@rebasepro/server-core 0.6.0 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +14 -14
- package/src/api/errors.ts +16 -2
- package/src/api/graphql/graphql-schema-generator.ts +45 -10
- package/src/api/rest/api-generator.ts +19 -2
- package/src/api/server.ts +10 -2
- package/src/api/types.ts +6 -0
- package/src/auth/adapter-middleware.ts +10 -2
- package/src/auth/admin-roles-route.ts +36 -0
- package/src/auth/admin-users-route.ts +302 -0
- package/src/auth/api-keys/api-key-middleware.ts +4 -3
- package/src/auth/api-keys/api-key-routes.ts +12 -2
- package/src/auth/api-keys/api-key-store.ts +83 -66
- package/src/auth/api-keys/api-key-types.ts +8 -0
- package/src/auth/apple-oauth.ts +2 -1
- package/src/auth/auth-hooks.ts +21 -0
- package/src/auth/bitbucket-oauth.ts +2 -1
- package/src/auth/builtin-auth-adapter.ts +28 -4
- package/src/auth/custom-auth-adapter.ts +2 -0
- package/src/auth/discord-oauth.ts +2 -1
- package/src/auth/facebook-oauth.ts +2 -1
- package/src/auth/github-oauth.ts +2 -1
- package/src/auth/gitlab-oauth.ts +2 -1
- package/src/auth/google-oauth.ts +8 -4
- package/src/auth/index.ts +2 -0
- package/src/auth/interfaces.ts +27 -0
- package/src/auth/linkedin-oauth.ts +2 -1
- package/src/auth/magic-link-routes.ts +167 -0
- package/src/auth/mfa-crypto.ts +91 -0
- package/src/auth/mfa-routes.ts +34 -10
- package/src/auth/microsoft-oauth.ts +2 -1
- package/src/auth/middleware.ts +10 -1
- package/src/auth/reset-password-admin.ts +17 -1
- package/src/auth/routes.ts +77 -8
- package/src/auth/session-routes.ts +15 -3
- package/src/auth/slack-oauth.ts +2 -1
- package/src/auth/spotify-oauth.ts +2 -1
- package/src/auth/twitter-oauth.ts +8 -1
- package/src/cron/cron-store.ts +25 -23
- package/src/email/index.ts +3 -2
- package/src/email/templates.ts +82 -0
- package/src/email/types.ts +16 -0
- package/src/init.ts +137 -5
- package/src/services/routed-realtime-service.ts +113 -0
- package/src/storage/routes.ts +4 -0
- package/src/utils/dev-port.ts +13 -7
- package/test/auth-routes.test.ts +54 -4
- package/test/custom-auth-adapter.test.ts +20 -1
- package/test/env.test.ts +9 -19
- package/test/multi-datasource-routing.test.ts +113 -0
- package/test/routed-realtime-service.test.ts +86 -0
- package/test/transform-auth-response.test.ts +305 -0
- package/vite.config.ts +5 -0
- package/build-errors.txt +0 -52
- package/dist/api/ast-schema-editor.d.ts +0 -21
- package/dist/api/collections_for_test/callbacks_test_collection.d.ts +0 -2
- package/dist/api/errors.d.ts +0 -53
- package/dist/api/graphql/graphql-schema-generator.d.ts +0 -35
- package/dist/api/graphql/index.d.ts +0 -1
- package/dist/api/index.d.ts +0 -9
- package/dist/api/logs-routes.d.ts +0 -37
- package/dist/api/openapi-generator.d.ts +0 -16
- package/dist/api/rest/api-generator.d.ts +0 -88
- package/dist/api/rest/index.d.ts +0 -1
- package/dist/api/rest/query-parser.d.ts +0 -11
- package/dist/api/schema-editor-routes.d.ts +0 -3
- package/dist/api/server.d.ts +0 -40
- package/dist/api/types.d.ts +0 -98
- package/dist/auth/adapter-middleware.d.ts +0 -37
- package/dist/auth/admin-user-ops.d.ts +0 -79
- package/dist/auth/api-keys/api-key-middleware.d.ts +0 -39
- package/dist/auth/api-keys/api-key-permission-guard.d.ts +0 -32
- package/dist/auth/api-keys/api-key-routes.d.ts +0 -20
- package/dist/auth/api-keys/api-key-store.d.ts +0 -35
- package/dist/auth/api-keys/api-key-types.d.ts +0 -88
- package/dist/auth/api-keys/index.d.ts +0 -17
- package/dist/auth/apple-oauth.d.ts +0 -30
- package/dist/auth/auth-hooks.d.ts +0 -225
- package/dist/auth/bitbucket-oauth.d.ts +0 -11
- package/dist/auth/builtin-auth-adapter.d.ts +0 -49
- package/dist/auth/crypto-utils.d.ts +0 -16
- package/dist/auth/custom-auth-adapter.d.ts +0 -39
- package/dist/auth/discord-oauth.d.ts +0 -14
- package/dist/auth/facebook-oauth.d.ts +0 -14
- package/dist/auth/github-oauth.d.ts +0 -15
- package/dist/auth/gitlab-oauth.d.ts +0 -13
- package/dist/auth/google-oauth.d.ts +0 -47
- package/dist/auth/index.d.ts +0 -36
- package/dist/auth/interfaces.d.ts +0 -401
- package/dist/auth/jwt.d.ts +0 -55
- package/dist/auth/linkedin-oauth.d.ts +0 -18
- package/dist/auth/mfa-routes.d.ts +0 -6
- package/dist/auth/mfa.d.ts +0 -49
- package/dist/auth/microsoft-oauth.d.ts +0 -16
- package/dist/auth/middleware.d.ts +0 -106
- package/dist/auth/password.d.ts +0 -22
- package/dist/auth/rate-limiter.d.ts +0 -50
- package/dist/auth/reset-password-admin.d.ts +0 -29
- package/dist/auth/rls-scope.d.ts +0 -31
- package/dist/auth/routes.d.ts +0 -33
- package/dist/auth/session-routes.d.ts +0 -25
- package/dist/auth/slack-oauth.d.ts +0 -12
- package/dist/auth/spotify-oauth.d.ts +0 -12
- package/dist/auth/twitter-oauth.d.ts +0 -18
- package/dist/backend-CIxN4FVm.js +0 -15
- package/dist/backend-CIxN4FVm.js.map +0 -1
- package/dist/chunk-Dze3rakg.js +0 -42
- package/dist/collections/BackendCollectionRegistry.d.ts +0 -13
- package/dist/collections/loader.d.ts +0 -5
- package/dist/cron/cron-loader.d.ts +0 -17
- package/dist/cron/cron-routes.d.ts +0 -14
- package/dist/cron/cron-scheduler.d.ts +0 -106
- package/dist/cron/cron-store.d.ts +0 -32
- package/dist/cron/index.d.ts +0 -6
- package/dist/db/interfaces.d.ts +0 -18
- package/dist/dist-CZKP-Xz4.js +0 -832
- package/dist/dist-CZKP-Xz4.js.map +0 -1
- package/dist/email/index.d.ts +0 -6
- package/dist/email/smtp-email-service.d.ts +0 -25
- package/dist/email/templates.d.ts +0 -42
- package/dist/email/types.d.ts +0 -108
- package/dist/env.d.ts +0 -102
- package/dist/from-VbwD7xRf.js +0 -3849
- package/dist/from-VbwD7xRf.js.map +0 -1
- package/dist/functions/function-loader.d.ts +0 -17
- package/dist/functions/function-routes.d.ts +0 -10
- package/dist/functions/index.d.ts +0 -3
- package/dist/history/history-routes.d.ts +0 -23
- package/dist/history/index.d.ts +0 -1
- package/dist/index.d.ts +0 -33
- package/dist/index.es.js +0 -61726
- package/dist/index.es.js.map +0 -1
- package/dist/index.umd.js +0 -73216
- package/dist/index.umd.js.map +0 -1
- package/dist/init/docs.d.ts +0 -4
- package/dist/init/health.d.ts +0 -2
- package/dist/init/middlewares.d.ts +0 -10
- package/dist/init/shutdown.d.ts +0 -11
- package/dist/init/storage.d.ts +0 -5
- package/dist/init.d.ts +0 -258
- package/dist/jwt-DHcQRGC3.js +0 -4168
- package/dist/jwt-DHcQRGC3.js.map +0 -1
- package/dist/logger-BYU66ENZ.js +0 -94
- package/dist/logger-BYU66ENZ.js.map +0 -1
- package/dist/ms-BeBSuOXN.js +0 -125
- package/dist/ms-BeBSuOXN.js.map +0 -1
- package/dist/multipart-parser-CedBDOeC.js +0 -299
- package/dist/multipart-parser-CedBDOeC.js.map +0 -1
- package/dist/serve-spa.d.ts +0 -30
- package/dist/services/driver-registry.d.ts +0 -78
- package/dist/services/webhook-service.d.ts +0 -29
- package/dist/singleton.d.ts +0 -35
- package/dist/src-COaj0G3P.js +0 -1182
- package/dist/src-COaj0G3P.js.map +0 -1
- package/dist/storage/LocalStorageController.d.ts +0 -46
- package/dist/storage/S3StorageController.d.ts +0 -36
- package/dist/storage/image-transform.d.ts +0 -50
- package/dist/storage/index.d.ts +0 -28
- package/dist/storage/routes.d.ts +0 -38
- package/dist/storage/storage-registry.d.ts +0 -78
- package/dist/storage/tus-handler.d.ts +0 -51
- package/dist/storage/types.d.ts +0 -103
- package/dist/types/index.d.ts +0 -11
- package/dist/utils/dev-port.d.ts +0 -35
- package/dist/utils/logger.d.ts +0 -31
- package/dist/utils/logging.d.ts +0 -9
- package/dist/utils/request-id.d.ts +0 -4
- package/dist/utils/request-logger.d.ts +0 -19
- package/dist/utils/sql.d.ts +0 -27
|
@@ -1,225 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* AuthHooks
|
|
3
|
-
*
|
|
4
|
-
* Customize specific behaviors of the built-in Rebase auth system.
|
|
5
|
-
*
|
|
6
|
-
* Each method replaces one piece of the default implementation.
|
|
7
|
-
* Unset methods fall through to the built-in defaults (scrypt passwords,
|
|
8
|
-
* standard validation rules, etc.).
|
|
9
|
-
*
|
|
10
|
-
* This interface is intentionally open for extension — new hooks
|
|
11
|
-
* can be added as optional methods without breaking existing configurations.
|
|
12
|
-
*
|
|
13
|
-
* @example bcrypt password support
|
|
14
|
-
* ```ts
|
|
15
|
-
* import bcrypt from "bcrypt";
|
|
16
|
-
*
|
|
17
|
-
* const hooks: AuthHooks = {
|
|
18
|
-
* hashPassword: (pw) => bcrypt.hash(pw, 12),
|
|
19
|
-
* verifyPassword: (pw, hash) => bcrypt.compare(pw, hash),
|
|
20
|
-
* validatePasswordStrength: (pw) => ({
|
|
21
|
-
* valid: pw.length >= 6,
|
|
22
|
-
* errors: pw.length < 6 ? ["Password must be at least 6 characters"] : []
|
|
23
|
-
* })
|
|
24
|
-
* };
|
|
25
|
-
* ```
|
|
26
|
-
*
|
|
27
|
-
* @example Override the entire login credential check
|
|
28
|
-
* ```ts
|
|
29
|
-
* const hooks: AuthHooks = {
|
|
30
|
-
* verifyCredentials: async (email, password, repo) => {
|
|
31
|
-
* const user = await repo.getUserByEmail(email);
|
|
32
|
-
* if (!user || !user.passwordHash) return null;
|
|
33
|
-
* const valid = await myCustomVerify(password, user.passwordHash);
|
|
34
|
-
* return valid ? user : null;
|
|
35
|
-
* }
|
|
36
|
-
* };
|
|
37
|
-
* ```
|
|
38
|
-
*/
|
|
39
|
-
import type { PasswordValidationResult } from "./password";
|
|
40
|
-
import type { AuthRepository, UserData, CreateUserData } from "./interfaces";
|
|
41
|
-
import type { EmailService, EmailConfig } from "../email";
|
|
42
|
-
/**
|
|
43
|
-
* Authentication method identifier for lifecycle hooks.
|
|
44
|
-
*/
|
|
45
|
-
export type AuthMethod = "login" | "register" | "oauth" | "refresh" | "password-reset" | "anonymous" | "magic-link" | "mfa";
|
|
46
|
-
/**
|
|
47
|
-
* Hook specific parts of the built-in Rebase auth implementation.
|
|
48
|
-
*
|
|
49
|
-
* Every method is optional. The built-in defaults apply for any method
|
|
50
|
-
* that is not provided.
|
|
51
|
-
*/
|
|
52
|
-
export interface AuthHooks {
|
|
53
|
-
/**
|
|
54
|
-
* Hash a cleartext password for storage.
|
|
55
|
-
*
|
|
56
|
-
* Default: scrypt (Node.js crypto, 64-byte key, random 32-byte salt).
|
|
57
|
-
*
|
|
58
|
-
* @param password - The cleartext password.
|
|
59
|
-
* @returns The hashed password string (format is implementation-defined).
|
|
60
|
-
*/
|
|
61
|
-
hashPassword?(password: string): Promise<string>;
|
|
62
|
-
/**
|
|
63
|
-
* Verify a cleartext password against a stored hash.
|
|
64
|
-
*
|
|
65
|
-
* Default: scrypt verification with timing-safe comparison.
|
|
66
|
-
*
|
|
67
|
-
* @param password - The cleartext password to check.
|
|
68
|
-
* @param storedHash - The hash string retrieved from the database.
|
|
69
|
-
* @returns `true` if the password matches the hash.
|
|
70
|
-
*/
|
|
71
|
-
verifyPassword?(password: string, storedHash: string): Promise<boolean>;
|
|
72
|
-
/**
|
|
73
|
-
* Validate password strength before hashing.
|
|
74
|
-
*
|
|
75
|
-
* Default: minimum 8 characters, at least one uppercase, one lowercase, one digit.
|
|
76
|
-
*
|
|
77
|
-
* @param password - The cleartext password to validate.
|
|
78
|
-
* @returns Validation result with `valid` flag and error messages.
|
|
79
|
-
*/
|
|
80
|
-
validatePasswordStrength?(password: string): PasswordValidationResult;
|
|
81
|
-
/**
|
|
82
|
-
* Override the complete credential verification during email/password login.
|
|
83
|
-
*
|
|
84
|
-
* When set, this replaces the default flow:
|
|
85
|
-
* 1. Look up user by email
|
|
86
|
-
* 2. Verify password hash
|
|
87
|
-
*
|
|
88
|
-
* The auth repository is provided for database access. Return the user
|
|
89
|
-
* data if credentials are valid, or `null` to reject the login.
|
|
90
|
-
*
|
|
91
|
-
* Default: `getUserByEmail(email)` + `verifyPassword(password, user.passwordHash)`.
|
|
92
|
-
*/
|
|
93
|
-
verifyCredentials?(email: string, password: string, repo: AuthRepository): Promise<UserData | null>;
|
|
94
|
-
/**
|
|
95
|
-
* Called after any successful authentication event (login, register,
|
|
96
|
-
* OAuth, token refresh, password reset).
|
|
97
|
-
*
|
|
98
|
-
* Use for audit logging, syncing external state, updating
|
|
99
|
-
* last-login timestamps, etc.
|
|
100
|
-
*
|
|
101
|
-
* This is fire-and-forget — errors are logged but do not fail the request.
|
|
102
|
-
*/
|
|
103
|
-
onAuthenticated?(user: UserData, method: AuthMethod): Promise<void>;
|
|
104
|
-
/**
|
|
105
|
-
* Called before a new user is created (registration or admin creation).
|
|
106
|
-
*
|
|
107
|
-
* Return modified data to alter what gets stored, or throw an error
|
|
108
|
-
* to reject the creation entirely.
|
|
109
|
-
*
|
|
110
|
-
* Default: passthrough (returns data unchanged).
|
|
111
|
-
*/
|
|
112
|
-
beforeUserCreate?(data: CreateUserData): Promise<CreateUserData>;
|
|
113
|
-
/**
|
|
114
|
-
* Called after a new user is created.
|
|
115
|
-
*
|
|
116
|
-
* Use for provisioning external resources, sending notifications
|
|
117
|
-
* to third-party systems, etc.
|
|
118
|
-
*
|
|
119
|
-
* This is fire-and-forget — errors are logged but do not fail the request.
|
|
120
|
-
*/
|
|
121
|
-
afterUserCreate?(user: UserData): Promise<void>;
|
|
122
|
-
/**
|
|
123
|
-
* Pre-login validation. Called before credential verification.
|
|
124
|
-
*
|
|
125
|
-
* Throw an error to reject the login attempt (e.g. for account lockout,
|
|
126
|
-
* IP-based restrictions, etc.).
|
|
127
|
-
*/
|
|
128
|
-
beforeLogin?(email: string, method: AuthMethod): Promise<void>;
|
|
129
|
-
/**
|
|
130
|
-
* Post-logout cleanup.
|
|
131
|
-
*
|
|
132
|
-
* Called after a user's session has been invalidated.
|
|
133
|
-
* Use for audit logging, cleanup of temporary resources, etc.
|
|
134
|
-
*
|
|
135
|
-
* This is fire-and-forget — errors are logged but do not fail the request.
|
|
136
|
-
*/
|
|
137
|
-
afterLogout?(userId: string): Promise<void>;
|
|
138
|
-
/**
|
|
139
|
-
* Called after successful MFA verification.
|
|
140
|
-
*
|
|
141
|
-
* Use for audit logging, notifying external systems, etc.
|
|
142
|
-
*
|
|
143
|
-
* This is fire-and-forget — errors are logged but do not fail the request.
|
|
144
|
-
*/
|
|
145
|
-
onMfaVerified?(userId: string, factorId: string): Promise<void>;
|
|
146
|
-
/**
|
|
147
|
-
* Customize JWT access token claims before signing.
|
|
148
|
-
*
|
|
149
|
-
* Return the modified claims object. The returned claims are merged
|
|
150
|
-
* into the JWT payload alongside standard claims (userId, roles).
|
|
151
|
-
*
|
|
152
|
-
* @param claims - The default claims that would be included.
|
|
153
|
-
* @param user - The authenticated user data.
|
|
154
|
-
* @returns Modified claims to include in the JWT.
|
|
155
|
-
*/
|
|
156
|
-
customizeAccessToken?(claims: Record<string, unknown>, user: UserData): Promise<Record<string, unknown>>;
|
|
157
|
-
/**
|
|
158
|
-
* Called after a successful password reset.
|
|
159
|
-
*
|
|
160
|
-
* Use for audit logging, sending confirmation notifications, etc.
|
|
161
|
-
*
|
|
162
|
-
* This is fire-and-forget — errors are logged but do not fail the request.
|
|
163
|
-
*/
|
|
164
|
-
onPasswordReset?(userId: string): Promise<void>;
|
|
165
|
-
/**
|
|
166
|
-
* Called before a user is deleted.
|
|
167
|
-
*
|
|
168
|
-
* Throw an error to prevent deletion (e.g. for users with active
|
|
169
|
-
* subscriptions, pending transactions, etc.).
|
|
170
|
-
*/
|
|
171
|
-
beforeUserDelete?(userId: string): Promise<void>;
|
|
172
|
-
/**
|
|
173
|
-
* Called after a user is deleted.
|
|
174
|
-
*
|
|
175
|
-
* Use for cleaning up external resources, audit logging, etc.
|
|
176
|
-
*
|
|
177
|
-
* This is fire-and-forget — errors are logged but do not fail the request.
|
|
178
|
-
*/
|
|
179
|
-
afterUserDelete?(userId: string): Promise<void>;
|
|
180
|
-
/**
|
|
181
|
-
* Optional hook to customize or override the default user creation flow via the admin panel/REST API.
|
|
182
|
-
* When provided, this replaces the built-in password generation, hashing, and invitation email logic.
|
|
183
|
-
*/
|
|
184
|
-
onAdminCreateUser?(values: Record<string, unknown>, ctx: {
|
|
185
|
-
authRepo: AuthRepository;
|
|
186
|
-
emailService?: EmailService;
|
|
187
|
-
emailConfig?: EmailConfig;
|
|
188
|
-
hashPassword: (password: string) => Promise<string>;
|
|
189
|
-
}): Promise<{
|
|
190
|
-
values: Record<string, unknown>;
|
|
191
|
-
temporaryPassword?: string;
|
|
192
|
-
invitationSent?: boolean;
|
|
193
|
-
}>;
|
|
194
|
-
/**
|
|
195
|
-
* Optional hook to customize or override the default password reset flow via the admin panel.
|
|
196
|
-
* When provided, this replaces the built-in password reset token generation, hashing, and email logic.
|
|
197
|
-
*/
|
|
198
|
-
onAdminResetPassword?(userId: string, ctx: {
|
|
199
|
-
authRepo: AuthRepository;
|
|
200
|
-
emailService?: EmailService;
|
|
201
|
-
emailConfig?: EmailConfig;
|
|
202
|
-
}): Promise<{
|
|
203
|
-
temporaryPassword?: string;
|
|
204
|
-
invitationSent?: boolean;
|
|
205
|
-
}>;
|
|
206
|
-
}
|
|
207
|
-
/**
|
|
208
|
-
* Resolved auth hooks — password operations are guaranteed to exist,
|
|
209
|
-
* all other hooks are passed through as-is (optional).
|
|
210
|
-
*
|
|
211
|
-
* Created by `resolveAuthHooks()` which merges user hooks
|
|
212
|
-
* with built-in defaults.
|
|
213
|
-
*
|
|
214
|
-
* Consumers should use the resolved object exclusively —
|
|
215
|
-
* never access the raw `AuthHooks` directly.
|
|
216
|
-
*/
|
|
217
|
-
export type ResolvedAuthHooks = Required<Pick<AuthHooks, "hashPassword" | "verifyPassword" | "validatePasswordStrength">> & Omit<AuthHooks, "hashPassword" | "verifyPassword" | "validatePasswordStrength">;
|
|
218
|
-
/**
|
|
219
|
-
* Merge user-provided hooks with the built-in defaults to produce
|
|
220
|
-
* a complete set of resolved hooks.
|
|
221
|
-
*
|
|
222
|
-
* This is the single point where defaults are applied — all consumers
|
|
223
|
-
* call this once and use the resolved hooks throughout.
|
|
224
|
-
*/
|
|
225
|
-
export declare function resolveAuthHooks(hooks?: AuthHooks): ResolvedAuthHooks;
|
|
@@ -1,11 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
/**
|
|
3
|
-
* Creates a Bitbucket OAuth Provider integration (OAuth 2.0 consumer).
|
|
4
|
-
*/
|
|
5
|
-
export declare function createBitbucketProvider(config: {
|
|
6
|
-
clientId: string;
|
|
7
|
-
clientSecret: string;
|
|
8
|
-
}): OAuthProvider<{
|
|
9
|
-
code: string;
|
|
10
|
-
redirectUri: string;
|
|
11
|
-
}>;
|
|
@@ -1,49 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* RebaseBuiltinAuthAdapter
|
|
3
|
-
*
|
|
4
|
-
* Wraps Rebase's existing built-in JWT auth system (routes, middleware, user/role
|
|
5
|
-
* management) into the `AuthAdapter` interface. This is the default adapter used
|
|
6
|
-
* when the user passes a plain `RebaseAuthConfig` object.
|
|
7
|
-
*
|
|
8
|
-
* This is NOT a rewrite — it delegates to the existing `createAuthRoutes()`,
|
|
9
|
-
* `createResetPasswordRoute()`, and `verifyAccessToken()` functions. The goal is to
|
|
10
|
-
* present the same functionality through the pluggable `AuthAdapter` contract.
|
|
11
|
-
*/
|
|
12
|
-
import type { AuthAdapter } from "@rebasepro/types";
|
|
13
|
-
import type { AuthRepository, OAuthProvider } from "./interfaces";
|
|
14
|
-
import type { AuthHooks } from "./auth-hooks";
|
|
15
|
-
import type { EmailService, EmailConfig } from "../email";
|
|
16
|
-
/**
|
|
17
|
-
* Configuration for the built-in Rebase auth adapter.
|
|
18
|
-
*
|
|
19
|
-
* This mirrors the existing `RebaseAuthConfig` — users pass this and
|
|
20
|
-
* server-core auto-wraps it in a `RebaseBuiltinAuthAdapter`.
|
|
21
|
-
*/
|
|
22
|
-
export interface BuiltinAuthAdapterConfig {
|
|
23
|
-
/** The bootstrapper-provided auth repository (users, roles, tokens). */
|
|
24
|
-
authRepository: AuthRepository;
|
|
25
|
-
/** Email service for password resets, verification, etc. */
|
|
26
|
-
emailService?: EmailService;
|
|
27
|
-
/** Email configuration. */
|
|
28
|
-
emailConfig?: EmailConfig;
|
|
29
|
-
/** Whether to allow new user registration. */
|
|
30
|
-
allowRegistration?: boolean;
|
|
31
|
-
/** Default role to assign to new users. */
|
|
32
|
-
defaultRole?: string;
|
|
33
|
-
/** OAuth providers to register. */
|
|
34
|
-
oauthProviders?: OAuthProvider<any>[];
|
|
35
|
-
/** Static service key for server-to-server auth. */
|
|
36
|
-
serviceKey?: string;
|
|
37
|
-
/** Auth hooks for customizing password, credentials, lifecycle, etc. */
|
|
38
|
-
authHooks?: AuthHooks;
|
|
39
|
-
/** The parsed auth config from the collection (if `auth` is an object, not just `true`). */
|
|
40
|
-
collectionAuthConfig?: import("@rebasepro/types").AuthCollectionConfig;
|
|
41
|
-
}
|
|
42
|
-
/**
|
|
43
|
-
* Create the built-in Rebase auth adapter.
|
|
44
|
-
*
|
|
45
|
-
* This wraps the existing auth infrastructure (JWT, OAuth, user/role management)
|
|
46
|
-
* into the `AuthAdapter` interface. It's used internally by `initializeRebaseBackend()`
|
|
47
|
-
* when the user passes a plain `RebaseAuthConfig` object.
|
|
48
|
-
*/
|
|
49
|
-
export declare function createBuiltinAuthAdapter(config: BuiltinAuthAdapterConfig): AuthAdapter;
|
|
@@ -1,16 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Cryptographic utility functions for auth.
|
|
3
|
-
*
|
|
4
|
-
* @module
|
|
5
|
-
*/
|
|
6
|
-
/**
|
|
7
|
-
* Constant-time string comparison to prevent timing attacks.
|
|
8
|
-
*
|
|
9
|
-
* Used for comparing service keys, tokens, and other secrets where
|
|
10
|
-
* timing side-channels could leak information about the expected value.
|
|
11
|
-
*
|
|
12
|
-
* @param a - First string to compare.
|
|
13
|
-
* @param b - Second string to compare.
|
|
14
|
-
* @returns `true` if the strings are identical, `false` otherwise.
|
|
15
|
-
*/
|
|
16
|
-
export declare function safeCompare(a: string, b: string): boolean;
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Custom Auth Adapter Factory
|
|
3
|
-
*
|
|
4
|
-
* Provides a minimal-config way for users with existing auth systems
|
|
5
|
-
* to plug into Rebase. Only `verifyRequest` is required — everything
|
|
6
|
-
* else is optional.
|
|
7
|
-
*
|
|
8
|
-
* @example
|
|
9
|
-
* ```ts
|
|
10
|
-
* import { createCustomAuthAdapter } from "@rebasepro/server-core";
|
|
11
|
-
*
|
|
12
|
-
* const auth = createCustomAuthAdapter({
|
|
13
|
-
* verifyRequest: async (request) => {
|
|
14
|
-
* const token = request.headers.get("Authorization")?.replace("Bearer ", "");
|
|
15
|
-
* if (!token) return null;
|
|
16
|
-
* const decoded = jwt.verify(token, MY_SECRET);
|
|
17
|
-
* return {
|
|
18
|
-
* uid: decoded.sub,
|
|
19
|
-
* email: decoded.email,
|
|
20
|
-
* displayName: decoded.name,
|
|
21
|
-
* roles: decoded.roles || [],
|
|
22
|
-
* isAdmin: decoded.roles?.includes("admin") ?? false,
|
|
23
|
-
* };
|
|
24
|
-
* },
|
|
25
|
-
* });
|
|
26
|
-
* ```
|
|
27
|
-
*/
|
|
28
|
-
import type { AuthAdapter, CustomAuthAdapterOptions } from "@rebasepro/types";
|
|
29
|
-
/**
|
|
30
|
-
* Create a custom auth adapter from minimal options.
|
|
31
|
-
*
|
|
32
|
-
* This is the recommended entry point for users who already have their own
|
|
33
|
-
* auth system and just need to tell Rebase how to extract the user from
|
|
34
|
-
* incoming requests.
|
|
35
|
-
*
|
|
36
|
-
* @param options - Configuration options. Only `verifyRequest` is required.
|
|
37
|
-
* @returns A fully-formed `AuthAdapter` ready for `initializeRebaseBackend()`.
|
|
38
|
-
*/
|
|
39
|
-
export declare function createCustomAuthAdapter(options: CustomAuthAdapterOptions): AuthAdapter;
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
/**
|
|
3
|
-
* Creates a Discord OAuth2 Provider integration.
|
|
4
|
-
*
|
|
5
|
-
* Uses the authorization code flow. Requires the "identify" and "email"
|
|
6
|
-
* scopes to retrieve the user's email and profile information.
|
|
7
|
-
*/
|
|
8
|
-
export declare function createDiscordProvider(config: {
|
|
9
|
-
clientId: string;
|
|
10
|
-
clientSecret: string;
|
|
11
|
-
}): OAuthProvider<{
|
|
12
|
-
code: string;
|
|
13
|
-
redirectUri: string;
|
|
14
|
-
}>;
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
/**
|
|
3
|
-
* Creates a Facebook / Meta OAuth Provider integration.
|
|
4
|
-
*
|
|
5
|
-
* Uses the authorization code flow to exchange a code for an access token,
|
|
6
|
-
* then fetches user profile from the Facebook Graph API.
|
|
7
|
-
*/
|
|
8
|
-
export declare function createFacebookProvider(config: {
|
|
9
|
-
clientId: string;
|
|
10
|
-
clientSecret: string;
|
|
11
|
-
}): OAuthProvider<{
|
|
12
|
-
code: string;
|
|
13
|
-
redirectUri: string;
|
|
14
|
-
}>;
|
|
@@ -1,15 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
/**
|
|
3
|
-
* Creates a GitHub OAuth Provider integration.
|
|
4
|
-
*
|
|
5
|
-
* Flow: Frontend receives an authorization `code` via the GitHub OAuth redirect.
|
|
6
|
-
* This provider exchanges the code for an access token, then fetches the user's
|
|
7
|
-
* profile and primary email from the GitHub API.
|
|
8
|
-
*/
|
|
9
|
-
export declare function createGitHubProvider(config: {
|
|
10
|
-
clientId: string;
|
|
11
|
-
clientSecret: string;
|
|
12
|
-
}): OAuthProvider<{
|
|
13
|
-
code: string;
|
|
14
|
-
redirectUri: string;
|
|
15
|
-
}>;
|
|
@@ -1,13 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
/**
|
|
3
|
-
* Creates a GitLab OAuth Provider integration.
|
|
4
|
-
* Works with both GitLab.com and self-hosted instances.
|
|
5
|
-
*/
|
|
6
|
-
export declare function createGitLabProvider(config: {
|
|
7
|
-
clientId: string;
|
|
8
|
-
clientSecret: string;
|
|
9
|
-
baseUrl?: string;
|
|
10
|
-
}): OAuthProvider<{
|
|
11
|
-
code: string;
|
|
12
|
-
redirectUri: string;
|
|
13
|
-
}>;
|
|
@@ -1,47 +0,0 @@
|
|
|
1
|
-
import type { OAuthProvider } from "./interfaces";
|
|
2
|
-
export interface GoogleUserInfo {
|
|
3
|
-
googleId: string;
|
|
4
|
-
email: string;
|
|
5
|
-
displayName: string | null;
|
|
6
|
-
photoUrl: string | null;
|
|
7
|
-
emailVerified: boolean;
|
|
8
|
-
}
|
|
9
|
-
export interface GoogleProviderConfig {
|
|
10
|
-
clientId: string;
|
|
11
|
-
/**
|
|
12
|
-
* The OAuth 2.0 client secret from Google Cloud Console.
|
|
13
|
-
*
|
|
14
|
-
* Required for the **authorization code flow** (Path 3), where the
|
|
15
|
-
* frontend sends an authorization `code` and the backend exchanges it
|
|
16
|
-
* server-side for tokens. This is the most secure flow because tokens
|
|
17
|
-
* never touch the browser.
|
|
18
|
-
*
|
|
19
|
-
* When omitted, only ID-token and access-token verification are available
|
|
20
|
-
* (Paths 1 & 2), which rely on the frontend obtaining tokens directly.
|
|
21
|
-
*/
|
|
22
|
-
clientSecret?: string;
|
|
23
|
-
}
|
|
24
|
-
/**
|
|
25
|
-
* Creates a Google OAuth Provider integration.
|
|
26
|
-
*
|
|
27
|
-
* Supports three verification paths:
|
|
28
|
-
*
|
|
29
|
-
* **Path 1 – ID Token** (One Tap / Sign In With Google button):
|
|
30
|
-
* Frontend sends `idToken`. Backend verifies cryptographically using
|
|
31
|
-
* Google's public keys. No secret required.
|
|
32
|
-
*
|
|
33
|
-
* **Path 2 – Access Token** (popup via `initTokenClient`):
|
|
34
|
-
* Frontend sends `accessToken`. Backend validates by calling Google's
|
|
35
|
-
* userinfo endpoint. No secret required.
|
|
36
|
-
*
|
|
37
|
-
* **Path 3 – Authorization Code** (most secure, requires `clientSecret`):
|
|
38
|
-
* Frontend sends `code` + `redirectUri`. Backend exchanges the code
|
|
39
|
-
* server-side for an ID token using `clientId` + `clientSecret`, then
|
|
40
|
-
* verifies the ID token. Tokens never touch the browser.
|
|
41
|
-
*/
|
|
42
|
-
export declare function createGoogleProvider(config: GoogleProviderConfig | string): OAuthProvider<{
|
|
43
|
-
idToken?: string;
|
|
44
|
-
accessToken?: string;
|
|
45
|
-
code?: string;
|
|
46
|
-
redirectUri?: string;
|
|
47
|
-
}>;
|
package/dist/auth/index.d.ts
DELETED
|
@@ -1,36 +0,0 @@
|
|
|
1
|
-
export * from "./interfaces";
|
|
2
|
-
export { configureJwt, generateAccessToken, verifyAccessToken, generateRefreshToken, hashRefreshToken, getRefreshTokenExpiry, getAccessTokenExpiry } from "./jwt";
|
|
3
|
-
export type { JwtConfig, AccessTokenPayload } from "./jwt";
|
|
4
|
-
export { hashPassword, verifyPassword, validatePasswordStrength } from "./password";
|
|
5
|
-
export type { PasswordValidationResult } from "./password";
|
|
6
|
-
export type { AuthHooks, AuthMethod, ResolvedAuthHooks } from "./auth-hooks";
|
|
7
|
-
export { resolveAuthHooks } from "./auth-hooks";
|
|
8
|
-
export { generateSecurePassword, generateSecureToken, hashToken, prepareAdminUserValues, finalizeAdminUserCreation } from "./admin-user-ops";
|
|
9
|
-
export type { AdminUserContext, AdminUserPrepareResult } from "./admin-user-ops";
|
|
10
|
-
export { createGoogleProvider } from "./google-oauth";
|
|
11
|
-
export type { GoogleProviderConfig } from "./google-oauth";
|
|
12
|
-
export { createLinkedinProvider } from "./linkedin-oauth";
|
|
13
|
-
export { createGitHubProvider } from "./github-oauth";
|
|
14
|
-
export { createMicrosoftProvider } from "./microsoft-oauth";
|
|
15
|
-
export { createAppleProvider } from "./apple-oauth";
|
|
16
|
-
export { createFacebookProvider } from "./facebook-oauth";
|
|
17
|
-
export { createTwitterProvider } from "./twitter-oauth";
|
|
18
|
-
export { createDiscordProvider } from "./discord-oauth";
|
|
19
|
-
export { createGitLabProvider } from "./gitlab-oauth";
|
|
20
|
-
export { createBitbucketProvider } from "./bitbucket-oauth";
|
|
21
|
-
export { createSlackProvider } from "./slack-oauth";
|
|
22
|
-
export { createSpotifyProvider } from "./spotify-oauth";
|
|
23
|
-
export { requireAuth, requireAdmin, optionalAuth, extractUserFromToken, createAuthMiddleware } from "./middleware";
|
|
24
|
-
export type { AuthMiddlewareOptions, AuthResult } from "./middleware";
|
|
25
|
-
export { createAuthRoutes } from "./routes";
|
|
26
|
-
export type { AuthModuleConfig } from "./routes";
|
|
27
|
-
export { createResetPasswordRoute } from "./reset-password-admin";
|
|
28
|
-
export type { ResetPasswordRouteConfig } from "./reset-password-admin";
|
|
29
|
-
export { createRateLimiter, defaultAuthLimiter, strictAuthLimiter, createApiKeyRateLimiter, apiKeyKeyGenerator } from "./rate-limiter";
|
|
30
|
-
export { createApiKeyStore, createApiKeyRoutes, isApiKeyToken, validateApiKey, httpMethodToOperation, isOperationAllowed } from "./api-keys";
|
|
31
|
-
export type { ApiKey, ApiKeyMasked, ApiKeyPermission, ApiKeyWithSecret, CreateApiKeyRequest, UpdateApiKeyRequest, ApiKeyStore, ApiKeyOperation } from "./api-keys";
|
|
32
|
-
export { createBuiltinAuthAdapter } from "./builtin-auth-adapter";
|
|
33
|
-
export type { BuiltinAuthAdapterConfig } from "./builtin-auth-adapter";
|
|
34
|
-
export { createCustomAuthAdapter } from "./custom-auth-adapter";
|
|
35
|
-
export { createAdapterAuthMiddleware } from "./adapter-middleware";
|
|
36
|
-
export type { AdapterAuthMiddlewareOptions } from "./adapter-middleware";
|