+                            }
+                            if (providers.length > 0) {
+                                recipeList.push(ThirdParty.default.init({
+                                    signInAndUpFeature: {
+                                        providers,
+                                    },
+                                }));
+                            }
+                        }
+                        // Always add Session recipe
+                        recipeList.push(Session.default.init());
+                        // Initialize Supertokens
+                        supertokens.default.init({
+                            framework: 'express',
+                            supertokens: {
+                                connectionURI: config.connectionUri,
+                                apiKey: config.apiKey,
+                            },
+                            appInfo: {
+                                appName: config.appName,
+                                apiDomain: config.apiDomain,
+                                websiteDomain: config.websiteDomain,
+                                apiBasePath: config.apiBasePath ?? '/auth',
+                                websiteBasePath: config.websiteBasePath ?? '/auth',
+                            },
+                            recipeList,
+                        });
+                        initialized = true;
+                    }
+                    catch (error) {
+                        initializationError =
+                            error instanceof Error ? error : new Error('Failed to initialize Supertokens');
+                        console.error('[SupertokensAdapter] Initialization error:', error);
+                        return res.status(500).json({
+                            error: 'Auth Configuration Error',
+                            message: 'Supertokens is not properly configured. Install supertokens-node package: npm install supertokens-node',
+                            details: initializationError.message,
+                        });
+                    }
+                }
+                next();
+            };
+            // Supertokens middleware for handling auth routes
+            const supertokensMiddleware = async (req, res, next) => {
+                if (!initialized) {
+                    return next();
+                }
+                try {
+                    const { middleware } = await import('supertokens-node/framework/express');
+                    middleware()(req, res, next);
+                }
+                catch {
+                    next();
+                }
+            };
+            return [initMiddleware, supertokensMiddleware];
+        },
+        isAuthenticated(req) {
+            const extReq = req;
+            // Check if we already validated this request
+            if (extReq[REQUEST_USER_KEY]) {
+                return true;
+            }
+            // Check if session was already retrieved
+            if (extReq[REQUEST_SESSION_KEY]) {
+                return true;
+            }
+            // For synchronous check, we can only check if session cookies exist
+            // Full validation happens in getUser()
+            // Supertokens uses cookies, so we check for session tokens
+            const cookies = req.cookies || {};
+            const accessToken = cookies.sAccessToken;
+            const refreshToken = cookies.sRefreshToken;
+            // Also check for Authorization header (for API clients)
+            const authHeader = req.headers.authorization;
+            const hasBearerToken = authHeader?.startsWith('Bearer ');
+            return !!(accessToken || refreshToken || hasBearerToken);
+        },
+        async getUser(req) {
+            const extReq = req;
+            // Return cached user if available
+            const cachedUser = extReq[REQUEST_USER_KEY];
+            if (cachedUser) {
+                return cachedUser;
+            }
+            if (!initialized) {
+                return null;
+            }
+            // Get response object stored during middleware
+            const res = extReq[REQUEST_RES_KEY];
+            if (!res) {
+                console.error('[SupertokensAdapter] Response object not found on request');
+                return null;
+            }
+            try {
+                const Session = await import('supertokens-node/recipe/session');
+                const supertokens = await import('supertokens-node');
+                // Get session - sessionRequired: false means it won't throw if no session
+                const session = await Session.default.getSession(req, res, {
+                    sessionRequired: false,
+                });
+                if (!session) {
+                    return null;
+                }
+                // Cache session for isAuthenticated check
+                extReq[REQUEST_SESSION_KEY] = session;
+                const userId = session.getUserId();
+                // Get user info from Supertokens
+                const userInfo = await supertokens.default.getUser(userId);
+                if (!userInfo) {
+                    return null;
+                }
+                // Get roles from session access token payload if available
+                const accessTokenPayload = session.getAccessTokenPayload();
+                const roles = accessTokenPayload?.roles || [];
+                // Map Supertokens user to AuthenticatedUser
+                const user = {
+                    id: userId,
+                    email: userInfo.emails?.[0] ?? '',
+                    name: accessTokenPayload?.name ||
+                        userInfo.thirdParty?.[0]?.userId ||
+                        userInfo.emails?.[0]?.split('@')[0],
+                    picture: accessTokenPayload?.picture,
+                    emailVerified: userInfo.emails?.[0] ? true : false,
+                    roles,
+                    raw: {
+                        ...userInfo,
+                        sessionHandle: session.getHandle(),
+                        accessTokenPayload,
+                    },
+                };
+                // Cache on request object
+                extReq[REQUEST_USER_KEY] = user;
+                return user;
+            }
+            catch (error) {
+                console.error('[SupertokensAdapter] Error getting user:', error);
+                return null;
+            }
+        },
+        hasRoles(req, roles) {
+            const extReq = req;
+            const user = extReq[REQUEST_USER_KEY];
+            if (!user?.roles)
+                return false;
+            return roles.every((role) => user.roles?.includes(role));
+        },
+        getAccessToken(_req) {
+            // Supertokens uses session cookies, not access tokens
+            // Return null as per the design decision
+            return null;
+        },
+        onUnauthorized(_req, res) {
+            res.status(401).json({
+                error: 'Unauthorized',
+                message: 'Authentication required. Please sign in.',
+                hint: 'Use the /auth endpoints to authenticate',
+            });
+        },
+        async shutdown() {
+            // Supertokens doesn't require explicit cleanup
+            initialized = false;
+            initializationError = null;
+        },
+    };
+}
+//# sourceMappingURL=supertokens-adapter.js.map

package/dist/plugins/auth/adapters/supertokens-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"supertokens-adapter.js","sourceRoot":"","sources":["../../../../src/plugins/auth/adapters/supertokens-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,8CAA8C;AAC9C,MAAM,gBAAgB,GAAG,kBAAkB,CAAC;AAC5C,MAAM,eAAe,GAAG,iBAAiB,CAAC;AAC1C,MAAM,mBAAmB,GAAG,qBAAqB,CAAC;AASlD;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAgC;IACjE,6BAA6B;IAC7B,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,IAAI,mBAAmB,GAAiB,IAAI,CAAC;IAE7C,OAAO;QACL,IAAI,EAAE,aAAa;QAEnB,UAAU;YACR,wDAAwD;YACxD,MAAM,cAAc,GAAmB,KAAK,EAC1C,GAAY,EACZ,GAAa,EACb,IAA6B,EAC7B,EAAE;gBACF,uDAAuD;gBACtD,GAAkC,CAAC,eAAe,CAAC,GAAG,GAAG,CAAC;gBAE3D,yCAAyC;gBACzC,IAAI,mBAAmB,EAAE,CAAC;oBACxB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;wBAC1B,KAAK,EAAE,0BAA0B;wBACjC,OAAO,EACL,wGAAwG;wBAC1G,OAAO,EAAE,mBAAmB,CAAC,OAAO;qBACrC,CAAC,CAAC;gBACL,CAAC;gBAED,8BAA8B;gBAC9B,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,IAAI,CAAC;wBACH,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;wBACrD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;wBAChE,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,uCAAuC,CAAC,CAAC;wBAC5E,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,oCAAoC,CAAC,CAAC;wBAEtE,iEAAiE;wBACjE,8DAA8D;wBAC9D,MAAM,UAAU,GAAU,EAAE,CAAC;wBAE7B,sDAAsD;wBACtD,IAAI,MAAM,CAAC,mBAAmB,KAAK,KAAK,EAAE,CAAC;4BACzC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;wBAChD,CAAC;wBAED,2DAA2D;wBAC3D,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;4BAC3B,qEAAqE;4BACrE,8DAA8D;4BAC9D,MAAM,SAAS,GAAU,EAAE,CAAC;4BAE5B,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC;gCAClC,SAAS,CAAC,IAAI,CAAC;oCACb,MAAM,EAAE;wCACN,YAAY,EAAE,QAAQ;wCACtB,OAAO,EAAE;4CACP;gDACE,QAAQ,EAAE,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ;gDAChD,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,YAAY;6CACzD;yCACF;qCACF;iCACF,CAAC,CAAC;4BACL,CAAC;4BAED,IAAI,MAAM,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;gCACjC,mEAAmE;gCACnE,SAAS,CAAC,IAAI,CAAC;oCACb,MAAM,EAAE;wCACN,YAAY,EAAE,OAAO;wCACrB,OAAO,EAAE;4CACP;gDACE,QAAQ,EAAE,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,QAAQ;gDAC/C,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,YAAY;gDACvD,gBAAgB,EAAE;oDAChB,KAAK,EAAE,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,KAAK;oDACzC,MAAM,EAAE,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,MAAM;iDAC5C;6CACF;yCACF;qCACF;iCACF,CAAC,CAAC;4BACL,CAAC;4BAED,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC;gCAClC,SAAS,CAAC,IAAI,CAAC;oCACb,MAAM,EAAE;wCACN,YAAY,EAAE,QAAQ;wCACtB,OAAO,EAAE;4CACP;gDACE,QAAQ,EAAE,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ;gDAChD,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,YAAY;6CACzD;yCACF;qCACF;iCACF,CAAC,CAAC;4BACL,CAAC;4BAED,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gCACzB,UAAU,CAAC,IAAI,CACb,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC;oCACtB,kBAAkB,EAAE;wCAClB,SAAS;qCACV;iCACF,CAAC,CACH,CAAC;4BACJ,CAAC;wBACH,CAAC;wBAED,4BAA4B;wBAC5B,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;wBAExC,yBAAyB;wBACzB,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;4BACvB,SAAS,EAAE,SAAS;4BACpB,WAAW,EAAE;gCACX,aAAa,EAAE,MAAM,CAAC,aAAa;gCACnC,MAAM,EAAE,MAAM,CAAC,MAAM;6BACtB;4BACD,OAAO,EAAE;gCACP,OAAO,EAAE,MAAM,CAAC,OAAO;gCACvB,SAAS,EAAE,MAAM,CAAC,SAAS;gCAC3B,aAAa,EAAE,MAAM,CAAC,aAAa;gCACnC,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,OAAO;gCAC1C,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,OAAO;6BACnD;4BACD,UAAU;yBACX,CAAC,CAAC;wBAEH,WAAW,GAAG,IAAI,CAAC;oBACrB,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,mBAAmB;4BACjB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;wBACjF,OAAO,CAAC,KAAK,CAAC,4CAA4C,EAAE,KAAK,CAAC,CAAC;wBACnE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;4BAC1B,KAAK,EAAE,0BAA0B;4BACjC,OAAO,EACL,wGAAwG;4BAC1G,OAAO,EAAE,mBAAmB,CAAC,OAAO;yBACrC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,IAAI,EAAE,CAAC;YACT,CAAC,CAAC;YAEF,kDAAkD;YAClD,MAAM,qBAAqB,GAAmB,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;gBACrE,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,IAAI,EAAE,CAAC;gBAChB,CAAC;gBAED,IAAI,CAAC;oBACH,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,oCAAoC,CAAC,CAAC;oBAC1E,UAAU,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;gBAC/B,CAAC;gBAAC,MAAM,CAAC;oBACP,IAAI,EAAE,CAAC;gBACT,CAAC;YACH,CAAC,CAAC;YAEF,OAAO,CAAC,cAAc,EAAE,qBAAqB,CAAC,CAAC;QACjD,CAAC;QAED,eAAe,CAAC,GAAY;YAC1B,MAAM,MAAM,GAAG,GAAiC,CAAC;YAEjD,6CAA6C;YAC7C,IAAI,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC7B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,yCAAyC;YACzC,IAAI,MAAM,CAAC,mBAAmB,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,oEAAoE;YACpE,uCAAuC;YACvC,2DAA2D;YAC3D,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;YAClC,MAAM,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC;YACzC,MAAM,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC;YAE3C,wDAAwD;YACxD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,MAAM,cAAc,GAAG,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;YAEzD,OAAO,CAAC,CAAC,CAAC,WAAW,IAAI,YAAY,IAAI,cAAc,CAAC,CAAC;QAC3D,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,GAAY;YACxB,MAAM,MAAM,GAAG,GAAiC,CAAC;YAEjD,kCAAkC;YAClC,MAAM,UAAU,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAC5C,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,UAAU,CAAC;YACpB,CAAC;YAED,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,CAAC;YACpC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;gBAC3E,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;gBAChE,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;gBAErD,0EAA0E;gBAC1E,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE;oBACzD,eAAe,EAAE,KAAK;iBACvB,CAAC,CAAC;gBAEH,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,0CAA0C;gBAC1C,MAAM,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAAC;gBAEtC,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;gBAEnC,iCAAiC;gBACjC,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBAE3D,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,OAAO,IAAI,CAAC;gBACd,CAAC;gBAED,2DAA2D;gBAC3D,MAAM,kBAAkB,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;gBAC3D,MAAM,KAAK,GAAa,kBAAkB,EAAE,KAAK,IAAI,EAAE,CAAC;gBAExD,4CAA4C;gBAC5C,MAAM,IAAI,GAAsB;oBAC9B,EAAE,EAAE,MAAM;oBACV,KAAK,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE;oBACjC,IAAI,EACF,kBAAkB,EAAE,IAAI;wBACxB,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM;wBAChC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBACrC,OAAO,EAAE,kBAAkB,EAAE,OAAO;oBACpC,aAAa,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK;oBAClD,KAAK;oBACL,GAAG,EAAE;wBACH,GAAG,QAAQ;wBACX,aAAa,EAAE,OAAO,CAAC,SAAS,EAAE;wBAClC,kBAAkB;qBACQ;iBAC7B,CAAC;gBAEF,0BAA0B;gBAC1B,MAAM,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;gBAEhC,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;gBACjE,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,QAAQ,CAAC,GAAY,EAAE,KAAe;YACpC,MAAM,MAAM,GAAG,GAAiC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACtC,IAAI,CAAC,IAAI,EAAE,KAAK;gBAAE,OAAO,KAAK,CAAC;YAC/B,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3D,CAAC;QAED,cAAc,CAAC,IAAa;YAC1B,sDAAsD;YACtD,yCAAyC;YACzC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,cAAc,CAAC,IAAa,EAAE,GAAa;YACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,0CAA0C;gBACnD,IAAI,EAAE,yCAAyC;aAChD,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,QAAQ;YACZ,+CAA+C;YAC/C,WAAW,GAAG,KAAK,CAAC;YACpB,mBAAmB,GAAG,IAAI,CAAC;QAC7B,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/plugins/auth/config-store.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Auth Configuration Store
+ *
+ * PostgreSQL-based storage for runtime auth configuration.
+ * Supports pg_notify for cross-instance hot-reload in scaled deployments.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+import type { AuthConfigStore, PostgresAuthConfigStoreConfig } from './types.js';
+export declare function postgresAuthConfigStore(config: PostgresAuthConfigStoreConfig): AuthConfigStore;
+//# sourceMappingURL=config-store.d.ts.map

package/dist/plugins/auth/config-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-store.d.ts","sourceRoot":"","sources":["../../../src/plugins/auth/config-store.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,eAAe,EAEf,6BAA6B,EAC9B,MAAM,YAAY,CAAC;AAgDpB,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,6BAA6B,GAAG,eAAe,CAmP9F"}

package/dist/plugins/auth/config-store.js

@@ -0,0 +1,232 @@
+/**
+ * Auth Configuration Store
+ *
+ * PostgreSQL-based storage for runtime auth configuration.
+ * Supports pg_notify for cross-instance hot-reload in scaled deployments.
+ *
+ * Copyright (c) 2025 QwickApps.com. All rights reserved.
+ */
+/**
+ * Create a PostgreSQL-backed auth configuration store
+ *
+ * @param config Configuration including a pg Pool instance
+ * @returns AuthConfigStore implementation
+ *
+ * @example
+ * ```ts
+ * import { Pool } from 'pg';
+ * import { postgresAuthConfigStore } from '@qwickapps/server';
+ *
+ * const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+ * const store = postgresAuthConfigStore({ pool });
+ *
+ * // Or with lazy initialization:
+ * const store = postgresAuthConfigStore({ pool: () => getPostgres().getPool() });
+ * ```
+ */
+// Valid identifier pattern (alphanumeric + underscore, starting with letter or underscore)
+const VALID_IDENTIFIER = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+/**
+ * Validate SQL identifier to prevent SQL injection
+ */
+function validateIdentifier(name, type) {
+    if (!VALID_IDENTIFIER.test(name)) {
+        throw new Error(`Invalid ${type}: must be alphanumeric with underscores, starting with letter or underscore`);
+    }
+    if (name.length > 63) {
+        throw new Error(`Invalid ${type}: must be 63 characters or less`);
+    }
+}
+export function postgresAuthConfigStore(config) {
+    const { pool: poolOrFn, tableName = 'auth_config', schema = 'public', autoCreateTable = true, enableNotify = true, notifyChannel = 'auth_config_changed', } = config;
+    // Validate identifiers to prevent SQL injection
+    validateIdentifier(tableName, 'table name');
+    validateIdentifier(schema, 'schema name');
+    validateIdentifier(notifyChannel, 'notify channel');
+    // Helper to get pool (supports lazy initialization via function)
+    const getPool = () => {
+        const pool = typeof poolOrFn === 'function' ? poolOrFn() : poolOrFn;
+        if (!pool || typeof pool.query !== 'function') {
+            throw new Error('Invalid pool: must have query method');
+        }
+        return pool;
+    };
+    const tableFullName = `"${schema}"."${tableName}"`;
+    // Listeners for config changes
+    const listeners = new Set();
+    // Client dedicated to listening for notifications
+    let listenerClient = null;
+    // Reconnection state for exponential backoff
+    let reconnectAttempt = 0;
+    const maxReconnectDelay = 60000; // Max 60 seconds
+    const baseReconnectDelay = 1000; // Start at 1 second
+    /**
+     * Calculate reconnect delay with exponential backoff
+     */
+    function getReconnectDelay() {
+        // Exponential backoff: 1s, 2s, 4s, 8s, 16s, 32s, 60s (capped)
+        const delay = Math.min(baseReconnectDelay * Math.pow(2, reconnectAttempt), maxReconnectDelay);
+        reconnectAttempt++;
+        return delay;
+    }
+    /**
+     * Reset reconnection state after successful connection
+     */
+    function resetReconnectState() {
+        reconnectAttempt = 0;
+    }
+    /**
+     * Start listening for pg_notify events
+     */
+    async function startListening() {
+        if (!enableNotify || listenerClient)
+            return;
+        try {
+            const pool = getPool();
+            listenerClient = await pool.connect();
+            // Subscribe to the notification channel
+            await listenerClient.query(`LISTEN ${notifyChannel}`);
+            // Reset backoff on successful connection
+            resetReconnectState();
+            // Handle notifications
+            listenerClient.on('notification', async (msg) => {
+                if (msg.channel === notifyChannel) {
+                    // Reload config from database and notify listeners
+                    const newConfig = await loadFromDb();
+                    for (const listener of listeners) {
+                        try {
+                            listener(newConfig);
+                        }
+                        catch (err) {
+                            console.error('[AuthConfigStore] Listener error:', err);
+                        }
+                    }
+                }
+            });
+            // Handle errors - try to reconnect with exponential backoff
+            // Note: pg client emits 'error' events with Error objects, but our interface
+            // only defines 'notification'. We cast to any to handle this.
+            listenerClient.on('error', (err) => {
+                console.error('[AuthConfigStore] Listener connection error:', err);
+                listenerClient?.release(true);
+                listenerClient = null;
+                // Try to reconnect with exponential backoff
+                const delay = getReconnectDelay();
+                console.log(`[AuthConfigStore] Reconnecting in ${delay}ms (attempt ${reconnectAttempt})`);
+                setTimeout(() => startListening(), delay);
+            });
+        }
+        catch (err) {
+            console.error('[AuthConfigStore] Failed to start listener:', err);
+            listenerClient = null;
+            // Also apply backoff on initial connection failure
+            const delay = getReconnectDelay();
+            console.log(`[AuthConfigStore] Retrying connection in ${delay}ms (attempt ${reconnectAttempt})`);
+            setTimeout(() => startListening(), delay);
+        }
+    }
+    /**
+     * Load config from database
+     */
+    async function loadFromDb() {
+        const pool = getPool();
+        const result = await pool.query(`SELECT adapter, config, settings, updated_at, updated_by
+       FROM ${tableFullName}
+       LIMIT 1`);
+        if (result.rows.length === 0) {
+            return null;
+        }
+        const row = result.rows[0];
+        return {
+            adapter: row.adapter,
+            config: row.config,
+            settings: row.settings,
+            updatedAt: row.updated_at.toISOString(),
+            updatedBy: row.updated_by || undefined,
+        };
+    }
+    return {
+        name: 'postgres',
+        async initialize() {
+            if (!autoCreateTable) {
+                await startListening();
+                return;
+            }
+            const pool = getPool();
+            // Create table with singleton pattern (only one row allowed)
+            await pool.query(`
+        CREATE TABLE IF NOT EXISTS ${tableFullName} (
+          id SERIAL PRIMARY KEY,
+          adapter VARCHAR(50),
+          config JSONB NOT NULL DEFAULT '{}',
+          settings JSONB NOT NULL DEFAULT '{}',
+          created_at TIMESTAMPTZ DEFAULT NOW(),
+          updated_at TIMESTAMPTZ DEFAULT NOW(),
+          updated_by VARCHAR(255)
+        );
+
+        -- Ensure only one config row (singleton pattern)
+        CREATE UNIQUE INDEX IF NOT EXISTS idx_${tableName}_singleton
+        ON ${tableFullName} ((true));
+      `);
+            // Start listening for notifications
+            await startListening();
+        },
+        async load() {
+            return loadFromDb();
+        },
+        async save(runtimeConfig) {
+            const pool = getPool();
+            // Upsert the configuration
+            await pool.query(`INSERT INTO ${tableFullName} (adapter, config, settings, updated_at, updated_by)
+         VALUES ($1, $2, $3, NOW(), $4)
+         ON CONFLICT ((true)) DO UPDATE SET
+           adapter = $1,
+           config = $2,
+           settings = $3,
+           updated_at = NOW(),
+           updated_by = $4`, [
+                runtimeConfig.adapter,
+                JSON.stringify(runtimeConfig.config),
+                JSON.stringify(runtimeConfig.settings),
+                runtimeConfig.updatedBy || null,
+            ]);
+            // Notify other instances
+            if (enableNotify) {
+                await pool.query(`NOTIFY ${notifyChannel}`);
+            }
+        },
+        async delete() {
+            const pool = getPool();
+            const result = await pool.query(`DELETE FROM ${tableFullName}`);
+            // Notify other instances
+            if (enableNotify) {
+                await pool.query(`NOTIFY ${notifyChannel}`);
+            }
+            return (result.rowCount ?? 0) > 0;
+        },
+        onChange(callback) {
+            listeners.add(callback);
+            // Return unsubscribe function
+            return () => {
+                listeners.delete(callback);
+            };
+        },
+        async shutdown() {
+            // Release the listener client
+            if (listenerClient) {
+                try {
+                    await listenerClient.query(`UNLISTEN ${notifyChannel}`);
+                }
+                catch {
+                    // Ignore errors during shutdown
+                }
+                listenerClient.release(true);
+                listenerClient = null;
+            }
+            // Clear listeners
+            listeners.clear();
+        },
+    };
+}
+//# sourceMappingURL=config-store.js.map

package/dist/plugins/auth/config-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-store.js","sourceRoot":"","sources":["../../../src/plugins/auth/config-store.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAqBH;;;;;;;;;;;;;;;;;GAiBG;AACH,2FAA2F;AAC3F,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAEpD;;GAEG;AACH,SAAS,kBAAkB,CAAC,IAAY,EAAE,IAAY;IACpD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,WAAW,IAAI,6EAA6E,CAAC,CAAC;IAChH,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,WAAW,IAAI,iCAAiC,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,MAAqC;IAC3E,MAAM,EACJ,IAAI,EAAE,QAAQ,EACd,SAAS,GAAG,aAAa,EACzB,MAAM,GAAG,QAAQ,EACjB,eAAe,GAAG,IAAI,EACtB,YAAY,GAAG,IAAI,EACnB,aAAa,GAAG,qBAAqB,GACtC,GAAG,MAAM,CAAC;IAEX,gDAAgD;IAChD,kBAAkB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAC5C,kBAAkB,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAC1C,kBAAkB,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAEpD,iEAAiE;IACjE,MAAM,OAAO,GAAG,GAAW,EAAE;QAC3B,MAAM,IAAI,GAAG,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC;QACpE,IAAI,CAAC,IAAI,IAAI,OAAQ,IAAe,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,IAAc,CAAC;IACxB,CAAC,CAAC;IAEF,MAAM,aAAa,GAAG,IAAI,MAAM,MAAM,SAAS,GAAG,CAAC;IAEnD,+BAA+B;IAC/B,MAAM,SAAS,GAAoD,IAAI,GAAG,EAAE,CAAC;IAE7E,kDAAkD;IAClD,IAAI,cAAc,GAAwB,IAAI,CAAC;IAE/C,6CAA6C;IAC7C,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,MAAM,iBAAiB,GAAG,KAAK,CAAC,CAAC,iBAAiB;IAClD,MAAM,kBAAkB,GAAG,IAAI,CAAC,CAAC,oBAAoB;IAErD;;OAEG;IACH,SAAS,iBAAiB;QACxB,8DAA8D;QAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,gBAAgB,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAC9F,gBAAgB,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,SAAS,mBAAmB;QAC1B,gBAAgB,GAAG,CAAC,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,UAAU,cAAc;QAC3B,IAAI,CAAC,YAAY,IAAI,cAAc;YAAE,OAAO;QAE5C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YACvB,cAAc,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YAEtC,wCAAwC;YACxC,MAAM,cAAc,CAAC,KAAK,CAAC,UAAU,aAAa,EAAE,CAAC,CAAC;YAEtD,yCAAyC;YACzC,mBAAmB,EAAE,CAAC;YAEtB,uBAAuB;YACvB,cAAc,CAAC,EAAE,CAAC,cAAc,EAAE,KAAK,EAAE,GAA0C,EAAE,EAAE;gBACrF,IAAI,GAAG,CAAC,OAAO,KAAK,aAAa,EAAE,CAAC;oBAClC,mDAAmD;oBACnD,MAAM,SAAS,GAAG,MAAM,UAAU,EAAE,CAAC;oBACrC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;wBACjC,IAAI,CAAC;4BACH,QAAQ,CAAC,SAAS,CAAC,CAAC;wBACtB,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,CAAC,CAAC;wBAC1D,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,4DAA4D;YAC5D,6EAA6E;YAC7E,8DAA8D;YAC7D,cAAoF,CAAC,EAAE,CACtF,OAAO,EACP,CAAC,GAAU,EAAE,EAAE;gBACb,OAAO,CAAC,KAAK,CAAC,8CAA8C,EAAE,GAAG,CAAC,CAAC;gBACnE,cAAc,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC9B,cAAc,GAAG,IAAI,CAAC;gBACtB,4CAA4C;gBAC5C,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;gBAClC,OAAO,CAAC,GAAG,CAAC,qCAAqC,KAAK,eAAe,gBAAgB,GAAG,CAAC,CAAC;gBAC1F,UAAU,CAAC,GAAG,EAAE,CAAC,cAAc,EAAE,EAAE,KAAK,CAAC,CAAC;YAC5C,CAAC,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAC;YAClE,cAAc,GAAG,IAAI,CAAC;YACtB,mDAAmD;YACnD,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,4CAA4C,KAAK,eAAe,gBAAgB,GAAG,CAAC,CAAC;YACjG,UAAU,CAAC,GAAG,EAAE,CAAC,cAAc,EAAE,EAAE,KAAK,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,UAAU,UAAU;QACvB,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;cACQ,aAAa;eACZ,CACV,CAAC;QAEF,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAMxB,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,GAAG,CAAC,OAAuC;YACpD,MAAM,EAAE,GAAG,CAAC,MAAqC;YACjD,QAAQ,EAAE,GAAG,CAAC,QAAyC;YACvD,SAAS,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;YACvC,SAAS,EAAE,GAAG,CAAC,UAAU,IAAI,SAAS;SACvC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,UAAU;QAEhB,KAAK,CAAC,UAAU;YACd,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,cAAc,EAAE,CAAC;gBACvB,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YAEvB,6DAA6D;YAC7D,MAAM,IAAI,CAAC,KAAK,CAAC;qCACc,aAAa;;;;;;;;;;;gDAWF,SAAS;aAC5C,aAAa;OACnB,CAAC,CAAC;YAEH,oCAAoC;YACpC,MAAM,cAAc,EAAE,CAAC;QACzB,CAAC;QAED,KAAK,CAAC,IAAI;YACR,OAAO,UAAU,EAAE,CAAC;QACtB,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,aAAgC;YACzC,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YAEvB,2BAA2B;YAC3B,MAAM,IAAI,CAAC,KAAK,CACd,eAAe,aAAa;;;;;;;2BAOT,EACnB;gBACE,aAAa,CAAC,OAAO;gBACrB,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC;gBACpC,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,QAAQ,CAAC;gBACtC,aAAa,CAAC,SAAS,IAAI,IAAI;aAChC,CACF,CAAC;YAEF,yBAAyB;YACzB,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,aAAa,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,KAAK,CAAC,MAAM;YACV,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YAEvB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,aAAa,EAAE,CAAC,CAAC;YAEhE,yBAAyB;YACzB,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,aAAa,EAAE,CAAC,CAAC;YAC9C,CAAC;YAED,OAAO,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACpC,CAAC;QAED,QAAQ,CAAC,QAAoD;YAC3D,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAExB,8BAA8B;YAC9B,OAAO,GAAG,EAAE;gBACV,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC7B,CAAC,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,QAAQ;YACZ,8BAA8B;YAC9B,IAAI,cAAc,EAAE,CAAC;gBACnB,IAAI,CAAC;oBACH,MAAM,cAAc,CAAC,KAAK,CAAC,YAAY,aAAa,EAAE,CAAC,CAAC;gBAC1D,CAAC;gBAAC,MAAM,CAAC;oBACP,gCAAgC;gBAClC,CAAC;gBACD,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC7B,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC;YAED,kBAAkB;YAClB,SAAS,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/plugins/auth/config-store.test.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Auth Config Store Tests
+ *
+ * Unit tests for PostgreSQL-backed auth configuration store.
+ */
+export {};
+//# sourceMappingURL=config-store.test.d.ts.map

package/dist/plugins/auth/config-store.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-store.test.d.ts","sourceRoot":"","sources":["../../../src/plugins/auth/config-store.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}