@rebasepro/server-core 0.1.0 → 0.2.1

package/src/auth/interfaces.ts

@@ -20,6 +20,7 @@ export interface UserData {
     emailVerified: boolean;
     emailVerificationToken?: string | null;
     emailVerificationSentAt?: Date | null;
+    metadata?: Record<string, unknown>;
     createdAt: Date;
     updatedAt: Date;
 }
@@ -33,6 +34,7 @@ export interface CreateUserData {
     displayName?: string;
     photoUrl?: string;
     emailVerified?: boolean;
+    metadata?: Record<string, unknown>;
 }
 
 /**

package/src/auth/jwt.ts

@@ -42,7 +42,9 @@ export function configureJwt(config: JwtConfig): void {
         "example-secret",
         "please-change-me",
         "replace-this-with-a-real-secret",
-        "default-secret"
+        "default-secret",
+        "rebase_saas_jwt_secret_must_be_long_long_long_long",
+        "rebase_saas_service_key_must_be_long_long_long_long"
     ]);
 
     if (!config.secret || config.secret.length < 32) {

package/src/auth/middleware.ts

@@ -2,7 +2,8 @@ import { MiddlewareHandler, Context } from "hono";
 import { DataDriver } from "@rebasepro/types";
 import { verifyAccessToken, AccessTokenPayload } from "./jwt";
 import { HonoEnv } from "../api/types";
-import { timingSafeEqual } from "crypto";
+import { scopeDataDriver } from "./rls-scope";
+import { safeCompare } from "./crypto-utils";
 
 /**
  * Result from a custom auth validator.
@@ -202,23 +203,6 @@ export function extractUserFromToken(token: string): AccessTokenPayload | null {
     return verifyAccessToken(token);
 }
 
-/**
- * Helper to scope a DataDriver via withAuth() for RLS.
- * SECURITY: If withAuth() is available but fails, the error is re-thrown
- * so the request is denied rather than proceeding with unscoped access.
- */
-async function scopeDataDriver(
-    driver: DataDriver,
-    user: { uid: string; roles?: string[] }
-): Promise<DataDriver> {
-    if ("withAuth" in driver && typeof (driver as Record<string, unknown>).withAuth === "function") {
-        // Fail closed — do NOT catch and swallow errors here.
-        // If RLS scoping fails the request must be rejected.
-        return await (driver as unknown as { withAuth: (user: Record<string, unknown>) => Promise<DataDriver> }).withAuth(user);
-    }
-    return driver;
-}
-
 /**
  * Create a configurable auth middleware that handles:
  * 1. Token extraction (via custom validator or JWT Bearer token)
@@ -237,34 +221,6 @@ async function scopeDataDriver(
  * This is the single source of truth for HTTP auth in Rebase.
  * Use this instead of manually parsing tokens in route handlers.
  */
-/**
- * Constant-time string comparison to prevent timing attacks on service keys.
- *
- * We intentionally avoid early-returning on length mismatch because that
- * would leak the key's length through timing differences. Instead, both
- * inputs are padded to the same length so `timingSafeEqual` always runs
- * over equal-length buffers.
- */
-function safeCompare(a: string, b: string): boolean {
-    const maxLen = Math.max(a.length, b.length);
-    // Pad both to maxLen so timingSafeEqual always compares equal-length buffers.
-    // If the original lengths differ the result will be false due to the padding
-    // difference, but the comparison still takes constant time.
-    const bufA = Buffer.alloc(maxLen);
-    const bufB = Buffer.alloc(maxLen);
-    bufA.write(a);
-    bufB.write(b);
-    try {
-        const isEqual = timingSafeEqual(bufA, bufB);
-        // Even though padding makes mismatched-length strings compare as
-        // different bytes, we still need to verify lengths match to avoid
-        // a padded shorter string accidentally equaling a longer one that
-        // has trailing null bytes.
-        return isEqual && a.length === b.length;
-    } catch {
-        return false;
-    }
-}
 
 export function createAuthMiddleware(options: AuthMiddlewareOptions): MiddlewareHandler<HonoEnv> {
     const { driver, requireAuth: enforceAuth = true, validator, serviceKey } = options;

package/src/auth/rls-scope.ts

@@ -0,0 +1,58 @@
+/**
+ * Shared RLS (Row-Level Security) scoping helper.
+ *
+ * DataDrivers may implement a `withAuth()` method that returns a scoped
+ * clone of the driver with RLS policies applied for the given user.
+ * This is database-specific (e.g. Postgres SET LOCAL ROLE) and is not
+ * part of the core DataDriver interface.
+ *
+ * This module provides the shared duck-typing logic used by the
+ * adapter-aware middleware.
+ *
+ * @module
+ */
+
+import type { DataDriver } from "@rebasepro/types";
+
+/**
+ * A DataDriver that supports RLS scoping via `withAuth()`.
+ *
+ * This is not part of the public DataDriver interface because not all
+ * database implementations support RLS. Drivers that do (e.g. Postgres)
+ * extend DataDriver with this method.
+ */
+interface RLSScopedDriver extends DataDriver {
+    withAuth(user: { uid: string; roles?: string[] }): Promise<DataDriver>;
+}
+
+/**
+ * Returns true if the driver supports RLS scoping via `withAuth()`.
+ */
+function isRLSScopedDriver(driver: DataDriver): driver is RLSScopedDriver {
+    return "withAuth" in driver && typeof (driver as Record<string, unknown>).withAuth === "function";
+}
+
+/**
+ * Scope a DataDriver via `withAuth()` for RLS.
+ *
+ * SECURITY: If `withAuth()` is available but fails, the error is re-thrown
+ * so the request is **denied** rather than proceeding with unscoped access
+ * (fail-closed behavior).
+ *
+ * If the driver does not support RLS, the original driver is returned.
+ *
+ * @param driver - The DataDriver to scope.
+ * @param user   - The authenticated user identity for RLS.
+ * @returns The RLS-scoped DataDriver (or the original if RLS is unsupported).
+ */
+export async function scopeDataDriver(
+    driver: DataDriver,
+    user: { uid: string; roles?: string[] },
+): Promise<DataDriver> {
+    if (isRLSScopedDriver(driver)) {
+        // Fail closed — do NOT catch and swallow errors here.
+        // If RLS scoping fails the request must be rejected.
+        return await driver.withAuth(user);
+    }
+    return driver;
+}

package/src/auth/routes.ts

@@ -3,7 +3,8 @@ import { ApiError, errorHandler } from "../api/errors";
 import { randomBytes, createHash } from "crypto";
 import type { AuthRepository, OAuthProvider } from "./interfaces";
 import { generateAccessToken, generateRefreshToken, hashRefreshToken, getRefreshTokenExpiry, getAccessTokenExpiry } from "./jwt";
-import { hashPassword, verifyPassword, validatePasswordStrength } from "./password";
+import type { AuthOverrides } from "./auth-overrides";
+import { resolveAuthOverrides } from "./auth-overrides";
 import { requireAuth } from "./middleware";
 import { EmailService, EmailConfig } from "../email";
 import { getPasswordResetTemplate, getEmailVerificationTemplate, getWelcomeEmailTemplate } from "../email/templates";
@@ -23,9 +24,15 @@ export interface AuthModuleConfig {
     /** Default role ID to assign to new users (default: none). Must NOT be "admin". */
     defaultRole?: string;
     /** Optional array of OAuth providers */
-    oauthProviders?: OAuthProvider[];
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    oauthProviders?: OAuthProvider<any>[];
     /** When true, blocks all self-registration regardless of `allowRegistration`. */
     disableSelfRegistration?: boolean;
+    /**
+     * Auth overrides for customizing password hashing, credential
+     * verification, lifecycle hooks, etc.
+     */
+    overrides?: AuthOverrides;
     /**
      * Callback that checks if bootstrap has already been completed.
      * Used by GET /auth/config to report `needsSetup` status.
@@ -38,7 +45,7 @@ export interface AuthModuleConfig {
  * Helper to build standard auth response output
  */
 function buildAuthResponse(
-    user: { id: string; email: string; displayName?: string | null; photoUrl?: string | null },
+    user: { id: string; email: string; displayName?: string | null; photoUrl?: string | null; metadata?: Record<string, unknown> | null },
     roleIds: string[],
     accessToken: string,
     refreshToken: string
@@ -49,7 +56,8 @@ function buildAuthResponse(
             email: user.email,
             displayName: user.displayName ?? null,
             photoURL: user.photoUrl ?? null,
-            roles: roleIds
+            roles: roleIds,
+            metadata: user.metadata ?? {}
         },
         tokens: {
             accessToken,
@@ -93,7 +101,8 @@ export function createAuthRoutes(config: AuthModuleConfig): Hono<HonoEnv> {
     router.onError(errorHandler);
 
     const authRepo = config.authRepo;
-    const { emailService, emailConfig, allowRegistration = false } = config;
+    const { emailService, emailConfig, allowRegistration = false, overrides } = config;
+    const ops = resolveAuthOverrides(overrides);
 
     // ── Zod input schemas ──────────────────────────────────────────────
     const registerSchema = z.object({
@@ -214,7 +223,7 @@ export function createAuthRoutes(config: AuthModuleConfig): Hono<HonoEnv> {
         }
 
         // Validate password strength
-        const passwordValidation = validatePasswordStrength(password);
+        const passwordValidation = ops.validatePasswordStrength(password);
         if (!passwordValidation.valid) {
             throw ApiError.badRequest(passwordValidation.errors.join(". "), "WEAK_PASSWORD");
         }
@@ -226,12 +235,16 @@ export function createAuthRoutes(config: AuthModuleConfig): Hono<HonoEnv> {
         }
 
         // Create user
-        const passwordHash = await hashPassword(password);
-        const user = await authRepo.createUser({
+        const passwordHash = await ops.hashPassword(password);
+        let createData: import("./interfaces").CreateUserData = {
             email: email.toLowerCase(),
             passwordHash,
             displayName: displayName || undefined
-        });
+        };
+        if (overrides?.beforeUserCreate) {
+            createData = await overrides.beforeUserCreate(createData);
+        }
+        const user = await authRepo.createUser(createData);
 
         // Auto-bootstrap: if this is the very first user in the system, promote to admin.
         // This avoids the chicken-and-egg problem where the first user has no permissions
@@ -256,6 +269,20 @@ export function createAuthRoutes(config: AuthModuleConfig): Hono<HonoEnv> {
         sendWelcomeEmail({ email: user.email,
 displayName: user.displayName });
 
+        // Fire afterUserCreate hook (fire-and-forget)
+        if (overrides?.afterUserCreate) {
+            overrides.afterUserCreate(user).catch(err => {
+                console.error("[AuthOverrides] afterUserCreate error:", err instanceof Error ? err.message : err);
+            });
+        }
+
+        // Fire onAuthenticated hook (fire-and-forget)
+        if (overrides?.onAuthenticated) {
+            overrides.onAuthenticated(user, "register").catch(err => {
+                console.error("[AuthOverrides] onAuthenticated error:", err instanceof Error ? err.message : err);
+            });
+        }
+
         return c.json(buildAuthResponse(user, roleIds, accessToken, refreshToken), 201);
     });
 
@@ -266,18 +293,29 @@ displayName: user.displayName });
     router.post("/login", defaultAuthLimiter, async (c) => {
         const { email, password } = parseBody(loginSchema, await c.req.json());
 
-        const user = await authRepo.getUserByEmail(email);
-        if (!user) {
-            throw ApiError.unauthorized("Invalid email or password", "INVALID_CREDENTIALS");
-        }
+        let user;
 
-        if (!user.passwordHash) {
-            throw ApiError.unauthorized("Invalid email or password", "INVALID_CREDENTIALS");
-        }
+        if (overrides?.verifyCredentials) {
+            // Full credential verification override
+            user = await overrides.verifyCredentials(email, password, authRepo);
+            if (!user) {
+                throw ApiError.unauthorized("Invalid email or password", "INVALID_CREDENTIALS");
+            }
+        } else {
+            // Default: email lookup + password hash verification
+            user = await authRepo.getUserByEmail(email);
+            if (!user) {
+                throw ApiError.unauthorized("Invalid email or password", "INVALID_CREDENTIALS");
+            }
 
-        const isValidPassword = await verifyPassword(password, user.passwordHash);
-        if (!isValidPassword) {
-            throw ApiError.unauthorized("Invalid email or password", "INVALID_CREDENTIALS");
+            if (!user.passwordHash) {
+                throw ApiError.unauthorized("Invalid email or password", "INVALID_CREDENTIALS");
+            }
+
+            const isValidPassword = await ops.verifyPassword(password, user.passwordHash);
+            if (!isValidPassword) {
+                throw ApiError.unauthorized("Invalid email or password", "INVALID_CREDENTIALS");
+            }
         }
 
         const { roleIds, accessToken, refreshToken } = await createSessionAndTokens(
@@ -286,6 +324,13 @@ displayName: user.displayName });
             c.req.header("x-forwarded-for") || "unknown"
         );
 
+        // Fire onAuthenticated hook (fire-and-forget)
+        if (overrides?.onAuthenticated) {
+            overrides.onAuthenticated(user, "login").catch(err => {
+                console.error("[AuthOverrides] onAuthenticated error:", err instanceof Error ? err.message : err);
+            });
+        }
+
         return c.json(buildAuthResponse(user, roleIds, accessToken, refreshToken));
     });
 
@@ -434,7 +479,7 @@ displayName: user.displayName }, appName);
         const { token, password } = parseBody(resetPasswordSchema, await c.req.json());
 
         // Validate password strength
-        const passwordValidation = validatePasswordStrength(password);
+        const passwordValidation = ops.validatePasswordStrength(password);
         if (!passwordValidation.valid) {
             throw ApiError.badRequest(passwordValidation.errors.join(". "), "WEAK_PASSWORD");
         }
@@ -448,7 +493,7 @@ displayName: user.displayName }, appName);
         }
 
         // Update password
-        const passwordHash = await hashPassword(password);
+        const passwordHash = await ops.hashPassword(password);
         await authRepo.updatePassword(storedToken.userId, passwordHash);
 
         // Mark token as used
@@ -480,19 +525,19 @@ message: "Password has been reset successfully" });
         }
 
         // Verify old password
-        const isValidOldPassword = await verifyPassword(oldPassword, user.passwordHash);
+        const isValidOldPassword = await ops.verifyPassword(oldPassword, user.passwordHash);
         if (!isValidOldPassword) {
             throw ApiError.unauthorized("Current password is incorrect", "INVALID_CREDENTIALS");
         }
 
         // Validate new password strength
-        const passwordValidation = validatePasswordStrength(newPassword);
+        const passwordValidation = ops.validatePasswordStrength(newPassword);
         if (!passwordValidation.valid) {
             throw ApiError.badRequest(passwordValidation.errors.join(". "), "WEAK_PASSWORD");
         }
 
         // Update password
-        const passwordHash = await hashPassword(newPassword);
+        const passwordHash = await ops.hashPassword(newPassword);
         await authRepo.updatePassword(user.id, passwordHash);
 
         // Invalidate all refresh tokens (security: log out all sessions)
@@ -727,7 +772,8 @@ message: "Session revoked successfully" });
                 displayName: result.user.displayName,
                 photoURL: result.user.photoUrl,
                 emailVerified: result.user.emailVerified,
-                roles: result.roles.map(r => r.id)
+                roles: result.roles.map(r => r.id),
+                metadata: result.user.metadata ?? {}
             }
         });
     });
@@ -765,7 +811,8 @@ message: "Session revoked successfully" });
                 displayName: result.user.displayName,
                 photoURL: result.user.photoUrl,
                 emailVerified: result.user.emailVerified,
-                roles: result.roles.map(r => r.id)
+                roles: result.roles.map(r => r.id),
+                metadata: result.user.metadata ?? {}
             }
         });
     });
@@ -788,18 +835,13 @@ message: "Session revoked successfully" });
         // Registration is allowed when explicitly enabled OR during initial setup
         const registrationAllowed = needsSetup || !!allowRegistration;
 
-        // Build a dynamic map of enabled providers for frontend discovery.
-        // Also maintain legacy boolean fields for backward compatibility.
+        // Build the list of enabled OAuth providers for frontend discovery.
         const enabledProviders = (config.oauthProviders || []).map(p => p.id);
 
         return c.json({
             needsSetup,
             registrationEnabled: registrationAllowed,
-            // Legacy fields (kept for backward compat)
-            googleEnabled: enabledProviders.includes("google"),
-            linkedinEnabled: enabledProviders.includes("linkedin"),
             emailServiceEnabled: isEmailConfigured(),
-            // New: complete list of available OAuth providers
             enabledProviders
         });
     });

package/src/cron/cron-scheduler.test.ts

@@ -1,6 +1,6 @@
 import { describe, it, expect, beforeEach, afterEach, jest } from "@jest/globals";
 import { CronScheduler, validateCronExpression } from "./cron-scheduler";
-import type { CronJobDefinition } from "@rebasepro/types";
+import type { CronJobDefinition, CronJobLogEntry } from "@rebasepro/types";
 import type { LoadedCronJob } from "./cron-loader";
 
 // ─── Helpers ────────────────────────────────────────────────────────
@@ -475,12 +475,12 @@ describe("CronScheduler", () => {
         beforeEach(() => { jest.useRealTimers(); });
 
         it("persists logs to store after execution", async () => {
-            const insertLog = jest.fn<(entry: any) => Promise<void>>().mockResolvedValue(undefined);
+            const insertLog = jest.fn<(entry: CronJobLogEntry) => Promise<void>>().mockResolvedValue(undefined);
             const mockStore = {
                 ensureTable: jest.fn<() => Promise<void>>().mockResolvedValue(undefined),
                 insertLog,
-                fetchLogs: jest.fn<() => Promise<any[]>>().mockResolvedValue([]),
-                fetchJobStats: jest.fn<() => Promise<Map<string, any>>>().mockResolvedValue(new Map()),
+                fetchLogs: jest.fn<() => Promise<CronJobLogEntry[]>>().mockResolvedValue([]),
+                fetchJobStats: jest.fn<() => Promise<Map<string, { totalRuns: number; totalFailures: number; lastRunAt?: string | Date | null }>>>().mockResolvedValue(new Map()),
             };
             scheduler.setStore(mockStore);
             scheduler.registerJobs([makeJob("persisted")]);
@@ -493,8 +493,8 @@ describe("CronScheduler", () => {
             const mockStore = {
                 ensureTable: jest.fn<() => Promise<void>>().mockResolvedValue(undefined),
                 insertLog: jest.fn<() => Promise<void>>().mockRejectedValue(new Error("DB down")),
-                fetchLogs: jest.fn<() => Promise<any[]>>().mockResolvedValue([]),
-                fetchJobStats: jest.fn<() => Promise<Map<string, any>>>().mockResolvedValue(new Map()),
+                fetchLogs: jest.fn<() => Promise<CronJobLogEntry[]>>().mockResolvedValue([]),
+                fetchJobStats: jest.fn<() => Promise<Map<string, { totalRuns: number; totalFailures: number; lastRunAt?: string | Date | null }>>>().mockResolvedValue(new Map()),
             };
             scheduler.setStore(mockStore);
             scheduler.registerJobs([makeJob("resilient")]);
@@ -504,13 +504,13 @@ describe("CronScheduler", () => {
         });
 
         it("seeds counters from store on start", async () => {
-            const stats = new Map<string, any>();
+            const stats = new Map<string, { totalRuns: number; totalFailures: number; lastRunAt?: string | Date | null }>();
             stats.set("seeded", { totalRuns: 42, totalFailures: 3, lastRunAt: "2026-01-01T00:00:00Z" });
             const mockStore = {
                 ensureTable: jest.fn<() => Promise<void>>().mockResolvedValue(undefined),
                 insertLog: jest.fn<() => Promise<void>>().mockResolvedValue(undefined),
-                fetchLogs: jest.fn<() => Promise<any[]>>().mockResolvedValue([]),
-                fetchJobStats: jest.fn<() => Promise<Map<string, any>>>().mockResolvedValue(stats),
+                fetchLogs: jest.fn<() => Promise<CronJobLogEntry[]>>().mockResolvedValue([]),
+                fetchJobStats: jest.fn<() => Promise<Map<string, { totalRuns: number; totalFailures: number; lastRunAt?: string | Date | null }>>>().mockResolvedValue(stats),
             };
             scheduler.setStore(mockStore);
             scheduler.registerJobs([makeJob("seeded")]);

package/src/cron/cron-scheduler.ts

@@ -15,7 +15,7 @@ import type { CronStore } from "./cron-store";
 
 /**
  * Expand a single cron field into an ordered array of allowed values.
- * Supports: `*`, `N`, `N-M`, `N/S`, `N-M/S`, `*​/S`, and comma-separated combinations.
+ * Supports: `*`, `N`, `N-M`, `N/S`, `N-M/S`, `*\/S`, and comma-separated combinations.
  */
 function expandCronField(field: string, min: number, max: number): number[] {
     const results = new Set<number>();